URL: https://github.com/SSSD/sssd/pull/595 Author: pbrezina Title: #595: sudo: allow use of default domain suffix Action: opened
PR body: """ This patch is based on post 1.13 work. The purpose is to allow combination of fully qualified names and default domain suffix when user log in with a short name. Similarly to later version, we add #uid value to sudoUser attribute. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/595/head:pr595 git checkout pr595
From 5323e3bf592307e2032c0d6106236552e72db27c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com> Date: Mon, 11 Jun 2018 11:16:07 +0200 Subject: [PATCH] sudo: allow use of default domain suffix --- src/db/sysdb_sudo.h | 3 +- src/responder/sudo/sudosrv_get_sudorules.c | 190 +++++++++++++++++++++++++---- 2 files changed, 167 insertions(+), 26 deletions(-) diff --git a/src/db/sysdb_sudo.h b/src/db/sysdb_sudo.h index 896bcb355..b8de6c4ee 100644 --- a/src/db/sysdb_sudo.h +++ b/src/db/sysdb_sudo.h @@ -86,8 +86,7 @@ #define SYSDB_SUDO_FILTER_INCLUDE_DFL 0x40 /* include cn=default */ #define SYSDB_SUDO_FILTER_USERINFO SYSDB_SUDO_FILTER_USERNAME \ | SYSDB_SUDO_FILTER_UID \ - | SYSDB_SUDO_FILTER_GROUPS \ - | SYSDB_SUDO_FILTER_NGRS + | SYSDB_SUDO_FILTER_GROUPS errno_t sysdb_sudo_filter_rules_by_time(TALLOC_CTX *mem_ctx, uint32_t in_num_rules, diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c index 5527ec6f1..d83f7c063 100644 --- a/src/responder/sudo/sudosrv_get_sudorules.c +++ b/src/responder/sudo/sudosrv_get_sudorules.c @@ -30,6 +30,9 @@ #include "responder/sudo/sudosrv_private.h" #include "providers/data_provider.h" +static errno_t +sort_sudo_rules(struct sysdb_attrs **rules, size_t count, bool higher_wins); + static errno_t sudosrv_get_user(struct sudo_dom_ctx *dctx); errno_t sudosrv_get_sudorules(struct sudo_dom_ctx *dctx) @@ -396,7 +399,8 @@ errno_t sudosrv_get_rules(struct sudo_cmd_ctx *cmd_ctx) flags = SYSDB_SUDO_FILTER_INCLUDE_ALL | SYSDB_SUDO_FILTER_INCLUDE_DFL | SYSDB_SUDO_FILTER_ONLY_EXPIRED - | SYSDB_SUDO_FILTER_USERINFO; + | SYSDB_SUDO_FILTER_USERINFO + | SYSDB_SUDO_FILTER_NGRS; ret = sudosrv_get_sudorules_query_cache(tmp_ctx, cmd_ctx->domain, attrs, flags, cmd_ctx->orig_username, @@ -552,6 +556,147 @@ sudosrv_get_sudorules_dp_callback(uint16_t err_maj, uint32_t err_min, sudosrv_cmd_done(cmd_ctx, ret); } +static errno_t +sudosrv_merge_rules(TALLOC_CTX *mem_ctx, + struct sudo_cmd_ctx *cmd_ctx, + struct sysdb_attrs **user_rules, + struct sysdb_attrs **ng_rules, + uint32_t num_user_rules, + uint32_t num_ng_rules, + struct sysdb_attrs ***_rules, + uint32_t *_num_rules) +{ + struct sysdb_attrs **rules; + uint32_t rule_iter, i; + uint32_t num_rules; + errno_t ret; + + num_rules = num_user_rules + num_ng_rules; + if (num_rules == 0) { + *_rules = NULL; + *_num_rules = 0; + return EOK; + } + + rules = talloc_array(mem_ctx, struct sysdb_attrs *, num_rules); + if (rules == NULL) { + return ENOMEM; + } + + rule_iter = 0; + for (i = 0; i < num_user_rules; rule_iter++, i++) { + rules[rule_iter] = talloc_steal(rules, user_rules[i]); + } + + for (i = 0; i < num_ng_rules; rule_iter++, i++) { + rules[rule_iter] = talloc_steal(rules, ng_rules[i]); + } + + ret = sort_sudo_rules(rules, num_rules, cmd_ctx->sudo_ctx->inverse_order); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not sort rules by sudoOrder\n"); + talloc_zfree(rules); + return ret; + } + + *_rules = rules; + *_num_rules = num_rules; + + return EOK; +} + +static errno_t +sudosrv_get_sudorules_with_uid(TALLOC_CTX *mem_ctx, + struct sudo_cmd_ctx *cmd_ctx, + const char **attrs, + struct sysdb_attrs ***_rules, + uint32_t *_num_rules) +{ + TALLOC_CTX *tmp_ctx; + char **groupnames = NULL; + char **aliases = NULL; + unsigned int flags = SYSDB_SUDO_FILTER_NONE; + struct sysdb_attrs **user_rules; + struct sysdb_attrs **ng_rules; + uint32_t num_user_rules; + uint32_t num_ng_rules; + const char *val; + errno_t ret; + uint32_t i; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return ENOMEM; + } + + ret = sysdb_get_sudo_user_info(tmp_ctx, cmd_ctx->domain, + cmd_ctx->orig_username, + NULL, &aliases, &groupnames); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to retrieve user info [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + /* Get user rules and add #uid information to sudoUser. */ + flags = SYSDB_SUDO_FILTER_USERINFO | SYSDB_SUDO_FILTER_INCLUDE_ALL; + + ret = sudosrv_get_sudorules_query_cache(tmp_ctx, cmd_ctx->domain, attrs, + flags, cmd_ctx->orig_username, + aliases, cmd_ctx->uid, groupnames, + cmd_ctx->sudo_ctx->inverse_order, + &user_rules, &num_user_rules); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to retrieve sudo rules [%d]: %s\n", ret, strerror(ret)); + goto done; + } + + val = talloc_asprintf(tmp_ctx, "#%"SPRIuid, cmd_ctx->uid); + if (val == NULL) { + ret = ENOMEM; + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Replacing sudoUser attribute with " + "sudoUser: %s\n", val); + for (i = 0; i < num_user_rules; i++) { + ret = sysdb_attrs_add_string(user_rules[i], SYSDB_SUDO_CACHE_AT_USER, + val); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to alter sudoUser attribute " + "[%d]: %s\n", ret, sss_strerror(ret)); + } + } + + /* Find rules with netgroups. */ + flags = SYSDB_SUDO_FILTER_NGRS; + + ret = sudosrv_get_sudorules_query_cache(tmp_ctx, cmd_ctx->domain, attrs, + flags, cmd_ctx->orig_username, + aliases, cmd_ctx->uid, groupnames, + cmd_ctx->sudo_ctx->inverse_order, + &ng_rules, &num_ng_rules); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to retrieve sudo rules [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + /* Merge them together. */ + ret = sudosrv_merge_rules(mem_ctx, cmd_ctx, user_rules, ng_rules, + num_user_rules, num_ng_rules, _rules, _num_rules); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to merge sudo rules [%d]: %s\n", + ret, sss_strerror(ret)); + } + +done: + talloc_free(tmp_ctx); + return ret; +} + static errno_t sudosrv_get_sudorules_from_cache(TALLOC_CTX *mem_ctx, struct sudo_cmd_ctx *cmd_ctx, struct sysdb_attrs ***_rules, @@ -593,36 +738,36 @@ static errno_t sudosrv_get_sudorules_from_cache(TALLOC_CTX *mem_ctx, switch (cmd_ctx->type) { case SSS_SUDO_USER: debug_name = cmd_ctx->cased_username; - ret = sysdb_get_sudo_user_info(tmp_ctx, - cmd_ctx->domain, - cmd_ctx->orig_username, - NULL, &aliases, &groupnames); + + ret = sudosrv_get_sudorules_with_uid(tmp_ctx, cmd_ctx, attrs, + &rules, &num_rules); if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Unable to retrieve user info [%d]: %s\n", - ret, strerror(ret)); + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to retrieve user rules " + "[%d]: %s\n", ret, sss_strerror(ret)); goto done; } - flags = SYSDB_SUDO_FILTER_USERINFO | SYSDB_SUDO_FILTER_INCLUDE_ALL; break; case SSS_SUDO_DEFAULTS: debug_name = "<default options>"; flags = SYSDB_SUDO_FILTER_INCLUDE_DFL; + + ret = sudosrv_get_sudorules_query_cache(tmp_ctx, + cmd_ctx->domain, attrs, flags, + cmd_ctx->orig_username, + aliases, + cmd_ctx->uid, groupnames, + cmd_ctx->sudo_ctx->inverse_order, + &rules, &num_rules); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to retrieve sudo rules [%d]: %s\n", ret, strerror(ret)); + goto done; + } + break; } - ret = sudosrv_get_sudorules_query_cache(tmp_ctx, - cmd_ctx->domain, attrs, flags, - cmd_ctx->orig_username, - aliases, - cmd_ctx->uid, groupnames, - cmd_ctx->sudo_ctx->inverse_order, - &rules, &num_rules); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Unable to retrieve sudo rules [%d]: %s\n", ret, strerror(ret)); - goto done; - } + DEBUG(SSSDBG_TRACE_FUNC, "Returning %d rules for [%s@%s]\n", num_rules, debug_name, cmd_ctx->domain->name); @@ -641,9 +786,6 @@ static errno_t sudosrv_get_sudorules_from_cache(TALLOC_CTX *mem_ctx, return ret; } -static errno_t -sort_sudo_rules(struct sysdb_attrs **rules, size_t count, bool higher_wins); - static errno_t sudosrv_get_sudorules_query_cache(TALLOC_CTX *mem_ctx, struct sss_domain_info *domain, const char **attrs,
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/sssd-devel@lists.fedorahosted.org/message/YTOMUHTN7OZ27I7TSO3ZZEJCTHUI7PVC/