[SSSD] [sssd PR#765][opened] sudo: format runas attributes to correct output name

Wed, 27 Feb 2019 05:18:31 -0800 

   URL: https://github.com/SSSD/sssd/pull/765
Author: pbrezina
 Title: #765: sudo: format runas attributes to correct output name
Action: opened

PR body:
"""
sudo internally calls getpwnam and getgrnam on user and groups that should
be used for the invoked command. Output of these calls is compared to
values in runAsUser/Group attributes.

When different output format is used then what is present in LDAP, this
comparison will fail, denying user to use sudo. Now, we convert these
attributes into correct output name, respecting domain resolution order,
fully qualified domains and fqname format.

E.g. sudo call: sudo -u tu...@ipa.vm -g tgr...@ipa.vm id

Resolves: https://pagure.io/SSSD/sssd/issue/3957
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/765/head:pr765
git checkout pr765

From 7784751bd37d15a6f286efe539c5fdcc4ce35707 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Wed, 27 Feb 2019 14:04:54 +0100
Subject: [PATCH 1/2] ipa: store sudo runas attribute with internal fqname

We need to be able to differentiate between external users and IPA user.

Resolves:
https://pagure.io/SSSD/sssd/issue/3957
---
 src/providers/ipa/ipa_sudo_conversion.c | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c
index bfa66b2c68..9586e6a2a3 100644
--- a/src/providers/ipa/ipa_sudo_conversion.c
+++ b/src/providers/ipa/ipa_sudo_conversion.c
@@ -908,6 +908,27 @@ convert_group(TALLOC_CTX *mem_ctx,
     return rdn;
 }
 
+static const char *
+convert_group_fqdn(TALLOC_CTX *mem_ctx,
+                   struct ipa_sudo_conv *conv,
+                   const char *value,
+                   bool *skip_entry)
+{
+    const char *shortname = NULL;
+    char *fqdn = NULL;
+
+    *skip_entry = false;
+
+    shortname = convert_group(mem_ctx, conv, value, skip_entry);
+    if (shortname == NULL) {
+        return NULL;
+    }
+
+    fqdn = sss_create_internal_fqname(mem_ctx, shortname, conv->dom->name);
+    talloc_free(discard_const(shortname));
+    return fqdn;
+}
+
 static const char *
 convert_runasextusergroup(TALLOC_CTX *mem_ctx,
                           struct ipa_sudo_conv *conv,
@@ -954,8 +975,8 @@ convert_attributes(struct ipa_sudo_conv *conv,
     } table[] = {{SYSDB_NAME,                            SYSDB_SUDO_CACHE_AT_CN         , NULL},
                  {SYSDB_IPA_SUDORULE_HOST,               SYSDB_SUDO_CACHE_AT_HOST       , convert_host},
                  {SYSDB_IPA_SUDORULE_USER,               SYSDB_SUDO_CACHE_AT_USER       , convert_user_fqdn},
-                 {SYSDB_IPA_SUDORULE_RUNASUSER,          SYSDB_SUDO_CACHE_AT_RUNASUSER  , convert_user},
-                 {SYSDB_IPA_SUDORULE_RUNASGROUP,         SYSDB_SUDO_CACHE_AT_RUNASGROUP , convert_group},
+                 {SYSDB_IPA_SUDORULE_RUNASUSER,          SYSDB_SUDO_CACHE_AT_RUNASUSER  , convert_user_fqdn},
+                 {SYSDB_IPA_SUDORULE_RUNASGROUP,         SYSDB_SUDO_CACHE_AT_RUNASGROUP , convert_group_fqdn},
                  {SYSDB_IPA_SUDORULE_OPTION,             SYSDB_SUDO_CACHE_AT_OPTION     , NULL},
                  {SYSDB_IPA_SUDORULE_NOTAFTER,           SYSDB_SUDO_CACHE_AT_NOTAFTER   , NULL},
                  {SYSDB_IPA_SUDORULE_NOTBEFORE,          SYSDB_SUDO_CACHE_AT_NOTBEFORE  , NULL},

From 2a584c1ae412632348aad0840bf7b22416d9c7e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Wed, 27 Feb 2019 14:06:06 +0100
Subject: [PATCH 2/2] sudo: format runas attributes to correct output name

sudo internally calls getpwnam and getgrnam on user and groups
that should be used for the invoked command. Output of these calls
is compared to values in runAsUser/Group attributes.

When different output format is used then what is present in LDAP,
this comparison will fail, denying user to use sudo. Now, we convert
these attributes into correct output name, respecting domain resolution
order, fully qualified domains and fqname format.

E.g. sudo call:
sudo -u tu...@ipa.vm -g tgr...@ipa.vm id

Resolves:
https://pagure.io/SSSD/sssd/issue/3957
---
 src/responder/sudo/sudosrv_get_sudorules.c | 101 ++++++++++++++++++++-
 1 file changed, 99 insertions(+), 2 deletions(-)

diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c
index 76faef0f56..a0edb5b7e2 100644
--- a/src/responder/sudo/sudosrv_get_sudorules.c
+++ b/src/responder/sudo/sudosrv_get_sudorules.c
@@ -113,6 +113,95 @@ sort_sudo_rules(struct sysdb_attrs **rules, size_t count, bool lower_wins)
     return EOK;
 }
 
+static errno_t sudosrv_format_runas(struct resp_ctx *rctx,
+                                    struct sysdb_attrs *rule,
+                                    const char *attr)
+{
+    TALLOC_CTX *tmp_ctx;
+    struct ldb_message_element *el;
+    struct sss_domain_info *dom;
+    const char *value;
+    char *fqname;
+    unsigned int i;
+    errno_t ret;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory!\n");
+        return ENOMEM;
+    }
+
+    ret = sysdb_attrs_get_el_ext(rule, attr, false, &el);
+    if (ret == ENOENT) {
+        ret = EOK;
+        goto done;
+    } else if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get %s attribute "
+              "[%d]: %s\n", attr, ret, sss_strerror(ret));
+        goto done;
+    }
+
+    for (i = 0; i < el->num_values; i++) {
+        value = (const char *)el->values[i].data;
+        if (value == NULL) {
+            continue;
+        }
+
+        dom = find_domain_by_object_name_ex(rctx->domains, value, true);
+        if (dom == NULL) {
+            continue;
+        }
+
+        ret = sss_output_fqname(tmp_ctx, dom, value,
+                                rctx->override_space, &fqname);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to convert %s to output fqname "
+                  "[%d]: %s\n", value, ret, sss_strerror(ret));
+            goto done;
+        }
+
+        talloc_free(el->values[i].data);
+        el->values[i].data = (uint8_t*)talloc_steal(el->values, fqname);
+        el->values[i].length = strlen(fqname);
+    }
+
+done:
+    talloc_free(tmp_ctx);
+
+    return ret;
+}
+
+static errno_t sudosrv_format_rules(struct resp_ctx *rctx,
+                                    struct sysdb_attrs **rules,
+                                    uint32_t num_rules)
+{
+    uint32_t i;
+    errno_t ret;
+
+
+    for (i = 0; i < num_rules; i++) {
+        ret = sudosrv_format_runas(rctx, rules[i],
+                                   SYSDB_SUDO_CACHE_AT_RUNAS);
+        if (ret != EOK) {
+            return ret;
+        }
+
+        ret = sudosrv_format_runas(rctx, rules[i],
+                                   SYSDB_SUDO_CACHE_AT_RUNASUSER);
+        if (ret != EOK) {
+            return ret;
+        }
+
+        ret = sudosrv_format_runas(rctx, rules[i],
+                                   SYSDB_SUDO_CACHE_AT_RUNASGROUP);
+        if (ret != EOK) {
+            return ret;
+        }
+    }
+
+    return ret;
+}
+
 static errno_t sudosrv_query_cache(TALLOC_CTX *mem_ctx,
                                    struct sss_domain_info *domain,
                                    const char **attrs,
@@ -301,6 +390,7 @@ static errno_t sudosrv_cached_rules_by_ng(TALLOC_CTX *mem_ctx,
 }
 
 static errno_t sudosrv_cached_rules(TALLOC_CTX *mem_ctx,
+                                    struct resp_ctx *rctx,
                                     struct sss_domain_info *domain,
                                     uid_t cli_uid,
                                     uid_t orig_uid,
@@ -368,6 +458,12 @@ static errno_t sudosrv_cached_rules(TALLOC_CTX *mem_ctx,
         goto done;
     }
 
+    ret = sudosrv_format_rules(rctx, rules, num_rules);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "Could not format sudo rules\n");
+        goto done;
+    }
+
     *_rules = talloc_steal(mem_ctx, rules);
     *_num_rules = num_rules;
 
@@ -412,6 +508,7 @@ static errno_t sudosrv_cached_defaults(TALLOC_CTX *mem_ctx,
 }
 
 static errno_t sudosrv_fetch_rules(TALLOC_CTX *mem_ctx,
+                                   struct resp_ctx *rctx,
                                    enum sss_sudo_type type,
                                    struct sss_domain_info *domain,
                                    uid_t cli_uid,
@@ -433,7 +530,7 @@ static errno_t sudosrv_fetch_rules(TALLOC_CTX *mem_ctx,
               username, domain->name);
         debug_name = "rules";
 
-        ret = sudosrv_cached_rules(mem_ctx, domain,
+        ret = sudosrv_cached_rules(mem_ctx, rctx, domain,
                                    cli_uid, orig_uid, username, groups,
                                    inverse_order, &rules, &num_rules);
 
@@ -765,7 +862,7 @@ static void sudosrv_get_rules_done(struct tevent_req *subreq)
               "in cache.\n");
     }
 
-    ret = sudosrv_fetch_rules(state, state->type, state->domain,
+    ret = sudosrv_fetch_rules(state, state->rctx, state->type, state->domain,
                               state->cli_uid,
                               state->orig_uid,
                               state->orig_username,

_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org

Reply via email to