[SSSD] [sssd PR#39][synchronized] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Author: celestian Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/39/head:pr39 git checkout pr39 From 40ecde220e26109b81c9be5676b4c8ef4084de03 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= Date: Wed, 12 Oct 2016 16:48:38 +0200 Subject: [PATCH] SYSDB: Adding lowercase sudoUser form If domain is not case sensitive we add lowercase form of usernames to sudoUser attributes. So we actually able to apply sudoRule on user Administrator@... with login admnistrator@... This patch is squashed with Resolves: https://fedorahosted.org/sssd/ticket/3203 (cherry picked from commit f4a1046bb88d7a0ab3617e49ae94bfa849d10645) Squashed with: SYSDB: Fixing of sudorule without a sudoUser This patch solved a regression caused by the recent patches to lowercase sudoUser -- in case sudoUser is missing completely, we abort the processing of this rule and all others. With this patch, we return ERR_MALFORMED_ENTRY and gracefully skip the malformed rule instead. Resolves: https://fedorahosted.org/sssd/ticket/3241 Reviewed-by: Jakub Hrozek (cherry picked from commit 7e23edbaa7a6bbd0b461d5792535896b6a77928b) --- src/db/sysdb_sudo.c| 110 - src/db/sysdb_sudo.h| 7 +- src/responder/sudo/sudosrv_get_sudorules.c | 15 ++-- 3 files changed, 122 insertions(+), 10 deletions(-) diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c index 76116ab..de1e8da 100644 --- a/src/db/sysdb_sudo.c +++ b/src/db/sysdb_sudo.c 
@@ -216,9 +216,9 @@ errno_t sysdb_sudo_filter_rules_by_time(TALLOC_CTX *mem_ctx, } errno_t -sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username, - uid_t uid, char **groupnames, unsigned int flags, - char **_filter) +sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username, char **aliases, + uid_t uid, char **groupnames, bool case_sensitive_domain, + unsigned int flags, char **_filter) { TALLOC_CTX *tmp_ctx = NULL; char *filter = NULL; @@ -258,6 +258,15 @@ sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username, SYSDB_SUDO_CACHE_AT_USER, sanitized); NULL_CHECK(specific_filter, ret, done); + +if (case_sensitive_domain == false) { +for (i = 0; aliases[i] != NULL; i++) { +specific_filter = talloc_asprintf_append(specific_filter, "(%s=%s)", + SYSDB_SUDO_CACHE_AT_USER, + aliases[i]); +NULL_CHECK(specific_filter, ret, done); +} +} } if ((flags & SYSDB_SUDO_FILTER_UID) && (uid != 0)) { @@ -320,6 +329,7 @@ errno_t sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, struct sss_domain_info *domain, const char *username, uid_t *_uid, + char ***_aliases, char ***groupnames) { TALLOC_CTX *tmp_ctx; @@ -327,15 +337,19 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, struct ldb_message *msg; struct ldb_message *group_msg = NULL; char **sysdb_groupnames = NULL; +char **sysdb_aliases = NULL; const char *primary_group = NULL; struct ldb_message_element *groups; +struct ldb_message_element *aliases; uid_t uid = 0; gid_t gid = 0; size_t num_groups = 0; +size_t num_aliases = 0; int i; const char *attrs[] = { SYSDB_MEMBEROF, SYSDB_GIDNUM, SYSDB_UIDNUM, +SYSDB_NAME_ALIAS, NULL }; const char *group_attrs[] = { SYSDB_NAME, NULL }; 
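Review bot: The alias loop added to sysdb_get_sudo_filter() formats `aliases[i]` straight into the LDAP filter, while the username just above it goes in through `sanitized`. An alias containing `(`, `)`, `*` or `\` would change the shape of the sudo rule query, so each alias should pass through sss_filter_sanitize() before it is appended. The loop also dereferences `aliases` unconditionally, yet the sysdb_get_sudo_user_info() hunks of this patch leave the alias array NULL for a user without nameAlias, so the condition should also test `aliases != NULL`. The function body starts and ends outside the hunk, and the same hunk is repeated in the next two postings of the patch on this page.

```c
if (case_sensitive_domain == false && aliases != NULL) {
    for (i = 0; aliases[i] != NULL; i++) {
        ret = sss_filter_sanitize(tmp_ctx, aliases[i], &sanitized);
        if (ret != EOK) {
            goto done;
        }
        /* … unchanged: talloc_asprintf_append() call, passing `sanitized` instead of aliases[i] … */
        NULL_CHECK(specific_filter, ret, done);
    }
}
```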
@@ -358,6 +372,24 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, } } +aliases = ldb_msg_find_element(msg, SYSDB_NAME_ALIAS); +if (!aliases || aliases->num_values == 0) { +/* No nameAlias for this user in sysdb currently */ +sysdb_aliases = NULL; +num_aliases = 0; +} else { +num_aliases = aliases->num_values; +sysdb_aliases = talloc_array(tmp_ctx, char *, num_aliases + 1); +NULL_CHECK(sysdb_aliases, ret, done); + +for (i = 0; i < aliases->num_values; i++) { +sysdb_aliases[i] = talloc_strdup(sysdb_aliases, + (const char *)aliases->values[i].data); +NULL_CHECK(sysdb_aliases[i], ret, done); +} +sysdb_aliases[aliases->num_values] = NULL; +} + /* resolve secondary groups */ if (groupnames != NULL) { groups = ldb_msg_find_element(m
[SSSD] [sssd PR#39][synchronized] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Author: celestian Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/39/head:pr39 git checkout pr39 From dbba27272c8ab358dbf6dea8adfedfe9d511c36d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= Date: Wed, 12 Oct 2016 16:48:38 +0200 Subject: [PATCH 1/2] SYSDB: Adding lowercase sudoUser form If domain is not case sensitive we add lowercase form of usernames to sudoUser attributes. So we actually able to apply sudoRule on user Administrator@... with login admnistrator@... Resolves: https://fedorahosted.org/sssd/ticket/3203 (cherry picked from commit f4a1046bb88d7a0ab3617e49ae94bfa849d10645) --- src/db/sysdb_sudo.c| 105 - src/db/sysdb_sudo.h| 7 +- src/responder/sudo/sudosrv_get_sudorules.c | 15 +++-- 3 files changed, 117 insertions(+), 10 deletions(-) diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c index 76116ab..39a6558 100644 --- a/src/db/sysdb_sudo.c +++ b/src/db/sysdb_sudo.c @@ -216,9 +216,9 @@ errno_t sysdb_sudo_filter_rules_by_time(TALLOC_CTX *mem_ctx, } errno_t -sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username, - uid_t uid, char **groupnames, unsigned int flags, - char **_filter) +sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username, char **aliases, + uid_t uid, char **groupnames, bool case_sensitive_domain, + unsigned int flags, char **_filter) { TALLOC_CTX *tmp_ctx = NULL; char *filter = NULL; 
@@ -258,6 +258,15 @@ sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username, SYSDB_SUDO_CACHE_AT_USER, sanitized); NULL_CHECK(specific_filter, ret, done); + +if (case_sensitive_domain == false) { +for (i = 0; aliases[i] != NULL; i++) { +specific_filter = talloc_asprintf_append(specific_filter, "(%s=%s)", + SYSDB_SUDO_CACHE_AT_USER, + aliases[i]); +NULL_CHECK(specific_filter, ret, done); +} +} } if ((flags & SYSDB_SUDO_FILTER_UID) && (uid != 0)) { @@ -320,6 +329,7 @@ errno_t sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, struct sss_domain_info *domain, const char *username, uid_t *_uid, + char ***_aliases, char ***groupnames) { TALLOC_CTX *tmp_ctx; @@ -327,15 +337,19 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, struct ldb_message *msg; struct ldb_message *group_msg = NULL; char **sysdb_groupnames = NULL; +char **sysdb_aliases = NULL; const char *primary_group = NULL; struct ldb_message_element *groups; +struct ldb_message_element *aliases; uid_t uid = 0; gid_t gid = 0; size_t num_groups = 0; +size_t num_aliases = 0; int i; const char *attrs[] = { SYSDB_MEMBEROF, SYSDB_GIDNUM, SYSDB_UIDNUM, +SYSDB_NAME_ALIAS, NULL }; const char *group_attrs[] = { SYSDB_NAME, NULL }; @@ -358,6 +372,24 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, } } +aliases = ldb_msg_find_element(msg, SYSDB_NAME_ALIAS); +if (!aliases || aliases->num_values == 0) { +/* No nameAlias for this user in sysdb currently */ +sysdb_aliases = NULL; +num_aliases = 0; +} else { +num_aliases = aliases->num_values; +sysdb_aliases = talloc_array(tmp_ctx, char *, num_aliases + 1); +NULL_CHECK(sysdb_aliases, ret, done); + +for (i = 0; i < aliases->num_values; i++) { +sysdb_aliases[i] = talloc_strdup(sysdb_aliases, + (const char *)aliases->values[i].data); +NULL_CHECK(sysdb_aliases[i], ret, done); +} +sysdb_aliases[aliases->num_values] = NULL; +} + /* resolve secondary groups */ if (groupnames != NULL) { groups = ldb_msg_find_element(msg, SYSDB_MEMBEROF); 
@@ -421,6 +453,10 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, *_uid = uid; } +if (sysdb_aliases != NULL) { +*_aliases = talloc_steal(mem_ctx, sysdb_aliases); +} + if (groupnames != NULL) { *groupnames = talloc_steal(mem_ctx, sysdb_groupnames); } @@ -801,6 +837,64 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule, return EOK; } +static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain, +
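Review bot: `*_aliases` is written only when the user has at least one nameAlias, so for every other user the caller's pointer keeps whatever value it had before the call, and `_aliases` itself is never checked for NULL the way `groupnames` is two lines below. Unless every caller initialises its variable to NULL (the call site is not in this hunk), the alias loop in sysdb_get_sudo_filter() then walks an indeterminate pointer. Assigning unconditionally closes that gap, since talloc_steal() returns NULL for a NULL pointer: `if (_aliases != NULL) { *_aliases = talloc_steal(mem_ctx, sysdb_aliases); }`. The same hunk appears again in the following posting, and the function starts and ends outside it.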
[SSSD] [sssd PR#39][synchronized] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Author: celestian Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/39/head:pr39 git checkout pr39 From dbba27272c8ab358dbf6dea8adfedfe9d511c36d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= Date: Wed, 12 Oct 2016 16:48:38 +0200 Subject: [PATCH] SYSDB: Adding lowercase sudoUser form If domain is not case sensitive we add lowercase form of usernames to sudoUser attributes. So we actually able to apply sudoRule on user Administrator@... with login admnistrator@... Resolves: https://fedorahosted.org/sssd/ticket/3203 (cherry picked from commit f4a1046bb88d7a0ab3617e49ae94bfa849d10645) --- src/db/sysdb_sudo.c| 105 - src/db/sysdb_sudo.h| 7 +- src/responder/sudo/sudosrv_get_sudorules.c | 15 +++-- 3 files changed, 117 insertions(+), 10 deletions(-) diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c index 76116ab..39a6558 100644 --- a/src/db/sysdb_sudo.c +++ b/src/db/sysdb_sudo.c @@ -216,9 +216,9 @@ errno_t sysdb_sudo_filter_rules_by_time(TALLOC_CTX *mem_ctx, } errno_t -sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username, - uid_t uid, char **groupnames, unsigned int flags, - char **_filter) +sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username, char **aliases, + uid_t uid, char **groupnames, bool case_sensitive_domain, + unsigned int flags, char **_filter) { TALLOC_CTX *tmp_ctx = NULL; char *filter = NULL; 
@@ -258,6 +258,15 @@ sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username, SYSDB_SUDO_CACHE_AT_USER, sanitized); NULL_CHECK(specific_filter, ret, done); + +if (case_sensitive_domain == false) { +for (i = 0; aliases[i] != NULL; i++) { +specific_filter = talloc_asprintf_append(specific_filter, "(%s=%s)", + SYSDB_SUDO_CACHE_AT_USER, + aliases[i]); +NULL_CHECK(specific_filter, ret, done); +} +} } if ((flags & SYSDB_SUDO_FILTER_UID) && (uid != 0)) { @@ -320,6 +329,7 @@ errno_t sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, struct sss_domain_info *domain, const char *username, uid_t *_uid, + char ***_aliases, char ***groupnames) { TALLOC_CTX *tmp_ctx; @@ -327,15 +337,19 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, struct ldb_message *msg; struct ldb_message *group_msg = NULL; char **sysdb_groupnames = NULL; +char **sysdb_aliases = NULL; const char *primary_group = NULL; struct ldb_message_element *groups; +struct ldb_message_element *aliases; uid_t uid = 0; gid_t gid = 0; size_t num_groups = 0; +size_t num_aliases = 0; int i; const char *attrs[] = { SYSDB_MEMBEROF, SYSDB_GIDNUM, SYSDB_UIDNUM, +SYSDB_NAME_ALIAS, NULL }; const char *group_attrs[] = { SYSDB_NAME, NULL }; @@ -358,6 +372,24 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, } } +aliases = ldb_msg_find_element(msg, SYSDB_NAME_ALIAS); +if (!aliases || aliases->num_values == 0) { +/* No nameAlias for this user in sysdb currently */ +sysdb_aliases = NULL; +num_aliases = 0; +} else { +num_aliases = aliases->num_values; +sysdb_aliases = talloc_array(tmp_ctx, char *, num_aliases + 1); +NULL_CHECK(sysdb_aliases, ret, done); + +for (i = 0; i < aliases->num_values; i++) { +sysdb_aliases[i] = talloc_strdup(sysdb_aliases, + (const char *)aliases->values[i].data); +NULL_CHECK(sysdb_aliases[i], ret, done); +} +sysdb_aliases[aliases->num_values] = NULL; +} + /* resolve secondary groups */ if (groupnames != NULL) { groups = ldb_msg_find_element(msg, SYSDB_MEMBEROF); 
@@ -421,6 +453,10 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, *_uid = uid; } +if (sysdb_aliases != NULL) { +*_aliases = talloc_steal(mem_ctx, sysdb_aliases); +} + if (groupnames != NULL) { *groupnames = talloc_steal(mem_ctx, sysdb_groupnames); } @@ -801,6 +837,64 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule, return EOK; } +static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain, +
[SSSD] [sssd PR#39][synchronized] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Author: celestian Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/39/head:pr39 git checkout pr39 From b268ea119a295ad20c7270ae7d0a5fc6bbcc04ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= Date: Wed, 12 Oct 2016 16:48:38 +0200 Subject: [PATCH] SYSDB: Adding lowercase sudoUser form If domain is not case sensitive we add lowercase form of usernames to sudoUser attributes. So we actually able to apply sudoRule on user Administrator@... with login admnistrator@... Resolves: https://fedorahosted.org/sssd/ticket/3203 (cherry picked from commit f4a1046bb88d7a0ab3617e49ae94bfa849d10645) --- src/db/sysdb_sudo.c| 89 +- src/db/sysdb_sudo.h| 4 +- src/responder/sudo/sudosrv_get_sudorules.c | 2 +- 3 files changed, 90 insertions(+), 5 deletions(-) diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c index 76116ab..6368c64 100644 --- a/src/db/sysdb_sudo.c +++ b/src/db/sysdb_sudo.c @@ -217,13 +217,14 @@ errno_t sysdb_sudo_filter_rules_by_time(TALLOC_CTX *mem_ctx, errno_t sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username, - uid_t uid, char **groupnames, unsigned int flags, - char **_filter) + uid_t uid, char **groupnames, bool case_sensitive_domain, + unsigned int flags, char **_filter) { TALLOC_CTX *tmp_ctx = NULL; char *filter = NULL; char *specific_filter = NULL; char *sanitized = NULL; +const char *lowered = NULL; time_t now; errno_t ret; int i; 
@@ -258,6 +259,27 @@ sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username, SYSDB_SUDO_CACHE_AT_USER, sanitized); NULL_CHECK(specific_filter, ret, done); + +if (case_sensitive_domain == false) { +lowered = sss_tc_utf8_str_tolower(tmp_ctx, username); +if (lowered == NULL) { +DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n"); +ret = ENOMEM; +goto done; +} + +if (strcmp(username, lowered) != 0) { +ret = sss_filter_sanitize(tmp_ctx, lowered, &sanitized); +if (ret != EOK) { +goto done; +} + +specific_filter = talloc_asprintf_append(specific_filter, "(%s=%s)", + SYSDB_SUDO_CACHE_AT_USER, + sanitized); +NULL_CHECK(specific_filter, ret, done); +} +} } if ((flags & SYSDB_SUDO_FILTER_UID) && (uid != 0)) { 
@@ -801,6 +823,64 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule, return EOK; } +static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain, +struct sysdb_attrs *rule) +{ +TALLOC_CTX *tmp_ctx; +const char **users = NULL; +const char *lowered = NULL; +errno_t ret; + +if (domain->case_sensitive == true || rule == NULL) { +return EOK; +} + +tmp_ctx = talloc_new(NULL); +if (tmp_ctx == NULL) { +return ENOMEM; +} + +ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx, + &users); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n", +SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); +goto done; +} +if (users == NULL) { +ret = EOK; +goto done; +} + +for (int i = 0; users[i] != NULL; i++) { +lowered = sss_tc_utf8_str_tolower(tmp_ctx, users[i]); +if (lowered == NULL) { +DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n"); +ret = ENOMEM; +goto done; +} + +if (strcmp(users[i], lowered) == 0) { +/* It protects us from adding duplicate. */ +continue; +} + +ret = sysdb_attrs_add_string(rule, SYSDB_SUDO_CACHE_AT_USER, lowered); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, + "Unable to add %s attribute [%d]: %s\n", + SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); +goto done; +} +} + +ret = EOK; + +done: +talloc_zfree(tmp_ctx); +return ret; +} + static errno_t sysdb_sudo_store_rule(struct sss_domain_info *domain, struct sysdb_attrs *rule, @@ -817,6 +897,11 @@ sysdb_sudo_store_rule(struct sss_domain_info *domain, DEBUG(SSSDBG_TRACE_FUNC, "Adding sudo rule %s\n", name); +ret = sysd
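Review bot: In sysdb_sudo_add_lowered_users() any failure of sysdb_attrs_get_string_array() is returned as is, and the sysdb_sudo_store_rule() hunk of this patch passes it on, so a rule with no sudoUser attribute at all appears to stop the store instead of being skipped. The `users == NULL` branch suggests a missing attribute was expected to come back as EOK, which is not guaranteed; the squashed commit message at the top of this page describes this regression and resolves it by returning ERR_MALFORMED_ENTRY for such a rule so the caller can skip it. Separately, the duplicate check `strcmp(users[i], lowered) == 0` only compares a value with its own lowercase form, so a rule listing, for example, both `Admin` and `admin` gets `admin` added a second time; checking `lowered` against the whole `users` array first would avoid a duplicate attribute value. The hunk is repeated unchanged in the later postings of this patch.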
[SSSD] [sssd PR#39][synchronized] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Author: celestian Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/39/head:pr39 git checkout pr39 From d83eb122f75ff1204cfdac6d5bc1ec138056 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= Date: Wed, 12 Oct 2016 16:48:38 +0200 Subject: [PATCH] SYSDB: Adding lowercase sudoUser form If domain is not case sensitive we add lowercase form of usernames to sudoUser attributes. So we actually able to apply sudoRule on user Administrator@... with login admnistrator@... Resolves: https://fedorahosted.org/sssd/ticket/3203 (cherry picked from commit f4a1046bb88d7a0ab3617e49ae94bfa849d10645) --- src/db/sysdb_sudo.c | 63 + 1 file changed, 63 insertions(+) diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c index 76116ab..ecf350f 100644 --- a/src/db/sysdb_sudo.c +++ b/src/db/sysdb_sudo.c 
@@ -801,6 +801,64 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule, return EOK; } +static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain, +struct sysdb_attrs *rule) +{ +TALLOC_CTX *tmp_ctx; +const char **users = NULL; +const char *lowered = NULL; +errno_t ret; + +if (domain->case_sensitive == true || rule == NULL) { +return EOK; +} + +tmp_ctx = talloc_new(NULL); +if (tmp_ctx == NULL) { +return ENOMEM; +} + +ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx, + &users); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n", +SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); +goto done; +} +if (users == NULL) { +ret = EOK; +goto done; +} + +for (int i = 0; users[i] != NULL; i++) { +lowered = sss_tc_utf8_str_tolower(tmp_ctx, users[i]); +if (lowered == NULL) { +DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n"); +ret = ENOMEM; +goto done; +} + +if (strcmp(users[i], lowered) == 0) { +/* It protects us from adding duplicate. */ +continue; +} + +ret = sysdb_attrs_add_string(rule, SYSDB_SUDO_CACHE_AT_USER, lowered); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, + "Unable to add %s attribute [%d]: %s\n", + SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); +goto done; +} +} + +ret = EOK; + +done: +talloc_zfree(tmp_ctx); +return ret; +} + static errno_t sysdb_sudo_store_rule(struct sss_domain_info *domain, struct sysdb_attrs *rule, @@ -817,6 +875,11 @@ sysdb_sudo_store_rule(struct sss_domain_info *domain, DEBUG(SSSDBG_TRACE_FUNC, "Adding sudo rule %s\n", name); +ret = sysdb_sudo_add_lowered_users(domain, rule); +if (ret != EOK) { +return ret; +} + ret = sysdb_sudo_add_sss_attrs(rule, name, cache_timeout, now); if (ret != EOK) { return ret; ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#39][synchronized] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Author: celestian Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/39/head:pr39 git checkout pr39 From 92c5b11f1c17454a5b258f3776224124a808af3c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= Date: Wed, 12 Oct 2016 16:48:38 +0200 Subject: [PATCH 1/2] SYSDB: Adding lowercase sudoUser form If domain is not case sensitive we add lowercase form of usernames to sudoUser attributes. So we actually able to apply sudoRule on user Administrator@... with login admnistrator@... Resolves: https://fedorahosted.org/sssd/ticket/3203 (cherry picked from commit f4a1046bb88d7a0ab3617e49ae94bfa849d10645) --- src/db/sysdb_sudo.c | 63 + 1 file changed, 63 insertions(+) diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c index 76116ab..ecf350f 100644 --- a/src/db/sysdb_sudo.c +++ b/src/db/sysdb_sudo.c 
@@ -801,6 +801,64 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule, return EOK; } +static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain, +struct sysdb_attrs *rule) +{ +TALLOC_CTX *tmp_ctx; +const char **users = NULL; +const char *lowered = NULL; +errno_t ret; + +if (domain->case_sensitive == true || rule == NULL) { +return EOK; +} + +tmp_ctx = talloc_new(NULL); +if (tmp_ctx == NULL) { +return ENOMEM; +} + +ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx, + &users); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n", +SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); +goto done; +} +if (users == NULL) { +ret = EOK; +goto done; +} + +for (int i = 0; users[i] != NULL; i++) { +lowered = sss_tc_utf8_str_tolower(tmp_ctx, users[i]); +if (lowered == NULL) { +DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n"); +ret = ENOMEM; +goto done; +} + +if (strcmp(users[i], lowered) == 0) { +/* It protects us from adding duplicate. */ +continue; +} + +ret = sysdb_attrs_add_string(rule, SYSDB_SUDO_CACHE_AT_USER, lowered); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, + "Unable to add %s attribute [%d]: %s\n", + SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); +goto done; +} +} + +ret = EOK; + +done: +talloc_zfree(tmp_ctx); +return ret; +} + static errno_t sysdb_sudo_store_rule(struct sss_domain_info *domain, struct sysdb_attrs *rule, @@ -817,6 +875,11 @@ sysdb_sudo_store_rule(struct sss_domain_info *domain, DEBUG(SSSDBG_TRACE_FUNC, "Adding sudo rule %s\n", name); +ret = sysdb_sudo_add_lowered_users(domain, rule); +if (ret != EOK) { +return ret; +} + ret = sysdb_sudo_add_sss_attrs(rule, name, cache_timeout, now); if (ret != EOK) { return ret; From d521c43a46689730ad92c5bdfa13a69590c66307 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20=C4=8Cech?= Date: Tue, 18 Oct 2016 10:01:43 +0200 Subject: [PATCH 2/2] SYSDB: Adding fq user names to cached sudoRules This patch adds fg user names to sudoUser attribute of cached sudoRules. Resolves: https://fedorahosted.org/sssd/ticket/3203 --- src/db/sysdb_sudo.c | 55 + 1 file changed, 55 insertions(+) diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c index ecf350f..3c37f9b 100644 --- a/src/db/sysdb_sudo.c +++ b/src/db/sysdb_sudo.c @@ -801,6 +801,56 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule, return EOK; } +static errno_t sysdb_sudo_add_fq_users(struct sss_domain_info *domain, + struct sysdb_attrs *rule) +{ +TALLOC_CTX *tmp_ctx; +const char **users = NULL; +const char *fqname = NULL; +errno_t ret; + +tmp_ctx = talloc_new(NULL); +if (tmp_ctx == NULL) { +return ENOMEM; +} + +ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx, + &users); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n", +SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); +goto done; +} +if (users == NULL) { +ret = EOK; +goto done; +} + +for (int i = 0; users[i] != NULL; i++) { +fqname = sss_tc_fqname(tmp_ctx, domain->names, domain, users[i]); +if (fqname == NULL) { +DEBUG(SSSDBG_OP_FAILURE, "Could not create fgname.\n"); +ret = ENOMEM; +goto done; +}
[SSSD] [sssd PR#39][synchronized] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Author: celestian Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/39/head:pr39 git checkout pr39 From 989460d4ed0a8c33ba12f73b6e73bf905a877116 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= Date: Wed, 12 Oct 2016 16:48:38 +0200 Subject: [PATCH 1/2] SYSDB: Adding lowercase sudoUser form If domain is not case sensitive we add lowercase form of usernames to sudoUser attributes. So we actually able to apply sudoRule on user Administrator@... with login admnistrator@... Resolves: https://fedorahosted.org/sssd/ticket/3203 (cherry picked from commit fbc12bcdad4547d698ddbb9771e125ff7ae981df) --- src/db/sysdb_sudo.c | 63 + 1 file changed, 63 insertions(+) diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c index 76116ab..ecf350f 100644 --- a/src/db/sysdb_sudo.c +++ b/src/db/sysdb_sudo.c 
@@ -801,6 +801,64 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule, return EOK; } +static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain, +struct sysdb_attrs *rule) +{ +TALLOC_CTX *tmp_ctx; +const char **users = NULL; +const char *lowered = NULL; +errno_t ret; + +if (domain->case_sensitive == true || rule == NULL) { +return EOK; +} + +tmp_ctx = talloc_new(NULL); +if (tmp_ctx == NULL) { +return ENOMEM; +} + +ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx, + &users); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n", +SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); +goto done; +} +if (users == NULL) { +ret = EOK; +goto done; +} + +for (int i = 0; users[i] != NULL; i++) { +lowered = sss_tc_utf8_str_tolower(tmp_ctx, users[i]); +if (lowered == NULL) { +DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n"); +ret = ENOMEM; +goto done; +} + +if (strcmp(users[i], lowered) == 0) { +/* It protects us from adding duplicate. */ +continue; +} + +ret = sysdb_attrs_add_string(rule, SYSDB_SUDO_CACHE_AT_USER, lowered); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, + "Unable to add %s attribute [%d]: %s\n", + SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); +goto done; +} +} + +ret = EOK; + +done: +talloc_zfree(tmp_ctx); +return ret; +} + static errno_t sysdb_sudo_store_rule(struct sss_domain_info *domain, struct sysdb_attrs *rule, @@ -817,6 +875,11 @@ sysdb_sudo_store_rule(struct sss_domain_info *domain, DEBUG(SSSDBG_TRACE_FUNC, "Adding sudo rule %s\n", name); +ret = sysdb_sudo_add_lowered_users(domain, rule); +if (ret != EOK) { +return ret; +} + ret = sysdb_sudo_add_sss_attrs(rule, name, cache_timeout, now); if (ret != EOK) { return ret; From d257d03b9c480747433096f410cbd36165c3c532 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20=C4=8Cech?= Date: Tue, 18 Oct 2016 10:01:43 +0200 Subject: [PATCH 2/2] SYSDB: Adding fq user names to cached sudoRules This patch adds fg user names to sudoUser attribute of cached sudoRules. Resolves: https://fedorahosted.org/sssd/ticket/3203 --- src/db/sysdb_sudo.c | 55 + 1 file changed, 55 insertions(+) diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c index ecf350f..3c37f9b 100644 --- a/src/db/sysdb_sudo.c +++ b/src/db/sysdb_sudo.c @@ -801,6 +801,56 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule, return EOK; } +static errno_t sysdb_sudo_add_fq_users(struct sss_domain_info *domain, + struct sysdb_attrs *rule) +{ +TALLOC_CTX *tmp_ctx; +const char **users = NULL; +const char *fqname = NULL; +errno_t ret; + +tmp_ctx = talloc_new(NULL); +if (tmp_ctx == NULL) { +return ENOMEM; +} + +ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx, + &users); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n", +SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); +goto done; +} +if (users == NULL) { +ret = EOK; +goto done; +} + +for (int i = 0; users[i] != NULL; i++) { +fqname = sss_tc_fqname(tmp_ctx, domain->names, domain, users[i]); +if (fqname == NULL) { +DEBUG(SSSDBG_OP_FAILURE, "Could not create fgname.\n"); +ret = ENOMEM; +goto done; +}
[SSSD] [sssd PR#39][synchronized] RESPONDER: Enable sudoRule in case insen. domains (1.13)
URL: https://github.com/SSSD/sssd/pull/39 Author: celestian Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/39/head:pr39 git checkout pr39 From dbeb8eef5e1732b0d8b578f6648f27983b3147e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= Date: Wed, 12 Oct 2016 16:48:38 +0200 Subject: [PATCH 1/2] SYSDB: Adding lowercase sudoUser form If domain is not case sensitive we add lowercase form of usernames to sudoUser attributes. So we actually able to apply sudoRule on user Administrator@... with login admnistrator@... Resolves: https://fedorahosted.org/sssd/ticket/3203 (cherry picked from commit fbc12bcdad4547d698ddbb9771e125ff7ae981df) --- src/db/sysdb_sudo.c | 63 + 1 file changed, 63 insertions(+) diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c index 76116ab..ecf350f 100644 --- a/src/db/sysdb_sudo.c +++ b/src/db/sysdb_sudo.c 
@@ -801,6 +801,64 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule, return EOK; } +static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain, +struct sysdb_attrs *rule) +{ +TALLOC_CTX *tmp_ctx; +const char **users = NULL; +const char *lowered = NULL; +errno_t ret; + +if (domain->case_sensitive == true || rule == NULL) { +return EOK; +} + +tmp_ctx = talloc_new(NULL); +if (tmp_ctx == NULL) { +return ENOMEM; +} + +ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx, + &users); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n", +SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); +goto done; +} +if (users == NULL) { +ret = EOK; +goto done; +} + +for (int i = 0; users[i] != NULL; i++) { +lowered = sss_tc_utf8_str_tolower(tmp_ctx, users[i]); +if (lowered == NULL) { +DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n"); +ret = ENOMEM; +goto done; +} + +if (strcmp(users[i], lowered) == 0) { +/* It protects us from adding duplicate. */ +continue; +} + +ret = sysdb_attrs_add_string(rule, SYSDB_SUDO_CACHE_AT_USER, lowered); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, + "Unable to add %s attribute [%d]: %s\n", + SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); +goto done; +} +} + +ret = EOK; + +done: +talloc_zfree(tmp_ctx); +return ret; +} + static errno_t sysdb_sudo_store_rule(struct sss_domain_info *domain, struct sysdb_attrs *rule, @@ -817,6 +875,11 @@ sysdb_sudo_store_rule(struct sss_domain_info *domain, DEBUG(SSSDBG_TRACE_FUNC, "Adding sudo rule %s\n", name); +ret = sysdb_sudo_add_lowered_users(domain, rule); +if (ret != EOK) { +return ret; +} + ret = sysdb_sudo_add_sss_attrs(rule, name, cache_timeout, now); if (ret != EOK) { return ret; From 467feba75a6681fc41a2c87c0c82f2189ff059ee Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20=C4=8Cech?= Date: Tue, 18 Oct 2016 10:01:43 +0200 Subject: [PATCH 2/2] SYSDB: Adding fq user names to cached sudoRules This patch adds fg user names to sudoUser attribute of cached sudoRules. Resolves: https://fedorahosted.org/sssd/ticket/3203 --- src/db/sysdb_sudo.c | 54 + 1 file changed, 54 insertions(+) diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c index ecf350f..fb14912 100644 --- a/src/db/sysdb_sudo.c +++ b/src/db/sysdb_sudo.c @@ -801,6 +801,55 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule, return EOK; } +static errno_t sysdb_sudo_add_fq_users(struct sss_domain_info *domain, + struct sysdb_attrs *rule) +{ +TALLOC_CTX *tmp_ctx; +const char **users = NULL; +const char *fqname = NULL; +errno_t ret; + +tmp_ctx = talloc_new(NULL); +if (tmp_ctx == NULL) { +return ENOMEM; +} + +ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx, + &users); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n", +SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret)); +goto done; +} +if (users == NULL) { +ret = EOK; +goto done; +} + +for (int i = 0; users[i] != NULL; i++) { +fqname = sss_tc_fqname(tmp_ctx, domain->names, domain, users[i]); +if (fqname == NULL) { +DEBUG(SSSDBG_OP_FAILURE, "Could not create fgname.\n"); +ret = ENOMEM; +goto done; +}