URL: https://github.com/SSSD/sssd/pull/43 Author: celestian Title: #43: SUDO: Adding user name alias to sudoRule filter Action: opened
PR body: """ This patch adds another value to sudoUser attribute of sudoRule filter. The value is 'user alias' which means it is cased version of user (in domains where it matters). Resolves: https://fedorahosted.org/sssd/ticket/3203 ----- This is complement to #39 . The idea is some domains are case sensitive and another not. If we would like to search ```sudoRules``` we need handle user names. With this patch we add user name alias (case sensitive form) of user name to the ```sudoRule``` filter. Another point is we could save both forms of user name to cached ```sudoRules```. It could be extension of this patch. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/43/head:pr43 git checkout pr43
From be9c59fc9a66b0165a9b6bb4b82b8478c9f08f4f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com> Date: Fri, 7 Oct 2016 14:40:05 +0200 Subject: [PATCH] SUDO: Adding user name alias to sudoRule filter This patch adds another value to sudoUser attribute of sudoRule filter. The value is 'user alias' which means it is cased version of user (in domains where it matters). Resolves: https://fedorahosted.org/sssd/ticket/3203 --- src/db/sysdb_sudo.c | 28 +++++++++- src/db/sysdb_sudo.h | 3 + src/responder/sudo/sudosrv_get_sudorules.c | 90 +++++++++++++++++++++++++----- 3 files changed, 103 insertions(+), 18 deletions(-) diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c index 601fb63..cb4543e 100644 --- a/src/db/sysdb_sudo.c +++ b/src/db/sysdb_sudo.c @@ -218,6 +218,7 @@ errno_t sysdb_sudo_filter_rules_by_time(TALLOC_CTX *mem_ctx, static char * sysdb_sudo_filter_userinfo(TALLOC_CTX *mem_ctx, const char *username, + const char *username_alias, char **groupnames, uid_t uid) { @@ -250,6 +251,20 @@ sysdb_sudo_filter_userinfo(TALLOC_CTX *mem_ctx, goto done; } + if (strcmp(username, username_alias) != 0) { + ret = sss_filter_sanitize(tmp_ctx, username_alias, &sanitized_name); + if (ret != EOK) { + goto done; + } + + filter = talloc_asprintf_append(filter, "(%s=%s)", attr, + sanitized_name); + if (filter == NULL) { + ret = ENOMEM; + goto done; + } + } + if (uid != 0) { filter = talloc_asprintf_append(filter, "(%s=#%"SPRIuid")", attr, uid); if (filter == NULL) { @@ -289,6 +304,7 @@ sysdb_sudo_filter_userinfo(TALLOC_CTX *mem_ctx, char * sysdb_sudo_filter_expired(TALLOC_CTX *mem_ctx, const char *username, + const char *username_alias, char **groupnames, uid_t uid) { @@ -296,7 +312,8 @@ sysdb_sudo_filter_expired(TALLOC_CTX *mem_ctx, char *filter; time_t now; - userfilter = sysdb_sudo_filter_userinfo(mem_ctx, username, groupnames, uid); + userfilter = sysdb_sudo_filter_userinfo(mem_ctx, username, username_alias, + groupnames, uid); if (userfilter == NULL) { return NULL; } @@ -322,16 +339,19 @@ sysdb_sudo_filter_defaults(TALLOC_CTX *mem_ctx) SYSDB_NAME); } +//TODO char * sysdb_sudo_filter_user(TALLOC_CTX *mem_ctx, const char *username, + const char *username_alias, char **groupnames, uid_t uid) { char *userfilter; char *filter; - userfilter = sysdb_sudo_filter_userinfo(mem_ctx, username, groupnames, uid); + userfilter = sysdb_sudo_filter_userinfo(mem_ctx, username, username_alias, + groupnames, uid); if (userfilter == NULL) { return NULL; } @@ -347,13 +367,15 @@ sysdb_sudo_filter_user(TALLOC_CTX *mem_ctx, char * sysdb_sudo_filter_netgroups(TALLOC_CTX *mem_ctx, const char *username, + const char *username_alias, char **groupnames, uid_t uid) { char *userfilter; char *filter; - userfilter = sysdb_sudo_filter_userinfo(mem_ctx, username, groupnames, uid); + userfilter = sysdb_sudo_filter_userinfo(mem_ctx, username, username_alias, + groupnames, uid); if (userfilter == NULL) { return NULL; } diff --git a/src/db/sysdb_sudo.h b/src/db/sysdb_sudo.h index 9c2456c..d9a9c3c 100644 --- a/src/db/sysdb_sudo.h +++ b/src/db/sysdb_sudo.h @@ -99,6 +99,7 @@ errno_t sysdb_sudo_filter_rules_by_time(TALLOC_CTX *mem_ctx, char * sysdb_sudo_filter_expired(TALLOC_CTX *mem_ctx, const char *username, + const char *username_alias, char **groupnames, uid_t uid); @@ -108,12 +109,14 @@ sysdb_sudo_filter_defaults(TALLOC_CTX *mem_ctx); char * sysdb_sudo_filter_user(TALLOC_CTX *mem_ctx, const char *username, + const char *username_alias, char **groupnames, uid_t uid); char * sysdb_sudo_filter_netgroups(TALLOC_CTX *mem_ctx, const char *username, + const char *username_alias, char **groupnames, uid_t uid); diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c index 92a09f2..1656ece 100644 --- a/src/responder/sudo/sudosrv_get_sudorules.c +++ b/src/responder/sudo/sudosrv_get_sudorules.c @@ -171,6 +171,7 @@ static errno_t sudosrv_expired_rules(TALLOC_CTX *mem_ctx, struct sss_domain_info *domain, uid_t uid, const char *username, + const char *username_alias, char **groups, struct sysdb_attrs ***_rules, uint32_t *_num_rules) @@ -179,7 +180,8 @@ static errno_t sudosrv_expired_rules(TALLOC_CTX *mem_ctx, char *filter; errno_t ret; - filter = sysdb_sudo_filter_expired(NULL, username, groups, uid); + filter = sysdb_sudo_filter_expired(NULL, username, username_alias, + groups, uid); if (filter == NULL) { return ENOMEM; } @@ -195,6 +197,7 @@ static errno_t sudosrv_cached_rules_by_user(TALLOC_CTX *mem_ctx, struct sss_domain_info *domain, uid_t uid, const char *username, + const char *username_alias, char **groupnames, struct sysdb_attrs ***_rules, uint32_t *_num_rules) @@ -224,7 +227,8 @@ static errno_t sudosrv_cached_rules_by_user(TALLOC_CTX *mem_ctx, return ENOMEM; } - filter = sysdb_sudo_filter_user(tmp_ctx, username, groupnames, uid); + filter = sysdb_sudo_filter_user(tmp_ctx, username, username_alias, + groupnames, uid); if (filter == NULL) { ret = ENOMEM; goto done; @@ -267,6 +271,7 @@ static errno_t sudosrv_cached_rules_by_ng(TALLOC_CTX *mem_ctx, struct sss_domain_info *domain, uid_t uid, const char *username, + const char *username_alias, char **groupnames, struct sysdb_attrs ***_rules, uint32_t *_num_rules) @@ -287,7 +292,8 @@ static errno_t sudosrv_cached_rules_by_ng(TALLOC_CTX *mem_ctx, SYSDB_SUDO_CACHE_AT_ORDER, NULL }; - filter = sysdb_sudo_filter_netgroups(NULL, username, groupnames, uid); + filter = sysdb_sudo_filter_netgroups(NULL, username, username_alias, + groupnames, uid); if (filter == NULL) { return ENOMEM; } @@ -303,6 +309,7 @@ static errno_t sudosrv_cached_rules(TALLOC_CTX *mem_ctx, struct sss_domain_info *domain, uid_t uid, const char *username, + const char *username_alias, char **groups, bool inverse_order, struct sysdb_attrs ***_rules, @@ -323,14 +330,16 @@ static errno_t sudosrv_cached_rules(TALLOC_CTX *mem_ctx, return ENOMEM; } - ret = sudosrv_cached_rules_by_user(tmp_ctx, domain, uid, username, groups, - &user_rules, &num_user_rules); + ret = sudosrv_cached_rules_by_user(tmp_ctx, domain, uid, username, + username_alias, groups, &user_rules, + &num_user_rules); if (ret != EOK) { goto done; } - ret = sudosrv_cached_rules_by_ng(tmp_ctx, domain, uid, username, groups, - &ng_rules, &num_ng_rules); + ret = sudosrv_cached_rules_by_ng(tmp_ctx, domain, uid, username, + username_alias, groups, &ng_rules, + &num_ng_rules); if (ret != EOK) { goto done; } @@ -412,6 +421,7 @@ static errno_t sudosrv_fetch_rules(TALLOC_CTX *mem_ctx, struct sss_domain_info *domain, uid_t uid, const char *username, + const char *username_alias, char **groups, bool inverse_order, struct sysdb_attrs ***_rules, @@ -428,8 +438,9 @@ static errno_t sudosrv_fetch_rules(TALLOC_CTX *mem_ctx, username, domain->name); debug_name = "rules"; - ret = sudosrv_cached_rules(mem_ctx, domain, uid, username, groups, - inverse_order, &rules, &num_rules); + ret = sudosrv_cached_rules(mem_ctx, domain, uid, username, + username_alias, groups, inverse_order, + &rules, &num_rules); break; case SSS_SUDO_DEFAULTS: @@ -481,6 +492,7 @@ sudosrv_refresh_rules_send(TALLOC_CTX *mem_ctx, struct sss_domain_info *domain, uid_t uid, const char *username, + const char *username_alias, char **groups) { struct sudosrv_refresh_rules_state *state; @@ -501,8 +513,8 @@ sudosrv_refresh_rules_send(TALLOC_CTX *mem_ctx, state->domain = domain; state->username = username; - ret = sudosrv_expired_rules(state, domain, uid, username, groups, - &rules, &num_rules); + ret = sudosrv_expired_rules(state, domain, uid, username, username_alias, + groups, &rules, &num_rules); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Unable to retrieve expired sudo rules [%d]: %s\n", @@ -606,6 +618,7 @@ struct sudosrv_get_rules_state { enum sss_sudo_type type; uid_t uid; char *username; + char *username_alias; struct sss_domain_info *domain; char **groups; bool inverse_order; @@ -666,22 +679,68 @@ struct tevent_req *sudosrv_get_rules_send(TALLOC_CTX *mem_ctx, return req; } +static errno_t cache_req_initgr_get_user_alias(TALLOC_CTX *mem_ctx, + struct ldb_result *initgr, + char **_user_alias) +{ + const char *obj_class = NULL; + const char *user_alias = NULL; + errno_t ret; + + for (int i = 0; i < initgr->count; i++) { + obj_class = ldb_msg_find_attr_as_string(initgr->msgs[i], + SYSDB_OBJECTCLASS, NULL); + if (obj_class == NULL) { + ret = ENOENT; + goto done; + } + + if (strcmp(obj_class, SYSDB_USER_CLASS) == 0) { + user_alias = ldb_msg_find_attr_as_string(initgr->msgs[i], + SYSDB_NAME, NULL); + if (user_alias == NULL) { + ret = ENOENT; + goto done; + } + break; + } + } + + if (user_alias == NULL) { + ret = ENOENT; + goto done; + } + + *_user_alias = talloc_steal(mem_ctx, discard_const(user_alias)); + ret = EOK; + +done: + return ret; +} + static void sudosrv_get_rules_initgr_done(struct tevent_req *subreq) { struct sudosrv_get_rules_state *state; struct tevent_req *req; + struct ldb_result *initgr_res; errno_t ret; req = tevent_req_callback_data(subreq, struct tevent_req); state = tevent_req_data(req, struct sudosrv_get_rules_state); - ret = cache_req_initgr_by_name_recv(state, subreq, NULL, + ret = cache_req_initgr_by_name_recv(state, subreq, &initgr_res, &state->domain, &state->username); talloc_zfree(subreq); if (ret != EOK) { goto done; } + ret = cache_req_initgr_get_user_alias(state, initgr_res, + &state->username_alias); + if (ret != EOK) { + goto done; + } + ret = sysdb_get_sudo_user_info(state, state->domain, state->username, NULL, &state->groups); if (ret != EOK) { @@ -692,7 +751,8 @@ static void sudosrv_get_rules_initgr_done(struct tevent_req *subreq) subreq = sudosrv_refresh_rules_send(state, state->ev, state->rctx, state->domain, state->uid, - state->username, state->groups); + state->username, state->username_alias, + state->groups); if (subreq == NULL) { ret = ENOMEM; goto done; @@ -729,8 +789,8 @@ static void sudosrv_get_rules_done(struct tevent_req *subreq) } ret = sudosrv_fetch_rules(state, state->type, state->domain, state->uid, - state->username, state->groups, - state->inverse_order, + state->username, state->username_alias, + state->groups, state->inverse_order, &state->rules, &state->num_rules); if (ret != EOK) {
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
