/[smeserver]/rpms/sudo/sme9/sudo-1.8.6p3-netgrfilterfix.patch
ViewVC logotype

Annotation of /rpms/sudo/sme9/sudo-1.8.6p3-netgrfilterfix.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Thu Feb 4 19:44:23 2021 UTC (3 years, 9 months ago) by jpp
Branch: MAIN
CVS Tags: sudo-1_8_6p3-30_el6_sme, sudo-1_8_6p3-29_el6_9, HEAD
Sudo

1 jpp 1.1 diff -up sudo-1.8.6p3/plugins/sudoers/sssd.c.netgrfilterfix sudo-1.8.6p3/plugins/sudoers/sssd.c
2     --- sudo-1.8.6p3/plugins/sudoers/sssd.c.netgrfilterfix 2014-07-30 13:29:47.713823996 +0200
3     +++ sudo-1.8.6p3/plugins/sudoers/sssd.c 2014-07-30 13:30:08.917436088 +0200
4     @@ -614,16 +615,13 @@ sudo_sss_check_host(struct sudo_sss_hand
5     }
6    
7     /*
8     - * Look for netgroup specifcations in the sudoUser attribute and
9     - * if found, filter according to netgroup membership.
10     - * returns:
11     - * true -> netgroup spec found && negroup member
12     - * false -> netgroup spec found && not a meber of netgroup
13     - * true -> netgroup spec not found (filtered by SSSD already, netgroups are an exception)
14     + * SSSD doesn't handle netgroups, we have to ensure they are correctly filtered
15     + * in sudo. The rules may contain mixed sudoUser specification so we have to check
16     + * not only for netgroup membership but also for user and group matches.
17     */
18     -bool sudo_sss_filter_user_netgroup(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
19     +bool sudo_sss_filter_sudoUser(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
20     {
21     - bool ret = false, netgroup_spec_found = false;
22     + bool ret = false;
23     char **val_array, *val;
24     int i;
25     debug_decl(sudo_sss_check_user_netgroup, SUDO_DEBUG_SSSD);
26     @@ -641,21 +639,48 @@ bool sudo_sss_filter_user_netgroup(struc
27     sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoUser): != 0");
28     debug_return_bool(ret);
29     }
30     -
31     + /*
32     + * Scan sudoUser values and look for netgroup specs.
33     + * Netgroup-only rule specification should be filtered
34     + * out if the user isn't member of any specified netgroup.
35     + */
36     for (i = 0; val_array[i] != NULL && !ret; ++i) {
37     val = val_array[i];
38     - if (*val == '+') {
39     - netgroup_spec_found = true;
40     - }
41     sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
42     - if (strcmp(val, "ALL") == 0 || netgr_matches(val, NULL, NULL, user_name)) {
43     - ret = true;
44     - sudo_debug_printf(SUDO_DEBUG_DIAG,
45     - "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, user_name);
46     + if (*val == '+') {
47     + /* Netgroup spec found, check netgroup membership */
48     + if (netgr_matches(val, NULL, NULL, handle->pw->pw_name)) {
49     + ret = true;
50     + sudo_debug_printf(SUDO_DEBUG_DIAG,
51     + "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, handle->pw->pw_name);
52     + }
53     + } else {
54     + /*
55     + * Non-netgroup sudoUser value
56     + */
57     + if (strcmp(val, "ALL") == 0) {
58     + ret = true;
59     + } else {
60     + const char *match_val = (*val == '!' ? val + 1 : val);
61     + const bool negated = (*val == '!' ? true : false);
62     + const bool group_spec = (*match_val == '%' ? true : false);
63     +
64     + if (group_spec) {
65     + if (usergr_matches(match_val,
66     + handle->pw->pw_name, handle->pw)) {
67     + ret = !negated;
68     + }
69     + } else {
70     + if (userpw_matches(match_val,
71     + handle->pw->pw_name, handle->pw)) {
72     + ret = !negated;
73     + }
74     + }
75     + }
76     }
77     }
78     handle->fn_free_values(val_array);
79     - debug_return_bool(netgroup_spec_found ? ret : true);
80     + debug_return_bool(ret);
81     }
82    
83     static int
84     @@ -666,7 +691,7 @@ sudo_sss_result_filterp(struct sudo_sss_
85     debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD);
86    
87     if (sudo_sss_check_host(handle, rule) &&
88     - sudo_sss_filter_user_netgroup(handle, rule))
89     + sudo_sss_filter_sudoUser(handle, rule))
90     debug_return_int(1);
91     else
92     debug_return_int(0);

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed