
Annotation of /rpms/sudo/sme9/sudo-1.8.6p3-netgroup_tuple.patch



Revision 1.1 - (hide annotations) (download)
Thu Feb 4 19:44:24 2021 UTC (3 years, 8 months ago) by jpp
Branch: MAIN
CVS Tags: sudo-1_8_6p3-30_el6_sme, sudo-1_8_6p3-29_el6_9, HEAD
Sudo

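diff -up sudo-1.8.6p3/plugins/sudoers/defaults.c.netgroup_tuple sudo-1.8.6p3/plugins/sudoers/defaults.c
--- sudo-1.8.6p3/plugins/sudoers/defaults.c.netgroup_tuple 2015-09-24 09:47:12.302832111 +0200
+++ sudo-1.8.6p3/plugins/sudoers/defaults.c 2015-09-24 09:49:55.637827777 +0200
@@ -362,6 +362,7 @@ init_defaults(void)
 }
 
 /* First initialize the flags. */
+ def_netgroup_tuple = false;
 def_legacy_group_processing = true;
 #ifdef LONG_OTP_PROMPT
 def_long_otp_prompt = true;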
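diff -up sudo-1.8.6p3/plugins/sudoers/def_data.c.netgroup_tuple sudo-1.8.6p3/plugins/sudoers/def_data.c
--- sudo-1.8.6p3/plugins/sudoers/def_data.c.netgroup_tuple 2015-09-24 09:34:23.073852520 +0200
+++ sudo-1.8.6p3/plugins/sudoers/def_data.c 2015-09-24 09:54:40.369820222 +0200
@@ -359,6 +359,10 @@ struct sudo_defs_types sudo_defs_table[]
 N_("Don't pre-resolve all group names"),
 NULL,
 }, {
+ "netgroup_tuple", T_FLAG,
+ N_("Use both user and host/domain fields when matching netgroups"),
+ NULL,
+ }, {
 NULL, 0, NULL
 }
 };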
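Review bot: The new `sudo_defs_table` entry here and the `sudo_defs_table[84]` / `I_NETGROUP_TUPLE 84` macros in the def_data.h section are edited by hand, but in upstream sudo both def_data.c and def_data.h are generated from `def_data.in` by `mkdefaults`; if this tree keeps that flow, the next regeneration silently drops the option and the index pairing with it. The patch should also carry the matching `def_data.in` stanza (the `netgroup_tuple` name, `T_FLAG`, and the N_() description) so that 84 is the position the generator assigns rather than one maintained by hand. As written the pairing is consistent, since the entry is appended directly after `legacy_group_processing` (83) and the `NULL, 0, NULL` terminator stays last.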
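diff -up sudo-1.8.6p3/plugins/sudoers/def_data.h.netgroup_tuple sudo-1.8.6p3/plugins/sudoers/def_data.h
--- sudo-1.8.6p3/plugins/sudoers/def_data.h.netgroup_tuple 2015-09-24 09:34:29.321852355 +0200
+++ sudo-1.8.6p3/plugins/sudoers/def_data.h 2015-09-24 09:46:53.325832614 +0200
@@ -166,6 +166,8 @@
 #define I_CMND_NO_WAIT 82
 #define def_legacy_group_processing (sudo_defs_table[83].sd_un.flag)
 #define I_LEGACY_GROUP_PROCESSING 83
+#define def_netgroup_tuple (sudo_defs_table[84].sd_un.flag)
+#define I_NETGROUP_TUPLE 84
 
 enum def_tuple {
 never,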
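diff -up sudo-1.8.6p3/plugins/sudoers/ldap.c.netgroup_tuple sudo-1.8.6p3/plugins/sudoers/ldap.c
--- sudo-1.8.6p3/plugins/sudoers/ldap.c.netgroup_tuple 2015-09-24 09:59:12.779812995 +0200
+++ sudo-1.8.6p3/plugins/sudoers/ldap.c 2015-09-24 10:39:44.523748475 +0200
@@ -635,8 +635,12 @@ sudo_ldap_check_user_netgroup(LDAP *ld,
 for (p = bv; *p != NULL && !ret; p++) {
 val = (*p)->bv_val;
 /* match any */
- if (netgr_matches(val, NULL, NULL, user))
- ret = true;
+ if (netgr_matches(val,
+ def_netgroup_tuple ? user_host : NULL,
+ def_netgroup_tuple ? user_shost : NULL,
+ user)) {
+ ret = true;
+ }
 DPRINTF(("ldap sudoUser netgroup '%s' ... %s", val,
 ret ? "MATCH!" : "not"), 2 + ((ret) ? 0 : 1));
 }
@@ -651,7 +655,7 @@ sudo_ldap_check_user_netgroup(LDAP *ld,
 * host match, else false.
 */
 static bool
-sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry)
+sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry, char *user)
 {
 struct berval **bv, **p;
 char *val;
@@ -671,7 +675,7 @@ sudo_ldap_check_host(LDAP *ld, LDAPMessa
 val = (*p)->bv_val;
 /* match any or address or netgroup or hostname */
 if (!strcmp(val, "ALL") || addr_matches(val) ||
- netgr_matches(val, user_host, user_shost, NULL) ||
+ netgr_matches(val, user_host, user_shost, def_netgroup_tuple ? user : NULL) ||
 hostname_matches(user_shost, user_host, val))
 ret = true;
 DPRINTF(("ldap sudoHost '%s' ... %s", val,
@@ -728,7 +732,10 @@ sudo_ldap_check_runas_user(LDAP *ld, LDA
 val = (*p)->bv_val;
 switch (val[0]) {
 case '+':
- if (netgr_matches(val, NULL, NULL, runas_pw->pw_name))
+ if (netgr_matches(val,
+ def_netgroup_tuple ? user_host : NULL,
+ def_netgroup_tuple ? user_shost : NULL,
+ runas_pw->pw_name))
 ret = true;
 break;
 case '%':
@@ -2679,13 +2686,13 @@ sudo_ldap_result_get(struct sudo_nss *ns
 LDAP_FOREACH(entry, ld, result) {
 if (do_netgr) {
 if (sudo_ldap_check_user_netgroup(ld, entry, pw->pw_name) &&
- sudo_ldap_check_host(ld, entry)) {
+ sudo_ldap_check_host(ld, entry, pw->pw_name)) {
 lres->host_matches = true;
 lres->user_matches = true;
 sudo_ldap_result_add_entry(lres, entry);
 }
 } else {
- if (sudo_ldap_check_host(ld, entry)) {
+ if (sudo_ldap_check_host(ld, entry, pw->pw_name)) {
 lres->host_matches = true;
 sudo_ldap_result_add_entry(lres, entry);
 }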
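Review bot: The `def_netgroup_tuple ? user_host : NULL, def_netgroup_tuple ? user_shost : NULL` argument pair is spelled out inline at six call sites across this file, match.c and sssd.c (the user-netgroup and runas hunks here, `userlist_matches`/`runaslist_matches`, `sudo_sss_check_runas_user`/`sudo_sss_filter_sudoUser`); a single wrapper next to `netgr_matches()` in match.c, e.g. `bool netgr_matches_user(char *netgr, char *user)` declared wherever `netgr_matches` is, would leave one place to audit how the host tuple is supplied. The first hunk also introduces braces around the single-statement `ret = true;` while the `sudo_ldap_check_runas_user` hunk in the same file leaves the equivalent `if` unbraced; the patch should pick one form. Both `sudo_ldap_check_user_netgroup` and `sudo_ldap_check_host` extend beyond their hunks.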
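diff -up sudo-1.8.6p3/plugins/sudoers/match.c.netgroup_tuple sudo-1.8.6p3/plugins/sudoers/match.c
--- sudo-1.8.6p3/plugins/sudoers/match.c.netgroup_tuple 2015-09-24 10:49:42.271732615 +0200
+++ sudo-1.8.6p3/plugins/sudoers/match.c 2015-09-24 10:57:40.555719925 +0200
@@ -115,7 +115,10 @@ userlist_matches(struct passwd *pw, stru
 matched = !m->negated;
 break;
 case NETGROUP:
- if (netgr_matches(m->name, NULL, NULL, pw->pw_name))
+ if (netgr_matches(m->name,
+ def_netgroup_tuple ? user_host : NULL,
+ def_netgroup_tuple ? user_shost : NULL,
+ pw->pw_name))
 matched = !m->negated;
 break;
 case USERGROUP:
@@ -170,7 +173,10 @@ runaslist_matches(struct member_list *us
 user_matched = !m->negated;
 break;
 case NETGROUP:
- if (netgr_matches(m->name, NULL, NULL, runas_pw->pw_name))
+ if (netgr_matches(m->name,
+ def_netgroup_tuple ? user_host : NULL,
+ def_netgroup_tuple ? user_shost : NULL,
+ runas_pw->pw_name))
 user_matched = !m->negated;
 break;
 case USERGROUP:
@@ -267,7 +273,7 @@ hostlist_matches(struct member_list *lis
 matched = !m->negated;
 break;
 case NETGROUP:
- if (netgr_matches(m->name, user_host, user_shost, NULL))
+ if (netgr_matches(m->name, user_host, user_shost, def_netgroup_tuple ? user_name : NULL))
 matched = !m->negated;
 break;
 case NTWKADDR: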
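Review bot: `hostlist_matches()` passes the global `user_name` as the netgroup user, whereas `userlist_matches()` in the hunk above and the LDAP and SSSD host checks in this same patch (`sudo_ldap_check_host`, `sudo_sss_check_host`) thread `pw->pw_name` through; if `pw` can differ from the invoking user on some path, the file-based host check and the directory-backed ones would consult different user/host tuples for the same sudoers entry. I cannot see from this hunk whether `hostlist_matches()` has access to that `pw` (its signature is outside the hunk), so either a parameter is needed or a comment on the `user_name` line stating why the invoking user is the intended subject here, e.g. `/* netgroup_tuple: host entries are matched against the invoking user, not pw */`. Each of the three enclosing functions starts and ends outside its hunk.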
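diff -up sudo-1.8.6p3/plugins/sudoers/sssd.c.netgroup_tuple sudo-1.8.6p3/plugins/sudoers/sssd.c
--- sudo-1.8.6p3/plugins/sudoers/sssd.c.netgroup_tuple 2015-09-24 10:41:40.376745401 +0200
+++ sudo-1.8.6p3/plugins/sudoers/sssd.c 2015-09-24 10:48:56.699733824 +0200
@@ -451,7 +451,10 @@ sudo_sss_check_runas_user(struct sudo_ss
 switch (val[0]) {
 case '+':
 sudo_debug_printf(SUDO_DEBUG_DEBUG, "netgr_");
- if (netgr_matches(val, NULL, NULL, runas_pw->pw_name)) {
+ if (netgr_matches(val,
+ def_netgroup_tuple ? user_host : NULL,
+ def_netgroup_tuple ? user_shost : NULL,
+ runas_pw->pw_name)) {
 sudo_debug_printf(SUDO_DEBUG_DEBUG, "=> match");
 ret = true;
 }
@@ -550,7 +553,7 @@ sudo_sss_check_runas(struct sudo_sss_han
 debug_return_bool(ret);
 }
 
-static bool sudo_sss_ipa_hostname_matches(const char *hostname_val)
+static bool sudo_sss_ipa_hostname_matches(const char *hostname_val, char *user)
 {
 bool ret = false;
 char *ipa_hostname_val;
@@ -558,7 +561,7 @@ static bool sudo_sss_ipa_hostname_matche
 
 if ((ipa_hostname_val = ipa_hostname()) != NULL) {
 ret = hostname_matches(ipa_hostname_val, ipa_hostname_val, hostname_val) || \
- netgr_matches(hostname_val, ipa_hostname_val, ipa_hostname_val, NULL);
+ netgr_matches(hostname_val, ipa_hostname_val, ipa_hostname_val, def_netgroup_tuple ? user : NULL);
 }
 
 sudo_debug_printf(SUDO_DEBUG_TRACE, "IPA hostname (%s) matches %s => %s",
@@ -599,8 +602,9 @@ sudo_sss_check_host(struct sudo_sss_hand
 
 /* match any or address or netgroup or hostname */
 if (!strcmp(val, "ALL") || addr_matches(val) ||
- sudo_sss_ipa_hostname_matches(val) ||
- netgr_matches(val, user_host, user_shost, NULL) ||
+ sudo_sss_ipa_hostname_matches(val, handle->pw->pw_name) ||
+ netgr_matches(val, user_host, user_shost,
+ def_netgroup_tuple ? handle->pw->pw_name : NULL) ||
 hostname_matches(user_shost, user_host, val))
 ret = true;
 
@@ -648,7 +652,10 @@ bool sudo_sss_filter_sudoUser(struct sud
 sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
 if (*val == '+') {
 /* Netgroup spec found, check netgroup membership */
- if (netgr_matches(val, NULL, NULL, handle->pw->pw_name)) {
+ if (netgr_matches(val,
+ def_netgroup_tuple ? user_host : NULL,
+ def_netgroup_tuple ? user_shost : NULL,
+ handle->pw->pw_name)) {
 ret = true;
 sudo_debug_printf(SUDO_DEBUG_DIAG,
 "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, handle->pw->pw_name);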
