
Contents of /rpms/sudo/sme9/sudo-1.8.6p3-netgroup_tuple.patch



Revision 1.1 - (show annotations) (download)
Thu Feb 4 19:44:24 2021 UTC (3 years, 9 months ago) by jpp
Branch: MAIN
CVS Tags: sudo-1_8_6p3-30_el6_sme, sudo-1_8_6p3-29_el6_9, HEAD
Sudo

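diff -up sudo-1.8.6p3/plugins/sudoers/defaults.c.netgroup_tuple sudo-1.8.6p3/plugins/sudoers/defaults.c
--- sudo-1.8.6p3/plugins/sudoers/defaults.c.netgroup_tuple 2015-09-24 09:47:12.302832111 +0200
+++ sudo-1.8.6p3/plugins/sudoers/defaults.c 2015-09-24 09:49:55.637827777 +0200
@@ -362,6 +362,7 @@ init_defaults(void)
 }
 
 /* First initialize the flags. */
+ def_netgroup_tuple = false;
 def_legacy_group_processing = true;
 #ifdef LONG_OTP_PROMPT
 def_long_otp_prompt = true;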
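diff -up sudo-1.8.6p3/plugins/sudoers/def_data.c.netgroup_tuple sudo-1.8.6p3/plugins/sudoers/def_data.c
--- sudo-1.8.6p3/plugins/sudoers/def_data.c.netgroup_tuple 2015-09-24 09:34:23.073852520 +0200
+++ sudo-1.8.6p3/plugins/sudoers/def_data.c 2015-09-24 09:54:40.369820222 +0200
@@ -359,6 +359,10 @@ struct sudo_defs_types sudo_defs_table[]
 N_("Don't pre-resolve all group names"),
 NULL,
 }, {
+ "netgroup_tuple", T_FLAG,
+ N_("Use both user and host/domain fields when matching netgroups"),
+ NULL,
+ }, {
 NULL, 0, NULL
 }
 };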
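Review bot: The new `netgroup_tuple` entry is added by hand to sudo_defs_table, but in the sudo tree def_data.c, def_data.h and the flag initialisation in defaults.c are generated from plugins/sudoers/def_data.in by mkdefaults, and this patch does not touch def_data.in, so a regeneration would silently drop the option and shift index 84; if this tree still carries def_data.in, add the entry there as well. The same concern covers the two `#define`s at index 84 in the def_data.h section. The N_() description is the only documentation the option receives — the sudoers manual is not updated anywhere in this patch — so an administrator has no way to learn that, with the flag at its default of false, netgroup matching still consults only the user field of the triple; a sentence in the manual's Defaults list, mirroring the N_() text and stating the default, would close that gap.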
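diff -up sudo-1.8.6p3/plugins/sudoers/def_data.h.netgroup_tuple sudo-1.8.6p3/plugins/sudoers/def_data.h
--- sudo-1.8.6p3/plugins/sudoers/def_data.h.netgroup_tuple 2015-09-24 09:34:29.321852355 +0200
+++ sudo-1.8.6p3/plugins/sudoers/def_data.h 2015-09-24 09:46:53.325832614 +0200
@@ -166,6 +166,8 @@
 #define I_CMND_NO_WAIT 82
 #define def_legacy_group_processing (sudo_defs_table[83].sd_un.flag)
 #define I_LEGACY_GROUP_PROCESSING 83
+#define def_netgroup_tuple (sudo_defs_table[84].sd_un.flag)
+#define I_NETGROUP_TUPLE 84
 
 enum def_tuple {
 never,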
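diff -up sudo-1.8.6p3/plugins/sudoers/ldap.c.netgroup_tuple sudo-1.8.6p3/plugins/sudoers/ldap.c
--- sudo-1.8.6p3/plugins/sudoers/ldap.c.netgroup_tuple 2015-09-24 09:59:12.779812995 +0200
+++ sudo-1.8.6p3/plugins/sudoers/ldap.c 2015-09-24 10:39:44.523748475 +0200
@@ -635,8 +635,12 @@ sudo_ldap_check_user_netgroup(LDAP *ld,
 for (p = bv; *p != NULL && !ret; p++) {
 val = (*p)->bv_val;
 /* match any */
- if (netgr_matches(val, NULL, NULL, user))
- ret = true;
+ if (netgr_matches(val,
+ def_netgroup_tuple ? user_host : NULL,
+ def_netgroup_tuple ? user_shost : NULL,
+ user)) {
+ ret = true;
+ }
 DPRINTF(("ldap sudoUser netgroup '%s' ... %s", val,
 ret ? "MATCH!" : "not"), 2 + ((ret) ? 0 : 1));
 }
@@ -651,7 +655,7 @@ sudo_ldap_check_user_netgroup(LDAP *ld,
 * host match, else false.
 */
 static bool
-sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry)
+sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry, char *user)
 {
 struct berval **bv, **p;
 char *val;
@@ -671,7 +675,7 @@ sudo_ldap_check_host(LDAP *ld, LDAPMessa
 val = (*p)->bv_val;
 /* match any or address or netgroup or hostname */
 if (!strcmp(val, "ALL") || addr_matches(val) ||
- netgr_matches(val, user_host, user_shost, NULL) ||
+ netgr_matches(val, user_host, user_shost, def_netgroup_tuple ? user : NULL) ||
 hostname_matches(user_shost, user_host, val))
 ret = true;
 DPRINTF(("ldap sudoHost '%s' ... %s", val,
@@ -728,7 +732,10 @@ sudo_ldap_check_runas_user(LDAP *ld, LDA
 val = (*p)->bv_val;
 switch (val[0]) {
 case '+':
- if (netgr_matches(val, NULL, NULL, runas_pw->pw_name))
+ if (netgr_matches(val,
+ def_netgroup_tuple ? user_host : NULL,
+ def_netgroup_tuple ? user_shost : NULL,
+ runas_pw->pw_name))
 ret = true;
 break;
 case '%':
@@ -2679,13 +2686,13 @@ sudo_ldap_result_get(struct sudo_nss *ns
 LDAP_FOREACH(entry, ld, result) {
 if (do_netgr) {
 if (sudo_ldap_check_user_netgroup(ld, entry, pw->pw_name) &&
- sudo_ldap_check_host(ld, entry)) {
+ sudo_ldap_check_host(ld, entry, pw->pw_name)) {
 lres->host_matches = true;
 lres->user_matches = true;
 sudo_ldap_result_add_entry(lres, entry);
 }
 } else {
- if (sudo_ldap_check_host(ld, entry)) {
+ if (sudo_ldap_check_host(ld, entry, pw->pw_name)) {
 lres->host_matches = true;
 sudo_ldap_result_add_entry(lres, entry);
 }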
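Review bot: The `user` parameter added to sudo_ldap_check_host in the second hunk is only ever forwarded to netgr_matches, so it should be declared `const char *user` rather than `char *user`; the callers in the last hunk pass pw->pw_name, which needs no write access. The function's header comment, which that hunk cuts into (`* host match, else false.`), should also describe the new argument, e.g. `user: the invoking user's name, consulted only when the netgroup_tuple flag is set`. The same const and documentation point applies to the `char *user` added to sudo_sss_ipa_hostname_matches in the sssd.c section. The first hunk braces the single-statement `ret = true;` while the otherwise parallel hunk in sudo_ldap_check_runas_user leaves it unbraced; either is fine, but the two should agree. If ldap.c carries a forward prototype for sudo_ldap_check_host above these hunks it needs the new parameter too; none is shown here, and every enclosing function starts or ends outside its hunk.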
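diff -up sudo-1.8.6p3/plugins/sudoers/match.c.netgroup_tuple sudo-1.8.6p3/plugins/sudoers/match.c
--- sudo-1.8.6p3/plugins/sudoers/match.c.netgroup_tuple 2015-09-24 10:49:42.271732615 +0200
+++ sudo-1.8.6p3/plugins/sudoers/match.c 2015-09-24 10:57:40.555719925 +0200
@@ -115,7 +115,10 @@ userlist_matches(struct passwd *pw, stru
 matched = !m->negated;
 break;
 case NETGROUP:
- if (netgr_matches(m->name, NULL, NULL, pw->pw_name))
+ if (netgr_matches(m->name,
+ def_netgroup_tuple ? user_host : NULL,
+ def_netgroup_tuple ? user_shost : NULL,
+ pw->pw_name))
 matched = !m->negated;
 break;
 case USERGROUP:
@@ -170,7 +173,10 @@ runaslist_matches(struct member_list *us
 user_matched = !m->negated;
 break;
 case NETGROUP:
- if (netgr_matches(m->name, NULL, NULL, runas_pw->pw_name))
+ if (netgr_matches(m->name,
+ def_netgroup_tuple ? user_host : NULL,
+ def_netgroup_tuple ? user_shost : NULL,
+ runas_pw->pw_name))
 user_matched = !m->negated;
 break;
 case USERGROUP:
@@ -267,7 +273,7 @@ hostlist_matches(struct member_list *lis
 matched = !m->negated;
 break;
 case NETGROUP:
- if (netgr_matches(m->name, user_host, user_shost, NULL))
+ if (netgr_matches(m->name, user_host, user_shost, def_netgroup_tuple ? user_name : NULL))
 matched = !m->negated;
 break;
 case NTWKADDR: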
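Review bot: The pair `def_netgroup_tuple ? user_host : NULL, def_netgroup_tuple ? user_shost : NULL` is spelled out in userlist_matches and runaslist_matches here and four more times in the ldap.c and sssd.c sections, so the meaning of the flag is now encoded at six call sites. A single helper next to netgr_matches, `static inline bool netgr_matches_user(const char *netgr, const char *user) { return netgr_matches(netgr, def_netgroup_tuple ? user_host : NULL, def_netgroup_tuple ? user_shost : NULL, user); }`, would keep that decision in one place and make each call read as "match this user". In the third hunk hostlist_matches consults the global user_name while userlist_matches uses the pw it was given; that follows from hostlist_matches taking no passwd, but a short comment such as `/* no pw here: the invoking user is the relevant one */` would spare the next reader the comparison. All three enclosing functions start and end outside their hunks.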
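diff -up sudo-1.8.6p3/plugins/sudoers/sssd.c.netgroup_tuple sudo-1.8.6p3/plugins/sudoers/sssd.c
--- sudo-1.8.6p3/plugins/sudoers/sssd.c.netgroup_tuple 2015-09-24 10:41:40.376745401 +0200
+++ sudo-1.8.6p3/plugins/sudoers/sssd.c 2015-09-24 10:48:56.699733824 +0200
@@ -451,7 +451,10 @@ sudo_sss_check_runas_user(struct sudo_ss
 switch (val[0]) {
 case '+':
 sudo_debug_printf(SUDO_DEBUG_DEBUG, "netgr_");
- if (netgr_matches(val, NULL, NULL, runas_pw->pw_name)) {
+ if (netgr_matches(val,
+ def_netgroup_tuple ? user_host : NULL,
+ def_netgroup_tuple ? user_shost : NULL,
+ runas_pw->pw_name)) {
 sudo_debug_printf(SUDO_DEBUG_DEBUG, "=> match");
 ret = true;
 }
@@ -550,7 +553,7 @@ sudo_sss_check_runas(struct sudo_sss_han
 debug_return_bool(ret);
 }
 
-static bool sudo_sss_ipa_hostname_matches(const char *hostname_val)
+static bool sudo_sss_ipa_hostname_matches(const char *hostname_val, char *user)
 {
 bool ret = false;
 char *ipa_hostname_val;
@@ -558,7 +561,7 @@ static bool sudo_sss_ipa_hostname_matche
 
 if ((ipa_hostname_val = ipa_hostname()) != NULL) {
 ret = hostname_matches(ipa_hostname_val, ipa_hostname_val, hostname_val) || \
- netgr_matches(hostname_val, ipa_hostname_val, ipa_hostname_val, NULL);
+ netgr_matches(hostname_val, ipa_hostname_val, ipa_hostname_val, def_netgroup_tuple ? user : NULL);
 }
 
 sudo_debug_printf(SUDO_DEBUG_TRACE, "IPA hostname (%s) matches %s => %s",
@@ -599,8 +602,9 @@ sudo_sss_check_host(struct sudo_sss_hand
 
 /* match any or address or netgroup or hostname */
 if (!strcmp(val, "ALL") || addr_matches(val) ||
- sudo_sss_ipa_hostname_matches(val) ||
- netgr_matches(val, user_host, user_shost, NULL) ||
+ sudo_sss_ipa_hostname_matches(val, handle->pw->pw_name) ||
+ netgr_matches(val, user_host, user_shost,
+ def_netgroup_tuple ? handle->pw->pw_name : NULL) ||
 hostname_matches(user_shost, user_host, val))
 ret = true;
 
@@ -648,7 +652,10 @@ bool sudo_sss_filter_sudoUser(struct sud
 sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
 if (*val == '+') {
 /* Netgroup spec found, check netgroup membership */
- if (netgr_matches(val, NULL, NULL, handle->pw->pw_name)) {
+ if (netgr_matches(val,
+ def_netgroup_tuple ? user_host : NULL,
+ def_netgroup_tuple ? user_shost : NULL,
+ handle->pw->pw_name)) {
 ret = true;
 sudo_debug_printf(SUDO_DEBUG_DIAG,
 "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, handle->pw->pw_name);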
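Review bot: The netgroup_tuple decision is applied in two different places within the same condition in sudo_sss_check_host (fourth hunk): sudo_sss_ipa_hostname_matches is always handed handle->pw->pw_name and applies `def_netgroup_tuple ? user : NULL` inside (third hunk), while the neighbouring netgr_matches call applies the identical conditional at the call site. Settling on one convention — passing the already-resolved value, `sudo_sss_ipa_hostname_matches(val, def_netgroup_tuple ? handle->pw->pw_name : NULL)`, and forwarding `user` unchanged inside the helper — keeps the helper unaware of the option and mirrors how the sibling call is written. The `char *user` added to sudo_sss_ipa_hostname_matches is only forwarded, so it should be `const char *user`. The bodies of sudo_sss_ipa_hostname_matches and of the other enclosing functions extend outside these hunks.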
