
Contents of /rpms/sudo/sme9/sudo-1.8.6p3-sssdfixes.patch



Revision 1.1 - (show annotations) (download)
Thu Feb 4 19:44:36 2021 UTC (3 years, 4 months ago) by jpp
Branch: MAIN
CVS Tags: sudo-1_8_6p3-30_el6_sme, sudo-1_8_6p3-29_el6_9, HEAD
Sudo

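diff -up sudo-1.8.6p3/plugins/sudoers/sssd.c.sssdfixes sudo-1.8.6p3/plugins/sudoers/sssd.c
--- sudo-1.8.6p3/plugins/sudoers/sssd.c.sssdfixes 2013-08-13 15:20:39.558187669 +0200
+++ sudo-1.8.6p3/plugins/sudoers/sssd.c 2013-08-13 16:24:27.209064162 +0200
@@ -534,30 +534,31 @@ sudo_sss_check_runas_group(struct sudo_s
 * Walk through search results and return true if we have a runas match,
 * else false. RunAs info is optional.
 */
-static int
+static bool
 sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
 {
- int ret;
+ bool ret;
 debug_decl(sudo_sss_check_runas, SUDO_DEBUG_SSSD);
 
 if (rule == NULL)
- debug_return_int(false);
+ debug_return_bool(false);
 
 ret = sudo_sss_check_runas_user(handle, rule) != false &&
 sudo_sss_check_runas_group(handle, rule) != false;
 
- debug_return_int(ret);
+ debug_return_bool(ret);
 }
 
-static int
+static bool
 sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
 {
 char **val_array, *val;
- int ret = false, i;
+ bool ret = false;
+ int i;
 debug_decl(sudo_sss_check_host, SUDO_DEBUG_SSSD);
 
 if (rule == NULL)
- debug_return_int(ret);
+ debug_return_bool(ret);
 
 /* get the values from the rule */
 switch (handle->fn_get_values(rule, "sudoHost", &val_array))
@@ -566,10 +567,10 @@ sudo_sss_check_host(struct sudo_sss_hand
 break;
 case ENOENT:
 sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
- debug_return_int(false);
+ debug_return_bool(false);
 default:
 sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoHost): != 0");
- debug_return_int(ret);
+ debug_return_bool(ret);
 }
 
 /* walk through values */
@@ -589,7 +590,52 @@ sudo_sss_check_host(struct sudo_sss_hand
 
 handle->fn_free_values(val_array);
 
- debug_return_int(ret);
+ debug_return_bool(ret);
+}
+
+/*
+ * Look for netgroup specifcations in the sudoUser attribute and
+ * if found, filter according to netgroup membership.
+ * returns:
+ * true -> netgroup spec found && negroup member
+ * false -> netgroup spec found && not a meber of netgroup
+ * true -> netgroup spec not found (filtered by SSSD already, netgroups are an exception)
+ */
+bool sudo_sss_filter_user_netgroup(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
+{
+ bool ret = false, netgroup_spec_found = false;
+ char **val_array, *val;
+ int i;
+ debug_decl(sudo_sss_check_user_netgroup, SUDO_DEBUG_SSSD);
+
+ if (!handle || !rule)
+ debug_return_bool(ret);
+
+ switch (handle->fn_get_values(rule, "sudoUser", &val_array)) {
+ case 0:
+ break;
+ case ENOENT:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
+ debug_return_bool(ret);
+ default:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoUser): != 0");
+ debug_return_bool(ret);
+ }
+
+ for (i = 0; val_array[i] != NULL && !ret; ++i) {
+ val = val_array[i];
+ if (*val == '+') {
+ netgroup_spec_found = true;
+ }
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
+ if (strcmp(val, "ALL") == 0 || netgr_matches(val, NULL, NULL, user_name)) {
+ ret = true;
+ sudo_debug_printf(SUDO_DEBUG_DIAG,
+ "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, user_name);
+ }
+ }
+ handle->fn_free_values(val_array);
+ debug_return_bool(netgroup_spec_found ? ret : true);
 }
 
 static int
@@ -599,7 +645,8 @@ sudo_sss_result_filterp(struct sudo_sss_
 (void)unused;
 debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD);
 
- if (sudo_sss_check_host(handle, rule))
+ if (sudo_sss_check_host(handle, rule) &&
+ sudo_sss_filter_user_netgroup(handle, rule))
 debug_return_int(1);
 else
 debug_return_int(0);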
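Review bot: In the new sudo_sss_filter_user_netgroup (third hunk) only `ALL` and a netgroup match ever set `ret`, so a rule whose sudoUser lists both a `+netgroup` and the user's own name or a `%group` is rejected for a user outside the netgroup even though SSSD returned the rule for that user; as far as these lines show, the test `if (strcmp(val, "ALL") == 0 || netgr_matches(val, NULL, NULL, user_name))` should also accept `userpw_matches(val, user_name, sudo_user.pw)` and `usergr_matches(val, user_name, sudo_user.pw)` from match.c, or the filter should only reject when every entry is a netgroup spec. The trace name in `debug_decl(sudo_sss_check_user_netgroup, SUDO_DEBUG_SSSD);` does not match the function it is in, so debug output is attributed to a function that does not exist; it should read `debug_decl(sudo_sss_filter_user_netgroup, SUDO_DEBUG_SSSD);`. Unlike the neighbouring helpers the function is not `static`, which exports a symbol with no visible prototype; `static bool` on its own line, as the other helpers are written, would match the file's convention unless a header is meant to declare it. The header comment has typos (specifcations, negroup, meber) worth fixing while here.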
