/[smeserver]/rpms/sudo/sme9/sudo-1.8.6p3-sssdfixes.patch

Annotation of /rpms/sudo/sme9/sudo-1.8.6p3-sssdfixes.patch



Revision 1.1 - (hide annotations) (download)
Thu Feb 4 19:44:36 2021 UTC (3 years, 8 months ago) by jpp
Branch: MAIN
CVS Tags: sudo-1_8_6p3-30_el6_sme, sudo-1_8_6p3-29_el6_9, HEAD
Sudo

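diff -up sudo-1.8.6p3/plugins/sudoers/sssd.c.sssdfixes sudo-1.8.6p3/plugins/sudoers/sssd.c
--- sudo-1.8.6p3/plugins/sudoers/sssd.c.sssdfixes 2013-08-13 15:20:39.558187669 +0200
+++ sudo-1.8.6p3/plugins/sudoers/sssd.c 2013-08-13 16:24:27.209064162 +0200
@@ -534,30 +534,31 @@ sudo_sss_check_runas_group(struct sudo_s
 * Walk through search results and return true if we have a runas match,
 * else false. RunAs info is optional.
 */
-static int
+static bool
 sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
 {
- int ret;
+ bool ret;
 debug_decl(sudo_sss_check_runas, SUDO_DEBUG_SSSD);
 
 if (rule == NULL)
- debug_return_int(false);
+ debug_return_bool(false);
 
 ret = sudo_sss_check_runas_user(handle, rule) != false &&
 sudo_sss_check_runas_group(handle, rule) != false;
 
- debug_return_int(ret);
+ debug_return_bool(ret);
 }
 
-static int
+static bool
 sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
 {
 char **val_array, *val;
- int ret = false, i;
+ bool ret = false;
+ int i;
 debug_decl(sudo_sss_check_host, SUDO_DEBUG_SSSD);
 
 if (rule == NULL)
- debug_return_int(ret);
+ debug_return_bool(ret);
 
 /* get the values from the rule */
 switch (handle->fn_get_values(rule, "sudoHost", &val_array))
@@ -566,10 +567,10 @@ sudo_sss_check_host(struct sudo_sss_hand
 break;
 case ENOENT:
 sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
- debug_return_int(false);
+ debug_return_bool(false);
 default:
 sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoHost): != 0");
- debug_return_int(ret);
+ debug_return_bool(ret);
 }
 
 /* walk through values */
@@ -589,7 +590,52 @@ sudo_sss_check_host(struct sudo_sss_hand
 
 handle->fn_free_values(val_array);
 
- debug_return_int(ret);
+ debug_return_bool(ret);
+}
+
+/*
+ * Look for netgroup specifcations in the sudoUser attribute and
+ * if found, filter according to netgroup membership.
+ * returns:
+ * true -> netgroup spec found && negroup member
+ * false -> netgroup spec found && not a meber of netgroup
+ * true -> netgroup spec not found (filtered by SSSD already, netgroups are an exception)
+ */
+bool sudo_sss_filter_user_netgroup(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
+{
+ bool ret = false, netgroup_spec_found = false;
+ char **val_array, *val;
+ int i;
+ debug_decl(sudo_sss_check_user_netgroup, SUDO_DEBUG_SSSD);
+
+ if (!handle || !rule)
+ debug_return_bool(ret);
+
+ switch (handle->fn_get_values(rule, "sudoUser", &val_array)) {
+ case 0:
+ break;
+ case ENOENT:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
+ debug_return_bool(ret);
+ default:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoUser): != 0");
+ debug_return_bool(ret);
+ }
+
+ for (i = 0; val_array[i] != NULL && !ret; ++i) {
+ val = val_array[i];
+ if (*val == '+') {
+ netgroup_spec_found = true;
+ }
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
+ if (strcmp(val, "ALL") == 0 || netgr_matches(val, NULL, NULL, user_name)) {
+ ret = true;
+ sudo_debug_printf(SUDO_DEBUG_DIAG,
+ "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, user_name);
+ }
+ }
+ handle->fn_free_values(val_array);
+ debug_return_bool(netgroup_spec_found ? ret : true);
 }
 
 static int
@@ -599,7 +645,8 @@ sudo_sss_result_filterp(struct sudo_sss_
 (void)unused;
 debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD);
 
- if (sudo_sss_check_host(handle, rule))
+ if (sudo_sss_check_host(handle, rule) &&
+ sudo_sss_filter_user_netgroup(handle, rule))
 debug_return_int(1);
 else
 debug_return_int(0);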
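Review bot: In the third hunk (@@ -589,7 +590,52 @@) the new sudo_sss_filter_user_netgroup opens with `debug_decl(sudo_sss_check_user_netgroup, SUDO_DEBUG_SSSD);`, a name that matches no function in the file, so the debug trace for this authorization filter is attributed to a non-existent routine; it should be `debug_decl(sudo_sss_filter_user_netgroup, SUDO_DEBUG_SSSD);`. The function is also the only check helper in this hunk defined without `static`, although its one caller is sudo_sss_result_filterp in the next hunk; unless another translation unit is meant to call it, `static bool sudo_sss_filter_user_netgroup(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)` keeps it consistent with sudo_sss_check_host and sudo_sss_check_runas and out of the global namespace. The header comment has typos (`specifcations`, `negroup`, `meber`) and would be clearer as a list of the three return cases: netgroup spec present and user is a member → true; netgroup spec present and user is not a member → false; no netgroup spec at all → true, since SSSD has already filtered by user and group and only netgroups need checking here. Note also that a rule whose sudoUser list contains `ALL` returns true before later `+netgroup` entries are examined, which is consistent with the stated intent but worth a line in that comment.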
