From 7c30e60c525ea798aaab142766ff00eef4b5df3b Mon Sep 17 00:00:00 2001
From: Pavel Březina <pbrezina@redhat.com>
Date: Mon, 14 Jul 2014 14:23:50 +0200
Subject: sudo: fetch sudoRunAs attribute

This attribute was used in pre 1.7 versions of sudo and it is now
deprecated by sudoRunAsUser and sudoRunAsGroup. However, some users
still use this attribute so we need to support it to ensure backward
compatibility.

This patch makes sure that this attribute is downloaded if present and
provided to sudo. Sudo than decides how to handle it.

The new mapping option is not present in a man page since this
attribute is deprecated in sudo for a very long time.

Resolves:
https://fedorahosted.org/sssd/ticket/2212

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 src/config/SSSDConfig/__init__.py.in       | 1 +
 src/config/etc/sssd.api.d/sssd-ad.conf     | 1 +
 src/config/etc/sssd.api.d/sssd-ipa.conf    | 1 +
 src/config/etc/sssd.api.d/sssd-ldap.conf   | 1 +
 src/db/sysdb_sudo.h                        | 1 +
 src/providers/ldap/ldap_opts.h             | 1 +
 src/responder/sudo/sudosrv_get_sudorules.c | 1 +
 7 files changed, 7 insertions(+)

diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index d9b186f73..439378ff8 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -354,6 +354,7 @@ option_strings = {
     'ldap_sudorule_host' : _('Sudo rule host attribute'),
     'ldap_sudorule_user' : _('Sudo rule user attribute'),
     'ldap_sudorule_option' : _('Sudo rule option attribute'),
+    'ldap_sudorule_runas' : _('Sudo rule runas attribute'),
     'ldap_sudorule_runasuser' : _('Sudo rule runasuser attribute'),
     'ldap_sudorule_runasgroup' : _('Sudo rule runasgroup attribute'),
     'ldap_sudorule_notbefore' : _('Sudo rule notbefore attribute'),
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 33d460e82..74ca49ab9 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -151,6 +151,7 @@ ldap_sudorule_command = str, None, false
 ldap_sudorule_host = str, None, false
 ldap_sudorule_user = str, None, false
 ldap_sudorule_option = str, None, false
+ldap_sudorule_runas = str, None, false
 ldap_sudorule_runasuser = str, None, false
 ldap_sudorule_runasgroup = str, None, false
 ldap_sudorule_notbefore = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 11484e7d4..459db0627 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -216,6 +216,7 @@ ldap_sudorule_command = str, None, false
 ldap_sudorule_host = str, None, false
 ldap_sudorule_user = str, None, false
 ldap_sudorule_option = str, None, false
+ldap_sudorule_runas = str, None, false
 ldap_sudorule_runasuser = str, None, false
 ldap_sudorule_runasgroup = str, None, false
 ldap_sudorule_notbefore = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index fa9cdd698..c1c030976 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -152,6 +152,7 @@ ldap_sudorule_command = str, None, false
 ldap_sudorule_host = str, None, false
 ldap_sudorule_user = str, None, false
 ldap_sudorule_option = str, None, false
+ldap_sudorule_runas = str, None, false
 ldap_sudorule_runasuser = str, None, false
 ldap_sudorule_runasgroup = str, None, false
 ldap_sudorule_notbefore = str, None, false
diff --git a/src/db/sysdb_sudo.h b/src/db/sysdb_sudo.h
index f8e214f9f..fc896c385 100644
--- a/src/db/sysdb_sudo.h
+++ b/src/db/sysdb_sudo.h
@@ -39,6 +39,7 @@
 #define SYSDB_SUDO_CACHE_AT_HOST       "sudoHost"
 #define SYSDB_SUDO_CACHE_AT_COMMAND    "sudoCommand"
 #define SYSDB_SUDO_CACHE_AT_OPTION     "sudoOption"
+#define SYSDB_SUDO_CACHE_AT_RUNAS      "sudoRunAs"
 #define SYSDB_SUDO_CACHE_AT_RUNASUSER  "sudoRunAsUser"
 #define SYSDB_SUDO_CACHE_AT_RUNASGROUP "sudoRunAsGroup"
 #define SYSDB_SUDO_CACHE_AT_NOTBEFORE  "sudoNotBefore"
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index adf200caa..39c247332 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -321,6 +321,7 @@ struct sdap_attr_map native_sudorule_map[] = {
     { "ldap_sudorule_host", "sudoHost", SYSDB_SUDO_CACHE_AT_HOST, NULL },
     { "ldap_sudorule_user", "sudoUser", SYSDB_SUDO_CACHE_AT_USER, NULL },
     { "ldap_sudorule_option", "sudoOption", SYSDB_SUDO_CACHE_AT_OPTION, NULL },
+    { "ldap_sudorule_runas", "sudoRunAs", SYSDB_SUDO_CACHE_AT_RUNAS, NULL },
     { "ldap_sudorule_runasuser", "sudoRunAsUser", SYSDB_SUDO_CACHE_AT_RUNASUSER, NULL },
     { "ldap_sudorule_runasgroup", "sudoRunAsGroup", SYSDB_SUDO_CACHE_AT_RUNASGROUP, NULL },
     { "ldap_sudorule_notbefore", "sudoNotBefore", SYSDB_SUDO_CACHE_AT_NOTBEFORE, NULL },
diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c
index 9d8ef5d2a..4b35a1aed 100644
--- a/src/responder/sudo/sudosrv_get_sudorules.c
+++ b/src/responder/sudo/sudosrv_get_sudorules.c
@@ -537,6 +537,7 @@ static errno_t sudosrv_get_sudorules_from_cache(TALLOC_CTX *mem_ctx,
                             SYSDB_SUDO_CACHE_AT_HOST,
                             SYSDB_SUDO_CACHE_AT_COMMAND,
                             SYSDB_SUDO_CACHE_AT_OPTION,
+                            SYSDB_SUDO_CACHE_AT_RUNAS,
                             SYSDB_SUDO_CACHE_AT_RUNASUSER,
                             SYSDB_SUDO_CACHE_AT_RUNASGROUP,
                             SYSDB_SUDO_CACHE_AT_NOTBEFORE,
-- 
cgit