From dfafb437f49d31e015184e212571e9917aa94eef Mon Sep 17 00:00:00 2001 From: Pavel Březina Date: Mon, 14 May 2012 16:28:58 +0200 Subject: sudo: clean up --- src/config/SSSDConfig/__init__.py.in | 1 - src/config/etc/sssd.api.conf | 1 - src/db/sysdb_sudo.c | 206 ----------------------------------- src/db/sysdb_sudo.h | 6 - src/providers/data_provider.h | 7 +- src/providers/dp_backend.h | 4 - 6 files changed, 2 insertions(+), 223 deletions(-) diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index 30de27a1d..2bd6e3499 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -81,7 +81,6 @@ option_strings = { # [sudo] 'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'), - 'sudo_cache_timeout' : _('How many seconds to keep sudorules cached before asking the provider again'), # [autofs] 'autofs_negative_timeout' : _('Negative cache timeout length (seconds)'), diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf index 2cf5713f9..f1cd067db 100644 --- a/src/config/etc/sssd.api.conf +++ b/src/config/etc/sssd.api.conf @@ -54,7 +54,6 @@ get_domains_timeout = int, None, false [sudo] # sudo service sudo_timed = bool, None, false -sudo_cache_timeout = int, None, false [autofs] # autofs service diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c index 0f9d99945..be7df6512 100644 --- a/src/db/sysdb_sudo.c +++ b/src/db/sysdb_sudo.c 
@@ -534,57 +534,6 @@ errno_t sysdb_sudo_get_last_full_refresh(struct sysdb_ctx *sysdb, time_t *value) value); } -char **sysdb_sudo_build_sudouser(TALLOC_CTX *mem_ctx, const char *username, - uid_t uid, char **groupnames, bool include_all) -{ - char **sudouser = NULL; - int count = 0; - errno_t ret; - int i; - - if (username == NULL || uid == 0) { - return NULL; - } - - count = include_all ? 3 : 2; - sudouser = talloc_array(NULL, char*, count + 1); - NULL_CHECK(sudouser, ret, done); - - sudouser[0] = talloc_strdup(sudouser, username); - NULL_CHECK(sudouser[0], ret, done); - - sudouser[1] = talloc_asprintf(sudouser, "#%llu", (unsigned long long)uid); - NULL_CHECK(sudouser[1], ret, done); - - if (include_all) { - sudouser[2] = talloc_strdup(sudouser, "ALL"); - NULL_CHECK(sudouser[2], ret, done); - } - - if (groupnames != NULL) { - for (i = 0; groupnames[i] != NULL; i++) { - count++; - sudouser = talloc_realloc(NULL, sudouser, char*, count + 1); - NULL_CHECK(sudouser, ret, done); - - sudouser[count - 1] = talloc_asprintf(sudouser, "%s", groupnames[i]); - NULL_CHECK(sudouser[count - 1], ret, done); - } - } - - sudouser[count] = NULL; - - ret = EOK; - -done: - if (ret != EOK) { - talloc_free(sudouser); - return NULL; - } - - return talloc_steal(mem_ctx, sudouser); -} - /* ==================== Purge functions ==================== */ errno_t sysdb_sudo_purge_all(struct sysdb_ctx *sysdb) 
@@ -694,158 +643,3 @@ done: talloc_free(tmp_ctx); return ret; } - -errno_t sysdb_sudo_purge_bysudouser(struct sysdb_ctx *sysdb, - char **sudouser) -{ - TALLOC_CTX *tmp_ctx = NULL; - char *filter = NULL; - char *value = NULL; - const char *rule_name = NULL; - struct ldb_message_element *attr = NULL; - struct ldb_message *msg = NULL; - struct ldb_message **rules = NULL; - size_t num_rules; - errno_t ret; - errno_t sret; - int lret; - int i, j, k; - bool in_transaction = false; - const char *attrs[] = { SYSDB_OBJECTCLASS, - SYSDB_NAME, - SYSDB_SUDO_CACHE_AT_USER, - NULL }; - - if (sudouser == NULL || sudouser[0] == NULL) { - return EOK; - } - - tmp_ctx = talloc_new(NULL); - NULL_CHECK(tmp_ctx, ret, done); - - /* create search filter */ - filter = talloc_strdup(tmp_ctx, "(|"); - NULL_CHECK(filter, ret, done); - for (i = 0; sudouser[i] != NULL; i++) { - filter = talloc_asprintf_append(filter, "(%s=%s)", - SYSDB_SUDO_CACHE_AT_USER, sudouser[i]); - NULL_CHECK(filter, ret, done); - } - filter = talloc_strdup_append(filter, ")"); - NULL_CHECK(filter, ret, done); - - /* search the rules */ - ret = sysdb_search_custom(tmp_ctx, sysdb, filter, SUDORULE_SUBDIR, attrs, - &num_rules, &rules); - if (ret != EOK && ret != ENOENT) { - DEBUG(SSSDBG_CRIT_FAILURE, ("Error looking up SUDO rules")); - goto done; - } if (ret == ENOENT) { - DEBUG(SSSDBG_TRACE_FUNC, ("No rules matched\n")); - ret = EOK; - goto done; - } - - ret = sysdb_transaction_start(sysdb); - if (ret != EOK) { - goto done; - } - in_transaction = true; - - /* - * remove values from sudoUser and delete the rule - * if the attribute is empty afterwards - */ - - for (i = 0; i < num_rules; i++) { - /* find name */ - rule_name = ldb_msg_find_attr_as_string(rules[i], SYSDB_NAME, NULL); - if (rule_name == NULL) { - DEBUG(SSSDBG_OP_FAILURE, ("A rule without a name?\n")); - /* skip this one but still delete other entries */ - continue; - } - - /* find sudoUser */ - attr = ldb_msg_find_element(rules[i], SYSDB_SUDO_CACHE_AT_USER); - 
if (attr == NULL) { - /* this should never happen because we search by this attribute */ - DEBUG(SSSDBG_CRIT_FAILURE, ("BUG: sudoUser attribute is missing\n")); - continue; - } - - /* create message */ - msg = ldb_msg_new(tmp_ctx); - NULL_CHECK(msg, ret, done); - - msg->dn = ldb_dn_new_fmt(msg, sysdb->ldb, SYSDB_TMPL_CUSTOM, rule_name, - SUDORULE_SUBDIR, sysdb->domain->name); - NULL_CHECK(msg->dn, ret, done); - - /* create empty sudoUser */ - lret = ldb_msg_add_empty(msg, SYSDB_SUDO_CACHE_AT_USER, - LDB_FLAG_MOD_DELETE, NULL); - if (lret != LDB_SUCCESS) { - ret = sysdb_error_to_errno(lret); - goto done; - } - - /* filter values */ - for (j = 0; j < attr->num_values; j++) { - value = (char*)(attr->values[j].data); - for (k = 0; sudouser[k] != NULL; k++) { - if (strcmp(value, sudouser[k]) == 0) { - /* delete value from cache */ - lret = ldb_msg_add_string(msg, SYSDB_SUDO_CACHE_AT_USER, - sudouser[k]); - if (lret != LDB_SUCCESS) { - ret = sysdb_error_to_errno(lret); - goto done; - } - break; - } - } - } - - /* update the cache */ - if (msg->elements[0].num_values == attr->num_values) { - /* sudoUser would remain empty, delete the rule */ - ret = sysdb_sudo_purge_byname(sysdb, rule_name); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, ("Could not delete rule %s\n", - rule_name)); - goto done; - } - } else { - /* sudoUser will not be empty, modify the rule */ - DEBUG(SSSDBG_TRACE_INTERNAL, ("Modifying sudoUser of rule %s\n", - rule_name)); - lret = ldb_modify(sysdb->ldb, msg); - if (lret != LDB_SUCCESS) { - DEBUG(SSSDBG_OP_FAILURE, ("Could not modify rule %s\n", - rule_name)); - ret = sysdb_error_to_errno(lret); - goto done; - } - } - - talloc_free(msg); - } - - ret = sysdb_transaction_commit(sysdb); - if (ret == EOK) { - in_transaction = false; - } - -done: - if (in_transaction) { - sret = sysdb_transaction_cancel(sysdb); - if (sret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, ("Could not cancel transaction\n")); - } - } - - talloc_free(tmp_ctx); - return ret; -} - 
diff --git a/src/db/sysdb_sudo.h b/src/db/sysdb_sudo.h index b8ed2bc41..0d11b110e 100644 --- a/src/db/sysdb_sudo.h +++ b/src/db/sysdb_sudo.h @@ -86,9 +86,6 @@ sysdb_save_sudorule(struct sysdb_ctx *sysdb_ctx, errno_t sysdb_sudo_set_last_full_refresh(struct sysdb_ctx *sysdb, time_t value); errno_t sysdb_sudo_get_last_full_refresh(struct sysdb_ctx *sysdb, time_t *value); -char **sysdb_sudo_build_sudouser(TALLOC_CTX *mem_ctx, const char *username, - uid_t uid, char **groupnames, bool include_all); - errno_t sysdb_sudo_purge_all(struct sysdb_ctx *sysdb); errno_t sysdb_sudo_purge_byname(struct sysdb_ctx *sysdb, @@ -97,7 +94,4 @@ errno_t sysdb_sudo_purge_byname(struct sysdb_ctx *sysdb, errno_t sysdb_sudo_purge_byfilter(struct sysdb_ctx *sysdb, const char *filter); -errno_t sysdb_sudo_purge_bysudouser(struct sysdb_ctx *sysdb, - char **sudoUser); - #endif /* _SYSDB_SUDO_H_ */ diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h index 8c46115b1..b783081bc 100644 --- a/src/providers/data_provider.h +++ b/src/providers/data_provider.h @@ -138,11 +138,8 @@ #define BE_REQ_INITGROUPS 0x0003 #define BE_REQ_NETGROUP 0x0004 #define BE_REQ_SERVICES 0x0005 -#define BE_REQ_SUDO_ALL 0x0006 -#define BE_REQ_SUDO_DEFAULTS 0x0007 -#define BE_REQ_SUDO_USER 0x0008 -#define BE_REQ_SUDO_FULL 0x0100 /* todo: change it after clean up */ -#define BE_REQ_SUDO_RULES 0x0200 /* todo: change it after clean up */ +#define BE_REQ_SUDO_FULL 0x0006 +#define BE_REQ_SUDO_RULES 0x0007 #define BE_REQ_AUTOFS 0x0009 #define BE_REQ_HOST 0x0010 #define BE_REQ_FAST 0x1000 diff --git a/src/providers/dp_backend.h b/src/providers/dp_backend.h index 2c56f1475..6e5c6e1a6 100644 --- a/src/providers/dp_backend.h +++ b/src/providers/dp_backend.h @@ -159,10 +159,6 @@ struct be_acct_req { struct be_sudo_req { uint32_t type; char **rules; - - char *username; - uid_t uid; - char **groups; }; struct be_autofs_req { -- cgit
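Review bot: The new values for BE_REQ_SUDO_FULL and BE_REQ_SUDO_RULES reuse 0x0006 and 0x0007, which this same hunk frees from the removed BE_REQ_SUDO_ALL and BE_REQ_SUDO_DEFAULTS, so a request still carrying one of the old numbers is no longer rejected as unknown but silently dispatched as a different sudo request type. The diffstat shows no .c file under src/providers or the responders being touched here, so if these type codes cross a process boundary between separately built components (I cannot tell from this header alone) a mixed-version pair would misinterpret each other's requests. Either keep the old 0x0100/0x0200 values or document the reuse next to the definitions, e.g. `#define BE_REQ_SUDO_FULL 0x0006 /* value previously used by BE_REQ_SUDO_ALL */`. The gap now left at 0x0008 (the former BE_REQ_SUDO_USER) before BE_REQ_AUTOFS also deserves a one-line comment so the next addition does not land on a value stale senders may still emit.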