From f6171b2bc954a367f316853ab71090eb213bdee3 Mon Sep 17 00:00:00 2001
From: Pavel Březina
Date: Tue, 17 Jan 2012 12:28:33 +0100
Subject: SUDO Integration - make sysdb_get_sudo_filter() more configurable

https://fedorahosted.org/sssd/ticket/1143
---
 src/db/sysdb_sudo.c                        | 99 +++++++++++++++++-------------
 src/db/sysdb_sudo.h                        | 15 +++--
 src/responder/sudo/sudosrv_get_sudorules.c |  7 ++-
 3 files changed, 73 insertions(+), 48 deletions(-)

diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
index f7e87ee48..5adde76e7 100644
--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -67,76 +67,91 @@ sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username,
                       uid_t uid, char **groupnames, unsigned int flags,
                       char **_filter)
 {
-    TALLOC_CTX *tmp_ctx;
+    TALLOC_CTX *tmp_ctx = NULL;
+    char *filter = NULL;
+    char *specific_filter = NULL;
+    char *time_filter = NULL;
     errno_t ret;
-    char *filter;
-    char *t;
     int i;
 
     tmp_ctx = talloc_new(NULL);
     NULL_CHECK(tmp_ctx, ret, done);
 
-    /* AND with objectclass */
-    filter = talloc_asprintf(tmp_ctx, "(&(%s=%s)",
-                             SYSDB_OBJECTCLASS,
-                             SYSDB_SUDO_CACHE_AT_OC);
-    NULL_CHECK(filter, ret, done);
+    /* build specific filter */
 
-    /* And with the timed rules if requested */
-    if (flags & SYSDB_SUDO_FILTER_TIMED) {
-        t = get_sudo_time_filter(filter);
-        filter = talloc_asprintf_append(filter, "%s", t);
-        talloc_free(t);
-        NULL_CHECK(filter, ret, done);
+    specific_filter = talloc_zero(tmp_ctx, char); /* assign to tmp_ctx */
+    NULL_CHECK(specific_filter, ret, done);
+
+    if (flags & SYSDB_SUDO_FILTER_INCLUDE_ALL) {
+        specific_filter = talloc_asprintf_append(specific_filter, "(%s=ALL)",
+                                                 SYSDB_SUDO_CACHE_AT_USER);
+        NULL_CHECK(specific_filter, ret, done);
     }
 
-    /* Add global OR and the username */
-    filter = talloc_asprintf_append(filter, "(|(%s=%s)",
-                                    SYSDB_SUDO_CACHE_AT_USER,
-                                    username);
-    NULL_CHECK(filter, ret, done);
+    if (flags & SYSDB_SUDO_FILTER_INCLUDE_DFL) {
+        specific_filter = talloc_asprintf_append(specific_filter, "(%s=defaults)",
+                                                 SYSDB_NAME);
+        NULL_CHECK(specific_filter, ret, done);
+    }
 
-    if (uid) {
-        filter = talloc_asprintf_append(filter, "(%s=#%llu)",
-                                        SYSDB_SUDO_CACHE_AT_USER,
-                                        (unsigned long long) uid);
-        NULL_CHECK(filter, ret, done);
+    if ((flags & SYSDB_SUDO_FILTER_USERNAME) && (username != NULL)) {
+        specific_filter = talloc_asprintf_append(specific_filter, "(%s=%s)",
+                                                 SYSDB_SUDO_CACHE_AT_USER,
+                                                 username);
+        NULL_CHECK(specific_filter, ret, done);
+    }
+
+    if ((flags & SYSDB_SUDO_FILTER_UID) && (uid != 0)) {
+        specific_filter = talloc_asprintf_append(specific_filter, "(%s=#%llu)",
+                                                 SYSDB_SUDO_CACHE_AT_USER,
+                                                 (unsigned long long) uid);
+        NULL_CHECK(specific_filter, ret, done);
     }
 
-    if (groupnames) {
-        for (i=0; groupnames[i]; i++) {
-            filter = talloc_asprintf_append(filter, "(%s=%%%s)",
-                                            SYSDB_SUDO_CACHE_AT_USER,
-                                            groupnames[i]);
-            NULL_CHECK(filter, ret, done);
+    if ((flags & SYSDB_SUDO_FILTER_GROUPS) && (groupnames != NULL)) {
+        for (i=0; groupnames[i] != NULL; i++) {
+            specific_filter = talloc_asprintf_append(specific_filter, "(%s=%%%s)",
+                                                     SYSDB_SUDO_CACHE_AT_USER,
+                                                     groupnames[i]);
+            NULL_CHECK(specific_filter, ret, done);
         }
     }
 
     if (flags & SYSDB_SUDO_FILTER_NGRS) {
-        filter = talloc_asprintf_append(filter, "(%s=+*)",
-                                        SYSDB_SUDO_CACHE_AT_USER);
-        NULL_CHECK(filter, ret, done);
+        specific_filter = talloc_asprintf_append(specific_filter, "(%s=+*)",
+                                                 SYSDB_SUDO_CACHE_AT_USER);
+        NULL_CHECK(specific_filter, ret, done);
     }
 
-    if (flags & SYSDB_SUDO_FILTER_INCLUDE_ALL) {
-        filter = talloc_asprintf_append(filter, "(%s=ALL)",
-                                        SYSDB_SUDO_CACHE_AT_USER);
+    /* build time filter */
+
+    if (flags & SYSDB_SUDO_FILTER_TIMED) {
+        time_filter = get_sudo_time_filter(tmp_ctx);
+        NULL_CHECK(time_filter, ret, done);
+    }
+
+    /* build global filter */
+
+    filter = talloc_asprintf(tmp_ctx, "(&(%s=%s)",
+                             SYSDB_OBJECTCLASS, SYSDB_SUDO_CACHE_AT_OC);
+    NULL_CHECK(filter, ret, done);
+
+    if (time_filter != NULL) {
+        filter = talloc_strdup_append(filter, time_filter);
         NULL_CHECK(filter, ret, done);
     }
 
-    if (flags & SYSDB_SUDO_FILTER_INCLUDE_DFL) {
-        filter = talloc_asprintf_append(filter, "(%s=defaults)",
-                                        SYSDB_NAME);
+    if (specific_filter[0] != '\0') {
+        filter = talloc_asprintf_append(filter, "(|%s)", specific_filter);
         NULL_CHECK(filter, ret, done);
     }
 
-    /* end the global AND and OR filters */
-    filter = talloc_asprintf_append(filter, "))");
+    filter = talloc_strdup_append(filter, ")");
     NULL_CHECK(filter, ret, done);
-    ret = EOK;
     *_filter = talloc_steal(mem_ctx, filter);
+
 done:
     talloc_free(tmp_ctx);
     return ret;
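Review bot: In the new `(%s=%s)` and `(%s=%%%s)` branches `username` and each `groupnames[i]` are spliced verbatim into the ldb filter, so a value containing `*`, `(`, `)` or `\` changes the filter's structure instead of being matched literally; the replaced code had the same gap, but this rewrite is where the inputs are now chosen per flag, so it is the place to either run them through `sss_filter_sanitize()` (if this tree has it) before appending or to state at the top of the function that callers must pass already-sanitized names. Separately, the hunk reads `-    ret = EOK;` immediately before `*_filter = talloc_steal(mem_ctx, filter);`, and `ret` is otherwise assigned only inside `NULL_CHECK()`, so if that line really was removed the success path returns an uninitialized `errno_t` — if the `-` belongs to a blank line above `ret = EOK;` instead, there is nothing to fix, but it is worth confirming against the real tree. The function's return-type line and its closing brace lie outside the hunk.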
diff --git a/src/db/sysdb_sudo.h b/src/db/sysdb_sudo.h
index 67f9e9126..b4e3eaff8 100644
--- a/src/db/sysdb_sudo.h
+++ b/src/db/sysdb_sudo.h
@@ -46,10 +46,17 @@
 
 /* When constructing a sysdb filter, OR these values to include.. */
 #define SYSDB_SUDO_FILTER_NONE         0x00 /* no additional filter */
-#define SYSDB_SUDO_FILTER_NGRS         0x01 /* netgroups */
-#define SYSDB_SUDO_FILTER_TIMED        0x02 /* timed rules */
-#define SYSDB_SUDO_FILTER_INCLUDE_ALL  0x04 /* ALL */
-#define SYSDB_SUDO_FILTER_INCLUDE_DFL  0x08 /* include cn=default */
+#define SYSDB_SUDO_FILTER_USERNAME     0x01 /* username */
+#define SYSDB_SUDO_FILTER_UID          0x02 /* uid */
+#define SYSDB_SUDO_FILTER_GROUPS       0x04 /* groups */
+#define SYSDB_SUDO_FILTER_NGRS         0x08 /* netgroups */
+#define SYSDB_SUDO_FILTER_TIMED        0x10 /* timed rules */
+#define SYSDB_SUDO_FILTER_INCLUDE_ALL  0x20 /* ALL */
+#define SYSDB_SUDO_FILTER_INCLUDE_DFL  0x40 /* include cn=default */
+#define SYSDB_SUDO_FILTER_USERINFO     SYSDB_SUDO_FILTER_USERNAME \
+                                     | SYSDB_SUDO_FILTER_UID \
+                                     | SYSDB_SUDO_FILTER_GROUPS \
+                                     | SYSDB_SUDO_FILTER_NGRS
 
 errno_t
 sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username,
diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c
index fba8a85e1..0b3b81e82 100644
--- a/src/responder/sudo/sudosrv_get_sudorules.c
+++ b/src/responder/sudo/sudosrv_get_sudorules.c
@@ -412,6 +412,7 @@ static errno_t sudosrv_get_sudorules_query_cache(TALLOC_CTX *mem_ctx,
     size_t count;
     struct sysdb_attrs **rules;
     struct ldb_message **msgs;
+    unsigned int flags = SYSDB_SUDO_FILTER_NONE;
     const char *attrs[] = { SYSDB_OBJECTCLASS
                             SYSDB_SUDO_CACHE_AT_OC,
                             SYSDB_SUDO_CACHE_AT_CN,
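Review bot: The new `SYSDB_SUDO_FILTER_USERINFO` expands to an unparenthesized `A | B | C | D`, so a mask test such as `flags & SYSDB_SUDO_FILTER_USERINFO` parses as `(flags & A) | B | C | D` and is non-zero even when none of those bits are set; parenthesize the whole expansion, `#define SYSDB_SUDO_FILTER_USERINFO (SYSDB_SUDO_FILTER_USERNAME | SYSDB_SUDO_FILTER_UID | SYSDB_SUDO_FILTER_GROUPS | SYSDB_SUDO_FILTER_NGRS)`, keeping the existing line continuations. The one caller in this commit only ORs the macro into other flags, where the missing parentheses happen to be harmless, which is why nothing breaks today. The `#define` list is fully inside the hunk; the declaration that follows it continues past the hunk.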
@@ -429,9 +430,11 @@ static errno_t sudosrv_get_sudorules_query_cache(TALLOC_CTX *mem_ctx,
     tmp_ctx = talloc_new(NULL);
     if (tmp_ctx == NULL) return ENOMEM;
 
+    flags = SYSDB_SUDO_FILTER_USERINFO
+            | SYSDB_SUDO_FILTER_INCLUDE_ALL
+            | SYSDB_SUDO_FILTER_INCLUDE_DFL;
     ret = sysdb_get_sudo_filter(tmp_ctx, username, uid, groupnames,
-                                (SYSDB_SUDO_FILTER_NGRS | SYSDB_SUDO_FILTER_INCLUDE_ALL |
-                                 SYSDB_SUDO_FILTER_INCLUDE_DFL), &filter);
+                                flags, &filter);
     if (ret != EOK) {
         DEBUG(SSSDBG_CRIT_FAILURE,
               ("Could not construct the search filter [%d]: %s\n",
-- 
cgit
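Review bot: `flags` is initialized to `SYSDB_SUDO_FILTER_NONE` at its declaration in the previous hunk and then unconditionally overwritten here, so that initializer is dead; either assign the full mask at the declaration or drop the `= SYSDB_SUDO_FILTER_NONE` and keep this assignment. The chosen mask leaves out `SYSDB_SUDO_FILTER_TIMED`, as the replaced call did, and a one-line comment naming where time constraints are enforced instead would save the next reader a search — I cannot tell from this hunk whether that happens elsewhere in the responder, so confirm before writing it. The enclosing function continues past the hunk.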