From d38ffc9c92daeb62de7d28c409bdaeff98f82775 Mon Sep 17 00:00:00 2001
From: Pavel Březina
Date: Tue, 30 Oct 2012 12:01:51 +0100
Subject: sudo: support users from subdomains

https://fedorahosted.org/sssd/ticket/1616
---
 src/responder/sudo/sudosrv_get_sudorules.c | 64 ++++++++++++++++++++++++------
 1 file changed, 52 insertions(+), 12 deletions(-)

(limited to 'src/responder/sudo/sudosrv_get_sudorules.c')

diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c
index 9081cbd70..6d6b95d3f 100644
--- a/src/responder/sudo/sudosrv_get_sudorules.c
+++ b/src/responder/sudo/sudosrv_get_sudorules.c
@@ -29,6 +29,22 @@
 #include "db/sysdb_sudo.h"
 #include "responder/sudo/sudosrv_private.h"
 
+static struct sysdb_ctx* sudosrv_get_user_sysdb(struct sss_domain_info *domain)
+{
+ return domain->sysdb;
+}
+
+static struct sysdb_ctx* sudosrv_get_rules_sysdb(struct sss_domain_info *domain)
+{
+ if (domain->parent == NULL) {
+ return domain->sysdb;
+ } else {
+ /* sudo rules are stored under parent domain basedn, so we will return
+ * parent's sysdb context */
+ return domain->parent->sysdb;
+ }
+}
+
 static errno_t sudosrv_get_user(struct sudo_dom_ctx *dctx);
 
 errno_t sudosrv_get_sudorules(struct sudo_dom_ctx *dctx)
@@ -112,7 +128,7 @@ static errno_t sudosrv_get_user(struct sudo_dom_ctx *dctx)
 DEBUG(SSSDBG_FUNC_DATA, ("Requesting info about [%s@%s]\n",
 name, dom->name));
 
- sysdb = dctx->domain->sysdb;
+ sysdb = sudosrv_get_user_sysdb(dctx->domain);
 if (sysdb == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE,
 ("sysdb context not found for this domain!\n"));
@@ -327,7 +343,8 @@ errno_t sudosrv_get_rules(struct sudo_cmd_ctx *cmd_ctx)
 TALLOC_CTX *tmp_ctx = NULL;
 struct tevent_req *dpreq = NULL;
 struct dp_callback_ctx *cb_ctx = NULL;
- struct sysdb_ctx *sysdb;
+ struct sysdb_ctx *user_sysdb = NULL;
+ struct sysdb_ctx *rules_sysdb = NULL;
 char **groupnames = NULL;
 size_t expired_rules_num = 0;
 struct sysdb_attrs **expired_rules = NULL;
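Review bot: `sudosrv_get_rules_sysdb` in the @@ -29 hunk resolves only one level of nesting — a domain whose parent itself has a parent would get the intermediate domain's sysdb rather than the top-level one, and whether the domain tree is guaranteed to be at most two deep is not visible here. The helper should state that assumption and its contract, e.g. `/* Sudo rules live in the top-level domain's sysdb; subdomains are assumed to be direct children of it. Callers must check the result for NULL. */`, since neither helper checks `domain` itself for NULL and the caller-side checks only cover a missing sysdb. Minor style point: `struct sysdb_ctx*` binds the star to the type, while the rest of the file (and the surrounding declarations in the @@ -327 hunk) writes `struct sysdb_ctx *`.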
@@ -341,7 +358,21 @@ errno_t sudosrv_get_rules(struct sudo_cmd_ctx *cmd_ctx)
 return EFAULT;
 }
 
- sysdb = cmd_ctx->domain->sysdb;
+ user_sysdb = sudosrv_get_user_sysdb(cmd_ctx->domain);
+ if (user_sysdb == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("user sysdb context not found for this domain!\n"));
+ ret = EIO;
+ goto done;
+ }
+
+ rules_sysdb = sudosrv_get_rules_sysdb(cmd_ctx->domain);
+ if (rules_sysdb == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("rules sysdb context not found for this domain!\n"));
+ ret = EIO;
+ goto done;
+ }
 
 tmp_ctx = talloc_new(NULL);
 if (tmp_ctx == NULL) {
@@ -367,7 +398,7 @@ errno_t sudosrv_get_rules(struct sudo_cmd_ctx *cmd_ctx)
 * expired rules for this user and defaults at once we will save one
 * provider call */
 
- ret = sysdb_get_sudo_user_info(tmp_ctx, cmd_ctx->orig_username, sysdb,
+ ret = sysdb_get_sudo_user_info(tmp_ctx, cmd_ctx->orig_username, user_sysdb,
 NULL, &groupnames);
 if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE,
@@ -379,7 +410,7 @@ errno_t sudosrv_get_rules(struct sudo_cmd_ctx *cmd_ctx)
 | SYSDB_SUDO_FILTER_INCLUDE_DFL
 | SYSDB_SUDO_FILTER_ONLY_EXPIRED
 | SYSDB_SUDO_FILTER_USERINFO;
- ret = sudosrv_get_sudorules_query_cache(tmp_ctx, sysdb, cmd_ctx->type,
+ ret = sudosrv_get_sudorules_query_cache(tmp_ctx, rules_sysdb, cmd_ctx->type,
 attrs, flags, cmd_ctx->orig_username,
 cmd_ctx->uid, groupnames, &expired_rules,
 &expired_rules_num);
@@ -535,7 +566,8 @@ static errno_t sudosrv_get_sudorules_from_cache(TALLOC_CTX *mem_ctx,
 {
 TALLOC_CTX *tmp_ctx;
 errno_t ret;
- struct sysdb_ctx *sysdb;
+ struct sysdb_ctx *user_sysdb = NULL;
+ struct sysdb_ctx *rules_sysdb = NULL;
 char **groupnames = NULL;
 const char *debug_name = NULL;
 unsigned int flags = SYSDB_SUDO_FILTER_NONE;
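Review bot: The two sysdb lookups with their DEBUG/EIO/goto blocks in the @@ -341 hunk are duplicated verbatim in `sudosrv_get_sudorules_from_cache` (the @@ -565 hunk), so the two call sites will drift the next time the lookup rule changes; a small helper that resolves both contexts once, as sketched below, keeps one copy. Both `goto done` paths here run before `tmp_ctx` is allocated, which is safe only if `done:` (outside the hunk) tolerates `tmp_ctx == NULL` — the `= NULL` initializer in the @@ -327 hunk suggests that is intended, but it is worth confirming. The group list is read from the subdomain's sysdb while the rule query in the @@ -379 hunk runs against the parent's, so correct rule matching depends on `orig_username` and `groupnames` carrying the same name form the rule entries use; a comment at the `rules_sysdb` assignment recording that assumption would help anyone debugging a subdomain user who matches too many or too few rules. The body of `sudosrv_get_rules` continues outside the hunk.
```c
/* Resolve the sysdb contexts a sudo lookup needs: the user's own domain
 * for user/group info and the domain holding the rules. Returns EIO with
 * a DEBUG message when either context is missing. */
static errno_t sudosrv_get_sysdbs(struct sss_domain_info *domain,
                                  struct sysdb_ctx **_user_sysdb,
                                  struct sysdb_ctx **_rules_sysdb)
{
    struct sysdb_ctx *user_sysdb = sudosrv_get_user_sysdb(domain);
    struct sysdb_ctx *rules_sysdb = sudosrv_get_rules_sysdb(domain);

    if (user_sysdb == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              ("user sysdb context not found for this domain!\n"));
        return EIO;
    }
    if (rules_sysdb == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              ("rules sysdb context not found for this domain!\n"));
        return EIO;
    }

    *_user_sysdb = user_sysdb;
    *_rules_sysdb = rules_sysdb;
    return EOK;
}

/* … in sudosrv_get_rules, replacing the two lookup blocks … */
    ret = sudosrv_get_sysdbs(cmd_ctx->domain, &user_sysdb, &rules_sysdb);
    if (ret != EOK) {
        goto done;
    }
```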
@@ -565,10 +597,18 @@ static errno_t sudosrv_get_sudorules_from_cache(TALLOC_CTX *mem_ctx,
 return ENOMEM;
 }
 
- sysdb = cmd_ctx->domain->sysdb;
- if (sysdb == NULL) {
+ user_sysdb = sudosrv_get_user_sysdb(cmd_ctx->domain);
+ if (user_sysdb == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("user sysdb context not found for this domain!\n"));
+ ret = EIO;
+ goto done;
+ }
+
+ rules_sysdb = sudosrv_get_rules_sysdb(cmd_ctx->domain);
+ if (rules_sysdb == NULL) {
 DEBUG(SSSDBG_CRIT_FAILURE,
- ("sysdb context not found for this domain!\n"));
+ ("rules sysdb context not found for this domain!\n"));
 ret = EIO;
 goto done;
 }
@@ -576,8 +616,8 @@ static errno_t sudosrv_get_sudorules_from_cache(TALLOC_CTX *mem_ctx,
 switch (cmd_ctx->type) {
 case SSS_SUDO_USER:
 debug_name = cmd_ctx->cased_username;
- ret = sysdb_get_sudo_user_info(tmp_ctx, cmd_ctx->orig_username, sysdb,
- NULL, &groupnames);
+ ret = sysdb_get_sudo_user_info(tmp_ctx, cmd_ctx->orig_username,
+ user_sysdb, NULL, &groupnames);
 if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE,
 ("Unable to retrieve user info [%d]: %s\n", strerror(ret)));
@@ -591,7 +631,7 @@ static errno_t sudosrv_get_sudorules_from_cache(TALLOC_CTX *mem_ctx,
 break;
 }
 
- ret = sudosrv_get_sudorules_query_cache(tmp_ctx, sysdb, cmd_ctx->type,
+ ret = sudosrv_get_sudorules_query_cache(tmp_ctx, rules_sysdb, cmd_ctx->type,
 attrs, flags, cmd_ctx->orig_username,
 cmd_ctx->uid, groupnames, &rules,
 &num_rules);
--
cgit
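Review bot: The DEBUG call in the context lines directly under the re-wrapped `sysdb_get_sudo_user_info` call in the @@ -576 hunk, `("Unable to retrieve user info [%d]: %s\n", strerror(ret))`, has two conversions but only one argument, so `%d` consumes the `strerror(ret)` pointer and `%s` reads a missing vararg — undefined behaviour on the error path that subdomain users now reach through `user_sysdb`. The commit does not touch that line, but since it rewrites the call right above it the fix belongs in the same change: `("Unable to retrieve user info [%d]: %s\n", ret, strerror(ret))`. The `switch` and the rest of `sudosrv_get_sudorules_from_cache` extend outside the hunk, so the other `case` arms could not be checked for the same pattern.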