From 5e7ddcae402bc284d43c5ebb5d215310a5658aba Mon Sep 17 00:00:00 2001 From: Pavel Březina Date: Fri, 11 May 2012 10:26:59 +0200 Subject: sudo responder: allow fetching only expired rules in sudosrv_get_sudorules_query_cache() --- src/responder/sudo/sudosrv_get_sudorules.c | 47 ++++++++++++++---------------- 1 file changed, 22 insertions(+), 25 deletions(-) (limited to 'src') diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c index cd359b686..9f670b9b4 100644 --- a/src/responder/sudo/sudosrv_get_sudorules.c +++ b/src/responder/sudo/sudosrv_get_sudorules.c @@ -408,6 +408,8 @@ sudosrv_get_sudorules_dp_callback(uint16_t err_maj, uint32_t err_min, static errno_t sudosrv_get_sudorules_query_cache(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb, enum sss_dp_sudo_type type, + const char **attrs, + unsigned int flags, const char *username, uid_t uid, char **groupnames, @@ -421,6 +423,20 @@ static errno_t sudosrv_get_sudorules_from_cache(struct sudo_cmd_ctx *cmd_ctx) struct sysdb_ctx *sysdb; char **groupnames = NULL; const char *debug_name = NULL; + unsigned int flags = SYSDB_SUDO_FILTER_NONE; + const char *attrs[] = { SYSDB_OBJECTCLASS + SYSDB_SUDO_CACHE_AT_OC, + SYSDB_SUDO_CACHE_AT_CN, + SYSDB_SUDO_CACHE_AT_USER, + SYSDB_SUDO_CACHE_AT_HOST, + SYSDB_SUDO_CACHE_AT_COMMAND, + SYSDB_SUDO_CACHE_AT_OPTION, + SYSDB_SUDO_CACHE_AT_RUNASUSER, + SYSDB_SUDO_CACHE_AT_RUNASGROUP, + SYSDB_SUDO_CACHE_AT_NOTBEFORE, + SYSDB_SUDO_CACHE_AT_NOTAFTER, + SYSDB_SUDO_CACHE_AT_ORDER, + NULL }; if (cmd_ctx->domain == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, ("Domain is not set!\n")); @@ -451,14 +467,16 @@ static errno_t sudosrv_get_sudorules_from_cache(struct sudo_cmd_ctx *cmd_ctx) ("Unable to retrieve user info [%d]: %s\n", strerror(ret))); goto done; } + flags = SYSDB_SUDO_FILTER_USERINFO | SYSDB_SUDO_FILTER_INCLUDE_ALL; break; case SSS_SUDO_DEFAULTS: debug_name = ""; + flags = SYSDB_SUDO_FILTER_INCLUDE_DFL; break; } ret = sudosrv_get_sudorules_query_cache(cmd_ctx, sysdb, cmd_ctx->type, - cmd_ctx->orig_username, + attrs, flags, cmd_ctx->orig_username, cmd_ctx->uid, groupnames, &cmd_ctx->rules, &cmd_ctx->num_rules); if (ret != EOK) { @@ -482,6 +500,8 @@ sort_sudo_rules(struct sysdb_attrs **rules, size_t count); static errno_t sudosrv_get_sudorules_query_cache(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb, enum sss_dp_sudo_type type, + const char **attrs, + unsigned int flags, const char *username, uid_t uid, char **groupnames, @@ -494,35 +514,12 @@ static errno_t sudosrv_get_sudorules_query_cache(TALLOC_CTX *mem_ctx, size_t count; struct sysdb_attrs **rules; struct ldb_message **msgs; - unsigned int flags = SYSDB_SUDO_FILTER_NONE; - const char *attrs[] = { SYSDB_OBJECTCLASS - SYSDB_SUDO_CACHE_AT_OC, - SYSDB_SUDO_CACHE_AT_CN, - SYSDB_SUDO_CACHE_AT_USER, - SYSDB_SUDO_CACHE_AT_HOST, - SYSDB_SUDO_CACHE_AT_COMMAND, - SYSDB_SUDO_CACHE_AT_OPTION, - SYSDB_SUDO_CACHE_AT_RUNASUSER, - SYSDB_SUDO_CACHE_AT_RUNASGROUP, - SYSDB_SUDO_CACHE_AT_NOTBEFORE, - SYSDB_SUDO_CACHE_AT_NOTAFTER, - SYSDB_SUDO_CACHE_AT_ORDER, - NULL }; tmp_ctx = talloc_new(NULL); if (tmp_ctx == NULL) return ENOMEM; - switch (type) { - case SSS_SUDO_DEFAULTS: - flags = SYSDB_SUDO_FILTER_INCLUDE_DFL; - break; - case SSS_SUDO_USER: - flags = SYSDB_SUDO_FILTER_USERINFO | SYSDB_SUDO_FILTER_INCLUDE_ALL; - break; - } - ret = sysdb_get_sudo_filter(tmp_ctx, username, uid, groupnames, - flags, 0, &filter); + flags, &filter); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, ("Could not construct the search filter [%d]: %s\n", -- cgit