authorArun Scaria <arunscaria91@gmail.com>2011-08-10 21:55:14 +0530
committerArun Scaria <arunscaria91@gmail.com>2011-08-10 21:55:14 +0530
commit04e2cd22d3c5d995f8f056c3c6a2563211ff2036 (patch)
tree47f2d75d7a05c8fed1aa351a7d2dece5a594d05a
parentb8495d2fd3a293e567cd34e78e0f5d40062fdf76 (diff)
Sudo rules are extracted from the sysdb and sorted according to the sudoOrder attribute.
-rw-r--r--Makefile.am5
-rw-r--r--src/db/sysdb.h23
-rw-r--r--src/db/sysdb_ops.c56
-rw-r--r--src/monitor/monitor.c2
-rw-r--r--src/responder/sudo/sudosrv.c270
-rw-r--r--src/responder/sudo/sudosrv.h35
-rw-r--r--src/sss_client/sudo_plugin/sss_sudo_cli.h2
-rw-r--r--src/sss_client/sudo_plugin/sss_sudoplugin.c1
8 files changed, 352 insertions, 42 deletions
diff --git a/Makefile.am b/Makefile.am
index 565ae2b4..0d764ba9 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -192,7 +192,9 @@ AM_CPPFLAGS = \
-DSSSD_CONF_DIR=\"$(sssdconfdir)\" \
-DSSS_NSS_SOCKET_NAME=\"$(pipepath)/nss\" \
-DSSS_PAM_SOCKET_NAME=\"$(pipepath)/pam\" \
+ -DSSS_SUDO_SOCKET_NAME=\"$(pipepath)/sudo\" \
-DSSS_PAM_PRIV_SOCKET_NAME=\"$(pipepath)/private/pam\" \
+ -DSSS_SUDO_PRIV_SOCKET_NAME=\"$(pipepath)/private/sudo\" \
-DLOCALEDIR=\"$(localedir)\"
EXTRA_DIST = build/config.rpath
@@ -403,10 +405,11 @@ sssd_pam_LDADD = \
sssd_sudo_SOURCES = \
src/responder/sudo/sudosrv.c \
- src/responder/sudo/sudosrv.h
+ $(SSSD_RESPONDER_OBJ)
sssd_sudo_LDADD = \
$(TDB_LIBS) \
$(SSSD_LIBS) \
+ $(LDB_LIBS) \
libsss_util.la \
$(DBUS_LIBS) \
$(DHASH_LIBS)
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 1eac748c..d8c0c78c 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -30,21 +30,35 @@
#define CACHE_SYSDB_FILE "cache_%s.ldb"
#define LOCAL_SYSDB_FILE "sssd.ldb"
+#define SUDO_RULE_OBJ_CLASS "sudoRole"
#define SYSDB_BASE "cn=sysdb"
#define SYSDB_DOM_BASE "cn=%s,cn=sysdb"
#define SYSDB_USERS_CONTAINER "cn=users"
#define SYSDB_GROUPS_CONTAINER "cn=groups"
#define SYSDB_CUSTOM_CONTAINER "cn=custom"
#define SYSDB_NETGROUP_CONTAINER "cn=Netgroups"
+#define SYSDB_SUDO_CONTAINER "ou=sudoers"
#define SYSDB_TMPL_USER_BASE SYSDB_USERS_CONTAINER",cn=%s,"SYSDB_BASE
#define SYSDB_TMPL_GROUP_BASE SYSDB_GROUPS_CONTAINER",cn=%s,"SYSDB_BASE
#define SYSDB_TMPL_CUSTOM_BASE SYSDB_CUSTOM_CONTAINER",cn=%s,"SYSDB_BASE
#define SYSDB_TMPL_NETGROUP_BASE SYSDB_NETGROUP_CONTAINER",cn=%s,"SYSDB_BASE
+#define SYSDB_TMPL_SUDO_BASE SYSDB_SUDO_CONTAINER",cn=%s,"SYSDB_BASE
+#define SYSDB_SUDORULE SYSDB_OBJECTCLASS"="SUDO_RULE_OBJ_CLASS
#define SYSDB_USER_CLASS "user"
#define SYSDB_GROUP_CLASS "group"
#define SYSDB_NETGROUP_CLASS "netgroup"
+#define SYSDB_SUDO_USER_ATTR "sudoUser"
+#define SYSDB_SUDO_HOST_ATTR "sudoHost"
+#define SYSDB_SUDO_OPTION_ATTR "sudoOption"
+#define SYSDB_SUDO_COMMAND_ATTR "sudoCommand"
+#define SYSDB_SUDO_RUNAS_USER_ATTR "sudoRunAsUser"
+#define SYSDB_SUDO_RUNAS_GROUP_ATTR "sudoRunAsGroup"
+#define SYSDB_SUDO_NOT_BEFORE_ATTR "sudoNotBefore"
+#define SYSDB_SUDO_NOT_AFTER_ATTR "sudoNotAfter"
+#define SYSDB_SUDO_ORDER_ATTR "sudoOrder"
+
#define SYSDB_NAME "name"
#define SYSDB_OBJECTCLASS "objectClass"
@@ -400,6 +414,15 @@ int sysdb_search_entry(TALLOC_CTX *mem_ctx,
size_t *msgs_count,
struct ldb_message ***msgs);
+/* search sudo rules */
+int sysdb_search_sudo_rules(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
+ const char *sub_filter,
+ const char **attrs,
+ size_t *msgs_count,
+ struct ldb_message ***msgs);
+
/* Search User (by uid or name) */
int sysdb_search_user_by_name(TALLOC_CTX *mem_ctx,
struct sysdb_ctx *ctx,
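Review bot: The new sysdb_search_sudo_rules prototype carries only the one-line "search sudo rules" comment, and the contract of sub_filter is the part a caller most needs: in sysdb_ops.c it is spliced verbatim into the filter string, so it must be a syntactically complete, already-sanitized LDB filter component. I'd replace the comment with a short block stating that, plus that `domain` may be NULL (the sysdb's own domain is then used), that `attrs` is NULL-terminated, and that `*msgs` is allocated on `mem_ctx` and must be freed by the caller; ENOENT for no match is what the caller in sudosrv.c expects, which should be confirmed against sysdb_search_entry.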
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index a7911de4..77e0fe9f 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -2096,6 +2096,62 @@ fail:
return ret;
}
+int sysdb_search_sudo_rules(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
+ const char *sub_filter,
+ const char **attrs,
+ size_t *msgs_count,
+ struct ldb_message ***msgs)
+{
+ TALLOC_CTX *tmpctx;
+ struct ldb_dn *basedn;
+ char *filter;
+ int ret;
+
+ tmpctx = talloc_new(mem_ctx);
+ if (!tmpctx) {
+ return ENOMEM;
+ }
+
+ if (!domain) {
+ domain = sysdb->domain;
+ }
+
+ basedn = ldb_dn_new_fmt(tmpctx, sysdb->ldb,SYSDB_TMPL_SUDO_BASE, domain->name);
+ if (!basedn) {
+ DEBUG(2, ("Failed to build base dn\n"));
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ filter = talloc_asprintf(tmpctx, "(&(%s)(%s))", SYSDB_SUDORULE, sub_filter);
+ if (!filter) {
+ DEBUG(2, ("Failed to build filter\n"));
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ DEBUG(6, ("Search users with filter: %s\n", filter));
+
+ ret = sysdb_search_entry(mem_ctx, sysdb, basedn,
+ LDB_SCOPE_SUBTREE, filter, attrs,
+ msgs_count, msgs);
+ if (ret) {
+ goto fail;
+ }
+
+ talloc_zfree(tmpctx);
+ return EOK;
+
+fail:
+ DEBUG(6, ("Error: %d (%s)\n", ret, strerror(ret)));
+ talloc_zfree(tmpctx);
+ return ret;
+}
+
+
+
/* =Search-Users-with-Custom-Filter====================================== */
int sysdb_search_users(TALLOC_CTX *mem_ctx,
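Review bot: sub_filter is spliced verbatim into `(&(%s)(%s))` at the talloc_asprintf in sysdb_search_sudo_rules, so an empty or NULL sub_filter produces the malformed filter `(&(objectClass=sudoRole)())` and the search fails instead of returning every rule, and a sub_filter built from caller-controlled text (a user or host name) is an LDB filter injection unless the caller escaped it first. I'd build the filter conditionally, `filter = (sub_filter && *sub_filter) ? talloc_asprintf(tmpctx, "(&(%s)(%s))", SYSDB_SUDORULE, sub_filter) : talloc_asprintf(tmpctx, "(%s)", SYSDB_SUDORULE);`, and state in a comment that sub_filter must be a pre-sanitized filter component. The DEBUG(6) line still reads "Search users with filter" and should say sudo rules; `sysdb->domain` is dereferenced without checking that `sysdb` is non-NULL, which matches the neighbouring functions but is worth noting since the sudo caller passes `*(sysdblist->dbs)` unchecked.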
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index d1f2e661..6d68b1cd 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -818,7 +818,7 @@ static int check_local_domain_unique(struct sss_domain_info *domains)
static char *check_services(char **services)
{
- const char *known_services[] = { "nss", "pam", NULL };
+ const char *known_services[] = { "nss", "pam", "sudo", NULL };
int i;
int ii;
diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
index be93954b..f5927d0f 100644
--- a/src/responder/sudo/sudosrv.c
+++ b/src/responder/sudo/sudosrv.c
@@ -33,11 +33,19 @@
#include <popt.h>
#include "dhash.h"
#include "util/util.h"
+#include "db/sysdb.h"
#include "sbus/sbus_client.h"
#include "sbus/sssd_dbus_messages_helpers.h"
+#include "responder/common/responder.h"
+#include "responder/common/negcache.h"
+#include "responder/common/responder_packet.h"
-#include "sudosrv.h"
+#include "responder/sudo/sudosrv.h"
#include "sss_client/sudo_plugin/sss_sudo_cli.h"
+#include "sbus/sbus_client.h"
+#include "responder/common/responder_packet.h"
+#include "providers/data_provider.h"
+#include "monitor/monitor_interfaces.h"
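Review bot: `sbus/sbus_client.h` and `responder/common/responder_packet.h` are each included twice in this hunk (once in the first group, again in the trailing group), which is harmless with include guards but reads as leftover paste; drop the second copies and keep one sorted group of `responder/common/*` headers. The include of `responder/common/negcache.h` is used by sudo_process_init later in this file, so it belongs here, but the order mixes project and provider headers without grouping.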
@@ -56,7 +64,89 @@ struct test {
char * cwd;
char * tty;
};
-struct sss_sudo_msg_contents * msg;
+
+int compare_sudo_order(struct ldb_message **msg1, struct ldb_message **msg2)
+{
+ double order_msg1 = ldb_msg_find_attr_as_double(*msg1, SYSDB_SUDO_ORDER_ATTR, 0.0);
+ double order_msg2 = ldb_msg_find_attr_as_double(*msg2, SYSDB_SUDO_ORDER_ATTR, 0.0);
+ if(order_msg1>order_msg2) return 1;
+ else if (order_msg1==order_msg1) return 0;
+ else return -1;
+}
+
+
+int search_sudo_rules(struct sudo_client *sudocli) {
+ TALLOC_CTX *tmpctx;
+ struct sysdb_ctx_list *sysdblist = sudocli->sudoctx->rctx->db_list;
+ struct sss_domain_info *domain = sudocli->sudoctx->rctx->be_conns->domain;
+ const char *attrs[] = { SYSDB_SUDO_USER_ATTR,
+ SYSDB_SUDO_HOST_ATTR,
+ SYSDB_SUDO_OPTION_ATTR,
+ SYSDB_SUDO_COMMAND_ATTR,
+ SYSDB_SUDO_RUNAS_USER_ATTR,
+ SYSDB_SUDO_RUNAS_GROUP_ATTR,
+ SYSDB_SUDO_NOT_BEFORE_ATTR,
+ SYSDB_SUDO_NOT_AFTER_ATTR,
+ SYSDB_SUDO_ORDER_ATTR,
+ NULL };
+ char *filter = NULL;
+ struct ldb_message **msgs;
+ int ret;
+ size_t count;
+ int i;
+ double order;
+
+ fprintf(stdout,"in Sudo rule\n");
+ tmpctx = talloc_new(sudocli);
+ if (!tmpctx) {
+ return ENOMEM;
+ }
+
+ filter = talloc_asprintf(tmpctx,"");
+ if (!filter) {
+ DEBUG(2, ("Failed to build filter\n"));
+ fprintf(stdout," failed Filter - %s\n",filter);
+ ret = ENOMEM;
+ goto done;
+ }
+ fprintf(stdout,"Filter - %s\n",filter);
+ ret = sysdb_search_sudo_rules(tmpctx,
+ *(sysdblist->dbs),
+ domain,
+ filter,
+ attrs,
+ &count,
+ &msgs);
+
+ fprintf(stdout,"in Sudo rule search %d\n",count);
+ if (ret) {
+ if (ret == ENOENT) {
+ ret = EOK;
+ }
+ goto done;
+ }
+
+ DEBUG(4, ("Found %d sudo rule entries!\n", count));
+
+ if (count == 0) {
+ ret = EOK;
+ goto done;
+ }
+ fprintf(stdin,"-----%d commands ----",count);
+
+ qsort(msgs,count,sizeof(struct ldb_message *),compare_sudo_order);
+
+ for (i = 0; i < count; i++) {
+ order = ldb_msg_find_attr_as_double(msgs[i], SYSDB_SUDO_ORDER_ATTR, 0.0);
+
+ DEBUG(0, ("-----%f ----%s----",order,ldb_dn_get_linearized(msgs[i]->dn)));
+ fprintf(stderr,"-----%f ----",order);
+ }
+
+ done:
+ talloc_zfree(tmpctx);
+ return ret;
+}
static int sudo_query_validation(DBusMessage *message, struct sbus_connection *conn)
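Review bot: compare_sudo_order compares order_msg1 with itself (`order_msg1==order_msg1`), so it only ever returns 1 or 0 and is not a consistent ordering; qsort's output is then unspecified, and because sudoOrder decides which rule wins when several match, the rule precedence this commit sets out to implement is not actually enforced. The comparator also has the wrong type for qsort, which requires `int (*)(const void *, const void *)`, so the call at `qsort(msgs,count,...)` is an incompatible pointer conversion. Both are fixed in the rewrite below. Separately, `fprintf(stdin,"-----%d commands ----",count)` writes to the input stream and every `%d` in these prints is applied to a `size_t`; these should become DEBUG() calls with `%zu` or be removed, and passing `""` as sub_filter to sysdb_search_sudo_rules yields the invalid filter `(&(objectClass=sudoRole)())` as that function builds it, so the search most likely fails before anything is sorted.
```c
/* qsort comparator: ascending by sudoOrder; an absent attribute sorts as 0.0. */
static int compare_sudo_order(const void *a, const void *b)
{
    struct ldb_message *const *m1 = a;
    struct ldb_message *const *m2 = b;
    double o1 = ldb_msg_find_attr_as_double(*m1, SYSDB_SUDO_ORDER_ATTR, 0.0);
    double o2 = ldb_msg_find_attr_as_double(*m2, SYSDB_SUDO_ORDER_ATTR, 0.0);

    if (o1 < o2) return -1;
    if (o1 > o2) return 1;
    return 0;
}

/* … unchanged: search_sudo_rules up to the sort … */
    qsort(msgs, count, sizeof(msgs[0]), compare_sudo_order);
```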
@@ -68,14 +158,16 @@ static int sudo_query_validation(DBusMessage *message, struct sbus_connection *c
DBusError dbus_error;
DBusMessageIter msg_iter;
DBusMessageIter subItem;
- char *tmp,**ui;
+ char **ui;
char **command_array;
+ int ret = -1;
dbus_bool_t dbret;
void *data;
int count = 0;
hash_table_t *settings_table;
hash_table_t *env_table;
char * result;
+ struct sss_sudo_msg_contents * msg;
result = strdup("PASS");
@@ -193,14 +285,14 @@ static int sudo_query_validation(DBusMessage *message, struct sbus_connection *c
}
fprintf(stdout,"-----------Message END---------\n");
-
- /*if (!dbret) {
- DEBUG(1, ("Failed to parse message, killing connection\n"));
- if (dbus_error_is_set(&dbus_error)) dbus_error_free(&dbus_error);
- sbus_disconnect(conn);
+//////////////////
- }*/
+ ret = search_sudo_rules(sudocli);
+ if(ret != EOK){
+ fprintf(stderr,"Error in rule");
+ }
+/////////////////////
talloc_set_destructor((TALLOC_CTX *)sudocli, sudo_client_destructor);
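Review bot: A failure from search_sudo_rules is only reported with `fprintf(stderr,"Error in rule")` and then execution falls through to the destructor setup and the rest of the handler; `result` was set to `strdup("PASS")` earlier in this function and nothing in this hunk changes it on error, so unless code past the hunk does, a sysdb failure appears to leave the reply in the PASS state, which is fail-open for a sudo decision. The error should be logged through DEBUG and the reply path not reached, e.g. `if (ret != EOK) { DEBUG(1, ("Failed to look up sudo rules: %d\n", ret)); /* reply with a failure status and stop */ }` with whatever the handler's existing error return is (the function's start and end are outside this hunk). The `//////////////////` marker lines should also be removed; they look like temporary scaffolding rather than comments.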
@@ -303,7 +395,7 @@ static int sudo_client_init(struct sbus_connection *conn, void *data)
/* 5 seconds should be plenty */
tv = tevent_timeval_current_ofs(5, 0);
- sudocli->timeout = tevent_add_timer(sudoctx->ev, sudocli, tv, init_timeout, sudocli);
+ sudocli->timeout = tevent_add_timer(sudoctx->rctx->ev, sudocli, tv, init_timeout, sudocli);
if (!sudocli->timeout) {
DEBUG(0,("Out of memory?!\n"));
talloc_zfree(conn);
@@ -317,49 +409,165 @@ static int sudo_client_init(struct sbus_connection *conn, void *data)
return EOK;
}
+static void sudo_dp_reconnect_init(struct sbus_connection *conn, int status, void *pvt)
+{
+ struct be_conn *be_conn = talloc_get_type(pvt, struct be_conn);
+ int ret;
+
+ /* Did we reconnect successfully? */
+ if (status == SBUS_RECONNECT_SUCCESS) {
+ DEBUG(1, ("Reconnected to the Data Provider.\n"));
+
+ /* Identify ourselves to the data provider */
+ ret = dp_common_send_id(be_conn->conn,
+ DATA_PROVIDER_VERSION,
+ "PAM");
+ /* all fine */
+ if (ret == EOK) return;
+ }
+
+ /* Handle failure */
+ DEBUG(0, ("Could not reconnect to %s provider.\n",
+ be_conn->domain->name));
+
+}
int sudo_server_init(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- struct sudo_ctx *_ctx)
+ struct sudo_ctx *_ctx)
{
-
+
int ret;
struct sbus_connection *serv;
-
-
+
+
DEBUG(1, ("Setting up the sudo server.\n"));
-
-
-
- ret = sbus_new_server(mem_ctx,ev, SSS_SUDO_SERVICE_PIPE,
- &sudo_interface, &serv,
- sudo_client_init, _ctx);
+
+
+
+ ret = sbus_new_server(mem_ctx,
+ _ctx->rctx->ev,
+ SSS_SUDO_SERVICE_PIPE,
+ &sudo_monitor_interface,
+ &serv,
+ sudo_client_init,
+ _ctx);
if (ret != EOK) {
DEBUG(0, ("Could not set up sudo sbus server.\n"));
return ret;
}
return EOK;
-
+
+}
+
+struct cli_protocol_version *register_cli_protocol_version(void)
+{
+ static struct cli_protocol_version sudo_cli_protocol_version[] = {
+ {0, NULL, NULL}
+ };
+
+ return sudo_cli_protocol_version;
+}
+
+struct sss_cmd_table *get_sudo_cmds(void)
+{
+ static struct sss_cmd_table sss_cmds[] = {
+ {SSS_SUDO_AUTHENTICATE, NULL},
+ {SSS_SUDO_INVALIDATE, NULL},
+ {SSS_SUDO_VALIDATE, NULL},
+ {SSS_SUDO_LIST, NULL},
+ {SSS_CLI_NULL, NULL}
+ };
+
+ return sss_cmds;
}
int sudo_process_init(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct confdb_ctx *cdb)
{
+ struct sss_cmd_table *sudo_cmds;
+ struct be_conn *iter;
struct sudo_ctx *ctx;
- int ret;
+ int ret, max_retries;
+ int id_timeout;
+
ctx = talloc_zero(mem_ctx, struct sudo_ctx);
- ctx->ev = ev;
- ctx->cdb = cdb;
-
-
- ret = sudo_server_init(mem_ctx, ev, ctx);
- DEBUG(0, ("sudo server returned %d.\n",ret));
-
- return EOK;
+ if (!ctx) {
+ DEBUG(0, ("fatal error initializing sudo_ctx\n"));
+ return ENOMEM;
+ }
+ sudo_cmds = get_sudo_cmds();
+ ret = sss_process_init(ctx,
+ ev,
+ cdb,
+ sudo_cmds,
+ SSS_SUDO_SOCKET_NAME,
+ SSS_SUDO_PRIV_SOCKET_NAME,
+ CONFDB_SUDO_CONF_ENTRY,
+ SSS_SUDO_SBUS_SERVICE_NAME,
+ SSS_SUDO_SBUS_SERVICE_VERSION,
+ &sudo_monitor_interface,
+ "SUDO", &sudo_dp_interface,
+ &ctx->rctx);
+ if (ret != EOK) {
+ goto done;
+ }
+
+
+ ctx->rctx->pvt_ctx = ctx;
+
+
+
+ ret = confdb_get_int(ctx->rctx->cdb, ctx->rctx, CONFDB_SUDO_CONF_ENTRY,
+ CONFDB_SERVICE_RECON_RETRIES, 3, &max_retries);
+ if (ret != EOK) {
+ DEBUG(0, ("Failed to set up automatic reconnection\n"));
+ goto done;
+ }
+
+ for (iter = ctx->rctx->be_conns; iter; iter = iter->next) {
+ sbus_reconnect_init(iter->conn, max_retries,
+ sudo_dp_reconnect_init, iter);
+ }
+
+ /* Set up the negative cache */
+ ret = confdb_get_int(cdb, ctx, CONFDB_SUDO_CONF_ENTRY,
+ CONFDB_SUDO_ENTRY_NEG_TIMEOUT, 15,
+ &ctx->neg_timeout);
+ if (ret != EOK) goto done;
+
+ /* Set up the PAM identity timeout */
+ ret = confdb_get_int(cdb, ctx, CONFDB_SUDO_CONF_ENTRY,
+ CONFDB_SUDO_ID_TIMEOUT, 5,
+ &id_timeout);
+ if (ret != EOK) goto done;
+
+ ctx->id_timeout = (size_t)id_timeout;
+
+ ret = sss_ncache_init(ctx, &ctx->ncache);
+ if (ret != EOK) {
+ DEBUG(0, ("fatal error initializing negative cache\n"));
+ goto done;
+ }
+
+ ret = sss_ncache_prepopulate(ctx->ncache, cdb, ctx->rctx->names,
+ ctx->rctx->domains);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sudo_server_init(mem_ctx, ctx);
+ DEBUG(0, ("sudo server returned %d.\n",ret));
+
+ return EOK;
+ done:
+ if (ret != EOK) {
+ talloc_free(ctx);
+ }
+ return ret;
}
int main(int argc, const char *argv[])
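Review bot: sudo_process_init discards the return value of sudo_server_init — it is only printed and `return EOK;` follows unconditionally — so the process reports success even when no sbus server is listening; replace the tail with `if (ret != EOK) { DEBUG(0, ("Could not set up sudo sbus server: %d\n", ret)); goto done; } return EOK;` (the `done:` label already frees ctx). In sudo_dp_reconnect_init the responder re-identifies to the data provider as `"PAM"`, whereas sss_process_init registers it as `"SUDO"`, so after a reconnect the provider would see a different client name. get_sudo_cmds maps every SSS_SUDO_* command to a NULL handler; if the shared responder dispatcher calls the table entry without checking for NULL (not visible here), any local client sending one of those commands could crash the responder, so either give them stub handlers or leave them out of the table until implemented.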
diff --git a/src/responder/sudo/sudosrv.h b/src/responder/sudo/sudosrv.h
index c5db6a15..91bc76ae 100644
--- a/src/responder/sudo/sudosrv.h
+++ b/src/responder/sudo/sudosrv.h
@@ -40,9 +40,20 @@
#ifndef SUDO_METHOD_QUERY
#define SUDO_METHOD_QUERY "queryService"
#endif
+#define SUDO_DP_INTERFACE "org.freedesktop.sssd.sudo.dataprovider"
+#define SUDO_DP_PATH "/org/freedesktop/sssd/sudo/dataprovider"
+#define SUDO_DP_METHOD_QUERY "queryDPService"
+
#define SSS_SUDO_RESPONDER_HEADER 0x43256
+#define SSS_SUDO_SBUS_SERVICE_VERSION 0x0001
+#define SSS_SUDO_SBUS_SERVICE_NAME "sudo"
+
+#define CONFDB_SERVICE_RECON_RETRIES "reconnection_retries"
+#define CONFDB_SUDO_ENTRY_NEG_TIMEOUT "entry_negative_timeout"
+#define CONFDB_SUDO_ID_TIMEOUT "sudo_id_timeout"
+
static int sudo_query_validation(DBusMessage *message, struct sbus_connection *conn);
struct sbus_method sudo_methods[] = {
@@ -50,7 +61,7 @@ struct sbus_method sudo_methods[] = {
{ NULL, NULL }
};
-struct sbus_interface sudo_interface = {
+struct sbus_interface sudo_monitor_interface = {
SUDO_SERVER_INTERFACE,
SUDO_SERVER_PATH,
SBUS_DEFAULT_VTABLE,
@@ -58,14 +69,20 @@ struct sbus_interface sudo_interface = {
NULL
};
+struct sbus_interface sudo_dp_interface = {
+ SUDO_DP_INTERFACE,
+ SUDO_DP_PATH,
+ SBUS_DEFAULT_VTABLE,
+ NULL/*sudo_dp_methods*/,
+ NULL
+};
+
struct sudo_ctx {
- struct tevent_context *ev;
- struct confdb_ctx *cdb;
-
- struct sbus_connection *mon_conn;
- struct sbus_connection *sbus_srv;
+ struct resp_ctx *rctx;
+ struct sss_nc_ctx *ncache;
- size_t check_online_ref_count;
+ int neg_timeout;
+ time_t id_timeout;
};
struct sudo_client {
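Review bot: `sudo_dp_interface` (like the `sudo_monitor_interface` and `sudo_methods[]` above it) is a non-static object definition in a header, so any second translation unit that includes sudosrv.h will produce duplicate symbols at link time; move the definitions into sudosrv.c and leave `extern struct sbus_interface sudo_dp_interface;` here. The interface is registered with a NULL method table (`NULL/*sudo_dp_methods*/`), so no data-provider callbacks can be dispatched to this responder until it is filled in; a `/* TODO: wire sudo_dp_methods before relying on DP callbacks */` comment on that line would make the gap visible. `neg_timeout` is an `int` while `id_timeout` is a `time_t` that sudosrv.c fills via `(size_t)id_timeout`; the cast should match the field type.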
@@ -86,7 +103,9 @@ enum error_types_sudo_responder{
SSS_SUDO_RESPONDER_LOG_ERR,
SSS_SUDO_RESPONDER_MESSAGE_ERR,
SSS_SUDO_RESPONDER_REPLY_ERR,
- SSS_SUDO_RESPONDER_DHASH_ERR
+ SSS_SUDO_RESPONDER_DHASH_ERR,
+ SUDO_LDB_CONNECT_ERR,
+ SUDO_LDB_SEARCH_ERR
};
#endif
diff --git a/src/sss_client/sudo_plugin/sss_sudo_cli.h b/src/sss_client/sudo_plugin/sss_sudo_cli.h
index cebaec7d..94488b6f 100644
--- a/src/sss_client/sudo_plugin/sss_sudo_cli.h
+++ b/src/sss_client/sudo_plugin/sss_sudo_cli.h
@@ -71,6 +71,8 @@ enum sss_status {
#endif
+
+
enum error_types_sudo{
SSS_SUDO_SUCCESS = 0x01,
diff --git a/src/sss_client/sudo_plugin/sss_sudoplugin.c b/src/sss_client/sudo_plugin/sss_sudoplugin.c
index fa1aed0e..514f56c2 100644
--- a/src/sss_client/sudo_plugin/sss_sudoplugin.c
+++ b/src/sss_client/sudo_plugin/sss_sudoplugin.c
@@ -163,7 +163,6 @@ static struct pam_conv conv = {
#define GET_BOOL_STRING(x) ((x)? strdup("TRUE") : strdup("FALSE"))
-
void print_sudo_items(void)
{