author | Arun Scaria <arunscaria91@gmail.com> | 2011-08-19 16:42:50 +0530 |
---|---|---|
committer | Arun Scaria <arunscaria91@gmail.com> | 2011-08-19 16:42:50 +0530 |
commit | c9899af4bb3b0a2d7bfc1232eba73d0dcb43ab59 (patch) | |
tree | ace55460b15743fa9965fc092f371229a30e9a47 | |
parent | 62131dc37085d9815ea3bfbffe36b58420ea8562 (diff) | |
Bug fixes - What if all the rules got eliminated in command elimination itself? Added sudo options to be supported as macros
-rw-r--r-- | src/responder/sudo/sudo_options.h | 183 | ||||
-rw-r--r-- | src/responder/sudo/sudosrv.c | 113 | ||||
-rw-r--r-- | src/responder/sudo/sudosrv.h | 3 |
3 files changed, 271 insertions, 28 deletions
diff --git a/src/responder/sudo/sudo_options.h b/src/responder/sudo/sudo_options.h
new file mode 100644
index 00000000..2aedb32b
--- /dev/null
+++ b/src/responder/sudo/sudo_options.h
@@ -0,0 +1,183 @@
+/*
+ *
+ *
+ * SSSD
+ *
+ * sudo_options.h
+ *
+ * Copyright (C) Arun Scaria <arunscaria91@gmail.com> (2011)
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef SUDO_OPTIONS_H_
+#define SUDO_OPTIONS_H_
+
+#include <stdbool.h>
+
+#define SUDO_OPT_ALWAYS_SET_HOME "always_set_home"
+#define SUDO_OPT_AUTHENTICATE "authenticate"
+#define SUDO_OPT_CLOSE_FROM_OVERRIDE "closefrom_override"
+#define SUDO_OPT_COMPRESS_IO "compress_io"
+#define SUDO_OPT_ENV_EDITOR "env_editor"
+#define SUDO_OPT_ENV_RESET "env_reset"
+#define SUDO_OPT_FAST_GLOB "fast_glob"
+#define SUDO_OPT_FQDN "fqdn"
+#define SUDO_OPT_IGNORE_DOT "ignore_dot"
+#define SUDO_OPT_IGNORE_LOCAL_SUDOERS "ignore_local_sudoers"
+#define SUDO_OPT_INSULT "insults"
+#define SUDO_OPT_LOG_HOST "log_host"
+#define SUDO_OPT_LOG_INPUT "log_input"
+#define SUDO_OPT_LOG_OUTPUT "log_output"
+#define SUDO_OPT_LOG_YEAR "log_year"
+#define SUDO_OPT_LONG_OTP_PROMPT "long_otp_prompt"
+#define SUDO_OPT_MAIL_ALWAYS "mail_always"
+#define SUDO_OPT_MAIL_BADPASS "mail_badpass"
+#define SUDO_OPT_MAIL_NO_HOST "mail_no_host"
+#define SUDO_OPT_MAIL_NO_PERMS "mail_no_perms"
+#define SUDO_OPT_MAIL_NO_USER "mail_no_user"
+#define SUDO_OPT_NOEXEC "noexec"
+#define SUDO_OPT_PATH_INFO "path_info"
+#define SUDO_OPT_PASSPROMPT_OVERRIDE "passprompt_override"
+#define SUDO_OPT_PRESERVE_GROUPS "preserve_groups"
+#define SUDO_OPT_PWFEEDBACK "pwfeedback"
+#define SUDO_OPT_REQUIRETTY "requiretty"
+#define SUDO_OPT_ROOT_SUDO "root_sudo"
+#define SUDO_OPT_ROOTPW "rootpw"
+#define SUDO_OPT_RUNASPW "runaspw"
+#define SUDO_OPT_SET_HOME "set_home"
+#define SUDO_OPT_SET_LOGNAME "set_logname"
+#define SUDO_OPT_SET_UTMP "set_utmp"
+#define SUDO_OPT_SETENV "setenv"
+#define SUDO_OPT_SHELL_NOARGS "shell_noargs"
+#define SUDO_OPT_STAY_SETUID "stay_setuid"
+#define SUDO_OPT_TARGETPW "targetpw"
+#define SUDO_OPT_TTY_TICKETS "tty_tickets"
+#define SUDO_OPT_UMASK_OVERRIDE "umask_override"
+#define SUDO_OPT_USE_PTY "use_pty"
+#define SUDO_OPT_UTMP_RUNAS "utmp_runas"
+#define SUDO_OPT_VISIBLEPW "visiblepw"
+#define SUDO_OPT_CLOSEFROM "closefrom"
+#define SUDO_OPT_PASSWD_TRIES "passwd_tries"
+#define SUDO_OPT_LOGLINELEN "loglinelen"
+#define SUDO_OPT_PASSWD_TIMEOUT "passwd_timeout"
+#define SUDO_OPT_TIMESTAMP_TIMEOUT "timestamp_timeout"
+#define SUDO_OPT_UMASK "umask"
+#define SUDO_OPT_BADPASS_MESSAGE "badpass_message"
+#define SUDO_OPT_EDITOR "editor"
+#define SUDO_OPT_IOLOG_DIR "iolog_dir"
+#define SUDO_OPT_IOLOG_FILE "iolog_file"
+#define SUDO_OPT_MAILSUB "mailsub"
+#define SUDO_OPT_NOEXEC_FILE "noexec_file"
+#define SUDO_OPT_PASSPROMPT "passprompt"
+#define SUDO_OPT_RUNAS_DEFAULT "runas_default"
+#define SUDO_OPT_SYSLOG_BADPRI "syslog_badpri"
+#define SUDO_OPT_SYSLOG_GOODPRI "syslog_goodpri"
+#define SUDO_OPT_SUDOERS_LOCALE "sudoers_locale"
+#define SUDO_OPT_TIMESTAMPDIR "timestampdir"
+#define SUDO_OPT_TIMESTAMPOWNER "timestampowner"
+#define SUDO_OPT_ASKPASS "askpass"
+#define SUDO_OPT_ENV_FILE "env_file"
+#define SUDO_OPT_EXEMPT_GROUP "exempt_group"
+#define SUDO_OPT_GROUP_PLUGIN "group_plugin"
+#define SUDO_OPT_LECTURE "lecture"
+#define SUDO_OPT_LECTURE_FILE "lecture_file"
+#define SUDO_OPT_LISTPW "listpw"
+#define SUDO_OPT_LOGFILE "logfile"
+#define SUDO_OPT_MAILERFLAGS "mailerflags"
+#define SUDO_OPT_MAILERPATH "mailerpath"
+#define SUDO_OPT_MAILFROM "mailfrom"
+#define SUDO_OPT_MAILTO "mailto"
+#define SUDO_OPT_SECURE_PATH "secure_path"
+#define SUDO_OPT_SYSLOG "syslog"
+#define SUDO_OPT_VERIFYPW "verifypw"
+#define SUDO_OPT_ENV_CHECK "env_check"
+#define SUDO_OPT_ENV_DELETE "env_delete"
+#define SUDO_OPT_ENV_KEEP "env_keep"
+
+struct sss_sudo_options{
+
+ bool log_host;
+ bool log_input;
+ bool log_output;
+ bool log_year;
+ bool long_otp_prompt;
+ bool mail_always;
+ bool mail_badpass;
+ bool mail_no_host;
+ bool mail_no_perms;
+ bool mail_no_user;
+ bool noexec;
+ bool path_info;
+ bool passprompt_override;
+ bool preserve_groups;
+ bool pwfeedback;
+ bool requiretty;
+ bool root_sudo;
+ bool rootpw;
+ bool runaspw;
+ bool set_home;
+ bool set_logname;
+ bool set_utmp;
+ bool setenv;
+ bool shell_noargs;
+ bool stay_setuid;
+ bool targetpw;
+ bool tty_tickets;
+ bool umask_override;
+ bool use_pty;
+ bool utmp_runas;
+ bool visiblepw;
+ int closefrom;
+ int passwd_tries;
+ int loglinelen;
+ int passwd_timeout;
+ int timestamp_timeout;
+ int umask;
+ char * badpass_message;
+ char * editor;
+ char * iolog_dir;
+ char * iolog_file;
+ char * mailsub;
+ char * noexec_file;
+ char * passprompt;
+ char * runas_default;
+ char * syslog_badpri;
+ char * syslog_goodpri;
+ char * sudoers_locale;
+ char * timestampdir;
+ char * timestampowner;
+ char * askpass;
+ char * env_file;
+ char * exempt_group;
+ char * group_plugin;
+ char * lecture;
+ char * lecture_file;
+ char * listpw;
+ char * logfile;
+ char * mailerflags;
+ char * mailerpath;
+ char * mailfrom;
+ char * mailto;
+ char * secure_path;
+ char * syslog;
+ char * verifypw;
+ char * env_check;
+ char * env_delete;
+ char * env_keep;
+
+};
+
+
+#endif /* SUDO_OPTIONS_H_ */
diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
index 8ac858bd..2f0a7e09 100644
--- a/src/responder/sudo/sudosrv.c
+++ b/src/responder/sudo/sudosrv.c
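Review bot: `struct sss_sudo_options` has no member for the first eleven option macros (`SUDO_OPT_ALWAYS_SET_HOME` through `SUDO_OPT_INSULT`): the macro list defines 79 option names but the struct starts at `log_host` and holds 68 fields, so options such as `authenticate` or `env_reset` have a name but nowhere to land once parsed. Either add the missing `bool` members in the same order as the macros or state in a comment above the struct that those eleven are intentionally not represented. The `char *` members carry no ownership note; a comment on the struct saying which context allocates and frees them (the allocator is not in this diff, so it needs confirming) would let the parser and the consumer agree on who calls free.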
@@ -168,15 +168,16 @@ errno_t eliminate_sudorules_by_sudocmd(TALLOC_CTX * mem_ctx,
 char * tmpcmd, *space;
 struct sudo_cmd_ctx * sudo_cmnd;
+ DEBUG(0,("\n\n\nIn rule elimination based on commands\n"));
 sudo_cmnd = talloc_zero(mem_ctx,struct sudo_cmd_ctx);
 if(!sudo_cmnd){
- DEBUG(0,("Failed to allocate command structure."));
+ DEBUG(0,("Failed to allocate command structure.\n"));
 return ENOMEM;
 }
 current_node = list_head;
 while(current_node != NULL) {
- DEBUG(0, ("--sudoOrder: %f\n",
+ DEBUG(0, ("\n--sudoOrder: %f\n",
 ldb_msg_find_attr_as_double(current_node->data,
 SYSDB_SUDO_ORDER_ATTR,
 0.0)));
@@ -242,6 +243,7 @@ errno_t eliminate_sudorules_by_sudocmd(TALLOC_CTX * mem_ctx,
 current_node = tmp_node;
 }
 *head = list_head;
+ DEBUG(0,("Rule elimination based on commands is over\n"));
 return EOK;
 }
@@ -257,11 +259,12 @@ errno_t eliminate_sudorules_by_sudohosts(TALLOC_CTX * mem_ctx,
 int flag =0;
 int i=0;
 char * tmphost;
+ DEBUG(0,("\n\n\nIn rule elimination based on hosts\n"));
 current_node = list_head;
 while(current_node != NULL) {
- DEBUG(0, ("\n\n\n\n--sudoOrder: %f\n",
+ DEBUG(0, ("\n--sudoOrder: %f\n",
 ldb_msg_find_attr_as_double((struct ldb_message *)current_node->data,
 SYSDB_SUDO_ORDER_ATTR,
 0.0)));
@@ -314,6 +317,7 @@ errno_t eliminate_sudorules_by_sudohosts(TALLOC_CTX * mem_ctx,
 current_node = tmp_node;
 }
 *head = list_head;
+ DEBUG(0,("Rule elimination based on hosts over\n"));
 return EOK;
 }
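Review bot: The new enter/leave trace messages in all four hunks here (`In rule elimination based on commands`, `Rule elimination based on commands is over` and their host counterparts) are emitted with `DEBUG(0, ...)`, the same level as the `Failed to allocate command structure` error in the first hunk, so routine per-request tracing cannot be separated from fatal conditions in the log. This file already uses `DEBUG(4, ...)` for the timeout-cancel message; the per-rule `--sudoOrder` lines and the enter/leave markers belong at that or a more verbose level. The leading `\n\n\n` in the enter messages also writes blank lines into the log instead of separating records. Both eliminate_sudorules_by_sudocmd and eliminate_sudorules_by_sudohosts start outside these hunks.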
@@ -329,9 +333,15 @@ errno_t eliminate_sudorules_by_sudouser_netgroups(TALLOC_CTX * mem_ctx,
 int i=0, valid_user_count = 0;
 char * tmpuser;
-
+ DEBUG(0,("\n\n\nIn rule elimination based on user net groups\n"));
 current_node = list_head;
 while(current_node != NULL) {
+ DEBUG(0, ("\n--sudoOrder: %f\n",
+ ldb_msg_find_attr_as_double((struct ldb_message *)current_node->data,
+ SYSDB_SUDO_ORDER_ATTR,
+ 0.0)));
+ DEBUG(0, ("--dn: %s----\n",
+ ldb_dn_get_linearized(((struct ldb_message *)current_node->data)->dn)));
 el = ldb_msg_find_element((struct ldb_message *)current_node->data,
 SYSDB_SUDO_USER_ATTR);
@@ -342,6 +352,17 @@ errno_t eliminate_sudorules_by_sudouser_netgroups(TALLOC_CTX * mem_ctx,
 continue;
 }
 flag = 0;
+ /*
+ * TODO: The elimination of sudo rules based on hosts an user net groups depends
+ * on the innetgr(). This makes the code less efficient since we are calling the
+ * sssd in loop. Find a good solution to resolve the membserNisnetgroup attribute.
+ *
+ * CAUTION: Most of the contents of the netgroup is stored on LDAP. But they leave
+ * a generic memberNisNetgroup entry in the LDAP entry, so that if the local machine
+ * chooses, they can add an "override" locally. So there's no guarantee that
+ * memberNisNetgroup maps to something else on the LDAP server.
+ *
+ */
 for (i = 0; i < el->num_values; i++) {
@@ -368,6 +389,7 @@ errno_t eliminate_sudorules_by_sudouser_netgroups(TALLOC_CTX * mem_ctx,
 current_node = tmp_node;
 }
 *head = list_head;
+ DEBUG(0,("Rule elimination based on user net groups is over\n"));
 return EOK;
 }
@@ -512,6 +534,14 @@ errno_t search_sudo_rules(struct sudo_client *sudocli,
 ret = EIO;
 goto done;
 }
+ if(list_head == NULL){
+ /* No more rules left. Return err */
+ DEBUG(0, ("All rules are eliminated based on sudo commands\n"));
+ ret = EOK;
+ valid_rules->non_defaults = NULL;
+ *valid_sudorules_out = valid_rules;
+ goto done;
+ }
 ret = unsetenv("_SSS_LOOPS");
 if (ret != EOK) {
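Review bot: In the `if(list_head == NULL)` block added to search_sudo_rules in the last hunk here (and in the two identical blocks that follow for hosts and users) the comment says `Return err` while the code sets `ret = EOK`, so the caller receives success together with an empty result; one of the two should change, and a comment that states the intent, `/* No rules survived; report an empty result, not an error */`, keeps the next reader from "fixing" it in either direction. The same eight lines are repeated three times; a single check placed after each elimination call via a small static helper would keep them in sync. These early exits also bypass the `talloc_steal(sudocli,listctx)` on the success path, so whatever `list_head` and `valid_rules` are allocated on stays under `tmp_mem_ctx`, which the `done:` hunk no longer frees. search_sudo_rules begins outside the hunk.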
@@ -528,6 +558,14 @@ errno_t search_sudo_rules(struct sudo_client *sudocli,
 ret = EIO;
 goto done;
 }
+ if(list_head == NULL){
+ /* No more rules left. Return err */
+ DEBUG(0, ("All rules are eliminated based on sudo Hosts\n"));
+ ret = EOK;
+ valid_rules->non_defaults = NULL;
+ *valid_sudorules_out = valid_rules;
+ goto done;
+ }
 ret = eliminate_sudorules_by_sudouser_netgroups(tmp_mem_ctx,
 &list_head,
@@ -538,6 +576,14 @@ errno_t search_sudo_rules(struct sudo_client *sudocli,
 ret = EIO;
 goto done;
 }
+ if(list_head == NULL){
+ /* No more rules left. Return err */
+ DEBUG(0, ("All rules are eliminated based on sudo users\n"));
+ ret = EOK;
+ valid_rules->non_defaults = NULL;
+ *valid_sudorules_out = valid_rules;
+ goto done;
+ }
 setenv("_SSS_LOOPS", "NO", 0);
 talloc_steal(sudocli,listctx);
@@ -547,7 +593,6 @@ errno_t search_sudo_rules(struct sudo_client *sudocli,
 done:
- talloc_zfree(tmp_mem_ctx);
 return ret;
 }
@@ -588,7 +633,7 @@ errno_t find_sudorules_for_user_in_db_list(TALLOC_CTX * ctx,
 break;
 }
- if(ldb_msg == NULL) {
+ if(ret !=EOK || ldb_msg == NULL) {
 DEBUG(0, ("NoUserEntryFound Error. Exit with error message.\n"));
 return ENOENT;
 }
@@ -607,8 +652,15 @@ errno_t find_sudorules_for_user_in_db_list(TALLOC_CTX * ctx,
 sudo_msg,
 &res_sudorules_valid);
 if(ret != EOK){
- DEBUG(0, ("Error in rule"));
+ DEBUG(0, ("Error in rule search"));
+ return ret;
+ }
+ if(res_sudorules_valid == NULL || res_sudorules_valid->non_defaults == NULL){
+ /* All the rules are eliminated and nothing left for evaluation */
+ DEBUG(0, ("No rule left for evaluation\n"));
 }
+ /* Do the evaluation now */
+
 return ret;
@@ -808,11 +860,9 @@ errno_t format_sudo_result_reply(TALLOC_CTX * mem_ctx,
 static int sudo_query_validation(DBusMessage *message, struct sbus_connection *conn)
 {
 struct sudo_client *sudocli;
- DBusMessage *reply;
- DBusError dbus_error;
+ DBusMessage *reply = NULL;
 int ret = -1;
 void *data;
- char * result;
 struct sss_sudo_msg_contents * msg;
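Review bot: Removing `talloc_zfree(tmp_mem_ctx);` from the `done:` label in the third hunk here makes search_sudo_rules leak `tmp_mem_ctx` on every call, including the `ret = EIO` error paths that jump to the label. If the removal is there so that the result handed back through `*valid_sudorules_out` outlives the function, the fix is to move that result to the caller's context before freeing, as the success path already does for `listctx`: `talloc_steal(sudocli, valid_rules);` followed by the original `talloc_zfree(tmp_mem_ctx);`. The hunk shows only the label; the allocation of `valid_rules` is outside it, so confirm which context it lives on before choosing the steal target.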
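Review bot: In find_sudorules_for_user_in_db_list the new `No rule left for evaluation` branch only logs and then falls through to `return ret`, and `ret` is `EOK` at that point, so an empty rule set is reported to the caller exactly like a populated one. sudo_query_validation, later in this diff, builds its reply from `result`, which is set to the fixed string `"PASS"` before any rule is examined, so until the evaluation marked by `/* Do the evaluation now */` exists this path answers PASS for a user with no applicable rule. Returning a distinct code here, e.g. `return ENOENT;` as the same function already does for a missing user entry, lets the caller send a deny or error reply instead of the default. The function starts outside the hunk.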
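Review bot: The last hunk here removes `char * result;` from sudo_query_validation's declarations, but `result = talloc_strdup(sudocli,"PASS");` is still present as context in the next hunk and `result` is still passed to format_sudo_result_reply, so unless `result` is declared in the lines between the hunks or at file scope this no longer compiles. If a declaration does remain elsewhere, a `char *result = NULL;` beside the other locals keeps the function's declarations together and matches the `reply = NULL` initialization introduced in the same hunk.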
@@ -824,7 +874,8 @@ static int sudo_query_validation(DBusMessage *message, struct sbus_connection *c
 if (!sudocli) {
 DEBUG(0, ("Connection holds no valid init data exists \n", SSS_SUDO_RESPONDER_CONNECTION_ERR));
- return SSS_SUDO_RESPONDER_CONNECTION_ERR;
+ ret = SSS_SUDO_RESPONDER_CONNECTION_ERR;
+ goto done;
 }
 result = talloc_strdup(sudocli,"PASS");
@@ -832,30 +883,31 @@ static int sudo_query_validation(DBusMessage *message, struct sbus_connection *c
 DEBUG(4, ("Cancel SUDO client timeout [%p]\n", sudocli->timeout));
 talloc_zfree(sudocli->timeout);
- dbus_error_init(&dbus_error);
-
 ret = sudo_query_parse(sudocli, message, &msg);
 if(ret != SSS_SUDO_RESPONDER_SUCCESS){
- DEBUG(0,( "message parser for sudo returned &d\n",ret));
- /* TODO: Do the error recovery method */
-
+ DEBUG(0,( "message parser for sudo returned %d\n",ret));
+ ret = SSS_SUDO_RESPONDER_PARSE_ERR;
+ goto done;
 }
 DEBUG(0, ("-----------Message successfully Parsed---------\n"));
 talloc_set_destructor(sudocli, sudo_client_destructor);
 tmpctx = talloc_new(NULL);
 if (!tmpctx) {
- return ENOMEM;
+ DEBUG(0, ("Failed create a context for sudo rule processing\n"));
+ ret = ENOMEM;
+ goto done;
 }
-
 ret = find_sudorules_for_user_in_db_list(tmpctx,sudocli,msg);
 if(ret != EOK ){
 DEBUG(0, ("sysdb_search_user_by_uid() failed - No sudo commands found with given criterion\n"));
+ ret = SSS_SUDO_RESPONDER_PARSE_ERR;
+ goto done;
 }
- talloc_zfree(tmpctx);
+
 /*
 * TODO: Evaluate the list of non eliminated sudo rules and make necessary
@@ -867,7 +919,8 @@ static int sudo_query_validation(DBusMessage *message, struct sbus_connection *c
 reply = dbus_message_new_method_return(message);
 if (!reply) {
 DEBUG(0, ("Dbus Out of memory!\n"));
- return SSS_SUDO_RESPONDER_REPLY_ERR;
+ ret = SSS_SUDO_RESPONDER_REPLY_ERR;
+ goto done;
 }
 ret = format_sudo_result_reply(sudocli,
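Review bot: The new `goto done` in the `!sudocli` check runs before `tmpctx = talloc_new(NULL)`, and so does the parse-failure `goto done` in the next hunk; the `done:` label added in the last hunk of this file calls `talloc_zfree(tmpctx)`, so unless `tmpctx` is initialized at its declaration, which is not in any hunk here, those paths free an indeterminate pointer. Initialize it to NULL where it is declared, as this commit already does for `reply`. The unchanged `DEBUG(0, ("Connection holds no valid init data exists \n", SSS_SUDO_RESPONDER_CONNECTION_ERR))` line also passes an argument that no `%` directive consumes; presumably a `%d` was intended.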
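Review bot: When find_sudorules_for_user_in_db_list fails, the second hunk here reports `SSS_SUDO_RESPONDER_PARSE_ERR`, the value this commit adds for request-parse failures, so a sysdb lookup error or `ENOENT` from the rule search becomes indistinguishable from a malformed request in the return value. Returning `ret` unchanged, or adding a dedicated value to `enum error_types_sudo_responder`, keeps the cause visible to the caller. The unchanged log line names `sysdb_search_user_by_uid()` although the call on the line above is find_sudorules_for_user_in_db_list; `DEBUG(0, ("find_sudorules_for_user_in_db_list() failed: %d\n", ret));` would match what actually ran.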
@@ -876,21 +929,27 @@ static int sudo_query_validation(DBusMessage *message, struct sbus_connection *c
 result);
 if (ret != SSS_SUDO_RESPONDER_SUCCESS) {
 DEBUG(0, ("Dbus reply failed with error state %d\n",ret));
- /* TODO: Do the error recovery method
- * dbus_message_unref(reply);
- * sbus_disconnect(conn);
- *
- * */
+ ret = SSS_SUDO_RESPONDER_REPLY_ERR;
+ goto done;
 }
 /* send reply back */
 sbus_conn_send_reply(conn, reply);
- dbus_message_unref(reply);
+ ret = EOK;
+
+ done:
+ talloc_zfree(tmpctx);
+ /*if(message)
+ dbus_message_unref(message);
+ if(reply)
+ dbus_message_unref(reply);
 sudocli->initialized = true;
- return EOK;
+ if(!conn)
+ sbus_disconnect(conn);*/
+ return ret;
 }
 static void init_timeout(struct tevent_context *ev,
diff --git a/src/responder/sudo/sudosrv.h b/src/responder/sudo/sudosrv.h
index 350dce18..a2b35e6e 100644
--- a/src/responder/sudo/sudosrv.h
+++ b/src/responder/sudo/sudosrv.h
@@ -124,7 +124,8 @@ enum error_types_sudo_responder{
 SSS_SUDO_RESPONDER_MESSAGE_ERR,
 SSS_SUDO_RESPONDER_REPLY_ERR,
 SSS_SUDO_RESPONDER_DHASH_ERR,
- SSS_SUDO_RESPONDER_MEMORY_ERR
+ SSS_SUDO_RESPONDER_MEMORY_ERR,
+ SSS_SUDO_RESPONDER_PARSE_ERR
 };
 #endif |
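Review bot: The cleanup under the new `done:` label sits inside a block comment that runs from `/*if(message)` to `sbus_disconnect(conn);*/`, which swallows the unchanged `sudocli->initialized = true;` line along with the `dbus_message_unref(reply)` this hunk removes from the success path, so the reply message is never released and `initialized` is never set. Keep the real statements outside the comment: `if (reply) dbus_message_unref(reply);` is safe now that `reply` starts as NULL, and `sudocli->initialized = true;` belongs on the success path before `done:`, since under the label it would dereference NULL on the `!sudocli` path. The commented `if(!conn) sbus_disconnect(conn);` is also inverted and should not be revived as written; `dbus_message_unref(message)` on the incoming message is presumably not this function's to do either, as it was never done before this commit.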