diff options
author | Arun Scaria <arunscaria91@gmail.com> | 2011-08-18 16:45:58 +0530 |
---|---|---|
committer | Arun Scaria <arunscaria91@gmail.com> | 2011-08-18 16:45:58 +0530 |
commit | 62131dc37085d9815ea3bfbffe36b58420ea8562 (patch) | |
tree | 682b8ed6489e23b3670d317a7ea681f82d417481 | |
parent | e19c8c46306a4decd7805ee618f4e735067fa2ea (diff) | |
download | sssd_unused-62131dc37085d9815ea3bfbffe36b58420ea8562.tar.gz sssd_unused-62131dc37085d9815ea3bfbffe36b58420ea8562.tar.xz sssd_unused-62131dc37085d9815ea3bfbffe36b58420ea8562.zip |
Added support to default sudo rules
-rw-r--r-- | src/db/sysdb.h | 1 | ||||
-rw-r--r-- | src/responder/sudo/sudosrv.c | 61 | ||||
-rw-r--r-- | src/responder/sudo/sudosrv.h | 6 |
3 files changed, 56 insertions, 12 deletions
diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 0c36375a..e0ad4c8e 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h @@ -59,6 +59,7 @@ #define SYSDB_SUDO_NOT_BEFORE_ATTR "sudoNotBefore" #define SYSDB_SUDO_NOT_AFTER_ATTR "sudoNotAfter" #define SYSDB_SUDO_ORDER_ATTR "sudoOrder" +#define SYSDB_SUDO_DEFAULT_RULE "defaults" #define SYSDB_SUDO_USER_MATCH_ATTR "("SYSDB_SUDO_USER_ATTR"=%s)" diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c index 2cc594bf..8ac858bd 100644 --- a/src/responder/sudo/sudosrv.c +++ b/src/responder/sudo/sudosrv.c @@ -378,7 +378,7 @@ errno_t search_sudo_rules(struct sudo_client *sudocli, const char * user_name, uid_t user_id, struct sss_sudo_msg_contents *sudo_msg, - struct sss_sudorule_list **sudorule_list) { + struct sss_valid_sudorules **valid_sudorules_out) { TALLOC_CTX *tmp_mem_ctx; const char *attrs[] = { SYSDB_SUDO_CONTAINER_ATTR, SYSDB_SUDO_USER_ATTR, @@ -391,14 +391,20 @@ errno_t search_sudo_rules(struct sudo_client *sudocli, SYSDB_SUDO_NOT_AFTER_ATTR, SYSDB_SUDO_ORDER_ATTR, NULL }; + const char *attrs_default[] = { SYSDB_SUDO_CONTAINER_ATTR, + SYSDB_SUDO_OPTION_ATTR, + NULL }; char *filter = NULL, *host = NULL; + char * filter_default = NULL; struct ldb_message **sudo_rules_msgs; + struct ldb_message **default_rule; struct ldb_result *res; int ret; - size_t count; + size_t count = 0, count_default = 0; int i = 0; TALLOC_CTX *listctx; struct sss_sudorule_list *list_head =NULL, *tmp_node; + struct sss_valid_sudorules * valid_rules; DEBUG(0,("in Sudo rule elimination\n")); tmp_mem_ctx = talloc_new(NULL); @@ -406,6 +412,7 @@ errno_t search_sudo_rules(struct sudo_client *sudocli, return ENOMEM; } + valid_rules = talloc_zero(tmp_mem_ctx,struct sss_valid_sudorules); ret = sysdb_get_groups_by_user(tmp_mem_ctx, sysdb, domain, @@ -425,12 +432,20 @@ errno_t search_sudo_rules(struct sudo_client *sudocli, } DEBUG(0, ("Host - %s\n",host)); + filter_default = talloc_asprintf(tmp_mem_ctx,SYSDB_SUDO_CONTAINER_ATTR"="SYSDB_SUDO_DEFAULT_RULE); + if (!filter_default) { + DEBUG(0, ("Failed to build filter for default rule \n")); + ret = ENOMEM; + goto done; + } + ret = prepare_filter(tmp_mem_ctx,user_name,user_id,host,res,&filter); if (ret!=EOK) { - DEBUG(0, ("Failed to build filter - %s\n",filter)); + DEBUG(0, ("Failed to build filter(Non default) - %s\n",filter)); goto done; } - DEBUG(0,("Filter - %s\n",filter)); + DEBUG(0,("Filter(Non Default) - %s\n",filter)); + DEBUG(0,("Filter(Default) - %s\n",filter_default)); ret = sysdb_search_sudo_rules(tmp_mem_ctx, sysdb, @@ -439,20 +454,39 @@ errno_t search_sudo_rules(struct sudo_client *sudocli, attrs, &count, &sudo_rules_msgs); - if (ret) { + if (ret != EOK) { if (ret == ENOENT) { - ret = EOK; + DEBUG(0, ("Failed to get the rules - Deny the command execution\n")); } goto done; } - DEBUG(0, ("Found %d sudo rule entries!\n\n", count)); - if (count == 0) { ret = EOK; goto done; } + ret = sysdb_search_sudo_rules(tmp_mem_ctx, + sysdb, + domain, + filter_default, + attrs_default, + &count_default, + &default_rule); + if (ret) { + DEBUG(0, ("Failed to get the default rule - Not fatal\n", count)); + valid_rules->default_rule = NULL; + } + else { + valid_rules->default_rule = *default_rule; + } + if(count_default > 1){ + DEBUG(0, ("More than one default rule found - Unexpected behavior( fatal )\n", count)); + ret = EIO; + goto done; + } + DEBUG(0, ("Found %d sudo rules and %d default rules entries!\n\n", count, count_default)); + qsort(sudo_rules_msgs,count,sizeof(struct ldb_message *), (__compar_fn_t)compare_sudo_order); listctx = talloc_new(tmp_mem_ctx); @@ -506,10 +540,13 @@ errno_t search_sudo_rules(struct sudo_client *sudocli, } setenv("_SSS_LOOPS", "NO", 0); + talloc_steal(sudocli,listctx); + + valid_rules->non_defaults = list_head; + *valid_sudorules_out = valid_rules; done: - talloc_steal(sudocli,listctx); - *sudorule_list = list_head; + talloc_zfree(tmp_mem_ctx); return ret; @@ -525,7 +562,7 @@ errno_t find_sudorules_for_user_in_db_list(TALLOC_CTX * ctx, uid_t user_id; int i = 0,ret; const char * user_name; - struct sss_sudorule_list * res_sudorule_list; + struct sss_valid_sudorules * res_sudorules_valid; sysdblist = sudocli->sudoctx->rctx->db_list->dbs; no_ldbs = sudocli->sudoctx->rctx->db_list->num_dbs; @@ -568,7 +605,7 @@ errno_t find_sudorules_for_user_in_db_list(TALLOC_CTX * ctx, "tom"/*user_name*/, user_id, sudo_msg, - &res_sudorule_list); + &res_sudorules_valid); if(ret != EOK){ DEBUG(0, ("Error in rule")); } diff --git a/src/responder/sudo/sudosrv.h b/src/responder/sudo/sudosrv.h index 3dd2a1f2..350dce18 100644 --- a/src/responder/sudo/sudosrv.h +++ b/src/responder/sudo/sudosrv.h @@ -107,6 +107,12 @@ struct sss_sudorule_list struct sss_sudorule_list *prev; } ; +struct sss_valid_sudorules +{ + struct ldb_message *default_rule; + struct sss_sudorule_list *non_defaults; +}; + enum error_types_sudo_responder{ SSS_SUDO_RESPONDER_SUCCESS = 0x01, |