Diffstat (limited to 'src/responder/sudo')
-rw-r--r-- | src/responder/sudo/sudosrv.c | 141 | ||||
-rw-r--r-- | src/responder/sudo/sudosrv.c~ | 846 | ||||
-rw-r--r-- | src/responder/sudo/sudosrv.h | 50 | ||||
-rw-r--r-- | src/responder/sudo/sudosrv.h~ | 59 |
4 files changed, 148 insertions, 948 deletions
diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c index 5f11ea33..8e7aaf6a 100644 --- a/src/responder/sudo/sudosrv.c +++ b/src/responder/sudo/sudosrv.c @@ -30,6 +30,8 @@ #include <sys/time.h> #include <errno.h> #include <fnmatch.h> +#include <netdb.h> + #include <popt.h> #include "dhash.h" @@ -63,10 +65,36 @@ static int sudo_client_destructor(void *ctx) return 0; } -int prepare_filter(char * filter,uid_t user_id,char * host, struct ldb_result *res){ +char * get_host_name(TALLOC_CTX* ctx){ + return "arun.scaria.com"; + struct addrinfo hints, *info, *p; + int gai_result; + + char hostname[1024]; + hostname[1024]='\0'; + gethostname(hostname, 1023); + + memset(&hints, 0, sizeof hints); + hints.ai_family = AF_UNSPEC; /*either IPV4 or IPV6*/ + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_CANONNAME; + + if ((gai_result = getaddrinfo(hostname, "http", &hints, &info)) != 0) { + fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(gai_result)); + exit(1); + } + + + return talloc_asprintf(ctx,"%s", p->ai_canonname); + +} + +errno_t prepare_filter(char ** filter_in,uid_t user_id,char * host, struct ldb_result *res){ int i,ret=EOK; - filter = talloc_asprintf_append(filter,"("SYSDB_SUDO_USER_ATTR"=#%d)",user_id); + char *filter; + + filter = talloc_asprintf_append(*filter_in,"("SYSDB_SUDO_USER_ATTR"=#%d)",user_id); if (!filter) { DEBUG(0, ("Failed to build filter - %s\n",filter)); ret = ENOMEM; @@ -107,6 +135,7 @@ int prepare_filter(char * filter,uid_t user_id,char * host, struct ldb_result *r goto done; } done: + *filter_in = filter; if(ret!=ENOMEM) return EOK; else return ret; 
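Review bot: In the `done:` block of `prepare_filter`, the new `*filter_in = filter;` also runs on the ENOMEM path, where `filter` is NULL, so the caller's pointer is clobbered and its own `DEBUG(0, ("Failed to build filter - %s\n",filter))` then formats a NULL string; guard it with `if (filter) *filter_in = filter;` or assign only on success. The body of `prepare_filter` between the two hunks is outside the diff, and the function itself starts in the previous hunk. The rewritten first append still formats `uid_t` with `%d`; `%u` (or a cast to `unsigned long` with `%lu`) matches the type. Separately, the user, group and host names are interpolated into the filter unescaped, so if `sysdb_search_sudo_rules` hands this string to ldb's filter parser and any of those values can contain `(`, `)`, `*` or `\`, they should go through `ldb_binary_encode_string()` first so they cannot alter the filter's structure.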
@@ -123,12 +152,12 @@ int compare_sudo_order(const struct ldb_message **msg1, const struct ldb_message } -int search_sudo_rules(struct sudo_client *sudocli, - struct sysdb_ctx *sysdb, - struct sss_domain_info * domain, - char * user_name, - uid_t user_id, - struct sss_sudo_msg_contents *sudo_msg) { +errno_t search_sudo_rules(struct sudo_client *sudocli, + struct sysdb_ctx *sysdb, + struct sss_domain_info * domain, + const char * user_name, + uid_t user_id, + struct sss_sudo_msg_contents *sudo_msg) { TALLOC_CTX *tmpctx; const char *attrs[] = { SYSDB_SUDO_CONTAINER_ATTR, SYSDB_SUDO_USER_ATTR, @@ -147,19 +176,24 @@ int search_sudo_rules(struct sudo_client *sudocli, struct ldb_result *res; int ret; size_t count; - int i,j,flag=0; - double order; + int i,flag=0; TALLOC_CTX *listctx; list_sss *list, *current, *tmp; struct sudo_cmd_ctx * sudo_cmnd; - char * host = "arun.scaria.com"; - + char * host,*tmphost,*domain_name ; fprintf(stdout,"in Sudo rule\n"); tmpctx = talloc_new(sudocli); if (!tmpctx) { return ENOMEM; } + host = get_host_name(tmpctx); + if (!host) { + DEBUG(0, ("Failed to build hostname - %s\n",filter)); + ret = ENOMEM; + goto done; + } + DEBUG(0, ("Host - %s\n",host)); ret = sysdb_get_groups_by_user(tmpctx, sysdb, @@ -178,14 +212,14 @@ int search_sudo_rules(struct sudo_client *sudocli, ret = ENOMEM; goto done; } - ret = prepare_filter(filter,user_id,host, res); + ret = prepare_filter(&filter,user_id,host, res); if (ret==ENOMEM) { DEBUG(0, ("Failed to build filter - %s\n",filter)); goto done; } - DEBUG(0,(stdout,"Filter - %s\n",filter)); + DEBUG(0,("Filter - %s\n",filter)); ret = sysdb_search_sudo_rules(tmpctx, sysdb, domain, 
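Review bot: The new NULL check after `host = get_host_name(tmpctx);` logs `filter`, which is still NULL at that point (it is only built further down), so the message prints garbage or crashes depending on the libc, and it reports ENOMEM although a resolver failure is the more likely cause; `DEBUG(0, ("Failed to determine local host name\n")); ret = EIO; goto done;` would say what actually happened. `search_sudo_rules` begins in this hunk but its body and the `done:` label lie outside it. `user_name` is now `const char *` (good), but `host`, `tmphost` and `domain_name` stay non-const although nothing writes through them, and the `"Host - %s\n"` line is a level-0 message emitted on every request.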
@@ -245,12 +279,18 @@ int search_sudo_rules(struct sudo_client *sudocli, } flag = 0; /* see if this is a user */ - for (j = 0; j < el->num_values; j++) { - DEBUG(0, ("sudoCommand: %s\n" ,(const char *) (el->values[j].data))); + for (i = 0; i < el->num_values; i++) { + DEBUG(0, ("sudoCommand: %s\n" ,(const char *) (el->values[i].data))); /* Do command elimination here */ tmpcmd = talloc_asprintf(listctx, "%s", - (const char *) (el->values[j].data)); + (const char *) (el->values[i].data)); + + if(fstrcmp(tmpcmd,"ALL") == 0){ + current=current->next; + flag=1; + break; + } space = strchr(tmpcmd,' '); if(space != NULL) { *space = '\0'; 
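Review bot: `fstrcmp(tmpcmd,"ALL")` is not a libc or talloc function; the host loop added in the next hunk uses `strcmp(tmphost,"ALL")`, so this is presumably a typo for `strcmp` and would be implicitly declared and fail at link time unless the project defines it somewhere, and the `talloc_asprintf()` result in `tmpcmd` is passed to it unchecked. The `ALL` shortcut keeps the rule and breaks out before the remaining `sudoCommand` values are seen, so a rule written as `ALL` plus `!/some/cmd` is accepted without the exclusion ever being looked at; whether `!` entries are meant to exclude is not visible in this hunk (the `!` handling is in the unchanged lines below), but if they are, the negated entries must be checked before accepting on `ALL`. The enclosing `while` loop and `search_sudo_rules` both start and end outside the hunk.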
@@ -282,7 +322,72 @@ int search_sudo_rules(struct sudo_client *sudocli, current = tmp; } + /// + ret = unsetenv("_SSS_LOOPS"); + if (ret != EOK) { + DEBUG(0, ("Failed to unset _SSS_LOOPS, " + "sudo rule elimination might not work as expected.\n")); + } + + current = list; + domain_name = sysdb->domain->name; + while(current!=NULL) { + + + + DEBUG(0, ("\n\n\n\n--sudoOrder: %f\n", + ldb_msg_find_attr_as_double((struct ldb_message *)current->data, + SYSDB_SUDO_ORDER_ATTR, + 0.0))); + DEBUG(0, ("--dn: %s----\n", + ldb_dn_get_linearized(((struct ldb_message *)current->data)->dn))); + el = ldb_msg_find_element((struct ldb_message *)current->data, + SYSDB_SUDO_HOST_ATTR); + + if (!el) { + DEBUG(0, ("Failed to get sudo hosts for sudorule [%s]\n", + ldb_dn_get_linearized(((struct ldb_message *)current->data)->dn))); + current = current->next; + continue; + } + flag = 0; + + for (i = 0; i < el->num_values; i++) { + + DEBUG(0, ("sudoHost: %s\n" ,(const char *) (el->values[i].data))); + tmphost = ( char *) (el->values[i].data); + if(strcmp(tmphost,"ALL")==0){ + current=current->next; + flag=1; + break; + } + else if(tmphost[0] == '+'){ + ++tmphost; + if(innetgr(tmphost,host,NULL,domain_name) == 1){ + current=current->next; + flag=1; + break; + + } + } + else { + if(strcmp(tmphost,host)==0){ + current=current->next; + flag=1; + break; + } + } + + } + if(flag==1) { + continue; + } + tmp = current->next; + delNode(&list,current); + current = tmp; + } + setenv("_SSS_LOOPS", "NO", 0); talloc_free(listctx); @@ -480,7 +585,7 @@ static int sudo_query_validation(DBusMessage *message, struct sbus_connection *c } user_name = ldb_msg_find_attr_as_string(ldb_msg, SYSDB_NAME, NULL); - user_id = ldb_msg_find_attr_as_string(ldb_msg, SYSDB_UIDNUM, NULL); + user_id = ldb_msg_find_attr_as_uint64(ldb_msg, SYSDB_UIDNUM, 0); ret = search_sudo_rules(sudocli, sysdblist[i],sysdblist[i]->domain, "tom",user_id,msg); if(ret != EOK){ DEBUG(0, ("Error in rule")); 
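Review bot: The new host-elimination loop unsets `_SSS_LOOPS` so that `innetgr()` can resolve netgroups through NSS, which makes the responder call back into its own NSS path synchronously from inside the event loop; if that is intentional it deserves a comment, and the `setenv("_SSS_LOOPS", "NO", 0)` restore should also be reached from any error path between the two calls (the `done:` label lies outside this hunk). `innetgr()`'s fourth argument is the NIS domain of the netgroup triple while `sysdb->domain->name` is the SSSD domain name — presumably not the same thing — so triples with an empty or different domain field will not match; passing NULL is the usual choice unless the two are known to coincide. `tmphost` is taken from `el->values[i].data`, an `ldb_val` that is length-delimited rather than guaranteed NUL-terminated, so the `strcmp` calls assume a terminator the store may not provide. Finally, the `"\n\n\n\n--sudoOrder"` and per-value `DEBUG(0, …)` lines log at the highest level on every request and belong at a higher debug level once this code settles.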
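Review bot: `ldb_msg_find_attr_as_uint64(ldb_msg, SYSDB_UIDNUM, 0)` returns 0 both for a missing attribute and for uid 0, so an entry without `uidNumber` would have its sudo rules evaluated as root; use a sentinel that cannot be a valid uid (for example `(uint64_t)-1`) and reject the entry when it comes back, or check `ldb_msg_find_element(ldb_msg, SYSDB_UIDNUM)` first. The value is also narrowed from `uint64_t` into `uid_t` without a range check. On the next line the call still passes the literal `"tom"` while `user_name` from the same lookup is unused, so the rule search is always done for that account regardless of the requesting uid; the line should read `ret = search_sudo_rules(sudocli, sysdblist[i], sysdblist[i]->domain, user_name, user_id, msg);`. `sudo_query_validation` starts and ends outside this hunk.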
diff --git a/src/responder/sudo/sudosrv.c~ b/src/responder/sudo/sudosrv.c~
deleted file mode 100644
index 762cea9b..00000000
--- a/src/responder/sudo/sudosrv.c~
+++ /dev/null
@@ -1,846 +0,0 @@ -/* - SSSD - - SUDO Responder - - Copyright (C) Arun Scaria <arunscaria91@gmail.com> (2011) - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. - */ - -#include <stdio.h> -#include <unistd.h> -#include <fcntl.h> -#include <sys/types.h> -#include <sys/stat.h> -#include <sys/socket.h> -#include <sys/un.h> -#include <string.h> -#include <sys/time.h> -#include <errno.h> -#include <fnmatch.h> - -#include <popt.h> -#include "dhash.h" -#include "util/util.h" -#include "db/sysdb.h" -#include "db/sysdb_private.h" -#include "sbus/sbus_client.h" -#include "sbus/sssd_dbus_messages_helpers.h" -#include "responder/common/responder.h" -#include "responder/common/negcache.h" -#include "responder/common/responder_packet.h" - -#include "responder/sudo/sudosrv.h" -#include "sss_client/sudo_plugin/sss_sudo_cli.h" -#include "sbus/sbus_client.h" -#include "responder/common/responder_packet.h" -#include "providers/data_provider.h" -#include "monitor/monitor_interfaces.h" -#include "list_sss/list_sss.h" - - - - -static int sudo_client_destructor(void *ctx) -{ - struct sudo_client *sudocli = talloc_get_type(ctx, struct sudo_client); - if (sudocli) { - talloc_zfree(sudocli); - DEBUG(4, ("Removed Sudo client\n")); - } - return 0; -} - -int prepare_filter(char * filter,uid_t user_id,char * host, struct ldb_result *res){ - - int i,ret=EOK; - filter = 
talloc_asprintf_append(filter,"("SYSDB_SUDO_USER_ATTR"=#%d)",user_id); - if (!filter) { - DEBUG(0, ("Failed to build filter - %s\n",filter)); - ret = ENOMEM; - goto done; - } - filter = talloc_asprintf_append(filter,"("SYSDB_SUDO_USER_ATTR"=+*)"); - if (!filter) { - DEBUG(0, ("Failed to build filter - %s\n",filter)); - ret = ENOMEM; - goto done; - } - - - for(i=0;i< res->count;i++){ - filter = talloc_asprintf_append(filter,"("SYSDB_SUDO_USER_ATTR"=%s)",ldb_msg_find_attr_as_string(res->msgs[i], SYSDB_NAME, NULL)); - if (!filter) { - DEBUG(0, ("Failed to build filter - %s\n",filter)); - ret = ENOMEM; - goto done; - } - } - filter = talloc_asprintf_append(filter,")("SYSDB_SUDO_HOST_ATTR"=+*)"); - if (!filter) { - DEBUG(0, ("Failed to build filter - %s\n",filter)); - ret = ENOMEM; - goto done; - } - filter = talloc_asprintf_append(filter,"("SYSDB_SUDO_HOST_ATTR"=ALL)"); - if (!filter) { - DEBUG(0, ("Failed to build filter - %s\n",filter)); - ret = ENOMEM; - goto done; - } - filter = talloc_asprintf_append(filter,"("SYSDB_SUDO_HOST_ATTR"=%s)",host); - if (!filter) { - DEBUG(0, ("Failed to build filter - %s\n",filter)); - ret = ENOMEM; - goto done; - } - done: - if(ret!=ENOMEM) return EOK; - else return ret; - -} - - -int compare_sudo_order(const struct ldb_message **msg1, const struct ldb_message **msg2) -{ - double order_msg1 = ldb_msg_find_attr_as_double(*msg1, SYSDB_SUDO_ORDER_ATTR, 0.0); - double order_msg2 = ldb_msg_find_attr_as_double(*msg2, SYSDB_SUDO_ORDER_ATTR, 0.0); - if(order_msg1>order_msg2) return 1; - else if (order_msg1==order_msg1) return 0; - else return -1; -} - - -int search_sudo_rules(struct sudo_client *sudocli, - struct sysdb_ctx *sysdb, - struct sss_domain_info * domain, - char * user_name, - uid_t user_id, - struct sss_sudo_msg_contents *sudo_msg) { - TALLOC_CTX *tmpctx; - const char *attrs[] = { SYSDB_SUDO_CONTAINER_ATTR, - SYSDB_SUDO_USER_ATTR, - SYSDB_SUDO_HOST_ATTR, - SYSDB_SUDO_OPTION_ATTR, - SYSDB_SUDO_COMMAND_ATTR, - 
SYSDB_SUDO_RUNAS_USER_ATTR, - SYSDB_SUDO_RUNAS_GROUP_ATTR, - SYSDB_SUDO_NOT_BEFORE_ATTR, - SYSDB_SUDO_NOT_AFTER_ATTR, - SYSDB_SUDO_ORDER_ATTR, - NULL }; - char *filter = NULL, *tmpcmd,*space; - struct ldb_message **sudo_rules_msgs; - struct ldb_message_element *el; - struct ldb_result *res; - int ret; - size_t count; - int i,j,flag=0; - double order; - TALLOC_CTX *listctx; - list_sss *list, *current, *tmp; - struct sudo_cmd_ctx * sudo_cmnd; - char * host = "arun.scaria.com"; - - - fprintf(stdout,"in Sudo rule\n"); - tmpctx = talloc_new(sudocli); - if (!tmpctx) { - return ENOMEM; - } - - ret = sysdb_get_groups_by_user(tmpctx, - sysdb, - domain, - user_name, - &res); - if (ret) { - if (ret == ENOENT) { - ret = EOK; - } - goto done; - } - filter = talloc_asprintf(tmpctx,"|(|("SYSDB_SUDO_USER_ATTR"=%s)",user_name); - if (!filter) { - DEBUG(0, ("Failed to build filter - %s\n",filter)); - ret = ENOMEM; - goto done; - } - ret = prepare_filter(filter,user_id,host, res); - if (ret==ENOMEM) { - DEBUG(0, ("Failed to build filter - %s\n",filter)); - goto done; - } - - - DEBUG(0,(stdout,"Filter - %s\n",filter)); - ret = sysdb_search_sudo_rules(tmpctx, - sysdb, - domain, - filter, - attrs, - &count, - &sudo_rules_msgs); - - if (ret) { - if (ret == ENOENT) { - ret = EOK; - } - goto done; - } - - DEBUG(0, ("Found %d sudo rule entries!\n\n", count)); - - if (count == 0) { - ret = EOK; - goto done; - } - - qsort(sudo_rules_msgs,count,sizeof(struct ldb_message *), (__compar_fn_t)compare_sudo_order); - - listctx = talloc_new(NULL); - if (!listctx) { - return ENOMEM; - } - initList(&list); - - for(i=0; i< count ; i++) { - appendNode(listctx, &list, sudo_rules_msgs[i]); - } - current = list; - sudo_cmnd = talloc(listctx,struct sudo_cmd_ctx); - - while(current!=NULL) { - - - - DEBUG(0, ("--sudoOrder: %f\n", - ldb_msg_find_attr_as_double((struct ldb_message *)current->data, - SYSDB_SUDO_ORDER_ATTR, - 0.0))); - DEBUG(0, ("--dn: %s----\n", - ldb_dn_get_linearized(((struct ldb_message 
*)current->data)->dn))); - - el = ldb_msg_find_element((struct ldb_message *)current->data, - SYSDB_SUDO_COMMAND_ATTR); - if (!el) { - DEBUG(0, ("Failed to get sudo commands for sudorule [%s]\n", - ldb_dn_get_linearized(((struct ldb_message *)current->data)->dn))); - tmp = current->next; - delNode(&list,current); - current = tmp; - continue; - } - flag = 0; - /* see if this is a user */ - for (j = 0; j < el->num_values; j++) { - DEBUG(0, ("sudoCommand: %s\n" ,(const char *) (el->values[j].data))); - /* Do command elimination here */ - tmpcmd = talloc_asprintf(listctx, - "%s", - (const char *) (el->values[j].data)); - space = strchr(tmpcmd,' '); - if(space != NULL) { - *space = '\0'; - sudo_cmnd->arg= (space +1); - } - else - sudo_cmnd->arg= NULL; - - if(tmpcmd[0]=='!') { - sudo_cmnd->fqcomnd=tmpcmd+1; - } - else { - sudo_cmnd->fqcomnd=tmpcmd; - } - - if(fnmatch(sudo_cmnd->fqcomnd,sudo_msg->fq_command,FNM_PATHNAME) == 0){ - current=current->next; - flag=1; - break; - } - } - - if(flag==1) { - continue; - } - - tmp = current->next; - delNode(&list,current); - current = tmp; - - } - /// - current = list; - while(current!=NULL) { - - - - DEBUG(0, ("\n\n\n\n--sudoOrder: %f\n", - ldb_msg_find_attr_as_double((struct ldb_message *)current->data, - SYSDB_SUDO_ORDER_ATTR, - 0.0))); - DEBUG(0, ("--dn: %s----\n", - ldb_dn_get_linearized(((struct ldb_message *)current->data)->dn))); - - el = ldb_msg_find_element((struct ldb_message *)current->data, - SYSDB_SUDO_COMMAND_ATTR); - if (!el) { - DEBUG(0, ("Failed to get sudo commands for sudorule [%s]\n", - ldb_dn_get_linearized(((struct ldb_message *)current->data)->dn))); - - - } - current = current->next; - } - - /*el = ldb_msg_find_element((struct ldb_message *)current->data, SYSDB_SUDO_USER_ATTR); - if (!el) { - DEBUG(0, ("Failed to get sudo Users for sudorule [%s]\n", - ldb_dn_get_linearized(msgs[i]->dn))); - continue; - }*/ - - talloc_free(listctx); - - done: - talloc_zfree(tmpctx); - return ret; -} - - -static int 
sudo_query_validation(DBusMessage *message, struct sbus_connection *conn) -{ - - dbus_uint32_t header = SSS_SUDO_RESPONDER_HEADER,command_size; - struct sudo_client *sudocli; - DBusMessage *reply; - DBusError dbus_error; - DBusMessageIter msg_iter; - DBusMessageIter subItem; - char **ui; - char **command_array; - int ret = -1; - dbus_bool_t dbret; - void *data; - int count = 0, i = 0; - hash_table_t *settings_table; - hash_table_t *env_table; - char * result; - struct sss_sudo_msg_contents * msg; - struct sysdb_ctx **sysdblist; - TALLOC_CTX * tmpctx; - struct ldb_message *ldb_msg; - size_t no_ldbs = 0; - const char *attrs[] = { SYSDB_NAME, SYSDB_UIDNUM, NULL}; - const char * user_name; - uid_t user_id; - - result = strdup("PASS"); - - data = sbus_conn_get_private_data(conn); - sudocli = talloc_get_type(data, struct sudo_client); - if (!sudocli) { - DEBUG(0, ("Connection holds no valid init data\n")); - return SSS_SUDO_RESPONDER_CONNECTION_ERR; - } - - msg = talloc((TALLOC_CTX *)sudocli,struct sss_sudo_msg_contents); - - /* First thing, cancel the timeout */ - DEBUG(4, ("Cancel SUDO client timeout [%p]\n", sudocli->timeout)); - talloc_zfree(sudocli->timeout); - - dbus_error_init(&dbus_error); - - if (!dbus_message_iter_init(message, &msg_iter)) { - fprintf(stderr, "Message received as empty!\n"); - return SSS_SUDO_RESPONDER_MESSAGE_ERR; - } - - if(DBUS_TYPE_STRUCT != dbus_message_iter_get_arg_type(&msg_iter)) { - fprintf(stderr, "Argument is not struct!\n"); - return SSS_SUDO_RESPONDER_MESSAGE_ERR; - } - else{ - dbus_message_iter_recurse(&msg_iter,&subItem); - } - - if(DBUS_TYPE_UINT32 != dbus_message_iter_get_arg_type(&subItem)) { - fprintf(stderr,"UID failed"); - return SSS_SUDO_RESPONDER_MESSAGE_ERR; - } - else { - dbus_message_iter_get_basic(&subItem, &msg->userid); - dbus_message_iter_next (&subItem); - } - - if(DBUS_TYPE_STRING != dbus_message_iter_get_arg_type(&subItem)) { - fprintf(stderr,"CWD failed"); - return SSS_SUDO_RESPONDER_MESSAGE_ERR; - } - else { - 
dbus_message_iter_get_basic(&subItem, &msg->cwd); - dbus_message_iter_next (&subItem); - } - - if(DBUS_TYPE_STRING != dbus_message_iter_get_arg_type(&subItem)) { - fprintf(stderr,"TTY failed"); - return SSS_SUDO_RESPONDER_MESSAGE_ERR; - } - else { - dbus_message_iter_get_basic(&subItem, &msg->tty); - dbus_message_iter_next (&subItem); - } - if(DBUS_TYPE_STRING != dbus_message_iter_get_arg_type(&subItem)) { - fprintf(stderr,"FQ Command failed"); - return SSS_SUDO_RESPONDER_MESSAGE_ERR; - } - else { - dbus_message_iter_get_basic(&subItem, &msg->fq_command); - } - - fprintf(stdout,"-----------Message---------\n" - "uid : %d\ncwd : %s\ntty : %s\nFQ Command: %s\n",msg->userid,msg->cwd,msg->tty,msg->fq_command); - - dbus_message_iter_next (&msg_iter); - - if(DBUS_TYPE_UINT32 != dbus_message_iter_get_arg_type(&msg_iter)) { - fprintf(stderr,"array size failed"); - return SSS_SUDO_RESPONDER_MESSAGE_ERR; - } - else { - dbus_message_iter_get_basic(&msg_iter, &msg->command_count); - fprintf(stdout,"Command array size: %d\n",msg->command_count); - } - dbus_message_iter_next (&msg_iter); - - command_array = (char**)malloc(msg->command_count*sizeof(char *)); - fprintf(stdout,"command : "); - - if( DBUS_TYPE_ARRAY != dbus_message_iter_get_arg_type(&msg_iter)) { - fprintf(stderr, "Command array failed!\n"); - return SSS_SUDO_RESPONDER_MESSAGE_ERR; - } - else{ - dbus_message_iter_recurse(&msg_iter,&subItem); - } - - for(ui = command_array,count = msg->command_count; count--; ui++) - { - if(DBUS_TYPE_STRING != dbus_message_iter_get_arg_type(&subItem)) { - printf("string array content failed"); - return SSS_SUDO_RESPONDER_MESSAGE_ERR; - - } - else { - dbus_message_iter_get_basic(&subItem, ui); - fprintf(stdout,"%s ",*ui); - if(!dbus_message_iter_next (&subItem)) { - /*"Array ended. 
*/ - break; - } - } - } - fprintf(stdout,"\n"); - - msg->command = command_array; - dbus_message_iter_next(&msg_iter); - - if( dbus_msg_iter_to_dhash(&msg_iter, &settings_table)!= SSS_SBUS_CONV_SUCCESS){ - fprintf(stderr, "settings table corrupted!\n"); - return SSS_SUDO_RESPONDER_MESSAGE_ERR; - } - - dbus_message_iter_next(&msg_iter); - - if( dbus_msg_iter_to_dhash(&msg_iter, &env_table)!= SSS_SBUS_CONV_SUCCESS){ - fprintf(stderr, "environment table corrupted!\n"); - return SSS_SUDO_RESPONDER_MESSAGE_ERR; - } - - DEBUG(0, ("-----------Message END---------\n")); - ////////////////// - - tmpctx = talloc_new(NULL); - if (!tmpctx) { - return ENOMEM; - } - i=0; - sysdblist = sudocli->sudoctx->rctx->db_list->dbs; - no_ldbs = sudocli->sudoctx->rctx->db_list->num_dbs; - i=0; - while(i < no_ldbs) { - - ret = sysdb_search_user_by_uid(tmpctx, - sysdblist[i], - sysdblist[i]->domain, - msg->userid, - attrs, - &ldb_msg); - if (ret != EOK) { - i++; - DEBUG(0, ("No User matched\n")); - if (ret == ENOENT) { - - continue; - } - DEBUG(0, ("sysdb_search_user_by_uid Returned something other that ENOENT\n")); - continue; - } - break; - - } - if(ldb_msg == NULL) { - DEBUG(0, ("NoUserEntryFound Error. 
Exit with error message.\n")); - goto free_ctx; - } - - user_name = ldb_msg_find_attr_as_string(ldb_msg, SYSDB_NAME, NULL); - user_id = ldb_msg_find_attr_as_string(ldb_msg, SYSDB_UIDNUM, NULL); - ret = search_sudo_rules(sudocli, sysdblist[i],sysdblist[i]->domain, "tom",user_id,msg); - if(ret != EOK){ - DEBUG(0, ("Error in rule")); - } - - free_ctx: - talloc_zfree(tmpctx); - ///////////////////// - - - talloc_set_destructor((TALLOC_CTX *)sudocli, sudo_client_destructor); - - DEBUG(4, ("Got string [%s]\n", msg->cwd)); - - /* reply that all is ok */ - reply = dbus_message_new_method_return(message); - if (!reply) { - DEBUG(0, ("Dbus Out of memory!\n")); - return SSS_SUDO_RESPONDER_REPLY_ERR; - } - - command_size = msg->command_count; - dbret = dbus_message_append_args(reply, - DBUS_TYPE_UINT32, &header, - DBUS_TYPE_STRING,&result, - DBUS_TYPE_INVALID); - if (!dbret) { - DEBUG(0, ("Failed to build sudo dbus reply\n")); - dbus_message_unref(reply); - sbus_disconnect(conn); - return SSS_SUDO_RESPONDER_REPLY_ERR; - } - - dbus_message_iter_init_append(reply, &msg_iter); - - if(!dbus_message_iter_open_container(&msg_iter, - DBUS_TYPE_ARRAY, - "s", - &subItem)) { - fprintf(stderr, "Out Of Memory!\n"); - return SSS_SUDO_RESPONDER_REPLY_ERR; - } - - for(command_array = msg->command ; command_size-- ; command_array++) { - - if (!dbus_message_iter_append_basic(&subItem, - DBUS_TYPE_STRING, - command_array)) { - fprintf(stderr, "Out Of Memory!\n"); - return SSS_SUDO_RESPONDER_REPLY_ERR; - } - } - - if (!dbus_message_iter_close_container(&msg_iter,&subItem)) { - fprintf(stderr, "Out Of Memory!\n"); - return SSS_SUDO_RESPONDER_REPLY_ERR; - } - - if(dbus_dhash_to_msg_iter(&env_table,&msg_iter) != SSS_SBUS_CONV_SUCCESS){ - fprintf(stderr,"fatal: env message framing failed."); - return SSS_SUDO_RESPONDER_DHASH_ERR; - } - - /* send reply back */ - sbus_conn_send_reply(conn, reply); - dbus_message_unref(reply); - - sudocli->initialized = true; - free(result); - return EOK; -} - -static 
void init_timeout(struct tevent_context *ev, - struct tevent_timer *te, - struct timeval t, void *ptr) -{ - struct sudo_client *sudocli; - - DEBUG(2, ("Client timed out [%p]!\n", te)); - - sudocli = talloc_get_type(ptr, struct sudo_client); - - sbus_disconnect(sudocli->conn); - talloc_zfree(sudocli); -} - -static int sudo_client_init(struct sbus_connection *conn, void *data) -{ - struct sudo_ctx *sudoctx; - struct sudo_client *sudocli; - struct timeval tv; - - sudoctx = talloc_get_type(data, struct sudo_ctx); - - /* hang off this memory to the connection so that when the connection - * is freed we can potentially call a destructor */ - - sudocli = talloc(conn, struct sudo_client); - if (!sudocli) { - DEBUG(0,("Out of memory?!\n")); - talloc_zfree(conn); - return ENOMEM; - } - sudocli->sudoctx = sudoctx; - sudocli->conn = conn; - sudocli->initialized = false; - - /* 5 seconds should be plenty */ - tv = tevent_timeval_current_ofs(5, 0); - - sudocli->timeout = tevent_add_timer(sudoctx->rctx->ev, sudocli, tv, init_timeout, sudocli); - if (!sudocli->timeout) { - DEBUG(0,("Out of memory?!\n")); - talloc_zfree(conn); - return ENOMEM; - } - DEBUG(4, ("Set-up Sudo client timeout [%p]\n", sudocli->timeout)); - - /* Attach the client context to the connection context, so that it is - * always available when we need to manage the connection. */ - sbus_conn_set_private_data(conn, sudocli); - - return EOK; -} -static void sudo_dp_reconnect_init(struct sbus_connection *conn, int status, void *pvt) -{ - struct be_conn *be_conn = talloc_get_type(pvt, struct be_conn); - int ret; - - /* Did we reconnect successfully? 
*/ - if (status == SBUS_RECONNECT_SUCCESS) { - DEBUG(1, ("Reconnected to the Data Provider.\n")); - - /* Identify ourselves to the data provider */ - ret = dp_common_send_id(be_conn->conn, - DATA_PROVIDER_VERSION, - "PAM"); - /* all fine */ - if (ret == EOK) return; - } - - /* Handle failure */ - DEBUG(0, ("Could not reconnect to %s provider.\n", - be_conn->domain->name)); - - -} - -int sudo_server_init(TALLOC_CTX *mem_ctx, - struct sudo_ctx *_ctx) -{ - - int ret; - struct sbus_connection *serv; - - - DEBUG(1, ("Setting up the sudo server.\n")); - - - - ret = sbus_new_server(mem_ctx, - _ctx->rctx->ev, - SSS_SUDO_SERVICE_PIPE, - &sudo_monitor_interface, - &serv, - sudo_client_init, - _ctx); - if (ret != EOK) { - DEBUG(0, ("Could not set up sudo sbus server.\n")); - return ret; - } - - return EOK; - -} - -struct cli_protocol_version *register_cli_protocol_version(void) -{ - static struct cli_protocol_version sudo_cli_protocol_version[] = { - {0, NULL, NULL} - }; - - return sudo_cli_protocol_version; -} - -struct sss_cmd_table *get_sudo_cmds(void) -{ - static struct sss_cmd_table sss_cmds[] = { - {SSS_SUDO_AUTHENTICATE, NULL}, - {SSS_SUDO_INVALIDATE, NULL}, - {SSS_SUDO_VALIDATE, NULL}, - {SSS_SUDO_LIST, NULL}, - {SSS_CLI_NULL, NULL} - }; - - return sss_cmds; -} - -int sudo_process_init(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct confdb_ctx *cdb) -{ - struct sss_cmd_table *sudo_cmds; - struct be_conn *iter; - struct sudo_ctx *ctx; - int ret, max_retries; - int id_timeout; - - - ctx = talloc_zero(mem_ctx, struct sudo_ctx); - if (!ctx) { - DEBUG(0, ("fatal error initializing sudo_ctx\n")); - return ENOMEM; - } - sudo_cmds = get_sudo_cmds(); - ret = sss_process_init(ctx, - ev, - cdb, - sudo_cmds, - SSS_SUDO_SOCKET_NAME, - SSS_SUDO_PRIV_SOCKET_NAME, - CONFDB_SUDO_CONF_ENTRY, - SSS_SUDO_SBUS_SERVICE_NAME, - SSS_SUDO_SBUS_SERVICE_VERSION, - &sudo_monitor_interface, - "SUDO", &sudo_dp_interface, - &ctx->rctx); - if (ret != EOK) { - goto done; - } - - - 
ctx->rctx->pvt_ctx = ctx; - - - - ret = confdb_get_int(ctx->rctx->cdb, ctx->rctx, CONFDB_SUDO_CONF_ENTRY, - CONFDB_SERVICE_RECON_RETRIES, 3, &max_retries); - if (ret != EOK) { - DEBUG(0, ("Failed to set up automatic reconnection\n")); - goto done; - } - - for (iter = ctx->rctx->be_conns; iter; iter = iter->next) { - sbus_reconnect_init(iter->conn, max_retries, - sudo_dp_reconnect_init, iter); - } - - /* Set up the negative cache */ - ret = confdb_get_int(cdb, ctx, CONFDB_SUDO_CONF_ENTRY, - CONFDB_SUDO_ENTRY_NEG_TIMEOUT, 15, - &ctx->neg_timeout); - if (ret != EOK) goto done; - - /* Set up the PAM identity timeout */ - ret = confdb_get_int(cdb, ctx, CONFDB_SUDO_CONF_ENTRY, - CONFDB_SUDO_ID_TIMEOUT, 5, - &id_timeout); - if (ret != EOK) goto done; - - ctx->id_timeout = (size_t)id_timeout; - - ret = sss_ncache_init(ctx, &ctx->ncache); - if (ret != EOK) { - DEBUG(0, ("fatal error initializing negative cache\n")); - goto done; - } - - ret = sss_ncache_prepopulate(ctx->ncache, cdb, ctx->rctx->names, - ctx->rctx->domains); - if (ret != EOK) { - goto done; - } - - ret = sudo_server_init(mem_ctx, ctx); - DEBUG(0, ("sudo server returned %d.\n",ret)); - - return EOK; - done: - if (ret != EOK) { - talloc_free(ctx); - } - return ret; -} - -int main(int argc, const char *argv[]) -{ - int opt; - poptContext pc; - struct main_context *main_ctx; - int ret; - - struct poptOption long_options[] = { - POPT_AUTOHELP - SSSD_MAIN_OPTS - POPT_TABLEEND - }; - - pc = poptGetContext(argv[0], argc, argv, long_options, 0); - while((opt = poptGetNextOpt(pc)) != -1) { - switch(opt) { - default: - fprintf(stderr, "\nInvalid option %s: %s\n\n", - poptBadOption(pc, 0), poptStrerror(opt)); - poptPrintUsage(pc, stderr, 0); - return 1; - } - } - - poptFreeContext(pc); - - /* set up things like debug, signals, daemonization, etc... 
*/ - debug_log_file = "sssd_sudo"; - - ret = server_setup("sssd[sudo]", 0, CONFDB_SUDO_CONF_ENTRY, &main_ctx); - if (ret != EOK) return 2; - - ret = die_if_parent_died(); - if (ret != EOK) { - /* This is not fatal, don't return */ - DEBUG(2, ("Could not set up to exit when parent process does\n")); - } - - ret = sudo_process_init(main_ctx, - main_ctx->event_ctx, - main_ctx->confdb_ctx); - if (ret != EOK) return 3; - - /* loop on main */ - server_loop(main_ctx); - - return 0; -} - diff --git a/src/responder/sudo/sudosrv.h b/src/responder/sudo/sudosrv.h index a24ead8c..539bd0c1 100644 --- a/src/responder/sudo/sudosrv.h +++ b/src/responder/sudo/sudosrv.h @@ -17,7 +17,7 @@ You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ + */ #ifndef _SUDOSRV_PRIVATE_H_ #define _SUDOSRV_PRIVATE_H_ @@ -56,25 +56,25 @@ static int sudo_query_validation(DBusMessage *message, struct sbus_connection *conn); struct sbus_method sudo_methods[] = { - - { SUDO_METHOD_QUERY, sudo_query_validation }, - { NULL, NULL } + + { SUDO_METHOD_QUERY, sudo_query_validation }, + { NULL, NULL } }; struct sbus_interface sudo_monitor_interface = { - SUDO_SERVER_INTERFACE, - SUDO_SERVER_PATH, - SBUS_DEFAULT_VTABLE, - sudo_methods, - NULL + SUDO_SERVER_INTERFACE, + SUDO_SERVER_PATH, + SBUS_DEFAULT_VTABLE, + sudo_methods, + NULL }; struct sbus_interface sudo_dp_interface = { - SUDO_DP_INTERFACE, - SUDO_DP_PATH, - SBUS_DEFAULT_VTABLE, - NULL/*sudo_dp_methods*/, - NULL + SUDO_DP_INTERFACE, + SUDO_DP_PATH, + SBUS_DEFAULT_VTABLE, + NULL/*sudo_dp_methods*/, + NULL }; struct sudo_ctx { 
@@ -100,17 +100,17 @@ struct sudo_client { enum error_types_sudo_responder{ - SSS_SUDO_RESPONDER_SUCCESS = 0x01, - SSS_SUDO_RESPONDER_FAILED, - SSS_SUDO_RESPONDER_BUF_ERR, - SSS_SUDO_RESPONDER_CONNECTION_ERR, - SSS_SUDO_RESPONDER_SYSTEM_ERR, - SSS_SUDO_RESPONDER_LOG_ERR, - SSS_SUDO_RESPONDER_MESSAGE_ERR, - SSS_SUDO_RESPONDER_REPLY_ERR, - SSS_SUDO_RESPONDER_DHASH_ERR, - SUDO_LDB_CONNECT_ERR, - SUDO_LDB_SEARCH_ERR + SSS_SUDO_RESPONDER_SUCCESS = 0x01, + SSS_SUDO_RESPONDER_FAILED, + SSS_SUDO_RESPONDER_BUF_ERR, + SSS_SUDO_RESPONDER_CONNECTION_ERR, + SSS_SUDO_RESPONDER_SYSTEM_ERR, + SSS_SUDO_RESPONDER_LOG_ERR, + SSS_SUDO_RESPONDER_MESSAGE_ERR, + SSS_SUDO_RESPONDER_REPLY_ERR, + SSS_SUDO_RESPONDER_DHASH_ERR, + SUDO_LDB_CONNECT_ERR, + SUDO_LDB_SEARCH_ERR }; #endif diff --git a/src/responder/sudo/sudosrv.h~ b/src/responder/sudo/sudosrv.h~ deleted file mode 100644 index 0b933ea4..00000000 --- a/src/responder/sudo/sudosrv.h~ +++ /dev/null 
@@ -1,59 +0,0 @@ -/* - SSSD - - SUDO Responder - - Copyright (C) Arun Scaria <arunscaria91@gmail.com> (2011) - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - - -#define CONFDB_SUDO_CONF_ENTRY "config/sudo" - -#define SUDO_INTERFACE "org.freedesktop.sssd.sudo" -#define SUDO_PATH "/org/freedesktop/sssd/sudo" -#define SUDO_METHOD_QUERY "queryService" - -static int sudo_query_validation(DBusMessage *message, struct sbus_connection *conn); -struct sbus_method sudo_methods[] = { - - { SUDO_METHOD_QUERY, sudo_query_validation }, - { NULL, NULL } -}; - -struct sbus_interface sudo_interface = { - SUDO_INTERFACE, - SUDO_PATH, - SBUS_DEFAULT_VTABLE, - sudo_methods, - NULL -}; - -struct sudo_ctx { - struct tevent_context *ev; - struct confdb_ctx *cdb; - - struct sbus_connection *mon_conn; - struct sbus_connection *sbus_srv; - - size_t check_online_ref_count; -}; - -struct sudo_client { - struct sudo_ctx *sudoctx; - struct sbus_connection *conn; - struct tevent_timer *timeout; - bool initialized; -};
\ No newline at end of file |