-rw-r--r-- | sudoers/Makefile | 5 | ||||
-rw-r--r-- | sudoers/policy_metadata.rng | 29 | ||||
-rw-r--r-- | sudoers/sudoers.rng | 2 | ||||
-rw-r--r-- | sudoers/sudoers_example_policy.xml | 29 | ||||
-rw-r--r-- | sudoers/worker.c | 106 |
5 files changed, 156 insertions, 15 deletions
diff --git a/sudoers/Makefile b/sudoers/Makefile
new file mode 100644
index 0000000..e3866ab
--- /dev/null
+++ b/sudoers/Makefile
@@ -0,0 +1,5 @@
+
+CFLAGS=`xml2-config --cflags`
+LDFLAGS=`xml2-config --libs`
+worker: worker.c
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $+
diff --git a/sudoers/policy_metadata.rng b/sudoers/policy_metadata.rng
index 810d32c..ca5ac19 100644
--- a/sudoers/policy_metadata.rng
+++ b/sudoers/policy_metadata.rng
@@ -2,7 +2,8 @@
 <grammar xmlns="http://relaxng.org/ns/structure/1.0" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes" xmlns:a="http://freeipa.org/xml/rng/ns/annotations/1.0" -xmlns:ui="http://freeipa.org/xml/rng/ns/ui/1.0"> +xmlns:pa="http://freeipa.org/xml/rng/ns/plugable_architecture/1.0"> + <define name="policy_metadata"> <element name="metadata">
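Review bot: The link line in the new Makefile, `$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $+`, places the libxml2 libraries before the object that references them, which fails to resolve symbols on toolchains that link with `--as-needed` by default. Libraries belong after the sources and conventionally in `LDLIBS`, i.e. `LDLIBS=` with the `xml2-config --libs` expansion and `$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $+ $(LDLIBS)`. The recipe's leading tab appears to have been rendered as a space here; if the committed file really starts the recipe with a space, make rejects the rule with a "missing separator" error.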
@@ -13,44 +14,44 @@ xmlns:ui="http://freeipa.org/xml/rng/ns/ui/1.0"> <text/> </element> - <element name="author" ui:edit="no"> + <element name="author" pa:edit="no"> <a:doc>should be added automatically, use login information</a:doc> <text/> </element> - <element name="version" ui:edit="no"> + <element name="version" pa:edit="no"> <a:doc>should be added automatically</a:doc> <text/> </element> - <element name="RNGfile" ui:label="Name of the RELAX NG file"> + <element name="RNGfile" pa:label="Name of the RELAX NG file"> <a:doc>should be added automatically from RelaxNG metadata</a:doc> <ref name="rng_filename"/> </element> - <element name="XSLTfile" ui:label="Name of the XSLT file"> + <element name="XSLTfile" pa:label="Name of the XSLT file"> <a:doc>should be added automatically from RelaxNG metadata</a:doc> <ref name="xslt_filename"/> </element> <optional> - <element name="mergeStrategyXML" ui:label="Howto merge with other policies"> + <element name="mergeStrategyXML" pa:label="Howto merge with other policies"> <choice> - <value ui:label="Use only this policy">exclusive</value> - <value ui:label="Merge with other policies">merge</value> - <value ui:label="Ignore this, if other policies apply">ignore</value> + <value pa:label="Use only this policy">exclusive</value> + <value pa:label="Merge with other policies">merge</value> + <value pa:label="Ignore this, if other policies apply">ignore</value> </choice> </element> - <element name="mergeStrategyLocal" ui:label="Howto merge with local files"> + <element name="mergeStrategyLocal" pa:label="Howto merge with local files"> <choice> - <value ui:label="Use only this policy">exclusive</value> - <value ui:label="Merge with local file">merge</value> - <value ui:label="Ignore this, if local file exsits">ignore</value> + <value pa:label="Use only this policy">exclusive</value> + <value pa:label="Merge with local file">merge</value> + <value pa:label="Ignore this, if local file exsits">ignore</value> </choice> </element> - 
<element name="description" ui:label="Description, what should the policy do and why, maybe a changelog"> + <element name="description" pa:label="Description, what should the policy do and why, maybe a changelog"> <text/> </element>
diff --git a/sudoers/sudoers.rng b/sudoers/sudoers.rng
index e15bca6..d916e2d 100644
--- a/sudoers/sudoers.rng
+++ b/sudoers/sudoers.rng
@@ -3,7 +3,7 @@ xmlns="http://relaxng.org/ns/structure/1.0" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes" xmlns:a="http://relaxng.org/ns/compatibility/annotations/1.0" -xmlns:ui="http://freeipa.org/xml/rng/ns/ui/1.0"> +xmlns:pa="http://freeipa.org/xml/rng/ns/plugable_architecture/1.0"> <a:documentation>Sudo configuration (/etc/sudoers)</a:documentation>
diff --git a/sudoers/sudoers_example_policy.xml b/sudoers/sudoers_example_policy.xml
new file mode 100644
index 0000000..10d097a
--- /dev/null
+++ b/sudoers/sudoers_example_policy.xml
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<ipa xmlns="http://freeipa.org/xml/rng/sudo/sudoers/1.0">
+<metadata>
+ <name>simple sudoers example, allowing mount/umount of a CD-ROM</name>
+ <author>sbose@redhat.com</author>
+ <version>0.7071</version>
+ <RNGfile>sudoers.rng</RNGfile>
+ <XSLTfile>sudoers.xslt</XSLTfile>
+</metadata>
+
+<ipaconfig>
+<sudoers>
+ <subject><name>abc</name><type>netgroup</type></subject>
+ <command><path>/sbin/umount /CDROM</path><tag>NOPASSWD</tag><runas>root</runas></command>
+ <option><authenticate>on</authenticate></option>
+ <command><path>/sbin/mount -o nosuid,nodev /dev/cd0a /CDROM</path></command>
+</sudoers>
+<sudoers>
+ <subject><name>def</name><type>posixGroup</type></subject>
+ <option><authenticate>off</authenticate></option>
+</sudoers>
+<sudoers>
+ <subject><name>EWLFKFKJKFwe</name><type>ALL</type></subject>
+ <command><path>/sbin/shutdown -r now</path></command>
+ <option><lecture>always</lecture></option>
+</sudoers>
+</ipaconfig>
+
+</ipa>
diff --git a/sudoers/worker.c b/sudoers/worker.c
new file mode 100644
index 0000000..3d5d637
--- /dev/null
+++ b/sudoers/worker.c
@@ -0,0 +1,106 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <assert.h>
+
+#include <libxml/tree.h>
+#include <libxml/parser.h>
+#include <libxml/xpath.h>
+#include <libxml/xpathInternals.h>
+
+
+int main(int argc, char **argv) {
+
+ int i;
+ xmlChar *str;
+ xmlDocPtr doc;
+ xmlXPathContextPtr xpathCtx;
+ xmlXPathObjectPtr xpathObj;
+/* If a default namespace is defined
+ *
+ * IMPORTANT: XPath 1.0 has no concept of a default namespace. Unprefixed names in XPath only match names which have no namespace.
+ * So, if the document uses a default namespace, it is required to associate a non-empty prefix with the default namespace
+ * via register-namespace and add that prefix to names in XPath expressions intended to match nodes in the default namespace.
+ */
+ xmlChar *xpathExpr_rng = (xmlChar *) "//su:RNGfile";
+ xmlChar *xpathExpr_xslt = (xmlChar *) "//su:XSLTfile";
+ xmlNodeSetPtr nodeset;
+
+ if (argc!=2) {
+ fprintf(stderr, "missing or to many arguments, I expect a single filename!\n");
+ exit(1);
+ }
+
+ doc = xmlParseFile(argv[1]);
+ if (doc==NULL) {
+ fprintf(stderr, "Cannot parse document %s!\n", argv[1]);
+ exit(1);
+ }
+
+ /* Create xpath evaluation context */
+ xpathCtx = xmlXPathNewContext(doc);
+ if(xpathCtx == NULL) {
+ fprintf(stderr,"Error: unable to create new XPath context\n");
+ xmlFreeDoc(doc);
+ exit(1);
+ }
+
+
+ /* Register a namespace */
+ if(xmlXPathRegisterNs(xpathCtx, "su", "http://freeipa.org/xml/rng/sudo/sudoers/1.0") != 0) {
+ fprintf(stderr,"Error: unable to register NS with prefix=\"%s\" and href=\"%s\"\n", "", "http://freeipa.org/xml/rng/sudo/sudoers/1.0");
+ xmlXPathFreeContext(xpathCtx);
+ xmlFreeDoc(doc);
+ exit(1);
+ }
+
+
+ /* Evaluate xpath expression */
+ xpathObj = xmlXPathEvalExpression(xpathExpr_xslt, xpathCtx);
+ if(xpathObj == NULL) {
+ fprintf(stderr,"Error: unable to evaluate xpath expression \"%s\"\n", xpathExpr_xslt);
+ xmlXPathFreeContext(xpathCtx);
+ xmlFreeDoc(doc);
+ return(-1);
+ }
+
+ if (xmlXPathNodeSetIsEmpty(xpathObj->nodesetval)) {
+ printf("Nothing found ...\n");
+ } else {
+ nodeset=xpathObj->nodesetval;
+ for(i=0; i<nodeset->nodeNr; i++) {
+ str = xmlNodeListGetString(doc, nodeset->nodeTab[i]->xmlChildrenNode, 1);
+ printf("--%s--\n", str);
+ xmlFree(str);
+ }
+ }
+ /* Evaluate xpath expression */
+ xpathObj = xmlXPathEvalExpression(xpathExpr_rng, xpathCtx);
+ if(xpathObj == NULL) {
+ fprintf(stderr,"Error: unable to evaluate xpath expression \"%s\"\n", xpathExpr_rng);
+ xmlXPathFreeContext(xpathCtx);
+ xmlFreeDoc(doc);
+ return(-1);
+ }
+
+ if (xmlXPathNodeSetIsEmpty(xpathObj->nodesetval)) {
+ printf("Nothing found ...\n");
+ } else {
+ nodeset=xpathObj->nodesetval;
+ for(i=0; i<nodeset->nodeNr; i++) {
+ str = xmlNodeListGetString(doc, nodeset->nodeTab[i]->xmlChildrenNode, 1);
+ printf("--%s--\n", str);
+ xmlFree(str);
+ }
+ }
+
+ /* Cleanup */
+ xmlXPathFreeObject(xpathObj);
+ xmlXPathFreeContext(xpathCtx);
+ xmlFreeDoc(doc);
+
+
+
+
+ return(0);
+}
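Review bot: The result of the first XPath query is leaked and the print loops can hit undefined behaviour: `xpathObj` from the `//su:XSLTfile` evaluation is overwritten by the second `xmlXPathEvalExpression` call without an `xmlXPathFreeObject`, and `xmlNodeListGetString` returns NULL for an empty element, which both loops then pass straight to `printf("--%s--\n", str)`. Since this worker reads a policy document whose RNGfile/XSLTfile values look intended to select files that get loaded later (inferred from the element names, not visible here), the parser should also not run on libxml2's global defaults: prefer `xmlReadFile(argv[1], NULL, XML_PARSE_NONET)` and keep XML_PARSE_NOENT/XML_PARSE_DTDLOAD off so the input cannot trigger external entity or DTD fetches, and treat the extracted names as untrusted (reject path separators) before any open. Smaller points in the same hunk: the namespace-registration error message prints prefix `""` instead of `su`, the failure paths mix `exit(1)` with `return(-1)`, and `<string.h>`/`<assert.h>` are included but unused.

```c
 doc = xmlReadFile(argv[1], NULL, XML_PARSE_NONET);
 /* … unchanged: parse-failure check, XPath context creation, namespace registration, XSLTfile evaluation … */
 if (xmlXPathNodeSetIsEmpty(xpathObj->nodesetval)) {
 printf("Nothing found ...\n");
 } else {
 nodeset = xpathObj->nodesetval;
 for (i = 0; i < nodeset->nodeNr; i++) {
 str = xmlNodeListGetString(doc, nodeset->nodeTab[i]->xmlChildrenNode, 1);
 /* an empty element yields NULL; never hand that to %s */
 printf("--%s--\n", str ? (const char *) str : "");
 xmlFree(str);
 }
 }
 xmlXPathFreeObject(xpathObj); /* release before xpathObj is reused for the RNGfile query */
 /* … unchanged: RNGfile evaluation (apply the same NULL guard), cleanup … */
```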