sssd.git/src/db/sysdb_sudo.c, branch jhrozek_sysdb_fqdn Unnamed repository; edit this file to name it for gitweb. sudo: solve problems with fully qualified names 2016-07-06T15:40:23+00:00 Pavel Březina pbrezina@redhat.com 2016-05-26T09:37:30+00:00 98a85bf0b2334c45a60c5bc10042e5abdeff3f98 sudo expects the same name in sudo rule as login name. Therefore if fully qualified name is used or even enforced by setting use_fully_qualified_names to true or by forcing default domain with default_domain_suffix sssd is able to correctly return the rules but sudo can't match the user with contect of sudoUser attribute since it is not qualified. This patch changes the rules on the fly to avoid using names at all. We do this in two steps: 1. We fetch all rules that match current user name, id or groups and replace sudoUser attribute with sudoUser: #uid. 2. We fetch complementry rules that contain netgroups since it is expected we don't have infromation about existing netgroups in cache, sudo still needs to evaluate it for us if needed. This patch also remove test for sysdb_get_sudo_filter since it wasn't sufficient anyway and I did not rewrite it since I don't thing it is a good thing to have filter tests that depends on exact filter order. Resolves: https://fedorahosted.org/sssd/ticket/2919 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
sudo expects the same name in sudo rule as login name. Therefore
if fully qualified name is used or even enforced by setting
use_fully_qualified_names to true or by forcing default domain
with default_domain_suffix sssd is able to correctly return the
rules but sudo can't match the user with contect of sudoUser
attribute since it is not qualified.

This patch changes the rules on the fly to avoid using names at all.
We do this in two steps:
1. We fetch all rules that match current user name, id or groups and
   replace sudoUser attribute with sudoUser: #uid.
2. We fetch complementry rules that contain netgroups since it is
   expected we don't have infromation about existing netgroups in
   cache, sudo still needs to evaluate it for us if needed.

This patch also remove test for sysdb_get_sudo_filter since it wasn't
sufficient anyway and I did not rewrite it since I don't thing it
is a good thing to have filter tests that depends on exact filter
order.

Resolves:
https://fedorahosted.org/sssd/ticket/2919

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
SYSDB: Add new funtions into sysdb_sudo 2016-04-20T18:26:40+00:00 Petr Cech pcech@redhat.com 2016-02-24T14:12:41+00:00 e2d26e97d62f06f65e8228b28746471cc5f73fe5 This patch adds two new functions into public API of sysdb_sudo: * sysdb_search_sudo_rules * sysdb_set_sudo_rule_attr Resolves: https://fedorahosted.org/sssd/ticket/2081 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
This patch adds two new functions into public
API of sysdb_sudo:
* sysdb_search_sudo_rules
* sysdb_set_sudo_rule_attr

Resolves:
https://fedorahosted.org/sssd/ticket/2081

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
SYSDB_SUDO: Remove useless test 2016-04-18T16:15:38+00:00 Lukas Slebodnik lslebodn@redhat.com 2016-04-13T19:44:37+00:00 aeb3cef10158a1c621d58c6d982e53569e40c6c0 The function sysdb_search_custom cannot return EOK and together set output argument count to zero. This case is already handled in function sysdb_search_entry which is used inside sysdb_search_custom. Such useless test can just cause read of unitialized variable in case of other errors returned from sysdb_search_custom. Error: UNINIT (CWE-457): [#def1] sssd-1.13.4/src/db/sysdb_sudo.c:678: var_decl: Declaring variable "count" without initializer. sssd-1.13.4/src/db/sysdb_sudo.c:698: uninit_use: Using uninitialized value "count". # 696| SUDORULE_SUBDIR, attrs, # 697| &count, &msgs); # 698|-> if (ret == ENOENT || count == 0) { # 699| DEBUG(SSSDBG_TRACE_FUNC, "No rules matched\n"); # 700| ret = EOK; Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
The function sysdb_search_custom cannot return EOK
and together set output argument count to zero.
This case is already handled in function sysdb_search_entry
which is used inside sysdb_search_custom.

Such useless test can just cause read of unitialized variable
in case of other errors returned from sysdb_search_custom.

Error: UNINIT (CWE-457): [#def1]
sssd-1.13.4/src/db/sysdb_sudo.c:678:
    var_decl: Declaring variable "count" without initializer.
sssd-1.13.4/src/db/sysdb_sudo.c:698:
    uninit_use: Using uninitialized value "count".
 #  696|                                 SUDORULE_SUBDIR, attrs,
 #  697|                                 &count, &msgs);
 #  698|->     if (ret == ENOENT || count == 0) {
 #  699|           DEBUG(SSSDBG_TRACE_FUNC, "No rules matched\n");
 #  700|           ret = EOK;

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
SUDO: make sudo sysdb interface more reusable 2016-01-19T13:33:04+00:00 Pavel Březina pbrezina@redhat.com 2015-12-16T13:42:04+00:00 68abbe716bed7c8d6790d9bec168ef44469306a1 Reviewed-by: Sumit Bose <sbose@redhat.com> 
Reviewed-by: Sumit Bose <sbose@redhat.com>
sudo: sanitize filter values 2015-04-13T15:57:05+00:00 Pavel Březina pbrezina@redhat.com 2015-04-09T11:03:08+00:00 c526cd124515cc2d44a413dcbfd4a74ddb490150 Resolves: https://fedorahosted.org/sssd/ticket/2613 Reviewed-by: Pavel Reichl <preichl@redhat.com> 
Resolves:
https://fedorahosted.org/sssd/ticket/2613

Reviewed-by: Pavel Reichl <preichl@redhat.com>
Add missing new lines to debug messages 2015-03-17T13:40:19+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-02-17T15:40:01+00:00 87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Log reason in debug message why ldb_modify failed 2015-03-11T09:04:30+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-03-10T15:35:03+00:00 04d138472cc086fb7961f0d378852b09961b1a33 Reviewed-by: Sumit Bose <sbose@redhat.com> 
Reviewed-by: Sumit Bose <sbose@redhat.com>
Don't use macro _XOPEN_SOURCE for function strptime 2014-05-27T19:40:03+00:00 Lukas Slebodnik lslebodn@redhat.com 2014-05-26T21:36:58+00:00 5389b3714be747f1a11ac51beb0c5988cfb6c240 We detect all necessary feature macros in configure script using AC_USE_SYSTEM_EXTENSIONS or AC_GNU_SOURCE. This patch replaces all definitions of macro _XOPEN_SOURCE with header file config.h Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
We detect all necessary feature macros in configure script
using AC_USE_SYSTEM_EXTENSIONS or AC_GNU_SOURCE.
This patch replaces all definitions of macro _XOPEN_SOURCE with
header file config.h

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Make DEBUG macro invocations variadic 2014-02-12T21:30:55+00:00 Nikolai Kondrashov Nikolai.Kondrashov@redhat.com 2014-02-12T15:12:04+00:00 a3c8390d19593b1e5277d95bfb4ab206d4785150 Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code: grep -rwl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e \ 'use strict; use File::Slurp; my $text=read_file(\*STDIN); $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs; print $text;' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.

This script was used to update the code:

grep -rwl --include '*.[hc]' DEBUG . |
    while read f; do
        mv "$f"{,.orig}
        perl -e \
            'use strict;
             use File::Slurp;
             my $text=read_file(\*STDIN);
             $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
             print $text;' < "$f.orig" > "$f"
        rm "$f.orig"
    done

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
sudo: memset tm when converting time attributes 2014-01-29T16:25:15+00:00 Pavel Březina pbrezina@redhat.com 2014-01-29T11:56:08+00:00 e6f4dbf8474e928ca7da33d6be18e94cbc66a5de strptime() which is used to parse LDAP time value does not initialize all fields of tm structure (especially tm_isdst). This results in random behavior - when the tm is converted into timestamp via mktime(), the result depends on current value of tm_isdst. Resolves: https://fedorahosted.org/sssd/ticket/2213 
strptime() which is used to parse LDAP time value does not initialize
all fields of tm structure (especially tm_isdst). This results in
random behavior - when the tm is converted into timestamp via mktime(),
the result depends on current value of tm_isdst.

Resolves:
https://fedorahosted.org/sssd/ticket/2213