sssd.git/src/db/sysdb_sudo.h, branch jhrozek_sysdb_fqdn Unnamed repository; edit this file to name it for gitweb. sudo: solve problems with fully qualified names 2016-07-06T15:40:23+00:00 Pavel Březina pbrezina@redhat.com 2016-05-26T09:37:30+00:00 98a85bf0b2334c45a60c5bc10042e5abdeff3f98 sudo expects the same name in sudo rule as login name. Therefore if fully qualified name is used or even enforced by setting use_fully_qualified_names to true or by forcing default domain with default_domain_suffix sssd is able to correctly return the rules but sudo can't match the user with contect of sudoUser attribute since it is not qualified. This patch changes the rules on the fly to avoid using names at all. We do this in two steps: 1. We fetch all rules that match current user name, id or groups and replace sudoUser attribute with sudoUser: #uid. 2. We fetch complementry rules that contain netgroups since it is expected we don't have infromation about existing netgroups in cache, sudo still needs to evaluate it for us if needed. This patch also remove test for sysdb_get_sudo_filter since it wasn't sufficient anyway and I did not rewrite it since I don't thing it is a good thing to have filter tests that depends on exact filter order. Resolves: https://fedorahosted.org/sssd/ticket/2919 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
sudo expects the same name in sudo rule as login name. Therefore
if fully qualified name is used or even enforced by setting
use_fully_qualified_names to true or by forcing default domain
with default_domain_suffix sssd is able to correctly return the
rules but sudo can't match the user with contect of sudoUser
attribute since it is not qualified.

This patch changes the rules on the fly to avoid using names at all.
We do this in two steps:
1. We fetch all rules that match current user name, id or groups and
   replace sudoUser attribute with sudoUser: #uid.
2. We fetch complementry rules that contain netgroups since it is
   expected we don't have infromation about existing netgroups in
   cache, sudo still needs to evaluate it for us if needed.

This patch also remove test for sysdb_get_sudo_filter since it wasn't
sufficient anyway and I did not rewrite it since I don't thing it
is a good thing to have filter tests that depends on exact filter
order.

Resolves:
https://fedorahosted.org/sssd/ticket/2919

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
SYSDB: Add new funtions into sysdb_sudo 2016-04-20T18:26:40+00:00 Petr Cech pcech@redhat.com 2016-02-24T14:12:41+00:00 e2d26e97d62f06f65e8228b28746471cc5f73fe5 This patch adds two new functions into public API of sysdb_sudo: * sysdb_search_sudo_rules * sysdb_set_sudo_rule_attr Resolves: https://fedorahosted.org/sssd/ticket/2081 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
This patch adds two new functions into public
API of sysdb_sudo:
* sysdb_search_sudo_rules
* sysdb_set_sudo_rule_attr

Resolves:
https://fedorahosted.org/sssd/ticket/2081

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
IPA SUDO: download externalUser attribute 2016-03-09T14:24:43+00:00 Pavel Březina pbrezina@redhat.com 2016-03-01T13:00:26+00:00 991c9f47fcb24704b880f60ab8ee77cfda056e2c This allows configuration with id_provider = proxy and sudo_provider = ipa when someone needs to fetch rules for local users. https://fedorahosted.org/sssd/ticket/2972 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
This allows configuration with id_provider = proxy
and sudo_provider = ipa when someone needs to fetch
rules for local users.

https://fedorahosted.org/sssd/ticket/2972

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
IPA SUDO: Add support for ipaSudoRunAsExt* attributes 2016-01-19T13:34:02+00:00 Pavel Březina pbrezina@redhat.com 2016-01-18T11:15:47+00:00 a7d2b4f157194c14bc4a40c74f6416b82befa460 Reviewed-by: Sumit Bose <sbose@redhat.com> 
Reviewed-by: Sumit Bose <sbose@redhat.com>
IPA SUDO: Add ipasudocmd mapping 2016-01-19T13:33:30+00:00 Pavel Březina pbrezina@redhat.com 2015-12-02T14:02:39+00:00 cc7766c8456653ab5d7dedbf432cb1711a905804 Reviewed-by: Sumit Bose <sbose@redhat.com> 
Reviewed-by: Sumit Bose <sbose@redhat.com>
IPA SUDO: Add ipasudocmdgrp mapping 2016-01-19T13:33:28+00:00 Pavel Březina pbrezina@redhat.com 2015-12-02T13:48:18+00:00 ed8650be18af26b7bf389e1246f7e8cdb363f829 Reviewed-by: Sumit Bose <sbose@redhat.com> 
Reviewed-by: Sumit Bose <sbose@redhat.com>
IPA SUDO: Add ipasudorule mapping 2016-01-19T13:33:24+00:00 Pavel Březina pbrezina@redhat.com 2015-12-01T12:10:16+00:00 a2057618f30a3c64bdffb35a2ef3c2ba148c8a03 Reviewed-by: Sumit Bose <sbose@redhat.com> 
Reviewed-by: Sumit Bose <sbose@redhat.com>
SUDO: make sudo sysdb interface more reusable 2016-01-19T13:33:04+00:00 Pavel Březina pbrezina@redhat.com 2015-12-16T13:42:04+00:00 68abbe716bed7c8d6790d9bec168ef44469306a1 Reviewed-by: Sumit Bose <sbose@redhat.com> 
Reviewed-by: Sumit Bose <sbose@redhat.com>
sudo: fetch sudoRunAs attribute 2014-07-15T14:45:05+00:00 Pavel Březina pbrezina@redhat.com 2014-07-14T12:23:50+00:00 7c30e60c525ea798aaab142766ff00eef4b5df3b This attribute was used in pre 1.7 versions of sudo and it is now deprecated by sudoRunAsUser and sudoRunAsGroup. However, some users still use this attribute so we need to support it to ensure backward compatibility. This patch makes sure that this attribute is downloaded if present and provided to sudo. Sudo than decides how to handle it. The new mapping option is not present in a man page since this attribute is deprecated in sudo for a very long time. Resolves: https://fedorahosted.org/sssd/ticket/2212 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
This attribute was used in pre 1.7 versions of sudo and it is now
deprecated by sudoRunAsUser and sudoRunAsGroup. However, some users
still use this attribute so we need to support it to ensure backward
compatibility.

This patch makes sure that this attribute is downloaded if present and
provided to sudo. Sudo than decides how to handle it.

The new mapping option is not present in a man page since this
attribute is deprecated in sudo for a very long time.

Resolves:
https://fedorahosted.org/sssd/ticket/2212

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
SYSDB: Drop the sysdb_ctx parameter from the sysdb_sudo.c module 2013-11-15T19:20:18+00:00 Jakub Hrozek jhrozek@redhat.com 2013-10-16T09:53:24+00:00 6a31a971a376a992afb838fe60b311360c970267