diff options
author | Jakub Hrozek <jhrozek@redhat.com> | 2016-04-19 15:10:05 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2016-07-07 10:28:21 +0200 |
commit | 26c722d568b0061e0f1edb8d07093bf051d76083 (patch) | |
tree | bf558aa5b89295552bbe004502e7d0eacd888bf7 /src/tools | |
parent | 6181113ea79806a414aadc580e6e241a6b317763 (diff) | |
download | sssd-26c722d568b0061e0f1edb8d07093bf051d76083.tar.gz sssd-26c722d568b0061e0f1edb8d07093bf051d76083.tar.xz sssd-26c722d568b0061e0f1edb8d07093bf051d76083.zip |
SSS_OVERRIDE: Fixes for fully qualified names
Use sss_create_internal_fqname for internal cache lookups. Because the
object's existence is verified using getpw* and getgr*, we keep using
sss_tc_fqname there, just to feed the NSS interface the expected
qualified or unqualified name format.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Diffstat (limited to 'src/tools')
-rw-r--r-- | src/tools/sss_cache.c | 3 | ||||
-rw-r--r-- | src/tools/sss_override.c | 146 |
2 files changed, 87 insertions, 62 deletions
diff --git a/src/tools/sss_cache.c b/src/tools/sss_cache.c index e44da5d48..8b1e82db1 100644 --- a/src/tools/sss_cache.c +++ b/src/tools/sss_cache.c @@ -406,7 +406,8 @@ static errno_t update_all_filters(struct cache_tool_ctx *tctx, /* Update sudo rule filter */ ret = update_filter(tctx, dinfo, tctx->sudo_rule_name, - tctx->update_sudo_rule_filter, "(%s=%s)", false, + tctx->update_sudo_rule_filter, + "(%s=%s)", TYPE_SUDO_RULE, false, &tctx->sudo_rule_filter); if (ret != EOK) { return ret; diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c index fafed6dad..e497d12b9 100644 --- a/src/tools/sss_override.c +++ b/src/tools/sss_override.c @@ -32,6 +32,7 @@ struct override_user { const char *input_name; const char *orig_name; + const char *sysdb_name; struct sss_domain_info *domain; const char *name; @@ -46,6 +47,7 @@ struct override_user { struct override_group { const char *input_name; const char *orig_name; + const char *sysdb_name; struct sss_domain_info *domain; const char *name; @@ -295,6 +297,7 @@ static char *build_anchor(TALLOC_CTX *mem_ctx, const char *obj_dn) } static struct sysdb_attrs *build_attrs(TALLOC_CTX *mem_ctx, + struct sss_domain_info *dom, const char *name, uid_t uid, gid_t gid, @@ -305,6 +308,7 @@ static struct sysdb_attrs *build_attrs(TALLOC_CTX *mem_ctx, { struct sysdb_attrs *attrs; errno_t ret; + char *fqname; attrs = sysdb_new_attrs(mem_ctx); if (attrs == NULL) { @@ -312,7 +316,13 @@ static struct sysdb_attrs *build_attrs(TALLOC_CTX *mem_ctx, } if (name != NULL) { - ret = sysdb_attrs_add_string(attrs, SYSDB_NAME, name); + fqname = sss_create_internal_fqname(attrs, name, dom->name); + if (fqname == NULL) { + return NULL; + } + + ret = sysdb_attrs_add_string(attrs, SYSDB_NAME, fqname); + talloc_free(fqname); if (ret != EOK) { goto done; } @@ -374,76 +384,55 @@ done: static struct sysdb_attrs *build_user_attrs(TALLOC_CTX *mem_ctx, struct override_user *user) { - return build_attrs(mem_ctx, user->name, user->uid, user->gid, user->home, - user->shell, user->gecos, user->cert); + return build_attrs(mem_ctx, user->domain, user->name, user->uid, user->gid, + user->home, user->shell, user->gecos, user->cert); } static struct sysdb_attrs *build_group_attrs(TALLOC_CTX *mem_ctx, struct override_group *group) { - return build_attrs(mem_ctx, group->name, 0, group->gid, 0, NULL, NULL, NULL); + return build_attrs(mem_ctx, group->domain, group->name, 0, group->gid, + 0, NULL, NULL, NULL); } static char *get_fqname(TALLOC_CTX *mem_ctx, struct sss_domain_info *domain, const char *name) { - char *fqname; - int fqlen; - int check; + char *fqname = NULL; char *dummy_domain = NULL; errno_t ret; + TALLOC_CTX *tmp_ctx; + char *shortname; + struct sss_domain_info *dom; if (domain == NULL || domain->names == NULL) { return NULL; } - /* check if the name already contains domain part */ - ret = sss_parse_name(mem_ctx, domain->names, name, &dummy_domain, NULL); - if (ret == ERR_REGEX_NOMATCH) { - DEBUG(SSSDBG_TRACE_FUNC, - "sss_parse_name could not parse domain from [%s]. " - "Assuming it is not FQDN.\n", name); - } else if (ret != EOK) { - DEBUG(SSSDBG_TRACE_FUNC, - "sss_parse_name failed [%d]: %s\n", ret, sss_strerror(ret)); - return NULL; - } - - if (dummy_domain != NULL) { - talloc_free(dummy_domain); - DEBUG(SSSDBG_TRACE_FUNC, "Name is already fully qualified.\n"); - fqname = talloc_strdup(mem_ctx, name); - if (fqname == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n"); - return NULL; - } - - return fqname; - } - - /* Get length. */ - fqlen = sss_fqname(NULL, 0, domain->names, domain, name); - if (fqlen > 0) { - fqlen++; /* \0 */ - } else { + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { return NULL; } - fqname = talloc_zero_array(mem_ctx, char, fqlen); - if (fqname == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero_array() failed\n"); - return NULL; + /* the name stored in sysdb already contains the lowercased domain */ + ret = sss_parse_internal_fqname(tmp_ctx, name, &shortname, &dummy_domain); + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_FUNC, + "sss_parse_internal_fqname failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; } - check = sss_fqname(fqname, fqlen, domain->names, domain, name); - if (check < 0 || check != fqlen - 1) { - DEBUG(SSSDBG_CRIT_FAILURE, "Failed to generate a fully qualified name " - "for user [%s] in [%s]! Skipping user.\n", name, domain->name); - talloc_free(fqname); - return NULL; + dom = find_domain_by_name(get_domains_head(domain), dummy_domain, true); + if (dom == NULL) { + goto done; } + /* Get length. */ + fqname = sss_tc_fqname(mem_ctx, dom->names, dom, shortname); +done: + talloc_free(tmp_ctx); return fqname; } @@ -455,7 +444,7 @@ static char *get_sysname(TALLOC_CTX *mem_ctx, return talloc_strdup(mem_ctx, name); } - return get_fqname(mem_ctx, domain, name); + return sss_tc_fqname(mem_ctx, domain->names, domain, name); } static struct sss_domain_info * @@ -469,6 +458,7 @@ get_object_domain(enum sysdb_member_type type, struct ldb_result *res; const char *strtype; char *sysname; + char *fqname = NULL; bool check_next; errno_t ret; @@ -513,17 +503,24 @@ get_object_domain(enum sysdb_member_type type, } do { + talloc_zfree(fqname); + fqname = sss_create_internal_fqname(tmp_ctx, name, dom->name); + if (fqname == NULL) { + ret = ENOMEM; + goto done; + } + switch (type) { case SYSDB_MEMBER_USER: DEBUG(SSSDBG_TRACE_FUNC, "Trying to find user %s@%s\n", name, dom->name); - ret = sysdb_getpwnam(tmp_ctx, dom, name, &res); + ret = sysdb_getpwnam(tmp_ctx, dom, fqname, &res); strtype = "user"; break; case SYSDB_MEMBER_GROUP: DEBUG(SSSDBG_TRACE_FUNC, "Trying to find group %s@%s\n", name, dom->name); - ret = sysdb_getgrnam(tmp_ctx, dom, name, &res); + ret = sysdb_getgrnam(tmp_ctx, dom, fqname, &res); strtype = "group"; break; default: @@ -588,6 +585,12 @@ static errno_t get_user_domain_msg(struct sss_tool_ctx *tool_ctx, return ENOENT; } + user->sysdb_name = sss_create_internal_fqname(tool_ctx, user->orig_name, + newdom->name); + if (user->sysdb_name == NULL) { + return ENOMEM; + } + user->domain = newdom; return EOK; } @@ -607,6 +610,12 @@ static errno_t get_group_domain_msg(struct sss_tool_ctx *tool_ctx, return ENOENT; } + group->sysdb_name = sss_create_internal_fqname(tool_ctx, group->orig_name, + newdom->name); + if (group->sysdb_name == NULL) { + return ENOMEM; + } + group->domain = newdom; return EOK; } @@ -797,7 +806,7 @@ static errno_t override_user(struct sss_tool_ctx *tool_ctx, } ret = override_object_add(user.domain, SYSDB_MEMBER_USER, attrs, - user.orig_name); + user.sysdb_name); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add override object.\n"); goto done; @@ -846,7 +855,7 @@ static errno_t override_group(struct sss_tool_ctx *tool_ctx, } ret = override_object_add(group.domain, SYSDB_MEMBER_GROUP, attrs, - group.orig_name); + group.sysdb_name); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add override object.\n"); goto done; @@ -1119,6 +1128,8 @@ list_user_overrides(TALLOC_CTX *mem_ctx, errno_t ret; const char *attrs[] = SYSDB_PW_ATTRS; struct ldb_message_element *el; + const char *fqname; + char *name; tmp_ctx = talloc_new(NULL); if (tmp_ctx == NULL) { @@ -1147,7 +1158,14 @@ list_user_overrides(TALLOC_CTX *mem_ctx, goto done; } - objs[i].name = ldb_msg_find_attr_as_string(msgs[i], SYSDB_NAME, NULL); + fqname = ldb_msg_find_attr_as_string(msgs[i], SYSDB_NAME, NULL); + ret = sss_parse_internal_fqname(tmp_ctx, fqname, &name, NULL); + if (ret != EOK) { + ret = ERR_WRONG_NAME_FORMAT; + goto done; + } + objs[i].name = talloc_steal(objs, name); + objs[i].uid = ldb_msg_find_attr_as_uint(msgs[i], SYSDB_UIDNUM, 0); objs[i].gid = ldb_msg_find_attr_as_uint(msgs[i], SYSDB_GIDNUM, 0); objs[i].home = ldb_msg_find_attr_as_string(msgs[i], SYSDB_HOMEDIR, NULL); @@ -1169,7 +1187,6 @@ list_user_overrides(TALLOC_CTX *mem_ctx, } talloc_steal(objs, objs[i].orig_name); - talloc_steal(objs, objs[i].name); talloc_steal(objs, objs[i].home); talloc_steal(objs, objs[i].shell); talloc_steal(objs, objs[i].gecos); @@ -1199,6 +1216,8 @@ list_group_overrides(TALLOC_CTX *mem_ctx, size_t i; errno_t ret; const char *attrs[] = SYSDB_GRSRC_ATTRS; + const char *fqname; + char *name; tmp_ctx = talloc_new(NULL); if (tmp_ctx == NULL) { @@ -1226,12 +1245,17 @@ list_group_overrides(TALLOC_CTX *mem_ctx, ret = ERR_INTERNAL; goto done; } + talloc_steal(objs, objs[i].orig_name); - objs[i].name = ldb_msg_find_attr_as_string(msgs[i], SYSDB_NAME, NULL); - objs[i].gid = ldb_msg_find_attr_as_uint(msgs[i], SYSDB_GIDNUM, 0); + fqname = ldb_msg_find_attr_as_string(msgs[i], SYSDB_NAME, NULL); + ret = sss_parse_internal_fqname(tmp_ctx, fqname, &name, NULL); + if (ret != EOK) { + ret = ERR_WRONG_NAME_FORMAT; + goto done; + } + objs[i].name = talloc_steal(objs, name); - talloc_steal(objs, objs[i].orig_name); - talloc_steal(objs, objs[i].name); + objs[i].gid = ldb_msg_find_attr_as_uint(msgs[i], SYSDB_GIDNUM, 0); } talloc_steal(mem_ctx, objs); @@ -1424,7 +1448,7 @@ static int override_user_del(struct sss_cmdline *cmdline, return ret; } - ret = override_object_del(user.domain, SYSDB_MEMBER_USER, user.orig_name); + ret = override_object_del(user.domain, SYSDB_MEMBER_USER, user.sysdb_name); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Unable to delete override object.\n"); return ret; @@ -1493,7 +1517,7 @@ static int override_user_show(struct sss_cmdline *cmdline, } ret = get_object_dn(tmp_ctx, input.domain, SYSDB_MEMBER_USER, - input.orig_name, NULL, &dn); + input.sysdb_name, NULL, &dn); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get object dn\n"); goto done; @@ -1680,7 +1704,7 @@ static int override_group_del(struct sss_cmdline *cmdline, } ret = override_object_del(group.domain, SYSDB_MEMBER_GROUP, - group.orig_name); + group.sysdb_name); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Unable to delete override object.\n"); return ret; @@ -1749,7 +1773,7 @@ static int override_group_show(struct sss_cmdline *cmdline, } ret = get_object_dn(tmp_ctx, input.domain, SYSDB_MEMBER_GROUP, - input.orig_name, NULL, &dn); + input.sysdb_name, NULL, &dn); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get object dn\n"); goto done; |