diff options
author | Pavel Březina <pbrezina@redhat.com> | 2016-05-26 11:37:30 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2016-07-07 10:30:26 +0200 |
commit | 61913b8f0d1ba54d82640500d7486fac5f72b030 (patch) | |
tree | 21ed1952b88d463468d690a22f40328e4bbf4d7c /src/util/sss_sockets.c | |
parent | 552390afcc81af96ca201fa6c25ddefbbecbeb4e (diff) | |
download | sssd-61913b8f0d1ba54d82640500d7486fac5f72b030.tar.gz sssd-61913b8f0d1ba54d82640500d7486fac5f72b030.tar.xz sssd-61913b8f0d1ba54d82640500d7486fac5f72b030.zip |
sudo: solve problems with fully qualified names
sudo expects the same name in sudo rule as login name. Therefore
if fully qualified name is used or even enforced by setting
use_fully_qualified_names to true or by forcing default domain
with default_domain_suffix sssd is able to correctly return the
rules but sudo can't match the user with contect of sudoUser
attribute since it is not qualified.
This patch changes the rules on the fly to avoid using names at all.
We do this in two steps:
1. We fetch all rules that match current user name, id or groups and
replace sudoUser attribute with sudoUser: #uid.
2. We fetch complementry rules that contain netgroups since it is
expected we don't have infromation about existing netgroups in
cache, sudo still needs to evaluate it for us if needed.
This patch also remove test for sysdb_get_sudo_filter since it wasn't
sufficient anyway and I did not rewrite it since I don't thing it
is a good thing to have filter tests that depends on exact filter
order.
Resolves:
https://fedorahosted.org/sssd/ticket/2919
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/util/sss_sockets.c')
0 files changed, 0 insertions, 0 deletions