Diffstat (limited to 'src/db/sysdb_sudo.c')
-rw-r--r--src/db/sysdb_sudo.c185
1 files changed, 118 insertions, 67 deletions
diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
index 5f1a8a13e..601fb63f2 100644
--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -215,105 +215,156 @@ done:
return ret;
}
-errno_t
-sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username,
- uid_t uid, char **groupnames, unsigned int flags,
- char **_filter)
+static char *
+sysdb_sudo_filter_userinfo(TALLOC_CTX *mem_ctx,
+ const char *username,
+ char **groupnames,
+ uid_t uid)
{
- TALLOC_CTX *tmp_ctx = NULL;
- char *filter = NULL;
- char *specific_filter = NULL;
- char *sanitized = NULL;
- time_t now;
+ const char *attr = SYSDB_SUDO_CACHE_AT_USER;
+ TALLOC_CTX *tmp_ctx;
+ char *sanitized_name;
+ char *filter;
errno_t ret;
int i;
tmp_ctx = talloc_new(NULL);
- NULL_CHECK(tmp_ctx, ret, done);
-
- /* build specific filter */
+ if (tmp_ctx == NULL) {
+ return NULL;
+ }
- specific_filter = talloc_zero(tmp_ctx, char); /* assign to tmp_ctx */
- NULL_CHECK(specific_filter, ret, done);
+ filter = talloc_asprintf(tmp_ctx, "(%s=ALL)", attr);
+ if (filter == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
- if (flags & SYSDB_SUDO_FILTER_INCLUDE_ALL) {
- specific_filter = talloc_asprintf_append(specific_filter, "(%s=ALL)",
- SYSDB_SUDO_CACHE_AT_USER);
- NULL_CHECK(specific_filter, ret, done);
+ ret = sss_filter_sanitize(tmp_ctx, username, &sanitized_name);
+ if (ret != EOK) {
+ goto done;
}
- if (flags & SYSDB_SUDO_FILTER_INCLUDE_DFL) {
- specific_filter = talloc_asprintf_append(specific_filter, "(%s=defaults)",
- SYSDB_NAME);
- NULL_CHECK(specific_filter, ret, done);
+ filter = talloc_asprintf_append(filter, "(%s=%s)", attr, sanitized_name);
+ if (filter == NULL) {
+ ret = ENOMEM;
+ goto done;
}
- if ((flags & SYSDB_SUDO_FILTER_USERNAME) && (username != NULL)) {
- ret = sss_filter_sanitize(tmp_ctx, username, &sanitized);
- if (ret != EOK) {
+ if (uid != 0) {
+ filter = talloc_asprintf_append(filter, "(%s=#%"SPRIuid")", attr, uid);
+ if (filter == NULL) {
+ ret = ENOMEM;
goto done;
}
-
- specific_filter = talloc_asprintf_append(specific_filter, "(%s=%s)",
- SYSDB_SUDO_CACHE_AT_USER,
- sanitized);
- NULL_CHECK(specific_filter, ret, done);
- }
-
- if ((flags & SYSDB_SUDO_FILTER_UID) && (uid != 0)) {
- specific_filter = talloc_asprintf_append(specific_filter, "(%s=#%llu)",
- SYSDB_SUDO_CACHE_AT_USER,
- (unsigned long long) uid);
- NULL_CHECK(specific_filter, ret, done);
}
- if ((flags & SYSDB_SUDO_FILTER_GROUPS) && (groupnames != NULL)) {
+ if (groupnames != NULL) {
for (i=0; groupnames[i] != NULL; i++) {
- ret = sss_filter_sanitize(tmp_ctx, groupnames[i], &sanitized);
+ ret = sss_filter_sanitize(tmp_ctx, groupnames[i], &sanitized_name);
if (ret != EOK) {
goto done;
}
- specific_filter = talloc_asprintf_append(specific_filter, "(%s=%%%s)",
- SYSDB_SUDO_CACHE_AT_USER,
- sanitized);
- NULL_CHECK(specific_filter, ret, done);
+ filter = talloc_asprintf_append(filter, "(%s=%%%s)", attr,
+ sanitized_name);
+ if (filter == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
}
}
- if (flags & SYSDB_SUDO_FILTER_NGRS) {
- specific_filter = talloc_asprintf_append(specific_filter, "(%s=+*)",
- SYSDB_SUDO_CACHE_AT_USER);
- NULL_CHECK(specific_filter, ret, done);
+ talloc_steal(mem_ctx, filter);
+
+done:
+ talloc_free(tmp_ctx);
+
+ if (ret != EOK) {
+ return NULL;
}
- /* build global filter */
+ return filter;
+}
- filter = talloc_asprintf(tmp_ctx, "(&(%s=%s)",
- SYSDB_OBJECTCLASS, SYSDB_SUDO_CACHE_OC);
- NULL_CHECK(filter, ret, done);
+char *
+sysdb_sudo_filter_expired(TALLOC_CTX *mem_ctx,
+ const char *username,
+ char **groupnames,
+ uid_t uid)
+{
+ char *userfilter;
+ char *filter;
+ time_t now;
- if (specific_filter[0] != '\0') {
- filter = talloc_asprintf_append(filter, "(|%s)", specific_filter);
- NULL_CHECK(filter, ret, done);
+ userfilter = sysdb_sudo_filter_userinfo(mem_ctx, username, groupnames, uid);
+ if (userfilter == NULL) {
+ return NULL;
}
- if (flags & SYSDB_SUDO_FILTER_ONLY_EXPIRED) {
- now = time(NULL);
- filter = talloc_asprintf_append(filter, "(&(%s<=%lld))",
- SYSDB_CACHE_EXPIRE, (long long)now);
- NULL_CHECK(filter, ret, done);
+ now = time(NULL);
+ filter = talloc_asprintf(mem_ctx,
+ "(&(%s=%s)(%s<=%lld)(|(%s=defaults)%s(%s=+*)))",
+ SYSDB_OBJECTCLASS, SYSDB_SUDO_CACHE_OC,
+ SYSDB_CACHE_EXPIRE, (long long)now,
+ SYSDB_NAME,
+ userfilter,
+ SYSDB_SUDO_CACHE_AT_USER);
+ talloc_free(userfilter);
+
+ return filter;
+}
+
+char *
+sysdb_sudo_filter_defaults(TALLOC_CTX *mem_ctx)
+{
+ return talloc_asprintf(mem_ctx, "(&(%s=%s)(%s=defaults))",
+ SYSDB_OBJECTCLASS, SYSDB_SUDO_CACHE_OC,
+ SYSDB_NAME);
+}
+
+char *
+sysdb_sudo_filter_user(TALLOC_CTX *mem_ctx,
+ const char *username,
+ char **groupnames,
+ uid_t uid)
+{
+ char *userfilter;
+ char *filter;
+
+ userfilter = sysdb_sudo_filter_userinfo(mem_ctx, username, groupnames, uid);
+ if (userfilter == NULL) {
+ return NULL;
}
- filter = talloc_strdup_append(filter, ")");
- NULL_CHECK(filter, ret, done);
+ filter = talloc_asprintf(mem_ctx, "(&(%s=%s)(|%s))",
+ SYSDB_OBJECTCLASS, SYSDB_SUDO_CACHE_OC,
+ userfilter);
+ talloc_free(userfilter);
- ret = EOK;
- *_filter = talloc_steal(mem_ctx, filter);
+ return filter;
+}
-done:
- talloc_free(tmp_ctx);
- return ret;
+char *
+sysdb_sudo_filter_netgroups(TALLOC_CTX *mem_ctx,
+ const char *username,
+ char **groupnames,
+ uid_t uid)
+{
+ char *userfilter;
+ char *filter;
+
+ userfilter = sysdb_sudo_filter_userinfo(mem_ctx, username, groupnames, uid);
+ if (userfilter == NULL) {
+ return NULL;
+ }
+
+ filter = talloc_asprintf(mem_ctx, "(&(%s=%s)(%s=+*)(!(|%s)))",
+ SYSDB_OBJECTCLASS, SYSDB_SUDO_CACHE_OC,
+ SYSDB_SUDO_CACHE_AT_USER,
+ userfilter);
+ talloc_free(userfilter);
+
+ return filter;
}
errno_t
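Review bot: sysdb_sudo_filter_userinfo passes `username` straight to sss_filter_sanitize, whereas the removed sysdb_get_sudo_filter only did so under `(username != NULL)`; unless sss_filter_sanitize is known to accept a NULL string (not visible here), a caller that has no user name now risks a NULL dereference inside the filter builder. Guarding it means `ret` is no longer guaranteed to be assigned on the success path, since `ret = sss_filter_sanitize(...)` is currently the only unconditional write before `done:`, so initialise it too: `errno_t ret = EOK;` and wrap the sanitize call and the following `(%s=%s)` append in `if (username != NULL) { ... }`. The four new public functions also lack a contract comment; a one-line header on each such as `/* Returns a filter allocated on mem_ctx (caller frees), or NULL on allocation/sanitize failure; username and groupnames are escaped via sss_filter_sanitize before being embedded. */` would document ownership and the escaping guarantee that callers building LDB filters from external names rely on.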
@@ -985,4 +1036,4 @@ sysdb_set_sudo_rule_attr(struct sss_domain_info *domain,
done:
talloc_free(tmp_ctx);
return ret;
-} \ No newline at end of file
+}