File 0016-sudo-fetch-sudoRunAs-attribute.patch of Package sssd.openSUSE_Leap_42.1_Update

From 7c30e60c525ea798aaab142766ff00eef4b5df3b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 14 Jul 2014 14:23:50 +0200
Subject: [PATCH] sudo: fetch sudoRunAs attribute

This attribute was used in pre 1.7 versions of sudo and it is now
deprecated by sudoRunAsUser and sudoRunAsGroup. However, some users
still use this attribute so we need to support it to ensure backward
compatibility.

This patch makes sure that this attribute is downloaded if present and
provided to sudo. Sudo then decides how to handle it.

The new mapping option is not documented in the man page because this
attribute has been deprecated in sudo for a very long time.

Resolves:
https://fedorahosted.org/sssd/ticket/2212

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index d9b186f..439378f 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -354,6 +354,7 @@ option_strings = {
     'ldap_sudorule_host' : _('Sudo rule host attribute'),
     'ldap_sudorule_user' : _('Sudo rule user attribute'),
     'ldap_sudorule_option' : _('Sudo rule option attribute'),
+    'ldap_sudorule_runas' : _('Sudo rule runas attribute'),
     'ldap_sudorule_runasuser' : _('Sudo rule runasuser attribute'),
     'ldap_sudorule_runasgroup' : _('Sudo rule runasgroup attribute'),
     'ldap_sudorule_notbefore' : _('Sudo rule notbefore attribute'),
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 33d460e..74ca49a 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -151,6 +151,7 @@ ldap_sudorule_command = str, None, false
 ldap_sudorule_host = str, None, false
 ldap_sudorule_user = str, None, false
 ldap_sudorule_option = str, None, false
+ldap_sudorule_runas = str, None, false
 ldap_sudorule_runasuser = str, None, false
 ldap_sudorule_runasgroup = str, None, false
 ldap_sudorule_notbefore = str, None, false
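Review bot: `ldap_sudorule_runas` is declared valid for the AD provider here, and for IPA in the sssd-ipa.conf hunk, but the only attribute map this patch extends is `native_sudorule_map` in src/providers/ldap/ldap_opts.h. If the AD and IPA providers build their sudo rule maps from their own tables rather than the native one, the option would pass config validation there and still never be fetched, so rules relying on sudoRunAs would reach sudo without that run-as target. Either confirm that both providers reuse the native map, or add the same row to their maps in this patch.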
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 11484e7..459db06 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -216,6 +216,7 @@ ldap_sudorule_command = str, None, false
 ldap_sudorule_host = str, None, false
 ldap_sudorule_user = str, None, false
 ldap_sudorule_option = str, None, false
+ldap_sudorule_runas = str, None, false
 ldap_sudorule_runasuser = str, None, false
 ldap_sudorule_runasgroup = str, None, false
 ldap_sudorule_notbefore = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index fa9cdd6..c1c0309 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -152,6 +152,7 @@ ldap_sudorule_command = str, None, false
 ldap_sudorule_host = str, None, false
 ldap_sudorule_user = str, None, false
 ldap_sudorule_option = str, None, false
+ldap_sudorule_runas = str, None, false
 ldap_sudorule_runasuser = str, None, false
 ldap_sudorule_runasgroup = str, None, false
 ldap_sudorule_notbefore = str, None, false
diff --git a/src/db/sysdb_sudo.h b/src/db/sysdb_sudo.h
index f8e214f..fc896c3 100644
--- a/src/db/sysdb_sudo.h
+++ b/src/db/sysdb_sudo.h
@@ -39,6 +39,7 @@
 #define SYSDB_SUDO_CACHE_AT_HOST       "sudoHost"
 #define SYSDB_SUDO_CACHE_AT_COMMAND    "sudoCommand"
 #define SYSDB_SUDO_CACHE_AT_OPTION     "sudoOption"
+#define SYSDB_SUDO_CACHE_AT_RUNAS      "sudoRunAs"
 #define SYSDB_SUDO_CACHE_AT_RUNASUSER  "sudoRunAsUser"
 #define SYSDB_SUDO_CACHE_AT_RUNASGROUP "sudoRunAsGroup"
 #define SYSDB_SUDO_CACHE_AT_NOTBEFORE  "sudoNotBefore"
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index adf200c..39c2473 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -321,6 +321,7 @@ struct sdap_attr_map native_sudorule_map[] = {
     { "ldap_sudorule_host", "sudoHost", SYSDB_SUDO_CACHE_AT_HOST, NULL },
     { "ldap_sudorule_user", "sudoUser", SYSDB_SUDO_CACHE_AT_USER, NULL },
     { "ldap_sudorule_option", "sudoOption", SYSDB_SUDO_CACHE_AT_OPTION, NULL },
+    { "ldap_sudorule_runas", "sudoRunAs", SYSDB_SUDO_CACHE_AT_RUNAS, NULL },
     { "ldap_sudorule_runasuser", "sudoRunAsUser", SYSDB_SUDO_CACHE_AT_RUNASUSER, NULL },
     { "ldap_sudorule_runasgroup", "sudoRunAsGroup", SYSDB_SUDO_CACHE_AT_RUNASGROUP, NULL },
     { "ldap_sudorule_notbefore", "sudoNotBefore", SYSDB_SUDO_CACHE_AT_NOTBEFORE, NULL },
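Review bot: The row added to `native_sudorule_map` sits in the middle of the array, but no hunk in this patch changes an index enum or entry count to match. SSSD's sdap code normally pairs each attribute map with an enum that ends in a counter such as `SDAP_OPTS_SUDO`; if that is the case in this tree, code indexing the map by enum constant would read the wrong row after `ldap_sudorule_option`, and the final row would fall outside the count. That matters for the run-as and time-limit attributes, which restrict what a rule grants. Confirm that the matching enum gains a member at the same position, or that this backport does not need one. The array definition starts and ends outside the hunk.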
diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c
index 9d8ef5d..4b35a1a 100644
--- a/src/responder/sudo/sudosrv_get_sudorules.c
+++ b/src/responder/sudo/sudosrv_get_sudorules.c
@@ -537,6 +537,7 @@ static errno_t sudosrv_get_sudorules_from_cache(TALLOC_CTX *mem_ctx,
                             SYSDB_SUDO_CACHE_AT_HOST,
                             SYSDB_SUDO_CACHE_AT_COMMAND,
                             SYSDB_SUDO_CACHE_AT_OPTION,
+                            SYSDB_SUDO_CACHE_AT_RUNAS,
                             SYSDB_SUDO_CACHE_AT_RUNASUSER,
                             SYSDB_SUDO_CACHE_AT_RUNASGROUP,
                             SYSDB_SUDO_CACHE_AT_NOTBEFORE,
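Review bot: Adding `SYSDB_SUDO_CACHE_AT_RUNAS` to this attribute list only returns the value for rules whose cache entry already holds it; rules stored before the update were fetched without sudoRunAs and will be served without it until the sudo provider downloads them again. For a rule that names its target user only through sudoRunAs, sudo would presumably fall back to its default run-as user in the meantime, which may be broader than the directory intends. The release note or packaging for this patch should call for a full sudo rule refresh (or cache invalidation) after upgrade. A short comment on the new line would also help, e.g. `/* legacy pre-1.7 attribute; sudo resolves precedence against sudoRunAsUser */`. The attribute array and the rest of `sudosrv_get_sudorules_from_cache` lie outside the hunk.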
-- 
2.10.2