Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Maintenance:6965
sudo.openSUSE_Leap_42.2_Update
sudo-1.8.10p3-sssd_netgroup_filtering.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File sudo-1.8.10p3-sssd_netgroup_filtering.patch of Package sudo.openSUSE_Leap_42.2_Update
# HG changeset patch # User Todd C. Miller <Todd.Miller@courtesan.com> # Date 1464886059 21600 # Node ID 50d8d88bcc28ba9c6236c2a6cc51a593b0c308a1 # Parent bec7e2ec26ff5837d7225c414f3ac6d2e52b9093 SSSD doesn't handle netgroups, we have to ensure they are correctly filtered in sudo. The rules may contain mixed sudoUser specification so we have to check not only for netgroup membership but also for user and group matches. Adapted from a patch from Daniel Kopecek. Index: sudo-1.8.10p3/plugins/sudoers/sssd.c =================================================================== --- sudo-1.8.10p3.orig/plugins/sudoers/sssd.c +++ sudo-1.8.10p3/plugins/sudoers/sssd.c @@ -592,52 +592,70 @@ sudo_sss_check_host(struct sudo_sss_hand } /* - * Look for netgroup specifcations in the sudoUser attribute and - * if found, filter according to netgroup membership. - * returns: - * true -> netgroup spec found && netgroup member - * false -> netgroup spec found && not a member of netgroup - * true -> netgroup spec not found (filtered by SSSD already, netgroups are an exception) + * SSSD doesn't handle netgroups, we have to ensure they are correctly filtered + * in sudo. The rules may contain mixed sudoUser specification so we have to + * check not only for netgroup membership but also for user and group matches. */ static bool -sudo_sss_filter_user_netgroup(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule) +sudo_sss_check_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule) { - bool ret = false, netgroup_spec_found = false; - char **val_array, *val; + int matched = UNSPEC; + char **val_array; int i; - debug_decl(sudo_sss_filter_user_netgroup, SUDO_DEBUG_SSSD); + debug_decl(sudo_sss_check_user, SUDO_DEBUG_SSSD); if (!handle || !rule) - debug_return_bool(ret); + debug_return_bool(false); switch (handle->fn_get_values(rule, "sudoUser", &val_array)) { case 0: break; case ENOENT: sudo_debug_printf(SUDO_DEBUG_INFO, "No result."); - debug_return_bool(ret); + debug_return_bool(false); default: sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoUser): != 0"); - debug_return_bool(ret); + debug_return_bool(false); } - for (i = 0; val_array[i] != NULL && !ret; ++i) { - val = val_array[i]; - if (*val == '+') { - netgroup_spec_found = true; - } + /* Walk through sudoUser values. */ + for (i = 0; val_array[i] != NULL && matched != false; ++i) { + int negated = false; + const char *val = val_array[i]; + sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val); - if (strcmp(val, "ALL") == 0 || netgr_matches(val, NULL, NULL, handle->pw->pw_name)) { - ret = true; - sudo_debug_printf(SUDO_DEBUG_DIAG, - "sssd/ldap sudoUser '%s' ... MATCH! (%s)", - val, handle->pw->pw_name); + if (*val == '!') { + val++; + negated = true; + } + switch (*val) { + case '+': + /* Netgroup spec found, check membership. */ + if (netgr_matches(val, NULL, NULL, handle->pw->pw_name)) { + matched = !negated; + } + break; + case '%': + /* User group found, check membership. */ + if (usergr_matches(val, handle->pw->pw_name, handle->pw)) { + matched = !negated; + } + break; + default: + /* Not a netgroup or user group. */ + if (strcmp(val, "ALL") == 0 || + userpw_matches(val, handle->pw->pw_name, handle->pw)) { + matched = !negated; + } break; } + sudo_debug_printf(SUDO_DEBUG_DIAG, + "sssd/ldap sudoUser '%s' ... %s (%s)", val_array[i], + matched == true ? "MATCH!" : "not", handle->pw->pw_name); } handle->fn_free_values(val_array); - debug_return_bool(netgroup_spec_found ? ret : true); + debug_return_bool(matched == true); } static int @@ -648,7 +666,7 @@ sudo_sss_result_filterp(struct sudo_sss_ debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD); if (sudo_sss_check_host(handle, rule) && - sudo_sss_filter_user_netgroup(handle, rule)) + sudo_sss_check_user(handle, rule)) debug_return_int(1); else debug_return_int(0);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor