From fcff118bbf3b0a6af585b696ab0815cbd6ddec3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 27 Apr 2018 21:18:59 +0200 Subject: [PATCH] Resolves: upstream#3558 - sudo: report error when two rules share cn MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Fabiano Fidêncio --- ...-store-rules-without-sudoHost-attrib.patch | 39 +++++++ ...pletely-replace-old-object-instead-o.patch | 100 ++++++++++++++++++ sssd.spec | 3 + 3 files changed, 142 insertions(+) create mode 100644 0017-sudo-ldap-do-not-store-rules-without-sudoHost-attrib.patch create mode 100644 0018-sysdb-custom-completely-replace-old-object-instead-o.patch diff --git a/0017-sudo-ldap-do-not-store-rules-without-sudoHost-attrib.patch b/0017-sudo-ldap-do-not-store-rules-without-sudoHost-attrib.patch new file mode 100644 index 0000000..fa51604 --- /dev/null +++ b/0017-sudo-ldap-do-not-store-rules-without-sudoHost-attrib.patch 
@@ -0,0 +1,39 @@ +From d7795e33668b3e2ef212c5fa0bfaf4485e87db65 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 31 Oct 2017 15:14:52 +0100 +Subject: [PATCH] sudo ldap: do not store rules without sudoHost attribute +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Unless it is cn=defaults. + +Resolves: +https://pagure.io/SSSD/sssd/issue/3558 + +Reviewed-by: Fabiano Fidêncio +Reviewed-by: Jakub Hrozek +(cherry picked from commit 47ad0778be72994a2294b2e73cc5c670be6811a7) +--- + src/providers/ldap/sdap_async_sudo.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/providers/ldap/sdap_async_sudo.c b/src/providers/ldap/sdap_async_sudo.c +index 5dc580128..3da76256e 100644 +--- a/src/providers/ldap/sdap_async_sudo.c ++++ b/src/providers/ldap/sdap_async_sudo.c +@@ -158,8 +158,9 @@ static char *sdap_sudo_build_host_filter(TALLOC_CTX *mem_ctx, + goto done; + } + +- /* sudoHost is not specified */ +- filter = talloc_asprintf_append_buffer(filter, "(!(%s=*))", ++ /* sudoHost is not specified and it is a cn=defaults rule */ ++ filter = talloc_asprintf_append_buffer(filter, "(&(!(%s=*))(%s=defaults))", ++ map[SDAP_AT_SUDO_HOST].name, + map[SDAP_AT_SUDO_HOST].name); + if (filter == NULL) { + goto done; +-- +2.14.3 + diff --git a/0018-sysdb-custom-completely-replace-old-object-instead-o.patch b/0018-sysdb-custom-completely-replace-old-object-instead-o.patch new file mode 100644 index 0000000..0da0d09 --- /dev/null +++ b/0018-sysdb-custom-completely-replace-old-object-instead-o.patch 
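Review bot: The new filter at the end of the hunk passes `map[SDAP_AT_SUDO_HOST].name` for both `%s` placeholders, so with the default attribute map it expands to `(&(!(sudoHost=*))(sudoHost=defaults))`, which no LDAP entry can satisfy — the branch meant to keep the cn=defaults rule will drop it together with every other host-less rule, and the sudoOption defaults it carries would silently stop being applied on the client. The second argument should be the rule-name attribute, presumably `map[SDAP_AT_SUDO_NAME].name` if the sudo rule map defines that entry as the rest of sdap_async_sudo.c suggests. Unless an administrator overrides the map so the two attribute names differ, the patch as written is a regression rather than the intended restriction. sdap_sudo_build_host_filter begins and ends outside the hunk.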
@@ -0,0 +1,100 @@ +From 547aebfde6fda8088682c9d12a3b5bcfa87c52a2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 31 Oct 2017 15:16:35 +0100 +Subject: [PATCH] sysdb custom: completely replace old object instead of + merging it +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch is written primary for sudo use case, but it makes sure the we do +not merge two record in other parts of the code that uses sysdb_store_custom. + +1) If there are two rules with the same cn (possible with multiple search bases +or organizational units) we would end up merging those two rules instead of +choosing one of them. + +2) Also smart refresh would merge the diff insteand of removing the attributes +that are no longer present in ldap. + +Since 1) is a rare use case and it is a misconfiguration we completely replace +the old rule with new one. It is simpler to implement and it solves both issues. + +Resolves: +https://pagure.io/SSSD/sssd/issue/3558 + +Reviewed-by: Fabiano Fidêncio +Reviewed-by: Jakub Hrozek +(cherry picked from commit cd4590de2a84b8143a6c75b5198f5e1b3c0a6d63) +--- + src/db/sysdb_ops.c | 33 +++++---------------------------- + 1 file changed, 5 insertions(+), 28 deletions(-) + +diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c +index 09aa04a29..5d3cf643d 100644 +--- a/src/db/sysdb_ops.c ++++ b/src/db/sysdb_ops.c +@@ -3399,12 +3399,7 @@ int sysdb_store_custom(struct sss_domain_info *domain, + struct sysdb_attrs *attrs) + { + TALLOC_CTX *tmp_ctx; +- const char *search_attrs[] = { "*", NULL }; +- size_t resp_count = 0; +- struct ldb_message **resp; + struct ldb_message *msg; +- struct ldb_message_element *el; +- bool add_object = false; + int ret; + int i; + +@@ -3423,17 +3418,12 @@ int sysdb_store_custom(struct sss_domain_info *domain, + goto done; + } + +- ret = sysdb_search_custom_by_name(tmp_ctx, domain, +- object_name, subtree_name, +- search_attrs, &resp_count, &resp); +- if (ret != 
EOK && ret != ENOENT) { ++ /* Always add a new object. */ ++ ret = sysdb_delete_custom(domain, object_name, subtree_name); ++ if (ret != EOK) { + goto done; + } + +- if (ret == ENOENT) { +- add_object = true; +- } +- + msg = ldb_msg_new(tmp_ctx); + if (msg == NULL) { + ret = ENOMEM; +@@ -3455,24 +3445,11 @@ int sysdb_store_custom(struct sss_domain_info *domain, + + for (i = 0; i < attrs->num; i++) { + msg->elements[i] = attrs->a[i]; +- if (add_object) { +- msg->elements[i].flags = LDB_FLAG_MOD_ADD; +- } else { +- el = ldb_msg_find_element(resp[0], attrs->a[i].name); +- if (el == NULL) { +- msg->elements[i].flags = LDB_FLAG_MOD_ADD; +- } else { +- msg->elements[i].flags = LDB_FLAG_MOD_REPLACE; +- } +- } ++ msg->elements[i].flags = LDB_FLAG_MOD_ADD; + } + msg->num_elements = attrs->num; + +- if (add_object) { +- ret = ldb_add(domain->sysdb->ldb, msg); +- } else { +- ret = ldb_modify(domain->sysdb->ldb, msg); +- } ++ ret = ldb_add(domain->sysdb->ldb, msg); + if (ret != LDB_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to store custom entry: %s(%d)[%s]\n", + ldb_strerror(ret), ret, ldb_errstring(domain->sysdb->ldb)); +-- +2.14.3 + diff --git a/sssd.spec b/sssd.spec index 8195f5d..5e888e9 100644 --- a/sssd.spec +++ b/sssd.spec @@ -58,6 +58,8 @@ Patch0013: 0013-intg-convert-results-returned-as-bytes-to-strings.patch Patch0014: 0014-KCM-Fix-typo-in-ccdb_sec_delete_list_done.patch Patch0015: 0015-KCM-Only-print-the-number-of-found-items-after-we-ha.patch Patch0016: 0016-SYSDB-When-marking-an-entry-as-expired-also-set-the-.patch +Patch0017: 0017-sudo-ldap-do-not-store-rules-without-sudoHost-attrib.patch +Patch0018: 0018-sysdb-custom-completely-replace-old-object-instead-o.patch Patch0502: 0502-SYSTEMD-Use-capabilities.patch Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch 
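Review bot: sysdb_store_custom now unconditionally deletes the existing entry and then `ldb_add`s the replacement, but nothing in the hunk starts a sysdb transaction, so any failure between `sysdb_delete_custom` and `ldb_add` — ENOMEM from `ldb_msg_new`, the DN setup the hunk skips over, or a rejected add — leaves the rule deleted where the old code would have left the previous object untouched. If every caller already wraps the store in a sysdb transaction this is harmless, but the function does not say so; a comment above the delete such as `/* Replace, do not merge: callers must hold a sysdb transaction so a failed ldb_add cannot lose the previous object. */` would make the contract explicit, or the function could open a transaction itself. Please also confirm that `sysdb_delete_custom` returns EOK rather than ENOENT for a missing object, since the new `if (ret != EOK) goto done;` would otherwise make storing a brand-new rule fail; if it does not, use `if (ret != EOK && ret != ENOENT) { goto done; }`. The commit title promises an error report when two rules share a cn, yet the replacement is silent — a debug message at the sudo layer when an existing rule is overwritten would let operators detect the misconfiguration the description mentions. The body of sysdb_store_custom starts before the first hunk and continues after the last one.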
@@ -1262,6 +1264,7 @@ fi - Resolves: upstream#3684 - A group is not updated if its member is removed with the cleanup task, but the group does not change +- Resolves: upstream#3558 - sudo: report error when two rules share cn * Fri Mar 30 2018 Fabiano Fidêncio - 1.16.1-2 - Resolves: upstream#3573 - sssd won't show netgroups with blank domain