Resolves: upstream#3558 - sudo: report error when two rules share cn

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Fabiano Fidêncio 2018-04-27 21:18:59 +02:00
parent f3d06df50d
commit fcff118bbf
3 changed files with 142 additions and 0 deletions


@ -0,0 +1,39 @@
From d7795e33668b3e2ef212c5fa0bfaf4485e87db65 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 31 Oct 2017 15:14:52 +0100
Subject: [PATCH] sudo ldap: do not store rules without sudoHost attribute
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Unless it is cn=defaults.
Resolves:
https://pagure.io/SSSD/sssd/issue/3558
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 47ad0778be72994a2294b2e73cc5c670be6811a7)
---
src/providers/ldap/sdap_async_sudo.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/providers/ldap/sdap_async_sudo.c b/src/providers/ldap/sdap_async_sudo.c
index 5dc580128..3da76256e 100644
--- a/src/providers/ldap/sdap_async_sudo.c
+++ b/src/providers/ldap/sdap_async_sudo.c
@@ -158,8 +158,9 @@ static char *sdap_sudo_build_host_filter(TALLOC_CTX *mem_ctx,
goto done;
}
- /* sudoHost is not specified */
- filter = talloc_asprintf_append_buffer(filter, "(!(%s=*))",
+ /* sudoHost is not specified and it is a cn=defaults rule */
+ filter = talloc_asprintf_append_buffer(filter, "(&(!(%s=*))(%s=defaults))",
+ map[SDAP_AT_SUDO_HOST].name,
map[SDAP_AT_SUDO_HOST].name);
if (filter == NULL) {
goto done;
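Review bot: the second `%s` in the new filter is filled by the unchanged context line `map[SDAP_AT_SUDO_HOST].name);`, while the added line `map[SDAP_AT_SUDO_HOST].name,` already supplies the host attribute for the first `%s`, so the filter expands to `(&(!(sudoHost=*))(sudoHost=defaults))`. No entry can have sudoHost absent and equal to `defaults` at the same time, so instead of keeping the cn=defaults rule as the commit message intends, this hunk drops it. The second argument should be the rule-name attribute (the `cn` entry of the sudorule map, `SDAP_AT_SUDO_NAME`) so the filter reads `(&(!(sudoHost=*))(cn=defaults))`; a test that builds the host filter and checks that the defaults rule still matches would catch this.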
--
2.14.3


@ -0,0 +1,100 @@
From 547aebfde6fda8088682c9d12a3b5bcfa87c52a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 31 Oct 2017 15:16:35 +0100
Subject: [PATCH] sysdb custom: completely replace old object instead of
merging it
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This patch is written primarily for the sudo use case, but it makes sure that we do
not merge two records in other parts of the code that use sysdb_store_custom.
1) If there are two rules with the same cn (possible with multiple search bases
or organizational units) we would end up merging those two rules instead of
choosing one of them.
2) Also smart refresh would merge the diff instead of removing the attributes
that are no longer present in ldap.
Since 1) is a rare use case and it is a misconfiguration we completely replace
the old rule with the new one. It is simpler to implement and it solves both issues.
Resolves:
https://pagure.io/SSSD/sssd/issue/3558
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit cd4590de2a84b8143a6c75b5198f5e1b3c0a6d63)
---
src/db/sysdb_ops.c | 33 +++++----------------------------
1 file changed, 5 insertions(+), 28 deletions(-)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 09aa04a29..5d3cf643d 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -3399,12 +3399,7 @@ int sysdb_store_custom(struct sss_domain_info *domain,
struct sysdb_attrs *attrs)
{
TALLOC_CTX *tmp_ctx;
- const char *search_attrs[] = { "*", NULL };
- size_t resp_count = 0;
- struct ldb_message **resp;
struct ldb_message *msg;
- struct ldb_message_element *el;
- bool add_object = false;
int ret;
int i;
@@ -3423,17 +3418,12 @@ int sysdb_store_custom(struct sss_domain_info *domain,
goto done;
}
- ret = sysdb_search_custom_by_name(tmp_ctx, domain,
- object_name, subtree_name,
- search_attrs, &resp_count, &resp);
- if (ret != EOK && ret != ENOENT) {
+ /* Always add a new object. */
+ ret = sysdb_delete_custom(domain, object_name, subtree_name);
+ if (ret != EOK) {
goto done;
}
- if (ret == ENOENT) {
- add_object = true;
- }
-
msg = ldb_msg_new(tmp_ctx);
if (msg == NULL) {
ret = ENOMEM;
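Review bot: the new `if (ret != EOK) { goto done; }` after `sysdb_delete_custom()` drops the ENOENT tolerance that the removed `sysdb_search_custom_by_name()` check had (`ret != EOK && ret != ENOENT`), so this is only correct if `sysdb_delete_custom()` maps a missing object to EOK; that is not visible in the hunk, and if it can return ENOENT the very first store of any custom object would fail. Either confirm that in the delete helper or accept ENOENT here as well. Separately, delete followed by `ldb_add()` is two ldb operations rather than one atomic replace, so a failure between them leaves the object gone; the function now relies on the caller holding a sysdb transaction, and saying so in its doc comment would make the contract explicit.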
@@ -3455,24 +3445,11 @@ int sysdb_store_custom(struct sss_domain_info *domain,
for (i = 0; i < attrs->num; i++) {
msg->elements[i] = attrs->a[i];
- if (add_object) {
- msg->elements[i].flags = LDB_FLAG_MOD_ADD;
- } else {
- el = ldb_msg_find_element(resp[0], attrs->a[i].name);
- if (el == NULL) {
- msg->elements[i].flags = LDB_FLAG_MOD_ADD;
- } else {
- msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
- }
- }
+ msg->elements[i].flags = LDB_FLAG_MOD_ADD;
}
msg->num_elements = attrs->num;
- if (add_object) {
- ret = ldb_add(domain->sysdb->ldb, msg);
- } else {
- ret = ldb_modify(domain->sysdb->ldb, msg);
- }
+ ret = ldb_add(domain->sysdb->ldb, msg);
if (ret != LDB_SUCCESS) {
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to store custom entry: %s(%d)[%s]\n",
ldb_strerror(ret), ret, ldb_errstring(domain->sysdb->ldb));
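Review bot: now that the object is always created with `ldb_add()`, the surviving `msg->elements[i].flags = LDB_FLAG_MOD_ADD;` in the loop no longer selects between add and replace; `ldb_add()` stores the elements as given and does not interpret modify flags, so the line is purely defensive. Either drop it or keep it with a one-line comment, because a reader who sees MOD flags next to `ldb_add()` will assume a modify path still exists. The `/* Always add a new object. */` comment in the previous hunk would be a good place to state that the old-object removal is what makes the plain add safe.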
--
2.14.3


@ -58,6 +58,8 @@ Patch0013: 0013-intg-convert-results-returned-as-bytes-to-strings.patch
Patch0014: 0014-KCM-Fix-typo-in-ccdb_sec_delete_list_done.patch
Patch0015: 0015-KCM-Only-print-the-number-of-found-items-after-we-ha.patch
Patch0016: 0016-SYSDB-When-marking-an-entry-as-expired-also-set-the-.patch
Patch0017: 0017-sudo-ldap-do-not-store-rules-without-sudoHost-attrib.patch
Patch0018: 0018-sysdb-custom-completely-replace-old-object-instead-o.patch
Patch0502: 0502-SYSTEMD-Use-capabilities.patch
Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
@ -1262,6 +1264,7 @@ fi
- Resolves: upstream#3684 - A group is not updated if its member is removed
with the cleanup task, but the group does not
change
- Resolves: upstream#3558 - sudo: report error when two rules share cn
* Fri Mar 30 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-2
- Resolves: upstream#3573 - sssd won't show netgroups with blank domain
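Review bot: the `- Resolves: upstream#3558` line is appended to the existing topmost changelog entry (the one above the Fri Mar 30 2018 1.16.1-2 entry), and the commit summary shows 0 deletions, so neither the Release tag nor that entry's date changes in this commit. That is fine only if the top entry has not been built yet; if it has, this needs a new dated entry and a Release bump. The entry's own header line sits outside this hunk, so confirm it already names a release later than 1.16.1-2.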