eb6c560542
Resolves: rhbz#1392916 - sssd failes to start after update Resolves: rhbz#1398789 - SELinux is preventing sssd from 'write' accesses on the directory /etc/sssd
From b87ca4233342e1537fda5ce731db77cf24e422c3 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pcech@redhat.com>
|
|
Date: Wed, 12 Oct 2016 16:48:38 +0200
|
|
Subject: [PATCH 22/39] SYSDB: Adding lowercase sudoUser form
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
If domain is not case sensitive we add lowercase form of usernames
|
|
to sudoUser attributes. So we are actually able to apply sudoRule on
|
|
user Administrator@... with login administrator@...
|
|
|
|
Resolves:
|
|
https://fedorahosted.org/sssd/ticket/3203
|
|
|
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
(cherry picked from commit f4a1046bb88d7a0ab3617e49ae94bfa849d10645)
|
|
(cherry picked from commit 88239b7f17f599aefa88a8a31c2d0ea44b766c87)
|
|
---
|
|
src/db/sysdb_sudo.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++++
|
|
1 file changed, 64 insertions(+)
|
|
|
|
diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
|
|
index 601fb63f2..4bd93ffc6 100644
|
|
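--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -852,6 +852,65 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule,
 return EOK;
 }
 
+static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain,
+ struct sysdb_attrs *rule)
+{
+ TALLOC_CTX *tmp_ctx;
+ const char **users = NULL;
+ const char *lowered = NULL;
+ errno_t ret;
+
+ if (domain->case_sensitive == true || rule == NULL) {
+ return EOK;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx,
+ &users);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n",
+ SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret));
+ goto done;
+ }
+
+ if (users == NULL) {
+ ret = EOK;
+ goto done;
+ }
+
+ for (int i = 0; users[i] != NULL; i++) {
+ lowered = sss_tc_utf8_str_tolower(tmp_ctx, users[i]);
+ if (lowered == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (strcmp(users[i], lowered) == 0) {
+ /* It protects us from adding duplicate. */
+ continue;
+ }
+
+ ret = sysdb_attrs_add_string(rule, SYSDB_SUDO_CACHE_AT_USER, lowered);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unable to add %s attribute [%d]: %s\n",
+ SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret));
+ goto done;
+ }
+ }
+
+ ret = EOK;
+
+done:
+ talloc_zfree(tmp_ctx);
+ return ret;
+}
+
 static errno_t
 sysdb_sudo_store_rule(struct sss_domain_info *domain,
 struct sysdb_attrs *rule,
@@ -868,6 +927,11 @@ sysdb_sudo_store_rule(struct sss_domain_info *domain,
 
 DEBUG(SSSDBG_TRACE_FUNC, "Adding sudo rule %s\n", name);
 
+ ret = sysdb_sudo_add_lowered_users(domain, rule);
+ if (ret != EOK) {
+ return ret;
+ }
+
 ret = sysdb_sudo_add_sss_attrs(rule, name, cache_timeout, now);
 if (ret != EOK) {
 return ret;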
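Review bot: The duplicate guard in `sysdb_sudo_add_lowered_users` only skips a value that is already lowercase, so a rule that lists both `Administrator` and `administrator` (or two spellings that fold to the same string) still gets the lowered form appended a second time; comparing `lowered` against every entry of `users` before calling `sysdb_attrs_add_string` would make the "protects us from adding duplicate" comment true. The loop lowers every value of the sudoUser attribute, not only plain user names, so if that attribute can also carry group or netgroup entries their match set is widened too; since this changes which principals a sudo rule applies to, a comment above the loop stating that this is intended for case-insensitive domains would help the next reader. If `sysdb_attrs_get_string_array` reports a missing attribute as an error rather than returning EOK with `users == NULL` (its body is not visible here), a rule without sudoUser now makes `sysdb_sudo_store_rule` fail where it previously succeeded; treating that case as success, e.g. `if (ret == ENOENT) { ret = EOK; goto done; }`, would keep the earlier behaviour. Separately, `domain` is dereferenced in the first condition without a NULL check, while `rule` is checked there.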
--
|
|
2.11.0
|
|
|