8eda442b2e
Resolves: rhbz#1488327 - SELinux is preventing selinux_child from write access
on the sock_file system_bus_socket
Resolves: rhbz#1490402 - SSSD does not create /var/lib/sss/deskprofile and
fails to download desktop profile data
Resolves: upstream#3485 - getsidbyid does not work with 1.15.3
Resolves: upstream#3488 - SUDO doesn't work for IPA users on IPA clients after
applying ID Views for them in IPA server
Resolves: upstream#3501 - Accessing IdM kerberos ticket fails while id mapping
is applied
598 lines
23 KiB
Diff
598 lines
23 KiB
Diff
From dee665060ba71ff61ad223e755ae61441118fbba Mon Sep 17 00:00:00 2001
|
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
Date: Tue, 22 Aug 2017 22:32:19 +0200
|
|
Subject: [PATCH 115/115] SUDO: Use initgr_with_views when looking up a sudo
|
|
user
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
The sudo responder code didn't take views into account when looking for
|
|
rules, which resulted in sudo rules being ignored if the user's name was
|
|
overriden.
|
|
|
|
Please see the ticket for a detailed info on how to reproduce the bug.
|
|
|
|
Resolves:
|
|
https://pagure.io/SSSD/sssd/issue/3488
|
|
|
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
---
|
|
src/db/sysdb_sudo.c | 89 ++++++++++-----
|
|
src/db/sysdb_sudo.h | 6 +-
|
|
src/responder/sudo/sudosrv_get_sudorules.c | 45 +++++---
|
|
src/responder/sudo/sudosrv_private.h | 2 +-
|
|
src/tests/cmocka/test_sysdb_sudo.c | 170 ++++++++++++++++++++++++++++-
|
|
5 files changed, 259 insertions(+), 53 deletions(-)
|
|
|
|
diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
|
|
index 97a1bee99c0255579f42cc7263d3d755429cd417..ff8c95105ad8d4c7d36d5bf5c3005bcc8ff93040 100644
|
|
--- a/src/db/sysdb_sudo.c
|
|
+++ b/src/db/sysdb_sudo.c
|
|
@@ -370,38 +370,58 @@ sysdb_sudo_filter_netgroups(TALLOC_CTX *mem_ctx,
|
|
errno_t
|
|
sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
|
|
struct sss_domain_info *domain,
|
|
- const char *username, uid_t *_uid,
|
|
- char ***groupnames)
|
|
+ const char *username,
|
|
+ const char **_orig_name,
|
|
+ uid_t *_uid,
|
|
+ char ***_groupnames)
|
|
{
|
|
TALLOC_CTX *tmp_ctx;
|
|
errno_t ret;
|
|
- struct ldb_message *msg;
|
|
struct ldb_message *group_msg = NULL;
|
|
+ struct ldb_result *res;
|
|
char **sysdb_groupnames = NULL;
|
|
const char *primary_group = NULL;
|
|
- struct ldb_message_element *groups;
|
|
uid_t uid = 0;
|
|
gid_t gid = 0;
|
|
size_t num_groups = 0;
|
|
- int i;
|
|
- const char *attrs[] = { SYSDB_MEMBEROF,
|
|
- SYSDB_GIDNUM,
|
|
- SYSDB_UIDNUM,
|
|
- NULL };
|
|
+ const char *groupname;
|
|
const char *group_attrs[] = { SYSDB_NAME,
|
|
NULL };
|
|
+ const char *orig_name;
|
|
|
|
tmp_ctx = talloc_new(NULL);
|
|
NULL_CHECK(tmp_ctx, ret, done);
|
|
|
|
- ret = sysdb_search_user_by_name(tmp_ctx, domain, username, attrs, &msg);
|
|
+ /*
|
|
+ * Even though we lookup initgroups with views, we don't want to use
|
|
+ * overridden group names/gids since the rules contains the original
|
|
+ * values.
|
|
+ */
|
|
+ ret = sysdb_initgroups_with_views(tmp_ctx, domain, username, &res);
|
|
if (ret != EOK) {
|
|
DEBUG(SSSDBG_CRIT_FAILURE, "Error looking up user %s\n", username);
|
|
goto done;
|
|
}
|
|
|
|
+ if (res->count == 0) {
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE, "No such user %s\n", username);
|
|
+ ret = ENOENT;
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ /* Even though the database might be queried with the overriden name,
|
|
+ * the original name must be used in the filter later on
|
|
+ */
|
|
+ orig_name = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, NULL);
|
|
+ if (orig_name == NULL) {
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE, "No original name?\n");
|
|
+ ret = EINVAL;
|
|
+ goto done;
|
|
+ }
|
|
+ DEBUG(SSSDBG_TRACE_FUNC, "original name: %s\n", orig_name);
|
|
+
|
|
if (_uid != NULL) {
|
|
- uid = ldb_msg_find_attr_as_uint64(msg, SYSDB_UIDNUM, 0);
|
|
+ uid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_UIDNUM, 0);
|
|
if (!uid) {
|
|
DEBUG(SSSDBG_CRIT_FAILURE, "A user with no UID?\n");
|
|
ret = EIO;
|
|
@@ -409,35 +429,40 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
|
|
}
|
|
}
|
|
|
|
- /* resolve secondary groups */
|
|
- if (groupnames != NULL) {
|
|
- groups = ldb_msg_find_element(msg, SYSDB_MEMBEROF);
|
|
- if (!groups || groups->num_values == 0) {
|
|
+ /* get secondary group names */
|
|
+ if (_groupnames != NULL) {
|
|
+ if (res->count < 2) {
|
|
/* No groups for this user in sysdb currently */
|
|
sysdb_groupnames = NULL;
|
|
num_groups = 0;
|
|
} else {
|
|
- num_groups = groups->num_values;
|
|
- sysdb_groupnames = talloc_array(tmp_ctx, char *, num_groups + 1);
|
|
+ sysdb_groupnames = talloc_zero_array(tmp_ctx, char *, res->count);
|
|
NULL_CHECK(sysdb_groupnames, ret, done);
|
|
|
|
- /* Get a list of the groups by groupname only */
|
|
- for (i = 0; i < groups->num_values; i++) {
|
|
- ret = sysdb_group_dn_name(domain->sysdb,
|
|
- sysdb_groupnames,
|
|
- (const char *)groups->values[i].data,
|
|
- &sysdb_groupnames[i]);
|
|
- if (ret != EOK) {
|
|
- ret = ENOMEM;
|
|
- goto done;
|
|
+ /* Start counting from 1 to exclude the user entry */
|
|
+ num_groups = 0;
|
|
+ for (size_t i = 1; i < res->count; i++) {
|
|
+ groupname = ldb_msg_find_attr_as_string(res->msgs[i],
|
|
+ SYSDB_NAME,
|
|
+ NULL);
|
|
+ if (groupname == NULL) {
|
|
+ DEBUG(SSSDBG_MINOR_FAILURE, "A group with no name?");
|
|
+ continue;
|
|
}
|
|
+
|
|
+ sysdb_groupnames[num_groups] = talloc_strdup(sysdb_groupnames,
|
|
+ groupname);
|
|
+ if (sysdb_groupnames[num_groups] == NULL) {
|
|
+ DEBUG(SSSDBG_MINOR_FAILURE, "Cannot strdup %s\n", groupname);
|
|
+ continue;
|
|
+ }
|
|
+ num_groups++;
|
|
}
|
|
- sysdb_groupnames[groups->num_values] = NULL;
|
|
}
|
|
}
|
|
|
|
/* resolve primary group */
|
|
- gid = ldb_msg_find_attr_as_uint64(msg, SYSDB_GIDNUM, 0);
|
|
+ gid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_GIDNUM, 0);
|
|
if (gid != 0) {
|
|
ret = sysdb_search_group_by_gid(tmp_ctx, domain, gid, group_attrs,
|
|
&group_msg);
|
|
@@ -468,12 +493,16 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
|
|
|
|
ret = EOK;
|
|
|
|
+ if (orig_name != NULL) {
|
|
+ *_orig_name = talloc_steal(mem_ctx, orig_name);
|
|
+ }
|
|
+
|
|
if (_uid != NULL) {
|
|
*_uid = uid;
|
|
}
|
|
|
|
- if (groupnames != NULL) {
|
|
- *groupnames = talloc_steal(mem_ctx, sysdb_groupnames);
|
|
+ if (_groupnames != NULL) {
|
|
+ *_groupnames = talloc_steal(mem_ctx, sysdb_groupnames);
|
|
}
|
|
done:
|
|
talloc_free(tmp_ctx);
|
|
diff --git a/src/db/sysdb_sudo.h b/src/db/sysdb_sudo.h
|
|
index 0c75d78eb8bfc5f6c7d484bf17f7a0a68f7fd044..4770c889789d9805b19a2d419bb73b5880ca3f74 100644
|
|
--- a/src/db/sysdb_sudo.h
|
|
+++ b/src/db/sysdb_sudo.h
|
|
@@ -120,8 +120,10 @@ sysdb_sudo_filter_netgroups(TALLOC_CTX *mem_ctx,
|
|
errno_t
|
|
sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
|
|
struct sss_domain_info *domain,
|
|
- const char *username, uid_t *_uid,
|
|
- char ***groupnames);
|
|
+ const char *username,
|
|
+ const char **_orig_name,
|
|
+ uid_t *_uid,
|
|
+ char ***_groupnames);
|
|
|
|
errno_t sysdb_sudo_set_last_full_refresh(struct sss_domain_info *domain,
|
|
time_t value);
|
|
diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c
|
|
index 3272e634d895acf4854309371779a00cf1525126..a420c76fb39757eba817120ab2045b319dd48f94 100644
|
|
--- a/src/responder/sudo/sudosrv_get_sudorules.c
|
|
+++ b/src/responder/sudo/sudosrv_get_sudorules.c
|
|
@@ -193,7 +193,8 @@ static errno_t sudosrv_expired_rules(TALLOC_CTX *mem_ctx,
|
|
|
|
static errno_t sudosrv_cached_rules_by_user(TALLOC_CTX *mem_ctx,
|
|
struct sss_domain_info *domain,
|
|
- uid_t uid,
|
|
+ uid_t cli_uid,
|
|
+ uid_t orig_uid,
|
|
const char *username,
|
|
char **groupnames,
|
|
struct sysdb_attrs ***_rules,
|
|
@@ -224,7 +225,7 @@ static errno_t sudosrv_cached_rules_by_user(TALLOC_CTX *mem_ctx,
|
|
return ENOMEM;
|
|
}
|
|
|
|
- filter = sysdb_sudo_filter_user(tmp_ctx, username, groupnames, uid);
|
|
+ filter = sysdb_sudo_filter_user(tmp_ctx, username, groupnames, orig_uid);
|
|
if (filter == NULL) {
|
|
ret = ENOMEM;
|
|
goto done;
|
|
@@ -236,7 +237,7 @@ static errno_t sudosrv_cached_rules_by_user(TALLOC_CTX *mem_ctx,
|
|
goto done;
|
|
}
|
|
|
|
- val = talloc_asprintf(tmp_ctx, "#%"SPRIuid, uid);
|
|
+ val = talloc_asprintf(tmp_ctx, "#%"SPRIuid, cli_uid);
|
|
if (val == NULL) {
|
|
ret = ENOMEM;
|
|
goto done;
|
|
@@ -301,7 +302,8 @@ static errno_t sudosrv_cached_rules_by_ng(TALLOC_CTX *mem_ctx,
|
|
|
|
static errno_t sudosrv_cached_rules(TALLOC_CTX *mem_ctx,
|
|
struct sss_domain_info *domain,
|
|
- uid_t uid,
|
|
+ uid_t cli_uid,
|
|
+ uid_t orig_uid,
|
|
const char *username,
|
|
char **groups,
|
|
bool inverse_order,
|
|
@@ -323,13 +325,15 @@ static errno_t sudosrv_cached_rules(TALLOC_CTX *mem_ctx,
|
|
return ENOMEM;
|
|
}
|
|
|
|
- ret = sudosrv_cached_rules_by_user(tmp_ctx, domain, uid, username, groups,
|
|
+ ret = sudosrv_cached_rules_by_user(tmp_ctx, domain,
|
|
+ cli_uid, orig_uid, username, groups,
|
|
&user_rules, &num_user_rules);
|
|
if (ret != EOK) {
|
|
goto done;
|
|
}
|
|
|
|
- ret = sudosrv_cached_rules_by_ng(tmp_ctx, domain, uid, username, groups,
|
|
+ ret = sudosrv_cached_rules_by_ng(tmp_ctx, domain,
|
|
+ orig_uid, username, groups,
|
|
&ng_rules, &num_ng_rules);
|
|
if (ret != EOK) {
|
|
goto done;
|
|
@@ -410,7 +414,8 @@ static errno_t sudosrv_cached_defaults(TALLOC_CTX *mem_ctx,
|
|
static errno_t sudosrv_fetch_rules(TALLOC_CTX *mem_ctx,
|
|
enum sss_sudo_type type,
|
|
struct sss_domain_info *domain,
|
|
- uid_t uid,
|
|
+ uid_t cli_uid,
|
|
+ uid_t orig_uid,
|
|
const char *username,
|
|
char **groups,
|
|
bool inverse_order,
|
|
@@ -428,7 +433,8 @@ static errno_t sudosrv_fetch_rules(TALLOC_CTX *mem_ctx,
|
|
username, domain->name);
|
|
debug_name = "rules";
|
|
|
|
- ret = sudosrv_cached_rules(mem_ctx, domain, uid, username, groups,
|
|
+ ret = sudosrv_cached_rules(mem_ctx, domain,
|
|
+ cli_uid, orig_uid, username, groups,
|
|
inverse_order, &rules, &num_rules);
|
|
|
|
break;
|
|
@@ -616,13 +622,16 @@ struct sudosrv_get_rules_state {
|
|
struct tevent_context *ev;
|
|
struct resp_ctx *rctx;
|
|
enum sss_sudo_type type;
|
|
- uid_t uid;
|
|
+ uid_t cli_uid;
|
|
const char *username;
|
|
struct sss_domain_info *domain;
|
|
char **groups;
|
|
bool inverse_order;
|
|
int threshold;
|
|
|
|
+ uid_t orig_uid;
|
|
+ const char *orig_username;
|
|
+
|
|
struct sysdb_attrs **rules;
|
|
uint32_t num_rules;
|
|
};
|
|
@@ -634,7 +643,7 @@ struct tevent_req *sudosrv_get_rules_send(TALLOC_CTX *mem_ctx,
|
|
struct tevent_context *ev,
|
|
struct sudo_ctx *sudo_ctx,
|
|
enum sss_sudo_type type,
|
|
- uid_t uid,
|
|
+ uid_t cli_uid,
|
|
const char *username)
|
|
{
|
|
struct sudosrv_get_rules_state *state;
|
|
@@ -651,7 +660,7 @@ struct tevent_req *sudosrv_get_rules_send(TALLOC_CTX *mem_ctx,
|
|
state->ev = ev;
|
|
state->rctx = sudo_ctx->rctx;
|
|
state->type = type;
|
|
- state->uid = uid;
|
|
+ state->cli_uid = cli_uid;
|
|
state->inverse_order = sudo_ctx->inverse_order;
|
|
state->threshold = sudo_ctx->threshold;
|
|
|
|
@@ -702,7 +711,9 @@ static void sudosrv_get_rules_initgr_done(struct tevent_req *subreq)
|
|
talloc_zfree(result);
|
|
|
|
ret = sysdb_get_sudo_user_info(state, state->domain, state->username,
|
|
- NULL, &state->groups);
|
|
+ &state->orig_username,
|
|
+ &state->orig_uid,
|
|
+ &state->groups);
|
|
if (ret != EOK) {
|
|
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to obtain user groups [%d]: %s\n",
|
|
ret, sss_strerror(ret));
|
|
@@ -711,7 +722,8 @@ static void sudosrv_get_rules_initgr_done(struct tevent_req *subreq)
|
|
|
|
subreq = sudosrv_refresh_rules_send(state, state->ev, state->rctx,
|
|
state->domain, state->threshold,
|
|
- state->uid, state->username,
|
|
+ state->orig_uid,
|
|
+ state->orig_username,
|
|
state->groups);
|
|
if (subreq == NULL) {
|
|
ret = ENOMEM;
|
|
@@ -748,8 +760,11 @@ static void sudosrv_get_rules_done(struct tevent_req *subreq)
|
|
"in cache.\n");
|
|
}
|
|
|
|
- ret = sudosrv_fetch_rules(state, state->type, state->domain, state->uid,
|
|
- state->username, state->groups,
|
|
+ ret = sudosrv_fetch_rules(state, state->type, state->domain,
|
|
+ state->cli_uid,
|
|
+ state->orig_uid,
|
|
+ state->orig_username,
|
|
+ state->groups,
|
|
state->inverse_order,
|
|
&state->rules, &state->num_rules);
|
|
|
|
diff --git a/src/responder/sudo/sudosrv_private.h b/src/responder/sudo/sudosrv_private.h
|
|
index c76bdd3955bc29b7ba2cda58c503a4c616d7e63a..164f033c0eae2af6f3184c8927b1b7c6cf57afd4 100644
|
|
--- a/src/responder/sudo/sudosrv_private.h
|
|
+++ b/src/responder/sudo/sudosrv_private.h
|
|
@@ -71,7 +71,7 @@ struct tevent_req *sudosrv_get_rules_send(TALLOC_CTX *mem_ctx,
|
|
struct tevent_context *ev,
|
|
struct sudo_ctx *sudo_ctx,
|
|
enum sss_sudo_type type,
|
|
- uid_t uid,
|
|
+ uid_t cli_uid,
|
|
const char *username);
|
|
|
|
errno_t sudosrv_get_rules_recv(TALLOC_CTX *mem_ctx,
|
|
diff --git a/src/tests/cmocka/test_sysdb_sudo.c b/src/tests/cmocka/test_sysdb_sudo.c
|
|
index 5cd348259fc8ccef888772a497feb7b674b3fa0a..1f8432395595c3d0981624d1788230a7e3812de8 100644
|
|
--- a/src/tests/cmocka/test_sysdb_sudo.c
|
|
+++ b/src/tests/cmocka/test_sysdb_sudo.c
|
|
@@ -40,6 +40,10 @@
|
|
#define TEST_GROUP_NAME "test_sudo_group"
|
|
#define TEST_GID 10001
|
|
|
|
+#define OVERRIDE_USER_NAME "user_test"
|
|
+#define OVERRIDE_GROUP_NAME "group_sudo_test"
|
|
+#define OVERRIDE_UID 2112
|
|
+
|
|
struct test_user {
|
|
const char *name;
|
|
uid_t uid;
|
|
@@ -186,6 +190,52 @@ static int test_sysdb_teardown(void **state)
|
|
return 0;
|
|
}
|
|
|
|
+static int test_sysdb_views_setup(void **state)
|
|
+{
|
|
+ struct sysdb_test_ctx *test_ctx;
|
|
+ errno_t ret;
|
|
+
|
|
+ assert_true(leak_check_setup());
|
|
+
|
|
+ test_ctx = talloc_zero(global_talloc_context, struct sysdb_test_ctx);
|
|
+ assert_non_null(test_ctx);
|
|
+
|
|
+ test_dom_suite_setup(TESTS_PATH);
|
|
+
|
|
+ test_ctx->tctx = create_dom_test_ctx(test_ctx, TESTS_PATH, TEST_CONF_DB,
|
|
+ TEST_DOM_NAME, "ipa", NULL);
|
|
+ assert_non_null(test_ctx->tctx);
|
|
+
|
|
+ create_groups(test_ctx->tctx->dom);
|
|
+ create_users(test_ctx->tctx->dom);
|
|
+
|
|
+ ret = sysdb_update_view_name(test_ctx->tctx->dom->sysdb, SYSDB_LOCAL_VIEW_NAME);
|
|
+ assert_int_equal(ret, EOK);
|
|
+ sysdb_master_domain_update(test_ctx->tctx->dom);
|
|
+
|
|
+ reset_ldb_errstrings(test_ctx->tctx->dom);
|
|
+ check_leaks_push(test_ctx);
|
|
+
|
|
+ *state = (void *)test_ctx;
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+static int test_sysdb_views_teardown(void **state)
|
|
+{
|
|
+ struct sysdb_test_ctx *test_ctx;
|
|
+
|
|
+ test_ctx = talloc_get_type_abort(*state, struct sysdb_test_ctx);
|
|
+
|
|
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
|
|
+
|
|
+ reset_ldb_errstrings(test_ctx->tctx->dom);
|
|
+ assert_true(check_leaks_pop(test_ctx));
|
|
+ talloc_zfree(test_ctx);
|
|
+ assert_true(leak_check_teardown());
|
|
+
|
|
+ return 0;
|
|
+}
|
|
+
|
|
void test_store_sudo(void **state)
|
|
{
|
|
errno_t ret;
|
|
@@ -452,44 +502,146 @@ void test_get_sudo_user_info(void **state)
|
|
{
|
|
errno_t ret;
|
|
char **groupnames = NULL;
|
|
+ const char *orig_username;
|
|
struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
|
|
struct sysdb_test_ctx);
|
|
|
|
/* User 1 has group. */
|
|
- ret = sysdb_get_sudo_user_info(test_ctx, test_ctx->tctx->dom,
|
|
- users[1].name, NULL, &groupnames);
|
|
+ ret = sysdb_get_sudo_user_info(test_ctx, test_ctx->tctx->dom, users[1].name,
|
|
+ &orig_username, NULL, &groupnames);
|
|
assert_int_equal(ret, EOK);
|
|
assert_string_equal(groupnames[0], TEST_GROUP_NAME);
|
|
+ assert_string_equal(orig_username, users[1].name);
|
|
|
|
talloc_zfree(groupnames);
|
|
+ talloc_zfree(orig_username);
|
|
+}
|
|
+
|
|
+void test_get_overriden_sudo_user_info(void **state)
|
|
+{
|
|
+ errno_t ret;
|
|
+ char **groupnames = NULL;
|
|
+ const char *orig_username;
|
|
+ uid_t orig_uid;
|
|
+ struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
|
|
+ struct sysdb_test_ctx);
|
|
+
|
|
+ char *strdn;
|
|
+ char *safe_dn;
|
|
+ char *anchor;
|
|
+ char *group_fqname;
|
|
+ char *user_fqname;
|
|
+ struct sysdb_attrs *attrs;
|
|
+ struct ldb_dn *ldb_dn;
|
|
+
|
|
+ attrs = sysdb_new_attrs(test_ctx);
|
|
+ assert_non_null(attrs);
|
|
+
|
|
+ /* Override user's name and primary UID */
|
|
+ user_fqname = sss_create_internal_fqname(test_ctx,
|
|
+ OVERRIDE_USER_NAME,
|
|
+ test_ctx->tctx->dom->name);
|
|
+ assert_non_null(user_fqname);
|
|
+
|
|
+ ldb_dn = sysdb_user_dn(attrs, test_ctx->tctx->dom, users[1].name);
|
|
+ assert_non_null(ldb_dn);
|
|
+ strdn = sysdb_user_strdn(attrs, test_ctx->tctx->dom->name, users[1].name);
|
|
+ assert_non_null(strdn);
|
|
+ ret = sysdb_dn_sanitize(attrs, strdn, &safe_dn);
|
|
+ assert_int_equal(ret, EOK);
|
|
+ anchor = talloc_asprintf(attrs, ":%s:%s", SYSDB_LOCAL_VIEW_NAME, safe_dn);
|
|
+ assert_non_null(anchor);
|
|
+
|
|
+ ret = sysdb_attrs_add_string(attrs, SYSDB_OVERRIDE_ANCHOR_UUID, anchor);
|
|
+ assert_int_equal(ret, EOK);
|
|
+ ret = sysdb_attrs_add_string(attrs, SYSDB_NAME, user_fqname);
|
|
+ assert_int_equal(ret, EOK);
|
|
+ ret = sysdb_attrs_add_uint32(attrs, SYSDB_UIDNUM, OVERRIDE_UID);
|
|
+ assert_int_equal(ret, EOK);
|
|
+
|
|
+ ret = sysdb_store_override(test_ctx->tctx->dom, SYSDB_LOCAL_VIEW_NAME,
|
|
+ SYSDB_MEMBER_USER, attrs, ldb_dn);
|
|
+ assert_int_equal(ret, EOK);
|
|
+ talloc_zfree(attrs);
|
|
+
|
|
+ /* Override user's secondary group name */
|
|
+ attrs = sysdb_new_attrs(test_ctx);
|
|
+ assert_non_null(attrs);
|
|
+
|
|
+ group_fqname = sss_create_internal_fqname(test_ctx,
|
|
+ OVERRIDE_GROUP_NAME,
|
|
+ test_ctx->tctx->dom->name);
|
|
+ assert_non_null(group_fqname);
|
|
+
|
|
+ ldb_dn = sysdb_group_dn(attrs, test_ctx->tctx->dom, TEST_GROUP_NAME);
|
|
+ assert_non_null(ldb_dn);
|
|
+ strdn = sysdb_group_strdn(attrs, test_ctx->tctx->dom->name, TEST_GROUP_NAME);
|
|
+ assert_non_null(strdn);
|
|
+ ret = sysdb_dn_sanitize(attrs, strdn, &safe_dn);
|
|
+ assert_int_equal(ret, EOK);
|
|
+ anchor = talloc_asprintf(attrs, ":%s:%s", SYSDB_LOCAL_VIEW_NAME, safe_dn);
|
|
+ assert_non_null(anchor);
|
|
+
|
|
+ ret = sysdb_attrs_add_string(attrs, SYSDB_OVERRIDE_ANCHOR_UUID, anchor);
|
|
+ assert_int_equal(ret, EOK);
|
|
+ ret = sysdb_attrs_add_string(attrs, SYSDB_NAME, group_fqname);
|
|
+ assert_int_equal(ret, EOK);
|
|
+
|
|
+ ret = sysdb_store_override(test_ctx->tctx->dom, SYSDB_LOCAL_VIEW_NAME,
|
|
+ SYSDB_MEMBER_GROUP, attrs, ldb_dn);
|
|
+ assert_int_equal(ret, EOK);
|
|
+
|
|
+ /* User must be searchable by their overriden name */
|
|
+ ret = sysdb_get_sudo_user_info(test_ctx, test_ctx->tctx->dom, user_fqname,
|
|
+ &orig_username, &orig_uid, &groupnames);
|
|
+ assert_int_equal(ret, EOK);
|
|
+
|
|
+ /* sysdb_get_sudo_user_info must return the original values, not the
|
|
+ * overriden one */
|
|
+ assert_string_equal(groupnames[0], TEST_GROUP_NAME);
|
|
+ assert_string_equal(orig_username, users[1].name);
|
|
+ assert_int_equal(orig_uid, users[1].uid);
|
|
+
|
|
+ talloc_zfree(groupnames);
|
|
+ talloc_zfree(orig_username);
|
|
+ talloc_zfree(attrs);
|
|
+ talloc_zfree(user_fqname);
|
|
+ talloc_zfree(group_fqname);
|
|
}
|
|
|
|
void test_get_sudo_user_info_nogroup(void **state)
|
|
{
|
|
errno_t ret;
|
|
char **groupnames = NULL;
|
|
+ const char *orig_username;
|
|
struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
|
|
struct sysdb_test_ctx);
|
|
|
|
/* User 0 hasn't group. */
|
|
- ret = sysdb_get_sudo_user_info(test_ctx, test_ctx->tctx->dom,
|
|
- users[0].name, NULL, &groupnames);
|
|
+ ret = sysdb_get_sudo_user_info(test_ctx, test_ctx->tctx->dom, users[0].name,
|
|
+ &orig_username, NULL, &groupnames);
|
|
assert_int_equal(ret, EOK);
|
|
assert_null(groupnames);
|
|
+ assert_string_equal(orig_username, users[0].name);
|
|
|
|
talloc_zfree(groupnames);
|
|
+ talloc_zfree(orig_username);
|
|
}
|
|
|
|
void test_get_sudo_nouser(void **state)
|
|
{
|
|
errno_t ret;
|
|
char **groupnames = NULL;
|
|
+ const char *orig_username = NULL;
|
|
struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
|
|
struct sysdb_test_ctx);
|
|
|
|
ret = sysdb_get_sudo_user_info(test_ctx, test_ctx->tctx->dom,
|
|
- TEST_USER_NON_EXIST, NULL, &groupnames);
|
|
+ TEST_USER_NON_EXIST,
|
|
+ &orig_username, NULL, &groupnames);
|
|
assert_int_equal(ret, ENOENT);
|
|
+ assert_null(orig_username);
|
|
+ assert_null(groupnames);
|
|
}
|
|
|
|
void test_set_sudo_rule_attr_add(void **state)
|
|
@@ -849,6 +1001,14 @@ int main(int argc, const char *argv[])
|
|
test_sysdb_setup,
|
|
test_sysdb_teardown),
|
|
|
|
+ /* The override tests use a different setup/teardown because loading
|
|
+ * the view allocates some data on the confdb and domain pointers,
|
|
+ * which would confuse the leak check
|
|
+ */
|
|
+ cmocka_unit_test_setup_teardown(test_get_overriden_sudo_user_info,
|
|
+ test_sysdb_views_setup,
|
|
+ test_sysdb_views_teardown),
|
|
+
|
|
/* sysdb_set_sudo_rule_attr() */
|
|
cmocka_unit_test_setup_teardown(test_set_sudo_rule_attr_add,
|
|
test_sysdb_setup,
|
|
--
|
|
2.14.1
|
|
|