diff --git a/sudo-1.8.5-add-sssd-debug-subsystem.patch b/sudo-1.8.5-add-sssd-debug-subsystem.patch new file mode 100644 index 0000000..2af83c3 --- /dev/null +++ b/sudo-1.8.5-add-sssd-debug-subsystem.patch @@ -0,0 +1,290 @@ +diff -rup original/common/sudo_debug.c new/common/sudo_debug.c +--- original/common/sudo_debug.c 2012-05-15 18:22:01.000000000 +0200 ++++ new/common/sudo_debug.c 2012-07-17 10:24:05.389397245 +0200 +@@ -101,6 +101,7 @@ const char *const sudo_debug_subsystems[ + "perms", + "plugin", + "hooks", ++ "sssd", + NULL + }; + +diff -rup original/include/sudo_debug.h new/include/sudo_debug.h +--- original/include/sudo_debug.h 2012-05-15 18:22:02.000000000 +0200 ++++ new/include/sudo_debug.h 2012-07-17 10:49:43.470809390 +0200 +@@ -71,6 +71,7 @@ + #define SUDO_DEBUG_PERMS (23<<6) /* uid/gid swapping functions */ + #define SUDO_DEBUG_PLUGIN (24<<6) /* main plugin functions */ + #define SUDO_DEBUG_HOOKS (25<<6) /* hook functions */ ++#define SUDO_DEBUG_SSSD (26<<6) /* sudoers SSSD */ + #define SUDO_DEBUG_ALL 0xfff0 /* all subsystems */ + + /* Flag to include string version of errno in debug info. */ +diff -rup original/plugins/sudoers/sssd.c new/plugins/sudoers/sssd.c +--- original/plugins/sudoers/sssd.c 2012-07-17 10:13:42.366133003 +0200 ++++ new/plugins/sudoers/sssd.c 2012-07-17 10:24:05.383397175 +0200 +@@ -86,7 +86,7 @@ static struct sss_sudo_result *sudo_sss_ + static void sudo_sss_attrcpy(struct sss_sudo_attr *dst, const struct sss_sudo_attr *src) + { + int i; +- debug_decl(sudo_sss_attrcpy, SUDO_DEBUG_LDAP) ++ debug_decl(sudo_sss_attrcpy, SUDO_DEBUG_SSSD) + + DPRINTF(3, "dst=%p, src=%p", dst, src); + DPRINTF(2, "emalloc: cnt=%d", src->num_values); +@@ -104,8 +104,8 @@ static void sudo_sss_attrcpy(struct sss_ + static void sudo_sss_rulecpy(struct sss_sudo_rule *dst, const struct sss_sudo_rule *src) + { + int i; +- debug_decl(sudo_sss_rulecpy, SUDO_DEBUG_LDAP) +- ++ debug_decl(sudo_sss_rulecpy, SUDO_DEBUG_SSSD) ++ + DPRINTF(3, "dst=%p, src=%p", dst, src); + DPRINTF(2, "emalloc: cnt=%d", src->num_attrs); + +@@ -130,7 +130,7 @@ static struct sss_sudo_result *sudo_sss_ + { + struct sss_sudo_result *out_res; + int i, l, r; +- debug_decl(sudo_sss_filter_result, SUDO_DEBUG_LDAP) ++ debug_decl(sudo_sss_filter_result, SUDO_DEBUG_SSSD) + + DPRINTF(3, "in_res=%p, count=%u, act=%s", + in_res, in_res->num_rules, act == _SUDO_SSS_FILTER_EXCLUDE ? "EXCLUDE" : "INCLUDE"); +@@ -193,7 +193,7 @@ struct sudo_nss sudo_nss_sss = { + static int sudo_sss_open(struct sudo_nss *nss) + { + struct sudo_sss_handle *handle; +- debug_decl(sudo_sss_open, SUDO_DEBUG_LDAP); ++ debug_decl(sudo_sss_open, SUDO_DEBUG_SSSD); + + /* Create a handle container. */ + handle = emalloc(sizeof(struct sudo_sss_handle)); +@@ -209,7 +209,7 @@ static int sudo_sss_open(struct sudo_nss + // ok + static int sudo_sss_close(struct sudo_nss *nss) + { +- debug_decl(sudo_sss_close, SUDO_DEBUG_LDAP); ++ debug_decl(sudo_sss_close, SUDO_DEBUG_SSSD); + efree(nss->handle); + debug_return_int(0); + } +@@ -217,7 +217,7 @@ static int sudo_sss_close(struct sudo_ns + // ok + static int sudo_sss_parse(struct sudo_nss *nss) + { +- debug_decl(sudo_sss_parse, SUDO_DEBUG_LDAP); ++ debug_decl(sudo_sss_parse, SUDO_DEBUG_SSSD); + debug_return_int(0); + } + +@@ -229,7 +229,7 @@ static int sudo_sss_setdefs(struct sudo_ + struct sss_sudo_rule *sss_rule; + uint32_t sss_error; + int i; +- debug_decl(sudo_sss_setdefs, SUDO_DEBUG_LDAP); ++ debug_decl(sudo_sss_setdefs, SUDO_DEBUG_SSSD); + + if (handle == NULL) + debug_return_int(-1); +@@ -257,7 +257,7 @@ static int sudo_sss_setdefs(struct sudo_ + static int sudo_sss_checkpw(struct sudo_nss *nss, struct passwd *pw) + { + struct sudo_sss_handle *handle = nss->handle; +- debug_decl(sudo_sss_checkpw, SUDO_DEBUG_LDAP); ++ debug_decl(sudo_sss_checkpw, SUDO_DEBUG_SSSD); + + if (pw->pw_name != handle->pw->pw_name || + pw->pw_uid != handle->pw->pw_uid) +@@ -278,13 +278,13 @@ sudo_sss_check_runas_user(struct sss_sud + char **val_array = NULL; + char *val; + int ret = false, i; +- debug_decl(sudo_sss_check_runas_user, SUDO_DEBUG_LDAP); ++ debug_decl(sudo_sss_check_runas_user, SUDO_DEBUG_SSSD); + + if (!runas_pw) + debug_return_int(UNSPEC); + + /* get the runas user from the entry */ +- switch (sss_sudo_get_values(sss_rule, "sudoRunAsUser", &val_array)) ++ switch (sss_sudo_get_values(sss_rule, "sudoRunAsUser", &val_array)) + { + case 0: + break; +@@ -315,18 +315,18 @@ sudo_sss_check_runas_user(struct sss_sud + + /* + * BUG: +- * ++ * + * if runas is not specified on the command line, the only information + * as to which user to run as is in the runas_default option. We should + * check to see if we have the local option present. Unfortunately we + * don't parse these options until after this routine says yes or no. + * The query has already returned, so we could peek at the attribute + * values here though. +- * ++ * + * For now just require users to always use -u option unless its set + * in the global defaults. This behaviour is no different than the global + * /etc/sudoers. +- * ++ * + * Sigh - maybe add this feature later + */ + +@@ -381,7 +381,7 @@ sudo_sss_check_runas_group(struct sss_su + char **val_array = NULL; + char *val; + int ret = false, i; +- debug_decl(sudo_sss_check_runas_group, SUDO_DEBUG_LDAP); ++ debug_decl(sudo_sss_check_runas_group, SUDO_DEBUG_SSSD); + + /* runas_gr is only set if the user specified the -g flag */ + if (!runas_gr) +@@ -424,7 +424,7 @@ static int + sudo_sss_check_runas(struct sss_sudo_rule *rule) + { + int ret; +- debug_decl(sudo_sss_check_runas, SUDO_DEBUG_LDAP); ++ debug_decl(sudo_sss_check_runas, SUDO_DEBUG_SSSD); + + if (rule == NULL) + debug_return_int(false); +@@ -439,7 +439,7 @@ static int sudo_sss_check_host(struct ss + { + char **val_array, *val; + int ret = false, i; +- debug_decl(sudo_sss_check_host, SUDO_DEBUG_LDAP); ++ debug_decl(sudo_sss_check_host, SUDO_DEBUG_SSSD); + + if (rule == NULL) + debug_return_int(ret); +@@ -479,7 +479,7 @@ static int sudo_sss_check_host(struct ss + static int sudo_sss_result_filterp(struct sss_sudo_rule *rule, void *unused) + { + (void)unused; +- debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_LDAP); ++ debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD); + + if (sudo_sss_check_host(rule)) + debug_return_int(1); +@@ -492,7 +492,7 @@ static struct sss_sudo_result *sudo_sss_ + struct sudo_sss_handle *handle = nss->handle; + struct sss_sudo_result *u_sss_result, *f_sss_result; + uint32_t sss_error = 0, ret; +- debug_decl(sudo_sss_result_get, SUDO_DEBUG_LDAP); ++ debug_decl(sudo_sss_result_get, SUDO_DEBUG_SSSD); + + if (sudo_sss_checkpw(nss, pw) != 0) + debug_return_ptr(NULL); +@@ -558,7 +558,7 @@ sudo_sss_check_bool(struct sss_sudo_rule + { + char ch, *var, **val_array = NULL; + int i, ret = UNSPEC; +- debug_decl(sudo_sss_check_bool, SUDO_DEBUG_LDAP); ++ debug_decl(sudo_sss_check_bool, SUDO_DEBUG_SSSD); + + if (rule == NULL) + debug_return_int(ret); +@@ -601,7 +601,7 @@ sudo_sss_check_command(struct sss_sudo_r + char **val_array = NULL, *val; + char *allowed_cmnd, *allowed_args; + int i, foundbang, ret = UNSPEC; +- debug_decl(sudo_sss_check_command, SUDO_DEBUG_LDAP); ++ debug_decl(sudo_sss_check_command, SUDO_DEBUG_SSSD); + + if (rule == NULL) + debug_return_int(ret); +@@ -670,7 +670,7 @@ sudo_sss_parse_options(struct sss_sudo_r + int i; + char op, *v, *val; + char **val_array = NULL; +- debug_decl(sudo_sss_parse_options, SUDO_DEBUG_LDAP); ++ debug_decl(sudo_sss_parse_options, SUDO_DEBUG_SSSD); + + if (rule == NULL) + debug_return; +@@ -726,7 +726,7 @@ static int sudo_sss_lookup(struct sudo_n + struct sss_sudo_result *sss_result = NULL; + struct sss_sudo_rule *rule; + uint32_t i, state = 0; +- debug_decl(sudo_sss_lookup, SUDO_DEBUG_LDAP); ++ debug_decl(sudo_sss_lookup, SUDO_DEBUG_SSSD); + + /* Fetch list of sudoRole entries that match user and host. */ + sss_result = sudo_sss_result_get(nss, sudo_user.pw, &state); +@@ -738,7 +738,7 @@ static int sudo_sss_lookup(struct sudo_n + if (pwflag) { + int doauth = UNSPEC; + int matched = UNSPEC; +- enum def_tuple pwcheck = ++ enum def_tuple pwcheck = + (pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple; + + DPRINTF(2, "perform search for pwflag %d", pwflag); +@@ -842,7 +842,7 @@ static int sudo_sss_display_cmnd(struct + struct sss_sudo_result *sss_result = NULL; + struct sss_sudo_rule *rule; + int i, found = false; +- debug_decl(sudo_sss_display_cmnd, SUDO_DEBUG_LDAP); ++ debug_decl(sudo_sss_display_cmnd, SUDO_DEBUG_SSSD); + + if (handle == NULL) + goto done; +@@ -893,7 +893,7 @@ static int sudo_sss_display_defaults(str + char *prefix, *val, **val_array = NULL; + int count = 0, i, j; + +- debug_decl(sudo_sss_display_defaults, SUDO_DEBUG_LDAP); ++ debug_decl(sudo_sss_display_defaults, SUDO_DEBUG_SSSD); + + if (handle == NULL) + goto done; +@@ -934,7 +934,7 @@ static int sudo_sss_display_defaults(str + prefix = ", "; + count++; + } +- ++ + sss_sudo_free_values(val_array); + val_array = NULL; + } +@@ -948,7 +948,7 @@ done: + static int sudo_sss_display_bound_defaults(struct sudo_nss *nss, + struct passwd *pw, struct lbuf *lbuf) + { +- debug_decl(sudo_sss_display_bound_defaults, SUDO_DEBUG_LDAP); ++ debug_decl(sudo_sss_display_bound_defaults, SUDO_DEBUG_SSSD); + debug_return_int(0); + } + +@@ -956,7 +956,7 @@ static int sudo_sss_display_entry_long(s + { + char **val_array = NULL; + int count = 0, i; +- debug_decl(sudo_sss_display_entry_long, SUDO_DEBUG_LDAP); ++ debug_decl(sudo_sss_display_entry_long, SUDO_DEBUG_SSSD); + + /* get the RunAsUser Values from the entry */ + lbuf_append(lbuf, " RunAsUsers: "); +@@ -1051,7 +1051,7 @@ static int sudo_sss_display_entry_short( + { + char **val_array = NULL; + int count = 0, i; +- debug_decl(sudo_sss_display_entry_short, SUDO_DEBUG_LDAP); ++ debug_decl(sudo_sss_display_entry_short, SUDO_DEBUG_SSSD); + + lbuf_append(lbuf, " ("); + +@@ -1164,7 +1164,7 @@ static int sudo_sss_display_privs(struct + struct sss_sudo_result *sss_result = NULL; + struct sss_sudo_rule *rule; + unsigned int i, count = 0; +- debug_decl(sudo_sss_display_privs, SUDO_DEBUG_LDAP); ++ debug_decl(sudo_sss_display_privs, SUDO_DEBUG_SSSD); + + if (handle == NULL) + debug_return_int(-1); diff --git a/sudo-1.8.5-remove-source-when-open-failed.patch b/sudo-1.8.5-remove-source-when-open-failed.patch new file mode 100644 index 0000000..0267f39 --- /dev/null +++ b/sudo-1.8.5-remove-source-when-open-failed.patch @@ -0,0 +1,33 @@ +diff -rup original/plugins/sudoers/sudoers.c new/plugins/sudoers/sudoers.c +--- original/plugins/sudoers/sudoers.c 2012-07-19 12:13:31.292479203 +0200 ++++ new/plugins/sudoers/sudoers.c 2012-07-19 12:14:02.898844521 +0200 +@@ -145,6 +145,7 @@ sudoers_policy_open(unsigned int version + volatile int sources = 0; + sigaction_t sa; + struct sudo_nss *nss; ++ struct sudo_nss *nss_next; + debug_decl(sudoers_policy_open, SUDO_DEBUG_PLUGIN) + + sudo_version = version; +@@ -201,12 +202,15 @@ sudoers_policy_open(unsigned int version + set_perms(PERM_ROOT); + + /* Open and parse sudoers, set global defaults */ +- tq_foreach_fwd(snl, nss) { +- if (nss->open(nss) == 0 && nss->parse(nss) == 0) { +- sources++; +- if (nss->setdefs(nss) != 0) +- log_error(NO_STDERR, _("problem with defaults entries")); +- } ++ for (nss = snl->first; nss != NULL; nss = nss_next) { ++ nss_next = nss->next; ++ if (nss->open(nss) == 0 && nss->parse(nss) == 0) { ++ sources++; ++ if (nss->setdefs(nss) != 0) ++ log_error(NO_STDERR, _("problem with defaults entries")); ++ } else { ++ tq_remove(snl, nss); ++ } + } + if (sources == 0) { + warningx(_("no valid sudoers sources found, quitting")); diff --git a/sudo-1.8.5-sssd-dlopen-lib.patch b/sudo-1.8.5-sssd-dlopen-lib.patch new file mode 100644 index 0000000..e9b1914 --- /dev/null +++ b/sudo-1.8.5-sssd-dlopen-lib.patch @@ -0,0 +1,905 @@ +diff -rup original/configure.in new/configure.in +--- original/configure.in 2012-07-19 12:13:15.872301022 +0200 ++++ new/configure.in 2012-07-23 11:31:42.821466529 +0200 +@@ -101,6 +101,7 @@ AC_SUBST([root_sudo]) + AC_SUBST([path_info]) + AC_SUBST([ldap_conf]) + AC_SUBST([ldap_secret]) ++AC_SUBST([sssd_lib]) + AC_SUBST([nsswitch_conf]) + AC_SUBST([netsvc_conf]) + AC_SUBST([secure_path]) +@@ -290,8 +291,6 @@ dnl + AC_ARG_WITH(sssd, [AS_HELP_STRING([--with-sssd], [enable SSSD support])], + [case $with_sssd in + yes) +- SUDO_LIBS="${SUDO_LIBS} `pkg-config libsss_sudo --libs`" +- SUDOERS_LIBS="${SUDO_LIBS} `pkg-config libsss_sudo --libs`" + SUDOERS_OBJS="${SUDOERS_OBJS} sssd.lo" + AC_DEFINE(HAVE_SSSD) + ;; +@@ -300,6 +299,11 @@ AC_ARG_WITH(sssd, [AS_HELP_STRING([--wit + ;; + esac]) + ++AC_ARG_WITH(sssd-lib, [AS_HELP_STRING([--with-sssd-lib], [path to the SSSD library])]) ++sssd_lib="\"LIBDIR\"" ++test -n "$with_sssd_lib" && sssd_lib="$with_sssd_lib" ++SUDO_DEFINE_UNQUOTED(_PATH_SSSD_LIB, "$sssd_lib", [Path to the SSSD library]) ++ + AC_ARG_WITH(incpath, [AS_HELP_STRING([--with-incpath], [additional places to look for include files])], + [case $with_incpath in + yes) AC_MSG_ERROR(["must give --with-incpath an argument."]) +diff -rup original/pathnames.h.in new/pathnames.h.in +--- original/pathnames.h.in 2012-07-19 12:13:15.779299949 +0200 ++++ new/pathnames.h.in 2012-07-19 15:58:49.454653685 +0200 +@@ -157,6 +157,10 @@ + #undef _PATH_LDAP_SECRET + #endif /* _PATH_LDAP_SECRET */ + ++#ifndef _PATH_SSSD_LIB ++#undef _PATH_SSSD_LIB ++#endif /* _PATH_SSSD_LIB */ ++ + #ifndef _PATH_NSSWITCH_CONF + #undef _PATH_NSSWITCH_CONF + #endif /* _PATH_NSSWITCH_CONF */ +diff -rup original/plugins/sudoers/Makefile.in new/plugins/sudoers/Makefile.in +--- original/plugins/sudoers/Makefile.in 2012-07-19 12:13:15.756299680 +0200 ++++ new/plugins/sudoers/Makefile.in 2012-07-23 11:31:56.084610531 +0200 +@@ -32,6 +32,7 @@ top_srcdir = @top_srcdir@ + incdir = $(top_srcdir)/include + docdir = @docdir@ + timedir = @timedir@ ++libdir = @libdir@ + + # Compiler & tools to use + CC = @CC@ +@@ -51,7 +52,7 @@ SUDOERS_LIBS = @SUDOERS_LIBS@ @AFS_LIBS@ + REPLAY_LIBS = @REPLAY_LIBS@ @ZLIB@ + + # C preprocessor flags +-CPPFLAGS = -I$(incdir) -I$(top_builddir) -I$(devdir) -I$(srcdir) -I$(top_srcdir) @CPPFLAGS@ ++CPPFLAGS = -I$(incdir) -I$(top_builddir) -I$(devdir) -I$(srcdir) -I$(top_srcdir) -DLIBDIR=\"$(libdir)\" @CPPFLAGS@ + + # Usually -O and/or -g + CFLAGS = @CFLAGS@ +diff -rup original/plugins/sudoers/sssd.c new/plugins/sudoers/sssd.c +--- original/plugins/sudoers/sssd.c 2012-07-19 12:13:15.667298652 +0200 ++++ new/plugins/sudoers/sssd.c 2012-07-23 11:32:04.260699269 +0200 +@@ -44,23 +44,70 @@ + #if TIME_WITH_SYS_TIME + # include + #endif ++#ifdef HAVE_DLOPEN ++# include ++#else ++# include "compat/dlfcn.h" ++#endif + #include + #include + #include + +-#include + #include ++#include + + #include "sudoers.h" + #include "parse.h" + #include "lbuf.h" + #include "sudo_debug.h" + ++/* SSSD <--> SUDO interface - do not change */ ++struct sss_sudo_attr { ++ char *name; ++ char **values; ++ unsigned int num_values; ++}; ++ ++struct sss_sudo_rule { ++ unsigned int num_attrs; ++ struct sss_sudo_attr *attrs; ++}; ++ ++struct sss_sudo_result { ++ unsigned int num_rules; ++ struct sss_sudo_rule *rules; ++}; ++ ++typedef int (*sss_sudo_send_recv_t)(uid_t, const char*, const char*, ++ uint32_t*, struct sss_sudo_result**); ++ ++typedef int (*sss_sudo_send_recv_defaults_t)(uid_t, const char*, uint32_t*, ++ char**, struct sss_sudo_result**); ++ ++typedef void (*sss_sudo_free_result_t)(struct sss_sudo_result*); ++ ++typedef int (*sss_sudo_get_values_t)(struct sss_sudo_rule*, const char*, ++ char***); ++ ++typedef void (*sss_sudo_free_values_t)(char**); ++ + /* sudo_nss implementation */ ++ ++struct sudo_sss_handle { ++ char *domainname; ++ struct passwd *pw; ++ void *ssslib; ++ sss_sudo_send_recv_t fn_send_recv; ++ sss_sudo_send_recv_defaults_t fn_send_recv_defaults; ++ sss_sudo_free_result_t fn_free_result; ++ sss_sudo_get_values_t fn_get_values; ++ sss_sudo_free_values_t fn_free_values; ++}; ++ + static int sudo_sss_open(struct sudo_nss *nss); + static int sudo_sss_close(struct sudo_nss *nss); + static int sudo_sss_parse(struct sudo_nss *nss); +-static void sudo_sss_parse_options(struct sss_sudo_rule *rule); ++static void sudo_sss_parse_options(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule); + static int sudo_sss_setdefs(struct sudo_nss *nss); + static int sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag); + static int sudo_sss_display_cmnd(struct sudo_nss *nss, struct passwd *pw); +@@ -121,7 +168,7 @@ static void sudo_sss_rulecpy(struct sss_ + #define _SUDO_SSS_STATE_HOSTMATCH 0x01 + #define _SUDO_SSS_STATE_USERMATCH 0x02 + +-static struct sss_sudo_result *sudo_sss_filter_result(struct sss_sudo_result *in_res, int (*filterp)(struct sss_sudo_rule *, void *), int act, void *filterp_arg) ++static struct sss_sudo_result *sudo_sss_filter_result(struct sudo_sss_handle *handle, struct sss_sudo_result *in_res, int (*filterp)(struct sudo_sss_handle *, struct sss_sudo_rule *, void *), int act, void *filterp_arg) + { + struct sss_sudo_result *out_res; + int i, l, r; +@@ -140,7 +187,7 @@ static struct sss_sudo_result *sudo_sss_ + out_res->num_rules = 0; + + for (i = l = 0; i < in_res->num_rules; ++i) { +- r = filterp(in_res->rules + i, filterp_arg); ++ r = filterp(handle, in_res->rules + i, filterp_arg); + + if (( r && act == _SUDO_SSS_FILTER_INCLUDE) || + (!r && act == _SUDO_SSS_FILTER_EXCLUDE)) +@@ -164,11 +211,6 @@ static struct sss_sudo_result *sudo_sss_ + debug_return_ptr(out_res); + } + +-struct sudo_sss_handle { +- char *domainname; +- struct passwd *pw; +-}; +- + struct sudo_nss sudo_nss_sss = { + &sudo_nss_sss, + NULL, +@@ -188,10 +230,50 @@ struct sudo_nss sudo_nss_sss = { + static int sudo_sss_open(struct sudo_nss *nss) + { + struct sudo_sss_handle *handle; ++ static const char path[] = _PATH_SSSD_LIB"/libsss_sudo.so"; + debug_decl(sudo_sss_open, SUDO_DEBUG_SSSD); + + /* Create a handle container. */ + handle = emalloc(sizeof(struct sudo_sss_handle)); ++ ++ /* Load symbols */ ++ handle->ssslib = dlopen(path, RTLD_LAZY); ++ if (handle->ssslib == NULL) { ++ warningx(_("Unable to dlopen %s: %s"), path, dlerror()); ++ warningx(_("Unable to initialize SSS source. Is SSSD installed on your machine?")); ++ debug_return_int(EFAULT); ++ } ++ ++ handle->fn_send_recv = dlsym(handle->ssslib, "sss_sudo_send_recv"); ++ if (handle->fn_send_recv == NULL) { ++ warningx(_("unable to find symbol \"sss_sudo_send_recv\" in %s"), path); ++ debug_return_int(EFAULT); ++ } ++ ++ handle->fn_send_recv_defaults = dlsym(handle->ssslib, "sss_sudo_send_recv_defaults"); ++ if (handle->fn_send_recv_defaults == NULL) { ++ warningx(_("unable to find symbol \"sss_sudo_send_recv_defaults\" in %s"), path); ++ debug_return_int(EFAULT); ++ } ++ ++ handle->fn_free_result = dlsym(handle->ssslib, "sss_sudo_free_result"); ++ if (handle->fn_free_result == NULL) { ++ warningx(_("unable to find symbol \"sss_sudo_free_result\" in %s"), path); ++ debug_return_int(EFAULT); ++ } ++ ++ handle->fn_get_values = dlsym(handle->ssslib, "sss_sudo_get_values"); ++ if (handle->fn_get_values == NULL) { ++ warningx(_("unable to find symbol \"sss_sudo_get_values\" in %s"), path); ++ debug_return_int(EFAULT); ++ } ++ ++ handle->fn_free_values = dlsym(handle->ssslib, "sss_sudo_free_values"); ++ if (handle->fn_free_values == NULL) { ++ warningx(_("unable to find symbol \"sss_sudo_free_values\" in %s"), path); ++ debug_return_int(EFAULT); ++ } ++ + handle->domainname = NULL; + handle->pw = sudo_user.pw; + nss->handle = handle; +@@ -204,7 +286,14 @@ static int sudo_sss_open(struct sudo_nss + // ok + static int sudo_sss_close(struct sudo_nss *nss) + { ++ struct sudo_sss_handle *handle; + debug_decl(sudo_sss_close, SUDO_DEBUG_SSSD); ++ ++ if (nss && nss->handle) { ++ handle = nss->handle; ++ dlclose(handle->ssslib); ++ } ++ + efree(nss->handle); + debug_return_int(0); + } +@@ -231,11 +320,11 @@ static int sudo_sss_setdefs(struct sudo_ + + sudo_debug_printf(1, "Looking for cn=defaults"); + +- if (sss_sudo_send_recv_defaults(handle->pw->pw_uid, handle->pw->pw_name, ++ if (handle->fn_send_recv_defaults(handle->pw->pw_uid, handle->pw->pw_name, + &sss_error, &handle->domainname, + &sss_result) != 0) + { +- sudo_debug_printf(2, "sss_sudo_send_recv_defaults: != 0, sss_error=%u", sss_error); ++ sudo_debug_printf(2, "handle->fn_send_recv_defaults: != 0, sss_error=%u", sss_error); + debug_return_int(-1); + } + +@@ -250,10 +339,10 @@ static int sudo_sss_setdefs(struct sudo_ + for (i = 0; i < sss_result->num_rules; ++i) { + sudo_debug_printf(1, "Parsing cn=defaults, %d/%d", i, sss_result->num_rules); + sss_rule = sss_result->rules + i; +- sudo_sss_parse_options(sss_rule); ++ sudo_sss_parse_options(handle, sss_rule); + } + +- sss_sudo_free_result(sss_result); ++ handle->fn_free_result(sss_result); + debug_return_int(0); + } + +@@ -276,7 +365,7 @@ static int sudo_sss_checkpw(struct sudo_ + } + + static int +-sudo_sss_check_runas_user(struct sss_sudo_rule *sss_rule) ++sudo_sss_check_runas_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *sss_rule) + { + char **val_array = NULL; + char *val; +@@ -287,7 +376,7 @@ sudo_sss_check_runas_user(struct sss_sud + debug_return_int(UNSPEC); + + /* get the runas user from the entry */ +- switch (sss_sudo_get_values(sss_rule, "sudoRunAsUser", &val_array)) ++ switch (handle->fn_get_values(sss_rule, "sudoRunAsUser", &val_array)) + { + case 0: + break; +@@ -295,7 +384,7 @@ sudo_sss_check_runas_user(struct sss_sud + sudo_debug_printf(2, "No result. Trying old style (sudoRunAs)"); + + /* try old style */ +- switch (sss_sudo_get_values(sss_rule, "sudoRunAs", &val_array)) ++ switch (handle->fn_get_values(sss_rule, "sudoRunAs", &val_array)) + { + case 0: + break; +@@ -307,12 +396,12 @@ sudo_sss_check_runas_user(struct sss_sud + */ + return !strcasecmp(runas_pw->pw_name, def_runas_default); + default: +- sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAs): != 0"); ++ sudo_debug_printf(2, "handle->fn_get_values(sudoRunAs): != 0"); + debug_return_int(UNSPEC); + } + break; + default: +- sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAsUser): != 0"); ++ sudo_debug_printf(2, "handle->fn_get_values(sudoRunAsUser): != 0"); + debug_return_int(UNSPEC); + } + +@@ -373,13 +462,13 @@ sudo_sss_check_runas_user(struct sss_sud + sudo_debug_printf(2, "sssd/ldap sudoRunAsUser '%s' ... %s", val, ret ? "MATCH!" : "not"); + } + +- sss_sudo_free_values(val_array); /* cleanup */ ++ handle->fn_free_values(val_array); /* cleanup */ + + debug_return_int(ret); + } + + static int +-sudo_sss_check_runas_group(struct sss_sudo_rule *rule) ++sudo_sss_check_runas_group(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule) + { + char **val_array = NULL; + char *val; +@@ -391,7 +480,7 @@ sudo_sss_check_runas_group(struct sss_su + debug_return_int(UNSPEC); + + /* get the values from the entry */ +- switch (sss_sudo_get_values(rule, "sudoRunAsGroup", &val_array)) ++ switch (handle->fn_get_values(rule, "sudoRunAsGroup", &val_array)) + { + case 0: + break; +@@ -399,7 +488,7 @@ sudo_sss_check_runas_group(struct sss_su + sudo_debug_printf(2, "No result."); + debug_return_int(false); + default: +- sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAsGroup): != 0"); ++ sudo_debug_printf(2, "handle->fn_get_values(sudoRunAsGroup): != 0"); + debug_return_int(UNSPEC); + } + +@@ -414,7 +503,7 @@ sudo_sss_check_runas_group(struct sss_su + sudo_debug_printf(2, "sssd/ldap sudoRunAsGroup '%s' ... %s", val, ret ? "MATCH!" : "not"); + } + +- sss_sudo_free_values(val_array); ++ handle->fn_free_values(val_array); + + debug_return_int(ret); + } +@@ -424,7 +513,7 @@ sudo_sss_check_runas_group(struct sss_su + * else false. RunAs info is optional. + */ + static int +-sudo_sss_check_runas(struct sss_sudo_rule *rule) ++sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule) + { + int ret; + debug_decl(sudo_sss_check_runas, SUDO_DEBUG_SSSD); +@@ -432,13 +521,13 @@ sudo_sss_check_runas(struct sss_sudo_rul + if (rule == NULL) + debug_return_int(false); + +- ret = sudo_sss_check_runas_user(rule) != false && +- sudo_sss_check_runas_group(rule) != false; ++ ret = sudo_sss_check_runas_user(handle, rule) != false && ++ sudo_sss_check_runas_group(handle, rule) != false; + + debug_return_int(ret); + } + +-static int sudo_sss_check_host(struct sss_sudo_rule *rule) ++static int sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule) + { + char **val_array, *val; + int ret = false, i; +@@ -448,7 +537,7 @@ static int sudo_sss_check_host(struct ss + debug_return_int(ret); + + /* get the values from the rule */ +- switch (sss_sudo_get_values(rule, "sudoHost", &val_array)) ++ switch (handle->fn_get_values(rule, "sudoHost", &val_array)) + { + case 0: + break; +@@ -456,7 +545,7 @@ static int sudo_sss_check_host(struct ss + sudo_debug_printf(2, "No result."); + debug_return_int(false); + default: +- sudo_debug_printf(2, "sss_sudo_get_values(sudoHost): != 0"); ++ sudo_debug_printf(2, "handle->fn_get_values(sudoHost): != 0"); + debug_return_int(ret); + } + +@@ -474,17 +563,17 @@ static int sudo_sss_check_host(struct ss + sudo_debug_printf(2, "sssd/ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not"); + } + +- sss_sudo_free_values(val_array); ++ handle->fn_free_values(val_array); + + debug_return_int(ret); + } + +-static int sudo_sss_result_filterp(struct sss_sudo_rule *rule, void *unused) ++static int sudo_sss_result_filterp(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule, void *unused) + { + (void)unused; + debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD); + +- if (sudo_sss_check_host(rule)) ++ if (sudo_sss_check_host(handle, rule)) + debug_return_int(1); + else + debug_return_int(0); +@@ -505,7 +594,7 @@ static struct sss_sudo_result *sudo_sss_ + + u_sss_result = f_sss_result = NULL; + +- switch (ret = sss_sudo_send_recv(handle->pw->pw_uid, handle->pw->pw_name, ++ switch (ret = handle->fn_send_recv(handle->pw->pw_uid, handle->pw->pw_name, + handle->domainname, &sss_error, &u_sss_result)) + { + case 0: +@@ -530,11 +619,11 @@ static struct sss_sudo_result *sudo_sss_ + } + break; + default: +- sudo_debug_printf(2, "sss_sudo_send_recv: != 0: ret=%d", ret); ++ sudo_debug_printf(2, "handle->fn_send_recv: != 0: ret=%d", ret); + debug_return_ptr(NULL); + } + +- f_sss_result = sudo_sss_filter_result(u_sss_result, sudo_sss_result_filterp, ++ f_sss_result = sudo_sss_filter_result(handle, u_sss_result, sudo_sss_result_filterp, + _SUDO_SSS_FILTER_INCLUDE, NULL); + + if (f_sss_result != NULL) +@@ -547,7 +636,7 @@ static struct sss_sudo_result *sudo_sss_ + sudo_debug_printf(3, "u_sss_result=(%p, %u) => f_sss_result=(%p, %u)", + u_sss_result, u_sss_result->num_rules, f_sss_result, f_sss_result->num_rules); + +- sss_sudo_free_result(u_sss_result); ++ handle->fn_free_result(u_sss_result); + + debug_return_ptr(f_sss_result); + } +@@ -557,7 +646,7 @@ static struct sss_sudo_result *sudo_sss_ + * Returns true if found and allowed, false if negated, else UNSPEC. + */ + static int +-sudo_sss_check_bool(struct sss_sudo_rule *rule, char *option) ++sudo_sss_check_bool(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule, char *option) + { + char ch, *var, **val_array = NULL; + int i, ret = UNSPEC; +@@ -566,7 +655,7 @@ sudo_sss_check_bool(struct sss_sudo_rule + if (rule == NULL) + debug_return_int(ret); + +- switch (sss_sudo_get_values(rule, "sudoOption", &val_array)) ++ switch (handle->fn_get_values(rule, "sudoOption", &val_array)) + { + case 0: + break; +@@ -574,7 +663,7 @@ sudo_sss_check_bool(struct sss_sudo_rule + sudo_debug_printf(2, "No result."); + debug_return_int(ret); + default: +- sudo_debug_printf(2, "sss_sudo_get_values: != 0"); ++ sudo_debug_printf(2, "handle->fn_get_values: != 0"); + debug_return_int(ret); + } + +@@ -589,7 +678,7 @@ sudo_sss_check_bool(struct sss_sudo_rule + ret = (ch != '!'); + } + +- sss_sudo_free_values(val_array); ++ handle->fn_free_values(val_array); + + debug_return_int(ret); + } +@@ -599,7 +688,7 @@ sudo_sss_check_bool(struct sss_sudo_rule + * false if disallowed and UNSPEC if not matched. + */ + static int +-sudo_sss_check_command(struct sss_sudo_rule *rule, int *setenv_implied) ++sudo_sss_check_command(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule, int *setenv_implied) + { + char **val_array = NULL, *val; + char *allowed_cmnd, *allowed_args; +@@ -609,7 +698,7 @@ sudo_sss_check_command(struct sss_sudo_r + if (rule == NULL) + debug_return_int(ret); + +- switch (sss_sudo_get_values(rule, "sudoCommand", &val_array)) ++ switch (handle->fn_get_values(rule, "sudoCommand", &val_array)) + { + case 0: + break; +@@ -617,7 +706,7 @@ sudo_sss_check_command(struct sss_sudo_r + sudo_debug_printf(2, "No result."); + debug_return_int(ret); + default: +- sudo_debug_printf(2, "sss_sudo_get_values: != 0"); ++ sudo_debug_printf(2, "handle->fn_get_values: != 0"); + debug_return_int(ret); + } + +@@ -662,13 +751,13 @@ sudo_sss_check_command(struct sss_sudo_r + efree(allowed_cmnd); /* cleanup */ + } + +- sss_sudo_free_values(val_array); /* more cleanup */ ++ handle->fn_free_values(val_array); /* more cleanup */ + + debug_return_int(ret); + } + + static void +-sudo_sss_parse_options(struct sss_sudo_rule *rule) ++sudo_sss_parse_options(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule) + { + int i; + char op, *v, *val; +@@ -678,7 +767,7 @@ sudo_sss_parse_options(struct sss_sudo_r + if (rule == NULL) + debug_return; + +- switch (sss_sudo_get_values(rule, "sudoOption", &val_array)) ++ switch (handle->fn_get_values(rule, "sudoOption", &val_array)) + { + case 0: + break; +@@ -686,7 +775,7 @@ sudo_sss_parse_options(struct sss_sudo_r + sudo_debug_printf(2, "No result."); + debug_return; + default: +- sudo_debug_printf(2, "sss_sudo_get_values(sudoOption): != 0"); ++ sudo_debug_printf(2, "handle->fn_get_values(sudoOption): != 0"); + debug_return; + } + +@@ -718,7 +807,7 @@ sudo_sss_parse_options(struct sss_sudo_r + efree(v); + } + +- sss_sudo_free_values(val_array); ++ handle->fn_free_values(val_array); + debug_return; + } + +@@ -726,6 +815,7 @@ static int sudo_sss_lookup(struct sudo_n + { + int rc, setenv_implied; + ++ struct sudo_sss_handle *handle = nss->handle; + struct sss_sudo_result *sss_result = NULL; + struct sss_sudo_rule *rule; + uint32_t i, state = 0; +@@ -750,12 +840,12 @@ static int sudo_sss_lookup(struct sudo_n + rule = sss_result->rules + i; + if ((pwcheck == any && doauth != false) || + (pwcheck == all && doauth == false)) { +- doauth = sudo_sss_check_bool(rule, "authenticate"); ++ doauth = sudo_sss_check_bool(handle, rule, "authenticate"); + } + /* Only check the command when listing another user. */ + if (user_uid == 0 || list_pw == NULL || + user_uid == list_pw->pw_uid || +- sudo_sss_check_command(rule, NULL)) { ++ sudo_sss_check_command(handle, rule, NULL)) { + matched = true; + break; + } +@@ -791,9 +881,9 @@ static int sudo_sss_lookup(struct sudo_n + if (sss_result != NULL) { + for (i = 0; i < sss_result->num_rules; i++) { + rule = sss_result->rules + i; +- if (!sudo_sss_check_runas(rule)) ++ if (!sudo_sss_check_runas(handle, rule)) + continue; +- rc = sudo_sss_check_command(rule, &setenv_implied); ++ rc = sudo_sss_check_command(handle, rule, &setenv_implied); + if (rc != UNSPEC) { + /* We have a match. */ + sudo_debug_printf(1, "Command %sallowed", rc == true ? "" : "NOT "); +@@ -802,7 +892,7 @@ static int sudo_sss_lookup(struct sudo_n + /* Apply entry-specific options. */ + if (setenv_implied) + def_setenv = true; +- sudo_sss_parse_options(rule); ++ sudo_sss_parse_options(handle, rule); + #ifdef HAVE_SELINUX + /* Set role and type if not specified on command line. */ + if (user_role == NULL) +@@ -865,8 +955,8 @@ static int sudo_sss_display_cmnd(struct + + for (i = 0; i < sss_result->num_rules; i++) { + rule = sss_result->rules + i; +- if (sudo_sss_check_command(rule, NULL) && +- sudo_sss_check_runas(rule)) { ++ if (sudo_sss_check_command(handle, rule, NULL) && ++ sudo_sss_check_runas(handle, rule)) { + found = true; + goto done; + } +@@ -878,7 +968,7 @@ done: + user_args ? " " : "", user_args ? user_args : ""); + + if (sss_result != NULL) +- sss_sudo_free_result(sss_result); ++ handle->fn_free_result(sss_result); + + debug_return_int(!found); + } +@@ -901,11 +991,11 @@ static int sudo_sss_display_defaults(str + if (handle == NULL) + goto done; + +- if (sss_sudo_send_recv_defaults(pw->pw_uid, pw->pw_name, ++ if (handle->fn_send_recv_defaults(pw->pw_uid, pw->pw_name, + &sss_error, &handle->domainname, + &sss_result) != 0) + { +- sudo_debug_printf(2, "sss_sudo_send_recv_defaults: !=0, sss_error=%u", sss_error); ++ sudo_debug_printf(2, "handle->fn_send_recv_defaults: !=0, sss_error=%u", sss_error); + goto done; + } + +@@ -922,7 +1012,7 @@ static int sudo_sss_display_defaults(str + for (i = 0; i < sss_result->num_rules; ++i) { + rule = sss_result->rules + i; + +- switch (sss_sudo_get_values(rule, "sudoOption", &val_array)) ++ switch (handle->fn_get_values(rule, "sudoOption", &val_array)) + { + case 0: + break; +@@ -930,7 +1020,7 @@ static int sudo_sss_display_defaults(str + sudo_debug_printf(2, "No result."); + continue; + default: +- sudo_debug_printf(2, "sss_sudo_get_values: != 0"); ++ sudo_debug_printf(2, "handle->fn_get_values: != 0"); + continue; + } + +@@ -946,11 +1036,11 @@ static int sudo_sss_display_defaults(str + count++; + } + +- sss_sudo_free_values(val_array); ++ handle->fn_free_values(val_array); + val_array = NULL; + } + +- sss_sudo_free_result(sss_result); ++ handle->fn_free_result(sss_result); + done: + debug_return_int(count); + } +@@ -963,7 +1053,7 @@ static int sudo_sss_display_bound_defaul + debug_return_int(0); + } + +-static int sudo_sss_display_entry_long(struct sss_sudo_rule *rule, struct lbuf *lbuf) ++static int sudo_sss_display_entry_long(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule, struct lbuf *lbuf) + { + char **val_array = NULL; + int count = 0, i; +@@ -971,94 +1061,94 @@ static int sudo_sss_display_entry_long(s + + /* get the RunAsUser Values from the entry */ + lbuf_append(lbuf, " RunAsUsers: "); +- switch (sss_sudo_get_values(rule, "sudoRunAsUser", &val_array)) ++ switch (handle->fn_get_values(rule, "sudoRunAsUser", &val_array)) + { + case 0: + for (i = 0; val_array[i] != NULL; ++i) + lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]); +- sss_sudo_free_values(val_array); ++ handle->fn_free_values(val_array); + break; + case ENOENT: +- switch (sss_sudo_get_values(rule, "sudoRunAs", &val_array)) ++ switch (handle->fn_get_values(rule, "sudoRunAs", &val_array)) + { + case 0: + for (i = 0; val_array[i] != NULL; ++i) + lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]); +- sss_sudo_free_values(val_array); ++ handle->fn_free_values(val_array); + break; + case ENOENT: + sudo_debug_printf(2, "No result."); + lbuf_append(lbuf, "%s", def_runas_default); + break; + default: +- sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAs): != 0"); ++ sudo_debug_printf(2, "handle->fn_get_values(sudoRunAs): != 0"); + debug_return_int(count); + } + break; + default: +- sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAsUser): != 0"); ++ sudo_debug_printf(2, "handle->fn_get_values(sudoRunAsUser): != 0"); + debug_return_int(count); + } + lbuf_append(lbuf, "\n"); + + /* get the RunAsGroup Values from the entry */ +- switch (sss_sudo_get_values(rule, "sudoRunAsGroup", &val_array)) ++ switch (handle->fn_get_values(rule, "sudoRunAsGroup", &val_array)) + { + case 0: + lbuf_append(lbuf, " RunAsGroups: "); + for (i = 0; val_array[i] != NULL; ++i) + lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]); +- sss_sudo_free_values(val_array); ++ handle->fn_free_values(val_array); + lbuf_append(lbuf, "\n"); + break; + case ENOENT: + sudo_debug_printf(2, "No result."); + break; + default: +- sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAsGroup): != 0"); ++ sudo_debug_printf(2, "handle->fn_get_values(sudoRunAsGroup): != 0"); + debug_return_int(count); + } + + /* get the Option Values from the entry */ +- switch (sss_sudo_get_values(rule, "sudoOption", &val_array)) ++ switch (handle->fn_get_values(rule, "sudoOption", &val_array)) + { + case 0: + lbuf_append(lbuf, " Options: "); + for (i = 0; val_array[i] != NULL; ++i) + lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]); +- sss_sudo_free_values(val_array); ++ handle->fn_free_values(val_array); + lbuf_append(lbuf, "\n"); + break; + case ENOENT: + sudo_debug_printf(2, "No result."); + break; + default: +- sudo_debug_printf(2, "sss_sudo_get_values(sudoOption): != 0"); ++ sudo_debug_printf(2, "handle->fn_get_values(sudoOption): != 0"); + debug_return_int(count); + } + + /* Get the command values from the entry. */ +- switch (sss_sudo_get_values(rule, "sudoCommand", &val_array)) { ++ switch (handle->fn_get_values(rule, "sudoCommand", &val_array)) { + case 0: + lbuf_append(lbuf, _(" Commands:\n")); + for (i = 0; val_array[i] != NULL; ++i) { + lbuf_append(lbuf, "\t%s\n", val_array[i]); + count++; + } +- sss_sudo_free_values(val_array); ++ handle->fn_free_values(val_array); + break; + case ENOENT: + sudo_debug_printf(2, "No result."); + break; + default: +- sudo_debug_printf(2, "sss_sudo_get_values(sudoCommand): != 0"); ++ sudo_debug_printf(2, "handle->fn_get_values(sudoCommand): != 0"); + debug_return_int(count); + } + + debug_return_int(count); + } + +-static int sudo_sss_display_entry_short(struct sss_sudo_rule *rule, struct lbuf *lbuf) ++static int sudo_sss_display_entry_short(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule, struct lbuf *lbuf) + { + char **val_array = NULL; + int count = 0, i; +@@ -1067,58 +1157,58 @@ static int sudo_sss_display_entry_short( + lbuf_append(lbuf, " ("); + + /* get the RunAsUser Values from the entry */ +- switch (sss_sudo_get_values(rule, "sudoRunAsUser", &val_array)) ++ switch (handle->fn_get_values(rule, "sudoRunAsUser", &val_array)) + { + case 0: + for (i = 0; val_array[i] != NULL; ++i) + lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]); +- sss_sudo_free_values(val_array); ++ handle->fn_free_values(val_array); + break; + case ENOENT: + sudo_debug_printf(2, "No result. Trying old style (sudoRunAs)."); + /* try old style */ +- switch (sss_sudo_get_values(rule, "sudoRunAs", &val_array)) ++ switch (handle->fn_get_values(rule, "sudoRunAs", &val_array)) + { + case 0: + for (i = 0; val_array[i] != NULL; ++i) + lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]); +- sss_sudo_free_values(val_array); ++ handle->fn_free_values(val_array); + break; + case ENOENT: + sudo_debug_printf(2, "No result."); + lbuf_append(lbuf, "%s", def_runas_default); + break; + default: +- sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAs): != 0"); ++ sudo_debug_printf(2, "handle->fn_get_values(sudoRunAs): != 0"); + debug_return_int(count); + } + break; + default: +- sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAsUser): != 0"); ++ sudo_debug_printf(2, "handle->fn_get_values(sudoRunAsUser): != 0"); + debug_return_int(count); + } + + /* get the RunAsGroup Values from the entry */ +- switch (sss_sudo_get_values(rule, "sudoRunAsGroup", &val_array)) ++ switch (handle->fn_get_values(rule, "sudoRunAsGroup", &val_array)) + { + case 0: + lbuf_append(lbuf, " : "); + for (i = 0; val_array[i] != NULL; ++i) + lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]); +- sss_sudo_free_values(val_array); ++ handle->fn_free_values(val_array); + break; + case ENOENT: + sudo_debug_printf(2, "No result."); + break; + default: +- sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAsGroup): != 0"); ++ sudo_debug_printf(2, "handle->fn_get_values(sudoRunAsGroup): != 0"); + debug_return_int(count); + } + + lbuf_append(lbuf, ") "); + + /* get the Option Values from the entry */ +- switch (sss_sudo_get_values(rule, "sudoOption", &val_array)) ++ switch (handle->fn_get_values(rule, "sudoOption", &val_array)) + { + case 0: + for (i = 0; val_array[i] != NULL; ++i) { +@@ -1136,30 +1226,30 @@ static int sudo_sss_display_entry_short( + "NOSETENV: " : "SETENV: "); + } + +- sss_sudo_free_values(val_array); ++ handle->fn_free_values(val_array); + break; + case ENOENT: + sudo_debug_printf(2, "No result."); + break; + default: +- sudo_debug_printf(2, "sss_sudo_get_values(sudoOption): != 0"); ++ sudo_debug_printf(2, "handle->fn_get_values(sudoOption): != 0"); + debug_return_int(count); + } + + /* get the Command Values from the entry */ +- switch (sss_sudo_get_values(rule, "sudoCommand", &val_array)) { ++ switch (handle->fn_get_values(rule, "sudoCommand", &val_array)) { + case 0: + for (i = 0; val_array[i] != NULL; ++i) { + lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]); + count++; + } +- sss_sudo_free_values(val_array); ++ handle->fn_free_values(val_array); + break; + case ENOENT: + sudo_debug_printf(2, "No result."); + break; + default: +- sudo_debug_printf(2, "sss_sudo_get_values(sudoCommand): != 0"); ++ sudo_debug_printf(2, "handle->fn_get_values(sudoCommand): != 0"); + debug_return_int(count); + } + lbuf_append(lbuf, "\n"); +@@ -1193,13 +1283,13 @@ static int sudo_sss_display_privs(struct + for (i = 0; i < sss_result->num_rules; ++i) { + rule = sss_result->rules + i; + if (long_list) +- count += sudo_sss_display_entry_long(rule, lbuf); ++ count += sudo_sss_display_entry_long(handle, rule, lbuf); + else +- count += sudo_sss_display_entry_short(rule, lbuf); ++ count += sudo_sss_display_entry_short(handle, rule, lbuf); + } + + if (sss_result != NULL) +- sss_sudo_free_result(sss_result); ++ handle->fn_free_result(sss_result); + + debug_return_int(count); + } diff --git a/sudo-1.8.5-sssd-handle-sss_ret-correctly.patch b/sudo-1.8.5-sssd-handle-sss_ret-correctly.patch new file mode 100644 index 0000000..b03592a --- /dev/null +++ b/sudo-1.8.5-sssd-handle-sss_ret-correctly.patch @@ -0,0 +1,43 @@ +diff -rup original/plugins/sudoers/sssd.c new/plugins/sudoers/sssd.c +--- original/plugins/sudoers/sssd.c 2012-07-18 13:17:53.026208728 +0200 ++++ new/plugins/sudoers/sssd.c 2012-07-18 13:35:59.780623153 +0200 +@@ -239,6 +239,14 @@ static int sudo_sss_setdefs(struct sudo_ + debug_return_int(-1); + } + ++ if (sss_error == ENOENT) { ++ sudo_debug_printf(2, "The user was not found in SSSD."); ++ debug_return_int(-1); ++ } else if(sss_error != 0) { ++ sudo_debug_printf(2, "sss_error=%u\n", sss_error); ++ debug_return_int(-1); ++ } ++ + for (i = 0; i < sss_result->num_rules; ++i) { + sudo_debug_printf(1, "Parsing cn=defaults, %d/%d", i, sss_result->num_rules); + sss_rule = sss_result->rules + i; +@@ -515,7 +523,7 @@ static struct sss_sudo_result *sudo_sss_ + } + break; + case ENOENT: +- sudo_debug_printf(2, "No result."); ++ sudo_debug_printf(2, "The user was not found in SSSD."); + default: + sudo_debug_printf(2, "sss_error=%u\n", sss_error); + debug_return_ptr(NULL); +@@ -901,6 +909,14 @@ static int sudo_sss_display_defaults(str + goto done; + } + ++ if (sss_error == ENOENT) { ++ sudo_debug_printf(2, "The user was not found in SSSD."); ++ goto done; ++ } else if(sss_error != 0) { ++ sudo_debug_printf(2, "sss_error=%u\n", sss_error); ++ goto done; ++ } ++ + handle->pw = pw; + + for (i = 0; i < sss_result->num_rules; ++i) { + diff --git a/sudo-1.8.5-sssd-use-sudo_debug_printf.patch b/sudo-1.8.5-sssd-use-sudo_debug_printf.patch new file mode 100644 index 0000000..25ac0ad --- /dev/null +++ b/sudo-1.8.5-sssd-use-sudo_debug_printf.patch @@ -0,0 +1,600 @@ +diff -rup original/plugins/sudoers/sssd.c new/plugins/sudoers/sssd.c +--- original/plugins/sudoers/sssd.c 2012-07-17 10:50:20.110201384 +0200 ++++ new/plugins/sudoers/sssd.c 2012-07-17 11:09:31.213626613 +0200 +@@ -56,11 +56,6 @@ + #include "lbuf.h" + #include "sudo_debug.h" + +-extern int debug_level; +-#define __sssd_debug debug_level +- +-#define DPRINTF(level, fmt, ...) if (__sssd_debug >= (level)) warningx("%s:%d: "fmt, __PRETTY_FUNCTION__, __LINE__, ##__VA_ARGS__) +- + /* sudo_nss implementation */ + static int sudo_sss_open(struct sudo_nss *nss); + static int sudo_sss_close(struct sudo_nss *nss); +@@ -88,8 +83,8 @@ static void sudo_sss_attrcpy(struct sss_ + int i; + debug_decl(sudo_sss_attrcpy, SUDO_DEBUG_SSSD) + +- DPRINTF(3, "dst=%p, src=%p", dst, src); +- DPRINTF(2, "emalloc: cnt=%d", src->num_values); ++ sudo_debug_printf(3, "dst=%p, src=%p", dst, src); ++ sudo_debug_printf(2, "emalloc: cnt=%d", src->num_values); + + dst->name = strdup(src->name); + dst->num_values = src->num_values; +@@ -106,8 +101,8 @@ static void sudo_sss_rulecpy(struct sss_ + int i; + debug_decl(sudo_sss_rulecpy, SUDO_DEBUG_SSSD) + +- DPRINTF(3, "dst=%p, src=%p", dst, src); +- DPRINTF(2, "emalloc: cnt=%d", src->num_attrs); ++ sudo_debug_printf(3, "dst=%p, src=%p", dst, src); ++ sudo_debug_printf(2, "emalloc: cnt=%d", src->num_attrs); + + dst->num_attrs = src->num_attrs; + dst->attrs = emalloc(sizeof(struct sss_sudo_attr) * dst->num_attrs); +@@ -132,13 +127,13 @@ static struct sss_sudo_result *sudo_sss_ + int i, l, r; + debug_decl(sudo_sss_filter_result, SUDO_DEBUG_SSSD) + +- DPRINTF(3, "in_res=%p, count=%u, act=%s", ++ sudo_debug_printf(3, "in_res=%p, count=%u, act=%s", + in_res, in_res->num_rules, act == _SUDO_SSS_FILTER_EXCLUDE ? "EXCLUDE" : "INCLUDE"); + + if (in_res == NULL) + debug_return_ptr(NULL); + +- DPRINTF(3, "emalloc: cnt=%d", in_res->num_rules); ++ sudo_debug_printf(3, "emalloc: cnt=%d", in_res->num_rules); + + out_res = emalloc(sizeof(struct sss_sudo_result)); + out_res->rules = in_res->num_rules > 0 ? emalloc(sizeof(struct sss_sudo_rule) * in_res->num_rules) : NULL; +@@ -150,7 +145,7 @@ static struct sss_sudo_result *sudo_sss_ + if (( r && act == _SUDO_SSS_FILTER_INCLUDE) || + (!r && act == _SUDO_SSS_FILTER_EXCLUDE)) + { +- DPRINTF(3, "COPY (%s): %p[%u] => %p[%u] (= %p)", ++ sudo_debug_printf(3, "COPY (%s): %p[%u] => %p[%u] (= %p)", + act == _SUDO_SSS_FILTER_EXCLUDE ? "not excluded" : "included", + in_res->rules, i, out_res->rules, l, in_res->rules + i); + +@@ -160,7 +155,7 @@ static struct sss_sudo_result *sudo_sss_ + } + + if (l < in_res->num_rules) { +- DPRINTF(3, "reallocating result: %p (count: %u -> %u)", out_res->rules, in_res->num_rules, l); ++ sudo_debug_printf(3, "reallocating result: %p (count: %u -> %u)", out_res->rules, in_res->num_rules, l); + out_res->rules = realloc(out_res->rules, sizeof(struct sss_sudo_rule) * l); + } + +@@ -201,7 +196,7 @@ static int sudo_sss_open(struct sudo_nss + handle->pw = sudo_user.pw; + nss->handle = handle; + +- DPRINTF(3, "handle=%p", handle); ++ sudo_debug_printf(3, "handle=%p", handle); + + debug_return_int(0); + } +@@ -234,18 +229,18 @@ static int sudo_sss_setdefs(struct sudo_ + if (handle == NULL) + debug_return_int(-1); + +- DPRINTF(1, "Looking for cn=defaults"); ++ sudo_debug_printf(1, "Looking for cn=defaults"); + + if (sss_sudo_send_recv_defaults(handle->pw->pw_uid, handle->pw->pw_name, + &sss_error, &handle->domainname, + &sss_result) != 0) + { +- DPRINTF(2, "sss_sudo_send_recv_defaults: != 0, sss_error=%u", sss_error); ++ sudo_debug_printf(2, "sss_sudo_send_recv_defaults: != 0, sss_error=%u", sss_error); + debug_return_int(-1); + } + + for (i = 0; i < sss_result->num_rules; ++i) { +- DPRINTF(1, "Parsing cn=defaults, %d/%d", i, sss_result->num_rules); ++ sudo_debug_printf(1, "Parsing cn=defaults, %d/%d", i, sss_result->num_rules); + sss_rule = sss_result->rules + i; + sudo_sss_parse_options(sss_rule); + } +@@ -262,7 +257,7 @@ static int sudo_sss_checkpw(struct sudo_ + if (pw->pw_name != handle->pw->pw_name || + pw->pw_uid != handle->pw->pw_uid) + { +- DPRINTF(1, "Requested name or uid don't match the initial once, reinitializing..."); ++ sudo_debug_printf(1, "Requested name or uid don't match the initial once, reinitializing..."); + handle->pw = pw; + + if (sudo_sss_setdefs(nss) != 0) +@@ -289,7 +284,7 @@ sudo_sss_check_runas_user(struct sss_sud + case 0: + break; + case ENOENT: +- DPRINTF(2, "No result. Trying old style (sudoRunAs)"); ++ sudo_debug_printf(2, "No result. Trying old style (sudoRunAs)"); + + /* try old style */ + switch (sss_sudo_get_values(sss_rule, "sudoRunAs", &val_array)) +@@ -297,19 +292,19 @@ sudo_sss_check_runas_user(struct sss_sud + case 0: + break; + case ENOENT: +- DPRINTF(2, "No result. Matching against runas_default"); ++ sudo_debug_printf(2, "No result. Matching against runas_default"); + /* + * If there are no runas entries, match runas_default against + * what the user specified on the command line. + */ + return !strcasecmp(runas_pw->pw_name, def_runas_default); + default: +- DPRINTF(2, "sss_sudo_get_values(sudoRunAs): != 0"); ++ sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAs): != 0"); + debug_return_int(UNSPEC); + } + break; + default: +- DPRINTF(2, "sss_sudo_get_values(sudoRunAsUser): != 0"); ++ sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAsUser): != 0"); + debug_return_int(UNSPEC); + } + +@@ -334,40 +329,40 @@ sudo_sss_check_runas_user(struct sss_sud + for (i = 0; val_array[i] != NULL && !ret; ++i) { + val = val_array[i]; + +- DPRINTF(3, "val[%d]=%s", i, val); ++ sudo_debug_printf(3, "val[%d]=%s", i, val); + + switch (val[0]) { + case '+': +- DPRINTF(3, "netgr_"); ++ sudo_debug_printf(3, "netgr_"); + if (netgr_matches(val, NULL, NULL, runas_pw->pw_name)) { +- DPRINTF(3, "=> match"); ++ sudo_debug_printf(3, "=> match"); + ret = true; + } + break; + case '%': +- DPRINTF(3, "usergr_"); ++ sudo_debug_printf(3, "usergr_"); + if (usergr_matches(val, runas_pw->pw_name, runas_pw)) { +- DPRINTF(3, "=> match"); ++ sudo_debug_printf(3, "=> match"); + ret = true; + } + break; + case 'A': + if (strcmp(val, "ALL") == 0) { +- DPRINTF(3, "ALL => match"); ++ sudo_debug_printf(3, "ALL => match"); + ret = true; + break; + } + /* FALLTHROUGH */ +- DPRINTF(3, "FALLTHROUGH"); ++ sudo_debug_printf(3, "FALLTHROUGH"); + default: + if (strcasecmp(val, runas_pw->pw_name) == 0) { +- DPRINTF(3, "%s == %s (pw_name) => match", val, runas_pw->pw_name); ++ sudo_debug_printf(3, "%s == %s (pw_name) => match", val, runas_pw->pw_name); + ret = true; + } + break; + } + +- DPRINTF(2, "sssd/ldap sudoRunAsUser '%s' ... %s", val, ret ? "MATCH!" : "not"); ++ sudo_debug_printf(2, "sssd/ldap sudoRunAsUser '%s' ... %s", val, ret ? "MATCH!" : "not"); + } + + sss_sudo_free_values(val_array); /* cleanup */ +@@ -393,22 +388,22 @@ sudo_sss_check_runas_group(struct sss_su + case 0: + break; + case ENOENT: +- DPRINTF(2, "No result."); ++ sudo_debug_printf(2, "No result."); + debug_return_int(false); + default: +- DPRINTF(2, "sss_sudo_get_values(sudoRunAsGroup): != 0"); ++ sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAsGroup): != 0"); + debug_return_int(UNSPEC); + } + + /* walk through values returned, looking for a match */ + for (i = 0; val_array[i] != NULL; ++i) { + val = val_array[i]; +- DPRINTF(3, "val[%d]=%s", i, val); ++ sudo_debug_printf(3, "val[%d]=%s", i, val); + + if (strcmp(val, "ALL") == 0 || group_matches(val, runas_gr)) + ret = true; + +- DPRINTF(2, "sssd/ldap sudoRunAsGroup '%s' ... %s", val, ret ? "MATCH!" : "not"); ++ sudo_debug_printf(2, "sssd/ldap sudoRunAsGroup '%s' ... %s", val, ret ? "MATCH!" : "not"); + } + + sss_sudo_free_values(val_array); +@@ -450,17 +445,17 @@ static int sudo_sss_check_host(struct ss + case 0: + break; + case ENOENT: +- DPRINTF(2, "No result."); ++ sudo_debug_printf(2, "No result."); + debug_return_int(false); + default: +- DPRINTF(2, "sss_sudo_get_values(sudoHost): != 0"); ++ sudo_debug_printf(2, "sss_sudo_get_values(sudoHost): != 0"); + debug_return_int(ret); + } + + /* walk through values */ + for (i = 0; val_array[i] != NULL; ++i) { + val = val_array[i]; +- DPRINTF(3, "val[%d]=%s", i, val); ++ sudo_debug_printf(3, "val[%d]=%s", i, val); + + /* match any or address or netgroup or hostname */ + if (!strcmp(val, "ALL") || addr_matches(val) || +@@ -468,7 +463,7 @@ static int sudo_sss_check_host(struct ss + hostname_matches(user_shost, user_host, val)) + ret = true; + +- DPRINTF(2, "sssd/ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not"); ++ sudo_debug_printf(2, "sssd/ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not"); + } + + sss_sudo_free_values(val_array); +@@ -497,8 +492,8 @@ static struct sss_sudo_result *sudo_sss_ + if (sudo_sss_checkpw(nss, pw) != 0) + debug_return_ptr(NULL); + +- DPRINTF(1, " username=%s", handle->pw->pw_name); +- DPRINTF(1, "domainname=%s", handle->domainname); ++ sudo_debug_printf(1, " username=%s", handle->pw->pw_name); ++ sudo_debug_printf(1, "domainname=%s", handle->domainname); + + u_sss_result = f_sss_result = NULL; + +@@ -510,24 +505,24 @@ static struct sss_sudo_result *sudo_sss_ + case 0: + if (u_sss_result != NULL) { + if (state != NULL) { +- DPRINTF(3, "state |= USERMATCH"); ++ sudo_debug_printf(3, "state |= USERMATCH"); + *state |= _SUDO_SSS_STATE_USERMATCH; + } +- DPRINTF(2, "Received %u rule(s)", u_sss_result->num_rules); ++ sudo_debug_printf(2, "Received %u rule(s)", u_sss_result->num_rules); + } else { +- DPRINTF(2, "Internal error: u_sss_result == NULL && sss_error == 0"); ++ sudo_debug_printf(2, "Internal error: u_sss_result == NULL && sss_error == 0"); + debug_return_ptr(NULL); + } + break; + case ENOENT: +- DPRINTF(2, "No result."); ++ sudo_debug_printf(2, "No result."); + default: +- DPRINTF(2, "sss_error=%u\n", sss_error); ++ sudo_debug_printf(2, "sss_error=%u\n", sss_error); + debug_return_ptr(NULL); + } + break; + default: +- DPRINTF(2, "sss_sudo_send_recv: != 0: ret=%d", ret); ++ sudo_debug_printf(2, "sss_sudo_send_recv: != 0: ret=%d", ret); + debug_return_ptr(NULL); + } + +@@ -537,11 +532,11 @@ static struct sss_sudo_result *sudo_sss_ + if (f_sss_result != NULL) + if (f_sss_result->num_rules > 0) + if (state != NULL) { +- DPRINTF(3, "state |= HOSTMATCH"); ++ sudo_debug_printf(3, "state |= HOSTMATCH"); + *state |= _SUDO_SSS_STATE_HOSTMATCH; + } + +- DPRINTF(3, "u_sss_result=(%p, %u) => f_sss_result=(%p, %u)", ++ sudo_debug_printf(3, "u_sss_result=(%p, %u) => f_sss_result=(%p, %u)", + u_sss_result, u_sss_result->num_rules, f_sss_result, f_sss_result->num_rules); + + sss_sudo_free_result(u_sss_result); +@@ -568,17 +563,17 @@ sudo_sss_check_bool(struct sss_sudo_rule + case 0: + break; + case ENOENT: +- DPRINTF(2, "No result."); ++ sudo_debug_printf(2, "No result."); + debug_return_int(ret); + default: +- DPRINTF(2, "sss_sudo_get_values: != 0"); ++ sudo_debug_printf(2, "sss_sudo_get_values: != 0"); + debug_return_int(ret); + } + + /* walk through options */ + for (i = 0; val_array[i] != NULL; ++i) { + var = val_array[i]; +- DPRINTF(2, "sssd/ldap sudoOption: '%s'", var); ++ sudo_debug_printf(2, "sssd/ldap sudoOption: '%s'", var); + + if ((ch = *var) == '!') + var++; +@@ -611,24 +606,24 @@ sudo_sss_check_command(struct sss_sudo_r + case 0: + break; + case ENOENT: +- DPRINTF(2, "No result."); ++ sudo_debug_printf(2, "No result."); + debug_return_int(ret); + default: +- DPRINTF(2, "sss_sudo_get_values: != 0"); ++ sudo_debug_printf(2, "sss_sudo_get_values: != 0"); + debug_return_int(ret); + } + + for (i = 0; val_array[i] != NULL && ret != false; ++i) { + val = val_array[i]; + +- DPRINTF(3, "val[%d]=%s", i, val); ++ sudo_debug_printf(3, "val[%d]=%s", i, val); + + /* Match against ALL ? */ + if (!strcmp(val, "ALL")) { + ret = true; + if (setenv_implied != NULL) + *setenv_implied = true; +- DPRINTF(2, "sssd/ldap sudoCommand '%s' ... MATCH!", val); ++ sudo_debug_printf(2, "sssd/ldap sudoCommand '%s' ... MATCH!", val); + continue; + } + +@@ -655,7 +650,7 @@ sudo_sss_check_command(struct sss_sudo_r + ret = foundbang ? false : true; + } + +- DPRINTF(2, "sssd/ldap sudoCommand '%s' ... %s", val, ret == true ? "MATCH!" : "not"); ++ sudo_debug_printf(2, "sssd/ldap sudoCommand '%s' ... %s", val, ret == true ? "MATCH!" : "not"); + efree(allowed_cmnd); /* cleanup */ + } + +@@ -680,16 +675,16 @@ sudo_sss_parse_options(struct sss_sudo_r + case 0: + break; + case ENOENT: +- DPRINTF(2, "No result."); ++ sudo_debug_printf(2, "No result."); + debug_return; + default: +- DPRINTF(2, "sss_sudo_get_values(sudoOption): != 0"); ++ sudo_debug_printf(2, "sss_sudo_get_values(sudoOption): != 0"); + debug_return; + } + + /* walk through options */ + for (i = 0; val_array[i] != NULL; i++) { +- DPRINTF(2, "sssd/ldap sudoOption: '%s'", val_array[i]); ++ sudo_debug_printf(2, "sssd/ldap sudoOption: '%s'", val_array[i]); + v = estrdup(val_array[i]); + + /* check for equals sign past first char */ +@@ -741,7 +736,7 @@ static int sudo_sss_lookup(struct sudo_n + enum def_tuple pwcheck = + (pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple; + +- DPRINTF(2, "perform search for pwflag %d", pwflag); ++ sudo_debug_printf(2, "perform search for pwflag %d", pwflag); + if (sss_result != NULL) { + for (i = 0; i < sss_result->num_rules; i++) { + rule = sss_result->rules + i; +@@ -782,7 +777,7 @@ static int sudo_sss_lookup(struct sudo_n + goto done; + } + +- DPRINTF(1, "searching SSSD/LDAP for sudoers entries"); ++ sudo_debug_printf(1, "searching SSSD/LDAP for sudoers entries"); + + setenv_implied = false; + if (sss_result != NULL) { +@@ -793,9 +788,9 @@ static int sudo_sss_lookup(struct sudo_n + rc = sudo_sss_check_command(rule, &setenv_implied); + if (rc != UNSPEC) { + /* We have a match. */ +- DPRINTF(1, "Command %sallowed", rc == true ? "" : "NOT "); ++ sudo_debug_printf(1, "Command %sallowed", rc == true ? "" : "NOT "); + if (rc == true) { +- DPRINTF(3, "SSSD rule: %p", rule); ++ sudo_debug_printf(3, "SSSD rule: %p", rule); + /* Apply entry-specific options. */ + if (setenv_implied) + def_setenv = true; +@@ -818,7 +813,7 @@ static int sudo_sss_lookup(struct sudo_n + } + } + done: +- DPRINTF(1, "Done with LDAP searches"); ++ sudo_debug_printf(1, "Done with LDAP searches"); + + if (!ISSET(ret, VALIDATE_OK)) { + /* No matching entries. */ +@@ -831,7 +826,7 @@ done: + if (state & _SUDO_SSS_STATE_HOSTMATCH) + CLR(ret, FLAG_NO_HOST); + +- DPRINTF(3, "sudo_sss_lookup(%d)=0x%02x", pwflag, ret); ++ sudo_debug_printf(3, "sudo_sss_lookup(%d)=0x%02x", pwflag, ret); + + debug_return_int(ret); + } +@@ -854,7 +849,7 @@ static int sudo_sss_display_cmnd(struct + * The sudo_sss_result_get() function returns all nodes that match + * the user and the host. + */ +- DPRINTF(1, "sssd/ldap search for command list"); ++ sudo_debug_printf(1, "sssd/ldap search for command list"); + sss_result = sudo_sss_result_get(nss, pw, NULL); + + if (sss_result == NULL) +@@ -902,7 +897,7 @@ static int sudo_sss_display_defaults(str + &sss_error, &handle->domainname, + &sss_result) != 0) + { +- DPRINTF(2, "sss_sudo_send_recv_defaults: !=0, sss_error=%u", sss_error); ++ sudo_debug_printf(2, "sss_sudo_send_recv_defaults: !=0, sss_error=%u", sss_error); + goto done; + } + +@@ -916,10 +911,10 @@ static int sudo_sss_display_defaults(str + case 0: + break; + case ENOENT: +- DPRINTF(2, "No result."); ++ sudo_debug_printf(2, "No result."); + continue; + default: +- DPRINTF(2, "sss_sudo_get_values: != 0"); ++ sudo_debug_printf(2, "sss_sudo_get_values: != 0"); + continue; + } + +@@ -976,16 +971,16 @@ static int sudo_sss_display_entry_long(s + sss_sudo_free_values(val_array); + break; + case ENOENT: +- DPRINTF(2, "No result."); ++ sudo_debug_printf(2, "No result."); + lbuf_append(lbuf, "%s", def_runas_default); + break; + default: +- DPRINTF(2, "sss_sudo_get_values(sudoRunAs): != 0"); ++ sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAs): != 0"); + debug_return_int(count); + } + break; + default: +- DPRINTF(2, "sss_sudo_get_values(sudoRunAsUser): != 0"); ++ sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAsUser): != 0"); + debug_return_int(count); + } + lbuf_append(lbuf, "\n"); +@@ -1001,10 +996,10 @@ static int sudo_sss_display_entry_long(s + lbuf_append(lbuf, "\n"); + break; + case ENOENT: +- DPRINTF(2, "No result."); ++ sudo_debug_printf(2, "No result."); + break; + default: +- DPRINTF(2, "sss_sudo_get_values(sudoRunAsGroup): != 0"); ++ sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAsGroup): != 0"); + debug_return_int(count); + } + +@@ -1019,10 +1014,10 @@ static int sudo_sss_display_entry_long(s + lbuf_append(lbuf, "\n"); + break; + case ENOENT: +- DPRINTF(2, "No result."); ++ sudo_debug_printf(2, "No result."); + break; + default: +- DPRINTF(2, "sss_sudo_get_values(sudoOption): != 0"); ++ sudo_debug_printf(2, "sss_sudo_get_values(sudoOption): != 0"); + debug_return_int(count); + } + +@@ -1037,10 +1032,10 @@ static int sudo_sss_display_entry_long(s + sss_sudo_free_values(val_array); + break; + case ENOENT: +- DPRINTF(2, "No result."); ++ sudo_debug_printf(2, "No result."); + break; + default: +- DPRINTF(2, "sss_sudo_get_values(sudoCommand): != 0"); ++ sudo_debug_printf(2, "sss_sudo_get_values(sudoCommand): != 0"); + debug_return_int(count); + } + +@@ -1064,7 +1059,7 @@ static int sudo_sss_display_entry_short( + sss_sudo_free_values(val_array); + break; + case ENOENT: +- DPRINTF(2, "No result. Trying old style (sudoRunAs)."); ++ sudo_debug_printf(2, "No result. Trying old style (sudoRunAs)."); + /* try old style */ + switch (sss_sudo_get_values(rule, "sudoRunAs", &val_array)) + { +@@ -1074,16 +1069,16 @@ static int sudo_sss_display_entry_short( + sss_sudo_free_values(val_array); + break; + case ENOENT: +- DPRINTF(2, "No result."); ++ sudo_debug_printf(2, "No result."); + lbuf_append(lbuf, "%s", def_runas_default); + break; + default: +- DPRINTF(2, "sss_sudo_get_values(sudoRunAs): != 0"); ++ sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAs): != 0"); + debug_return_int(count); + } + break; + default: +- DPRINTF(2, "sss_sudo_get_values(sudoRunAsUser): != 0"); ++ sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAsUser): != 0"); + debug_return_int(count); + } + +@@ -1097,10 +1092,10 @@ static int sudo_sss_display_entry_short( + sss_sudo_free_values(val_array); + break; + case ENOENT: +- DPRINTF(2, "No result."); ++ sudo_debug_printf(2, "No result."); + break; + default: +- DPRINTF(2, "sss_sudo_get_values(sudoRunAsGroup): != 0"); ++ sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAsGroup): != 0"); + debug_return_int(count); + } + +@@ -1128,10 +1123,10 @@ static int sudo_sss_display_entry_short( + sss_sudo_free_values(val_array); + break; + case ENOENT: +- DPRINTF(2, "No result."); ++ sudo_debug_printf(2, "No result."); + break; + default: +- DPRINTF(2, "sss_sudo_get_values(sudoOption): != 0"); ++ sudo_debug_printf(2, "sss_sudo_get_values(sudoOption): != 0"); + debug_return_int(count); + } + +@@ -1145,10 +1140,10 @@ static int sudo_sss_display_entry_short( + sss_sudo_free_values(val_array); + break; + case ENOENT: +- DPRINTF(2, "No result."); ++ sudo_debug_printf(2, "No result."); + break; + default: +- DPRINTF(2, "sss_sudo_get_values(sudoCommand): != 0"); ++ sudo_debug_printf(2, "sss_sudo_get_values(sudoCommand): != 0"); + debug_return_int(count); + } + lbuf_append(lbuf, "\n"); +@@ -1171,7 +1166,7 @@ static int sudo_sss_display_privs(struct + if (sudo_sss_checkpw(nss, pw) != 0) + debug_return_int(-1); + +- DPRINTF(2, "sssd/ldap search for command list"); ++ sudo_debug_printf(2, "sssd/ldap search for command list"); + + sss_result = sudo_sss_result_get(nss, pw, NULL); + diff --git a/sudo.spec b/sudo.spec index 8132bf4..3e5df6b 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo Version: 1.8.5 -Release: 3%{?dist} +Release: 4%{?dist} License: ISC Group: Applications/System URL: http://www.courtesan.com/sudo/ @@ -20,7 +20,6 @@ BuildRequires: audit-libs-devel libcap-devel BuildRequires: libselinux-devel BuildRequires: sendmail BuildRequires: gettext -BuildRequires: libsss_sudo-devel # don't strip Patch1: sudo-1.6.7p5-strip.patch @@ -32,6 +31,17 @@ Patch3: sudo-1.7.4p3-m4path.patch Patch4: sudo-1.8.5-pipelist.patch # SSSD support Patch5: sudo-1.8.5-sssd-support.patch +# Add SSSD debug subsystem +Patch6: sudo-1.8.5-add-sssd-debug-subsystem.patch +# Use sudo_debug_printf instead of DPRINTF in sssd.c +Patch7: sudo-1.8.5-sssd-use-sudo_debug_printf.patch +# Handle sss_ret correctly in sssd.c to avoid segfault +# when user is not found in sssd +Patch8: sudo-1.8.5-sssd-handle-sss_ret-correctly.patch +# dlopen libsss_sudo +Patch9: sudo-1.8.5-sssd-dlopen-lib.patch +# remove source when nss->open() fails +Patch10: sudo-1.8.5-remove-source-when-open-failed.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -61,7 +71,11 @@ plugins that use %{name}. %patch3 -p1 -b .m4path %patch4 -p1 -b .pipelist %patch5 -p1 -b .sssd-support - +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 %build autoreconf -fv --install @@ -90,8 +104,8 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" --with-ldap \ --with-selinux \ --with-passprompt="[sudo] password for %p: " \ - --with-linux-audit -# --with-sssd + --with-linux-audit \ + --with-sssd # --without-kerb5 \ # --without-kerb4 make @@ -171,6 +185,11 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/sudo_plugin.8* %changelog +* Thu Jul 26 2012 Daniel Kopecek - 1.8.5-4 +- added patches that fix & improve SSSD support (thanks to pbrezina@redhat.com) +- re-enabled SSSD support +- removed libsss_sudo dependency + * Tue Jul 24 2012 Bill Nottingham - 1.8.5-3 - flip sudoers2ldif executable bit after make install, not in setup