rpms/sudo
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to 1.8.6

Browse Source 
- dropped SSSD patches as they are now part of the upstream source code
 - use the upstream version of -pipelist patch
This commit is contained in:
Daniel Kopecek 2012-09-06 14:41:27 +02:00
parent 049d9661dd
commit 41b07d49de
11 changed files with 41 additions and 3255 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -7,3 +7,4 @@ sudo-1.7.2p2-sudoers
/sudo-1.8.1p2.tar.gz
/sudo-1.8.3p1.tar.gz
/sudo-1.8.5.tar.gz
/sudo-1.8.6.tar.gz

2
sources
View File

@ -1,2 +1,2 @@
8d5a664bba74b19ca0b40db1d90f2cee sudo-1.8.5.tar.gz
3d400e84c3a1e2164171db8d54b11aab sudo-1.8.6.tar.gz
56f74aed3a7b32f2b01a34d65ac86f85 sudo-1.7.4p4-sudoers

290
sudo-1.8.5-add-sssd-debug-subsystem.patch
View File

@ -1,290 +0,0 @@
diff -rup original/common/sudo_debug.c new/common/sudo_debug.c
--- original/common/sudo_debug.c 2012-05-15 18:22:01.000000000 +0200
+++ new/common/sudo_debug.c 2012-07-17 10:24:05.389397245 +0200
@@ -101,6 +101,7 @@ const char *const sudo_debug_subsystems[
"perms",
"plugin",
"hooks",
+ "sssd",
NULL
};
diff -rup original/include/sudo_debug.h new/include/sudo_debug.h
--- original/include/sudo_debug.h 2012-05-15 18:22:02.000000000 +0200
+++ new/include/sudo_debug.h 2012-07-17 10:49:43.470809390 +0200
@@ -71,6 +71,7 @@
#define SUDO_DEBUG_PERMS (23<<6) /* uid/gid swapping functions */
#define SUDO_DEBUG_PLUGIN (24<<6) /* main plugin functions */
#define SUDO_DEBUG_HOOKS (25<<6) /* hook functions */
+#define SUDO_DEBUG_SSSD (26<<6) /* sudoers SSSD */
#define SUDO_DEBUG_ALL 0xfff0 /* all subsystems */
/* Flag to include string version of errno in debug info. */
diff -rup original/plugins/sudoers/sssd.c new/plugins/sudoers/sssd.c
--- original/plugins/sudoers/sssd.c 2012-07-17 10:13:42.366133003 +0200
+++ new/plugins/sudoers/sssd.c 2012-07-17 10:24:05.383397175 +0200
@@ -86,7 +86,7 @@ static struct sss_sudo_result *sudo_sss_
static void sudo_sss_attrcpy(struct sss_sudo_attr *dst, const struct sss_sudo_attr *src)
{
int i;
- debug_decl(sudo_sss_attrcpy, SUDO_DEBUG_LDAP)
+ debug_decl(sudo_sss_attrcpy, SUDO_DEBUG_SSSD)
DPRINTF(3, "dst=%p, src=%p", dst, src);
DPRINTF(2, "emalloc: cnt=%d", src->num_values);
@@ -104,8 +104,8 @@ static void sudo_sss_attrcpy(struct sss_
static void sudo_sss_rulecpy(struct sss_sudo_rule *dst, const struct sss_sudo_rule *src)
{
int i;
- debug_decl(sudo_sss_rulecpy, SUDO_DEBUG_LDAP)
-
+ debug_decl(sudo_sss_rulecpy, SUDO_DEBUG_SSSD)
+
DPRINTF(3, "dst=%p, src=%p", dst, src);
DPRINTF(2, "emalloc: cnt=%d", src->num_attrs);
@@ -130,7 +130,7 @@ static struct sss_sudo_result *sudo_sss_
{
struct sss_sudo_result *out_res;
int i, l, r;
- debug_decl(sudo_sss_filter_result, SUDO_DEBUG_LDAP)
+ debug_decl(sudo_sss_filter_result, SUDO_DEBUG_SSSD)
DPRINTF(3, "in_res=%p, count=%u, act=%s",
in_res, in_res->num_rules, act == _SUDO_SSS_FILTER_EXCLUDE ? "EXCLUDE" : "INCLUDE");
@@ -193,7 +193,7 @@ struct sudo_nss sudo_nss_sss = {
static int sudo_sss_open(struct sudo_nss *nss)
{
struct sudo_sss_handle *handle;
- debug_decl(sudo_sss_open, SUDO_DEBUG_LDAP);
+ debug_decl(sudo_sss_open, SUDO_DEBUG_SSSD);
/* Create a handle container. */
handle = emalloc(sizeof(struct sudo_sss_handle));
@@ -209,7 +209,7 @@ static int sudo_sss_open(struct sudo_nss
// ok
static int sudo_sss_close(struct sudo_nss *nss)
{
- debug_decl(sudo_sss_close, SUDO_DEBUG_LDAP);
+ debug_decl(sudo_sss_close, SUDO_DEBUG_SSSD);
efree(nss->handle);
debug_return_int(0);
}
@@ -217,7 +217,7 @@ static int sudo_sss_close(struct sudo_ns
// ok
static int sudo_sss_parse(struct sudo_nss *nss)
{
- debug_decl(sudo_sss_parse, SUDO_DEBUG_LDAP);
+ debug_decl(sudo_sss_parse, SUDO_DEBUG_SSSD);
debug_return_int(0);
}
@@ -229,7 +229,7 @@ static int sudo_sss_setdefs(struct sudo_
struct sss_sudo_rule *sss_rule;
uint32_t sss_error;
int i;
- debug_decl(sudo_sss_setdefs, SUDO_DEBUG_LDAP);
+ debug_decl(sudo_sss_setdefs, SUDO_DEBUG_SSSD);
if (handle == NULL)
debug_return_int(-1);
@@ -257,7 +257,7 @@ static int sudo_sss_setdefs(struct sudo_
static int sudo_sss_checkpw(struct sudo_nss *nss, struct passwd *pw)
{
struct sudo_sss_handle *handle = nss->handle;
- debug_decl(sudo_sss_checkpw, SUDO_DEBUG_LDAP);
+ debug_decl(sudo_sss_checkpw, SUDO_DEBUG_SSSD);
if (pw->pw_name != handle->pw->pw_name ||
pw->pw_uid != handle->pw->pw_uid)
@@ -278,13 +278,13 @@ sudo_sss_check_runas_user(struct sss_sud
char **val_array = NULL;
char *val;
int ret = false, i;
- debug_decl(sudo_sss_check_runas_user, SUDO_DEBUG_LDAP);
+ debug_decl(sudo_sss_check_runas_user, SUDO_DEBUG_SSSD);
if (!runas_pw)
debug_return_int(UNSPEC);
/* get the runas user from the entry */
- switch (sss_sudo_get_values(sss_rule, "sudoRunAsUser", &val_array))
+ switch (sss_sudo_get_values(sss_rule, "sudoRunAsUser", &val_array))
{
case 0:
break;
@@ -315,18 +315,18 @@ sudo_sss_check_runas_user(struct sss_sud
/*
* BUG:
- *
+ *
* if runas is not specified on the command line, the only information
* as to which user to run as is in the runas_default option. We should
* check to see if we have the local option present. Unfortunately we
* don't parse these options until after this routine says yes or no.
* The query has already returned, so we could peek at the attribute
* values here though.
- *
+ *
* For now just require users to always use -u option unless its set
* in the global defaults. This behaviour is no different than the global
* /etc/sudoers.
- *
+ *
* Sigh - maybe add this feature later
*/
@@ -381,7 +381,7 @@ sudo_sss_check_runas_group(struct sss_su
char **val_array = NULL;
char *val;
int ret = false, i;
- debug_decl(sudo_sss_check_runas_group, SUDO_DEBUG_LDAP);
+ debug_decl(sudo_sss_check_runas_group, SUDO_DEBUG_SSSD);
/* runas_gr is only set if the user specified the -g flag */
if (!runas_gr)
@@ -424,7 +424,7 @@ static int
sudo_sss_check_runas(struct sss_sudo_rule *rule)
{
int ret;
- debug_decl(sudo_sss_check_runas, SUDO_DEBUG_LDAP);
+ debug_decl(sudo_sss_check_runas, SUDO_DEBUG_SSSD);
if (rule == NULL)
debug_return_int(false);
@@ -439,7 +439,7 @@ static int sudo_sss_check_host(struct ss
{
char **val_array, *val;
int ret = false, i;
- debug_decl(sudo_sss_check_host, SUDO_DEBUG_LDAP);
+ debug_decl(sudo_sss_check_host, SUDO_DEBUG_SSSD);
if (rule == NULL)
debug_return_int(ret);
@@ -479,7 +479,7 @@ static int sudo_sss_check_host(struct ss
static int sudo_sss_result_filterp(struct sss_sudo_rule *rule, void *unused)
{
(void)unused;
- debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_LDAP);
+ debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD);
if (sudo_sss_check_host(rule))
debug_return_int(1);
@@ -492,7 +492,7 @@ static struct sss_sudo_result *sudo_sss_
struct sudo_sss_handle *handle = nss->handle;
struct sss_sudo_result *u_sss_result, *f_sss_result;
uint32_t sss_error = 0, ret;
- debug_decl(sudo_sss_result_get, SUDO_DEBUG_LDAP);
+ debug_decl(sudo_sss_result_get, SUDO_DEBUG_SSSD);
if (sudo_sss_checkpw(nss, pw) != 0)
debug_return_ptr(NULL);
@@ -558,7 +558,7 @@ sudo_sss_check_bool(struct sss_sudo_rule
{
char ch, *var, **val_array = NULL;
int i, ret = UNSPEC;
- debug_decl(sudo_sss_check_bool, SUDO_DEBUG_LDAP);
+ debug_decl(sudo_sss_check_bool, SUDO_DEBUG_SSSD);
if (rule == NULL)
debug_return_int(ret);
@@ -601,7 +601,7 @@ sudo_sss_check_command(struct sss_sudo_r
char **val_array = NULL, *val;
char *allowed_cmnd, *allowed_args;
int i, foundbang, ret = UNSPEC;
- debug_decl(sudo_sss_check_command, SUDO_DEBUG_LDAP);
+ debug_decl(sudo_sss_check_command, SUDO_DEBUG_SSSD);
if (rule == NULL)
debug_return_int(ret);
@@ -670,7 +670,7 @@ sudo_sss_parse_options(struct sss_sudo_r
int i;
char op, *v, *val;
char **val_array = NULL;
- debug_decl(sudo_sss_parse_options, SUDO_DEBUG_LDAP);
+ debug_decl(sudo_sss_parse_options, SUDO_DEBUG_SSSD);
if (rule == NULL)
debug_return;
@@ -726,7 +726,7 @@ static int sudo_sss_lookup(struct sudo_n
struct sss_sudo_result *sss_result = NULL;
struct sss_sudo_rule *rule;
uint32_t i, state = 0;
- debug_decl(sudo_sss_lookup, SUDO_DEBUG_LDAP);
+ debug_decl(sudo_sss_lookup, SUDO_DEBUG_SSSD);
/* Fetch list of sudoRole entries that match user and host. */
sss_result = sudo_sss_result_get(nss, sudo_user.pw, &state);
@@ -738,7 +738,7 @@ static int sudo_sss_lookup(struct sudo_n
if (pwflag) {
int doauth = UNSPEC;
int matched = UNSPEC;
- enum def_tuple pwcheck =
+ enum def_tuple pwcheck =
(pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple;
DPRINTF(2, "perform search for pwflag %d", pwflag);
@@ -842,7 +842,7 @@ static int sudo_sss_display_cmnd(struct
struct sss_sudo_result *sss_result = NULL;
struct sss_sudo_rule *rule;
int i, found = false;
- debug_decl(sudo_sss_display_cmnd, SUDO_DEBUG_LDAP);
+ debug_decl(sudo_sss_display_cmnd, SUDO_DEBUG_SSSD);
if (handle == NULL)
goto done;
@@ -893,7 +893,7 @@ static int sudo_sss_display_defaults(str
char *prefix, *val, **val_array = NULL;
int count = 0, i, j;
- debug_decl(sudo_sss_display_defaults, SUDO_DEBUG_LDAP);
+ debug_decl(sudo_sss_display_defaults, SUDO_DEBUG_SSSD);
if (handle == NULL)
goto done;
@@ -934,7 +934,7 @@ static int sudo_sss_display_defaults(str
prefix = ", ";
count++;
}
-
+
sss_sudo_free_values(val_array);
val_array = NULL;
}
@@ -948,7 +948,7 @@ done:
static int sudo_sss_display_bound_defaults(struct sudo_nss *nss,
struct passwd *pw, struct lbuf *lbuf)
{
- debug_decl(sudo_sss_display_bound_defaults, SUDO_DEBUG_LDAP);
+ debug_decl(sudo_sss_display_bound_defaults, SUDO_DEBUG_SSSD);
debug_return_int(0);
}
@@ -956,7 +956,7 @@ static int sudo_sss_display_entry_long(s
{
char **val_array = NULL;
int count = 0, i;
- debug_decl(sudo_sss_display_entry_long, SUDO_DEBUG_LDAP);
+ debug_decl(sudo_sss_display_entry_long, SUDO_DEBUG_SSSD);
/* get the RunAsUser Values from the entry */
lbuf_append(lbuf, " RunAsUsers: ");
@@ -1051,7 +1051,7 @@ static int sudo_sss_display_entry_short(
{
char **val_array = NULL;
int count = 0, i;
- debug_decl(sudo_sss_display_entry_short, SUDO_DEBUG_LDAP);
+ debug_decl(sudo_sss_display_entry_short, SUDO_DEBUG_SSSD);
lbuf_append(lbuf, " (");
@@ -1164,7 +1164,7 @@ static int sudo_sss_display_privs(struct
struct sss_sudo_result *sss_result = NULL;
struct sss_sudo_rule *rule;
unsigned int i, count = 0;
- debug_decl(sudo_sss_display_privs, SUDO_DEBUG_LDAP);
+ debug_decl(sudo_sss_display_privs, SUDO_DEBUG_SSSD);
if (handle == NULL)
debug_return_int(-1);

29
sudo-1.8.5-pipelist.patch
View File

@ -1,29 +0,0 @@
diff -up sudo-1.8.5rc5/common/ttysize.c.pipelist sudo-1.8.5rc5/common/ttysize.c
--- sudo-1.8.5rc5/common/ttysize.c.pipelist 2012-04-06 21:43:19.000000000 +0200
+++ sudo-1.8.5rc5/common/ttysize.c 2012-05-16 13:03:17.184034854 +0200
@@ -20,6 +20,7 @@
#include <sys/types.h>
#include <sys/ioctl.h>
+#include <sys/stat.h>
#include <stdio.h>
#ifdef STDC_HEADERS
# include <stdlib.h>
@@ -71,8 +72,17 @@ get_ttysize_ioctl(int *rowp, int *colp)
void
get_ttysize(int *rowp, int *colp)
{
+ struct stat st;
debug_decl(fork_cmnd, SUDO_DEBUG_EXEC)
+ if (fstat(STDOUT_FILENO, &st) == 0) {
+ if (S_ISFIFO(st.st_mode)) {
+ *rowp = 0;
+ *colp = 0;
+ return;
+ }
+ }
+
if (get_ttysize_ioctl(rowp, colp) == -1) {
char *p;

33
sudo-1.8.5-remove-source-when-open-failed.patch
View File

@ -1,33 +0,0 @@
diff -rup original/plugins/sudoers/sudoers.c new/plugins/sudoers/sudoers.c
--- original/plugins/sudoers/sudoers.c 2012-07-19 12:13:31.292479203 +0200
+++ new/plugins/sudoers/sudoers.c 2012-07-19 12:14:02.898844521 +0200
@@ -145,6 +145,7 @@ sudoers_policy_open(unsigned int version
volatile int sources = 0;
sigaction_t sa;
struct sudo_nss *nss;
+ struct sudo_nss *nss_next;
debug_decl(sudoers_policy_open, SUDO_DEBUG_PLUGIN)
sudo_version = version;
@@ -201,12 +202,15 @@ sudoers_policy_open(unsigned int version
set_perms(PERM_ROOT);
/* Open and parse sudoers, set global defaults */
- tq_foreach_fwd(snl, nss) {
- if (nss->open(nss) == 0 && nss->parse(nss) == 0) {
- sources++;
- if (nss->setdefs(nss) != 0)
- log_error(NO_STDERR, _("problem with defaults entries"));
- }
+ for (nss = snl->first; nss != NULL; nss = nss_next) {
+ nss_next = nss->next;
+ if (nss->open(nss) == 0 && nss->parse(nss) == 0) {
+ sources++;
+ if (nss->setdefs(nss) != 0)
+ log_error(NO_STDERR, _("problem with defaults entries"));
+ } else {
+ tq_remove(snl, nss);
+ }
}
if (sources == 0) {
warningx(_("no valid sudoers sources found, quitting"));

905
sudo-1.8.5-sssd-dlopen-lib.patch
View File

@ -1,905 +0,0 @@
diff -rup original/configure.in new/configure.in
--- original/configure.in 2012-07-19 12:13:15.872301022 +0200
+++ new/configure.in 2012-07-23 11:31:42.821466529 +0200
@@ -101,6 +101,7 @@ AC_SUBST([root_sudo])
AC_SUBST([path_info])
AC_SUBST([ldap_conf])
AC_SUBST([ldap_secret])
+AC_SUBST([sssd_lib])
AC_SUBST([nsswitch_conf])
AC_SUBST([netsvc_conf])
AC_SUBST([secure_path])
@@ -290,8 +291,6 @@ dnl
AC_ARG_WITH(sssd, [AS_HELP_STRING([--with-sssd], [enable SSSD support])],
[case $with_sssd in
yes)
- SUDO_LIBS="${SUDO_LIBS} `pkg-config libsss_sudo --libs`"
- SUDOERS_LIBS="${SUDO_LIBS} `pkg-config libsss_sudo --libs`"
SUDOERS_OBJS="${SUDOERS_OBJS} sssd.lo"
AC_DEFINE(HAVE_SSSD)
;;
@@ -300,6 +299,11 @@ AC_ARG_WITH(sssd, [AS_HELP_STRING([--wit
;;
esac])
+AC_ARG_WITH(sssd-lib, [AS_HELP_STRING([--with-sssd-lib], [path to the SSSD library])])
+sssd_lib="\"LIBDIR\""
+test -n "$with_sssd_lib" && sssd_lib="$with_sssd_lib"
+SUDO_DEFINE_UNQUOTED(_PATH_SSSD_LIB, "$sssd_lib", [Path to the SSSD library])
+
AC_ARG_WITH(incpath, [AS_HELP_STRING([--with-incpath], [additional places to look for include files])],
[case $with_incpath in
yes) AC_MSG_ERROR(["must give --with-incpath an argument."])
diff -rup original/pathnames.h.in new/pathnames.h.in
--- original/pathnames.h.in 2012-07-19 12:13:15.779299949 +0200
+++ new/pathnames.h.in 2012-07-19 15:58:49.454653685 +0200
@@ -157,6 +157,10 @@
#undef _PATH_LDAP_SECRET
#endif /* _PATH_LDAP_SECRET */
+#ifndef _PATH_SSSD_LIB
+#undef _PATH_SSSD_LIB
+#endif /* _PATH_SSSD_LIB */
+
#ifndef _PATH_NSSWITCH_CONF
#undef _PATH_NSSWITCH_CONF
#endif /* _PATH_NSSWITCH_CONF */
diff -rup original/plugins/sudoers/Makefile.in new/plugins/sudoers/Makefile.in
--- original/plugins/sudoers/Makefile.in 2012-07-19 12:13:15.756299680 +0200
+++ new/plugins/sudoers/Makefile.in 2012-07-23 11:31:56.084610531 +0200
@@ -32,6 +32,7 @@ top_srcdir = @top_srcdir@
incdir = $(top_srcdir)/include
docdir = @docdir@
timedir = @timedir@
+libdir = @libdir@
# Compiler & tools to use
CC = @CC@
@@ -51,7 +52,7 @@ SUDOERS_LIBS = @SUDOERS_LIBS@ @AFS_LIBS@
REPLAY_LIBS = @REPLAY_LIBS@ @ZLIB@
# C preprocessor flags
-CPPFLAGS = -I$(incdir) -I$(top_builddir) -I$(devdir) -I$(srcdir) -I$(top_srcdir) @CPPFLAGS@
+CPPFLAGS = -I$(incdir) -I$(top_builddir) -I$(devdir) -I$(srcdir) -I$(top_srcdir) -DLIBDIR=\"$(libdir)\" @CPPFLAGS@
# Usually -O and/or -g
CFLAGS = @CFLAGS@
diff -rup original/plugins/sudoers/sssd.c new/plugins/sudoers/sssd.c
--- original/plugins/sudoers/sssd.c 2012-07-19 12:13:15.667298652 +0200
+++ new/plugins/sudoers/sssd.c 2012-07-23 11:32:04.260699269 +0200
@@ -44,23 +44,70 @@
#if TIME_WITH_SYS_TIME
# include <time.h>
#endif
+#ifdef HAVE_DLOPEN
+# include <dlfcn.h>
+#else
+# include "compat/dlfcn.h"
+#endif
#include <ctype.h>
#include <pwd.h>
#include <grp.h>
-#include <sss_sudo.h>
#include <errno.h>
+#include <stdint.h>
#include "sudoers.h"
#include "parse.h"
#include "lbuf.h"
#include "sudo_debug.h"
+/* SSSD <--> SUDO interface - do not change */
+struct sss_sudo_attr {
+ char *name;
+ char **values;
+ unsigned int num_values;
+};
+
+struct sss_sudo_rule {
+ unsigned int num_attrs;
+ struct sss_sudo_attr *attrs;
+};
+
+struct sss_sudo_result {
+ unsigned int num_rules;
+ struct sss_sudo_rule *rules;
+};
+
+typedef int (*sss_sudo_send_recv_t)(uid_t, const char*, const char*,
+ uint32_t*, struct sss_sudo_result**);
+
+typedef int (*sss_sudo_send_recv_defaults_t)(uid_t, const char*, uint32_t*,
+ char**, struct sss_sudo_result**);
+
+typedef void (*sss_sudo_free_result_t)(struct sss_sudo_result*);
+
+typedef int (*sss_sudo_get_values_t)(struct sss_sudo_rule*, const char*,
+ char***);
+
+typedef void (*sss_sudo_free_values_t)(char**);
+
/* sudo_nss implementation */
+
+struct sudo_sss_handle {
+ char *domainname;
+ struct passwd *pw;
+ void *ssslib;
+ sss_sudo_send_recv_t fn_send_recv;
+ sss_sudo_send_recv_defaults_t fn_send_recv_defaults;
+ sss_sudo_free_result_t fn_free_result;
+ sss_sudo_get_values_t fn_get_values;
+ sss_sudo_free_values_t fn_free_values;
+};
+
static int sudo_sss_open(struct sudo_nss *nss);
static int sudo_sss_close(struct sudo_nss *nss);
static int sudo_sss_parse(struct sudo_nss *nss);
-static void sudo_sss_parse_options(struct sss_sudo_rule *rule);
+static void sudo_sss_parse_options(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule);
static int sudo_sss_setdefs(struct sudo_nss *nss);
static int sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag);
static int sudo_sss_display_cmnd(struct sudo_nss *nss, struct passwd *pw);
@@ -121,7 +168,7 @@ static void sudo_sss_rulecpy(struct sss_
#define _SUDO_SSS_STATE_HOSTMATCH 0x01
#define _SUDO_SSS_STATE_USERMATCH 0x02
-static struct sss_sudo_result *sudo_sss_filter_result(struct sss_sudo_result *in_res, int (*filterp)(struct sss_sudo_rule *, void *), int act, void *filterp_arg)
+static struct sss_sudo_result *sudo_sss_filter_result(struct sudo_sss_handle *handle, struct sss_sudo_result *in_res, int (*filterp)(struct sudo_sss_handle *, struct sss_sudo_rule *, void *), int act, void *filterp_arg)
{
struct sss_sudo_result *out_res;
int i, l, r;
@@ -140,7 +187,7 @@ static struct sss_sudo_result *sudo_sss_
out_res->num_rules = 0;
for (i = l = 0; i < in_res->num_rules; ++i) {
- r = filterp(in_res->rules + i, filterp_arg);
+ r = filterp(handle, in_res->rules + i, filterp_arg);
if (( r && act == _SUDO_SSS_FILTER_INCLUDE) ||
(!r && act == _SUDO_SSS_FILTER_EXCLUDE))
@@ -164,11 +211,6 @@ static struct sss_sudo_result *sudo_sss_
debug_return_ptr(out_res);
}
-struct sudo_sss_handle {
- char *domainname;
- struct passwd *pw;
-};
-
struct sudo_nss sudo_nss_sss = {
&sudo_nss_sss,
NULL,
@@ -188,10 +230,50 @@ struct sudo_nss sudo_nss_sss = {
static int sudo_sss_open(struct sudo_nss *nss)
{
struct sudo_sss_handle *handle;
+ static const char path[] = _PATH_SSSD_LIB"/libsss_sudo.so";
debug_decl(sudo_sss_open, SUDO_DEBUG_SSSD);
/* Create a handle container. */
handle = emalloc(sizeof(struct sudo_sss_handle));
+
+ /* Load symbols */
+ handle->ssslib = dlopen(path, RTLD_LAZY);
+ if (handle->ssslib == NULL) {
+ warningx(_("Unable to dlopen %s: %s"), path, dlerror());
+ warningx(_("Unable to initialize SSS source. Is SSSD installed on your machine?"));
+ debug_return_int(EFAULT);
+ }
+
+ handle->fn_send_recv = dlsym(handle->ssslib, "sss_sudo_send_recv");
+ if (handle->fn_send_recv == NULL) {
+ warningx(_("unable to find symbol \"sss_sudo_send_recv\" in %s"), path);
+ debug_return_int(EFAULT);
+ }
+
+ handle->fn_send_recv_defaults = dlsym(handle->ssslib, "sss_sudo_send_recv_defaults");
+ if (handle->fn_send_recv_defaults == NULL) {
+ warningx(_("unable to find symbol \"sss_sudo_send_recv_defaults\" in %s"), path);
+ debug_return_int(EFAULT);
+ }
+
+ handle->fn_free_result = dlsym(handle->ssslib, "sss_sudo_free_result");
+ if (handle->fn_free_result == NULL) {
+ warningx(_("unable to find symbol \"sss_sudo_free_result\" in %s"), path);
+ debug_return_int(EFAULT);
+ }
+
+ handle->fn_get_values = dlsym(handle->ssslib, "sss_sudo_get_values");
+ if (handle->fn_get_values == NULL) {
+ warningx(_("unable to find symbol \"sss_sudo_get_values\" in %s"), path);
+ debug_return_int(EFAULT);
+ }
+
+ handle->fn_free_values = dlsym(handle->ssslib, "sss_sudo_free_values");
+ if (handle->fn_free_values == NULL) {
+ warningx(_("unable to find symbol \"sss_sudo_free_values\" in %s"), path);
+ debug_return_int(EFAULT);
+ }
+
handle->domainname = NULL;
handle->pw = sudo_user.pw;
nss->handle = handle;
@@ -204,7 +286,14 @@ static int sudo_sss_open(struct sudo_nss
// ok
static int sudo_sss_close(struct sudo_nss *nss)
{
+ struct sudo_sss_handle *handle;
debug_decl(sudo_sss_close, SUDO_DEBUG_SSSD);
+
+ if (nss && nss->handle) {
+ handle = nss->handle;
+ dlclose(handle->ssslib);
+ }
+
efree(nss->handle);
debug_return_int(0);
}
@@ -231,11 +320,11 @@ static int sudo_sss_setdefs(struct sudo_
sudo_debug_printf(1, "Looking for cn=defaults");
- if (sss_sudo_send_recv_defaults(handle->pw->pw_uid, handle->pw->pw_name,
+ if (handle->fn_send_recv_defaults(handle->pw->pw_uid, handle->pw->pw_name,
&sss_error, &handle->domainname,
&sss_result) != 0)
{
- sudo_debug_printf(2, "sss_sudo_send_recv_defaults: != 0, sss_error=%u", sss_error);
+ sudo_debug_printf(2, "handle->fn_send_recv_defaults: != 0, sss_error=%u", sss_error);
debug_return_int(-1);
}
@@ -250,10 +339,10 @@ static int sudo_sss_setdefs(struct sudo_
for (i = 0; i < sss_result->num_rules; ++i) {
sudo_debug_printf(1, "Parsing cn=defaults, %d/%d", i, sss_result->num_rules);
sss_rule = sss_result->rules + i;
- sudo_sss_parse_options(sss_rule);
+ sudo_sss_parse_options(handle, sss_rule);
}
- sss_sudo_free_result(sss_result);
+ handle->fn_free_result(sss_result);
debug_return_int(0);
}
@@ -276,7 +365,7 @@ static int sudo_sss_checkpw(struct sudo_
}
static int
-sudo_sss_check_runas_user(struct sss_sudo_rule *sss_rule)
+sudo_sss_check_runas_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *sss_rule)
{
char **val_array = NULL;
char *val;
@@ -287,7 +376,7 @@ sudo_sss_check_runas_user(struct sss_sud
debug_return_int(UNSPEC);
/* get the runas user from the entry */
- switch (sss_sudo_get_values(sss_rule, "sudoRunAsUser", &val_array))
+ switch (handle->fn_get_values(sss_rule, "sudoRunAsUser", &val_array))
{
case 0:
break;
@@ -295,7 +384,7 @@ sudo_sss_check_runas_user(struct sss_sud
sudo_debug_printf(2, "No result. Trying old style (sudoRunAs)");
/* try old style */
- switch (sss_sudo_get_values(sss_rule, "sudoRunAs", &val_array))
+ switch (handle->fn_get_values(sss_rule, "sudoRunAs", &val_array))
{
case 0:
break;
@@ -307,12 +396,12 @@ sudo_sss_check_runas_user(struct sss_sud
*/
return !strcasecmp(runas_pw->pw_name, def_runas_default);
default:
- sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAs): != 0");
+ sudo_debug_printf(2, "handle->fn_get_values(sudoRunAs): != 0");
debug_return_int(UNSPEC);
}
break;
default:
- sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAsUser): != 0");
+ sudo_debug_printf(2, "handle->fn_get_values(sudoRunAsUser): != 0");
debug_return_int(UNSPEC);
}
@@ -373,13 +462,13 @@ sudo_sss_check_runas_user(struct sss_sud
sudo_debug_printf(2, "sssd/ldap sudoRunAsUser '%s' ... %s", val, ret ? "MATCH!" : "not");
}
- sss_sudo_free_values(val_array); /* cleanup */
+ handle->fn_free_values(val_array); /* cleanup */
debug_return_int(ret);
}
static int
-sudo_sss_check_runas_group(struct sss_sudo_rule *rule)
+sudo_sss_check_runas_group(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
{
char **val_array = NULL;
char *val;
@@ -391,7 +480,7 @@ sudo_sss_check_runas_group(struct sss_su
debug_return_int(UNSPEC);
/* get the values from the entry */
- switch (sss_sudo_get_values(rule, "sudoRunAsGroup", &val_array))
+ switch (handle->fn_get_values(rule, "sudoRunAsGroup", &val_array))
{
case 0:
break;
@@ -399,7 +488,7 @@ sudo_sss_check_runas_group(struct sss_su
sudo_debug_printf(2, "No result.");
debug_return_int(false);
default:
- sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAsGroup): != 0");
+ sudo_debug_printf(2, "handle->fn_get_values(sudoRunAsGroup): != 0");
debug_return_int(UNSPEC);
}
@@ -414,7 +503,7 @@ sudo_sss_check_runas_group(struct sss_su
sudo_debug_printf(2, "sssd/ldap sudoRunAsGroup '%s' ... %s", val, ret ? "MATCH!" : "not");
}
- sss_sudo_free_values(val_array);
+ handle->fn_free_values(val_array);
debug_return_int(ret);
}
@@ -424,7 +513,7 @@ sudo_sss_check_runas_group(struct sss_su
* else false. RunAs info is optional.
*/
static int
-sudo_sss_check_runas(struct sss_sudo_rule *rule)
+sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
{
int ret;
debug_decl(sudo_sss_check_runas, SUDO_DEBUG_SSSD);
@@ -432,13 +521,13 @@ sudo_sss_check_runas(struct sss_sudo_rul
if (rule == NULL)
debug_return_int(false);
- ret = sudo_sss_check_runas_user(rule) != false &&
- sudo_sss_check_runas_group(rule) != false;
+ ret = sudo_sss_check_runas_user(handle, rule) != false &&
+ sudo_sss_check_runas_group(handle, rule) != false;
debug_return_int(ret);
}
-static int sudo_sss_check_host(struct sss_sudo_rule *rule)
+static int sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
{
char **val_array, *val;
int ret = false, i;
@@ -448,7 +537,7 @@ static int sudo_sss_check_host(struct ss
debug_return_int(ret);
/* get the values from the rule */
- switch (sss_sudo_get_values(rule, "sudoHost", &val_array))
+ switch (handle->fn_get_values(rule, "sudoHost", &val_array))
{
case 0:
break;
@@ -456,7 +545,7 @@ static int sudo_sss_check_host(struct ss
sudo_debug_printf(2, "No result.");
debug_return_int(false);
default:
- sudo_debug_printf(2, "sss_sudo_get_values(sudoHost): != 0");
+ sudo_debug_printf(2, "handle->fn_get_values(sudoHost): != 0");
debug_return_int(ret);
}
@@ -474,17 +563,17 @@ static int sudo_sss_check_host(struct ss
sudo_debug_printf(2, "sssd/ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not");
}
- sss_sudo_free_values(val_array);
+ handle->fn_free_values(val_array);
debug_return_int(ret);
}
-static int sudo_sss_result_filterp(struct sss_sudo_rule *rule, void *unused)
+static int sudo_sss_result_filterp(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule, void *unused)
{
(void)unused;
debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD);
- if (sudo_sss_check_host(rule))
+ if (sudo_sss_check_host(handle, rule))
debug_return_int(1);
else
debug_return_int(0);
@@ -505,7 +594,7 @@ static struct sss_sudo_result *sudo_sss_
u_sss_result = f_sss_result = NULL;
- switch (ret = sss_sudo_send_recv(handle->pw->pw_uid, handle->pw->pw_name,
+ switch (ret = handle->fn_send_recv(handle->pw->pw_uid, handle->pw->pw_name,
handle->domainname, &sss_error, &u_sss_result))
{
case 0:
@@ -530,11 +619,11 @@ static struct sss_sudo_result *sudo_sss_
}
break;
default:
- sudo_debug_printf(2, "sss_sudo_send_recv: != 0: ret=%d", ret);
+ sudo_debug_printf(2, "handle->fn_send_recv: != 0: ret=%d", ret);
debug_return_ptr(NULL);
}
- f_sss_result = sudo_sss_filter_result(u_sss_result, sudo_sss_result_filterp,
+ f_sss_result = sudo_sss_filter_result(handle, u_sss_result, sudo_sss_result_filterp,
_SUDO_SSS_FILTER_INCLUDE, NULL);
if (f_sss_result != NULL)
@@ -547,7 +636,7 @@ static struct sss_sudo_result *sudo_sss_
sudo_debug_printf(3, "u_sss_result=(%p, %u) => f_sss_result=(%p, %u)",
u_sss_result, u_sss_result->num_rules, f_sss_result, f_sss_result->num_rules);
- sss_sudo_free_result(u_sss_result);
+ handle->fn_free_result(u_sss_result);
debug_return_ptr(f_sss_result);
}
@@ -557,7 +646,7 @@ static struct sss_sudo_result *sudo_sss_
* Returns true if found and allowed, false if negated, else UNSPEC.
*/
static int
-sudo_sss_check_bool(struct sss_sudo_rule *rule, char *option)
+sudo_sss_check_bool(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule, char *option)
{
char ch, *var, **val_array = NULL;
int i, ret = UNSPEC;
@@ -566,7 +655,7 @@ sudo_sss_check_bool(struct sss_sudo_rule
if (rule == NULL)
debug_return_int(ret);
- switch (sss_sudo_get_values(rule, "sudoOption", &val_array))
+ switch (handle->fn_get_values(rule, "sudoOption", &val_array))
{
case 0:
break;
@@ -574,7 +663,7 @@ sudo_sss_check_bool(struct sss_sudo_rule
sudo_debug_printf(2, "No result.");
debug_return_int(ret);
default:
- sudo_debug_printf(2, "sss_sudo_get_values: != 0");
+ sudo_debug_printf(2, "handle->fn_get_values: != 0");
debug_return_int(ret);
}
@@ -589,7 +678,7 @@ sudo_sss_check_bool(struct sss_sudo_rule
ret = (ch != '!');
}
- sss_sudo_free_values(val_array);
+ handle->fn_free_values(val_array);
debug_return_int(ret);
}
@@ -599,7 +688,7 @@ sudo_sss_check_bool(struct sss_sudo_rule
* false if disallowed and UNSPEC if not matched.
*/
static int
-sudo_sss_check_command(struct sss_sudo_rule *rule, int *setenv_implied)
+sudo_sss_check_command(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule, int *setenv_implied)
{
char **val_array = NULL, *val;
char *allowed_cmnd, *allowed_args;
@@ -609,7 +698,7 @@ sudo_sss_check_command(struct sss_sudo_r
if (rule == NULL)
debug_return_int(ret);
- switch (sss_sudo_get_values(rule, "sudoCommand", &val_array))
+ switch (handle->fn_get_values(rule, "sudoCommand", &val_array))
{
case 0:
break;
@@ -617,7 +706,7 @@ sudo_sss_check_command(struct sss_sudo_r
sudo_debug_printf(2, "No result.");
debug_return_int(ret);
default:
- sudo_debug_printf(2, "sss_sudo_get_values: != 0");
+ sudo_debug_printf(2, "handle->fn_get_values: != 0");
debug_return_int(ret);
}
@@ -662,13 +751,13 @@ sudo_sss_check_command(struct sss_sudo_r
efree(allowed_cmnd); /* cleanup */
}
- sss_sudo_free_values(val_array); /* more cleanup */
+ handle->fn_free_values(val_array); /* more cleanup */
debug_return_int(ret);
}
static void
-sudo_sss_parse_options(struct sss_sudo_rule *rule)
+sudo_sss_parse_options(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
{
int i;
char op, *v, *val;
@@ -678,7 +767,7 @@ sudo_sss_parse_options(struct sss_sudo_r
if (rule == NULL)
debug_return;
- switch (sss_sudo_get_values(rule, "sudoOption", &val_array))
+ switch (handle->fn_get_values(rule, "sudoOption", &val_array))
{
case 0:
break;
@@ -686,7 +775,7 @@ sudo_sss_parse_options(struct sss_sudo_r
sudo_debug_printf(2, "No result.");
debug_return;
default:
- sudo_debug_printf(2, "sss_sudo_get_values(sudoOption): != 0");
+ sudo_debug_printf(2, "handle->fn_get_values(sudoOption): != 0");
debug_return;
}
@@ -718,7 +807,7 @@ sudo_sss_parse_options(struct sss_sudo_r
efree(v);
}
- sss_sudo_free_values(val_array);
+ handle->fn_free_values(val_array);
debug_return;
}
@@ -726,6 +815,7 @@ static int sudo_sss_lookup(struct sudo_n
{
int rc, setenv_implied;
+ struct sudo_sss_handle *handle = nss->handle;
struct sss_sudo_result *sss_result = NULL;
struct sss_sudo_rule *rule;
uint32_t i, state = 0;
@@ -750,12 +840,12 @@ static int sudo_sss_lookup(struct sudo_n
rule = sss_result->rules + i;
if ((pwcheck == any && doauth != false) ||
(pwcheck == all && doauth == false)) {
- doauth = sudo_sss_check_bool(rule, "authenticate");
+ doauth = sudo_sss_check_bool(handle, rule, "authenticate");
}
/* Only check the command when listing another user. */
if (user_uid == 0 || list_pw == NULL ||
user_uid == list_pw->pw_uid ||
- sudo_sss_check_command(rule, NULL)) {
+ sudo_sss_check_command(handle, rule, NULL)) {
matched = true;
break;
}
@@ -791,9 +881,9 @@ static int sudo_sss_lookup(struct sudo_n
if (sss_result != NULL) {
for (i = 0; i < sss_result->num_rules; i++) {
rule = sss_result->rules + i;
- if (!sudo_sss_check_runas(rule))
+ if (!sudo_sss_check_runas(handle, rule))
continue;
- rc = sudo_sss_check_command(rule, &setenv_implied);
+ rc = sudo_sss_check_command(handle, rule, &setenv_implied);
if (rc != UNSPEC) {
/* We have a match. */
sudo_debug_printf(1, "Command %sallowed", rc == true ? "" : "NOT ");
@@ -802,7 +892,7 @@ static int sudo_sss_lookup(struct sudo_n
/* Apply entry-specific options. */
if (setenv_implied)
def_setenv = true;
- sudo_sss_parse_options(rule);
+ sudo_sss_parse_options(handle, rule);
#ifdef HAVE_SELINUX
/* Set role and type if not specified on command line. */
if (user_role == NULL)
@@ -865,8 +955,8 @@ static int sudo_sss_display_cmnd(struct
for (i = 0; i < sss_result->num_rules; i++) {
rule = sss_result->rules + i;
- if (sudo_sss_check_command(rule, NULL) &&
- sudo_sss_check_runas(rule)) {
+ if (sudo_sss_check_command(handle, rule, NULL) &&
+ sudo_sss_check_runas(handle, rule)) {
found = true;
goto done;
}
@@ -878,7 +968,7 @@ done:
user_args ? " " : "", user_args ? user_args : "");
if (sss_result != NULL)
- sss_sudo_free_result(sss_result);
+ handle->fn_free_result(sss_result);
debug_return_int(!found);
}
@@ -901,11 +991,11 @@ static int sudo_sss_display_defaults(str
if (handle == NULL)
goto done;
- if (sss_sudo_send_recv_defaults(pw->pw_uid, pw->pw_name,
+ if (handle->fn_send_recv_defaults(pw->pw_uid, pw->pw_name,
&sss_error, &handle->domainname,
&sss_result) != 0)
{
- sudo_debug_printf(2, "sss_sudo_send_recv_defaults: !=0, sss_error=%u", sss_error);
+ sudo_debug_printf(2, "handle->fn_send_recv_defaults: !=0, sss_error=%u", sss_error);
goto done;
}
@@ -922,7 +1012,7 @@ static int sudo_sss_display_defaults(str
for (i = 0; i < sss_result->num_rules; ++i) {
rule = sss_result->rules + i;
- switch (sss_sudo_get_values(rule, "sudoOption", &val_array))
+ switch (handle->fn_get_values(rule, "sudoOption", &val_array))
{
case 0:
break;
@@ -930,7 +1020,7 @@ static int sudo_sss_display_defaults(str
sudo_debug_printf(2, "No result.");
continue;
default:
- sudo_debug_printf(2, "sss_sudo_get_values: != 0");
+ sudo_debug_printf(2, "handle->fn_get_values: != 0");
continue;
}
@@ -946,11 +1036,11 @@ static int sudo_sss_display_defaults(str
count++;
}
- sss_sudo_free_values(val_array);
+ handle->fn_free_values(val_array);
val_array = NULL;
}
- sss_sudo_free_result(sss_result);
+ handle->fn_free_result(sss_result);
done:
debug_return_int(count);
}
@@ -963,7 +1053,7 @@ static int sudo_sss_display_bound_defaul
debug_return_int(0);
}
-static int sudo_sss_display_entry_long(struct sss_sudo_rule *rule, struct lbuf *lbuf)
+static int sudo_sss_display_entry_long(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule, struct lbuf *lbuf)
{
char **val_array = NULL;
int count = 0, i;
@@ -971,94 +1061,94 @@ static int sudo_sss_display_entry_long(s
/* get the RunAsUser Values from the entry */
lbuf_append(lbuf, " RunAsUsers: ");
- switch (sss_sudo_get_values(rule, "sudoRunAsUser", &val_array))
+ switch (handle->fn_get_values(rule, "sudoRunAsUser", &val_array))
{
case 0:
for (i = 0; val_array[i] != NULL; ++i)
lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]);
- sss_sudo_free_values(val_array);
+ handle->fn_free_values(val_array);
break;
case ENOENT:
- switch (sss_sudo_get_values(rule, "sudoRunAs", &val_array))
+ switch (handle->fn_get_values(rule, "sudoRunAs", &val_array))
{
case 0:
for (i = 0; val_array[i] != NULL; ++i)
lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]);
- sss_sudo_free_values(val_array);
+ handle->fn_free_values(val_array);
break;
case ENOENT:
sudo_debug_printf(2, "No result.");
lbuf_append(lbuf, "%s", def_runas_default);
break;
default:
- sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAs): != 0");
+ sudo_debug_printf(2, "handle->fn_get_values(sudoRunAs): != 0");
debug_return_int(count);
}
break;
default:
- sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAsUser): != 0");
+ sudo_debug_printf(2, "handle->fn_get_values(sudoRunAsUser): != 0");
debug_return_int(count);
}
lbuf_append(lbuf, "\n");
/* get the RunAsGroup Values from the entry */
- switch (sss_sudo_get_values(rule, "sudoRunAsGroup", &val_array))
+ switch (handle->fn_get_values(rule, "sudoRunAsGroup", &val_array))
{
case 0:
lbuf_append(lbuf, " RunAsGroups: ");
for (i = 0; val_array[i] != NULL; ++i)
lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]);
- sss_sudo_free_values(val_array);
+ handle->fn_free_values(val_array);
lbuf_append(lbuf, "\n");
break;
case ENOENT:
sudo_debug_printf(2, "No result.");
break;
default:
- sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAsGroup): != 0");
+ sudo_debug_printf(2, "handle->fn_get_values(sudoRunAsGroup): != 0");
debug_return_int(count);
}
/* get the Option Values from the entry */
- switch (sss_sudo_get_values(rule, "sudoOption", &val_array))
+ switch (handle->fn_get_values(rule, "sudoOption", &val_array))
{
case 0:
lbuf_append(lbuf, " Options: ");
for (i = 0; val_array[i] != NULL; ++i)
lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]);
- sss_sudo_free_values(val_array);
+ handle->fn_free_values(val_array);
lbuf_append(lbuf, "\n");
break;
case ENOENT:
sudo_debug_printf(2, "No result.");
break;
default:
- sudo_debug_printf(2, "sss_sudo_get_values(sudoOption): != 0");
+ sudo_debug_printf(2, "handle->fn_get_values(sudoOption): != 0");
debug_return_int(count);
}
/* Get the command values from the entry. */
- switch (sss_sudo_get_values(rule, "sudoCommand", &val_array)) {
+ switch (handle->fn_get_values(rule, "sudoCommand", &val_array)) {
case 0:
lbuf_append(lbuf, _(" Commands:\n"));
for (i = 0; val_array[i] != NULL; ++i) {
lbuf_append(lbuf, "\t%s\n", val_array[i]);
count++;
}
- sss_sudo_free_values(val_array);
+ handle->fn_free_values(val_array);
break;
case ENOENT:
sudo_debug_printf(2, "No result.");
break;
default:
- sudo_debug_printf(2, "sss_sudo_get_values(sudoCommand): != 0");
+ sudo_debug_printf(2, "handle->fn_get_values(sudoCommand): != 0");
debug_return_int(count);
}
debug_return_int(count);
}
-static int sudo_sss_display_entry_short(struct sss_sudo_rule *rule, struct lbuf *lbuf)
+static int sudo_sss_display_entry_short(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule, struct lbuf *lbuf)
{
char **val_array = NULL;
int count = 0, i;
@@ -1067,58 +1157,58 @@ static int sudo_sss_display_entry_short(
lbuf_append(lbuf, " (");
/* get the RunAsUser Values from the entry */
- switch (sss_sudo_get_values(rule, "sudoRunAsUser", &val_array))
+ switch (handle->fn_get_values(rule, "sudoRunAsUser", &val_array))
{
case 0:
for (i = 0; val_array[i] != NULL; ++i)
lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]);
- sss_sudo_free_values(val_array);
+ handle->fn_free_values(val_array);
break;
case ENOENT:
sudo_debug_printf(2, "No result. Trying old style (sudoRunAs).");
/* try old style */
- switch (sss_sudo_get_values(rule, "sudoRunAs", &val_array))
+ switch (handle->fn_get_values(rule, "sudoRunAs", &val_array))
{
case 0:
for (i = 0; val_array[i] != NULL; ++i)
lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]);
- sss_sudo_free_values(val_array);
+ handle->fn_free_values(val_array);
break;
case ENOENT:
sudo_debug_printf(2, "No result.");
lbuf_append(lbuf, "%s", def_runas_default);
break;
default:
- sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAs): != 0");
+ sudo_debug_printf(2, "handle->fn_get_values(sudoRunAs): != 0");
debug_return_int(count);
}
break;
default:
- sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAsUser): != 0");
+ sudo_debug_printf(2, "handle->fn_get_values(sudoRunAsUser): != 0");
debug_return_int(count);
}
/* get the RunAsGroup Values from the entry */
- switch (sss_sudo_get_values(rule, "sudoRunAsGroup", &val_array))
+ switch (handle->fn_get_values(rule, "sudoRunAsGroup", &val_array))
{
case 0:
lbuf_append(lbuf, " : ");
for (i = 0; val_array[i] != NULL; ++i)
lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]);
- sss_sudo_free_values(val_array);
+ handle->fn_free_values(val_array);
break;
case ENOENT:
sudo_debug_printf(2, "No result.");
break;
default:
- sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAsGroup): != 0");
+ sudo_debug_printf(2, "handle->fn_get_values(sudoRunAsGroup): != 0");
debug_return_int(count);
}
lbuf_append(lbuf, ") ");
/* get the Option Values from the entry */
- switch (sss_sudo_get_values(rule, "sudoOption", &val_array))
+ switch (handle->fn_get_values(rule, "sudoOption", &val_array))
{
case 0:
for (i = 0; val_array[i] != NULL; ++i) {
@@ -1136,30 +1226,30 @@ static int sudo_sss_display_entry_short(
"NOSETENV: " : "SETENV: ");
}
- sss_sudo_free_values(val_array);
+ handle->fn_free_values(val_array);
break;
case ENOENT:
sudo_debug_printf(2, "No result.");
break;
default:
- sudo_debug_printf(2, "sss_sudo_get_values(sudoOption): != 0");
+ sudo_debug_printf(2, "handle->fn_get_values(sudoOption): != 0");
debug_return_int(count);
}
/* get the Command Values from the entry */
- switch (sss_sudo_get_values(rule, "sudoCommand", &val_array)) {
+ switch (handle->fn_get_values(rule, "sudoCommand", &val_array)) {
case 0:
for (i = 0; val_array[i] != NULL; ++i) {
lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]);
count++;
}
- sss_sudo_free_values(val_array);
+ handle->fn_free_values(val_array);
break;
case ENOENT:
sudo_debug_printf(2, "No result.");
break;
default:
- sudo_debug_printf(2, "sss_sudo_get_values(sudoCommand): != 0");
+ sudo_debug_printf(2, "handle->fn_get_values(sudoCommand): != 0");
debug_return_int(count);
}
lbuf_append(lbuf, "\n");
@@ -1193,13 +1283,13 @@ static int sudo_sss_display_privs(struct
for (i = 0; i < sss_result->num_rules; ++i) {
rule = sss_result->rules + i;
if (long_list)
- count += sudo_sss_display_entry_long(rule, lbuf);
+ count += sudo_sss_display_entry_long(handle, rule, lbuf);
else
- count += sudo_sss_display_entry_short(rule, lbuf);
+ count += sudo_sss_display_entry_short(handle, rule, lbuf);
}
if (sss_result != NULL)
- sss_sudo_free_result(sss_result);
+ handle->fn_free_result(sss_result);
debug_return_int(count);
}

43
sudo-1.8.5-sssd-handle-sss_ret-correctly.patch
View File

@ -1,43 +0,0 @@
diff -rup original/plugins/sudoers/sssd.c new/plugins/sudoers/sssd.c
--- original/plugins/sudoers/sssd.c 2012-07-18 13:17:53.026208728 +0200
+++ new/plugins/sudoers/sssd.c 2012-07-18 13:35:59.780623153 +0200
@@ -239,6 +239,14 @@ static int sudo_sss_setdefs(struct sudo_
debug_return_int(-1);
}
+ if (sss_error == ENOENT) {
+ sudo_debug_printf(2, "The user was not found in SSSD.");
+ debug_return_int(-1);
+ } else if(sss_error != 0) {
+ sudo_debug_printf(2, "sss_error=%u\n", sss_error);
+ debug_return_int(-1);
+ }
+
for (i = 0; i < sss_result->num_rules; ++i) {
sudo_debug_printf(1, "Parsing cn=defaults, %d/%d", i, sss_result->num_rules);
sss_rule = sss_result->rules + i;
@@ -515,7 +523,7 @@ static struct sss_sudo_result *sudo_sss_
}
break;
case ENOENT:
- sudo_debug_printf(2, "No result.");
+ sudo_debug_printf(2, "The user was not found in SSSD.");
default:
sudo_debug_printf(2, "sss_error=%u\n", sss_error);
debug_return_ptr(NULL);
@@ -901,6 +909,14 @@ static int sudo_sss_display_defaults(str
goto done;
}
+ if (sss_error == ENOENT) {
+ sudo_debug_printf(2, "The user was not found in SSSD.");
+ goto done;
+ } else if(sss_error != 0) {
+ sudo_debug_printf(2, "sss_error=%u\n", sss_error);
+ goto done;
+ }
+
handle->pw = pw;
for (i = 0; i < sss_result->num_rules; ++i) {

1327
sudo-1.8.5-sssd-support.patch
View File

File diff suppressed because it is too large Load Diff

600
sudo-1.8.5-sssd-use-sudo_debug_printf.patch
View File

@ -1,600 +0,0 @@
diff -rup original/plugins/sudoers/sssd.c new/plugins/sudoers/sssd.c
--- original/plugins/sudoers/sssd.c 2012-07-17 10:50:20.110201384 +0200
+++ new/plugins/sudoers/sssd.c 2012-07-17 11:09:31.213626613 +0200
@@ -56,11 +56,6 @@
#include "lbuf.h"
#include "sudo_debug.h"
-extern int debug_level;
-#define __sssd_debug debug_level
-
-#define DPRINTF(level, fmt, ...) if (__sssd_debug >= (level)) warningx("%s:%d: "fmt, __PRETTY_FUNCTION__, __LINE__, ##__VA_ARGS__)
-
/* sudo_nss implementation */
static int sudo_sss_open(struct sudo_nss *nss);
static int sudo_sss_close(struct sudo_nss *nss);
@@ -88,8 +83,8 @@ static void sudo_sss_attrcpy(struct sss_
int i;
debug_decl(sudo_sss_attrcpy, SUDO_DEBUG_SSSD)
- DPRINTF(3, "dst=%p, src=%p", dst, src);
- DPRINTF(2, "emalloc: cnt=%d", src->num_values);
+ sudo_debug_printf(3, "dst=%p, src=%p", dst, src);
+ sudo_debug_printf(2, "emalloc: cnt=%d", src->num_values);
dst->name = strdup(src->name);
dst->num_values = src->num_values;
@@ -106,8 +101,8 @@ static void sudo_sss_rulecpy(struct sss_
int i;
debug_decl(sudo_sss_rulecpy, SUDO_DEBUG_SSSD)
- DPRINTF(3, "dst=%p, src=%p", dst, src);
- DPRINTF(2, "emalloc: cnt=%d", src->num_attrs);
+ sudo_debug_printf(3, "dst=%p, src=%p", dst, src);
+ sudo_debug_printf(2, "emalloc: cnt=%d", src->num_attrs);
dst->num_attrs = src->num_attrs;
dst->attrs = emalloc(sizeof(struct sss_sudo_attr) * dst->num_attrs);
@@ -132,13 +127,13 @@ static struct sss_sudo_result *sudo_sss_
int i, l, r;
debug_decl(sudo_sss_filter_result, SUDO_DEBUG_SSSD)
- DPRINTF(3, "in_res=%p, count=%u, act=%s",
+ sudo_debug_printf(3, "in_res=%p, count=%u, act=%s",
in_res, in_res->num_rules, act == _SUDO_SSS_FILTER_EXCLUDE ? "EXCLUDE" : "INCLUDE");
if (in_res == NULL)
debug_return_ptr(NULL);
- DPRINTF(3, "emalloc: cnt=%d", in_res->num_rules);
+ sudo_debug_printf(3, "emalloc: cnt=%d", in_res->num_rules);
out_res = emalloc(sizeof(struct sss_sudo_result));
out_res->rules = in_res->num_rules > 0 ? emalloc(sizeof(struct sss_sudo_rule) * in_res->num_rules) : NULL;
@@ -150,7 +145,7 @@ static struct sss_sudo_result *sudo_sss_
if (( r && act == _SUDO_SSS_FILTER_INCLUDE) ||
(!r && act == _SUDO_SSS_FILTER_EXCLUDE))
{
- DPRINTF(3, "COPY (%s): %p[%u] => %p[%u] (= %p)",
+ sudo_debug_printf(3, "COPY (%s): %p[%u] => %p[%u] (= %p)",
act == _SUDO_SSS_FILTER_EXCLUDE ? "not excluded" : "included",
in_res->rules, i, out_res->rules, l, in_res->rules + i);
@@ -160,7 +155,7 @@ static struct sss_sudo_result *sudo_sss_
}
if (l < in_res->num_rules) {
- DPRINTF(3, "reallocating result: %p (count: %u -> %u)", out_res->rules, in_res->num_rules, l);
+ sudo_debug_printf(3, "reallocating result: %p (count: %u -> %u)", out_res->rules, in_res->num_rules, l);
out_res->rules = realloc(out_res->rules, sizeof(struct sss_sudo_rule) * l);
}
@@ -201,7 +196,7 @@ static int sudo_sss_open(struct sudo_nss
handle->pw = sudo_user.pw;
nss->handle = handle;
- DPRINTF(3, "handle=%p", handle);
+ sudo_debug_printf(3, "handle=%p", handle);
debug_return_int(0);
}
@@ -234,18 +229,18 @@ static int sudo_sss_setdefs(struct sudo_
if (handle == NULL)
debug_return_int(-1);
- DPRINTF(1, "Looking for cn=defaults");
+ sudo_debug_printf(1, "Looking for cn=defaults");
if (sss_sudo_send_recv_defaults(handle->pw->pw_uid, handle->pw->pw_name,
&sss_error, &handle->domainname,
&sss_result) != 0)
{
- DPRINTF(2, "sss_sudo_send_recv_defaults: != 0, sss_error=%u", sss_error);
+ sudo_debug_printf(2, "sss_sudo_send_recv_defaults: != 0, sss_error=%u", sss_error);
debug_return_int(-1);
}
for (i = 0; i < sss_result->num_rules; ++i) {
- DPRINTF(1, "Parsing cn=defaults, %d/%d", i, sss_result->num_rules);
+ sudo_debug_printf(1, "Parsing cn=defaults, %d/%d", i, sss_result->num_rules);
sss_rule = sss_result->rules + i;
sudo_sss_parse_options(sss_rule);
}
@@ -262,7 +257,7 @@ static int sudo_sss_checkpw(struct sudo_
if (pw->pw_name != handle->pw->pw_name ||
pw->pw_uid != handle->pw->pw_uid)
{
- DPRINTF(1, "Requested name or uid don't match the initial once, reinitializing...");
+ sudo_debug_printf(1, "Requested name or uid don't match the initial once, reinitializing...");
handle->pw = pw;
if (sudo_sss_setdefs(nss) != 0)
@@ -289,7 +284,7 @@ sudo_sss_check_runas_user(struct sss_sud
case 0:
break;
case ENOENT:
- DPRINTF(2, "No result. Trying old style (sudoRunAs)");
+ sudo_debug_printf(2, "No result. Trying old style (sudoRunAs)");
/* try old style */
switch (sss_sudo_get_values(sss_rule, "sudoRunAs", &val_array))
@@ -297,19 +292,19 @@ sudo_sss_check_runas_user(struct sss_sud
case 0:
break;
case ENOENT:
- DPRINTF(2, "No result. Matching against runas_default");
+ sudo_debug_printf(2, "No result. Matching against runas_default");
/*
* If there are no runas entries, match runas_default against
* what the user specified on the command line.
*/
return !strcasecmp(runas_pw->pw_name, def_runas_default);
default:
- DPRINTF(2, "sss_sudo_get_values(sudoRunAs): != 0");
+ sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAs): != 0");
debug_return_int(UNSPEC);
}
break;
default:
- DPRINTF(2, "sss_sudo_get_values(sudoRunAsUser): != 0");
+ sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAsUser): != 0");
debug_return_int(UNSPEC);
}
@@ -334,40 +329,40 @@ sudo_sss_check_runas_user(struct sss_sud
for (i = 0; val_array[i] != NULL && !ret; ++i) {
val = val_array[i];
- DPRINTF(3, "val[%d]=%s", i, val);
+ sudo_debug_printf(3, "val[%d]=%s", i, val);
switch (val[0]) {
case '+':
- DPRINTF(3, "netgr_");
+ sudo_debug_printf(3, "netgr_");
if (netgr_matches(val, NULL, NULL, runas_pw->pw_name)) {
- DPRINTF(3, "=> match");
+ sudo_debug_printf(3, "=> match");
ret = true;
}
break;
case '%':
- DPRINTF(3, "usergr_");
+ sudo_debug_printf(3, "usergr_");
if (usergr_matches(val, runas_pw->pw_name, runas_pw)) {
- DPRINTF(3, "=> match");
+ sudo_debug_printf(3, "=> match");
ret = true;
}
break;
case 'A':
if (strcmp(val, "ALL") == 0) {
- DPRINTF(3, "ALL => match");
+ sudo_debug_printf(3, "ALL => match");
ret = true;
break;
}
/* FALLTHROUGH */
- DPRINTF(3, "FALLTHROUGH");
+ sudo_debug_printf(3, "FALLTHROUGH");
default:
if (strcasecmp(val, runas_pw->pw_name) == 0) {
- DPRINTF(3, "%s == %s (pw_name) => match", val, runas_pw->pw_name);
+ sudo_debug_printf(3, "%s == %s (pw_name) => match", val, runas_pw->pw_name);
ret = true;
}
break;
}
- DPRINTF(2, "sssd/ldap sudoRunAsUser '%s' ... %s", val, ret ? "MATCH!" : "not");
+ sudo_debug_printf(2, "sssd/ldap sudoRunAsUser '%s' ... %s", val, ret ? "MATCH!" : "not");
}
sss_sudo_free_values(val_array); /* cleanup */
@@ -393,22 +388,22 @@ sudo_sss_check_runas_group(struct sss_su
case 0:
break;
case ENOENT:
- DPRINTF(2, "No result.");
+ sudo_debug_printf(2, "No result.");
debug_return_int(false);
default:
- DPRINTF(2, "sss_sudo_get_values(sudoRunAsGroup): != 0");
+ sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAsGroup): != 0");
debug_return_int(UNSPEC);
}
/* walk through values returned, looking for a match */
for (i = 0; val_array[i] != NULL; ++i) {
val = val_array[i];
- DPRINTF(3, "val[%d]=%s", i, val);
+ sudo_debug_printf(3, "val[%d]=%s", i, val);
if (strcmp(val, "ALL") == 0 || group_matches(val, runas_gr))
ret = true;
- DPRINTF(2, "sssd/ldap sudoRunAsGroup '%s' ... %s", val, ret ? "MATCH!" : "not");
+ sudo_debug_printf(2, "sssd/ldap sudoRunAsGroup '%s' ... %s", val, ret ? "MATCH!" : "not");
}
sss_sudo_free_values(val_array);
@@ -450,17 +445,17 @@ static int sudo_sss_check_host(struct ss
case 0:
break;
case ENOENT:
- DPRINTF(2, "No result.");
+ sudo_debug_printf(2, "No result.");
debug_return_int(false);
default:
- DPRINTF(2, "sss_sudo_get_values(sudoHost): != 0");
+ sudo_debug_printf(2, "sss_sudo_get_values(sudoHost): != 0");
debug_return_int(ret);
}
/* walk through values */
for (i = 0; val_array[i] != NULL; ++i) {
val = val_array[i];
- DPRINTF(3, "val[%d]=%s", i, val);
+ sudo_debug_printf(3, "val[%d]=%s", i, val);
/* match any or address or netgroup or hostname */
if (!strcmp(val, "ALL") || addr_matches(val) ||
@@ -468,7 +463,7 @@ static int sudo_sss_check_host(struct ss
hostname_matches(user_shost, user_host, val))
ret = true;
- DPRINTF(2, "sssd/ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not");
+ sudo_debug_printf(2, "sssd/ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not");
}
sss_sudo_free_values(val_array);
@@ -497,8 +492,8 @@ static struct sss_sudo_result *sudo_sss_
if (sudo_sss_checkpw(nss, pw) != 0)
debug_return_ptr(NULL);
- DPRINTF(1, " username=%s", handle->pw->pw_name);
- DPRINTF(1, "domainname=%s", handle->domainname);
+ sudo_debug_printf(1, " username=%s", handle->pw->pw_name);
+ sudo_debug_printf(1, "domainname=%s", handle->domainname);
u_sss_result = f_sss_result = NULL;
@@ -510,24 +505,24 @@ static struct sss_sudo_result *sudo_sss_
case 0:
if (u_sss_result != NULL) {
if (state != NULL) {
- DPRINTF(3, "state |= USERMATCH");
+ sudo_debug_printf(3, "state |= USERMATCH");
*state |= _SUDO_SSS_STATE_USERMATCH;
}
- DPRINTF(2, "Received %u rule(s)", u_sss_result->num_rules);
+ sudo_debug_printf(2, "Received %u rule(s)", u_sss_result->num_rules);
} else {
- DPRINTF(2, "Internal error: u_sss_result == NULL && sss_error == 0");
+ sudo_debug_printf(2, "Internal error: u_sss_result == NULL && sss_error == 0");
debug_return_ptr(NULL);
}
break;
case ENOENT:
- DPRINTF(2, "No result.");
+ sudo_debug_printf(2, "No result.");
default:
- DPRINTF(2, "sss_error=%u\n", sss_error);
+ sudo_debug_printf(2, "sss_error=%u\n", sss_error);
debug_return_ptr(NULL);
}
break;
default:
- DPRINTF(2, "sss_sudo_send_recv: != 0: ret=%d", ret);
+ sudo_debug_printf(2, "sss_sudo_send_recv: != 0: ret=%d", ret);
debug_return_ptr(NULL);
}
@@ -537,11 +532,11 @@ static struct sss_sudo_result *sudo_sss_
if (f_sss_result != NULL)
if (f_sss_result->num_rules > 0)
if (state != NULL) {
- DPRINTF(3, "state |= HOSTMATCH");
+ sudo_debug_printf(3, "state |= HOSTMATCH");
*state |= _SUDO_SSS_STATE_HOSTMATCH;
}
- DPRINTF(3, "u_sss_result=(%p, %u) => f_sss_result=(%p, %u)",
+ sudo_debug_printf(3, "u_sss_result=(%p, %u) => f_sss_result=(%p, %u)",
u_sss_result, u_sss_result->num_rules, f_sss_result, f_sss_result->num_rules);
sss_sudo_free_result(u_sss_result);
@@ -568,17 +563,17 @@ sudo_sss_check_bool(struct sss_sudo_rule
case 0:
break;
case ENOENT:
- DPRINTF(2, "No result.");
+ sudo_debug_printf(2, "No result.");
debug_return_int(ret);
default:
- DPRINTF(2, "sss_sudo_get_values: != 0");
+ sudo_debug_printf(2, "sss_sudo_get_values: != 0");
debug_return_int(ret);
}
/* walk through options */
for (i = 0; val_array[i] != NULL; ++i) {
var = val_array[i];
- DPRINTF(2, "sssd/ldap sudoOption: '%s'", var);
+ sudo_debug_printf(2, "sssd/ldap sudoOption: '%s'", var);
if ((ch = *var) == '!')
var++;
@@ -611,24 +606,24 @@ sudo_sss_check_command(struct sss_sudo_r
case 0:
break;
case ENOENT:
- DPRINTF(2, "No result.");
+ sudo_debug_printf(2, "No result.");
debug_return_int(ret);
default:
- DPRINTF(2, "sss_sudo_get_values: != 0");
+ sudo_debug_printf(2, "sss_sudo_get_values: != 0");
debug_return_int(ret);
}
for (i = 0; val_array[i] != NULL && ret != false; ++i) {
val = val_array[i];
- DPRINTF(3, "val[%d]=%s", i, val);
+ sudo_debug_printf(3, "val[%d]=%s", i, val);
/* Match against ALL ? */
if (!strcmp(val, "ALL")) {
ret = true;
if (setenv_implied != NULL)
*setenv_implied = true;
- DPRINTF(2, "sssd/ldap sudoCommand '%s' ... MATCH!", val);
+ sudo_debug_printf(2, "sssd/ldap sudoCommand '%s' ... MATCH!", val);
continue;
}
@@ -655,7 +650,7 @@ sudo_sss_check_command(struct sss_sudo_r
ret = foundbang ? false : true;
}
- DPRINTF(2, "sssd/ldap sudoCommand '%s' ... %s", val, ret == true ? "MATCH!" : "not");
+ sudo_debug_printf(2, "sssd/ldap sudoCommand '%s' ... %s", val, ret == true ? "MATCH!" : "not");
efree(allowed_cmnd); /* cleanup */
}
@@ -680,16 +675,16 @@ sudo_sss_parse_options(struct sss_sudo_r
case 0:
break;
case ENOENT:
- DPRINTF(2, "No result.");
+ sudo_debug_printf(2, "No result.");
debug_return;
default:
- DPRINTF(2, "sss_sudo_get_values(sudoOption): != 0");
+ sudo_debug_printf(2, "sss_sudo_get_values(sudoOption): != 0");
debug_return;
}
/* walk through options */
for (i = 0; val_array[i] != NULL; i++) {
- DPRINTF(2, "sssd/ldap sudoOption: '%s'", val_array[i]);
+ sudo_debug_printf(2, "sssd/ldap sudoOption: '%s'", val_array[i]);
v = estrdup(val_array[i]);
/* check for equals sign past first char */
@@ -741,7 +736,7 @@ static int sudo_sss_lookup(struct sudo_n
enum def_tuple pwcheck =
(pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple;
- DPRINTF(2, "perform search for pwflag %d", pwflag);
+ sudo_debug_printf(2, "perform search for pwflag %d", pwflag);
if (sss_result != NULL) {
for (i = 0; i < sss_result->num_rules; i++) {
rule = sss_result->rules + i;
@@ -782,7 +777,7 @@ static int sudo_sss_lookup(struct sudo_n
goto done;
}
- DPRINTF(1, "searching SSSD/LDAP for sudoers entries");
+ sudo_debug_printf(1, "searching SSSD/LDAP for sudoers entries");
setenv_implied = false;
if (sss_result != NULL) {
@@ -793,9 +788,9 @@ static int sudo_sss_lookup(struct sudo_n
rc = sudo_sss_check_command(rule, &setenv_implied);
if (rc != UNSPEC) {
/* We have a match. */
- DPRINTF(1, "Command %sallowed", rc == true ? "" : "NOT ");
+ sudo_debug_printf(1, "Command %sallowed", rc == true ? "" : "NOT ");
if (rc == true) {
- DPRINTF(3, "SSSD rule: %p", rule);
+ sudo_debug_printf(3, "SSSD rule: %p", rule);
/* Apply entry-specific options. */
if (setenv_implied)
def_setenv = true;
@@ -818,7 +813,7 @@ static int sudo_sss_lookup(struct sudo_n
}
}
done:
- DPRINTF(1, "Done with LDAP searches");
+ sudo_debug_printf(1, "Done with LDAP searches");
if (!ISSET(ret, VALIDATE_OK)) {
/* No matching entries. */
@@ -831,7 +826,7 @@ done:
if (state & _SUDO_SSS_STATE_HOSTMATCH)
CLR(ret, FLAG_NO_HOST);
- DPRINTF(3, "sudo_sss_lookup(%d)=0x%02x", pwflag, ret);
+ sudo_debug_printf(3, "sudo_sss_lookup(%d)=0x%02x", pwflag, ret);
debug_return_int(ret);
}
@@ -854,7 +849,7 @@ static int sudo_sss_display_cmnd(struct
* The sudo_sss_result_get() function returns all nodes that match
* the user and the host.
*/
- DPRINTF(1, "sssd/ldap search for command list");
+ sudo_debug_printf(1, "sssd/ldap search for command list");
sss_result = sudo_sss_result_get(nss, pw, NULL);
if (sss_result == NULL)
@@ -902,7 +897,7 @@ static int sudo_sss_display_defaults(str
&sss_error, &handle->domainname,
&sss_result) != 0)
{
- DPRINTF(2, "sss_sudo_send_recv_defaults: !=0, sss_error=%u", sss_error);
+ sudo_debug_printf(2, "sss_sudo_send_recv_defaults: !=0, sss_error=%u", sss_error);
goto done;
}
@@ -916,10 +911,10 @@ static int sudo_sss_display_defaults(str
case 0:
break;
case ENOENT:
- DPRINTF(2, "No result.");
+ sudo_debug_printf(2, "No result.");
continue;
default:
- DPRINTF(2, "sss_sudo_get_values: != 0");
+ sudo_debug_printf(2, "sss_sudo_get_values: != 0");
continue;
}
@@ -976,16 +971,16 @@ static int sudo_sss_display_entry_long(s
sss_sudo_free_values(val_array);
break;
case ENOENT:
- DPRINTF(2, "No result.");
+ sudo_debug_printf(2, "No result.");
lbuf_append(lbuf, "%s", def_runas_default);
break;
default:
- DPRINTF(2, "sss_sudo_get_values(sudoRunAs): != 0");
+ sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAs): != 0");
debug_return_int(count);
}
break;
default:
- DPRINTF(2, "sss_sudo_get_values(sudoRunAsUser): != 0");
+ sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAsUser): != 0");
debug_return_int(count);
}
lbuf_append(lbuf, "\n");
@@ -1001,10 +996,10 @@ static int sudo_sss_display_entry_long(s
lbuf_append(lbuf, "\n");
break;
case ENOENT:
- DPRINTF(2, "No result.");
+ sudo_debug_printf(2, "No result.");
break;
default:
- DPRINTF(2, "sss_sudo_get_values(sudoRunAsGroup): != 0");
+ sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAsGroup): != 0");
debug_return_int(count);
}
@@ -1019,10 +1014,10 @@ static int sudo_sss_display_entry_long(s
lbuf_append(lbuf, "\n");
break;
case ENOENT:
- DPRINTF(2, "No result.");
+ sudo_debug_printf(2, "No result.");
break;
default:
- DPRINTF(2, "sss_sudo_get_values(sudoOption): != 0");
+ sudo_debug_printf(2, "sss_sudo_get_values(sudoOption): != 0");
debug_return_int(count);
}
@@ -1037,10 +1032,10 @@ static int sudo_sss_display_entry_long(s
sss_sudo_free_values(val_array);
break;
case ENOENT:
- DPRINTF(2, "No result.");
+ sudo_debug_printf(2, "No result.");
break;
default:
- DPRINTF(2, "sss_sudo_get_values(sudoCommand): != 0");
+ sudo_debug_printf(2, "sss_sudo_get_values(sudoCommand): != 0");
debug_return_int(count);
}
@@ -1064,7 +1059,7 @@ static int sudo_sss_display_entry_short(
sss_sudo_free_values(val_array);
break;
case ENOENT:
- DPRINTF(2, "No result. Trying old style (sudoRunAs).");
+ sudo_debug_printf(2, "No result. Trying old style (sudoRunAs).");
/* try old style */
switch (sss_sudo_get_values(rule, "sudoRunAs", &val_array))
{
@@ -1074,16 +1069,16 @@ static int sudo_sss_display_entry_short(
sss_sudo_free_values(val_array);
break;
case ENOENT:
- DPRINTF(2, "No result.");
+ sudo_debug_printf(2, "No result.");
lbuf_append(lbuf, "%s", def_runas_default);
break;
default:
- DPRINTF(2, "sss_sudo_get_values(sudoRunAs): != 0");
+ sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAs): != 0");
debug_return_int(count);
}
break;
default:
- DPRINTF(2, "sss_sudo_get_values(sudoRunAsUser): != 0");
+ sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAsUser): != 0");
debug_return_int(count);
}
@@ -1097,10 +1092,10 @@ static int sudo_sss_display_entry_short(
sss_sudo_free_values(val_array);
break;
case ENOENT:
- DPRINTF(2, "No result.");
+ sudo_debug_printf(2, "No result.");
break;
default:
- DPRINTF(2, "sss_sudo_get_values(sudoRunAsGroup): != 0");
+ sudo_debug_printf(2, "sss_sudo_get_values(sudoRunAsGroup): != 0");
debug_return_int(count);
}
@@ -1128,10 +1123,10 @@ static int sudo_sss_display_entry_short(
sss_sudo_free_values(val_array);
break;
case ENOENT:
- DPRINTF(2, "No result.");
+ sudo_debug_printf(2, "No result.");
break;
default:
- DPRINTF(2, "sss_sudo_get_values(sudoOption): != 0");
+ sudo_debug_printf(2, "sss_sudo_get_values(sudoOption): != 0");
debug_return_int(count);
}
@@ -1145,10 +1140,10 @@ static int sudo_sss_display_entry_short(
sss_sudo_free_values(val_array);
break;
case ENOENT:
- DPRINTF(2, "No result.");
+ sudo_debug_printf(2, "No result.");
break;
default:
- DPRINTF(2, "sss_sudo_get_values(sudoCommand): != 0");
+ sudo_debug_printf(2, "sss_sudo_get_values(sudoCommand): != 0");
debug_return_int(count);
}
lbuf_append(lbuf, "\n");
@@ -1171,7 +1166,7 @@ static int sudo_sss_display_privs(struct
if (sudo_sss_checkpw(nss, pw) != 0)
debug_return_int(-1);
- DPRINTF(2, "sssd/ldap search for command list");
+ sudo_debug_printf(2, "sssd/ldap search for command list");
sss_result = sudo_sss_result_get(nss, pw, NULL);

31
sudo-1.8.6-pipelist.patch Normal file
View File

@ -0,0 +1,31 @@
diff -up sudo-1.8.6/plugins/sudoers/sudo_nss.c.pipelist sudo-1.8.6/plugins/sudoers/sudo_nss.c
--- sudo-1.8.6/plugins/sudoers/sudo_nss.c.pipelist 2012-09-06 14:27:34.467290727 +0200
+++ sudo-1.8.6/plugins/sudoers/sudo_nss.c 2012-09-06 14:27:39.877315395 +0200
@@ -18,6 +18,8 @@
#include <sys/types.h>
#include <sys/param.h>
+#include <sys/stat.h>
+
#include <stdio.h>
#ifdef STDC_HEADERS
# include <stdlib.h>
@@ -257,11 +259,15 @@ display_privs(struct sudo_nss_list *snl,
{
struct sudo_nss *nss;
struct lbuf defs, privs;
- int count, olen;
+ struct stat sb;
+ int cols, count, olen;
debug_decl(display_privs, SUDO_DEBUG_NSS)
- lbuf_init(&defs, output, 4, NULL, sudo_user.cols);
- lbuf_init(&privs, output, 4, NULL, sudo_user.cols);
+ cols = sudo_user.cols;
+ if (fstat(STDOUT_FILENO, &sb) == 0 && S_ISFIFO(sb.st_mode))
+ cols = 0;
+ lbuf_init(&defs, output, 4, NULL, cols);
+ lbuf_init(&privs, output, 4, NULL, cols);
/* Display defaults from all sources. */
lbuf_append(&defs, _("Matching Defaults entries for %s on this host:\n"),

35
sudo.spec
View File

@ -1,7 +1,7 @@
Summary: Allows restricted root access for specified users
Name: sudo
Version: 1.8.5
Release: 4%{?dist}
Version: 1.8.6
Release: 1%{?dist}
License: ISC
Group: Applications/System
URL: http://www.courtesan.com/sudo/
@ -25,23 +25,8 @@ BuildRequires: gettext
Patch1: sudo-1.6.7p5-strip.patch
# configure.in fix
Patch2: sudo-1.7.2p1-envdebug.patch
# add m4/ to paths in aclocal.m4
Patch3: sudo-1.7.4p3-m4path.patch
# disable word wrapping if the ouput is piped
Patch4: sudo-1.8.5-pipelist.patch
# SSSD support
Patch5: sudo-1.8.5-sssd-support.patch
# Add SSSD debug subsystem
Patch6: sudo-1.8.5-add-sssd-debug-subsystem.patch
# Use sudo_debug_printf instead of DPRINTF in sssd.c
Patch7: sudo-1.8.5-sssd-use-sudo_debug_printf.patch
# Handle sss_ret correctly in sssd.c to avoid segfault
# when user is not found in sssd
Patch8: sudo-1.8.5-sssd-handle-sss_ret-correctly.patch
# dlopen libsss_sudo
Patch9: sudo-1.8.5-sssd-dlopen-lib.patch
# remove source when nss->open() fails
Patch10: sudo-1.8.5-remove-source-when-open-failed.patch
Patch3: sudo-1.8.6-pipelist.patch
%description
Sudo (superuser do) allows a system administrator to give certain
@ -68,17 +53,10 @@ plugins that use %{name}.
%patch1 -p1 -b .strip
%patch2 -p1 -b .envdebug
%patch3 -p1 -b .m4path
%patch4 -p1 -b .pipelist
%patch5 -p1 -b .sssd-support
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch3 -p1 -b .pipelist
%build
autoreconf -fv --install
autoreconf -I m4 -fv --install
%ifarch s390 s390x sparc64
F_PIE=-fPIE
@ -185,6 +163,9 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/sudo_plugin.8*
%changelog
* Thu Sep 6 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6-1
- update to 1.8.6
* Thu Jul 26 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.5-4
- added patches that fix & improve SSSD support (thanks to pbrezina@redhat.com)
- re-enabled SSSD support