8729726fc1
- major changes & fixes: - LDAP SASL support now works properly with Kerberos - root may no longer change its SELinux role without entering a password - user messages are now always displayed in the user's locale, even when the same message is being logged or mailed in a different locale. - log files created by sudo now explicitly have the group set to group ID 0 rather than relying on BSD group semantics - sudo now stores its libexec files in a sudo subdirectory instead of in libexec itself - system_group and group_file sudoers group provider plugins are now installed by default - the paths to ldap.conf and ldap.secret may now be specified as arguments to the sudoers plugin in the sudo.conf file - ...and many new features and settings. See the upstream ChangeLog for the full list. - several sssd support fixes - added patch to make uid/gid specification parsing more strict (don't accept an invalid number as uid/gid) - use the _pkgdocdir macro (see https://fedoraproject.org/wiki/Changes/UnversionedDocdirs) - fixed several bugs found by the clang static analyzer - added %post dependency on chmod
diff -up sudo-1.8.8/plugins/sudoers/sssd.c.sssdfixes sudo-1.8.8/plugins/sudoers/sssd.c
|
|
--- sudo-1.8.8/plugins/sudoers/sssd.c.sssdfixes 2013-09-30 23:18:49.641913457 +0200
|
|
+++ sudo-1.8.8/plugins/sudoers/sssd.c 2013-09-30 23:25:54.819376696 +0200
|
|
@@ -534,30 +534,31 @@ sudo_sss_check_runas_group(struct sudo_s
|
|
* Walk through search results and return true if we have a runas match,
|
|
* else false. RunAs info is optional.
|
|
*/
|
|
-static int
|
|
+static bool
|
|
sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
|
|
{
|
|
- int ret;
|
|
+ bool ret;
|
|
debug_decl(sudo_sss_check_runas, SUDO_DEBUG_SSSD);
|
|
|
|
if (rule == NULL)
|
|
- debug_return_int(false);
|
|
+ debug_return_bool(false);
|
|
|
|
ret = sudo_sss_check_runas_user(handle, rule) != false &&
|
|
sudo_sss_check_runas_group(handle, rule) != false;
|
|
|
|
- debug_return_int(ret);
|
|
+ debug_return_bool(ret);
|
|
}
|
|
|
|
-static int
|
|
+static bool
|
|
sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
|
|
{
|
|
char **val_array, *val;
|
|
- int ret = false, i;
|
|
+ bool ret = false;
|
|
+ int i;
|
|
debug_decl(sudo_sss_check_host, SUDO_DEBUG_SSSD);
|
|
|
|
if (rule == NULL)
|
|
- debug_return_int(ret);
|
|
+ debug_return_bool(ret);
|
|
|
|
/* get the values from the rule */
|
|
switch (handle->fn_get_values(rule, "sudoHost", &val_array))
|
|
@@ -566,10 +567,10 @@ sudo_sss_check_host(struct sudo_sss_hand
|
|
break;
|
|
case ENOENT:
|
|
sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
|
|
- debug_return_int(false);
|
|
+ debug_return_bool(false);
|
|
default:
|
|
sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoHost): != 0");
|
|
- debug_return_int(ret);
|
|
+ debug_return_bool(ret);
|
|
}
|
|
|
|
/* walk through values */
|
|
@@ -589,7 +590,52 @@ sudo_sss_check_host(struct sudo_sss_hand
|
|
|
|
handle->fn_free_values(val_array);
|
|
|
|
- debug_return_int(ret);
|
|
+ debug_return_bool(ret);
|
|
+}
|
|
+
|
|
+/*
|
|
+ * Look for netgroup specifcations in the sudoUser attribute and
|
|
+ * if found, filter according to netgroup membership.
|
|
+ * returns:
|
|
+ * true -> netgroup spec found && negroup member
|
|
+ * false -> netgroup spec found && not a meber of netgroup
|
|
+ * true -> netgroup spec not found (filtered by SSSD already, netgroups are an exception)
|
|
+ */
|
|
+bool sudo_sss_filter_user_netgroup(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
|
|
+{
|
|
+ bool ret = false, netgroup_spec_found = false;
|
|
+ char **val_array, *val;
|
|
+ int i;
|
|
+ debug_decl(sudo_sss_check_user_netgroup, SUDO_DEBUG_SSSD);
|
|
+
|
|
+ if (!handle || !rule)
|
|
+ debug_return_bool(ret);
|
|
+
|
|
+ switch (handle->fn_get_values(rule, "sudoUser", &val_array)) {
|
|
+ case 0:
|
|
+ break;
|
|
+ case ENOENT:
|
|
+ sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
|
|
+ debug_return_bool(ret);
|
|
+ default:
|
|
+ sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoUser): != 0");
|
|
+ debug_return_bool(ret);
|
|
+ }
|
|
+
|
|
+ for (i = 0; val_array[i] != NULL && !ret; ++i) {
|
|
+ val = val_array[i];
|
|
+ if (*val == '+') {
|
|
+ netgroup_spec_found = true;
|
|
+ }
|
|
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
|
|
+ if (strcmp(val, "ALL") == 0 || netgr_matches(val, NULL, NULL, user_name)) {
|
|
+ ret = true;
|
|
+ sudo_debug_printf(SUDO_DEBUG_DIAG,
|
|
+ "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, user_name);
|
|
+ }
|
|
+ }
|
|
+ handle->fn_free_values(val_array);
|
|
+ debug_return_bool(netgroup_spec_found ? ret : true);
|
|
}
|
|
|
|
static int
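Review bot: Once a `+netgroup` value is seen in sudoUser, the new filter counts only `ALL` or a netgroup the user belongs to as a match, so a rule that also lists a plain user name, `#uid` or `%group` which SSSD already matched is dropped whenever the user is not in that netgroup — presumably SSSD can return such mixed rules, in which case the non-netgroup values need to be treated as matches (or checked with the usual user/group matchers) instead of ignored. The `debug_decl(sudo_sss_check_user_netgroup, SUDO_DEBUG_SSSD);` line names a function that does not exist and should read `debug_decl(sudo_sss_filter_user_netgroup, SUDO_DEBUG_SSSD);` so the trace output matches the function. The function is also the only helper in this file without `static` and has no prototype, which -Wmissing-prototypes will flag; `static bool sudo_sss_filter_user_netgroup(...)` matches its neighbours. The header comment has typos (`specifcations`, `negroup`, `meber`) and should state the fail-closed case explicitly — a failed or empty sudoUser lookup returns false and the rule is discarded — since that is what keeps an SSSD error from widening access.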
|
|
@@ -599,7 +645,8 @@ sudo_sss_result_filterp(struct sudo_sss_
|
|
(void)unused;
|
|
debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD);
|
|
|
|
- if (sudo_sss_check_host(handle, rule))
|
|
+ if (sudo_sss_check_host(handle, rule) &&
|
|
+ sudo_sss_filter_user_netgroup(handle, rule))
|
|
debug_return_int(1);
|
|
else
|
|
debug_return_int(0);
|