authorPavel Březina <pbrezina@redhat.com>2012-01-17 12:28:33 +0100
committerStephen Gallagher <sgallagh@redhat.com>2012-01-27 09:10:37 -0500
commitf6171b2bc954a367f316853ab71090eb213bdee3 (patch)
treec3d3d9f63670d9f8237c7c21a4a964824a47f8dd
parent3d55c65fbe50074f6a63dcb8ae866c038a9e6b2b (diff)
SUDO Integration - make sysdb_get_sudo_filter() more configurable
https://fedorahosted.org/sssd/ticket/1143
-rw-r--r--src/db/sysdb_sudo.c99
-rw-r--r--src/db/sysdb_sudo.h15
-rw-r--r--src/responder/sudo/sudosrv_get_sudorules.c7
3 files changed, 73 insertions, 48 deletions
diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
index f7e87ee4..5adde76e 100644
--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -67,76 +67,91 @@ sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username,
uid_t uid, char **groupnames, unsigned int flags,
char **_filter)
{
- TALLOC_CTX *tmp_ctx;
+ TALLOC_CTX *tmp_ctx = NULL;
+ char *filter = NULL;
+ char *specific_filter = NULL;
+ char *time_filter = NULL;
errno_t ret;
- char *filter;
- char *t;
int i;
tmp_ctx = talloc_new(NULL);
NULL_CHECK(tmp_ctx, ret, done);
- /* AND with objectclass */
- filter = talloc_asprintf(tmp_ctx, "(&(%s=%s)",
- SYSDB_OBJECTCLASS,
- SYSDB_SUDO_CACHE_AT_OC);
- NULL_CHECK(filter, ret, done);
+ /* build specific filter */
- /* And with the timed rules if requested */
- if (flags & SYSDB_SUDO_FILTER_TIMED) {
- t = get_sudo_time_filter(filter);
- filter = talloc_asprintf_append(filter, "%s", t);
- talloc_free(t);
- NULL_CHECK(filter, ret, done);
+ specific_filter = talloc_zero(tmp_ctx, char); /* assign to tmp_ctx */
+ NULL_CHECK(specific_filter, ret, done);
+
+ if (flags & SYSDB_SUDO_FILTER_INCLUDE_ALL) {
+ specific_filter = talloc_asprintf_append(specific_filter, "(%s=ALL)",
+ SYSDB_SUDO_CACHE_AT_USER);
+ NULL_CHECK(specific_filter, ret, done);
}
- /* Add global OR and the username */
- filter = talloc_asprintf_append(filter, "(|(%s=%s)",
- SYSDB_SUDO_CACHE_AT_USER,
- username);
- NULL_CHECK(filter, ret, done);
+ if (flags & SYSDB_SUDO_FILTER_INCLUDE_DFL) {
+ specific_filter = talloc_asprintf_append(specific_filter, "(%s=defaults)",
+ SYSDB_NAME);
+ NULL_CHECK(specific_filter, ret, done);
+ }
- if (uid) {
- filter = talloc_asprintf_append(filter, "(%s=#%llu)",
- SYSDB_SUDO_CACHE_AT_USER,
- (unsigned long long) uid);
- NULL_CHECK(filter, ret, done);
+ if ((flags & SYSDB_SUDO_FILTER_USERNAME) && (username != NULL)) {
+ specific_filter = talloc_asprintf_append(specific_filter, "(%s=%s)",
+ SYSDB_SUDO_CACHE_AT_USER,
+ username);
+ NULL_CHECK(specific_filter, ret, done);
+ }
+
+ if ((flags & SYSDB_SUDO_FILTER_UID) && (uid != 0)) {
+ specific_filter = talloc_asprintf_append(specific_filter, "(%s=#%llu)",
+ SYSDB_SUDO_CACHE_AT_USER,
+ (unsigned long long) uid);
+ NULL_CHECK(specific_filter, ret, done);
}
- if (groupnames) {
- for (i=0; groupnames[i]; i++) {
- filter = talloc_asprintf_append(filter, "(%s=%%%s)",
- SYSDB_SUDO_CACHE_AT_USER,
- groupnames[i]);
- NULL_CHECK(filter, ret, done);
+ if ((flags & SYSDB_SUDO_FILTER_GROUPS) && (groupnames != NULL)) {
+ for (i=0; groupnames[i] != NULL; i++) {
+ specific_filter = talloc_asprintf_append(specific_filter, "(%s=%%%s)",
+ SYSDB_SUDO_CACHE_AT_USER,
+ groupnames[i]);
+ NULL_CHECK(specific_filter, ret, done);
}
}
if (flags & SYSDB_SUDO_FILTER_NGRS) {
- filter = talloc_asprintf_append(filter, "(%s=+*)",
- SYSDB_SUDO_CACHE_AT_USER);
- NULL_CHECK(filter, ret, done);
+ specific_filter = talloc_asprintf_append(specific_filter, "(%s=+*)",
+ SYSDB_SUDO_CACHE_AT_USER);
+ NULL_CHECK(specific_filter, ret, done);
}
- if (flags & SYSDB_SUDO_FILTER_INCLUDE_ALL) {
- filter = talloc_asprintf_append(filter, "(%s=ALL)",
- SYSDB_SUDO_CACHE_AT_USER);
+ /* build time filter */
+
+ if (flags & SYSDB_SUDO_FILTER_TIMED) {
+ time_filter = get_sudo_time_filter(tmp_ctx);
+ NULL_CHECK(time_filter, ret, done);
+ }
+
+ /* build global filter */
+
+ filter = talloc_asprintf(tmp_ctx, "(&(%s=%s)",
+ SYSDB_OBJECTCLASS, SYSDB_SUDO_CACHE_AT_OC);
+ NULL_CHECK(filter, ret, done);
+
+ if (time_filter != NULL) {
+ filter = talloc_strdup_append(filter, time_filter);
NULL_CHECK(filter, ret, done);
}
- if (flags & SYSDB_SUDO_FILTER_INCLUDE_DFL) {
- filter = talloc_asprintf_append(filter, "(%s=defaults)",
- SYSDB_NAME);
+ if (specific_filter[0] != '\0') {
+ filter = talloc_asprintf_append(filter, "(|%s)", specific_filter);
NULL_CHECK(filter, ret, done);
}
- /* end the global AND and OR filters */
- filter = talloc_asprintf_append(filter, "))");
+ filter = talloc_strdup_append(filter, ")");
NULL_CHECK(filter, ret, done);
-
ret = EOK;
*_filter = talloc_steal(mem_ctx, filter);
+
done:
talloc_free(tmp_ctx);
return ret;
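Review bot: The username and each groupnames[i] are spliced verbatim into the LDB filter (the `"(%s=%s)"` and `"(%s=%%%s)"` appends), so a name containing filter metacharacters such as `*`, `(`, `)` or `\` changes the shape of the query rather than being matched literally; unless every caller already sanitizes these, they should be passed through sss_filter_sanitize() into tmp_ctx before being appended, and the same applies to the uid-less path since `#%llu` is the only value that is safe by construction. A second point is that when no SYSDB_SUDO_FILTER_* bit selects a specific term, `specific_filter[0]` stays `'\0'` and the result is `(&(objectClass=...))` plus the optional time filter, which matches every cached rule; if that is intended it deserves a comment, e.g. `/* no specific terms requested: filter selects every cached rule (subject to the time filter) */`, otherwise the function should return an error for an empty selection. The function's signature begins on the hunk header line and its closing brace lies after this hunk.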
diff --git a/src/db/sysdb_sudo.h b/src/db/sysdb_sudo.h
index 67f9e912..b4e3eaff 100644
--- a/src/db/sysdb_sudo.h
+++ b/src/db/sysdb_sudo.h
@@ -46,10 +46,17 @@
/* When constructing a sysdb filter, OR these values to include.. */
#define SYSDB_SUDO_FILTER_NONE 0x00 /* no additional filter */
-#define SYSDB_SUDO_FILTER_NGRS 0x01 /* netgroups */
-#define SYSDB_SUDO_FILTER_TIMED 0x02 /* timed rules */
-#define SYSDB_SUDO_FILTER_INCLUDE_ALL 0x04 /* ALL */
-#define SYSDB_SUDO_FILTER_INCLUDE_DFL 0x08 /* include cn=default */
+#define SYSDB_SUDO_FILTER_USERNAME 0x01 /* username */
+#define SYSDB_SUDO_FILTER_UID 0x02 /* uid */
+#define SYSDB_SUDO_FILTER_GROUPS 0x04 /* groups */
+#define SYSDB_SUDO_FILTER_NGRS 0x08 /* netgroups */
+#define SYSDB_SUDO_FILTER_TIMED 0x10 /* timed rules */
+#define SYSDB_SUDO_FILTER_INCLUDE_ALL 0x20 /* ALL */
+#define SYSDB_SUDO_FILTER_INCLUDE_DFL 0x40 /* include cn=default */
+#define SYSDB_SUDO_FILTER_USERINFO SYSDB_SUDO_FILTER_USERNAME \
+ | SYSDB_SUDO_FILTER_UID \
+ | SYSDB_SUDO_FILTER_GROUPS \
+ | SYSDB_SUDO_FILTER_NGRS
errno_t
sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username,
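Review bot: SYSDB_SUDO_FILTER_USERINFO expands to an unparenthesized OR chain, so any use other than a bare assignment or OR misparses: `flags & SYSDB_SUDO_FILTER_USERINFO` becomes `flags & 0x01 | 0x02 | 0x04 | 0x08` because `&` binds tighter than `|`, and `!SYSDB_SUDO_FILTER_USERINFO` or a `SYSDB_SUDO_FILTER_USERINFO << n` would go wrong in the same way. The whole expansion should be wrapped: `#define SYSDB_SUDO_FILTER_USERINFO (SYSDB_SUDO_FILTER_USERNAME | SYSDB_SUDO_FILTER_UID | SYSDB_SUDO_FILTER_GROUPS | SYSDB_SUDO_FILTER_NGRS)`. The assignment in sudosrv_get_sudorules_query_cache happens to work only because it consists solely of `|` operators.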
diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c
index fba8a85e..0b3b81e8 100644
--- a/src/responder/sudo/sudosrv_get_sudorules.c
+++ b/src/responder/sudo/sudosrv_get_sudorules.c
@@ -412,6 +412,7 @@ static errno_t sudosrv_get_sudorules_query_cache(TALLOC_CTX *mem_ctx,
size_t count;
struct sysdb_attrs **rules;
struct ldb_message **msgs;
+ unsigned int flags = SYSDB_SUDO_FILTER_NONE;
const char *attrs[] = { SYSDB_OBJECTCLASS
SYSDB_SUDO_CACHE_AT_OC,
SYSDB_SUDO_CACHE_AT_CN,
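Review bot: The attrs initializer appears to be missing a comma after `SYSDB_OBJECTCLASS` (the next element `SYSDB_SUDO_CACHE_AT_OC,` follows directly), which makes the two string-literal macros concatenate into a single bogus attribute name and silently drops the objectClass attribute from the requested set; if the comma was not lost in rendering, the line should read `const char *attrs[] = { SYSDB_OBJECTCLASS,`. This is a context line, so the defect predates the commit, but it sits in the function the commit touches and is worth fixing in the same series. The enclosing sudosrv_get_sudorules_query_cache body continues beyond this hunk.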
@@ -429,9 +430,11 @@ static errno_t sudosrv_get_sudorules_query_cache(TALLOC_CTX *mem_ctx,
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) return ENOMEM;
+ flags = SYSDB_SUDO_FILTER_USERINFO
+ | SYSDB_SUDO_FILTER_INCLUDE_ALL
+ | SYSDB_SUDO_FILTER_INCLUDE_DFL;
ret = sysdb_get_sudo_filter(tmp_ctx, username, uid, groupnames,
- (SYSDB_SUDO_FILTER_NGRS | SYSDB_SUDO_FILTER_INCLUDE_ALL |
- SYSDB_SUDO_FILTER_INCLUDE_DFL), &filter);
+ flags, &filter);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
("Could not construct the search filter [%d]: %s\n",