summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPavel Březina <pbrezina@redhat.com>2012-05-11 10:26:59 +0200
committerStephen Gallagher <sgallagh@redhat.com>2012-06-29 11:37:18 -0400
commit5e7ddcae402bc284d43c5ebb5d215310a5658aba (patch)
treea3b4b970118b44b7a1a40d2bd46d15d21412a077
parentf7af8c5b369938725e47585c641ae5b017d442a1 (diff)
downloadsssd-5e7ddcae402bc284d43c5ebb5d215310a5658aba.tar.gz
sssd-5e7ddcae402bc284d43c5ebb5d215310a5658aba.tar.bz2
sssd-5e7ddcae402bc284d43c5ebb5d215310a5658aba.zip
sudo responder: allow fetching only expired rules in sudosrv_get_sudorules_query_cache()
-rw-r--r--src/responder/sudo/sudosrv_get_sudorules.c47
1 files changed, 22 insertions, 25 deletions
diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c
index cd359b68..9f670b9b 100644
--- a/src/responder/sudo/sudosrv_get_sudorules.c
+++ b/src/responder/sudo/sudosrv_get_sudorules.c
@@ -408,6 +408,8 @@ sudosrv_get_sudorules_dp_callback(uint16_t err_maj, uint32_t err_min,
static errno_t sudosrv_get_sudorules_query_cache(TALLOC_CTX *mem_ctx,
struct sysdb_ctx *sysdb,
enum sss_dp_sudo_type type,
+ const char **attrs,
+ unsigned int flags,
const char *username,
uid_t uid,
char **groupnames,
@@ -421,6 +423,20 @@ static errno_t sudosrv_get_sudorules_from_cache(struct sudo_cmd_ctx *cmd_ctx)
struct sysdb_ctx *sysdb;
char **groupnames = NULL;
const char *debug_name = NULL;
+ unsigned int flags = SYSDB_SUDO_FILTER_NONE;
+ const char *attrs[] = { SYSDB_OBJECTCLASS
+ SYSDB_SUDO_CACHE_AT_OC,
+ SYSDB_SUDO_CACHE_AT_CN,
+ SYSDB_SUDO_CACHE_AT_USER,
+ SYSDB_SUDO_CACHE_AT_HOST,
+ SYSDB_SUDO_CACHE_AT_COMMAND,
+ SYSDB_SUDO_CACHE_AT_OPTION,
+ SYSDB_SUDO_CACHE_AT_RUNASUSER,
+ SYSDB_SUDO_CACHE_AT_RUNASGROUP,
+ SYSDB_SUDO_CACHE_AT_NOTBEFORE,
+ SYSDB_SUDO_CACHE_AT_NOTAFTER,
+ SYSDB_SUDO_CACHE_AT_ORDER,
+ NULL };
if (cmd_ctx->domain == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, ("Domain is not set!\n"));
@@ -451,14 +467,16 @@ static errno_t sudosrv_get_sudorules_from_cache(struct sudo_cmd_ctx *cmd_ctx)
("Unable to retrieve user info [%d]: %s\n", strerror(ret)));
goto done;
}
+ flags = SYSDB_SUDO_FILTER_USERINFO | SYSDB_SUDO_FILTER_INCLUDE_ALL;
break;
case SSS_SUDO_DEFAULTS:
debug_name = "<default options>";
+ flags = SYSDB_SUDO_FILTER_INCLUDE_DFL;
break;
}
ret = sudosrv_get_sudorules_query_cache(cmd_ctx, sysdb, cmd_ctx->type,
- cmd_ctx->orig_username,
+ attrs, flags, cmd_ctx->orig_username,
cmd_ctx->uid, groupnames,
&cmd_ctx->rules, &cmd_ctx->num_rules);
if (ret != EOK) {
@@ -482,6 +500,8 @@ sort_sudo_rules(struct sysdb_attrs **rules, size_t count);
static errno_t sudosrv_get_sudorules_query_cache(TALLOC_CTX *mem_ctx,
struct sysdb_ctx *sysdb,
enum sss_dp_sudo_type type,
+ const char **attrs,
+ unsigned int flags,
const char *username,
uid_t uid,
char **groupnames,
@@ -494,35 +514,12 @@ static errno_t sudosrv_get_sudorules_query_cache(TALLOC_CTX *mem_ctx,
size_t count;
struct sysdb_attrs **rules;
struct ldb_message **msgs;
- unsigned int flags = SYSDB_SUDO_FILTER_NONE;
- const char *attrs[] = { SYSDB_OBJECTCLASS
- SYSDB_SUDO_CACHE_AT_OC,
- SYSDB_SUDO_CACHE_AT_CN,
- SYSDB_SUDO_CACHE_AT_USER,
- SYSDB_SUDO_CACHE_AT_HOST,
- SYSDB_SUDO_CACHE_AT_COMMAND,
- SYSDB_SUDO_CACHE_AT_OPTION,
- SYSDB_SUDO_CACHE_AT_RUNASUSER,
- SYSDB_SUDO_CACHE_AT_RUNASGROUP,
- SYSDB_SUDO_CACHE_AT_NOTBEFORE,
- SYSDB_SUDO_CACHE_AT_NOTAFTER,
- SYSDB_SUDO_CACHE_AT_ORDER,
- NULL };
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) return ENOMEM;
- switch (type) {
- case SSS_SUDO_DEFAULTS:
- flags = SYSDB_SUDO_FILTER_INCLUDE_DFL;
- break;
- case SSS_SUDO_USER:
- flags = SYSDB_SUDO_FILTER_USERINFO | SYSDB_SUDO_FILTER_INCLUDE_ALL;
- break;
- }
-
ret = sysdb_get_sudo_filter(tmp_ctx, username, uid, groupnames,
- flags, 0, &filter);
+ flags, &filter);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
("Could not construct the search filter [%d]: %s\n",