sudo sysdb: add expiration time to the filter

2 files changed, 9 insertions, 0 deletions

diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
index 586e9588..0f9d9994 100644
--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -201,6 +201,7 @@ sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username,
     TALLOC_CTX *tmp_ctx = NULL;
     char *filter = NULL;
     char *specific_filter = NULL;
+    time_t now;
     errno_t ret;
     int i;
 
@@ -264,6 +265,13 @@ sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username,
         NULL_CHECK(filter, ret, done);
     }
 
+    if (flags & SYSDB_SUDO_FILTER_ONLY_EXPIRED) {
+        now = time(NULL);
+        filter = talloc_asprintf_append(filter, "(&(%s<=%lld))",
+                                        SYSDB_CACHE_EXPIRE, (long long)now);
+        NULL_CHECK(filter, ret, done);
+    }
+
     filter = talloc_strdup_append(filter, ")");
     NULL_CHECK(filter, ret, done);
 
diff --git a/src/db/sysdb_sudo.h b/src/db/sysdb_sudo.h
index 4a392675..b8ed2bc4 100644
--- a/src/db/sysdb_sudo.h
+++ b/src/db/sysdb_sudo.h
@@ -53,6 +53,7 @@
 #define SYSDB_SUDO_FILTER_UID            0x02       /* uid                  */
 #define SYSDB_SUDO_FILTER_GROUPS         0x04       /* groups               */
 #define SYSDB_SUDO_FILTER_NGRS           0x08       /* netgroups            */
+#define SYSDB_SUDO_FILTER_ONLY_EXPIRED   0x10       /* only expired         */
 #define SYSDB_SUDO_FILTER_INCLUDE_ALL    0x20       /* ALL                  */
 #define SYSDB_SUDO_FILTER_INCLUDE_DFL    0x40       /* include cn=default   */
 #define SYSDB_SUDO_FILTER_USERINFO       SYSDB_SUDO_FILTER_USERNAME \