summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorPavel Březina <pbrezina@redhat.com>2012-05-14 16:28:58 +0200
committerStephen Gallagher <sgallagh@redhat.com>2012-06-29 11:37:18 -0400
commitdfafb437f49d31e015184e212571e9917aa94eef (patch)
tree9e94be124051e1257b0113ae26276fe524cff8e2 /src
parent20f82655b3a29cf0784ba5c912927d1ada1287df (diff)
downloadsssd-dfafb437f49d31e015184e212571e9917aa94eef.tar.gz
sssd-dfafb437f49d31e015184e212571e9917aa94eef.tar.bz2
sssd-dfafb437f49d31e015184e212571e9917aa94eef.zip
sudo: clean up
Diffstat (limited to 'src')
-rw-r--r--src/config/SSSDConfig/__init__.py.in1
-rw-r--r--src/config/etc/sssd.api.conf1
-rw-r--r--src/db/sysdb_sudo.c206
-rw-r--r--src/db/sysdb_sudo.h6
-rw-r--r--src/providers/data_provider.h7
-rw-r--r--src/providers/dp_backend.h4
6 files changed, 2 insertions, 223 deletions
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 30de27a1..2bd6e349 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -81,7 +81,6 @@ option_strings = {
# [sudo]
'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
- 'sudo_cache_timeout' : _('How many seconds to keep sudorules cached before asking the provider again'),
# [autofs]
'autofs_negative_timeout' : _('Negative cache timeout length (seconds)'),
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 2cf5713f..f1cd067d 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -54,7 +54,6 @@ get_domains_timeout = int, None, false
[sudo]
# sudo service
sudo_timed = bool, None, false
-sudo_cache_timeout = int, None, false
[autofs]
# autofs service
diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
index 0f9d9994..be7df651 100644
--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -534,57 +534,6 @@ errno_t sysdb_sudo_get_last_full_refresh(struct sysdb_ctx *sysdb, time_t *value)
value);
}
-char **sysdb_sudo_build_sudouser(TALLOC_CTX *mem_ctx, const char *username,
- uid_t uid, char **groupnames, bool include_all)
-{
- char **sudouser = NULL;
- int count = 0;
- errno_t ret;
- int i;
-
- if (username == NULL || uid == 0) {
- return NULL;
- }
-
- count = include_all ? 3 : 2;
- sudouser = talloc_array(NULL, char*, count + 1);
- NULL_CHECK(sudouser, ret, done);
-
- sudouser[0] = talloc_strdup(sudouser, username);
- NULL_CHECK(sudouser[0], ret, done);
-
- sudouser[1] = talloc_asprintf(sudouser, "#%llu", (unsigned long long)uid);
- NULL_CHECK(sudouser[1], ret, done);
-
- if (include_all) {
- sudouser[2] = talloc_strdup(sudouser, "ALL");
- NULL_CHECK(sudouser[2], ret, done);
- }
-
- if (groupnames != NULL) {
- for (i = 0; groupnames[i] != NULL; i++) {
- count++;
- sudouser = talloc_realloc(NULL, sudouser, char*, count + 1);
- NULL_CHECK(sudouser, ret, done);
-
- sudouser[count - 1] = talloc_asprintf(sudouser, "%s", groupnames[i]);
- NULL_CHECK(sudouser[count - 1], ret, done);
- }
- }
-
- sudouser[count] = NULL;
-
- ret = EOK;
-
-done:
- if (ret != EOK) {
- talloc_free(sudouser);
- return NULL;
- }
-
- return talloc_steal(mem_ctx, sudouser);
-}
-
/* ==================== Purge functions ==================== */
errno_t sysdb_sudo_purge_all(struct sysdb_ctx *sysdb)
@@ -694,158 +643,3 @@ done:
talloc_free(tmp_ctx);
return ret;
}
-
-errno_t sysdb_sudo_purge_bysudouser(struct sysdb_ctx *sysdb,
- char **sudouser)
-{
- TALLOC_CTX *tmp_ctx = NULL;
- char *filter = NULL;
- char *value = NULL;
- const char *rule_name = NULL;
- struct ldb_message_element *attr = NULL;
- struct ldb_message *msg = NULL;
- struct ldb_message **rules = NULL;
- size_t num_rules;
- errno_t ret;
- errno_t sret;
- int lret;
- int i, j, k;
- bool in_transaction = false;
- const char *attrs[] = { SYSDB_OBJECTCLASS,
- SYSDB_NAME,
- SYSDB_SUDO_CACHE_AT_USER,
- NULL };
-
- if (sudouser == NULL || sudouser[0] == NULL) {
- return EOK;
- }
-
- tmp_ctx = talloc_new(NULL);
- NULL_CHECK(tmp_ctx, ret, done);
-
- /* create search filter */
- filter = talloc_strdup(tmp_ctx, "(|");
- NULL_CHECK(filter, ret, done);
- for (i = 0; sudouser[i] != NULL; i++) {
- filter = talloc_asprintf_append(filter, "(%s=%s)",
- SYSDB_SUDO_CACHE_AT_USER, sudouser[i]);
- NULL_CHECK(filter, ret, done);
- }
- filter = talloc_strdup_append(filter, ")");
- NULL_CHECK(filter, ret, done);
-
- /* search the rules */
- ret = sysdb_search_custom(tmp_ctx, sysdb, filter, SUDORULE_SUBDIR, attrs,
- &num_rules, &rules);
- if (ret != EOK && ret != ENOENT) {
- DEBUG(SSSDBG_CRIT_FAILURE, ("Error looking up SUDO rules"));
- goto done;
- } if (ret == ENOENT) {
- DEBUG(SSSDBG_TRACE_FUNC, ("No rules matched\n"));
- ret = EOK;
- goto done;
- }
-
- ret = sysdb_transaction_start(sysdb);
- if (ret != EOK) {
- goto done;
- }
- in_transaction = true;
-
- /*
- * remove values from sudoUser and delete the rule
- * if the attribute is empty afterwards
- */
-
- for (i = 0; i < num_rules; i++) {
- /* find name */
- rule_name = ldb_msg_find_attr_as_string(rules[i], SYSDB_NAME, NULL);
- if (rule_name == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, ("A rule without a name?\n"));
- /* skip this one but still delete other entries */
- continue;
- }
-
- /* find sudoUser */
- attr = ldb_msg_find_element(rules[i], SYSDB_SUDO_CACHE_AT_USER);
- if (attr == NULL) {
- /* this should never happen because we search by this attribute */
- DEBUG(SSSDBG_CRIT_FAILURE, ("BUG: sudoUser attribute is missing\n"));
- continue;
- }
-
- /* create message */
- msg = ldb_msg_new(tmp_ctx);
- NULL_CHECK(msg, ret, done);
-
- msg->dn = ldb_dn_new_fmt(msg, sysdb->ldb, SYSDB_TMPL_CUSTOM, rule_name,
- SUDORULE_SUBDIR, sysdb->domain->name);
- NULL_CHECK(msg->dn, ret, done);
-
- /* create empty sudoUser */
- lret = ldb_msg_add_empty(msg, SYSDB_SUDO_CACHE_AT_USER,
- LDB_FLAG_MOD_DELETE, NULL);
- if (lret != LDB_SUCCESS) {
- ret = sysdb_error_to_errno(lret);
- goto done;
- }
-
- /* filter values */
- for (j = 0; j < attr->num_values; j++) {
- value = (char*)(attr->values[j].data);
- for (k = 0; sudouser[k] != NULL; k++) {
- if (strcmp(value, sudouser[k]) == 0) {
- /* delete value from cache */
- lret = ldb_msg_add_string(msg, SYSDB_SUDO_CACHE_AT_USER,
- sudouser[k]);
- if (lret != LDB_SUCCESS) {
- ret = sysdb_error_to_errno(lret);
- goto done;
- }
- break;
- }
- }
- }
-
- /* update the cache */
- if (msg->elements[0].num_values == attr->num_values) {
- /* sudoUser would remain empty, delete the rule */
- ret = sysdb_sudo_purge_byname(sysdb, rule_name);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, ("Could not delete rule %s\n",
- rule_name));
- goto done;
- }
- } else {
- /* sudoUser will not be empty, modify the rule */
- DEBUG(SSSDBG_TRACE_INTERNAL, ("Modifying sudoUser of rule %s\n",
- rule_name));
- lret = ldb_modify(sysdb->ldb, msg);
- if (lret != LDB_SUCCESS) {
- DEBUG(SSSDBG_OP_FAILURE, ("Could not modify rule %s\n",
- rule_name));
- ret = sysdb_error_to_errno(lret);
- goto done;
- }
- }
-
- talloc_free(msg);
- }
-
- ret = sysdb_transaction_commit(sysdb);
- if (ret == EOK) {
- in_transaction = false;
- }
-
-done:
- if (in_transaction) {
- sret = sysdb_transaction_cancel(sysdb);
- if (sret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, ("Could not cancel transaction\n"));
- }
- }
-
- talloc_free(tmp_ctx);
- return ret;
-}
-
diff --git a/src/db/sysdb_sudo.h b/src/db/sysdb_sudo.h
index b8ed2bc4..0d11b110 100644
--- a/src/db/sysdb_sudo.h
+++ b/src/db/sysdb_sudo.h
@@ -86,9 +86,6 @@ sysdb_save_sudorule(struct sysdb_ctx *sysdb_ctx,
errno_t sysdb_sudo_set_last_full_refresh(struct sysdb_ctx *sysdb, time_t value);
errno_t sysdb_sudo_get_last_full_refresh(struct sysdb_ctx *sysdb, time_t *value);
-char **sysdb_sudo_build_sudouser(TALLOC_CTX *mem_ctx, const char *username,
- uid_t uid, char **groupnames, bool include_all);
-
errno_t sysdb_sudo_purge_all(struct sysdb_ctx *sysdb);
errno_t sysdb_sudo_purge_byname(struct sysdb_ctx *sysdb,
@@ -97,7 +94,4 @@ errno_t sysdb_sudo_purge_byname(struct sysdb_ctx *sysdb,
errno_t sysdb_sudo_purge_byfilter(struct sysdb_ctx *sysdb,
const char *filter);
-errno_t sysdb_sudo_purge_bysudouser(struct sysdb_ctx *sysdb,
- char **sudoUser);
-
#endif /* _SYSDB_SUDO_H_ */
diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h
index 8c46115b..b783081b 100644
--- a/src/providers/data_provider.h
+++ b/src/providers/data_provider.h
@@ -138,11 +138,8 @@
#define BE_REQ_INITGROUPS 0x0003
#define BE_REQ_NETGROUP 0x0004
#define BE_REQ_SERVICES 0x0005
-#define BE_REQ_SUDO_ALL 0x0006
-#define BE_REQ_SUDO_DEFAULTS 0x0007
-#define BE_REQ_SUDO_USER 0x0008
-#define BE_REQ_SUDO_FULL 0x0100 /* todo: change it after clean up */
-#define BE_REQ_SUDO_RULES 0x0200 /* todo: change it after clean up */
+#define BE_REQ_SUDO_FULL 0x0006
+#define BE_REQ_SUDO_RULES 0x0007
#define BE_REQ_AUTOFS 0x0009
#define BE_REQ_HOST 0x0010
#define BE_REQ_FAST 0x1000
diff --git a/src/providers/dp_backend.h b/src/providers/dp_backend.h
index 2c56f147..6e5c6e1a 100644
--- a/src/providers/dp_backend.h
+++ b/src/providers/dp_backend.h
@@ -159,10 +159,6 @@ struct be_acct_req {
struct be_sudo_req {
uint32_t type;
char **rules;
-
- char *username;
- uid_t uid;
- char **groups;
};
struct be_autofs_req {