version 1.1.1.3, 2013/10/14 07:56:35
|
version 1.1.1.4, 2014/06/15 16:12:54
|
Line 40
|
Line 40
|
#ifdef HAVE_UNISTD_H |
#ifdef HAVE_UNISTD_H |
# include <unistd.h> |
# include <unistd.h> |
#endif /* HAVE_UNISTD_H */ |
#endif /* HAVE_UNISTD_H */ |
#if TIME_WITH_SYS_TIME | #ifdef TIME_WITH_SYS_TIME |
# include <time.h> |
# include <time.h> |
#endif |
#endif |
#ifdef HAVE_DLOPEN |
|
# include <dlfcn.h> |
|
#else |
|
# include "compat/dlfcn.h" |
|
#endif |
|
#include <ctype.h> |
#include <ctype.h> |
#include <pwd.h> |
#include <pwd.h> |
#include <grp.h> |
#include <grp.h> |
Line 58
|
Line 53
|
#include "sudoers.h" |
#include "sudoers.h" |
#include "parse.h" |
#include "parse.h" |
#include "lbuf.h" |
#include "lbuf.h" |
|
#include "sudo_dso.h" |
#include "sudo_debug.h" |
#include "sudo_debug.h" |
|
|
/* SSSD <--> SUDO interface - do not change */ |
/* SSSD <--> SUDO interface - do not change */ |
Line 179 sudo_sss_filter_result(struct sudo_sss_handle *handle,
|
Line 175 sudo_sss_filter_result(struct sudo_sss_handle *handle,
|
debug_decl(sudo_sss_filter_result, SUDO_DEBUG_SSSD) |
debug_decl(sudo_sss_filter_result, SUDO_DEBUG_SSSD) |
|
|
sudo_debug_printf(SUDO_DEBUG_DEBUG, "in_res=%p, count=%u, act=%s", |
sudo_debug_printf(SUDO_DEBUG_DEBUG, "in_res=%p, count=%u, act=%s", |
in_res, in_res->num_rules, | in_res, in_res ? in_res->num_rules : 0, |
act == _SUDO_SSS_FILTER_EXCLUDE ? "EXCLUDE" : "INCLUDE"); |
act == _SUDO_SSS_FILTER_EXCLUDE ? "EXCLUDE" : "INCLUDE"); |
|
|
if (in_res == NULL) |
if (in_res == NULL) |
Line 226 sudo_sss_filter_result(struct sudo_sss_handle *handle,
|
Line 222 sudo_sss_filter_result(struct sudo_sss_handle *handle,
|
} |
} |
|
|
struct sudo_nss sudo_nss_sss = { |
struct sudo_nss sudo_nss_sss = { |
&sudo_nss_sss, | { NULL, NULL }, |
NULL, | |
sudo_sss_open, |
sudo_sss_open, |
sudo_sss_close, |
sudo_sss_close, |
sudo_sss_parse, |
sudo_sss_parse, |
Line 251 static int sudo_sss_open(struct sudo_nss *nss)
|
Line 246 static int sudo_sss_open(struct sudo_nss *nss)
|
handle = emalloc(sizeof(struct sudo_sss_handle)); |
handle = emalloc(sizeof(struct sudo_sss_handle)); |
|
|
/* Load symbols */ |
/* Load symbols */ |
handle->ssslib = dlopen(path, RTLD_LAZY); | handle->ssslib = sudo_dso_load(path, SUDO_DSO_LAZY); |
if (handle->ssslib == NULL) { |
if (handle->ssslib == NULL) { |
warningx(_("unable to dlopen %s: %s"), path, dlerror()); | warningx(U_("unable to load %s: %s"), path, sudo_dso_strerror()); |
warningx(_("unable to initialize SSS source. Is SSSD installed on your machine?")); | warningx(U_("unable to initialize SSS source. Is SSSD installed on your machine?")); |
debug_return_int(EFAULT); |
debug_return_int(EFAULT); |
} |
} |
|
|
handle->fn_send_recv = dlsym(handle->ssslib, "sss_sudo_send_recv"); | handle->fn_send_recv = |
| sudo_dso_findsym(handle->ssslib, "sss_sudo_send_recv"); |
if (handle->fn_send_recv == NULL) { |
if (handle->fn_send_recv == NULL) { |
warningx(_("unable to find symbol \"%s\" in %s"), path, | warningx(U_("unable to find symbol \"%s\" in %s"), path, |
"sss_sudo_send_recv"); |
"sss_sudo_send_recv"); |
debug_return_int(EFAULT); |
debug_return_int(EFAULT); |
} |
} |
|
|
handle->fn_send_recv_defaults = |
handle->fn_send_recv_defaults = |
dlsym(handle->ssslib, "sss_sudo_send_recv_defaults"); | sudo_dso_findsym(handle->ssslib, "sss_sudo_send_recv_defaults"); |
if (handle->fn_send_recv_defaults == NULL) { |
if (handle->fn_send_recv_defaults == NULL) { |
warningx(_("unable to find symbol \"%s\" in %s"), path, | warningx(U_("unable to find symbol \"%s\" in %s"), path, |
"sss_sudo_send_recv_defaults"); |
"sss_sudo_send_recv_defaults"); |
debug_return_int(EFAULT); |
debug_return_int(EFAULT); |
} |
} |
|
|
handle->fn_free_result = dlsym(handle->ssslib, "sss_sudo_free_result"); | handle->fn_free_result = |
| sudo_dso_findsym(handle->ssslib, "sss_sudo_free_result"); |
if (handle->fn_free_result == NULL) { |
if (handle->fn_free_result == NULL) { |
warningx(_("unable to find symbol \"%s\" in %s"), path, | warningx(U_("unable to find symbol \"%s\" in %s"), path, |
"sss_sudo_free_result"); |
"sss_sudo_free_result"); |
debug_return_int(EFAULT); |
debug_return_int(EFAULT); |
} |
} |
|
|
handle->fn_get_values = dlsym(handle->ssslib, "sss_sudo_get_values"); | handle->fn_get_values = |
| sudo_dso_findsym(handle->ssslib, "sss_sudo_get_values"); |
if (handle->fn_get_values == NULL) { |
if (handle->fn_get_values == NULL) { |
warningx(_("unable to find symbol \"%s\" in %s"), path, | warningx(U_("unable to find symbol \"%s\" in %s"), path, |
"sss_sudo_get_values"); |
"sss_sudo_get_values"); |
debug_return_int(EFAULT); |
debug_return_int(EFAULT); |
} |
} |
|
|
handle->fn_free_values = dlsym(handle->ssslib, "sss_sudo_free_values"); | handle->fn_free_values = |
| sudo_dso_findsym(handle->ssslib, "sss_sudo_free_values"); |
if (handle->fn_free_values == NULL) { |
if (handle->fn_free_values == NULL) { |
warningx(_("unable to find symbol \"%s\" in %s"), path, | warningx(U_("unable to find symbol \"%s\" in %s"), path, |
"sss_sudo_free_values"); |
"sss_sudo_free_values"); |
debug_return_int(EFAULT); |
debug_return_int(EFAULT); |
} |
} |
Line 311 static int sudo_sss_close(struct sudo_nss *nss)
|
Line 310 static int sudo_sss_close(struct sudo_nss *nss)
|
|
|
if (nss && nss->handle) { |
if (nss && nss->handle) { |
handle = nss->handle; |
handle = nss->handle; |
dlclose(handle->ssslib); | sudo_dso_unload(handle->ssslib); |
| efree(nss->handle); |
} |
} |
|
|
efree(nss->handle); |
|
debug_return_int(0); |
debug_return_int(0); |
} |
} |
|
|
Line 534 sudo_sss_check_runas_group(struct sudo_sss_handle *han
|
Line 532 sudo_sss_check_runas_group(struct sudo_sss_handle *han
|
* Walk through search results and return true if we have a runas match, |
* Walk through search results and return true if we have a runas match, |
* else false. RunAs info is optional. |
* else false. RunAs info is optional. |
*/ |
*/ |
static int | static bool |
sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule) |
sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule) |
{ |
{ |
int ret; | bool ret; |
debug_decl(sudo_sss_check_runas, SUDO_DEBUG_SSSD); |
debug_decl(sudo_sss_check_runas, SUDO_DEBUG_SSSD); |
|
|
if (rule == NULL) |
if (rule == NULL) |
debug_return_int(false); | debug_return_bool(false); |
|
|
ret = sudo_sss_check_runas_user(handle, rule) != false && |
ret = sudo_sss_check_runas_user(handle, rule) != false && |
sudo_sss_check_runas_group(handle, rule) != false; |
sudo_sss_check_runas_group(handle, rule) != false; |
|
|
debug_return_int(ret); | debug_return_bool(ret); |
} |
} |
|
|
static int | static bool |
sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule) |
sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule) |
{ |
{ |
char **val_array, *val; |
char **val_array, *val; |
int ret = false, i; | bool ret = false; |
| int i; |
debug_decl(sudo_sss_check_host, SUDO_DEBUG_SSSD); |
debug_decl(sudo_sss_check_host, SUDO_DEBUG_SSSD); |
|
|
if (rule == NULL) |
if (rule == NULL) |
debug_return_int(ret); | debug_return_bool(ret); |
|
|
/* get the values from the rule */ |
/* get the values from the rule */ |
switch (handle->fn_get_values(rule, "sudoHost", &val_array)) |
switch (handle->fn_get_values(rule, "sudoHost", &val_array)) |
Line 566 sudo_sss_check_host(struct sudo_sss_handle *handle, st
|
Line 565 sudo_sss_check_host(struct sudo_sss_handle *handle, st
|
break; |
break; |
case ENOENT: |
case ENOENT: |
sudo_debug_printf(SUDO_DEBUG_INFO, "No result."); |
sudo_debug_printf(SUDO_DEBUG_INFO, "No result."); |
debug_return_int(false); | debug_return_bool(false); |
default: |
default: |
sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoHost): != 0"); |
sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoHost): != 0"); |
debug_return_int(ret); | debug_return_bool(ret); |
} |
} |
|
|
/* walk through values */ |
/* walk through values */ |
Line 589 sudo_sss_check_host(struct sudo_sss_handle *handle, st
|
Line 588 sudo_sss_check_host(struct sudo_sss_handle *handle, st
|
|
|
handle->fn_free_values(val_array); |
handle->fn_free_values(val_array); |
|
|
debug_return_int(ret); | debug_return_bool(ret); |
} |
} |
|
|
|
/* |
|
* Look for netgroup specifcations in the sudoUser attribute and |
|
* if found, filter according to netgroup membership. |
|
* returns: |
|
* true -> netgroup spec found && netgroup member |
|
* false -> netgroup spec found && not a member of netgroup |
|
* true -> netgroup spec not found (filtered by SSSD already, netgroups are an exception) |
|
*/ |
|
static bool |
|
sudo_sss_filter_user_netgroup(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule) |
|
{ |
|
bool ret = false, netgroup_spec_found = false; |
|
char **val_array, *val; |
|
int i; |
|
debug_decl(sudo_sss_filter_user_netgroup, SUDO_DEBUG_SSSD); |
|
|
|
if (!handle || !rule) |
|
debug_return_bool(ret); |
|
|
|
switch (handle->fn_get_values(rule, "sudoUser", &val_array)) { |
|
case 0: |
|
break; |
|
case ENOENT: |
|
sudo_debug_printf(SUDO_DEBUG_INFO, "No result."); |
|
debug_return_bool(ret); |
|
default: |
|
sudo_debug_printf(SUDO_DEBUG_INFO, |
|
"handle->fn_get_values(sudoUser): != 0"); |
|
debug_return_bool(ret); |
|
} |
|
|
|
for (i = 0; val_array[i] != NULL && !ret; ++i) { |
|
val = val_array[i]; |
|
if (*val == '+') { |
|
netgroup_spec_found = true; |
|
} |
|
sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val); |
|
if (strcmp(val, "ALL") == 0 || netgr_matches(val, NULL, NULL, handle->pw->pw_name)) { |
|
ret = true; |
|
sudo_debug_printf(SUDO_DEBUG_DIAG, |
|
"sssd/ldap sudoUser '%s' ... MATCH! (%s)", |
|
val, handle->pw->pw_name); |
|
break; |
|
} |
|
} |
|
handle->fn_free_values(val_array); |
|
debug_return_bool(netgroup_spec_found ? ret : true); |
|
} |
|
|
static int |
static int |
sudo_sss_result_filterp(struct sudo_sss_handle *handle, |
sudo_sss_result_filterp(struct sudo_sss_handle *handle, |
struct sss_sudo_rule *rule, void *unused) |
struct sss_sudo_rule *rule, void *unused) |
Line 599 sudo_sss_result_filterp(struct sudo_sss_handle *handle
|
Line 647 sudo_sss_result_filterp(struct sudo_sss_handle *handle
|
(void)unused; |
(void)unused; |
debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD); |
debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD); |
|
|
if (sudo_sss_check_host(handle, rule)) | if (sudo_sss_check_host(handle, rule) && |
| sudo_sss_filter_user_netgroup(handle, rule)) |
debug_return_int(1); |
debug_return_int(1); |
else |
else |
debug_return_int(0); |
debug_return_int(0); |
Line 617 sudo_sss_result_get(struct sudo_nss *nss, struct passw
|
Line 666 sudo_sss_result_get(struct sudo_nss *nss, struct passw
|
debug_return_ptr(NULL); |
debug_return_ptr(NULL); |
|
|
sudo_debug_printf(SUDO_DEBUG_DIAG, " username=%s", handle->pw->pw_name); |
sudo_debug_printf(SUDO_DEBUG_DIAG, " username=%s", handle->pw->pw_name); |
sudo_debug_printf(SUDO_DEBUG_DIAG, "domainname=%s", handle->domainname); | sudo_debug_printf(SUDO_DEBUG_DIAG, "domainname=%s", |
| handle->domainname ? handle->domainname : "NULL"); |
|
|
u_sss_result = f_sss_result = NULL; |
u_sss_result = f_sss_result = NULL; |
|
|
Line 664 sudo_sss_result_get(struct sudo_nss *nss, struct passw
|
Line 714 sudo_sss_result_get(struct sudo_nss *nss, struct passw
|
*state |= _SUDO_SSS_STATE_HOSTMATCH; |
*state |= _SUDO_SSS_STATE_HOSTMATCH; |
} |
} |
} |
} |
|
sudo_debug_printf(SUDO_DEBUG_DEBUG, |
|
"u_sss_result=(%p, %u) => f_sss_result=(%p, %u)", u_sss_result, |
|
u_sss_result->num_rules, f_sss_result, f_sss_result->num_rules); |
|
} else { |
|
sudo_debug_printf(SUDO_DEBUG_DEBUG, |
|
"u_sss_result=(%p, %u) => f_sss_result=NULL", u_sss_result, |
|
u_sss_result->num_rules); |
} |
} |
|
|
sudo_debug_printf(SUDO_DEBUG_DEBUG, |
|
"u_sss_result=(%p, %u) => f_sss_result=(%p, %u)", u_sss_result, |
|
u_sss_result->num_rules, f_sss_result, f_sss_result->num_rules); |
|
|
|
handle->fn_free_result(u_sss_result); |
handle->fn_free_result(u_sss_result); |
|
|