From 7c3fefc9c840fd0eb46048d7d2be0a0b8347f713 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 29 Jul 2015 14:51:30 +0200
Subject: [PATCH 53/57] sudo: use "higher value wins" when ordering rules
This commit changes the default ordering logic (lower value wins) to
the correct one used by native LDAP support. It also adds a new
option sudo_inverse_order to switch to the original SSSD (incorrect)
behaviour if needed.
Resolves:
https://fedorahosted.org/sssd/ticket/2682
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/confdb/confdb.h | 2 ++
src/config/SSSDConfig/__init__.py.in | 1 +
src/config/etc/sssd.api.conf | 1 +
src/responder/sudo/sudosrv.c | 11 ++++++
src/responder/sudo/sudosrv_get_sudorules.c | 54 ++++++++++++++++++++++++------
src/responder/sudo/sudosrv_private.h | 1 +
6 files changed, 60 insertions(+), 10 deletions(-)
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index df454337ab4d89c5857e73ee0e5392c2b4bba8b4..9aa264899e789f2491b9873daf44bb55aff1c95d 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -124,6 +124,8 @@
#define CONFDB_DEFAULT_SUDO_CACHE_TIMEOUT 180
#define CONFDB_SUDO_TIMED "sudo_timed"
#define CONFDB_DEFAULT_SUDO_TIMED false
+#define CONFDB_SUDO_INVERSE_ORDER "sudo_inverse_order"
+#define CONFDB_DEFAULT_SUDO_INVERSE_ORDER false
/* autofs */
#define CONFDB_AUTOFS_CONF_ENTRY "config/autofs"
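Review bot: The two new defines carry no comment saying what `sudo_inverse_order` changes, and since the option decides which of several matching sudo rules takes precedence, the definition site is where a reader will look for that. I would put above `+#define CONFDB_SUDO_INVERSE_ORDER "sudo_inverse_order"` the comment `/* true: sort matching rules so the lowest sudoOrder wins (original SSSD behaviour); false (default): highest sudoOrder wins, as native LDAP sudo does. */`. The wording follows the commit description, which is the only place that semantics is currently written down.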
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 7d361026c09ce8fd8d6a69f6bb3f3817bc3d68ba..fed2682f121103cefa27e689b29ce29b7d28f968 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -92,6 +92,7 @@ option_strings = {
# [sudo]
'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
+ 'sudo_inverse_order' : _('If true, SSSD will switch back to lower-wins ordering logic'),
# [autofs]
'autofs_negative_timeout' : _('Negative cache timeout length (seconds)'),
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index cf6ce63012176d49f757afbc8a343b24aef869e8..2e5b02e3e30c13f805e172eab481f7501f57bb05 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -63,6 +63,7 @@ pam_account_expired_message = str, None, false
[sudo]
# sudo service
sudo_timed = bool, None, false
+sudo_inverse_order = bool, None, false
[autofs]
# autofs service
diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
index 2499586eb11e49f8652ce62e53c88d7a2e54fb32..ff5d92e7005db9f6e883c78cf1a6218e9a150e0a 100644
--- a/src/responder/sudo/sudosrv.c
+++ b/src/responder/sudo/sudosrv.c
@@ -167,6 +167,17 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
goto fail;
}
+ /* Get sudo_inverse_order option */
+ ret = confdb_get_bool(sudo_ctx->rctx->cdb,
+ CONFDB_SUDO_CONF_ENTRY, CONFDB_SUDO_INVERSE_ORDER,
+ CONFDB_DEFAULT_SUDO_INVERSE_ORDER,
+ &sudo_ctx->inverse_order);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Error reading from confdb (%d) [%s]\n",
+ ret, strerror(ret));
+ goto fail;
+ }
+
ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
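Review bot: The precedence mode the responder will apply is read here but never reported at startup; the only trace of it is the SSSDBG_TRACE_FUNC message inside sort_sudo_rules in the other file, so an administrator verifying which rule-ordering logic is in effect has to raise debugging to trace level. Since the option changes which of two conflicting rules wins, I would log it once after the new `+    }` that closes the confdb error check, at configuration level: `DEBUG(SSSDBG_CONF_SETTINGS, "sudo_inverse_order: %s\n", sudo_ctx->inverse_order ? "true" : "false");`. sudo_process_init starts and ends outside the hunk, so whether the sibling sudo_timed read already logs this way is not visible here.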
diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c
index 34d63bd74741c3cab5168fd0b0108cb05528d218..a0b09e69b71f963c353c9c6331c0708cc364924c 100644
--- a/src/responder/sudo/sudosrv_get_sudorules.c
+++ b/src/responder/sudo/sudosrv_get_sudorules.c
@@ -325,6 +325,7 @@ static errno_t sudosrv_get_sudorules_query_cache(TALLOC_CTX *mem_ctx,
const char *username,
uid_t uid,
char **groupnames,
+ bool inverse_order,
struct sysdb_attrs ***_rules,
uint32_t *_count);
@@ -386,6 +387,7 @@ errno_t sudosrv_get_rules(struct sudo_cmd_ctx *cmd_ctx)
cmd_ctx->domain, attrs, flags,
cmd_ctx->orig_username,
cmd_ctx->uid, groupnames,
+ cmd_ctx->sudo_ctx->inverse_order,
&expired_rules, &expired_rules_num);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to retrieve expired sudo rules "
@@ -597,6 +599,7 @@ static errno_t sudosrv_get_sudorules_from_cache(TALLOC_CTX *mem_ctx,
cmd_ctx->domain, attrs, flags,
cmd_ctx->orig_username,
cmd_ctx->uid, groupnames,
+ cmd_ctx->sudo_ctx->inverse_order,
&rules, &num_rules);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
@@ -622,7 +625,7 @@ done:
}
static errno_t
-sort_sudo_rules(struct sysdb_attrs **rules, size_t count);
+sort_sudo_rules(struct sysdb_attrs **rules, size_t count, bool higher_wins);
static errno_t sudosrv_get_sudorules_query_cache(TALLOC_CTX *mem_ctx,
struct sss_domain_info *domain,
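Review bot: The forward declaration `+sort_sudo_rules(struct sysdb_attrs **rules, size_t count, bool higher_wins);` names the third parameter `higher_wins`, while the definition later in this file names it `lower_wins` and the call site passes `inverse_order`, so the prototype states the opposite meaning of the flag. It compiles because parameter names in a prototype are not checked, but a reader wiring a new caller from the prototype alone would invert the precedence logic. Change the declaration to `sort_sudo_rules(struct sysdb_attrs **rules, size_t count, bool lower_wins);` so the three places agree; the same remark applies to the `+    ret = sort_sudo_rules(rules, count, inverse_order);` hunk and the definition hunk, where a single name throughout (`lower_wins` or `inverse_order`) would be clearer.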
@@ -631,6 +634,7 @@ static errno_t sudosrv_get_sudorules_query_cache(TALLOC_CTX *mem_ctx,
const char *username,
uid_t uid,
char **groupnames,
+ bool inverse_order,
struct sysdb_attrs ***_rules,
uint32_t *_count)
{
@@ -680,7 +684,7 @@ static errno_t sudosrv_get_sudorules_query_cache(TALLOC_CTX *mem_ctx,
goto done;
}
- ret = sort_sudo_rules(rules, count);
+ ret = sort_sudo_rules(rules, count, inverse_order);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"Could not sort rules by sudoOrder\n");
@@ -697,7 +701,7 @@ done:
}
static int
-sudo_order_cmp_fn(const void *a, const void *b)
+sudo_order_cmp(const void *a, const void *b, bool lower_wins)
{
struct sysdb_attrs *r1, *r2;
uint32_t o1, o2;
@@ -730,19 +734,49 @@ sudo_order_cmp_fn(const void *a, const void *b)
return 0;
}
- if (o1 > o2) {
- return 1;
- } else if (o1 < o2) {
- return -1;
+ if (lower_wins) {
+ /* The lowest value takes priority. Original wrong SSSD behaviour. */
+ if (o1 > o2) {
+ return 1;
+ } else if (o1 < o2) {
+ return -1;
+ }
+ } else {
+ /* The higher value takes priority. Standard LDAP behaviour. */
+ if (o1 < o2) {
+ return 1;
+ } else if (o1 > o2) {
+ return -1;
+ }
}
return 0;
}
+static int
+sudo_order_low_cmp_fn(const void *a, const void *b)
+{
+ return sudo_order_cmp(a, b, true);
+}
+
+static int
+sudo_order_high_cmp_fn(const void *a, const void *b)
+{
+ return sudo_order_cmp(a, b, false);
+}
+
static errno_t
-sort_sudo_rules(struct sysdb_attrs **rules, size_t count)
+sort_sudo_rules(struct sysdb_attrs **rules, size_t count, bool lower_wins)
{
- qsort(rules, count, sizeof(struct sysdb_attrs *),
- sudo_order_cmp_fn);
+ if (lower_wins) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Sorting rules with lower-wins logic\n");
+ qsort(rules, count, sizeof(struct sysdb_attrs *),
+ sudo_order_low_cmp_fn);
+ } else {
+ DEBUG(SSSDBG_TRACE_FUNC, "Sorting rules with higher-wins logic\n");
+ qsort(rules, count, sizeof(struct sysdb_attrs *),
+ sudo_order_high_cmp_fn);
+ }
+
return EOK;
}
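Review bot: In the new body of `sort_sudo_rules` the two branches repeat the same qsort call and differ only in the comparator; selecting the comparator first keeps a single call site, `int (*cmp)(const void *, const void *) = lower_wins ? sudo_order_low_cmp_fn : sudo_order_high_cmp_fn;` followed by `qsort(rules, count, sizeof(struct sysdb_attrs *), cmp);`, with the two DEBUG lines kept as they are. Separately, `sudo_order_cmp` returns 0 for rules whose sudoOrder values are equal and qsort is not stable, so the relative order of such rules after sorting is unspecified and may differ from run to run; if the consumer treats position as precedence (presumably, given the higher-wins/lower-wins logic), a documented tie-breaker on a stable attribute would make the result deterministic, or at least a comment next to `/* The higher value takes priority. Standard LDAP behaviour. */` should state that ties are unordered. sudo_order_cmp starts outside the hunk, so the attribute lookups that produce o1 and o2 are not visible here.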
diff --git a/src/responder/sudo/sudosrv_private.h b/src/responder/sudo/sudosrv_private.h
index 3c53755f9e8ec56f3dea52021d14b50f715a54e7..186ed2cb5114d00524b41b801b5f32bac50f7153 100644
--- a/src/responder/sudo/sudosrv_private.h
+++ b/src/responder/sudo/sudosrv_private.h
@@ -50,6 +50,7 @@ struct sudo_ctx {
* options
*/
bool timed;
+ bool inverse_order;
};
struct sudo_cmd_ctx {
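Review bot: The new field `+    bool inverse_order;` is undocumented and its name does not say what is being inverted. A trailing comment in the style of the surrounding options block would make the struct self-explanatory: `bool inverse_order; /* sudo_inverse_order: lowest sudoOrder wins instead of highest */`. struct sudo_ctx starts outside the hunk.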
--
2.4.3