dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone

Blame SOURCES/0006-sudo-format-runas-attributes-to-correct-output-name.patch

841ac7
From 3a18e33f983cd17860b6ff41f9d538ee8fcc6d98 Mon Sep 17 00:00:00 2001
841ac7
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
841ac7
Date: Wed, 27 Feb 2019 14:06:06 +0100
841ac7
Subject: [PATCH 6/6] sudo: format runas attributes to correct output name
841ac7
841ac7
sudo internally calls getpwnam and getgrnam on user and groups
841ac7
that should be used for the invoked command. Output of these calls
841ac7
is compared to values in runAsUser/Group attributes.
841ac7
841ac7
When different output format is used then what is present in LDAP,
841ac7
this comparison will fail, denying user to use sudo. Now, we convert
841ac7
these attributes into correct output name, respecting domain resolution
841ac7
order, fully qualified domains and fqname format.
841ac7
841ac7
E.g. sudo call:
841ac7
sudo -u tuser@ipa.vm -g tgroup@ipa.vm id
841ac7
841ac7
Resolves:
841ac7
https://pagure.io/SSSD/sssd/issue/3957
841ac7
841ac7
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
841ac7
(cherry picked from commit 0aa657165f189035c160beda4840e3271fc56c88)
841ac7
---
841ac7
 src/responder/sudo/sudosrv_get_sudorules.c | 101 ++++++++++++++++++++-
841ac7
 1 file changed, 99 insertions(+), 2 deletions(-)
841ac7
841ac7
diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c
841ac7
index a420c76fb..d928a5ead 100644
841ac7
--- a/src/responder/sudo/sudosrv_get_sudorules.c
841ac7
+++ b/src/responder/sudo/sudosrv_get_sudorules.c
841ac7
@@ -113,6 +113,95 @@ sort_sudo_rules(struct sysdb_attrs **rules, size_t count, bool lower_wins)
841ac7
     return EOK;
841ac7
 }
841ac7
 
841ac7
+static errno_t sudosrv_format_runas(struct resp_ctx *rctx,
841ac7
+                                    struct sysdb_attrs *rule,
841ac7
+                                    const char *attr)
841ac7
+{
841ac7
+    TALLOC_CTX *tmp_ctx;
841ac7
+    struct ldb_message_element *el;
841ac7
+    struct sss_domain_info *dom;
841ac7
+    const char *value;
841ac7
+    char *fqname;
841ac7
+    unsigned int i;
841ac7
+    errno_t ret;
841ac7
+
841ac7
+    tmp_ctx = talloc_new(NULL);
841ac7
+    if (tmp_ctx == NULL) {
841ac7
+        DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory!\n");
841ac7
+        return ENOMEM;
841ac7
+    }
841ac7
+
841ac7
+    ret = sysdb_attrs_get_el_ext(rule, attr, false, &el);
841ac7
+    if (ret == ENOENT) {
841ac7
+        ret = EOK;
841ac7
+        goto done;
841ac7
+    } else if (ret != EOK) {
841ac7
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get %s attribute "
841ac7
+              "[%d]: %s\n", attr, ret, sss_strerror(ret));
841ac7
+        goto done;
841ac7
+    }
841ac7
+
841ac7
+    for (i = 0; i < el->num_values; i++) {
841ac7
+        value = (const char *)el->values[i].data;
841ac7
+        if (value == NULL) {
841ac7
+            continue;
841ac7
+        }
841ac7
+
841ac7
+        dom = find_domain_by_object_name_ex(rctx->domains, value, true);
841ac7
+        if (dom == NULL) {
841ac7
+            continue;
841ac7
+        }
841ac7
+
841ac7
+        ret = sss_output_fqname(tmp_ctx, dom, value,
841ac7
+                                rctx->override_space, &fqname);
841ac7
+        if (ret != EOK) {
841ac7
+            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to convert %s to output fqname "
841ac7
+                  "[%d]: %s\n", value, ret, sss_strerror(ret));
841ac7
+            goto done;
841ac7
+        }
841ac7
+
841ac7
+        talloc_free(el->values[i].data);
841ac7
+        el->values[i].data = (uint8_t*)talloc_steal(el->values, fqname);
841ac7
+        el->values[i].length = strlen(fqname);
841ac7
+    }
841ac7
+
841ac7
+done:
841ac7
+    talloc_free(tmp_ctx);
841ac7
+
841ac7
+    return ret;
841ac7
+}
841ac7
+
841ac7
+static errno_t sudosrv_format_rules(struct resp_ctx *rctx,
841ac7
+                                    struct sysdb_attrs **rules,
841ac7
+                                    uint32_t num_rules)
841ac7
+{
841ac7
+    uint32_t i;
841ac7
+    errno_t ret;
841ac7
+
841ac7
+
841ac7
+    for (i = 0; i < num_rules; i++) {
841ac7
+        ret = sudosrv_format_runas(rctx, rules[i],
841ac7
+                                   SYSDB_SUDO_CACHE_AT_RUNAS);
841ac7
+        if (ret != EOK) {
841ac7
+            return ret;
841ac7
+        }
841ac7
+
841ac7
+        ret = sudosrv_format_runas(rctx, rules[i],
841ac7
+                                   SYSDB_SUDO_CACHE_AT_RUNASUSER);
841ac7
+        if (ret != EOK) {
841ac7
+            return ret;
841ac7
+        }
841ac7
+
841ac7
+        ret = sudosrv_format_runas(rctx, rules[i],
841ac7
+                                   SYSDB_SUDO_CACHE_AT_RUNASGROUP);
841ac7
+        if (ret != EOK) {
841ac7
+            return ret;
841ac7
+        }
841ac7
+    }
841ac7
+
841ac7
+    return ret;
841ac7
+}
841ac7
+
841ac7
 static errno_t sudosrv_query_cache(TALLOC_CTX *mem_ctx,
841ac7
                                    struct sss_domain_info *domain,
841ac7
                                    const char **attrs,
841ac7
@@ -301,6 +390,7 @@ static errno_t sudosrv_cached_rules_by_ng(TALLOC_CTX *mem_ctx,
841ac7
 }
841ac7
 
841ac7
 static errno_t sudosrv_cached_rules(TALLOC_CTX *mem_ctx,
841ac7
+                                    struct resp_ctx *rctx,
841ac7
                                     struct sss_domain_info *domain,
841ac7
                                     uid_t cli_uid,
841ac7
                                     uid_t orig_uid,
841ac7
@@ -368,6 +458,12 @@ static errno_t sudosrv_cached_rules(TALLOC_CTX *mem_ctx,
841ac7
         goto done;
841ac7
     }
841ac7
 
841ac7
+    ret = sudosrv_format_rules(rctx, rules, num_rules);
841ac7
+    if (ret != EOK) {
841ac7
+        DEBUG(SSSDBG_OP_FAILURE, "Could not format sudo rules\n");
841ac7
+        goto done;
841ac7
+    }
841ac7
+
841ac7
     *_rules = talloc_steal(mem_ctx, rules);
841ac7
     *_num_rules = num_rules;
841ac7
 
841ac7
@@ -412,6 +508,7 @@ static errno_t sudosrv_cached_defaults(TALLOC_CTX *mem_ctx,
841ac7
 }
841ac7
 
841ac7
 static errno_t sudosrv_fetch_rules(TALLOC_CTX *mem_ctx,
841ac7
+                                   struct resp_ctx *rctx,
841ac7
                                    enum sss_sudo_type type,
841ac7
                                    struct sss_domain_info *domain,
841ac7
                                    uid_t cli_uid,
841ac7
@@ -433,7 +530,7 @@ static errno_t sudosrv_fetch_rules(TALLOC_CTX *mem_ctx,
841ac7
               username, domain->name);
841ac7
         debug_name = "rules";
841ac7
 
841ac7
-        ret = sudosrv_cached_rules(mem_ctx, domain,
841ac7
+        ret = sudosrv_cached_rules(mem_ctx, rctx, domain,
841ac7
                                    cli_uid, orig_uid, username, groups,
841ac7
                                    inverse_order, &rules, &num_rules);
841ac7
 
841ac7
@@ -760,7 +857,7 @@ static void sudosrv_get_rules_done(struct tevent_req *subreq)
841ac7
               "in cache.\n");
841ac7
     }
841ac7
 
841ac7
-    ret = sudosrv_fetch_rules(state, state->type, state->domain,
841ac7
+    ret = sudosrv_fetch_rules(state, state->rctx, state->type, state->domain,
841ac7
                               state->cli_uid,
841ac7
                               state->orig_uid,
841ac7
                               state->orig_username,
841ac7
-- 
841ac7
2.19.1
841ac7