|
 |
71e593 |
From 2b8665e50f601e2b707b0bc77690821211a79e2d Mon Sep 17 00:00:00 2001
|
|
|
71e593 |
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
|
71e593 |
Date: Thu, 6 Sep 2018 13:38:56 +0200
|
|
|
71e593 |
Subject: [PATCH] sudo: respect case sensitivity in sudo responder
|
|
|
71e593 |
MIME-Version: 1.0
|
|
|
71e593 |
Content-Type: text/plain; charset=UTF-8
|
|
|
71e593 |
Content-Transfer-Encoding: 8bit
|
|
|
71e593 |
|
|
|
71e593 |
If the domain is not case sensitive and the case of the original user
|
|
|
71e593 |
or group name differs from the name in the rule we failed to find the
|
|
|
71e593 |
rule.
|
|
|
71e593 |
|
|
|
71e593 |
Now we filter the rule only with lower cased values in such domain.
|
|
|
71e593 |
|
|
|
71e593 |
Steps to reproduce:
|
|
|
71e593 |
1. Add user/group with upper case, e.g. USER-1
|
|
|
71e593 |
2. Add sudo rule with lower cased name, e.g. sudoUser: user-1
|
|
|
71e593 |
3. Login to system with lower case, e.g. user-1
|
|
|
71e593 |
4. Run sudo -l
|
|
|
71e593 |
|
|
|
71e593 |
Without the patch, rule is not found.
|
|
|
71e593 |
|
|
|
71e593 |
Resolves:
|
|
|
71e593 |
https://pagure.io/SSSD/sssd/issue/3820
|
|
|
71e593 |
|
|
|
71e593 |
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
71e593 |
(cherry picked from commit d7f0b58e2896ed2ef9ed5a390815c1e4df6caaee)
|
|
|
71e593 |
---
|
|
|
71e593 |
src/db/sysdb_sudo.c | 17 ++++++++++++++---
|
|
|
71e593 |
1 file changed, 14 insertions(+), 3 deletions(-)
|
|
|
71e593 |
|
|
|
71e593 |
diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
|
|
|
71e593 |
index 3ad462d8fd131bfc6bc5aa15bc48346d64241ee6..19ed97b8666c92c491131765398423062791ba0a 100644
|
|
|
71e593 |
--- a/src/db/sysdb_sudo.c
|
|
|
71e593 |
+++ b/src/db/sysdb_sudo.c
|
|
|
71e593 |
@@ -418,7 +418,17 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
|
|
|
71e593 |
ret = EINVAL;
|
|
|
71e593 |
goto done;
|
|
|
71e593 |
}
|
|
|
71e593 |
- DEBUG(SSSDBG_TRACE_FUNC, "original name: %s\n", orig_name);
|
|
|
71e593 |
+
|
|
|
71e593 |
+ DEBUG(SSSDBG_TRACE_FUNC, "Original name: %s\n", orig_name);
|
|
|
71e593 |
+
|
|
|
71e593 |
+ orig_name = sss_get_cased_name(tmp_ctx, orig_name, domain->case_sensitive);
|
|
|
71e593 |
+ if (orig_name == NULL) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n");
|
|
|
71e593 |
+ ret = ENOMEM;
|
|
|
71e593 |
+ goto done;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ DEBUG(SSSDBG_TRACE_FUNC, "Cased name: %s\n", orig_name);
|
|
|
71e593 |
|
|
|
71e593 |
if (_uid != NULL) {
|
|
|
71e593 |
uid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_UIDNUM, 0);
|
|
|
71e593 |
@@ -450,8 +460,9 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
|
|
|
71e593 |
continue;
|
|
|
71e593 |
}
|
|
|
71e593 |
|
|
|
71e593 |
- sysdb_groupnames[num_groups] = talloc_strdup(sysdb_groupnames,
|
|
|
71e593 |
- groupname);
|
|
|
71e593 |
+ sysdb_groupnames[num_groups] = \
|
|
|
71e593 |
+ sss_get_cased_name(sysdb_groupnames, groupname,
|
|
|
71e593 |
+ domain->case_sensitive);
|
|
|
71e593 |
if (sysdb_groupnames[num_groups] == NULL) {
|
|
|
71e593 |
DEBUG(SSSDBG_MINOR_FAILURE, "Cannot strdup %s\n", groupname);
|
|
|
71e593 |
continue;
|
|
|
71e593 |
--
|
|
|
71e593 |
2.14.4
|
|
|
71e593 |
|