dee665060ba71ff61ad223e755ae61441118fbba |
|
08-Sep-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
SUDO: Use initgr_with_views when looking up a sudo user
The sudo responder code didn't take views into account when looking for
rules, which resulted in sudo rules being ignored if the user's name was
overridden.
Please see the ticket for detailed info on how to reproduce the bug.
Resolves:
https://pagure.io/SSSD/sssd/issue/3488
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
a5ecc93abb01cece628fdef04ebad43bba267419 |
|
10-Feb-2017 |
Jakub Hrozek <jhrozek@redhat.com> |
SUDO: Only store lowercased attribute value once
The current code doesn't handle the situation where lowercasing the
sudoUser attribute would yield the same value again.
For example:
sudoUser: TUSER
sudoUser tuser
would break.
This patch switches to using the utility function
sysdb_attrs_add_lower_case_string() which already checks for duplicates.
Resolves:
https://fedorahosted.org/sssd/ticket/3301
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
7e23edbaa7a6bbd0b461d5792535896b6a77928b |
|
23-Nov-2016 |
Petr Čech <pcech@redhat.com> |
SYSDB: Fixing of sudorule without a sudoUser
This patch solved a regression caused by the recent patches
to lowercase sudoUser -- in case sudoUser is missing completely,
we abort the processing of this rule and all others.
With this patch, we return ERR_MALFORMED_ENTRY and gracefully
skip the malformed rule instead.
Resolves:
https://fedorahosted.org/sssd/ticket/3241
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
f4a1046bb88d7a0ab3617e49ae94bfa849d10645 |
|
08-Nov-2016 |
Petr Čech <pcech@redhat.com> |
SYSDB: Adding lowercase sudoUser form
If domain is not case sensitive we add lowercase form of usernames
to sudoUser attributes. So we are actually able to apply sudoRule on
user Administrator@... with login admnistrator@...
Resolves:
https://fedorahosted.org/sssd/ticket/3203
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
61913b8f0d1ba54d82640500d7486fac5f72b030 |
|
07-Jul-2016 |
Pavel Březina <pbrezina@redhat.com> |
sudo: solve problems with fully qualified names
sudo expects the same name in sudo rule as login name. Therefore
if fully qualified name is used or even enforced by setting
use_fully_qualified_names to true or by forcing default domain
with default_domain_suffix sssd is able to correctly return the
rules but sudo can't match the user with content of sudoUser
attribute since it is not qualified.
This patch changes the rules on the fly to avoid using names at all.
We do this in two steps:
1. We fetch all rules that match current user name, id or groups and
replace sudoUser attribute with sudoUser: #uid.
2. We fetch complementary rules that contain netgroups since it is
expected we don't have information about existing netgroups in
cache, sudo still needs to evaluate it for us if needed.
This patch also removes the test for sysdb_get_sudo_filter since it wasn't
sufficient anyway and I did not rewrite it since I don't think it
is a good thing to have filter tests that depend on exact filter
order.
Resolves:
https://fedorahosted.org/sssd/ticket/2919
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
e2d26e97d62f06f65e8228b28746471cc5f73fe5 |
|
20-Apr-2016 |
Petr Cech <pcech@redhat.com> |
SYSDB: Add new functions into sysdb_sudo
This patch adds two new functions into public
API of sysdb_sudo:
* sysdb_search_sudo_rules
* sysdb_set_sudo_rule_attr
Resolves:
https://fedorahosted.org/sssd/ticket/2081
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
aeb3cef10158a1c621d58c6d982e53569e40c6c0 |
|
18-Apr-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
SYSDB_SUDO: Remove useless test
The function sysdb_search_custom cannot return EOK
and together set output argument count to zero.
This case is already handled in function sysdb_search_entry
which is used inside sysdb_search_custom.
Such useless test can just cause read of uninitialized variable
in case of other errors returned from sysdb_search_custom.
Error: UNINIT (CWE-457): [#def1]
sssd-1.13.4/src/db/sysdb_sudo.c:678:
var_decl: Declaring variable "count" without initializer.
sssd-1.13.4/src/db/sysdb_sudo.c:698:
uninit_use: Using uninitialized value "count".
# 696| SUDORULE_SUBDIR, attrs,
# 697| &count, &msgs);
# 698|-> if (ret == ENOENT || count == 0) {
# 699| DEBUG(SSSDBG_TRACE_FUNC, "No rules matched\n");
# 700| ret = EOK;
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
68abbe716bed7c8d6790d9bec168ef44469306a1 |
|
19-Jan-2016 |
Pavel Březina <pbrezina@redhat.com> |
SUDO: make sudo sysdb interface more reusable
Reviewed-by: Sumit Bose <sbose@redhat.com> |
c526cd124515cc2d44a413dcbfd4a74ddb490150 |
|
13-Apr-2015 |
Pavel Březina <pbrezina@redhat.com> |
sudo: sanitize filter values
Resolves:
https://fedorahosted.org/sssd/ticket/2613
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595 |
|
17-Mar-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
Add missing new lines to debug messages
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
04d138472cc086fb7961f0d378852b09961b1a33 |
|
11-Mar-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
Log reason in debug message why ldb_modify failed
Reviewed-by: Sumit Bose <sbose@redhat.com> |
5389b3714be747f1a11ac51beb0c5988cfb6c240 |
|
27-May-2014 |
Lukas Slebodnik <lslebodn@redhat.com> |
Don't use macro _XOPEN_SOURCE for function strptime
We detect all necessary feature macros in configure script
using AC_USE_SYSTEM_EXTENSIONS or AC_GNU_SOURCE.
This patch replaces all definitions of macro _XOPEN_SOURCE with
header file config.h
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
a3c8390d19593b1e5277d95bfb4ab206d4785150 |
|
12-Feb-2014 |
Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> |
Make DEBUG macro invocations variadic
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code:
    grep -rwl --include '*.[hc]' DEBUG . |
        while read f; do
            mv "$f"{,.orig}
            perl -e \
                'use strict;
                 use File::Slurp;
                 my $text=read_file(\*STDIN);
                 $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
                 print $text;' < "$f.orig" > "$f"
            rm "$f.orig"
        done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
e6f4dbf8474e928ca7da33d6be18e94cbc66a5de |
|
29-Jan-2014 |
Pavel Březina <pbrezina@redhat.com> |
sudo: memset tm when converting time attributes
strptime() which is used to parse LDAP time value does not initialize
all fields of tm structure (especially tm_isdst). This results in
random behavior - when the tm is converted into timestamp via mktime(),
the result depends on current value of tm_isdst.
Resolves:
https://fedorahosted.org/sssd/ticket/2213 |
e2ac9be4f293b96f3c8992f1171e44bc1da5cfca |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: Drop redundant sysdb_ctx parameter from sysdb.c |
d115f40c7a3999e3cbe705a2ff9cf0fd493f80fb |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 2) |
6a31a971a376a992afb838fe60b311360c970267 |
|
15-Nov-2013 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Drop the sysdb_ctx parameter from the sysdb_sudo.c module |
4c08db0fb0dda3d27b1184248ca5c800d7ce23f0 |
|
15-Nov-2013 |
Michal Zidek <mzidek@redhat.com> |
SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 1) |
5ac292b5faea231d93c0cd0f58d0f2f1776a7120 |
|
04-Oct-2013 |
Stephen Gallagher <sgallagh@redhat.com> |
SYSDB: Fix incorrect DEBUG message
A bad comparison resulted in the sysdb_sudo_check_time() function
always printing a debug message saying that the time matched.
Resolves:
Coverity Issue #12031 |
55fdd0d28e7c88f333ad78183b0ba37a1da34160 |
|
01-Oct-2013 |
Pavel Březina <pbrezina@redhat.com> |
sudo: improve time restrictions debug messages |
d1f3610aefcb634f212d4c099fac102b3e4dee59 |
|
01-Oct-2013 |
Pavel Březina <pbrezina@redhat.com> |
sudo: allow specifying only one time restriction
https://fedorahosted.org/sssd/ticket/2100 |
5ff1c3c5a12930692cb6284d14f7fda3a974af8e |
|
22-Jan-2013 |
Pavel Březina <pbrezina@redhat.com> |
sudo responder: change num_rules type from size_t to uint32_t
https://fedorahosted.org/sssd/ticket/1779
2^32 should be enough to store sudo rules. size_t type was causing
troubles on big endian architectures, because it wasn't used
correctly in combination with D-Bus. |
b0fa48b0d612b46a86e45f8e4b5d9feae9784c2b |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain arguments to sysdb sudo functions |
a703ed242523c145133f522085ee3180452b3743 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain to sysdb_delete_custom |
770896b194b7b66b09c2a30545b4d091fd86b1f4 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_search_custom()
Also changes sysdb_search_custom_by_name() |
dd7192379e5fc5bb852863e60ad4b6a20c5da183 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain argument to sysdb_store_custom() |
5d72a91a37273c8c874640906fd2f7a70e606812 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain to sysdb_search_group_by_gid()
Also remove unused sysdb_search_domgroup_by_gid() |
2ce00e0d3896bb42db169d1e79553a81ca837a22 |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Add domain to sysdb_search_user_by_name()
Also remove unused sysdb_search_domuser_by_name() |
9675bccabff4e79d224f64611ad9ff3e073b488e |
|
15-Jan-2013 |
Simo Sorce <simo@redhat.com> |
Make sysdb_custom_subtree_dn() require a domain. |
80941dd89fd8bc7c4a1272c304f737ce0fd5fc54 |
|
19-Dec-2012 |
Sumit Bose <sbose@redhat.com> |
Fix a 'shadows a global declaration' warning |
5a2cce34cf8843613b0b9dfde054b3d471dd5f3a |
|
13-Dec-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo: support generalized time format
https://fedorahosted.org/sssd/ticket/1712
The timestamp doesn't have to be in the form yyyymmddHHMMSSZ any
more. It can be in any form of generalized time format. |
e7b5b99e5a5d276f32039c4fb8b21ba51bdb1537 |
|
13-Dec-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo: include primary group in user group list
https://fedorahosted.org/sssd/ticket/1677 |
9bdb93119ceaf9e2bbcec0c0a4747f1a04b48a12 |
|
13-Dec-2012 |
Pavel Březina <pbrezina@redhat.com> |
sysdb_get_sudo_user_info() initialize attrs on declaration |
95f5e7963a36b7b68859ce91ae4b232088bbaa09 |
|
24-Sep-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
SYSDB: Remove unnecessary domain parameter from several sysdb calls
The domain can be read from the sysdb object. Removing the domain string
makes the API more self-contained. |
3a59cbd0b7b9c5dd3c62ac1679876070c264d80f |
|
04-Sep-2012 |
Michal Zidek <mzidek@redhat.com> |
Unify usage of sysdb transactions (part 2). |
c01f015106b6e238d918ba4574f60bee811517ec |
|
07-Aug-2012 |
Pavel Březina <pbrezina@redhat.com> |
Remove SYSDB_SUDO_CACHE_OC from attribute lists
It is not an attribute. |
fb4e4c4eb6a6dc732370584f70d23dd4a2c5c7b6 |
|
07-Aug-2012 |
Pavel Březina <pbrezina@redhat.com> |
Rename SYSDB_SUDO_CACHE_AT_OC to SYSDB_SUDO_CACHE_OC
It does not contain name of the object class attribute but the value
itself. I renamed it to avoid confusion. |
8bbf89c5ab798c112773fe23515c3a9df56dde71 |
|
18-Jul-2012 |
Nick Guay <nguay@redhat.com> |
Fix uninitialized values
https://fedorahosted.org/sssd/ticket/1379 |
dfafb437f49d31e015184e212571e9917aa94eef |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo: clean up |
f7af8c5b369938725e47585c641ae5b017d442a1 |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo sysdb: add expiration time to the filter |
0f808798eefaedc3eb241f26aa49680d87f22336 |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sysdb: remove sudo_set/get_refreshed |
44749ce0c1fee9babee80060fa0db99eebb2ab51 |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sysdb: add getter/setter for last sudo full refresh time |
cda8ff6cfdef22356dc3c06ec5204344912f0f0b |
|
29-Jun-2012 |
Pavel Březina <pbrezina@redhat.com> |
sudo sysdb: make sysdb_get_sudo_user_info more configurable |
2d34690ae92215d355b0272001d9e68214dc80f6 |
|
10-May-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
sysdb: return proper error code from sysdb_sudo_purge_all |
69e7d6649b58c66675ef38084868fc5356c5a240 |
|
02-May-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
SUDO: Return ret, not EOK
This patch fixes bad refactoring - the function used to return value
directly on error and EOK as the last statement. It was then converted
into using goto label, but the last statement was still returning EOK
instead of the value it should. |
f5d4b05027acce06e3509ecb68869d1c7ef37180 |
|
17-Feb-2012 |
Pavel Březina <pbrezina@redhat.com> |
Redesign purging of the sudo cache
https://fedorahosted.org/sssd/ticket/1173 |
db419c61035cb262010cc8d5a4047191c2b60f05 |
|
10-Feb-2012 |
Pavel Březina <pbrezina@redhat.com> |
Improve debug messages in sysdb_sudo_check_time() |
ed44814e0e7ff9f0ef7ffc98fab7d9542a7822df |
|
06-Feb-2012 |
Pavel Březina <pbrezina@redhat.com> |
SUDO Integration - sysdb_sudo_check_time() fix |
4be402505ba20b43361753f0e6e1589c9b029e81 |
|
04-Feb-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
Fixes for sudo_timed
https://fedorahosted.org/sssd/ticket/1116 |
c9aab1c04c399ca2d1abef74f6df22ced34983dc |
|
04-Feb-2012 |
Pavel Březina <pbrezina@redhat.com> |
SUDO Integration - responder 'sudo_timed' option
https://fedorahosted.org/sssd/ticket/1116 |
f6171b2bc954a367f316853ab71090eb213bdee3 |
|
27-Jan-2012 |
Pavel Březina <pbrezina@redhat.com> |
SUDO Integration - make sysdb_get_sudo_filter() more configurable
https://fedorahosted.org/sssd/ticket/1143 |
1a542b3698d8c42cf075b722f8838f106eb09fcc |
|
17-Jan-2012 |
Pavel Březina <pbrezina@redhat.com> |
SUDO Integration - functions for manipulating with 'refreshed' attribute
https://fedorahosted.org/sssd/ticket/1110 |
f643754db81eeade60485bbe3d80324d889cc4f3 |
|
17-Jan-2012 |
Pavel Březina <pbrezina@redhat.com> |
SUDO Integration review issues |
3f98cdc011bb4e8cd22c088f288b0bcdb6452492 |
|
16-Dec-2011 |
Jakub Hrozek <jhrozek@redhat.com> |
SUDO Integration - sysdb interface |