History log of /sssd-io/src/responder/sudo/sudosrv_get_sudorules.c
Revision Date Author Comments
dee665060ba71ff61ad223e755ae61441118fbba 08-Sep-2017 Jakub Hrozek <jhrozek@redhat.com>

SUDO: Use initgr_with_views when looking up a sudo user The sudo responder code didn't take views into account when looking for rules, which resulted in sudo rules being ignored if the user's name was overridden. Please see the ticket for detailed info on how to reproduce the bug. Resolves: https://pagure.io/SSSD/sssd/issue/3488 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

a5f300adf19ec9c3087c62bd93a5175db799687a 18-Aug-2017 Pavel Březina <pbrezina@redhat.com>

sudo: add a threshold option to reduce size of rules refresh filter If a large number of rules is expired at one time the ldap filter may become too large to be processed by the server. This commit adds a new option "sudo_threshold" to sudo responder. If the threshold is exceeded a full refresh is done instead of rules refresh. Resolves: https://pagure.io/SSSD/sssd/issue/3478 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

cee85e8fb9534ec997e5388fce59f392cf029573 30-Mar-2017 Jakub Hrozek <jhrozek@redhat.com>

CACHE_REQ: Domain type selection in cache_req Related to: https://pagure.io/SSSD/sssd/issue/3310 Adds a new enumeration cache_req_dom_type. It is a tri-state that allows the caller to select which domains can be contacted - either only POSIX, only application domains or any type. Not all plugins of cache_req have the new parameter added -- only those that are usable/useful in a non-POSIX environment. For example, it makes no sense to allow the selection for calls by ID because those are inherently POSIX-specific. Also, services or netgroups are supported only coming from POSIX domains. At the moment, the patch should not change any behaviour as all calls default to contacting POSIX domains only. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

/sssd-io/src/responder/common/cache_req/cache_req.c /sssd-io/src/responder/common/cache_req/cache_req.h /sssd-io/src/responder/common/cache_req/cache_req_private.h /sssd-io/src/responder/common/cache_req/plugins/cache_req_enum_groups.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_enum_svc.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_enum_users.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_group_by_id.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_group_by_name.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_host_by_name.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_object_by_id.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_object_by_name.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_user_by_id.c /sssd-io/src/responder/common/cache_req/plugins/cache_req_user_by_name.c /sssd-io/src/responder/ifp/ifp_groups.c /sssd-io/src/responder/ifp/ifp_users.c /sssd-io/src/responder/ifp/ifpsrv_cmd.c /sssd-io/src/responder/nss/nss_enum.c /sssd-io/src/responder/nss/nss_get_object.c /sssd-io/src/responder/pam/pamsrv_cmd.c sudosrv_get_sudorules.c /sssd-io/src/tests/cmocka/test_responder_cache_req.c
b206e1abb7f6ea373d12537b3338552aed6b656d 19-Dec-2016 Pavel Březina <pbrezina@redhat.com>

cache_req: encapsulate output data into structure In enumeration calls we want to get objects from all domains, not only from the first matched domain. We move the cache search result into a structure that contains combination of domain and ldb_result. This is preparation for enumeration support inside cache_req. Resolves: https://fedorahosted.org/sssd/ticket/3151 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

4169fb26ea2ff93c19ecdad6e09382732ea5deeb 20-Oct-2016 Pavel Březina <pbrezina@redhat.com>

cache_req: switch to new code This patch switches the old switch-based cache req code to the new plugin-based. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

c88b63b2dd82f7111abc00d93fa8db2707487572 07-Jul-2016 Sumit Bose <sbose@redhat.com>

fix some 'might be used uninitialized' warnings Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

61913b8f0d1ba54d82640500d7486fac5f72b030 07-Jul-2016 Pavel Březina <pbrezina@redhat.com>

sudo: solve problems with fully qualified names sudo expects the same name in sudo rule as login name. Therefore if fully qualified name is used or even enforced by setting use_fully_qualified_names to true or by forcing default domain with default_domain_suffix sssd is able to correctly return the rules but sudo can't match the user with content of sudoUser attribute since it is not qualified. This patch changes the rules on the fly to avoid using names at all. We do this in two steps: 1. We fetch all rules that match current user name, id or groups and replace sudoUser attribute with sudoUser: #uid. 2. We fetch complementary rules that contain netgroups since it is expected we don't have information about existing netgroups in cache, sudo still needs to evaluate it for us if needed. This patch also removes test for sysdb_get_sudo_filter since it wasn't sufficient anyway and I did not rewrite it since I don't think it is a good thing to have filter tests that depend on exact filter order. Resolves: https://fedorahosted.org/sssd/ticket/2919 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

c02b8482375837b57cb618ed56d4bede0e006d9d 18-Jun-2016 Pavel Březina <pbrezina@redhat.com>

Remove braces from DEBUG statements Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

e3bb7b3fda4697fa9c6f80107cd01dd04a20c85f 11-May-2016 Petr Cech <pcech@redhat.com>

RESPONDER: Removing ncache from sudo_ctx This patch switches ncache from sudo_ctx to resp_ctx. Reviewed-by: Pavel Březina <pbrezina@redhat.com>

beb07d2f45856d4f3135f173cce551a2aa878f57 11-May-2016 Petr Cech <pcech@redhat.com>

RESPONDER: Removing neg_timeout from pam responder It removes neg_timeout parameter from struct pam_ctx. Timeout is handled by context of negative cache internally. This patch additionally removes neg_timeout from struct cache_req_state. Resolves: https://fedorahosted.org/sssd/ticket/2317 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

b3ca35780617b2e5a7637f9888b089e8e26a4e8c 19-Apr-2016 Pavel Březina <pbrezina@redhat.com>

sudo: convert get_sudorules to tevent There was a lot of confusion with different error codes and where to call sudosrv_cmd_done to finish the client request. Converting it whole to tevent makes it much simpler to read and follow the request logic. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

15d41c8f28259061e39715acdbbbaea778b6ecc8 19-Apr-2016 Pavel Březina <pbrezina@redhat.com>

sudo: do not use tevent when parsing query Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

52300e30a0ec0bbfa1b0918ee0b495f06f5d142a 19-Apr-2016 Pavel Březina <pbrezina@redhat.com>

sudo: use cache_req for initgroups This is just blind code change, the next patch will improve it so for example we don't do initgroups during query-parsing phase. Resolves: https://fedorahosted.org/sssd/ticket/1126 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

877b92e80bde510d5cd9f03dbf01e2bcf73ab072 23-Oct-2015 Michal Židek <mzidek@redhat.com>

util: Update get_next_domain's interface Update get next domain to be able to include disabled domains and change the interface to accept flags instead of multiple booleans. Ticket: https://fedorahosted.org/sssd/ticket/2673 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

/sssd-io/src/confdb/confdb.c /sssd-io/src/db/sysdb_subdomains.c /sssd-io/src/monitor/monitor.c /sssd-io/src/providers/ad/ad_subdomains.c /sssd-io/src/providers/dp_refresh.c /sssd-io/src/providers/ipa/ipa_subdomains.c /sssd-io/src/providers/ipa/ipa_subdomains_server.c /sssd-io/src/providers/ldap/sdap_domain.c /sssd-io/src/responder/autofs/autofssrv_cmd.c /sssd-io/src/responder/common/negcache.c /sssd-io/src/responder/common/responder_cache_req.c /sssd-io/src/responder/common/responder_common.c /sssd-io/src/responder/common/responder_get_domains.c /sssd-io/src/responder/ifp/ifp_cache.c /sssd-io/src/responder/ifp/ifp_domains.c /sssd-io/src/responder/ifp/ifp_groups.c /sssd-io/src/responder/ifp/ifp_users.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_netgroup.c /sssd-io/src/responder/nss/nsssrv_services.c /sssd-io/src/responder/pam/pamsrv_cmd.c sudosrv_get_sudorules.c /sssd-io/src/tests/cmocka/test_utils.c /sssd-io/src/tools/common/sss_tools.c /sssd-io/src/tools/sss_cache.c /sssd-io/src/tools/sss_debuglevel.c /sssd-io/src/tools/sss_override.c /sssd-io/src/util/domain_info_utils.c /sssd-io/src/util/usertools.c /sssd-io/src/util/util.h
fb8985a3a3a267940760967beaf8af3979ce91ea 14-Oct-2015 Pavel Březina <pbrezina@redhat.com>

sudo: send original name and id with local views if possible Resolves: https://fedorahosted.org/sssd/ticket/2833 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

51a0e3a2ef9186d19cbc28d87fe6fc5d5998a0a7 14-Oct-2015 Pavel Březina <pbrezina@redhat.com>

sudo: search with view even if user is found If an overridden name is provided and the user is already cached we fail to refresh it since we won't search with VIEW flag. This patch fixes it. Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

52e3ee5c5ff2c5a4341041826a803ad42d2b2de7 14-Aug-2015 Pavel Březina <pbrezina@redhat.com>

sudo: use "higher value wins" when ordering rules This commit changes the default ordering logic (lower value wins) to a correct one that is used by native ldap support. It also adds a new option sudo_inverse_order to switch to the original SSSD (incorrect) behaviour if needed. Resolves: https://fedorahosted.org/sssd/ticket/2682 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595 17-Mar-2015 Lukas Slebodnik <lslebodn@redhat.com>

Add missing new lines to debug messages Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

/sssd-io/src/confdb/confdb_setup.c /sssd-io/src/db/sysdb_autofs.c /sssd-io/src/db/sysdb_sudo.c /sssd-io/src/db/sysdb_views.c /sssd-io/src/monitor/monitor.c /sssd-io/src/monitor/monitor_netlink.c /sssd-io/src/providers/ad/ad_common.c /sssd-io/src/providers/ad/ad_init.c /sssd-io/src/providers/ad/ad_subdomains.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/dp_dyndns.c /sssd-io/src/providers/dp_ptask.c /sssd-io/src/providers/ipa/ipa_access.c /sssd-io/src/providers/ipa/ipa_hbac_rules.c /sssd-io/src/providers/ipa/ipa_hostid.c /sssd-io/src/providers/ipa/ipa_selinux.c /sssd-io/src/providers/ipa/ipa_subdomains.c /sssd-io/src/providers/krb5/krb5_child.c /sssd-io/src/providers/krb5/krb5_wait_queue.c /sssd-io/src/providers/ldap/ldap_id.c /sssd-io/src/providers/ldap/sdap.c /sssd-io/src/providers/ldap/sdap_async.c /sssd-io/src/providers/ldap/sdap_async_connection.c /sssd-io/src/providers/ldap/sdap_async_initgroups.c /sssd-io/src/providers/ldap/sdap_utils.c /sssd-io/src/responder/autofs/autofssrv_cmd.c /sssd-io/src/responder/common/responder_dp.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_netgroup.c /sssd-io/src/responder/pac/pacsrv_cmd.c /sssd-io/src/responder/pac/pacsrv_utils.c /sssd-io/src/responder/pam/pamsrv.c sudosrv_get_sudorules.c sudosrv_query.c /sssd-io/src/sbus/sssd_dbus_server.c /sssd-io/src/tests/krb5_child-test.c /sssd-io/src/tools/files.c /sssd-io/src/tools/sss_sync_ops.c /sssd-io/src/util/debug.c /sssd-io/src/util/domain_info_utils.c /sssd-io/src/util/find_uid.c /sssd-io/src/util/server.c /sssd-io/src/util/sss_ini.c /sssd-io/src/util/sss_krb5.c /sssd-io/src/util/sss_semanage.c /sssd-io/src/util/usertools.c
e15872d8e804b3a48b7bdd3f68c276b3ae8d11db 20-Oct-2014 Pavel Březina <pbrezina@redhat.com>

sudo: support views Reviewed-by: Sumit Bose <sbose@redhat.com>

3b96d478851fbbe391ab30e3d6a0afdb9ecdd4a0 13-Aug-2014 Jakub Hrozek <jhrozek@redhat.com>

SUDO: Use the override_space option https://fedorahosted.org/sssd/ticket/2397 With this path, a user whose name is "space user" would match a sudo rule while using the override_default_space option. Please note that the option is only a client-side override, so the sudoUser attribute must contain the space in order to match the original name. In other words, when substituting space ( ) for underscore (_), this attribute would match: sudoUser: space user this would not: sudoUser: space_user Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

7c30e60c525ea798aaab142766ff00eef4b5df3b 15-Jul-2014 Pavel Březina <pbrezina@redhat.com>

sudo: fetch sudoRunAs attribute This attribute was used in pre 1.7 versions of sudo and it is now deprecated by sudoRunAsUser and sudoRunAsGroup. However, some users still use this attribute so we need to support it to ensure backward compatibility. This patch makes sure that this attribute is downloaded if present and provided to sudo. Sudo then decides how to handle it. The new mapping option is not present in a man page since this attribute is deprecated in sudo for a very long time. Resolves: https://fedorahosted.org/sssd/ticket/2212 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

a3c8390d19593b1e5277d95bfb4ab206d4785150 12-Feb-2014 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

Make DEBUG macro invocations variadic Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code:

    grep -rwl --include '*.[hc]' DEBUG . |
        while read f; do
            mv "$f"{,.orig}
            perl -e \
                'use strict;
                 use File::Slurp;
                 my $text=read_file(\*STDIN);
                 $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
                 print $text;' < "$f.orig" > "$f"
            rm "$f.orig"
        done

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

/sssd-io/src/confdb/confdb.c /sssd-io/src/confdb/confdb_setup.c /sssd-io/src/db/sysdb.c /sssd-io/src/db/sysdb_autofs.c /sssd-io/src/db/sysdb_idmap.c /sssd-io/src/db/sysdb_ops.c /sssd-io/src/db/sysdb_ranges.c /sssd-io/src/db/sysdb_search.c /sssd-io/src/db/sysdb_selinux.c /sssd-io/src/db/sysdb_services.c /sssd-io/src/db/sysdb_ssh.c /sssd-io/src/db/sysdb_subdomains.c /sssd-io/src/db/sysdb_sudo.c /sssd-io/src/db/sysdb_upgrade.c /sssd-io/src/monitor/monitor.c /sssd-io/src/monitor/monitor_netlink.c /sssd-io/src/monitor/monitor_sbus.c /sssd-io/src/providers/ad/ad_access.c /sssd-io/src/providers/ad/ad_common.c /sssd-io/src/providers/ad/ad_domain_info.c /sssd-io/src/providers/ad/ad_dyndns.c /sssd-io/src/providers/ad/ad_id.c /sssd-io/src/providers/ad/ad_init.c /sssd-io/src/providers/ad/ad_srv.c /sssd-io/src/providers/ad/ad_subdomains.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/data_provider_callbacks.c /sssd-io/src/providers/data_provider_fo.c /sssd-io/src/providers/data_provider_opts.c /sssd-io/src/providers/dp_auth_util.c /sssd-io/src/providers/dp_dyndns.c /sssd-io/src/providers/dp_pam_data_util.c /sssd-io/src/providers/dp_ptask.c /sssd-io/src/providers/dp_refresh.c /sssd-io/src/providers/fail_over.c /sssd-io/src/providers/fail_over_srv.c /sssd-io/src/providers/ipa/ipa_access.c /sssd-io/src/providers/ipa/ipa_auth.c /sssd-io/src/providers/ipa/ipa_autofs.c /sssd-io/src/providers/ipa/ipa_common.c /sssd-io/src/providers/ipa/ipa_config.c /sssd-io/src/providers/ipa/ipa_dyndns.c /sssd-io/src/providers/ipa/ipa_hbac_common.c /sssd-io/src/providers/ipa/ipa_hbac_hosts.c /sssd-io/src/providers/ipa/ipa_hbac_rules.c /sssd-io/src/providers/ipa/ipa_hbac_services.c /sssd-io/src/providers/ipa/ipa_hbac_users.c /sssd-io/src/providers/ipa/ipa_hostid.c /sssd-io/src/providers/ipa/ipa_hosts.c /sssd-io/src/providers/ipa/ipa_id.c /sssd-io/src/providers/ipa/ipa_idmap.c /sssd-io/src/providers/ipa/ipa_init.c /sssd-io/src/providers/ipa/ipa_netgroups.c 
/sssd-io/src/providers/ipa/ipa_s2n_exop.c /sssd-io/src/providers/ipa/ipa_selinux.c /sssd-io/src/providers/ipa/ipa_selinux_maps.c /sssd-io/src/providers/ipa/ipa_srv.c /sssd-io/src/providers/ipa/ipa_subdomains.c /sssd-io/src/providers/ipa/ipa_subdomains_ext_groups.c /sssd-io/src/providers/ipa/ipa_subdomains_id.c /sssd-io/src/providers/ipa/ipa_sudo.c /sssd-io/src/providers/krb5/krb5_access.c /sssd-io/src/providers/krb5/krb5_auth.c /sssd-io/src/providers/krb5/krb5_become_user.c /sssd-io/src/providers/krb5/krb5_child.c /sssd-io/src/providers/krb5/krb5_child_handler.c /sssd-io/src/providers/krb5/krb5_common.c /sssd-io/src/providers/krb5/krb5_delayed_online_authentication.c /sssd-io/src/providers/krb5/krb5_init.c /sssd-io/src/providers/krb5/krb5_init_shared.c /sssd-io/src/providers/krb5/krb5_renew_tgt.c /sssd-io/src/providers/krb5/krb5_utils.c /sssd-io/src/providers/krb5/krb5_wait_queue.c /sssd-io/src/providers/ldap/ldap_access.c /sssd-io/src/providers/ldap/ldap_auth.c /sssd-io/src/providers/ldap/ldap_child.c /sssd-io/src/providers/ldap/ldap_common.c /sssd-io/src/providers/ldap/ldap_id.c /sssd-io/src/providers/ldap/ldap_id_cleanup.c /sssd-io/src/providers/ldap/ldap_id_enum.c /sssd-io/src/providers/ldap/ldap_id_netgroup.c /sssd-io/src/providers/ldap/ldap_id_services.c /sssd-io/src/providers/ldap/ldap_init.c /sssd-io/src/providers/ldap/sdap.c /sssd-io/src/providers/ldap/sdap_access.c /sssd-io/src/providers/ldap/sdap_async.c /sssd-io/src/providers/ldap/sdap_async_autofs.c /sssd-io/src/providers/ldap/sdap_async_connection.c /sssd-io/src/providers/ldap/sdap_async_enum.c /sssd-io/src/providers/ldap/sdap_async_groups.c /sssd-io/src/providers/ldap/sdap_async_groups_ad.c /sssd-io/src/providers/ldap/sdap_async_initgroups.c /sssd-io/src/providers/ldap/sdap_async_initgroups_ad.c /sssd-io/src/providers/ldap/sdap_async_nested_groups.c /sssd-io/src/providers/ldap/sdap_async_netgroups.c /sssd-io/src/providers/ldap/sdap_async_services.c /sssd-io/src/providers/ldap/sdap_async_sudo.c 
/sssd-io/src/providers/ldap/sdap_async_sudo_hostinfo.c /sssd-io/src/providers/ldap/sdap_async_sudo_timer.c /sssd-io/src/providers/ldap/sdap_async_users.c /sssd-io/src/providers/ldap/sdap_autofs.c /sssd-io/src/providers/ldap/sdap_child_helpers.c /sssd-io/src/providers/ldap/sdap_dyndns.c /sssd-io/src/providers/ldap/sdap_fd_events.c /sssd-io/src/providers/ldap/sdap_id_op.c /sssd-io/src/providers/ldap/sdap_idmap.c /sssd-io/src/providers/ldap/sdap_range.c /sssd-io/src/providers/ldap/sdap_refresh.c /sssd-io/src/providers/ldap/sdap_reinit.c /sssd-io/src/providers/ldap/sdap_sudo.c /sssd-io/src/providers/ldap/sdap_sudo_cache.c /sssd-io/src/providers/proxy/proxy_auth.c /sssd-io/src/providers/proxy/proxy_child.c /sssd-io/src/providers/proxy/proxy_id.c /sssd-io/src/providers/proxy/proxy_init.c /sssd-io/src/providers/proxy/proxy_netgroup.c /sssd-io/src/providers/proxy/proxy_services.c /sssd-io/src/providers/simple/simple_access.c /sssd-io/src/providers/simple/simple_access_check.c /sssd-io/src/resolv/async_resolv.c /sssd-io/src/resolv/async_resolv_utils.c /sssd-io/src/responder/autofs/autofssrv.c /sssd-io/src/responder/autofs/autofssrv_cmd.c /sssd-io/src/responder/autofs/autofssrv_dp.c /sssd-io/src/responder/common/negcache.c /sssd-io/src/responder/common/responder_cmd.c /sssd-io/src/responder/common/responder_common.c /sssd-io/src/responder/common/responder_dp.c /sssd-io/src/responder/common/responder_get_domains.c /sssd-io/src/responder/nss/nsssrv.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_mmap_cache.c /sssd-io/src/responder/nss/nsssrv_netgroup.c /sssd-io/src/responder/nss/nsssrv_private.h /sssd-io/src/responder/nss/nsssrv_services.c /sssd-io/src/responder/pac/pacsrv.c /sssd-io/src/responder/pac/pacsrv_cmd.c /sssd-io/src/responder/pac/pacsrv_utils.c /sssd-io/src/responder/pam/pam_LOCAL_domain.c /sssd-io/src/responder/pam/pam_helpers.c /sssd-io/src/responder/pam/pamsrv.c /sssd-io/src/responder/pam/pamsrv_cmd.c 
/sssd-io/src/responder/pam/pamsrv_dp.c /sssd-io/src/responder/ssh/sshsrv.c /sssd-io/src/responder/ssh/sshsrv_cmd.c /sssd-io/src/responder/ssh/sshsrv_dp.c sudosrv.c sudosrv_cmd.c sudosrv_dp.c sudosrv_get_sudorules.c sudosrv_query.c /sssd-io/src/sbus/sbus_client.c /sssd-io/src/sbus/sssd_dbus_common.c /sssd-io/src/sbus/sssd_dbus_connection.c /sssd-io/src/sbus/sssd_dbus_server.c /sssd-io/src/sss_client/ssh/sss_ssh_authorizedkeys.c /sssd-io/src/sss_client/ssh/sss_ssh_knownhostsproxy.c /sssd-io/src/tests/auth-tests.c /sssd-io/src/tests/cmocka/test_dyndns.c /sssd-io/src/tests/cmocka/test_fqnames.c /sssd-io/src/tests/cmocka/test_nss_srv.c /sssd-io/src/tests/cmocka/test_utils.c /sssd-io/src/tests/common_dom.c /sssd-io/src/tests/common_tev.c /sssd-io/src/tests/debug-tests.c /sssd-io/src/tests/files-tests.c /sssd-io/src/tests/krb5_child-test.c /sssd-io/src/tests/resolv-tests.c /sssd-io/src/tests/simple_access-tests.c /sssd-io/src/tests/sysdb-tests.c /sssd-io/src/tests/sysdb_ssh-tests.c /sssd-io/src/tools/files.c /sssd-io/src/tools/selinux.c /sssd-io/src/tools/sss_cache.c /sssd-io/src/tools/sss_debuglevel.c /sssd-io/src/tools/sss_groupadd.c /sssd-io/src/tools/sss_groupdel.c /sssd-io/src/tools/sss_groupmod.c /sssd-io/src/tools/sss_groupshow.c /sssd-io/src/tools/sss_seed.c /sssd-io/src/tools/sss_sync_ops.c /sssd-io/src/tools/sss_useradd.c /sssd-io/src/tools/sss_userdel.c /sssd-io/src/tools/sss_usermod.c /sssd-io/src/tools/tools_mc_util.c /sssd-io/src/tools/tools_util.c /sssd-io/src/tools/tools_util.h /sssd-io/src/util/authtok.c /sssd-io/src/util/backup_file.c /sssd-io/src/util/check_and_open.c /sssd-io/src/util/child_common.c /sssd-io/src/util/crypto/libcrypto/crypto_base64.c /sssd-io/src/util/crypto/libcrypto/crypto_obfuscate.c /sssd-io/src/util/crypto/nss/nss_obfuscate.c /sssd-io/src/util/crypto/nss/nss_util.c /sssd-io/src/util/debug.c /sssd-io/src/util/domain_info_utils.c /sssd-io/src/util/find_uid.c /sssd-io/src/util/nscd.c /sssd-io/src/util/server.c 
/sssd-io/src/util/signal.c /sssd-io/src/util/sss_ini.c /sssd-io/src/util/sss_krb5.c /sssd-io/src/util/sss_krb5.h /sssd-io/src/util/sss_ldap.c /sssd-io/src/util/sss_nss.c /sssd-io/src/util/sss_selinux.c /sssd-io/src/util/sss_ssh.c /sssd-io/src/util/sss_tc_utf8.c /sssd-io/src/util/user_info_msg.c /sssd-io/src/util/usertools.c /sssd-io/src/util/util.c /sssd-io/src/util/util.h /sssd-io/src/util/util_lock.c /sssd-io/src/util/well_known_sids.c
b434b231c9da41f6c4882186eb539cb8b629661b 27-Nov-2013 Lukas Slebodnik <lslebodn@redhat.com>

Remove unused parameter from sudosrv_get_sudorules_query_cache

d115f40c7a3999e3cbe705a2ff9cf0fd493f80fb 15-Nov-2013 Michal Zidek <mzidek@redhat.com>

SYSDB: Drop the sysdb_ctx parameter - module sysdb_ops (part 2)

/sssd-io/src/db/sysdb.h /sssd-io/src/db/sysdb_autofs.c /sssd-io/src/db/sysdb_ops.c /sssd-io/src/db/sysdb_services.c /sssd-io/src/db/sysdb_ssh.c /sssd-io/src/db/sysdb_sudo.c /sssd-io/src/providers/ipa/ipa_access.c /sssd-io/src/providers/ipa/ipa_hbac_common.c /sssd-io/src/providers/ipa/ipa_hbac_hosts.c /sssd-io/src/providers/ipa/ipa_hbac_services.c /sssd-io/src/providers/ipa/ipa_hbac_users.c /sssd-io/src/providers/ipa/ipa_id.c /sssd-io/src/providers/ipa/ipa_netgroups.c /sssd-io/src/providers/ipa/ipa_s2n_exop.c /sssd-io/src/providers/ipa/ipa_subdomains_ext_groups.c /sssd-io/src/providers/krb5/krb5_auth.c /sssd-io/src/providers/ldap/ldap_auth.c /sssd-io/src/providers/ldap/ldap_id.c /sssd-io/src/providers/ldap/ldap_id_cleanup.c /sssd-io/src/providers/ldap/ldap_id_netgroup.c /sssd-io/src/providers/ldap/sdap_async_groups.c /sssd-io/src/providers/ldap/sdap_async_initgroups.c /sssd-io/src/providers/ldap/sdap_async_initgroups_ad.c /sssd-io/src/providers/ldap/sdap_async_nested_groups.c /sssd-io/src/providers/ldap/sdap_async_netgroups.c /sssd-io/src/providers/ldap/sdap_async_users.c /sssd-io/src/providers/ldap/sdap_reinit.c /sssd-io/src/providers/proxy/proxy_auth.c /sssd-io/src/providers/proxy/proxy_id.c /sssd-io/src/providers/proxy/proxy_netgroup.c /sssd-io/src/providers/simple/simple_access_check.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/pac/pacsrv_cmd.c /sssd-io/src/responder/pac/pacsrv_utils.c /sssd-io/src/responder/pam/pamsrv_cmd.c sudosrv_get_sudorules.c /sssd-io/src/tests/cmocka/test_nss_srv.c /sssd-io/src/tests/simple_access-tests.c /sssd-io/src/tests/sysdb-tests.c /sssd-io/src/tools/sss_cache.c /sssd-io/src/tools/sss_groupshow.c /sssd-io/src/tools/sss_seed.c /sssd-io/src/tools/sss_sync_ops.c
6a31a971a376a992afb838fe60b311360c970267 15-Nov-2013 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Drop the sysdb_ctx parameter from the sysdb_sudo.c module

b3292840ebaa747a9fd596ff47cc5d18198361d0 15-Nov-2013 Michal Zidek <mzidek@redhat.com>

SYSDB: Drop the sysdb_ctx parameter from the sysdb_search module

/sssd-io/src/db/sysdb.c /sssd-io/src/db/sysdb.h /sssd-io/src/db/sysdb_search.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/ipa/ipa_subdomains_ext_groups.c /sssd-io/src/providers/krb5/krb5_access.c /sssd-io/src/providers/krb5/krb5_auth.c /sssd-io/src/providers/krb5/krb5_utils.c /sssd-io/src/providers/ldap/ldap_auth.c /sssd-io/src/providers/ldap/sdap_access.c /sssd-io/src/providers/ldap/sdap_async_initgroups.c /sssd-io/src/providers/proxy/proxy_id.c /sssd-io/src/python/pysss.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_netgroup.c /sssd-io/src/responder/pac/pacsrv_cmd.c /sssd-io/src/responder/pam/pam_LOCAL_domain.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/responder/ssh/sshsrv_cmd.c sudosrv_get_sudorules.c /sssd-io/src/tests/cmocka/test_nss_srv.c /sssd-io/src/tests/sysdb-tests.c /sssd-io/src/tools/sss_groupdel.c /sssd-io/src/tools/sss_groupmod.c /sssd-io/src/tools/sss_seed.c /sssd-io/src/tools/sss_sync_ops.c /sssd-io/src/tools/sss_sync_ops.h /sssd-io/src/tools/sss_useradd.c /sssd-io/src/tools/sss_userdel.c /sssd-io/src/tools/sss_usermod.c /sssd-io/src/tools/tools_util.c
895ba2c346beb7e55d43be3d0c7f54fd287faa74 27-Jun-2013 Pavel Březina <pbrezina@redhat.com>

sudo responder: use different callback for oob refresh https://fedorahosted.org/sssd/ticket/1693 Since we don't care about returned values from out of band refresh, we do not need to set callback data. However, this caused talloc to abort as it considers it as type mismatch when called from tevent_req_callback_data().

7486dea9f5f7b2a6fbbacc6db740a82140b6377c 20-May-2013 Lukas Slebodnik <lslebodn@redhat.com>

Fixing critical format string issues. --missing arguments. --format '%s', but argument is integer. --wrong format string, example: '%\n'

/sssd-io/src/db/sysdb_idmap.c /sssd-io/src/providers/krb5/krb5_child.c /sssd-io/src/providers/krb5/krb5_utils.c /sssd-io/src/providers/ldap/ldap_init.c /sssd-io/src/providers/ldap/sdap_async.c /sssd-io/src/providers/ldap/sdap_async_connection.c /sssd-io/src/providers/ldap/sdap_async_groups.c /sssd-io/src/providers/ldap/sdap_async_initgroups_ad.c /sssd-io/src/resolv/async_resolv.c /sssd-io/src/responder/common/responder_common.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_services.c /sssd-io/src/responder/pam/pam_LOCAL_domain.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/responder/pam/pamsrv_dp.c sudosrv_get_sudorules.c /sssd-io/src/sbus/sssd_dbus_server.c /sssd-io/src/tools/files.c /sssd-io/src/tools/sss_seed.c /sssd-io/src/tools/sss_userdel.c /sssd-io/src/tools/tools_mc_util.c /sssd-io/src/tools/tools_util.c
6a7b0edb1cbe99d4adf053849d238ba7ce1996ba 10-May-2013 Pavel Březina <pbrezina@redhat.com>

sudo responder: search rules for subdomains in parent domain subtree https://fedorahosted.org/sssd/ticket/1912 SUDO rules are stored under cn=ipa.domain,cn=sysdb tree but subdomains users are in cn=sub.domain,cn=sysdb. When we search for rules for subdomain users we have to switch domain context to parent.

274fe6a4f8bcb23e31929430110c0b52e9ce233a 03-Apr-2013 Jakub Hrozek <jhrozek@redhat.com>

Check for correct variable name https://fedorahosted.org/sssd/ticket/1864

400833cf54777ad44247c6adaf29b586bc83eb14 07-Mar-2013 Lukas Slebodnik <lslebodn@redhat.com>

Removing unused parameter type from sudosrv_get_sudorules_query_cache() https://fedorahosted.org/sssd/ticket/1825

bfba0655bc129ebcffc20b1204e0f87549e0a74e 10-Feb-2013 Simo Sorce <simo@redhat.com>

Parent and subdomains use the same sysdb Remove code that tries to get the 'right' sysdb, as it is always going to get the same answer anyway since the recent patches to rework the domains/sysdb relationship.

0232747f04b650796db56fd7b487aee8a96fab03 10-Feb-2013 Simo Sorce <simo@redhat.com>

Add function get_next_domain() Use this function instead of explicitly calling domain->next This function allows to get the next primary domain or to descend into the subdomains and replaces also get_next_dom_or_subdom()

5ff1c3c5a12930692cb6284d14f7fda3a974af8e 22-Jan-2013 Pavel Březina <pbrezina@redhat.com>

sudo responder: change num_rules type from size_t to uint32_t https://fedorahosted.org/sssd/ticket/1779 2^32 should be enough to store sudo rules. size_t type was causing troubles on big endian architectures, because it wasn't used correctly in combination with D-Bus.

b0fa48b0d612b46a86e45f8e4b5d9feae9784c2b 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain arguments to sysdb sudo functions

770896b194b7b66b09c2a30545b4d091fd86b1f4 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb_search_custom() Also changes sysdb_search_custom_by_name()

58fd3aa25c5292bc67432647ab7e5059439fcc6d 15-Jan-2013 Simo Sorce <simo@redhat.com>

Pass domain to sysdb_get<pw/gr>nam() functions Also allows us to remove sysdb_subdom_get<pw/gr>nam() wrappers and restore fqnames proper value in subdomains, by testing for a parent domain being present or not.

d5c167e5120e58828fc3a696c8a3d1d4a48c6b9b 06-Dec-2012 Pavel Březina <pbrezina@redhat.com>

sudo: print rule name if notBefore or notAfter attribute is missing ...and if sudo_timed = true. https://fedorahosted.org/sssd/ticket/1688 A comma was missing in attribute list. This caused concatenation of the two attributes so we requested one attribute called "objectClasscn". This doesn't affect functionality, only debug messages.

3a97c85760f8bc11eff59d2acd937ab62022ed2a 14-Nov-2012 Pavel Březina <pbrezina@redhat.com>

sudo: print how many rules we are refreshing or returning

d38ffc9c92daeb62de7d28c409bdaeff98f82775 14-Nov-2012 Pavel Březina <pbrezina@redhat.com>

sudo: support users from subdomains https://fedorahosted.org/sssd/ticket/1616

5a3c49e513f73c1ea2b0e756bab25839e8f35321 14-Nov-2012 Pavel Březina <pbrezina@redhat.com>

use tmp_ctx in sudosrv_get_sudorules_from_cache()

ee500ab8a901b9a9455e272f15cd2532df13a826 14-Nov-2012 Pavel Březina <pbrezina@redhat.com>

sudo: fix missing parameter in two debug messages

c01f015106b6e238d918ba4574f60bee811517ec 07-Aug-2012 Pavel Březina <pbrezina@redhat.com>

Remove SYSDB_SUDO_CACHE_OC from attribute lists It is not an attribute.

fb4e4c4eb6a6dc732370584f70d23dd4a2c5c7b6 07-Aug-2012 Pavel Březina <pbrezina@redhat.com>

Rename SYSDB_SUDO_CACHE_AT_OC to SYSDB_SUDO_CACHE_OC It does not contain name of the object class attribute but the value itself. I renamed it to avoid confusion.

898eb701893c3df1bd9f536c47555db39a10667c 09-Jul-2012 Stephen Gallagher <sgallagh@redhat.com>

Fix potential NULL-dereference Coverity #12800

29bf02dbdd8168d7be04f4f15cff4321833a71c4 09-Jul-2012 Stephen Gallagher <sgallagh@redhat.com>

Fix potential NULL-dereference Coverity #12801

20f82655b3a29cf0784ba5c912927d1ada1287df 29-Jun-2012 Pavel Březina <pbrezina@redhat.com>

sudo responder: schedule OOB full refresh when expired rule is deleted

010c35e66398bbeb82fb1b31fc619b1a9eaf2d3d 29-Jun-2012 Pavel Březina <pbrezina@redhat.com>

sudo responder: refresh expired rules

e5b34f0166ae61468e53f369578e691ddb09cdd0 29-Jun-2012 Pavel Březina <pbrezina@redhat.com>

sudo responder: update dp interface

5e7ddcae402bc284d43c5ebb5d215310a5658aba 29-Jun-2012 Pavel Březina <pbrezina@redhat.com>

sudo responder: allow fetching only expired rules in sudosrv_get_sudorules_query_cache()

f7af8c5b369938725e47585c641ae5b017d442a1 29-Jun-2012 Pavel Březina <pbrezina@redhat.com>

sudo sysdb: add expiration time to the filter

76db25eab9010a33657f35e5afc8477c996df7a3 29-Jun-2012 Pavel Březina <pbrezina@redhat.com>

sudo responder: new request enum type sss_sudo_type represents query type that comes to the responder sss_dp_sudo_type represents query type to DP that is issued by the responder I'm leaving current values of sss_dp_sudo_type untouched so the compilation is not broken. However, they will be changed to new DP types once the DP interface is updated.

46d3d2c731e8c7e138462e5b60a39a279dc77d81 29-Jun-2012 Pavel Březina <pbrezina@redhat.com>

sudo api: send uid, username and domainname https://fedorahosted.org/sssd/ticket/1239 Test client was changed accordingly. The new usage is: sss_sudo_cli username [uid] If uid is not set, getpwnam(username) is called. It will retrieve both default options and rules.

b0abb3bfdfd95951a23c9fc223c735805ffd2969 29-Jun-2012 Pavel Březina <pbrezina@redhat.com>

sudo responder: get rid of dctx where possible

710472d946f6c337a095699dfd79134fa8b9eab9 29-Jun-2012 Pavel Březina <pbrezina@redhat.com>

sudo responder: remove code duplication in commands

b7b50b21d2254a079b1b1c299909483d23db1512 29-Feb-2012 Sumit Bose <sbose@redhat.com>

Remove sysdb_get_ctx_from_list()

744dff21cc626efdc646dd293c97c6a19a9f6ed5 24-Feb-2012 Pavel Březina <pbrezina@redhat.com>

Move sudo_dom_ctx.user to local variable

278284224aa10805d58c978977e43b1d1126f9b1 24-Feb-2012 Pavel Březina <pbrezina@redhat.com>

Honor case_sensitive option in sudo responder https://fedorahosted.org/sssd/ticket/1205

699cb9781f64796af68ea620fd4952d47ac0d64a 06-Feb-2012 Pavel Březina <pbrezina@redhat.com>

SUDO Integration - fix offline behaviour

41ef946f3f74a46b9e26118116e4811e259b30ef 04-Feb-2012 Pavel Březina <pbrezina@redhat.com>

SUDO Integration - in-memory cache in responder New sudo responder option: cache_timeout https://fedorahosted.org/sssd/ticket/1111

c9b2b7f3f02bf40b698c70640f151d0113736195 31-Jan-2012 Jakub Hrozek <jhrozek@redhat.com>

Fix sudo compilation on RHEL5

c47e9d522f0d87259e5074ea643daaa3dfcb8d92 27-Jan-2012 Pavel Březina <pbrezina@redhat.com>

SUDO Integration - responder command for cn=defaults https://fedorahosted.org/sssd/ticket/1143

f6171b2bc954a367f316853ab71090eb213bdee3 27-Jan-2012 Pavel Březina <pbrezina@redhat.com>

SUDO Integration - make sysdb_get_sudo_filter() more configurable https://fedorahosted.org/sssd/ticket/1143

3b121852048a7931f8a608527b760963e2ed2bb4 27-Jan-2012 Jakub Hrozek <jhrozek@redhat.com>

Use the new SUDO request in DP and sudo responder Also remove the old request implementation https://fedorahosted.org/sssd/ticket/1115

9d1d6019a27a0ed70a665700a9f6acc55f874811 23-Jan-2012 Stephen Gallagher <sgallagh@redhat.com>

DP: Fix bugs in sss_dp_get_account_int The conversion to the tevent_req style introduced numerous bugs related to memory management of the various client requests. In some circumstances, this could cause memory corruption and segmentation faults in the NSS responder. This patch makes the following changes:

1) Rename the internal lookup from subreq to sidereq, to indicate that it is not a sub-request of the current lookup (and therefore is not cancelled if the current request is).

2) Change the handling of the callback loops since they call tevent_req_[done|error], which results in them being freed (and therefore removed from the cb_list). This was the source of the memory corruption that would occasionally result in dereferencing an unreadable request.

3) Remove the unnecessary sss_dp_get_account_int_recv() function and change sss_dp_get_account_done() so that it only frees the sidereq. All of the waiting processes have already been signaled with the final results from sss_dp_get_account_int_done().

0c7aa697991ea9df960fae14fd567ebdda3b4ff4 21-Jan-2012 Stephen Gallagher <sgallagh@redhat.com>

RESPONDER: Extend sss_dp_account_send() to include extra data Some NSS maps such as 'services' require more values to be passed to the data provider than just the name or ID. In these cases, we will amend an optional component to filter value to pass to the data provider backend.

f643754db81eeade60485bbe3d80324d889cc4f3 17-Jan-2012 Pavel Březina <pbrezina@redhat.com>

SUDO Integration review issues

20e310e32a47e861ce0c11bcd1dcf89dc78d8aba 16-Dec-2011 Jakub Hrozek <jhrozek@redhat.com>

SUDO Integration - responder - get sudo rules logic

2827b0d03f7b6bafa504d22a5d7ca39cbda048b3 16-Dec-2011 Pavel Březina <pbrezina@redhat.com>

SUDO Integration - responder