From d008c239c62ab6a467559156d5df854b099e4422 Mon Sep 17 00:00:00 2001
From: Adam Tkac <vonsch@gmail.com>
Date: Mon, 13 Apr 2015 15:00:18 +0200
Subject: [PATCH 61/99] Option filter_users had no effect for retrieving sudo
rules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Previously sssd_sudo always fetched a user's sudo rules from LDAP even
when that user was listed in filter_users.
Resolves https://fedorahosted.org/sssd/ticket/2625
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 2a25713afc6beefb11a799903a43f695c5d7a4f9)
---
src/responder/sudo/sudosrv.c | 24 ++++++++++++++++++++++++
src/responder/sudo/sudosrv_cmd.c | 12 ++++++++++++
src/responder/sudo/sudosrv_private.h | 3 +++
3 files changed, 39 insertions(+)
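diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
index e480c7a43d453cffcd6ca07e41402c1cf6eef91c..bcc0a07f04bdd7dbccc3b47932a7917312395b12 100644
--- a/src/responder/sudo/sudosrv.c
+++ b/src/responder/sudo/sudosrv.c
@@ -27,6 +27,7 @@
 #include "responder/common/responder_sbus.h"
 #include "responder/sudo/sudosrv_private.h"
 #include "providers/data_provider.h"
+#include "responder/common/negcache.h"
 
 struct mon_cli_iface monitor_sudo_methods = {
 { &mon_cli_iface_meta, 0 },
@@ -113,9 +114,32 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
 goto fail;
 }
 
+ ret = sss_ncache_init(rctx, &sudo_ctx->ncache);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "fatal error initializing ncache\n");
+ goto fail;
+ }
+
 sudo_ctx->rctx = rctx;
 sudo_ctx->rctx->pvt_ctx = sudo_ctx;
 
+ ret = confdb_get_int(cdb, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_ENTRY_NEG_TIMEOUT, 15,
+ &sudo_ctx->neg_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "fatal error getting ncache timeout\n");
+ goto fail;
+ }
+
+ sss_ncache_prepopulate(sudo_ctx->ncache, sudo_ctx->rctx->cdb, rctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "failed to set ncache for sudo's filter_users\n");
+ goto fail;
+ }
+
 /* Enable automatic reconnection to the Data Provider */
 ret = confdb_get_int(sudo_ctx->rctx->cdb,
 CONFDB_SUDO_CONF_ENTRY,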
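Review bot: The return value of `sss_ncache_prepopulate()` is discarded, so the `if (ret != EOK)` that follows it tests the stale `ret` left by the preceding `confdb_get_int()` call — which must be EOK for execution to reach this point — and the "failed to set ncache for sudo's filter_users" branch can never be taken. A failure to populate the negative cache would therefore be silent, and every filter_users entry would go unenforced, which is the very condition this commit sets out to fix. The call should read `ret = sss_ncache_prepopulate(sudo_ctx->ncache, sudo_ctx->rctx->cdb, rctx);`. Separately, the timeout is read from `CONFDB_NSS_CONF_ENTRY`, so the lifetime of the sudo responder's filter entries is governed by the nss section's negative-cache setting; if that sharing is intended, a one-line comment above that `confdb_get_int()` saying so would spare the next reader the question. `sudo_process_init` begins and ends outside this hunk.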
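diff --git a/src/responder/sudo/sudosrv_cmd.c b/src/responder/sudo/sudosrv_cmd.c
index fd8c46d638ecbd0275b44511dbc6d31e0e316581..dd636e949200dd49c1422a5789e9328dc4b25fb0 100644
--- a/src/responder/sudo/sudosrv_cmd.c
+++ b/src/responder/sudo/sudosrv_cmd.c
@@ -28,6 +28,7 @@
 #include "responder/sudo/sudosrv_private.h"
 #include "db/sysdb_sudo.h"
 #include "sss_client/sss_cli.h"
+#include "responder/common/negcache.h"
 
 static errno_t sudosrv_cmd_send_reply(struct sudo_cmd_ctx *cmd_ctx,
 uint8_t *response_body,
@@ -239,6 +240,7 @@ static void sudosrv_cmd_parse_query_done(struct tevent_req *req)
 {
 struct sudo_cmd_ctx *cmd_ctx = NULL;
 struct sudo_dom_ctx *dom_ctx = NULL;
+ struct sudo_ctx *sudo_ctx = NULL;
 errno_t ret;
 
 cmd_ctx = tevent_req_callback_data(req, struct sudo_cmd_ctx);
@@ -278,6 +280,16 @@ static void sudosrv_cmd_parse_query_done(struct tevent_req *req)
 dom_ctx->domain = cmd_ctx->domain != NULL ? cmd_ctx->domain
 : cmd_ctx->cli_ctx->rctx->domains;
 
+ sudo_ctx = talloc_get_type(cmd_ctx->cli_ctx->rctx->pvt_ctx, struct sudo_ctx);
+ ret = sss_ncache_check_user(sudo_ctx->ncache, sudo_ctx->neg_timeout,
+ dom_ctx->domain, cmd_ctx->username);
+ if (ret == EEXIST) {
+ DEBUG(SSSDBG_TRACE_FUNC, "User [%s@%s] filtered out (ncache)\n",
+ cmd_ctx->username, dom_ctx->domain->name);
+ ret = ENOENT;
+ goto done;
+ }
+
 ret = sudosrv_get_sudorules(dom_ctx);
 
 done: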
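Review bot: Only `EEXIST` is acted on after `sss_ncache_check_user()`; any other result that is not a plain miss falls straight through to `sudosrv_get_sudorules()` without a trace, so a lookup failure in the negative cache quietly turns the filter off for that request and leaves nothing in the log to explain it. A message before proceeding, `if (ret != ENOENT) { DEBUG(SSSDBG_MINOR_FAILURE, "ncache lookup failed [%d], continuing unfiltered\n", ret); }`, would make that path observable. Also, when `cmd_ctx->domain` is NULL the check runs only against `rctx->domains`, the first domain; if `sudosrv_get_sudorules()` goes on to search the other domains for an unqualified name, a user filtered only under a later domain (a domain-qualified filter_users entry) would presumably not be caught here — worth confirming against the lookup loop. The function continues past the hunk, so what `done:` does with the ENOENT set here is not visible.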
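diff --git a/src/responder/sudo/sudosrv_private.h b/src/responder/sudo/sudosrv_private.h
index 71a272ab4b06864738ac86b31e89a0c45658665b..3c53755f9e8ec56f3dea52021d14b50f715a54e7 100644
--- a/src/responder/sudo/sudosrv_private.h
+++ b/src/responder/sudo/sudosrv_private.h
@@ -43,6 +43,9 @@ enum sss_sudo_type {
 struct sudo_ctx {
 struct resp_ctx *rctx;
 
+ int neg_timeout;
+ struct sss_nc_ctx *ncache;
+
 /*
 * options
 */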
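Review bot: The two new members carry no comment although the neighbouring section of the struct is annotated, and nothing here says where they come from or what consults them. A short comment above `int neg_timeout;` along the lines of `/* negative cache holding filter_users entries, and the timeout passed to sss_ncache_check_user() when a request is checked against it */` would tie the fields to their use in sudosrv_cmd.c. The struct continues beyond the hunk.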
--
2.4.0