mirror of
https://github.com/sudo-project/sudo.git
synced 2025-08-22 01:49:11 +00:00
Use the value of ipa_hostname from /etc/sssd/sssd.conf if present
instead of the system hostname.
This commit is contained in:
Todd C. Miller
parent
ccf88d3bb2
commit
9b027676c0
4
INSTALL
4
INSTALL
@ -341,6 +341,10 @@ Optional features:
|
||||
(SSSD) as a sudoers data source. For more information on
|
||||
SSD, see http://fedorahosted.org/sssd/
|
||||
|
||||
--with-sssd-conf=PATH
|
||||
Specify the path to the SSSD configuration file, if different
|
||||
from the default value of /etc/sssd/sssd.conf.
|
||||
|
||||
--with-sssd-lib=PATH
|
||||
Specify the path to the SSSD shared library, which is loaded
|
||||
at run-time.
|
||||
|
||||
15
configure
vendored
15
configure
vendored
@ -852,6 +852,7 @@ with_bsm_audit
|
||||
with_linux_audit
|
||||
with_solaris_audit
|
||||
with_sssd
|
||||
with_sssd_conf
|
||||
with_sssd_lib
|
||||
with_incpath
|
||||
with_libpath
|
||||
@ -1653,6 +1654,7 @@ Optional Packages:
|
||||
--with-linux-audit enable Linux audit support
|
||||
--with-solaris-audit enable Solaris audit support
|
||||
--with-sssd enable SSSD support
|
||||
--with-sssd-conf path to the SSSD config file
|
||||
--with-sssd-lib path to the SSSD library
|
||||
--with-incpath additional places to look for include files
|
||||
--with-libpath additional places to look for libraries
|
||||
@ -4371,6 +4373,19 @@ fi
|
||||
|
||||
|
||||
|
||||
# Check whether --with-sssd-conf was given.
|
||||
if test "${with_sssd_conf+set}" = set; then :
|
||||
withval=$with_sssd_conf;
|
||||
fi
|
||||
|
||||
sssd_conf="/etc/sssd/sssd.conf"
|
||||
test -n "$with_sssd_conf" && sssd_conf="$with_sssd_conf"
|
||||
cat >>confdefs.h <<EOF
|
||||
#define _PATH_SSSD_CONF "$sssd_conf"
|
||||
EOF
|
||||
|
||||
|
||||
|
||||
# Check whether --with-sssd-lib was given.
|
||||
if test "${with_sssd_lib+set}" = set; then :
|
||||
withval=$with_sssd_lib;
|
||||
|
||||
@ -366,6 +366,11 @@ AC_ARG_WITH(sssd, [AS_HELP_STRING([--with-sssd], [enable SSSD support])],
|
||||
;;
|
||||
esac])
|
||||
|
||||
AC_ARG_WITH(sssd-conf, [AS_HELP_STRING([--with-sssd-conf], [path to the SSSD config file])])
|
||||
sssd_conf="/etc/sssd/sssd.conf"
|
||||
test -n "$with_sssd_conf" && sssd_conf="$with_sssd_conf"
|
||||
SUDO_DEFINE_UNQUOTED(_PATH_SSSD_CONF, "$sssd_conf", [Path to the SSSD config file])
|
||||
|
||||
AC_ARG_WITH(sssd-lib, [AS_HELP_STRING([--with-sssd-lib], [path to the SSSD library])])
|
||||
sssd_lib="\"LIBDIR\""
|
||||
test -n "$with_sssd_lib" && sssd_lib="$with_sssd_lib"
|
||||
|
||||
@ -167,6 +167,10 @@
|
||||
# undef _PATH_LDAP_SECRET
|
||||
#endif /* _PATH_LDAP_SECRET */
|
||||
|
||||
#ifndef _PATH_SSSD_CONF
|
||||
# undef _PATH_SSSD_CONF
|
||||
#endif /* _PATH_SSSD_CONF */
|
||||
|
||||
#ifndef _PATH_SSSD_LIB
|
||||
# undef _PATH_SSSD_LIB
|
||||
#endif /* _PATH_SSSD_LIB */
|
||||
|
||||
@ -82,6 +82,8 @@ typedef void (*sss_sudo_free_values_t)(char**);
|
||||
|
||||
struct sudo_sss_handle {
|
||||
char *domainname;
|
||||
char *host;
|
||||
char *shost;
|
||||
struct passwd *pw;
|
||||
void *ssslib;
|
||||
sss_sudo_send_recv_t fn_send_recv;
|
||||
@ -295,6 +297,62 @@ sudo_sss_filter_result(struct sudo_sss_handle *handle,
|
||||
debug_return_ptr(out_res);
|
||||
}
|
||||
|
||||
static int
|
||||
get_ipa_hostname(char **shostp, char **lhostp)
|
||||
{
|
||||
size_t linesize = 0;
|
||||
char *lhost = NULL;
|
||||
char *shost = NULL;
|
||||
char *line = NULL;
|
||||
int ret = false;
|
||||
ssize_t len;
|
||||
FILE *fp;
|
||||
debug_decl(get_ipa_hostname, SUDOERS_DEBUG_SSSD)
|
||||
|
||||
fp = fopen(_PATH_SSSD_CONF, "r");
|
||||
if (fp != NULL) {
|
||||
while ((len = getline(&line, &linesize, fp)) != -1) {
|
||||
char *cp = line;
|
||||
|
||||
/* Trim trailing and leading spaces. */
|
||||
while (isspace((unsigned char)line[len - 1]))
|
||||
line[--len] = '\0';
|
||||
while (isspace((unsigned char)*cp))
|
||||
cp++;
|
||||
|
||||
/*
|
||||
* Match ipa_hostname = foo
|
||||
* Note: currently ignores the domain (XXX)
|
||||
*/
|
||||
if (strncmp(cp, "ipa_hostname", 12) == 0 &&
|
||||
(isblank((unsigned char)cp[12]) || cp[12] == '=')) {
|
||||
cp += 13;
|
||||
while (isblank((unsigned char)*cp) || *cp == '=')
|
||||
cp++;
|
||||
lhost = strdup(cp);
|
||||
if (lhost != NULL && (cp = strchr(lhost, '.')) != NULL) {
|
||||
shost = strndup(lhost, (size_t)(cp - lhost));
|
||||
} else {
|
||||
shost = lhost;
|
||||
}
|
||||
if (shost != NULL && lhost != NULL) {
|
||||
*shostp = shost;
|
||||
*lhostp = lhost;
|
||||
ret = true;
|
||||
} else {
|
||||
free(shost);
|
||||
free(lhost);
|
||||
ret = -1;
|
||||
}
|
||||
}
|
||||
break;
|
||||
}
|
||||
fclose(fp);
|
||||
free(line);
|
||||
}
|
||||
debug_return_int(ret);
|
||||
}
|
||||
|
||||
struct sudo_nss sudo_nss_sss = {
|
||||
{ NULL, NULL },
|
||||
sudo_sss_open,
|
||||
@ -381,9 +439,23 @@ sudo_sss_open(struct sudo_nss *nss)
|
||||
}
|
||||
|
||||
handle->domainname = NULL;
|
||||
handle->host = user_runhost;
|
||||
handle->shost = user_srunhost;
|
||||
handle->pw = sudo_user.pw;
|
||||
nss->handle = handle;
|
||||
|
||||
/*
|
||||
* If runhost is the same as the local host, check for ipa_hostname
|
||||
* in sssd.conf and use it in preference to user_runhost.
|
||||
*/
|
||||
if (strcmp(user_runhost, user_host) == 0) {
|
||||
if (get_ipa_hostname(&handle->shost, &handle->host) == -1) {
|
||||
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
|
||||
free(handle);
|
||||
debug_return_int(ENOMEM);
|
||||
}
|
||||
}
|
||||
|
||||
sudo_debug_printf(SUDO_DEBUG_DEBUG, "handle=%p", handle);
|
||||
|
||||
debug_return_int(0);
|
||||
@ -544,8 +616,8 @@ sudo_sss_check_runas_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *
|
||||
switch (val[0]) {
|
||||
case '+':
|
||||
sudo_debug_printf(SUDO_DEBUG_DEBUG, "netgr_");
|
||||
if (netgr_matches(val, def_netgroup_tuple ? user_runhost : NULL,
|
||||
def_netgroup_tuple ? user_srunhost : NULL, runas_pw->pw_name)) {
|
||||
if (netgr_matches(val, def_netgroup_tuple ? handle->host : NULL,
|
||||
def_netgroup_tuple ? handle->shost : NULL, runas_pw->pw_name)) {
|
||||
sudo_debug_printf(SUDO_DEBUG_DEBUG, "=> match");
|
||||
ret = true;
|
||||
}
|
||||
@ -674,9 +746,9 @@ sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
|
||||
|
||||
/* match any or address or netgroup or hostname */
|
||||
if (strcmp(val, "ALL") == 0 || addr_matches(val) ||
|
||||
netgr_matches(val, user_runhost, user_srunhost,
|
||||
netgr_matches(val, handle->host, handle->shost,
|
||||
def_netgroup_tuple ? handle->pw->pw_name : NULL) ||
|
||||
hostname_matches(user_srunhost, user_runhost, val))
|
||||
hostname_matches(handle->shost, handle->host, val))
|
||||
ret = true;
|
||||
|
||||
sudo_debug_printf(SUDO_DEBUG_INFO,
|
||||
@ -729,8 +801,8 @@ sudo_sss_check_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
|
||||
switch (*val) {
|
||||
case '+':
|
||||
/* Netgroup spec found, check membership. */
|
||||
if (netgr_matches(val, def_netgroup_tuple ? user_runhost : NULL,
|
||||
def_netgroup_tuple ? user_srunhost : NULL, handle->pw->pw_name)) {
|
||||
if (netgr_matches(val, def_netgroup_tuple ? handle->host : NULL,
|
||||
def_netgroup_tuple ? handle->shost : NULL, handle->pw->pw_name)) {
|
||||
matched = !negated;
|
||||
}
|
||||
break;
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user