In sudo_netgroup_lookup() only build up the search filter once

instead of once per netgroup_base.
Todd C. Miller
2016-01-11 16:35:05 -07:00
parent 7c454656d5
commit 55fdf66c1d


@@ -1392,96 +1392,92 @@ sudo_netgroup_lookup(LDAP *ld, struct passwd *pw,
/* Use NIS domain if set, else wildcard match. */ /* Use NIS domain if set, else wildcard match. */
domain = sudo_getdomainname(); domain = sudo_getdomainname();
STAILQ_FOREACH(base, &ldap_conf.netgroup_base, entries) { /* Build query, using NIS domain if it is set. */
DPRINTF1("searching from netgroup_base '%s'", base->val); if (domain != NULL) {
filt_len = sizeof("(nisNetgroupTriple=\\28,,\\29)") - 1 +
/* Build query, using NIS domain if it is set. */ sudo_ldap_value_len(pw->pw_name);
/* XXX - move outside foreach */ if (user_runhost == user_srunhost) {
if (domain != NULL) { filt_len *= 4;
filt_len = sizeof("(nisNetgroupTriple=\\28,,\\29)") - 1 + filt_len += 2 * sudo_ldap_value_len(user_srunhost);
sudo_ldap_value_len(pw->pw_name); filt_len += 2 * sudo_ldap_value_len(domain);
if (user_runhost == user_srunhost) { } else {
filt_len *= 4; filt_len *= 6;
filt_len += 2 * sudo_ldap_value_len(user_srunhost); filt_len += 2 * sudo_ldap_value_len(user_srunhost);
filt_len += 2 * sudo_ldap_value_len(domain); filt_len += 2 * sudo_ldap_value_len(user_runhost);
} else { filt_len += 3 * sudo_ldap_value_len(domain);
filt_len *= 6; }
filt_len += 2 * sudo_ldap_value_len(user_srunhost); filt_len += 7 + strlen(ldap_conf.netgroup_search_filter);
filt_len += 2 * sudo_ldap_value_len(user_runhost); if ((filt = malloc(filt_len)) == NULL)
filt_len += 3 * sudo_ldap_value_len(domain); goto oom;
} CHECK_STRLCPY(filt, "(&", filt_len);
filt_len += 7 + strlen(ldap_conf.netgroup_search_filter); CHECK_STRLCAT(filt, ldap_conf.netgroup_search_filter, filt_len);
if ((filt = malloc(filt_len)) == NULL) CHECK_STRLCAT(filt, "(|(nisNetgroupTriple=\\28,", filt_len);
goto oom; CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
CHECK_STRLCPY(filt, "(&", filt_len); CHECK_STRLCAT(filt, ",", filt_len);
CHECK_STRLCAT(filt, ldap_conf.netgroup_search_filter, filt_len); CHECK_LDAP_VCAT(filt, domain, filt_len);
CHECK_STRLCAT(filt, "(|(nisNetgroupTriple=\\28,", filt_len); CHECK_STRLCAT(filt, "\\29)(nisNetgroupTriple=\\28", filt_len);
CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len); CHECK_LDAP_VCAT(filt, user_srunhost, filt_len);
CHECK_STRLCAT(filt, ",", filt_len);
CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
if (user_runhost != user_srunhost) {
CHECK_STRLCAT(filt, ",", filt_len); CHECK_STRLCAT(filt, ",", filt_len);
CHECK_LDAP_VCAT(filt, domain, filt_len); CHECK_LDAP_VCAT(filt, domain, filt_len);
CHECK_STRLCAT(filt, "\\29)(nisNetgroupTriple=\\28", filt_len); CHECK_STRLCAT(filt, "\\29)(nisNetgroupTriple=\\28", filt_len);
CHECK_LDAP_VCAT(filt, user_srunhost, filt_len); CHECK_LDAP_VCAT(filt, user_runhost, filt_len);
CHECK_STRLCAT(filt, ",", filt_len); CHECK_STRLCAT(filt, ",", filt_len);
CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len); CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
if (user_runhost != user_srunhost) {
CHECK_STRLCAT(filt, ",", filt_len);
CHECK_LDAP_VCAT(filt, domain, filt_len);
CHECK_STRLCAT(filt, "\\29)(nisNetgroupTriple=\\28", filt_len);
CHECK_LDAP_VCAT(filt, user_runhost, filt_len);
CHECK_STRLCAT(filt, ",", filt_len);
CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
}
CHECK_STRLCAT(filt, ",", filt_len);
CHECK_LDAP_VCAT(filt, domain, filt_len);
CHECK_STRLCAT(filt, "\\29)(nisNetgroupTriple=\\28,", filt_len);
CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
CHECK_STRLCAT(filt, ",\\29)(nisNetgroupTriple=\\28", filt_len);
CHECK_LDAP_VCAT(filt, user_srunhost, filt_len);
CHECK_STRLCAT(filt, ",", filt_len);
CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
if (user_runhost != user_srunhost) {
CHECK_STRLCAT(filt, ",\\29)(nisNetgroupTriple=\\28", filt_len);
CHECK_LDAP_VCAT(filt, user_runhost, filt_len);
CHECK_STRLCAT(filt, ",", filt_len);
CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
}
CHECK_STRLCAT(filt, ",\\29)))", filt_len);
} else {
filt_len = sizeof("(nisNetgroupTriple=\\28,,*\\29)") - 1 +
sudo_ldap_value_len(pw->pw_name);
if (user_runhost == user_srunhost) {
filt_len *= 2;
filt_len += sudo_ldap_value_len(user_srunhost);
} else {
filt_len *= 3;
filt_len += sudo_ldap_value_len(user_srunhost);
filt_len += sudo_ldap_value_len(user_runhost);
}
filt_len += 7 + strlen(ldap_conf.netgroup_search_filter);
if ((filt = malloc(filt_len)) == NULL)
goto oom;
CHECK_STRLCPY(filt, "(&", filt_len);
CHECK_STRLCAT(filt, ldap_conf.netgroup_search_filter, filt_len);
CHECK_STRLCAT(filt, "(|(nisNetgroupTriple=\\28,", filt_len);
CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
CHECK_STRLCAT(filt, ",*\\29)(nisNetgroupTriple=\\28", filt_len);
CHECK_LDAP_VCAT(filt, user_srunhost, filt_len);
CHECK_STRLCAT(filt, ",", filt_len);
CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
if (user_runhost != user_srunhost) {
CHECK_STRLCAT(filt, ",*\\29)(nisNetgroupTriple=\\28", filt_len);
CHECK_LDAP_VCAT(filt, user_runhost, filt_len);
CHECK_STRLCAT(filt, ",", filt_len);
CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
}
CHECK_STRLCAT(filt, ",*\\29)))", filt_len);
} }
/* XXX - refactor duplicated code */ CHECK_STRLCAT(filt, ",", filt_len);
DPRINTF1("ldap netgroup search filter: '%s'", filt); CHECK_LDAP_VCAT(filt, domain, filt_len);
result = NULL; CHECK_STRLCAT(filt, "\\29)(nisNetgroupTriple=\\28,", filt_len);
CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
CHECK_STRLCAT(filt, ",\\29)(nisNetgroupTriple=\\28", filt_len);
CHECK_LDAP_VCAT(filt, user_srunhost, filt_len);
CHECK_STRLCAT(filt, ",", filt_len);
CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
if (user_runhost != user_srunhost) {
CHECK_STRLCAT(filt, ",\\29)(nisNetgroupTriple=\\28", filt_len);
CHECK_LDAP_VCAT(filt, user_runhost, filt_len);
CHECK_STRLCAT(filt, ",", filt_len);
CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
}
CHECK_STRLCAT(filt, ",\\29)))", filt_len);
} else {
filt_len = sizeof("(nisNetgroupTriple=\\28,,*\\29)") - 1 +
sudo_ldap_value_len(pw->pw_name);
if (user_runhost == user_srunhost) {
filt_len *= 2;
filt_len += sudo_ldap_value_len(user_srunhost);
} else {
filt_len *= 3;
filt_len += sudo_ldap_value_len(user_srunhost);
filt_len += sudo_ldap_value_len(user_runhost);
}
filt_len += 7 + strlen(ldap_conf.netgroup_search_filter);
if ((filt = malloc(filt_len)) == NULL)
goto oom;
CHECK_STRLCPY(filt, "(&", filt_len);
CHECK_STRLCAT(filt, ldap_conf.netgroup_search_filter, filt_len);
CHECK_STRLCAT(filt, "(|(nisNetgroupTriple=\\28,", filt_len);
CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
CHECK_STRLCAT(filt, ",*\\29)(nisNetgroupTriple=\\28", filt_len);
CHECK_LDAP_VCAT(filt, user_srunhost, filt_len);
CHECK_STRLCAT(filt, ",", filt_len);
CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
if (user_runhost != user_srunhost) {
CHECK_STRLCAT(filt, ",*\\29)(nisNetgroupTriple=\\28", filt_len);
CHECK_LDAP_VCAT(filt, user_runhost, filt_len);
CHECK_STRLCAT(filt, ",", filt_len);
CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
}
CHECK_STRLCAT(filt, ",*\\29)))", filt_len);
}
DPRINTF1("ldap netgroup search filter: '%s'", filt);
STAILQ_FOREACH(base, &ldap_conf.netgroup_base, entries) {
DPRINTF1("searching from netgroup_base '%s'", base->val);
rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE, filt, rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE, filt,
NULL, 0, NULL, NULL, tvp, 0, &result); NULL, 0, NULL, NULL, tvp, 0, &result);
free(filt);
if (rc != LDAP_SUCCESS) { if (rc != LDAP_SUCCESS) {
DPRINTF1("ldap netgroup search failed: %s", ldap_err2string(rc)); DPRINTF1("ldap netgroup search failed: %s", ldap_err2string(rc));
ldap_msgfree(result); ldap_msgfree(result);
@@ -1516,6 +1512,7 @@ sudo_netgroup_lookup(LDAP *ld, struct passwd *pw,
} }
} }
ldap_msgfree(result); ldap_msgfree(result);
result = NULL;
/* Check for nested netgroups in what we added. */ /* Check for nested netgroups in what we added. */
ng = old_tail ? STAILQ_NEXT(old_tail, entries) : STAILQ_FIRST(netgroups); ng = old_tail ? STAILQ_NEXT(old_tail, entries) : STAILQ_FIRST(netgroups);
@@ -1524,9 +1521,11 @@ sudo_netgroup_lookup(LDAP *ld, struct passwd *pw,
debug_return_bool(false); debug_return_bool(false);
} }
} }
free(filt);
debug_return_bool(true); debug_return_bool(true);
oom: oom:
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
free(filt);
ldap_msgfree(result); ldap_msgfree(result);
debug_return_bool(false); debug_return_bool(false);
overflow: overflow:
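Review bot: The early `debug_return_bool(false);` inside the netgroup_base loop (the return just before the two closing braces that precede the post-loop `free(filt)`) now leaks `filt`: before this change the buffer was freed right after `ldap_search_ext_s` on every iteration, and the commit moves that free to the end of the function and to the `oom:` label but not to this exit. It should release the buffer first, `free(filt); debug_return_bool(false);`, or that return should become a `goto` to a shared cleanup label that frees `filt` and returns false. The `if`/`while` enclosing that return and the tail of the `rc != LDAP_SUCCESS` branch lie outside the hunks, so if that branch returns rather than continues it needs the same treatment. It is also worth confirming that `result` is set to NULL before the loop: the per-iteration `result = NULL` that preceded the search was dropped, the failure branch calls `ldap_msgfree(result)` without clearing it, and the `oom:` path now frees whatever `result` holds, so a stale pointer there would be a double free.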