sudo_ldap_check_non_unix_group: pass nss pointer to netgr_matches()
This allows us to use the LDAP-specific version of innetgr() when possible. Also enable "use_netgroups" by default even on systems without innetgr() since we can now query netgroups directly via LDAP.
This commit is contained in:
Todd C. Miller
@@ -539,9 +539,6 @@ init_defaults(void)
|
||||
#ifdef HAVE_SELINUX
|
||||
def_selinux = true;
|
||||
#endif
|
||||
#ifdef HAVE_INNETGR
|
||||
def_use_netgroups = true;
|
||||
#endif
|
||||
#ifdef _PATH_SUDO_ADMIN_FLAG
|
||||
if ((def_admin_flag = strdup(_PATH_SUDO_ADMIN_FLAG)) == NULL)
|
||||
goto oom;
|
||||
@@ -550,6 +547,7 @@ init_defaults(void)
|
||||
goto oom;
|
||||
def_intercept_type = dso;
|
||||
def_intercept_verify = true;
|
||||
def_use_netgroups = true;
|
||||
def_netgroup_tuple = false;
|
||||
def_sudoedit_checkdir = true;
|
||||
def_iolog_mode = S_IRUSR|S_IWUSR;
|
||||
|
||||
@@ -297,8 +297,11 @@ sudo_ldap_get_values_len(LDAP *ld, LDAPMessage *entry, const char *attr, int *rc
|
||||
* A matching entry that is negated will always return false.
|
||||
*/
|
||||
static int
|
||||
sudo_ldap_check_non_unix_group(LDAP *ld, LDAPMessage *entry, struct passwd *pw)
|
||||
sudo_ldap_check_non_unix_group(const struct sudo_nss *nss, LDAPMessage *entry,
|
||||
struct passwd *pw)
|
||||
{
|
||||
struct sudo_ldap_handle *handle = nss->handle;
|
||||
LDAP *ld = handle->ld;
|
||||
struct berval **bv, **p;
|
||||
bool ret = false;
|
||||
int rc;
|
||||
@@ -325,8 +328,7 @@ sudo_ldap_check_non_unix_group(LDAP *ld, LDAPMessage *entry, struct passwd *pw)
|
||||
negated = true;
|
||||
}
|
||||
if (*val == '+') {
|
||||
/* Custom innetgr() function not used here. */
|
||||
if (netgr_matches(NULL, val,
|
||||
if (netgr_matches(nss, val,
|
||||
def_netgroup_tuple ? user_runhost : NULL,
|
||||
def_netgroup_tuple ? user_srunhost : NULL, pw->pw_name))
|
||||
ret = true;
|
||||
@@ -1845,7 +1847,7 @@ sudo_ldap_result_get(const struct sudo_nss *nss, struct passwd *pw)
|
||||
LDAP_FOREACH(entry, ld, result) {
|
||||
if (pass != 0) {
|
||||
/* Check non-unix group in 2nd pass. */
|
||||
switch (sudo_ldap_check_non_unix_group(ld, entry, pw)) {
|
||||
switch (sudo_ldap_check_non_unix_group(nss, entry, pw)) {
|
||||
case -1:
|
||||
goto oom;
|
||||
case false:
|
||||
|
||||
@@ -671,7 +671,7 @@ sudo_getdomainname(void)
|
||||
* in which case that argument is not checked...
|
||||
*/
|
||||
bool
|
||||
netgr_matches(struct sudo_nss *nss, const char *netgr,
|
||||
netgr_matches(const struct sudo_nss *nss, const char *netgr,
|
||||
const char *lhost, const char *shost, const char *user)
|
||||
{
|
||||
const char *domain;
|
||||
|
||||
@@ -435,7 +435,7 @@ struct group;
|
||||
struct passwd;
|
||||
bool group_matches(const char *sudoers_group, const struct group *gr);
|
||||
bool hostname_matches(const char *shost, const char *lhost, const char *pattern);
|
||||
bool netgr_matches(struct sudo_nss *nss, const char *netgr, const char *lhost, const char *shost, const char *user);
|
||||
bool netgr_matches(const struct sudo_nss *nss, const char *netgr, const char *lhost, const char *shost, const char *user);
|
||||
bool usergr_matches(const char *group, const char *user, const struct passwd *pw);
|
||||
bool userpw_matches(const char *sudoers_user, const char *user, const struct passwd *pw);
|
||||
int cmnd_matches(const struct sudoers_parse_tree *parse_tree, const struct member *m, const char *runchroot, struct cmnd_info *info);
|
||||
|
||||
Reference in New Issue
Block a user