Add support in SSSD for negated users.

This commit is contained in:
Todd C. Miller
2022-01-18 11:31:36 -07:00
parent e88087721b
commit 9bb3df748e


@@ -1,7 +1,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 2003-2020 Todd C. Miller <Todd.Miller@sudo.ws> * Copyright (c) 2003-2022 Todd C. Miller <Todd.Miller@sudo.ws>
* Copyright (c) 2011 Daniel Kopecek <dkopecek@redhat.com> * Copyright (c) 2011 Daniel Kopecek <dkopecek@redhat.com>
* *
* This code is derived from software contributed by Aaron Spangler. * This code is derived from software contributed by Aaron Spangler.
@@ -189,8 +189,13 @@ sudo_sss_check_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
/* Walk through sudoUser values. */ /* Walk through sudoUser values. */
for (i = 0; val_array[i] != NULL && !ret; ++i) { for (i = 0; val_array[i] != NULL && !ret; ++i) {
const char *val = val_array[i]; const char *val = val_array[i];
bool negated = false;
sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val); sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
if (*val == '!') {
val++;
negated = false;
}
switch (*val) { switch (*val) {
case '+': case '+':
/* Netgroup spec found, check membership. */ /* Netgroup spec found, check membership. */
@@ -214,8 +219,14 @@ sudo_sss_check_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
break; break;
} }
sudo_debug_printf(SUDO_DEBUG_DIAG, sudo_debug_printf(SUDO_DEBUG_DIAG,
"sssd/ldap sudoUser '%s' ... %s (%s)", val, "sssd/ldap sudoUser '%s%s' ... %s (%s)", negated ? "!" : "",
ret ? "MATCH!" : "not", handle->pw->pw_name); val, ret ? "MATCH!" : "not", handle->pw->pw_name);
/* A negated match overrides all other entries. */
if (ret && negated) {
ret = false;
break;
}
} }
handle->fn_free_values(val_array); handle->fn_free_values(val_array);
debug_return_bool(ret); debug_return_bool(ret);
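Review bot: In the second hunk the new `if (*val == '!')` branch advances `val` past the bang but then assigns `negated = false;`, so `negated` keeps its initial value and can never become true; the line should read `negated = true;`. As written, a sudoUser value such as `!someuser` is treated as a plain positive match for `someuser`, the "A negated match overrides all other entries" block added in the third hunk can never fire, and the diagnostic never prints the `!` prefix — the opposite of the intended effect, since an entry meant to exclude a user would instead match them. A test with one rule whose sudoUser list contains both `ALL` and `!<the caller>` would catch this, as the expected result is no match. The enclosing sudo_sss_check_user starts before the second hunk and its closing brace lies beyond the third.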