Support for using SSSD (http://fedorahosted.org/sssd/) as a sudoers

data source.  From Daniel Kopecek and Pavel Brezina.

INSTALL

@@ -201,6 +201,15 @@ Special features/options:
 	this file instead of /etc/ldap.secret to read the secret password
 	when rootbinddn is specified in the ldap config file.
 
+  --with-sssd
+        Enable support for using the System Security Services Daemon
+        (SSSD) as a sudoers data source.  For more informaton on
+        SSD, see http://fedorahosted.org/sssd/
+
+  --with-sssd-lib=PATH
+        Specify the path to the SSSD shared library, which is loaded
+        at run-time.
+
   --with-nsswitch[=PATH]
 	Path to nsswitch.conf or "no" to disable nsswitch support.
 	If specified, sudo uses this file instead of /etc/nsswitch.conf.

NEWS

@@ -42,6 +42,9 @@ What's new in Sudo 1.8.6?
    used to give a user the ability to run a command as themselves
    but with an expanded privilege set.
 
+ * Support for using the System Security Services Daemon (SSSD) as
+   a source of sudoers data.
+
 What's new in Sudo 1.8.5p2?
 
  * Fixed use of the SUDO_ASKPASS environment variable which was

common/sudo_debug.c

@@ -101,6 +101,7 @@ const char *const sudo_debug_subsystems[] = {
     "perms",
     "plugin",
     "hooks",
+    "sssd",
     NULL
 };
 

configure

@@ -661,6 +661,7 @@ editor
 secure_path
 netsvc_conf
 nsswitch_conf
+sssd_lib
 ldap_secret
 ldap_conf
 path_info
@@ -722,6 +723,7 @@ mansectform
 mansectsu
 devdir
 SEMAN
+PSMAN
 LCMAN
 BAMAN
 DEVEL
@@ -805,6 +807,8 @@ with_rpath
 with_blibpath
 with_bsm_audit
 with_linux_audit
+with_sssd
+with_sssd_lib
 with_incpath
 with_libpath
 with_libraries
@@ -1583,6 +1587,8 @@ Optional Packages:
   --with-blibpath=PATH    pass -blibpath flag to ld for additional lib paths
   --with-bsm-audit        enable BSM audit support
   --with-linux-audit      enable Linux audit support
+  --with-sssd             enable SSSD support
+  --with-sssd-lib         path to the SSSD library
   --with-incpath          additional places to look for include files
   --with-libpath          additional places to look for libraries
   --with-libraries        additional libraries to link with
@@ -2904,6 +2910,8 @@ $as_echo "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;}
 
 
 
+
+
 
 
 
@@ -2962,6 +2970,7 @@ DEVEL=
 LDAP="#"
 BAMAN=0
 LCMAN=0
+PSMAN=0
 SEMAN=0
 LIBINTL=
 ZLIB=
@@ -3912,6 +3921,34 @@ fi
 
 
 
+# Check whether --with-sssd was given.
+if test "${with_sssd+set}" = set; then :
+  withval=$with_sssd; case $with_sssd in
+    yes)	SUDOERS_OBJS="${SUDOERS_OBJS} sssd.lo"
+		$as_echo "#define HAVE_SSSD 1" >>confdefs.h
+
+		;;
+    no)		;;
+    *)		as_fn_error $? "\"--with-sssd does not take an argument.\"" "$LINENO" 5
+		;;
+esac
+fi
+
+
+
+# Check whether --with-sssd-lib was given.
+if test "${with_sssd_lib+set}" = set; then :
+  withval=$with_sssd_lib;
+fi
+
+sssd_lib="\"LIBDIR\""
+test -n "$with_sssd_lib" && sssd_lib="$with_sssd_lib"
+cat >>confdefs.h <<EOF
+#define _PATH_SSSD_LIB "$sssd_lib"
+EOF
+
+
+
 # Check whether --with-incpath was given.
 if test "${with_incpath+set}" = set; then :
   withval=$with_incpath; case $with_incpath in
@@ -13860,7 +13897,7 @@ if test "x$ac_cv_func_priv_set" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_PRIV_SET 1
 _ACEOF
-
+ PSMAN=1
 fi
 done
 
@@ -23099,5 +23136,6 @@ fi
 
 
 
+
 
 

configure.in

@@ -113,6 +113,7 @@ AC_SUBST([root_sudo])
 AC_SUBST([path_info])
 AC_SUBST([ldap_conf])
 AC_SUBST([ldap_secret])
+AC_SUBST([sssd_lib])
 AC_SUBST([nsswitch_conf])
 AC_SUBST([netsvc_conf])
 AC_SUBST([secure_path])
@@ -301,6 +302,24 @@ AC_ARG_WITH(linux-audit, [AS_HELP_STRING([--with-linux-audit], [enable Linux aud
 		;;
 esac])
 
+dnl
+dnl Handle SSSD support.
+dnl
+AC_ARG_WITH(sssd, [AS_HELP_STRING([--with-sssd], [enable SSSD support])],
+[case $with_sssd in
+    yes)	SUDOERS_OBJS="${SUDOERS_OBJS} sssd.lo"
+		AC_DEFINE(HAVE_SSSD)
+		;;
+    no)		;;
+    *)		AC_MSG_ERROR(["--with-sssd does not take an argument."])
+		;;
+esac])
+
+AC_ARG_WITH(sssd-lib, [AS_HELP_STRING([--with-sssd-lib], [path to the SSSD library])])
+sssd_lib="\"LIBDIR\""
+test -n "$with_sssd_lib" && sssd_lib="$with_sssd_lib"
+SUDO_DEFINE_UNQUOTED(_PATH_SSSD_LIB, "$sssd_lib", [Path to the SSSD library])
+
 AC_ARG_WITH(incpath, [AS_HELP_STRING([--with-incpath], [additional places to look for include files])],
 [case $with_incpath in
     yes)	AC_MSG_ERROR(["must give --with-incpath an argument."])
@@ -3559,6 +3578,7 @@ AH_TEMPLATE(HAVE_LBER_H, [Define to 1 if your LDAP needs <lber.h>. (OpenLDAP doe
 AH_TEMPLATE(HAVE_LDAP, [Define to 1 if you use LDAP for sudoers.])
 AH_TEMPLATE(HAVE_LIBINTL_H, [Define to 1 if you have the <libintl.h> header file.])
 AH_TEMPLATE(HAVE_LINUX_AUDIT, [Define to 1 to enable Linux audit support.])
+AH_TEMPLATE(HAVE_SSSD, [Define to 1 to enable SSSD support.])
 AH_TEMPLATE(HAVE_OPIE, [Define to 1 if you use NRL OPIE.])
 AH_TEMPLATE(HAVE_PAM, [Define to 1 if you use PAM authentication.])
 AH_TEMPLATE(HAVE_PAM_LOGIN, [Define to 1 if you use a specific PAM session for sudo -i.])

doc/CONTRIBUTORS

@@ -21,6 +21,7 @@ you believe you should be listed, please send a note to sudo@sudo.ws.
     Keith Garry Boyce
     Michael Brantley
     Rob Braun
+    Pavel Brezina
     Piete Brooks
     Jerry Brown
     Michael E Burr

include/sudo_debug.h

@@ -71,6 +71,7 @@
 #define SUDO_DEBUG_PERMS	(23<<6)	/* uid/gid swapping functions */
 #define SUDO_DEBUG_PLUGIN	(24<<6)	/* main plugin functions */
 #define SUDO_DEBUG_HOOKS	(25<<6)	/* hook functions */
+#define SUDO_DEBUG_SSSD		(26<<6) /* sudoers SSSD */
 #define SUDO_DEBUG_ALL		0xfff0	/* all subsystems */
 
 /* Flag to include string version of errno in debug info. */

mkdep.pl

@@ -52,7 +52,7 @@ sub mkdep {
     $makefile =~ s:\@DEV\@::g;
     $makefile =~ s:\@COMMON_OBJS\@:aix.lo:;
     $makefile =~ s:\@SUDO_OBJS\@:preload.o selinux.o sesh.o sudo_noexec.lo:;
-    $makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo plugin_error.lo:;
+    $makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo plugin_error.lo sssd.lo:;
     # XXX - fill in AUTH_OBJS from contents of the auth dir instead
     $makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid5.lo sia.lo:;
     $makefile =~ s:\@LTLIBOBJS\@:closefrom.lo dlopen.lo fnmatch.lo getcwd.lo getgrouplist.lo getline.lo getprogname.lo glob.lo isblank.lo memrchr.lo mksiglist.lo mktemp.lo nanosleep.lo pw_dup.lo siglist.lo snprintf.lo strlcat.lo strlcpy.lo strsignal.lo utimes.lo globtest.o fnm_test.o:;

pathnames.h.in

@@ -157,6 +157,10 @@
 #undef	_PATH_LDAP_SECRET
 #endif /* _PATH_LDAP_SECRET */
 
+#ifndef _PATH_SSSD_LIB
+#undef  _PATH_SSSD_LIB
+#endif /* _PATH_SSSD_LIB */
+
 #ifndef _PATH_NSSWITCH_CONF
 #undef	_PATH_NSSWITCH_CONF
 #endif /* _PATH_NSSWITCH_CONF */

plugins/sudoers/Makefile.in

@@ -32,6 +32,7 @@ top_srcdir = @top_srcdir@
 incdir = $(top_srcdir)/include
 docdir = @docdir@
 timedir = @timedir@
+libdir = @libdir@
 cross_compiling = @CROSS_COMPILING@
 
 # Compiler & tools to use
@@ -52,7 +53,7 @@ SUDOERS_LIBS = @SUDOERS_LIBS@ @AFS_LIBS@ @GETGROUPS_LIB@ $(LIBS) $(NET_LIBS) @ZL
 REPLAY_LIBS = @REPLAY_LIBS@ @ZLIB@
 
 # C preprocessor flags
-CPPFLAGS = -I$(incdir) -I$(top_builddir) -I$(devdir) -I$(srcdir) -I$(top_srcdir) @CPPFLAGS@
+CPPFLAGS = -I$(incdir) -I$(top_builddir) -I$(devdir) -I$(srcdir) -I$(top_srcdir) -DLIBDIR=\"$(libdir)\" @CPPFLAGS@
 
 # Usually -O and/or -g
 CFLAGS = @CFLAGS@
@@ -719,6 +720,15 @@ sia.lo: $(authdir)/sia.c $(top_builddir)/config.h $(srcdir)/sudoers.h \
         $(devdir)/def_data.h $(srcdir)/logging.h $(srcdir)/sudo_nss.h \
         $(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h $(incdir)/gettext.h
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(authdir)/sia.c
+sssd.lo: $(srcdir)/sssd.c $(top_builddir)/config.h \
+         $(top_srcdir)/compat/dlfcn.h $(srcdir)/sudoers.h \
+         $(top_srcdir)/compat/stdbool.h $(top_builddir)/pathnames.h \
+         $(incdir)/missing.h $(incdir)/error.h $(incdir)/alloc.h \
+         $(incdir)/list.h $(incdir)/fileops.h $(srcdir)/defaults.h \
+         $(devdir)/def_data.h $(srcdir)/logging.h $(srcdir)/sudo_nss.h \
+         $(incdir)/sudo_plugin.h $(incdir)/sudo_debug.h $(incdir)/gettext.h \
+         $(srcdir)/parse.h $(incdir)/lbuf.h $(incdir)/sudo_debug.h
+	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(DEFS) $(srcdir)/sssd.c
 sudo_auth.lo: $(authdir)/sudo_auth.c $(top_builddir)/config.h \
               $(srcdir)/sudoers.h $(top_srcdir)/compat/stdbool.h \
               $(top_builddir)/pathnames.h $(incdir)/missing.h \

plugins/sudoers/sudo_nss.c

@@ -47,8 +47,11 @@ extern struct sudo_nss sudo_nss_file;
 #ifdef HAVE_LDAP
 extern struct sudo_nss sudo_nss_ldap;
 #endif
+#ifdef HAVE_SSSD
+extern struct sudo_nss sudo_nss_sss;
+#endif
 
-#if defined(HAVE_LDAP) && defined(_PATH_NSSWITCH_CONF)
+#if (defined(HAVE_LDAP) || defined(HAVE_SSSD)) && defined(_PATH_NSSWITCH_CONF)
 /*
  * Read in /etc/nsswitch.conf
  * Returns a tail queue of matches.
@@ -58,6 +61,9 @@ sudo_read_nss(void)
 {
     FILE *fp;
     char *cp;
+#ifdef HAVE_SSSD
+    bool saw_sss = false;
+#endif
     bool saw_files = false;
     bool saw_ldap = false;
     bool got_match = false;
@@ -84,6 +90,11 @@ sudo_read_nss(void)
 	    } else if (strcasecmp(cp, "ldap") == 0 && !saw_ldap) {
 		tq_append(&snl, &sudo_nss_ldap);
 		got_match = true;
+#ifdef HAVE_SSSD
+	    } else if (strcasecmp(cp, "sss") == 0 && !saw_sss) {
+		tq_append(&snl, &sudo_nss_sss);
+		got_match = true;
+#endif
 	    } else if (strcasecmp(cp, "[NOTFOUND=return]") == 0 && got_match) {
 		/* NOTFOUND affects the most recent entry */
 		tq_last(&snl)->ret_if_notfound = true;
@@ -104,9 +115,9 @@ nomatch:
     debug_return_ptr(&snl);
 }
 
-#else /* HAVE_LDAP && _PATH_NSSWITCH_CONF */
+#else /* (HAVE_LDAP || HAVE_SSSD) && _PATH_NSSWITCH_CONF */
 
-# if defined(HAVE_LDAP) && defined(_PATH_NETSVC_CONF)
+# if (defined(HAVE_LDAP) || defined(HAVE_SSSD)) && defined(_PATH_NETSVC_CONF)
 
 /*
  * Read in /etc/netsvc.conf (like nsswitch.conf on AIX)
@@ -117,6 +128,9 @@ sudo_read_nss(void)
 {
     FILE *fp;
     char *cp, *ep;
+#ifdef HAVE_SSSD
+    bool saw_sss = false;
+#endif
     bool saw_files = false;
     bool saw_ldap = false;
     bool got_match = false;
@@ -156,6 +170,13 @@ sudo_read_nss(void)
 		tq_append(&snl, &sudo_nss_ldap);
 		got_match = true;
 		ep = &cp[4];
+#ifdef HAVE_SSSD
+	    } else if (!saw_sss && strncasecmp(cp, "sss", 3) == 0 &&
+		(isspace((unsigned char)cp[3]) || cp[3] == '\0')) {
+		tq_append(&snl, &sudo_nss_sss);
+		got_match = true;
+		ep = &cp[3];
+#endif
 	    } else {
 		got_match = false;
 	    }
@@ -195,6 +216,9 @@ sudo_read_nss(void)
     static struct sudo_nss_list snl;
     debug_decl(sudo_read_nss, SUDO_DEBUG_NSS)
 
+#  ifdef HAVE_SSSD
+    tq_append(&snl, &sudo_nss_sss);
+#  endif
 #  ifdef HAVE_LDAP
     tq_append(&snl, &sudo_nss_ldap);
 #  endif

plugins/sudoers/sudoers.c

@@ -145,6 +145,7 @@ sudoers_policy_open(unsigned int version, sudo_conv_t conversation,
     volatile int sources = 0;
     sigaction_t sa;
     struct sudo_nss *nss;
+    struct sudo_nss *nss_next;
     debug_decl(sudoers_policy_open, SUDO_DEBUG_PLUGIN)
 
     sudo_version = version;
@@ -201,12 +202,15 @@ sudoers_policy_open(unsigned int version, sudo_conv_t conversation,
     set_perms(PERM_ROOT);
 
     /* Open and parse sudoers, set global defaults */
-    tq_foreach_fwd(snl, nss) {
+    for (nss = snl->first; nss != NULL; nss = nss_next) {
-	if (nss->open(nss) == 0 && nss->parse(nss) == 0) {
+        nss_next = nss->next;
-	    sources++;
+        if (nss->open(nss) == 0 && nss->parse(nss) == 0) {
-	    if (nss->setdefs(nss) != 0)
+            sources++;
-		log_error(NO_STDERR, _("problem with defaults entries"));
+            if (nss->setdefs(nss) != 0)
-	}
+                log_error(NO_STDERR, _("problem with defaults entries"));
+        } else {
+            tq_remove(snl, nss);
+        }
     }
     if (sources == 0) {
 	warningx(_("no valid sudoers sources found, quitting"));