LDAP sudoers doesn't support negated users, groups or netgroups.
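--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -777,7 +777,7 @@ sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
 static bool
 sudo_sss_check_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
 {
-int matched = UNSPEC;
+int ret = false;
 char **val_array;
 int i;
 debug_decl(sudo_sss_check_user, SUDOERS_DEBUG_SSSD);
@@ -798,43 +798,38 @@ sudo_sss_check_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
 }
 
 /* Walk through sudoUser values. */
-for (i = 0; val_array[i] != NULL && matched != false; ++i) {
-bool negated = false;
+for (i = 0; val_array[i] != NULL && !ret; ++i) {
 const char *val = val_array[i];
 
 sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
-if (*val == '!') {
-val++;
-negated = true;
-}
 switch (*val) {
 case '+':
 /* Netgroup spec found, check membership. */
 if (netgr_matches(val, def_netgroup_tuple ? handle->host : NULL,
 def_netgroup_tuple ? handle->shost : NULL, handle->pw->pw_name)) {
-matched = !negated;
+ret = true;
 }
 break;
 case '%':
 /* User group found, check membership. */
 if (usergr_matches(val, handle->pw->pw_name, handle->pw)) {
-matched = !negated;
+ret = true;
 }
 break;
 default:
 /* Not a netgroup or user group. */
 if (strcmp(val, "ALL") == 0 ||
 userpw_matches(val, handle->pw->pw_name, handle->pw)) {
-matched = !negated;
+ret = true;
 }
 break;
 }
 sudo_debug_printf(SUDO_DEBUG_DIAG,
-"sssd/ldap sudoUser '%s' ... %s (%s)", val_array[i],
-matched == true ? "MATCH!" : "not", handle->pw->pw_name);
+"sssd/ldap sudoUser '%s' ... %s (%s)", val,
+ret ? "MATCH!" : "not", handle->pw->pw_name);
 }
 handle->fn_free_values(val_array);
-debug_return_bool(matched == true);
+debug_return_bool(ret);
 }
 
 static int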
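Review bot: With the leading-`!` handling gone, a sudoUser value such as `!root` now reaches the `default:` case and is compared literally by `strcmp`/`userpw_matches`, so it almost certainly never matches and an administrator who expected an exclusion gets no diagnostic at all. Nothing on the new side records why, so a comment in the `default:` case would help the next reader: `/* Negated entries (leading '!') are not supported for LDAP/SSSD sudoers; they fall through here and are matched literally, so they never match a real user. */`, and a `sudo_debug_printf(SUDO_DEBUG_WARN, ...)` emitted when `*val == '!'` would make such an unsupported entry visible in the debug log instead of silently ignoring it. Minor style point: the function is declared `static bool`, so `bool ret = false;` would be more consistent than `int ret = false;`. The body of sudo_sss_check_user continues between the two hunks, outside what is shown here.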
|