LDAP sudoers doesn't support negated users, groups or netgroups.

Todd C. Miller
2016-06-12 09:36:19 -06:00
parent 63a2428892
commit d9e14bc659


@@ -777,7 +777,7 @@ sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
static bool static bool
sudo_sss_check_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule) sudo_sss_check_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
{ {
int matched = UNSPEC; int ret = false;
char **val_array; char **val_array;
int i; int i;
debug_decl(sudo_sss_check_user, SUDOERS_DEBUG_SSSD); debug_decl(sudo_sss_check_user, SUDOERS_DEBUG_SSSD);
@@ -798,43 +798,38 @@ sudo_sss_check_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
} }
/* Walk through sudoUser values. */ /* Walk through sudoUser values. */
for (i = 0; val_array[i] != NULL && matched != false; ++i) { for (i = 0; val_array[i] != NULL && !ret; ++i) {
bool negated = false;
const char *val = val_array[i]; const char *val = val_array[i];
sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val); sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
if (*val == '!') {
val++;
negated = true;
}
switch (*val) { switch (*val) {
case '+': case '+':
/* Netgroup spec found, check membership. */ /* Netgroup spec found, check membership. */
if (netgr_matches(val, def_netgroup_tuple ? handle->host : NULL, if (netgr_matches(val, def_netgroup_tuple ? handle->host : NULL,
def_netgroup_tuple ? handle->shost : NULL, handle->pw->pw_name)) { def_netgroup_tuple ? handle->shost : NULL, handle->pw->pw_name)) {
matched = !negated; ret = true;
} }
break; break;
case '%': case '%':
/* User group found, check membership. */ /* User group found, check membership. */
if (usergr_matches(val, handle->pw->pw_name, handle->pw)) { if (usergr_matches(val, handle->pw->pw_name, handle->pw)) {
matched = !negated; ret = true;
} }
break; break;
default: default:
/* Not a netgroup or user group. */ /* Not a netgroup or user group. */
if (strcmp(val, "ALL") == 0 || if (strcmp(val, "ALL") == 0 ||
userpw_matches(val, handle->pw->pw_name, handle->pw)) { userpw_matches(val, handle->pw->pw_name, handle->pw)) {
matched = !negated; ret = true;
} }
break; break;
} }
sudo_debug_printf(SUDO_DEBUG_DIAG, sudo_debug_printf(SUDO_DEBUG_DIAG,
"sssd/ldap sudoUser '%s' ... %s (%s)", val_array[i], "sssd/ldap sudoUser '%s' ... %s (%s)", val,
matched == true ? "MATCH!" : "not", handle->pw->pw_name); ret ? "MATCH!" : "not", handle->pw->pw_name);
} }
handle->fn_free_values(val_array); handle->fn_free_values(val_array);
debug_return_bool(matched == true); debug_return_bool(ret);
} }
static int static int
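Review bot: `ret` in the first hunk is declared `int ret = false;` although sudo_sss_check_user is `static bool` and hands it straight to `debug_return_bool(ret)`, so `bool ret = false;` would match the return type and the `!ret` loop condition in the second hunk. In the `default:` branch a sudoUser value that begins with `!` now goes into the literal `strcmp(val, "ALL")` / `userpw_matches()` comparison instead of being read as a negation; that is the intent stated in the commit title, but the next maintainer is likely to read it as an oversight and put the stripping back, so a comment above the `switch` such as `/* A leading '!' is not a negation: LDAP/SSSD sudoers do not support negated users, groups or netgroups. */` would pin the decision to the code. The part of sudo_sss_check_user between the two hunks (the val_array lookup and its error return) is outside this view, as is whatever follows `static int`.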