>From 74a914ede65f7dcc0921ebcea0dbe3156a9c4189 Mon Sep 17 00:00:00 2001 From: Adam Tkac Date: Mon, 13 Apr 2015 15:00:18 +0200 Subject: [PATCH 12/24] Option filter_users had no effect for retrieving sudo rules MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previously sssd_sudo always obtained sudo rules for user from LDAP even when user was enlisted in filter_users. Resolves https://fedorahosted.org/sssd/ticket/2625 Reviewed-by: Pavel Březina --- src/responder/sudo/sudosrv.c | 24 ++++++++++++++++++++++++ src/responder/sudo/sudosrv_cmd.c | 12 ++++++++++++ src/responder/sudo/sudosrv_private.h | 3 +++ 3 files changed, 39 insertions(+) diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c index 8a197159b23abde45953b65121ff2e3fc3f2f67a..25c9d585b8780f3a1d0dd7d246481a9d2455f8f0 100644 --- a/src/responder/sudo/sudosrv.c +++ b/src/responder/sudo/sudosrv.c @@ -27,6 +27,7 @@ #include "responder/common/responder_sbus.h" #include "responder/sudo/sudosrv_private.h" #include "providers/data_provider.h" +#include "responder/common/negcache.h" struct mon_cli_iface monitor_sudo_methods = { { &mon_cli_iface_meta, 0 }, @@ -113,9 +114,32 @@ int sudo_process_init(TALLOC_CTX *mem_ctx, goto fail; } + ret = sss_ncache_init(rctx, &sudo_ctx->ncache); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "fatal error initializing ncache\n"); + goto fail; + } + sudo_ctx->rctx = rctx; sudo_ctx->rctx->pvt_ctx = sudo_ctx; + ret = confdb_get_int(cdb, CONFDB_NSS_CONF_ENTRY, + CONFDB_NSS_ENTRY_NEG_TIMEOUT, 15, + &sudo_ctx->neg_timeout); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "fatal error getting ncache timeout\n"); + goto fail; + } + + sss_ncache_prepopulate(sudo_ctx->ncache, sudo_ctx->rctx->cdb, rctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "failed to set ncache for sudo's filter_users\n"); + goto fail; + } + /* Enable automatic reconnection to the Data Provider */ ret = confdb_get_int(sudo_ctx->rctx->cdb, CONFDB_SUDO_CONF_ENTRY, diff --git a/src/responder/sudo/sudosrv_cmd.c b/src/responder/sudo/sudosrv_cmd.c index fd8c46d638ecbd0275b44511dbc6d31e0e316581..dd636e949200dd49c1422a5789e9328dc4b25fb0 100644 --- a/src/responder/sudo/sudosrv_cmd.c +++ b/src/responder/sudo/sudosrv_cmd.c @@ -28,6 +28,7 @@ #include "responder/sudo/sudosrv_private.h" #include "db/sysdb_sudo.h" #include "sss_client/sss_cli.h" +#include "responder/common/negcache.h" static errno_t sudosrv_cmd_send_reply(struct sudo_cmd_ctx *cmd_ctx, uint8_t *response_body, @@ -239,6 +240,7 @@ static void sudosrv_cmd_parse_query_done(struct tevent_req *req) { struct sudo_cmd_ctx *cmd_ctx = NULL; struct sudo_dom_ctx *dom_ctx = NULL; + struct sudo_ctx *sudo_ctx = NULL; errno_t ret; cmd_ctx = tevent_req_callback_data(req, struct sudo_cmd_ctx); @@ -278,6 +280,16 @@ static void sudosrv_cmd_parse_query_done(struct tevent_req *req) dom_ctx->domain = cmd_ctx->domain != NULL ? cmd_ctx->domain : cmd_ctx->cli_ctx->rctx->domains; + sudo_ctx = talloc_get_type(cmd_ctx->cli_ctx->rctx->pvt_ctx, struct sudo_ctx); + ret = sss_ncache_check_user(sudo_ctx->ncache, sudo_ctx->neg_timeout, + dom_ctx->domain, cmd_ctx->username); + if (ret == EEXIST) { + DEBUG(SSSDBG_TRACE_FUNC, "User [%s@%s] filtered out (ncache)\n", + cmd_ctx->username, dom_ctx->domain->name); + ret = ENOENT; + goto done; + } + ret = sudosrv_get_sudorules(dom_ctx); done: diff --git a/src/responder/sudo/sudosrv_private.h b/src/responder/sudo/sudosrv_private.h index 71a272ab4b06864738ac86b31e89a0c45658665b..3c53755f9e8ec56f3dea52021d14b50f715a54e7 100644 --- a/src/responder/sudo/sudosrv_private.h +++ b/src/responder/sudo/sudosrv_private.h @@ -43,6 +43,9 @@ enum sss_sudo_type { struct sudo_ctx { struct resp_ctx *rctx; + int neg_timeout; + struct sss_nc_ctx *ncache; + /* * options */ -- 2.4.3