Compare commits
1 commit
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
51bf3807ad |
2 changed files with 134 additions and 1 deletions
127
sudo-1.8.8-sssdfixes.patch
Normal file
127
sudo-1.8.8-sssdfixes.patch
Normal file
|
|
@ -0,0 +1,127 @@
|
|||
--- sudo-1.8.6p7/plugins/sudoers/sssd.c.sssd 2013-02-25 21:42:44.000000000 +0200
|
||||
+++ sudo-1.8.6p7/plugins/sudoers/sssd.c 2013-12-19 13:24:26.851998107 +0200
|
||||
@@ -345,7 +345,7 @@ static int sudo_sss_setdefs(struct sudo_
|
||||
|
||||
if (sss_error == ENOENT) {
|
||||
sudo_debug_printf(SUDO_DEBUG_INFO, "The user was not found in SSSD.");
|
||||
- debug_return_int(-1);
|
||||
+ debug_return_int(0);
|
||||
} else if(sss_error != 0) {
|
||||
sudo_debug_printf(SUDO_DEBUG_INFO, "sss_error=%u\n", sss_error);
|
||||
debug_return_int(-1);
|
||||
@@ -529,30 +529,31 @@ sudo_sss_check_runas_group(struct sudo_s
|
||||
* Walk through search results and return true if we have a runas match,
|
||||
* else false. RunAs info is optional.
|
||||
*/
|
||||
-static int
|
||||
+static bool
|
||||
sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
|
||||
{
|
||||
- int ret;
|
||||
+ bool ret;
|
||||
debug_decl(sudo_sss_check_runas, SUDO_DEBUG_SSSD);
|
||||
|
||||
if (rule == NULL)
|
||||
- debug_return_int(false);
|
||||
+ debug_return_bool(false);
|
||||
|
||||
ret = sudo_sss_check_runas_user(handle, rule) != false &&
|
||||
sudo_sss_check_runas_group(handle, rule) != false;
|
||||
|
||||
- debug_return_int(ret);
|
||||
+ debug_return_bool(ret);
|
||||
}
|
||||
|
||||
-static int
|
||||
+static bool
|
||||
sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
|
||||
{
|
||||
char **val_array, *val;
|
||||
- int ret = false, i;
|
||||
+ bool ret = false;
|
||||
+ int i;
|
||||
debug_decl(sudo_sss_check_host, SUDO_DEBUG_SSSD);
|
||||
|
||||
if (rule == NULL)
|
||||
- debug_return_int(ret);
|
||||
+ debug_return_bool(ret);
|
||||
|
||||
/* get the values from the rule */
|
||||
switch (handle->fn_get_values(rule, "sudoHost", &val_array))
|
||||
@@ -561,10 +562,10 @@ sudo_sss_check_host(struct sudo_sss_hand
|
||||
break;
|
||||
case ENOENT:
|
||||
sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
|
||||
- debug_return_int(false);
|
||||
+ debug_return_bool(false);
|
||||
default:
|
||||
sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoHost): != 0");
|
||||
- debug_return_int(ret);
|
||||
+ debug_return_bool(ret);
|
||||
}
|
||||
|
||||
/* walk through values */
|
||||
@@ -584,7 +585,52 @@ sudo_sss_check_host(struct sudo_sss_hand
|
||||
|
||||
handle->fn_free_values(val_array);
|
||||
|
||||
- debug_return_int(ret);
|
||||
+ debug_return_bool(ret);
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Look for netgroup specifcations in the sudoUser attribute and
|
||||
+ * if found, filter according to netgroup membership.
|
||||
+ * returns:
|
||||
+ * true -> netgroup spec found && negroup member
|
||||
+ * false -> netgroup spec found && not a meber of netgroup
|
||||
+ * true -> netgroup spec not found (filtered by SSSD already, netgroups are an exception)
|
||||
+ */
|
||||
+bool sudo_sss_filter_user_netgroup(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
|
||||
+{
|
||||
+ bool ret = false, netgroup_spec_found = false;
|
||||
+ char **val_array, *val;
|
||||
+ int i;
|
||||
+ debug_decl(sudo_sss_check_user_netgroup, SUDO_DEBUG_SSSD);
|
||||
+
|
||||
+ if (!handle || !rule)
|
||||
+ debug_return_bool(ret);
|
||||
+
|
||||
+ switch (handle->fn_get_values(rule, "sudoUser", &val_array)) {
|
||||
+ case 0:
|
||||
+ break;
|
||||
+ case ENOENT:
|
||||
+ sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
|
||||
+ debug_return_bool(ret);
|
||||
+ default:
|
||||
+ sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoUser): != 0");
|
||||
+ debug_return_bool(ret);
|
||||
+ }
|
||||
+
|
||||
+ for (i = 0; val_array[i] != NULL && !ret; ++i) {
|
||||
+ val = val_array[i];
|
||||
+ if (*val == '+') {
|
||||
+ netgroup_spec_found = true;
|
||||
+ }
|
||||
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
|
||||
+ if (strcmp(val, "ALL") == 0 || netgr_matches(val, NULL, NULL, user_name)) {
|
||||
+ ret = true;
|
||||
+ sudo_debug_printf(SUDO_DEBUG_DIAG,
|
||||
+ "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, user_name);
|
||||
+ }
|
||||
+ }
|
||||
+ handle->fn_free_values(val_array);
|
||||
+ debug_return_bool(netgroup_spec_found ? ret : true);
|
||||
}
|
||||
|
||||
static int
|
||||
@@ -594,7 +640,8 @@ sudo_sss_result_filterp(struct sudo_sss_
|
||||
(void)unused;
|
||||
debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD);
|
||||
|
||||
- if (sudo_sss_check_host(handle, rule))
|
||||
+ if (sudo_sss_check_host(handle, rule) &&
|
||||
+ sudo_sss_filter_user_netgroup(handle, rule))
|
||||
debug_return_int(1);
|
||||
else
|
||||
debug_return_int(0);
|
||||
|
|
@ -1,7 +1,7 @@
|
|||
Summary: Allows restricted root access for specified users
|
||||
Name: sudo
|
||||
Version: 1.8.6p7
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: ISC
|
||||
Group: Applications/System
|
||||
URL: http://www.courtesan.com/sudo/
|
||||
|
|
@ -26,6 +26,8 @@ BuildRequires: zlib-devel
|
|||
Patch1: sudo-1.6.7p5-strip.patch
|
||||
# configure.in fix
|
||||
Patch2: sudo-1.7.2p1-envdebug.patch
|
||||
# sssd fixes from 1.8.8
|
||||
Patch3: sudo-1.8.8-sssdfixes.patch
|
||||
|
||||
%description
|
||||
Sudo (superuser do) allows a system administrator to give certain
|
||||
|
|
@ -52,6 +54,7 @@ plugins that use %{name}.
|
|||
|
||||
%patch1 -p1 -b .strip
|
||||
%patch2 -p1 -b .envdebug
|
||||
%patch3 -p1 -b .sssd
|
||||
|
||||
%build
|
||||
autoreconf -I m4 -fv --install
|
||||
|
|
@ -164,6 +167,9 @@ rm -rf $RPM_BUILD_ROOT
|
|||
%{_mandir}/man8/sudo_plugin.8*
|
||||
|
||||
%changelog
|
||||
* Thu Dec 19 2013 Alexander Bokovoy <abokovoy@redhat.com> - 1.8.6p7-2
|
||||
- Backport SSSD changes, fixes #1000362
|
||||
|
||||
* Thu Feb 28 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-1
|
||||
- update to 1.8.6p7
|
||||
- fixes CVE-2013-1775 and CVE-2013-1776
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue