|
|
fd2fe89 |
From 999420ed67439bb662e92b47792a06310d173c53 Mon Sep 17 00:00:00 2001
|
|
|
fd2fe89 |
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
fd2fe89 |
Date: Mon, 26 Mar 2018 11:36:00 +0200
|
|
|
fd2fe89 |
Subject: [PATCH] IPA: Qualify the externalUser sudo attribute
|
|
|
fd2fe89 |
MIME-Version: 1.0
|
|
|
fd2fe89 |
Content-Type: text/plain; charset=UTF-8
|
|
|
fd2fe89 |
Content-Transfer-Encoding: 8bit
|
|
|
fd2fe89 |
|
|
|
fd2fe89 |
We broke the externalUser support with the introduction of the fully
|
|
|
fd2fe89 |
qualified attributes, because the provider was saving the data verbatim,
|
|
|
fd2fe89 |
but the sudo responder expects a fully qualified name.
|
|
|
fd2fe89 |
|
|
|
fd2fe89 |
Reproducer:
|
|
|
fd2fe89 |
on the server:
|
|
|
fd2fe89 |
ipa sudocmd-add --desc='For reading log files' /usr/bin/less
|
|
|
fd2fe89 |
ipa sudorule-add readfiles
|
|
|
fd2fe89 |
ipa sudorule-add-user --users=lcluser
|
|
|
fd2fe89 |
ipa sudorule-mod --hostcat=all readfiles
|
|
|
fd2fe89 |
|
|
|
fd2fe89 |
then on the client:
|
|
|
fd2fe89 |
configure sssd with:
|
|
|
fd2fe89 |
id_provider = files
|
|
|
fd2fe89 |
sudo_provider = ipa
|
|
|
fd2fe89 |
ipa_domain = ipa.test
|
|
|
fd2fe89 |
|
|
|
fd2fe89 |
run:
|
|
|
fd2fe89 |
sudo useradd lcluser
|
|
|
fd2fe89 |
sudo passwd lcluser
|
|
|
fd2fe89 |
su - lcluser
|
|
|
fd2fe89 |
sudo -l
|
|
|
fd2fe89 |
|
|
|
fd2fe89 |
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
fd2fe89 |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
fd2fe89 |
(cherry picked from commit 0f6b5b02afb35caae774ff4d52854a844d49f52e)
|
|
|
fd2fe89 |
---
|
|
|
fd2fe89 |
src/providers/ipa/ipa_sudo_conversion.c | 11 ++++++++++-
|
|
|
fd2fe89 |
1 file changed, 10 insertions(+), 1 deletion(-)
|
|
|
fd2fe89 |
|
|
|
fd2fe89 |
diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c
|
|
|
fd2fe89 |
index a96ae3447..bfa66b2c6 100644
|
|
|
fd2fe89 |
--- a/src/providers/ipa/ipa_sudo_conversion.c
|
|
|
fd2fe89 |
+++ b/src/providers/ipa/ipa_sudo_conversion.c
|
|
|
fd2fe89 |
@@ -873,6 +873,15 @@ convert_user_fqdn(TALLOC_CTX *mem_ctx,
|
|
|
fd2fe89 |
return fqdn;
|
|
|
fd2fe89 |
}
|
|
|
fd2fe89 |
|
|
|
fd2fe89 |
+static const char *
|
|
|
fd2fe89 |
+convert_ext_user(TALLOC_CTX *mem_ctx,
|
|
|
fd2fe89 |
+ struct ipa_sudo_conv *conv,
|
|
|
fd2fe89 |
+ const char *value,
|
|
|
fd2fe89 |
+ bool *skip_entry)
|
|
|
fd2fe89 |
+{
|
|
|
fd2fe89 |
+ return sss_create_internal_fqname(mem_ctx, value, conv->dom->name);
|
|
|
fd2fe89 |
+}
|
|
|
fd2fe89 |
+
|
|
|
fd2fe89 |
static const char *
|
|
|
fd2fe89 |
convert_group(TALLOC_CTX *mem_ctx,
|
|
|
fd2fe89 |
struct ipa_sudo_conv *conv,
|
|
|
fd2fe89 |
@@ -959,7 +968,7 @@ convert_attributes(struct ipa_sudo_conv *conv,
|
|
|
fd2fe89 |
{SYSDB_IPA_SUDORULE_RUNASEXTUSER, SYSDB_SUDO_CACHE_AT_RUNASUSER , NULL},
|
|
|
fd2fe89 |
{SYSDB_IPA_SUDORULE_RUNASEXTGROUP, SYSDB_SUDO_CACHE_AT_RUNASGROUP , NULL},
|
|
|
fd2fe89 |
{SYSDB_IPA_SUDORULE_RUNASEXTUSERGROUP, SYSDB_SUDO_CACHE_AT_RUNASUSER , convert_runasextusergroup},
|
|
|
fd2fe89 |
- {SYSDB_IPA_SUDORULE_EXTUSER, SYSDB_SUDO_CACHE_AT_USER , NULL},
|
|
|
fd2fe89 |
+ {SYSDB_IPA_SUDORULE_EXTUSER, SYSDB_SUDO_CACHE_AT_USER , convert_ext_user},
|
|
|
fd2fe89 |
{SYSDB_IPA_SUDORULE_ALLOWCMD, SYSDB_IPA_SUDORULE_ORIGCMD , NULL},
|
|
|
fd2fe89 |
{SYSDB_IPA_SUDORULE_DENYCMD, SYSDB_IPA_SUDORULE_ORIGCMD , NULL},
|
|
|
fd2fe89 |
{NULL, NULL, NULL}};
|
|
|
fd2fe89 |
--
|
|
|
fd2fe89 |
2.14.3
|
|
|
fd2fe89 |
|