version 1.3, 2007/11/27 16:22:14 |
version 1.4, 2007/12/03 15:09:47 |
|
|
#include "parse.h" |
#include "parse.h" |
|
|
#ifndef lint |
#ifndef lint |
__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.16 2007/09/04 14:58:46 millert Exp $"; |
__unused static const char rcsid[] = "$Sudo: ldap.c,v 1.11.2.20 2007/11/27 17:06:54 millert Exp $"; |
#endif /* lint */ |
#endif /* lint */ |
|
|
#ifndef LINE_MAX |
#ifndef LINE_MAX |
|
|
/* walk through values */ |
/* walk through values */ |
for (p = v; p && *p && !ret; p++) { |
for (p = v; p && *p && !ret; p++) { |
/* match any or address or netgroup or hostname */ |
/* match any or address or netgroup or hostname */ |
if (!strcasecmp(*p, "ALL") || addr_matches(*p) || |
if (!strcmp(*p, "ALL") || addr_matches(*p) || |
netgr_matches(*p, user_host, user_shost, NULL) || |
netgr_matches(*p, user_host, user_shost, NULL) || |
!hostname_matches(user_shost, user_host, *p)) |
!hostname_matches(user_shost, user_host, *p)) |
ret = TRUE; |
ret = TRUE; |
|
|
* Walk through search results and return TRUE if we have a command match. |
* Walk through search results and return TRUE if we have a command match. |
*/ |
*/ |
int |
int |
sudo_ldap_check_command(ld, entry) |
sudo_ldap_check_command(ld, entry, setenv_implied) |
LDAP *ld; |
LDAP *ld; |
LDAPMessage *entry; |
LDAPMessage *entry; |
|
int *setenv_implied; |
{ |
{ |
char *allowed_cmnd, *allowed_args, **v = NULL, **p = NULL; |
char *allowed_cmnd, *allowed_args, **v = NULL, **p = NULL; |
int foundbang, ret = FALSE; |
int foundbang, ret = FALSE; |
|
|
/* get_first_entry */ |
/* get_first_entry */ |
for (p = v; p && *p && ret >= 0; p++) { |
for (p = v; p && *p && ret >= 0; p++) { |
/* Match against ALL ? */ |
/* Match against ALL ? */ |
if (!strcasecmp(*p, "ALL")) { |
if (!strcmp(*p, "ALL")) { |
ret = TRUE; |
ret = TRUE; |
|
if (setenv_implied != NULL) |
|
*setenv_implied = TRUE; |
DPRINTF(("ldap sudoCommand '%s' ... MATCH!", *p), 2); |
DPRINTF(("ldap sudoCommand '%s' ... MATCH!", *p), 2); |
continue; |
continue; |
} |
} |
|
|
LDAPMessage *entry = NULL, *result = NULL; /* used for searches */ |
LDAPMessage *entry = NULL, *result = NULL; /* used for searches */ |
char *filt; /* used to parse attributes */ |
char *filt; /* used to parse attributes */ |
int rc, ret = FALSE, do_netgr; /* temp/final return values */ |
int rc, ret = FALSE, do_netgr; /* temp/final return values */ |
|
int setenv_implied; |
int ldap_user_matches = FALSE, ldap_host_matches = FALSE; /* flags */ |
int ldap_user_matches = FALSE, ldap_host_matches = FALSE; /* flags */ |
|
|
/* Open a connection to the LDAP server. */ |
/* Open a connection to the LDAP server. */ |
|
|
* user netgroups. Then we take the netgroups returned and |
* user netgroups. Then we take the netgroups returned and |
* try to match them against the username. |
* try to match them against the username. |
*/ |
*/ |
|
setenv_implied = FALSE; |
for (do_netgr = 0; !ret && do_netgr < 2; do_netgr++) { |
for (do_netgr = 0; !ret && do_netgr < 2; do_netgr++) { |
filt = do_netgr ? estrdup("sudoUser=+*") : sudo_ldap_build_pass1(); |
filt = do_netgr ? estrdup("sudoUser=+*") : sudo_ldap_build_pass1(); |
DPRINTF(("ldap search '%s'", filt), 1); |
DPRINTF(("ldap search '%s'", filt), 1); |
|
|
/* add matches for listing later */ |
/* add matches for listing later */ |
sudo_ldap_add_match(ld, entry, pwflag) && |
sudo_ldap_add_match(ld, entry, pwflag) && |
/* verify command match */ |
/* verify command match */ |
sudo_ldap_check_command(ld, entry) && |
sudo_ldap_check_command(ld, entry, &setenv_implied) && |
/* verify runas match */ |
/* verify runas match */ |
sudo_ldap_check_runas(ld, entry) |
sudo_ldap_check_runas(ld, entry) |
) { |
) { |
/* We have a match! */ |
/* We have a match! */ |
DPRINTF(("Perfect Matched!"), 1); |
DPRINTF(("Perfect Matched!"), 1); |
/* pick up any options */ |
/* pick up any options */ |
|
if (setenv_implied) |
|
def_setenv = TRUE; |
sudo_ldap_parse_options(ld, entry); |
sudo_ldap_parse_options(ld, entry); |
/* make sure we don't reenter loop */ |
/* make sure we don't reenter loop */ |
ret = VALIDATE_OK; |
ret = VALIDATE_OK; |
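Review bot: `setenv_implied` is cleared only once, before the `do_netgr` loop (`setenv_implied = FALSE;`), while the new code in sudo_ldap_check_command only ever raises it (`*setenv_implied = TRUE;` on the `ALL` branch), so as far as this hunk shows the flag can leak across entries: an entry whose sudoCommand is `ALL` but which then fails `sudo_ldap_check_runas` leaves the flag set, and a later entry matched on a specific command would still turn on `def_setenv`. The simplest fix is to let the callee own the flag's initial state by adding, at the top of sudo_ldap_check_command before the value loop, `if (setenv_implied != NULL) *setenv_implied = FALSE;` so every entry starts clean. It would also help to document the new parameter in the function's header comment, e.g. `setenv_implied, if non-NULL, is set to TRUE when the match was on ALL` so callers know it is an output. Both sudo_ldap_check_command and the calling entry loop begin and end outside this hunk, so this is inferred from the visible lines only.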