static errno_t proxy_process_missing_users(struct sysdb_ctx *sysdb,
struct sss_domain_info *domain,
struct sysdb_attrs *group_attrs,
struct group *grp,
time_t now)
{
errno_t ret;
size_t i;
TALLOC_CTX *tmp_ctx = NULL;
struct ldb_message *msg;
if (!sysdb || !grp) return EINVAL;
tmp_ctx = talloc_new(NULL);
if (!tmp_ctx) return ENOMEM;
for (i = 0; grp->gr_mem[i]; i++) {
ret = sysdb_search_user_by_name(tmp_ctx, domain, grp->gr_mem[i],
NULL, &msg);
if (ret == EOK) {
/* Member already exists in the cache */
DEBUG(SSSDBG_TRACE_INTERNAL,
"Member [%s] already cached\n", grp->gr_mem[i]);
/* clean up */
talloc_zfree(msg);
continue;
} else if (ret == ENOENT) {
/* No entry for this user. Create a ghost user */
DEBUG(SSSDBG_TRACE_LIBS,
"Member [%s] not cached, creating ghost user entry\n",
grp->gr_mem[i]);
ret = sysdb_attrs_add_string(group_attrs, SYSDB_GHOST, grp->gr_mem[i]);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
"Cannot store ghost user entry: [%d]: %s\n",
ret, strerror(ret));
goto done;
}
} else {
/* Unexpected error */
DEBUG(SSSDBG_MINOR_FAILURE,
"Error searching cache for user [%s]: [%s]\n",
grp->gr_mem[i], strerror(ret));
goto done;
}
}
ret = EOK;
done:
talloc_free(tmp_ctx);
return ret;
}
static errno_t find_user_entry(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
struct dp_id_data *ar,
struct ldb_message **_msg)
{
const char *user_attrs[] = { SYSDB_NAME, SYSDB_OBJECTCATEGORY,
SYSDB_PAC_BLOB, SYSDB_PAC_BLOB_EXPIRE,
NULL };
struct ldb_message *msg;
struct ldb_result *res;
int ret;
TALLOC_CTX *tmp_ctx = NULL;
if (dom == NULL || ar == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "Missing arguments.\n");
return EINVAL;
}
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
return ENOMEM;
}
if (ar->extra_value && strcmp(ar->extra_value, EXTRA_NAME_IS_UPN) == 0) {
ret = sysdb_search_user_by_upn(tmp_ctx, dom, false, ar->filter_value,
user_attrs, &msg);
} else {
switch (ar->filter_type) {
case BE_FILTER_SECID:
ret = sysdb_search_user_by_sid_str(tmp_ctx, dom, ar->filter_value,
user_attrs, &msg);
break;
case BE_FILTER_UUID:
ret = sysdb_search_object_by_uuid(tmp_ctx, dom, ar->filter_value,
user_attrs, &res);
if (ret == EOK) {
if (res->count == 1) {
msg = res->msgs[0];
} else {
talloc_free(res);
DEBUG(SSSDBG_CRIT_FAILURE,
"Search by UUID returned multiple results.\n");
ret = EINVAL;
goto done;
}
}
break;
case BE_FILTER_NAME:
ret = sysdb_search_user_by_name(tmp_ctx, dom, ar->filter_value,
user_attrs, &msg);
break;
default:
DEBUG(SSSDBG_OP_FAILURE, "Unsupported filter type [%d].\n",
ar->filter_type);
ret = EINVAL;
goto done;
}
}
if (ret != EOK) {
if (ret == ENOENT) {
DEBUG(SSSDBG_TRACE_ALL, "No user found with filter [%s].\n",
ar->filter_value);
} else {
DEBUG(SSSDBG_OP_FAILURE,
"Looking up user in cache with filter [%s] failed.\n",
ar->filter_value);
}
goto done;
}
*_msg = talloc_steal(mem_ctx, msg);
ret = EOK;
done:
talloc_free(tmp_ctx);
return ret;
}
errno_t
sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
struct sss_domain_info *domain,
const char *username, uid_t *_uid,
char ***groupnames)
{
TALLOC_CTX *tmp_ctx;
errno_t ret;
struct ldb_message *msg;
struct ldb_message *group_msg = NULL;
char **sysdb_groupnames = NULL;
const char *primary_group = NULL;
struct ldb_message_element *groups;
uid_t uid = 0;
gid_t gid = 0;
size_t num_groups = 0;
int i;
const char *attrs[] = { SYSDB_MEMBEROF,
SYSDB_GIDNUM,
SYSDB_UIDNUM,
NULL };
const char *group_attrs[] = { SYSDB_NAME,
NULL };
tmp_ctx = talloc_new(NULL);
NULL_CHECK(tmp_ctx, ret, done);
ret = sysdb_search_user_by_name(tmp_ctx, domain, username, attrs, &msg);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Error looking up user %s\n", username);
goto done;
}
if (_uid != NULL) {
uid = ldb_msg_find_attr_as_uint64(msg, SYSDB_UIDNUM, 0);
if (!uid) {
DEBUG(SSSDBG_CRIT_FAILURE, "A user with no UID?\n");
ret = EIO;
goto done;
}
}
/* resolve secondary groups */
if (groupnames != NULL) {
groups = ldb_msg_find_element(msg, SYSDB_MEMBEROF);
if (!groups || groups->num_values == 0) {
/* No groups for this user in sysdb currently */
sysdb_groupnames = NULL;
num_groups = 0;
} else {
num_groups = groups->num_values;
sysdb_groupnames = talloc_array(tmp_ctx, char *, num_groups + 1);
NULL_CHECK(sysdb_groupnames, ret, done);
/* Get a list of the groups by groupname only */
for (i = 0; i < groups->num_values; i++) {
ret = sysdb_group_dn_name(domain->sysdb,
sysdb_groupnames,
(const char *)groups->values[i].data,
&sysdb_groupnames[i]);
if (ret != EOK) {
ret = ENOMEM;
goto done;
}
}
sysdb_groupnames[groups->num_values] = NULL;
}
}
errno_t simple_access_check(struct simple_ctx *ctx, const char *username,
bool *access_granted)
{
int i, j;
errno_t ret;
TALLOC_CTX *tmp_ctx = NULL;
const char *user_attrs[] = { SYSDB_MEMBEROF,
SYSDB_GIDNUM,
NULL };
const char *group_attrs[] = { SYSDB_NAME,
NULL };
struct ldb_message *msg;
struct ldb_message_element *el;
char **groups;
const char *primary_group;
gid_t gid;
bool matched;
*access_granted = false;
/* First, check whether the user is in the allowed users list */
if (ctx->allow_users != NULL) {
for(i = 0; ctx->allow_users[i] != NULL; i++) {
if (strcmp(username, ctx->allow_users[i]) == 0) {
DEBUG(9, ("User [%s] found in allow list, access granted.\n",
username));
/* Do not return immediately on explicit allow
* We need to make sure none of the user's groups
* are denied.
*/
*access_granted = true;
}
}
} else if (!ctx->allow_groups) {
/* If neither allow rule is in place, we'll assume allowed
* unless a deny rule disables us below.
*/
*access_granted = true;
}
/* Next check whether this user has been specifically denied */
if (ctx->deny_users != NULL) {
for(i = 0; ctx->deny_users[i] != NULL; i++) {
if (strcmp(username, ctx->deny_users[i]) == 0) {
DEBUG(9, ("User [%s] found in deny list, access denied.\n",
username));
/* Return immediately on explicit denial */
*access_granted = false;
return EOK;
}
}
}
if (!ctx->allow_groups && !ctx->deny_groups) {
/* There are no group restrictions, so just return
* here with whatever we've decided.
*/
return EOK;
}
/* Now get a list of this user's groups and check those against the
* simple_allow_groups list.
*/
tmp_ctx = talloc_new(NULL);
if (!tmp_ctx) {
ret = ENOMEM;
goto done;
}
ret = sysdb_search_user_by_name(tmp_ctx, ctx->sysdb,
username, user_attrs, &msg);
if (ret != EOK) {
DEBUG(1, ("Could not look up username [%s]: [%d][%s]\n",
username, ret, strerror(ret)));
goto done;
}
/* Construct a list of the user's groups */
el = ldb_msg_find_element(msg, SYSDB_MEMBEROF);
if (el && el->num_values) {
/* Get the groups from the memberOf entries
* Allocate the array with room for both the NULL
* terminator and the primary group
*/
groups = talloc_array(tmp_ctx, char *, el->num_values + 2);
if (!groups) {
ret = ENOMEM;
goto done;
}
for (j = 0; j < el->num_values; j++) {
ret = sysdb_group_dn_name(
ctx->sysdb, tmp_ctx,
(char *)el->values[j].data,
&groups[j]);
if (ret != EOK) {
goto done;
}
}
} else {
