static errno_t proxy_process_missing_users(struct sysdb_ctx *sysdb, struct sss_domain_info *domain, struct sysdb_attrs *group_attrs, struct group *grp, time_t now) { errno_t ret; size_t i; TALLOC_CTX *tmp_ctx = NULL; struct ldb_message *msg; if (!sysdb || !grp) return EINVAL; tmp_ctx = talloc_new(NULL); if (!tmp_ctx) return ENOMEM; for (i = 0; grp->gr_mem[i]; i++) { ret = sysdb_search_user_by_name(tmp_ctx, domain, grp->gr_mem[i], NULL, &msg); if (ret == EOK) { /* Member already exists in the cache */ DEBUG(SSSDBG_TRACE_INTERNAL, "Member [%s] already cached\n", grp->gr_mem[i]); /* clean up */ talloc_zfree(msg); continue; } else if (ret == ENOENT) { /* No entry for this user. Create a ghost user */ DEBUG(SSSDBG_TRACE_LIBS, "Member [%s] not cached, creating ghost user entry\n", grp->gr_mem[i]); ret = sysdb_attrs_add_string(group_attrs, SYSDB_GHOST, grp->gr_mem[i]); if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, "Cannot store ghost user entry: [%d]: %s\n", ret, strerror(ret)); goto done; } } else { /* Unexpected error */ DEBUG(SSSDBG_MINOR_FAILURE, "Error searching cache for user [%s]: [%s]\n", grp->gr_mem[i], strerror(ret)); goto done; } } ret = EOK; done: talloc_free(tmp_ctx); return ret; }
static errno_t find_user_entry(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom, struct dp_id_data *ar, struct ldb_message **_msg) { const char *user_attrs[] = { SYSDB_NAME, SYSDB_OBJECTCATEGORY, SYSDB_PAC_BLOB, SYSDB_PAC_BLOB_EXPIRE, NULL }; struct ldb_message *msg; struct ldb_result *res; int ret; TALLOC_CTX *tmp_ctx = NULL; if (dom == NULL || ar == NULL) { DEBUG(SSSDBG_OP_FAILURE, "Missing arguments.\n"); return EINVAL; } tmp_ctx = talloc_new(NULL); if (tmp_ctx == NULL) { DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); return ENOMEM; } if (ar->extra_value && strcmp(ar->extra_value, EXTRA_NAME_IS_UPN) == 0) { ret = sysdb_search_user_by_upn(tmp_ctx, dom, false, ar->filter_value, user_attrs, &msg); } else { switch (ar->filter_type) { case BE_FILTER_SECID: ret = sysdb_search_user_by_sid_str(tmp_ctx, dom, ar->filter_value, user_attrs, &msg); break; case BE_FILTER_UUID: ret = sysdb_search_object_by_uuid(tmp_ctx, dom, ar->filter_value, user_attrs, &res); if (ret == EOK) { if (res->count == 1) { msg = res->msgs[0]; } else { talloc_free(res); DEBUG(SSSDBG_CRIT_FAILURE, "Search by UUID returned multiple results.\n"); ret = EINVAL; goto done; } } break; case BE_FILTER_NAME: ret = sysdb_search_user_by_name(tmp_ctx, dom, ar->filter_value, user_attrs, &msg); break; default: DEBUG(SSSDBG_OP_FAILURE, "Unsupported filter type [%d].\n", ar->filter_type); ret = EINVAL; goto done; } } if (ret != EOK) { if (ret == ENOENT) { DEBUG(SSSDBG_TRACE_ALL, "No user found with filter [%s].\n", ar->filter_value); } else { DEBUG(SSSDBG_OP_FAILURE, "Looking up user in cache with filter [%s] failed.\n", ar->filter_value); } goto done; } *_msg = talloc_steal(mem_ctx, msg); ret = EOK; done: talloc_free(tmp_ctx); return ret; }
errno_t sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, struct sss_domain_info *domain, const char *username, uid_t *_uid, char ***groupnames) { TALLOC_CTX *tmp_ctx; errno_t ret; struct ldb_message *msg; struct ldb_message *group_msg = NULL; char **sysdb_groupnames = NULL; const char *primary_group = NULL; struct ldb_message_element *groups; uid_t uid = 0; gid_t gid = 0; size_t num_groups = 0; int i; const char *attrs[] = { SYSDB_MEMBEROF, SYSDB_GIDNUM, SYSDB_UIDNUM, NULL }; const char *group_attrs[] = { SYSDB_NAME, NULL }; tmp_ctx = talloc_new(NULL); NULL_CHECK(tmp_ctx, ret, done); ret = sysdb_search_user_by_name(tmp_ctx, domain, username, attrs, &msg); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Error looking up user %s\n", username); goto done; } if (_uid != NULL) { uid = ldb_msg_find_attr_as_uint64(msg, SYSDB_UIDNUM, 0); if (!uid) { DEBUG(SSSDBG_CRIT_FAILURE, "A user with no UID?\n"); ret = EIO; goto done; } } /* resolve secondary groups */ if (groupnames != NULL) { groups = ldb_msg_find_element(msg, SYSDB_MEMBEROF); if (!groups || groups->num_values == 0) { /* No groups for this user in sysdb currently */ sysdb_groupnames = NULL; num_groups = 0; } else { num_groups = groups->num_values; sysdb_groupnames = talloc_array(tmp_ctx, char *, num_groups + 1); NULL_CHECK(sysdb_groupnames, ret, done); /* Get a list of the groups by groupname only */ for (i = 0; i < groups->num_values; i++) { ret = sysdb_group_dn_name(domain->sysdb, sysdb_groupnames, (const char *)groups->values[i].data, &sysdb_groupnames[i]); if (ret != EOK) { ret = ENOMEM; goto done; } } sysdb_groupnames[groups->num_values] = NULL; } }
errno_t simple_access_check(struct simple_ctx *ctx, const char *username, bool *access_granted) { int i, j; errno_t ret; TALLOC_CTX *tmp_ctx = NULL; const char *user_attrs[] = { SYSDB_MEMBEROF, SYSDB_GIDNUM, NULL }; const char *group_attrs[] = { SYSDB_NAME, NULL }; struct ldb_message *msg; struct ldb_message_element *el; char **groups; const char *primary_group; gid_t gid; bool matched; *access_granted = false; /* First, check whether the user is in the allowed users list */ if (ctx->allow_users != NULL) { for(i = 0; ctx->allow_users[i] != NULL; i++) { if (strcmp(username, ctx->allow_users[i]) == 0) { DEBUG(9, ("User [%s] found in allow list, access granted.\n", username)); /* Do not return immediately on explicit allow * We need to make sure none of the user's groups * are denied. */ *access_granted = true; } } } else if (!ctx->allow_groups) { /* If neither allow rule is in place, we'll assume allowed * unless a deny rule disables us below. */ *access_granted = true; } /* Next check whether this user has been specifically denied */ if (ctx->deny_users != NULL) { for(i = 0; ctx->deny_users[i] != NULL; i++) { if (strcmp(username, ctx->deny_users[i]) == 0) { DEBUG(9, ("User [%s] found in deny list, access denied.\n", username)); /* Return immediately on explicit denial */ *access_granted = false; return EOK; } } } if (!ctx->allow_groups && !ctx->deny_groups) { /* There are no group restrictions, so just return * here with whatever we've decided. */ return EOK; } /* Now get a list of this user's groups and check those against the * simple_allow_groups list. */ tmp_ctx = talloc_new(NULL); if (!tmp_ctx) { ret = ENOMEM; goto done; } ret = sysdb_search_user_by_name(tmp_ctx, ctx->sysdb, username, user_attrs, &msg); if (ret != EOK) { DEBUG(1, ("Could not look up username [%s]: [%d][%s]\n", username, ret, strerror(ret))); goto done; } /* Construct a list of the user's groups */ el = ldb_msg_find_element(msg, SYSDB_MEMBEROF); if (el && el->num_values) { /* Get the groups from the memberOf entries * Allocate the array with room for both the NULL * terminator and the primary group */ groups = talloc_array(tmp_ctx, char *, el->num_values + 2); if (!groups) { ret = ENOMEM; goto done; } for (j = 0; j < el->num_values; j++) { ret = sysdb_group_dn_name( ctx->sysdb, tmp_ctx, (char *)el->values[j].data, &groups[j]); if (ret != EOK) { goto done; } } } else {