X-Git-Url: https://git.gag.com/?a=blobdiff_plain;f=plugins%2Fsudoers%2Fsudo_nss.c;h=83a3fe912a5d51794a198c8b697a1b62498a5309;hb=98b9fd63cd28a3636a7cd24641b8f497eaadcd50;hp=d8ed0f5de19f3855554d0f249fc5764c96fd417c;hpb=ef258354719127382087c58e5c0f83ee45c958f6;p=debian%2Fsudo
diff --git a/plugins/sudoers/sudo_nss.c b/plugins/sudoers/sudo_nss.c
index d8ed0f5..83a3fe9 100644
--- a/plugins/sudoers/sudo_nss.c
+++ b/plugins/sudoers/sudo_nss.c
@@ -18,6 +18,8 @@
 
 #include
 #include
+#include
+
 #include
 #ifdef STDC_HEADERS
 # include
@@ -47,8 +49,11 @@ extern struct sudo_nss sudo_nss_file;
 #ifdef HAVE_LDAP
 extern struct sudo_nss sudo_nss_ldap;
 #endif
+#ifdef HAVE_SSSD
+extern struct sudo_nss sudo_nss_sss;
+#endif
 
-#if defined(HAVE_LDAP) && defined(_PATH_NSSWITCH_CONF)
+#if (defined(HAVE_LDAP) || defined(HAVE_SSSD)) && defined(_PATH_NSSWITCH_CONF)
 /*
  * Read in /etc/nsswitch.conf
  * Returns a tail queue of matches.
@@ -58,6 +63,9 @@ sudo_read_nss(void)
 {
     FILE *fp;
     char *cp;
+#ifdef HAVE_SSSD
+    bool saw_sss = false;
+#endif
     bool saw_files = false;
     bool saw_ldap = false;
     bool got_match = false;
@@ -81,13 +89,24 @@ sudo_read_nss(void)
         if (strcasecmp(cp, "files") == 0 && !saw_files) {
             tq_append(&snl, &sudo_nss_file);
             got_match = true;
+#ifdef HAVE_LDAP
         } else if (strcasecmp(cp, "ldap") == 0 && !saw_ldap) {
             tq_append(&snl, &sudo_nss_ldap);
             got_match = true;
+#endif
+#ifdef HAVE_SSSD
+        } else if (strcasecmp(cp, "sss") == 0 && !saw_sss) {
+            tq_append(&snl, &sudo_nss_sss);
+            got_match = true;
+#endif
         } else if (strcasecmp(cp, "[NOTFOUND=return]") == 0 && got_match) {
             /* NOTFOUND affects the most recent entry */
             tq_last(&snl)->ret_if_notfound = true;
             got_match = false;
+        } else if (strcasecmp(cp, "[SUCCESS=return]") == 0 && got_match) {
+            /* SUCCESS affects the most recent entry */
+            tq_last(&snl)->ret_if_found = true;
+            got_match = false;
         } else
             got_match = false;
     }
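Review bot: The new `sss` branch in the nsswitch.conf parser guards on `!saw_sss`, but nothing in this hunk ever sets the flag, exactly as with the pre-existing `saw_files` and `saw_ldap` checks; a repeated token on the `sudoers:` line (e.g. `files sss sss`, constructed) would then append the same static `sudo_nss_sss` node twice, which is likely to corrupt the tail queue and make the later lookup loop or misbehave. Unless the flag is set further down in sudo_read_nss (the body continues outside the hunk), record it where the match is taken: `got_match = saw_sss = true;`. The same applies to the netsvc.conf variant in the `@@ -151,11 +173,20 @@` hunk, and giving the existing `files`/`ldap` branches the same treatment would make those guards meaningful too.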
@@ -104,9 +123,9 @@ nomatch:
     debug_return_ptr(&snl);
 }
 
-#else /* HAVE_LDAP && _PATH_NSSWITCH_CONF */
+#else /* (HAVE_LDAP || HAVE_SSSD) && _PATH_NSSWITCH_CONF */
 
-# if defined(HAVE_LDAP) && defined(_PATH_NETSVC_CONF)
+# if (defined(HAVE_LDAP) || defined(HAVE_SSSD)) && defined(_PATH_NETSVC_CONF)
 
 /*
  * Read in /etc/netsvc.conf (like nsswitch.conf on AIX)
@@ -117,6 +136,9 @@ sudo_read_nss(void)
 {
     FILE *fp;
     char *cp, *ep;
+#ifdef HAVE_SSSD
+    bool saw_sss = false;
+#endif
     bool saw_files = false;
     bool saw_ldap = false;
     bool got_match = false;
@@ -151,11 +173,20 @@ sudo_read_nss(void)
             tq_append(&snl, &sudo_nss_file);
             got_match = true;
             ep = &cp[5];
+#ifdef HAVE_LDAP
         } else if (!saw_ldap && strncasecmp(cp, "ldap", 4) == 0 &&
             (isspace((unsigned char)cp[4]) || cp[4] == '\0')) {
             tq_append(&snl, &sudo_nss_ldap);
             got_match = true;
             ep = &cp[4];
+#endif
+#ifdef HAVE_SSSD
+        } else if (!saw_sss && strncasecmp(cp, "sss", 3) == 0 &&
+            (isspace((unsigned char)cp[3]) || cp[3] == '\0')) {
+            tq_append(&snl, &sudo_nss_sss);
+            got_match = true;
+            ep = &cp[3];
+#endif
         } else {
             got_match = false;
         }
@@ -195,6 +226,9 @@ sudo_read_nss(void)
     static struct sudo_nss_list snl;
     debug_decl(sudo_read_nss, SUDO_DEBUG_NSS)
 
+# ifdef HAVE_SSSD
+    tq_append(&snl, &sudo_nss_sss);
+# endif
 # ifdef HAVE_LDAP
     tq_append(&snl, &sudo_nss_ldap);
 # endif
@@ -233,11 +267,15 @@ display_privs(struct sudo_nss_list *snl, struct passwd *pw)
 {
     struct sudo_nss *nss;
     struct lbuf defs, privs;
-    int count, olen;
+    struct stat sb;
+    int cols, count, olen;
     debug_decl(display_privs, SUDO_DEBUG_NSS)
 
-    lbuf_init(&defs, output, 4, NULL, sudo_user.cols);
-    lbuf_init(&privs, output, 4, NULL, sudo_user.cols);
+    cols = sudo_user.cols;
+    if (fstat(STDOUT_FILENO, &sb) == 0 && S_ISFIFO(sb.st_mode))
+        cols = 0;
+    lbuf_init(&defs, output, 4, NULL, cols);
+    lbuf_init(&privs, output, 4, NULL, cols);
 
     /* Display defaults from all sources. */
     lbuf_append(&defs, _("Matching Defaults entries for %s on this host:\n"),
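Review bot: In the fallback used when no nsswitch.conf/netsvc.conf is available, the new `tq_append(&snl, &sudo_nss_sss)` is placed ahead of the LDAP append, so with both backends compiled in SSSD is consulted before LDAP; since the order of this static list is the policy lookup precedence, nothing in the code records that this ordering is deliberate. A comment above the first append would do, e.g. `/* No nsswitch.conf: fixed lookup order is sss, then ldap (followed by the sources appended below). */`. The remainder of the function, presumably the files append, lies outside the hunk.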
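Review bot: The new width check in display_privs only disables line wrapping when stdout is a FIFO (`S_ISFIFO(sb.st_mode)`), so output redirected to a regular file or a socket is still wrapped at `sudo_user.cols`. If the intent is to stop wrapping whenever the listing is not going to a terminal, `cols = isatty(STDOUT_FILENO) ? sudo_user.cols : 0;` covers pipes, files and sockets alike and makes `sb` and the fstat() call unnecessary; keep the fstat() form only if pipes are deliberately the sole case. Either way the reason deserves a one-line comment, e.g. `/* Don't wrap lines when output is not a terminal (e.g. piped to a pager). */`.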
@@ -272,13 +310,14 @@ display_privs(struct sudo_nss_list *snl, struct passwd *pw)
     tq_foreach_fwd(snl, nss) {
         count += nss->display_privs(nss, pw, &privs);
     }
-    if (count) {
-        lbuf_print(&defs);
-        lbuf_print(&privs);
-    } else {
-        printf(_("User %s is not allowed to run sudo on %s.\n"), pw->pw_name,
-            user_shost);
+    if (count == 0) {
+        defs.len = 0;
+        privs.len = 0;
+        lbuf_append(&privs, _("User %s is not allowed to run sudo on %s.\n"),
+            pw->pw_name, user_shost);
     }
+    lbuf_print(&defs);
+    lbuf_print(&privs);
 
     lbuf_destroy(&defs);
     lbuf_destroy(&privs);
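Review bot: `defs.len = 0;` and `privs.len = 0;` reach into the lbuf internals to throw away the headers appended earlier in display_privs, and nothing says why; a comment would help a reader, e.g. `/* No matching entries: drop the headers and print only the "not allowed" message. */`. With that reset, `lbuf_print(&defs)` is now always called, including on an emptied buffer — if lbuf_print() emits anything for a zero-length buffer (a trailing newline, say) the no-match case gains a stray blank line, which is worth confirming against the lbuf implementation. The message also now goes through the lbuf `output` callback instead of printf(), so it is wrapped at the configured width and routed like the rest of the listing; that looks intended but is a user-visible change worth a line in the commit description.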