From e954facb9d0075679a8c0789a91d519653a98869 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Tue, 14 Feb 2017 15:56:34 -0700
Subject: [PATCH] List SELinux role/type for "sudo -l" with LDAP and SSSd backends. Also fix printing of the timeout.
---
 plugins/sudoers/ldap.c | 16 ++++++++++++++--
 plugins/sudoers/sssd.c | 14 ++++++++++++++
 2 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index 7a28cf116..1fa74d086 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -2479,8 +2479,20 @@ sudo_ldap_display_entry_short(LDAP *ld, LDAPMessage *entry, struct passwd *pw,
 sudo_lbuf_append(lbuf, negated ? "NOSETENV: " : "SETENV: ");
 else if (strcmp(val, "mail_all_cmnds") == 0 || strcmp(val, "mail_always") == 0)
 sudo_lbuf_append(lbuf, negated ? "NOMAIL: " : "MAIL: ");
- else if (!negated && strcmp(val, "command_timeout") == 0)
- sudo_lbuf_append(lbuf, "TIMEOUT=%s", val);
+ else if (!negated && strncmp(val, "command_timeout=", 16) == 0)
+ sudo_lbuf_append(lbuf, "TIMEOUT=%s ", val + 16);
+#ifdef HAVE_SELINUX
+ else if (!negated && strncmp(val, "role=", 5) == 0)
+ sudo_lbuf_append(lbuf, "ROLE=%s ", val + 5);
+ else if (!negated && strncmp(val, "type=", 5) == 0)
+ sudo_lbuf_append(lbuf, "TYPE=%s ", val + 5);
+#endif /* HAVE_SELINUX */
+#ifdef HAVE_PRIV_SET
+ else if (!negated && strncmp(val, "privs=", 6) == 0)
+ sudo_lbuf_append(lbuf, "PRIVS=%s ", val + 6);
+ else if (!negated && strncmp(val, "limitprivs=", 11) == 0)
+ sudo_lbuf_append(lbuf, "LIMITPRIVS=%s ", val + 11);
+#endif /* HAVE_PRIV_SET */
 }
 ldap_value_free_len(bv);
 }
diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
index 3823d0f45..93d407c7d 100644
--- a/plugins/sudoers/sssd.c
+++ b/plugins/sudoers/sssd.c
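Review bot: In the ldap.c hunk the prefix lengths passed to `strncmp` (16, 5, 5, 6, 11) are hand-counted and then repeated as the `val + N` offsets, so a later edit that changes a keyword or only one of the two numbers would print from the wrong offset or, if the offset exceeds the compared prefix, read past the end of `val`. The counts are correct as written; deriving them from the literal keeps them that way, for example `#define OPT_LEN(s) (sizeof(s) - 1)` with `strncmp(val, "role=", OPT_LEN("role=")) == 0` and `val + OPT_LEN("role=")`. The identical branches in the sssd.c hunk have the same issue. The chain sits inside sudo_ldap_display_entry_short, which starts and ends outside the hunk.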
@@ -1728,6 +1728,20 @@ sudo_sss_display_entry_short(struct sudo_sss_handle *handle,
 sudo_lbuf_append(lbuf, negated ? "NOSETENV: " : "SETENV: ");
 else if (strcmp(val, "mail_all_cmnds") == 0 || strcmp(val, "mail_always") == 0)
 sudo_lbuf_append(lbuf, negated ? "NOMAIL: " : "MAIL: ");
+ else if (!negated && strncmp(val, "command_timeout=", 16) == 0)
+ sudo_lbuf_append(lbuf, "TIMEOUT=%s ", val + 16);
+#ifdef HAVE_SELINUX
+ else if (!negated && strncmp(val, "role=", 5) == 0)
+ sudo_lbuf_append(lbuf, "ROLE=%s ", val + 5);
+ else if (!negated && strncmp(val, "type=", 5) == 0)
+ sudo_lbuf_append(lbuf, "TYPE=%s ", val + 5);
+#endif /* HAVE_SELINUX */
+#ifdef HAVE_PRIV_SET
+ else if (!negated && strncmp(val, "privs=", 6) == 0)
+ sudo_lbuf_append(lbuf, "PRIVS=%s ", val + 6);
+ else if (!negated && strncmp(val, "limitprivs=", 11) == 0)
+ sudo_lbuf_append(lbuf, "LIMITPRIVS=%s ", val + 11);
+#endif /* HAVE_PRIV_SET */
 }
 handle->fn_free_values(val_array);
 break;
--
2.40.0
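Review bot: The fourteen lines added to sudo_sss_display_entry_short are the same option-to-tag branches this commit puts into ldap.c, so the `sudo -l` listing for the two directory backends now depends on two copies staying in step. This listing is what an administrator reads to see which SELinux role/type or privilege set a rule runs under, so an option later added to only one copy would make one backend's listing silently omit it. A shared helper taking `lbuf`, `val` and `negated`, called from both display functions, would remove that risk. Failing that, a comment such as `/* Keep in sync with sudo_ldap_display_entry_short() in ldap.c */` above the chain is the minimum. The function starts and ends outside the hunk.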