Updated. Enjoy! OBS-URL: https://build.opensuse.org/request/show/998277 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=215
From 7f9ea23e7447b8e1308fc282cd13b6cf5d39d3c4 Mon Sep 17 00:00:00 2001
From: William Brown <wbrown@suse.de>
Date: Mon, 25 Jul 2022 15:21:39 +1000
Subject: [PATCH] Update sudoUser to be utf8 in ldap schemas
In most unix-style LDAP servers, uid is a utf8 string defined by
OID 1.3.6.1.4.1.1466.115.121.1.15. However, sudoUser was defined
as an IA5 String (OID 1.3.6.1.4.1.1466.115.121.1.26) which meant
that sudoUser could only represent a subset of possible values.
In some cases when using sudoers.ldap, the uid from the machine
which was utf8 was fed back into sudo which would then issue a
search for sudoUsers. If this uid contained utf8 characters, the
ldap server would refuse to match into sudoUsers because these
were limited to IA5.
This is a safe-forward upgrade as IA5 is a subset of UTF8 meaning
that this change will not impact existing deployments and their
rules.
---
docs/schema.OpenLDAP | 14 +++++++-------
docs/schema.iPlanet | 6 +++---
docs/schema.olcSudo | 14 +++++++-------
3 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/docs/schema.OpenLDAP b/docs/schema.OpenLDAP
index e1d525f84..451c5250a 100644
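--- a/docs/schema.OpenLDAP
+++ b/docs/schema.OpenLDAP
@@ -7,9 +7,9 @@
 attributetype ( 1.3.6.1.4.1.15953.9.1.1
 NAME 'sudoUser'
 DESC 'User(s) who may run sudo'
- EQUALITY caseExactIA5Match
- SUBSTR caseExactIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+ EQUALITY caseExactMatch
+ SUBSTR caseExactSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 
 attributetype ( 1.3.6.1.4.1.15953.9.1.2
 NAME 'sudoHost'
@@ -39,14 +39,14 @@ attributetype ( 1.3.6.1.4.1.15953.9.1.5
 attributetype ( 1.3.6.1.4.1.15953.9.1.6
 NAME 'sudoRunAsUser'
 DESC 'User(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 
 attributetype ( 1.3.6.1.4.1.15953.9.1.7
 NAME 'sudoRunAsGroup'
 DESC 'Group(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 
 attributetype ( 1.3.6.1.4.1.15953.9.1.8
 NAME 'sudoNotBefore'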
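Review bot: The new `EQUALITY caseExactMatch` on `sudoUser`, `sudoRunAsUser` and `sudoRunAsGroup` compares Directory Strings after the server's Unicode string preparation, so once non-ASCII values are allowed, two names that differ as byte strings on the host may be treated as equal by the directory. For attributes that decide who may run commands and as whom, that difference should be documented next to each definition, for example `# Compared after Unicode normalization by the server; keep account names unique under normalization`. Existing ASCII-only rules should behave as before, as the commit message says. The same applies to the matching definitions in docs/schema.iPlanet and docs/schema.olcSudo.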
diff --git a/docs/schema.iPlanet b/docs/schema.iPlanet
index e51286436..56ad02bc0 100644
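--- a/docs/schema.iPlanet
+++ b/docs/schema.iPlanet
@@ -1,11 +1,11 @@
 dn: cn=schema
-attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
+attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'SUDO' )
 attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
 attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
 attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
 attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
-attributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
-attributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
+attributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'SUDO' )
+attributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'SUDO' )
 attributeTypes: ( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
 attributeTypes: ( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
 attributeTypes: ( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )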
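Review bot: `sudoRunAs` (1.3.6.1.4.1.15953.9.1.4, marked deprecated) keeps `caseExactIA5Match` and the IA5 syntax, while `sudoRunAsUser` and `sudoRunAsGroup` move to Directory String. A run-as name with non-ASCII characters is therefore accepted in the new attributes but not in the old one. If leaving it alone is intentional, the commit message should say so, since its subject mentions only `sudoUser`. Otherwise give the deprecated attribute the same `EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15`. The `sudoRunAs` definitions in the other two schema files lie outside their hunks and cannot be checked from here.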
diff --git a/docs/schema.olcSudo b/docs/schema.olcSudo
index 8748dfc2a..8948ca4ae 100644
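--- a/docs/schema.olcSudo
+++ b/docs/schema.olcSudo
@@ -9,9 +9,9 @@ cn: sudoschema
 olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.1
 NAME 'sudoUser'
 DESC 'User(s) who may run sudo'
- EQUALITY caseExactIA5Match
- SUBSTR caseExactIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+ EQUALITY caseExactMatch
+ SUBSTR caseExactSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 #
 olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.2
 NAME 'sudoHost'
@@ -41,14 +41,14 @@ olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.5
 olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.6
 NAME 'sudoRunAsUser'
 DESC 'User(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 #
 olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.7
 NAME 'sudoRunAsGroup'
 DESC 'Group(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
 #
 olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.8
 NAME 'sudoNotBefore'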
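Review bot: Nothing here tells administrators who already loaded the old definitions how to move to the new ones; the schema files are edited in place with no upgrade note. A directory that holds `sudoUser` under the IA5 syntax will presumably keep using it until the loaded schema entry is replaced. An existing equality index on `sudoUser` was likely built with the old matching rule and may need regenerating afterwards. A short comment at the top of the file, which lies outside these hunks, would cover it: `# sudoUser, sudoRunAsUser and sudoRunAsGroup changed from IA5 String to Directory String; replace the loaded schema and reindex`.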