From a63e00fd3464524c012687c85cd67fa0468ba913 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 25 Mar 2020 12:10:35 +0100
Subject: [PATCH] sysdb: check if the id override belongs to requested domain
|
Steps to reproduce:
1. Setup an id override (administrator@ad.vm: uid -> 10001)
2. Request user by name to fill cache
```
$ id Administrator@ad.vm
uid=10001(administrator@ad.vm) ...
```
3. Request user by id and see that domain part is missing
```
$ id 10001
uid=10001(administrator) ...
```
|
First, the uid is looked up in IPA domain and the override object is
found when we hit `sysdb_search_override_by_id` because id values are
not qualified. Therefore the origin object (administrator@ad.vm) is
returned as part of IPA domain.
|
We need to check if the original object belongs to the requested domain.
|
Resolves:
https://pagure.io/SSSD/sssd/issue/4173
|
Reviewed-by: Alexey Tikhonov <atikhonov@redhat.com>
(cherry picked from commit 1b84c3a1f17f59e134bb882f0f15109d18599193)
---
src/db/sysdb_views.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
|
diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c
index 73213ae28..08c31c9b0 100644
--- a/src/db/sysdb_views.c
+++ b/src/db/sysdb_views.c
@@ -1261,6 +1261,7 @@ static errno_t sysdb_search_override_by_id(TALLOC_CTX *mem_ctx,
int ret;
const char *orig_obj_dn;
const char *filter;
+ const struct ldb_val *orig_domain;
|
tmp_ctx = talloc_new(NULL);
if (!tmp_ctx) {
@@ -1330,6 +1331,23 @@ static errno_t sysdb_search_override_by_id(TALLOC_CTX *mem_ctx,
goto done;
}
|
+ /* Check if the found override object belongs to an object in this
+ * domain. The base dn is in the form:
+ * name=user@domain,cn=users,cn=domain,cn=sysdb
+ * = 0 = 1 = 2 = 3
+ */
+ orig_domain = ldb_dn_get_component_val(base_dn, 2);
+ if (orig_domain == NULL || !orig_domain->length) {
+ DEBUG(SSSDBG_OP_FAILURE, "Invalid original object DN\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ if (strcmp((const char*)orig_domain->data, domain->name) != 0) {
+ ret = ENOENT;
+ goto done;
+ }
+
ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &orig_res, base_dn,
LDB_SCOPE_BASE, attrs, NULL);
if (ret != LDB_SUCCESS) {
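Review bot: The new `strcmp((const char*)orig_domain->data, domain->name)` treats the DN component as a NUL-terminated string, but `struct ldb_val` is a length-delimited buffer and the ldb API does not promise a terminator (the DN parser happens to add one in practice, so the check leans on an implementation detail). A length-bounded comparison keeps the check honest and also rejects a stored domain that is merely a prefix of the requested one: `if (orig_domain->length != strlen(domain->name) || strncmp((const char *)orig_domain->data, domain->name, orig_domain->length) != 0) {`. Since this is the branch that stops a uid override from being answered with a user belonging to another domain, I would also not return `ENOENT` silently but log the rejection first, e.g. `DEBUG(SSSDBG_TRACE_FUNC, "Override's original object belongs to a different domain, ignoring\n");` before the `goto done`. The hard-coded component index 2 assumes every original object DN has exactly the `name=...,cn=users,cn=<domain>,cn=sysdb` shape described in the comment; if any original object DN stored for an override is nested at a different depth, the index would have to be derived from the DN's component count instead. sysdb_search_override_by_id starts before this hunk and its `done:` label lies beyond it.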
--
2.21.1
|