dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone
Blob Blame History Raw
From 79f128801d598ca57a6acebade01136525a47e00 Mon Sep 17 00:00:00 2001
From: Pavel Reichl <preichl@redhat.com>
Date: Wed, 4 Jun 2014 17:41:31 +0100
Subject: [PATCH] simple access provider: non-existing object
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Resolves:
https://fedorahosted.org/sssd/ticket/2519

Not existing user/group in simple_allow_users/simple_allow_groups should not
imply access denied.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
 src/providers/simple/simple_access_check.c | 35 +++++++++++++++++++++---------
 1 file changed, 25 insertions(+), 10 deletions(-)

diff --git a/src/providers/simple/simple_access_check.c b/src/providers/simple/simple_access_check.c
index 13c66d58f71225a6c458c19e7fb9d26fd15c08ea..d6662871948afffa2cd822614a671149d2f3bf1a 100644
--- a/src/providers/simple/simple_access_check.c
+++ b/src/providers/simple/simple_access_check.c
@@ -24,6 +24,11 @@
 #include "util/sss_utf8.h"
 #include "db/sysdb.h"
 
+#define NON_EXIST_USR_ALLOW "The user %s does not exist. Possible typo in simple_allow_users.\n"
+#define NON_EXIST_USR_DENY  "The user %s does not exist. Possible typo in simple_deny_users.\n"
+#define NON_EXIST_GRP_ALLOW "The group %s does not exist. Possible typo in simple_allow_groups.\n"
+#define NON_EXIST_GRP_DENY  "The group %s does not exist. Possible typo in simple_deny_groups.\n"
+
 static bool
 is_posix(const struct ldb_message *group)
 {
@@ -53,9 +58,11 @@ simple_check_users(struct simple_ctx *ctx, const char *username,
             domain = find_domain_by_object_name(ctx->domain,
                                                 ctx->allow_users[i]);
             if (domain == NULL) {
-                DEBUG(SSSDBG_CRIT_FAILURE, "Invalid user %s!\n",
-                                            ctx->allow_users[i]);
-                return EINVAL;
+                DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_USR_ALLOW,
+                      ctx->allow_users[i]);
+                sss_log(SSS_LOG_CRIT, NON_EXIST_USR_ALLOW,
+                        ctx->allow_users[i]);
+                continue;
             }
 
             if (sss_string_equal(domain->case_sensitive, username,
@@ -86,8 +93,10 @@ simple_check_users(struct simple_ctx *ctx, const char *username,
             domain = find_domain_by_object_name(ctx->domain,
                                                 ctx->deny_users[i]);
             if (domain == NULL) {
-                DEBUG(SSSDBG_CRIT_FAILURE, "Invalid user %s!\n",
-                                            ctx->deny_users[i]);
+                DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_USR_DENY,
+                      ctx->deny_users[i]);
+                sss_log(SSS_LOG_CRIT, NON_EXIST_USR_DENY,
+                        ctx->deny_users[i]);
                 return EINVAL;
             }
 
@@ -125,9 +134,12 @@ simple_check_groups(struct simple_ctx *ctx, const char **group_names,
             domain = find_domain_by_object_name(ctx->domain,
                                                 ctx->allow_groups[i]);
             if (domain == NULL) {
-                DEBUG(SSSDBG_CRIT_FAILURE, "Invalid group %s!\n",
-                                            ctx->allow_groups[i]);
-                return EINVAL;
+                DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_GRP_ALLOW,
+                      ctx->allow_groups[i]);
+                sss_log(SSS_LOG_CRIT, NON_EXIST_GRP_ALLOW,
+                        ctx->allow_groups[i]);
+
+                continue;
             }
 
             for(j = 0; group_names[j]; j++) {
@@ -158,8 +170,11 @@ simple_check_groups(struct simple_ctx *ctx, const char **group_names,
             domain = find_domain_by_object_name(ctx->domain,
                                                 ctx->deny_groups[i]);
             if (domain == NULL) {
-                DEBUG(SSSDBG_CRIT_FAILURE, "Invalid group %s!\n",
-                                            ctx->deny_groups[i]);
+                DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_GRP_DENY,
+                      ctx->deny_groups[i]);
+                sss_log(SSS_LOG_CRIT, NON_EXIST_GRP_DENY,
+                        ctx->deny_groups[i]);
+
                 return EINVAL;
             }
 
-- 
1.9.3