
From a63e00fd3464524c012687c85cd67fa0468ba913 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 25 Mar 2020 12:10:35 +0100
Subject: [PATCH] sysdb: check if the id override belongs to requested domain
836b22
Steps to reproduce:
836b22
1. Setup an id override (administrator@ad.vm: uid -> 10001)
836b22
2. Request user by name to fill cache
836b22
```
836b22
$ id Administrator@ad.vm
836b22
uid=10001(administrator@ad.vm) ...
836b22
```
836b22
3. Request user by id and see that domain part is missing
836b22
```
836b22
$ id 10001
836b22
uid=10001(administrator) ...
836b22
```
836b22
First, the uid is looked up in the IPA domain and the override object is
found when we hit `sysdb_search_override_by_id` because id values are
not qualified. Therefore the origin object (administrator@ad.vm) is
returned as part of IPA domain.
836b22
We need to check if the original object belongs to the requested domain.
836b22
Resolves:
https://pagure.io/SSSD/sssd/issue/4173
836b22
Reviewed-by: Alexey Tikhonov <atikhonov@redhat.com>
836b22
(cherry picked from commit 1b84c3a1f17f59e134bb882f0f15109d18599193)
836b22
---
836b22
 src/db/sysdb_views.c | 18 ++++++++++++++++++
836b22
 1 file changed, 18 insertions(+)
836b22
diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c
index 73213ae28..08c31c9b0 100644
--- a/src/db/sysdb_views.c
+++ b/src/db/sysdb_views.c
@@ -1261,6 +1261,7 @@ static errno_t sysdb_search_override_by_id(TALLOC_CTX *mem_ctx,
     int ret;
     const char *orig_obj_dn;
     const char *filter;
+    const struct ldb_val *orig_domain;
 
     tmp_ctx = talloc_new(NULL);
     if (!tmp_ctx) {
@@ -1330,6 +1331,23 @@ static errno_t sysdb_search_override_by_id(TALLOC_CTX *mem_ctx,
             goto done;
         }
 
+        /* Check if the found override object belongs to an object in this
+         * domain. The base dn is in the form:
+         * name=user@domain,cn=users,cn=domain,cn=sysdb
+         * = 0              = 1      = 2       = 3
+         */
+        orig_domain = ldb_dn_get_component_val(base_dn, 2);
+        if (orig_domain == NULL || !orig_domain->length) {
+            DEBUG(SSSDBG_OP_FAILURE, "Invalid original object DN\n");
+            ret = EINVAL;
+            goto done;
+        }
+
+        if (strcmp((const char*)orig_domain->data, domain->name) != 0) {
+            ret = ENOENT;
+            goto done;
+        }
+
         ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &orig_res, base_dn,
                          LDB_SCOPE_BASE, attrs, NULL);
         if (ret != LDB_SUCCESS) {
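Review bot: The new domain check `if (strcmp((const char*)orig_domain->data, domain->name) != 0)` treats a length-delimited `ldb_val` as a C string; ldb's DN explode code does NUL-terminate component data in practice, but the API only promises `length`, so a length-aware compare such as `if (orig_domain->length != strlen(domain->name) || strncmp((const char *)orig_domain->data, domain->name, orig_domain->length) != 0)` would not depend on that. The compare is also case-sensitive while ldb itself matches DN component values case-insensitively; if `domain->name` can differ in case from what was written into the `cn=` component when the DN was built, `strncasecmp` would be the safer match — worth confirming against how the sysdb domain DN is constructed. The `ret = ENOENT` branch returns silently, so a wrong-domain hit is indistinguishable from a plain cache miss in the logs; a `DEBUG(SSSDBG_TRACE_FUNC, ...)` naming the override's domain and the requested domain would make the new rejection diagnosable. `sysdb_search_override_by_id` starts before the hunk, and `base_dn` and `domain` are set up outside it.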
-- 
2.21.1