From c87b2208b9a58c12eeceb5b8ccf9c34dcd835b8d Mon Sep 17 00:00:00 2001

From: Sumit Bose <sbose@redhat.com>

Date: Tue, 17 Nov 2020 12:59:23 +0100

Subject: [PATCH] nss: check if groups are filtered during initgroups

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

If groups are filtered, i.e. SSSD should not handle them, they should

not appear in the group list returned by an initgroups request.

Resolves: https://github.com/SSSD/sssd/issues/5403

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

---

 src/responder/nss/nss_protocol_grent.c | 35 ++++++++++++++++++++++++++

 src/tests/intg/test_ldap.py            | 12 +++++++++

 2 files changed, 47 insertions(+)

diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c

index 8f1d3fe81..135b392f7 100644

--- a/src/responder/nss/nss_protocol_grent.c

+++ b/src/responder/nss/nss_protocol_grent.c

@@ -326,6 +326,34 @@ done:

     return EOK;

 }

+static bool is_group_filtered(struct sss_nc_ctx *ncache,

+                              struct sss_domain_info *domain,

+                              const char *grp_name, gid_t gid)

+{

+    int ret;

+

+    if (grp_name == NULL) {

+        DEBUG(SSSDBG_CRIT_FAILURE,

+              "Group with gid [%"SPRIgid"] has no name, this should never "

+              "happen, trying to continue without.\n", gid);

+    } else {

+        ret = sss_ncache_check_group(ncache, domain, grp_name);

+        if (ret == EEXIST) {

+            DEBUG(SSSDBG_TRACE_FUNC, "Group [%s] is filtered out! "

+                                     "(negative cache)", grp_name);

+            return true;

+        }

+    }

+    ret = sss_ncache_check_gid(ncache, domain, gid);

+    if (ret == EEXIST) {

+        DEBUG(SSSDBG_TRACE_FUNC, "Group [%"SPRIgid"] is filtered out! "

+                                 "(negative cache)", gid);

+        return true;

+    }

+

+    return false;

+}

+

 errno_t

 nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,

                          struct nss_cmd_ctx *cmd_ctx,

@@ -344,6 +372,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,

     size_t body_len;

     size_t rp;

     gid_t gid;

+    const char *grp_name;

     gid_t orig_gid;

     errno_t ret;

     int i;

@@ -392,6 +421,8 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,

         gid = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, SYSDB_GIDNUM,

                                                    0);

         posix = ldb_msg_find_attr_as_string(msg, SYSDB_POSIX, NULL);

+        grp_name = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_NAME,

+                                                        NULL);

         if (gid == 0) {

             if (posix != NULL && strcmp(posix, "FALSE") == 0) {

@@ -404,6 +435,10 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,

             }

         }

+        if (is_group_filtered(nss_ctx->rctx->ncache, domain, grp_name, gid)) {

+            continue;

+        }

+

         SAFEALIGN_COPY_UINT32(&body[rp], &gid, &rp);

         num_results++;

diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py

index 194d7d9cc..6a78c960f 100644

--- a/src/tests/intg/test_ldap.py

+++ b/src/tests/intg/test_ldap.py

@@ -1190,6 +1190,18 @@ def test_nss_filters(ldap_conn, sanity_nss_filter):

     with pytest.raises(KeyError):

         grp.getgrgid(14)

+    # test initgroups - user1 is member of group_two_one_user_groups (2019)

+    # which is filtered out

+    (res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 2001)

+    assert res == sssd_id.NssReturnCode.SUCCESS

+

+    user_with_group_ids = [2001, 2012, 2015, 2017, 2018]

+    assert sorted(gids) == sorted(user_with_group_ids), \

+        "result: %s\n expected %s" % (

+            ", ".join(["%s" % s for s in sorted(gids)]),

+            ", ".join(["%s" % s for s in sorted(user_with_group_ids)])

+        )

+

 @pytest.fixture

 def sanity_nss_filter_cached(request, ldap_conn):

-- 

2.21.3