|
 |
7500e1 |
From 231d1118727b989a4af9911a45a465912fe659d6 Mon Sep 17 00:00:00 2001
|
|
|
7500e1 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
7500e1 |
Date: Fri, 12 Mar 2021 14:38:54 +0100
|
|
|
7500e1 |
Subject: [PATCH] negcache: use right domain in nss_protocol_fill_initgr()
|
|
|
7500e1 |
MIME-Version: 1.0
|
|
|
7500e1 |
Content-Type: text/plain; charset=UTF-8
|
|
|
7500e1 |
Content-Transfer-Encoding: 8bit
|
|
|
7500e1 |
|
|
|
7500e1 |
When checking if a group returned by an initgroups request is filtered
|
|
|
7500e1 |
in the negative cache the domain of the user was used. This does not
|
|
|
7500e1 |
work reliable if the user can be a member of groups from multiple
|
|
|
7500e1 |
domains.
|
|
|
7500e1 |
|
|
|
7500e1 |
With this patch th domain the group belongs to is determined and used
|
|
|
7500e1 |
while checking the negative cache.
|
|
|
7500e1 |
|
|
|
7500e1 |
Resolves: https://github.com/SSSD/sssd/issues/5534
|
|
|
7500e1 |
|
|
|
7500e1 |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
7500e1 |
---
|
|
|
7500e1 |
src/db/sysdb.c | 22 ++++++++++++++++++++++
|
|
|
7500e1 |
src/db/sysdb.h | 7 +++++++
|
|
|
7500e1 |
src/responder/nss/nss_protocol_grent.c | 8 +++++---
|
|
|
7500e1 |
3 files changed, 34 insertions(+), 3 deletions(-)
|
|
|
7500e1 |
|
|
|
7500e1 |
diff --git a/src/db/sysdb.c b/src/db/sysdb.c
|
|
|
7500e1 |
index 693f687be..6001c49cb 100644
|
|
|
7500e1 |
--- a/src/db/sysdb.c
|
|
|
7500e1 |
+++ b/src/db/sysdb.c
|
|
|
7500e1 |
@@ -2139,3 +2139,25 @@ void ldb_debug_messages(void *context, enum ldb_debug_level level,
|
|
|
7500e1 |
fmt, ap);
|
|
|
7500e1 |
}
|
|
|
7500e1 |
}
|
|
|
7500e1 |
+
|
|
|
7500e1 |
+struct sss_domain_info *find_domain_by_msg(struct sss_domain_info *dom,
|
|
|
7500e1 |
+ struct ldb_message *msg)
|
|
|
7500e1 |
+{
|
|
|
7500e1 |
+ const char *name;
|
|
|
7500e1 |
+ struct sss_domain_info *obj_dom = NULL;
|
|
|
7500e1 |
+
|
|
|
7500e1 |
+ name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
|
|
|
7500e1 |
+ if (name == NULL) {
|
|
|
7500e1 |
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
|
7500e1 |
+ "Object does not have a name attribute.\n");
|
|
|
7500e1 |
+ return dom;
|
|
|
7500e1 |
+ }
|
|
|
7500e1 |
+
|
|
|
7500e1 |
+ obj_dom = find_domain_by_object_name(get_domains_head(dom), name);
|
|
|
7500e1 |
+ if (obj_dom == NULL) {
|
|
|
7500e1 |
+ DEBUG(SSSDBG_OP_FAILURE, "No domain found for [%s].\n", name);
|
|
|
7500e1 |
+ return dom;
|
|
|
7500e1 |
+ }
|
|
|
7500e1 |
+
|
|
|
7500e1 |
+ return obj_dom;
|
|
|
7500e1 |
+}
|
|
|
7500e1 |
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
|
|
|
7500e1 |
index a00efa55f..37a2c4124 100644
|
|
|
7500e1 |
--- a/src/db/sysdb.h
|
|
|
7500e1 |
+++ b/src/db/sysdb.h
|
|
|
7500e1 |
@@ -1532,4 +1532,11 @@ errno_t sysdb_cert_derb64_to_ldap_filter(TALLOC_CTX *mem_ctx,
|
|
|
7500e1 |
void ldb_debug_messages(void *context, enum ldb_debug_level level,
|
|
|
7500e1 |
const char *fmt, va_list ap);
|
|
|
7500e1 |
|
|
|
7500e1 |
+/* Try to detect the object domain from the object's SYSDB_NAME attribute and
|
|
|
7500e1 |
+ * return the matching sss_domain_info. This should work reliable with user
|
|
|
7500e1 |
+ * and group objects since fully-qualified names are used here. If the proper
|
|
|
7500e1 |
+ * domain cannot be detected the given domain is returned. */
|
|
|
7500e1 |
+struct sss_domain_info *find_domain_by_msg(struct sss_domain_info *dom,
|
|
|
7500e1 |
+ struct ldb_message *msg);
|
|
|
7500e1 |
+
|
|
|
7500e1 |
#endif /* __SYS_DB_H__ */
|
|
|
7500e1 |
diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
|
|
|
7500e1 |
index 135b392f7..f6e00eb10 100644
|
|
|
7500e1 |
--- a/src/responder/nss/nss_protocol_grent.c
|
|
|
7500e1 |
+++ b/src/responder/nss/nss_protocol_grent.c
|
|
|
7500e1 |
@@ -361,6 +361,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
|
|
|
7500e1 |
struct cache_req_result *result)
|
|
|
7500e1 |
{
|
|
|
7500e1 |
struct sss_domain_info *domain;
|
|
|
7500e1 |
+ struct sss_domain_info *grp_dom;
|
|
|
7500e1 |
struct ldb_message *user;
|
|
|
7500e1 |
struct ldb_message *msg;
|
|
|
7500e1 |
struct ldb_message *primary_group_msg;
|
|
|
7500e1 |
@@ -418,10 +419,11 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
|
|
|
7500e1 |
num_results = 0;
|
|
|
7500e1 |
for (i = 1; i < result->count; i++) {
|
|
|
7500e1 |
msg = result->msgs[i];
|
|
|
7500e1 |
- gid = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, SYSDB_GIDNUM,
|
|
|
7500e1 |
+ grp_dom = find_domain_by_msg(domain, msg);
|
|
|
7500e1 |
+ gid = sss_view_ldb_msg_find_attr_as_uint64(grp_dom, msg, SYSDB_GIDNUM,
|
|
|
7500e1 |
0);
|
|
|
7500e1 |
posix = ldb_msg_find_attr_as_string(msg, SYSDB_POSIX, NULL);
|
|
|
7500e1 |
- grp_name = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_NAME,
|
|
|
7500e1 |
+ grp_name = sss_view_ldb_msg_find_attr_as_string(grp_dom, msg, SYSDB_NAME,
|
|
|
7500e1 |
NULL);
|
|
|
7500e1 |
|
|
|
7500e1 |
if (gid == 0) {
|
|
|
7500e1 |
@@ -435,7 +437,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
|
|
|
7500e1 |
}
|
|
|
7500e1 |
}
|
|
|
7500e1 |
|
|
|
7500e1 |
- if (is_group_filtered(nss_ctx->rctx->ncache, domain, grp_name, gid)) {
|
|
|
7500e1 |
+ if (is_group_filtered(nss_ctx->rctx->ncache, grp_dom, grp_name, gid)) {
|
|
|
7500e1 |
continue;
|
|
|
7500e1 |
}
|
|
|
7500e1 |
|
|
|
7500e1 |
--
|
|
|
7500e1 |
2.26.3
|
|
|
7500e1 |
|