
From bb736d3f02861366d11d2f03314295bd1c1be209 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 17 Nov 2020 12:59:23 +0100
Subject: [PATCH] nss: check if groups are filtered during initgroups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
74fd62
If groups are filtered, i.e. SSSD should not handle them, they should
74fd62
not appear in the group list returned by an initgroups request.
74fd62
Resolves: https://github.com/SSSD/sssd/issues/5403
74fd62
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
74fd62
(cherry picked from commit c87b2208b9a58c12eeceb5b8ccf9c34dcd835b8d)
74fd62
---
74fd62
 src/responder/nss/nss_protocol_grent.c | 35 ++++++++++++++++++++++++++
74fd62
 src/tests/intg/test_ldap.py            | 12 +++++++++
74fd62
 2 files changed, 47 insertions(+)
74fd62
diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
74fd62
index 2367d9ecd..4c7ea9aed 100644
74fd62
--- a/src/responder/nss/nss_protocol_grent.c
74fd62
+++ b/src/responder/nss/nss_protocol_grent.c
74fd62
@@ -308,6 +308,34 @@ done:
74fd62
     return EOK;
74fd62
 }
74fd62
 
74fd62
+static bool is_group_filtered(struct sss_nc_ctx *ncache,
74fd62
+                              struct sss_domain_info *domain,
74fd62
+                              const char *grp_name, gid_t gid)
74fd62
+{
74fd62
+    int ret;
74fd62
+
74fd62
+    if (grp_name == NULL) {
74fd62
+        DEBUG(SSSDBG_CRIT_FAILURE,
74fd62
+              "Group with gid [%"SPRIgid"] has no name, this should never "
74fd62
+              "happen, trying to continue without.\n", gid);
74fd62
+    } else {
74fd62
+        ret = sss_ncache_check_group(ncache, domain, grp_name);
74fd62
+        if (ret == EEXIST) {
74fd62
+            DEBUG(SSSDBG_TRACE_FUNC, "Group [%s] is filtered out! "
74fd62
+                                     "(negative cache)", grp_name);
74fd62
+            return true;
74fd62
+        }
74fd62
+    }
74fd62
+    ret = sss_ncache_check_gid(ncache, domain, gid);
74fd62
+    if (ret == EEXIST) {
74fd62
+        DEBUG(SSSDBG_TRACE_FUNC, "Group [%"SPRIgid"] is filtered out! "
74fd62
+                                 "(negative cache)", gid);
74fd62
+        return true;
74fd62
+    }
74fd62
+
74fd62
+    return false;
74fd62
+}
74fd62
+
74fd62
 errno_t
74fd62
 nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
74fd62
                          struct nss_cmd_ctx *cmd_ctx,
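Review bot: The two SSSDBG_TRACE_FUNC messages in is_group_filtered end with `"(negative cache)"` and no trailing newline, while the SSSDBG_CRIT_FAILURE message a few lines above them ends with `"...without.\n"`; with newline-terminated DEBUG output the next log line would be glued onto these, so they should read `"(negative cache)\n"`. Separately, both sss_ncache_check_* calls treat every return value other than EEXIST, including a failed lookup, as "not filtered", which fails open; if those helpers can return anything besides EEXIST/ENOENT, logging the unexpected ret at least makes a broken negative cache visible instead of silently passing a filtered group through. The new function also has no header comment; I would add `/* Returns true when grp_name or gid is in the negative cache, i.e. the group is filtered; a NULL name is logged and the gid check still runs. */` above it.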
74fd62
@@ -326,6 +354,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
74fd62
     size_t body_len;
74fd62
     size_t rp;
74fd62
     gid_t gid;
74fd62
+    const char *grp_name;
74fd62
     gid_t orig_gid;
74fd62
     errno_t ret;
74fd62
     int i;
74fd62
@@ -374,6 +403,8 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
74fd62
         gid = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, SYSDB_GIDNUM,
74fd62
                                                    0);
74fd62
         posix = ldb_msg_find_attr_as_string(msg, SYSDB_POSIX, NULL);
74fd62
+        grp_name = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_NAME,
74fd62
+                                                        NULL);
74fd62
 
74fd62
         if (gid == 0) {
74fd62
             if (posix != NULL && strcmp(posix, "FALSE") == 0) {
74fd62
@@ -386,6 +417,10 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
74fd62
             }
74fd62
         }
74fd62
 
74fd62
+        if (is_group_filtered(nss_ctx->rctx->ncache, domain, grp_name, gid)) {
74fd62
+            continue;
74fd62
+        }
74fd62
+
74fd62
         SAFEALIGN_COPY_UINT32(&body[rp], &gid, &rp);
74fd62
         num_results++;
74fd62
 
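Review bot: The filter is applied only to the groups iterated from the lookup result; orig_gid (declared in the second hunk) does not pass through is_group_filtered anywhere in the visible hunks, so if the primary gid is appended to the reply by separate code further down in nss_protocol_fill_initgr, a filtered primary group could still be returned. Worth confirming against the rest of the function, which starts and ends outside this hunk, and extending the integration test with a filtered primary group if that path exists. The placement of the check after the gid == 0 block is right, since num_results is only incremented for groups that reach the SAFEALIGN_COPY_UINT32 line.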
74fd62
diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py
74fd62
index 2e88ac7d1..afd23c71e 100644
74fd62
--- a/src/tests/intg/test_ldap.py
74fd62
+++ b/src/tests/intg/test_ldap.py
74fd62
@@ -1190,6 +1190,18 @@ def test_nss_filters(ldap_conn, sanity_nss_filter):
74fd62
     with pytest.raises(KeyError):
74fd62
         grp.getgrgid(14)
74fd62
 
74fd62
+    # test initgroups - user1 is member of group_two_one_user_groups (2019)
74fd62
+    # which is filtered out
74fd62
+    (res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 2001)
74fd62
+    assert res == sssd_id.NssReturnCode.SUCCESS
74fd62
+
74fd62
+    user_with_group_ids = [2001, 2012, 2015, 2017, 2018]
74fd62
+    assert sorted(gids) == sorted(user_with_group_ids), \
74fd62
+        "result: %s\n expected %s" % (
74fd62
+            ", ".join(["%s" % s for s in sorted(gids)]),
74fd62
+            ", ".join(["%s" % s for s in sorted(user_with_group_ids)])
74fd62
+        )
74fd62
+
74fd62
 
74fd62
 @pytest.fixture
74fd62
 def sanity_nss_filter_cached(request, ldap_conn):
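Review bot: The failure message builds each list with `", ".join(["%s" % s for s in sorted(gids)])`, which sorts both lists a second time and is harder to read than `", ".join(str(g) for g in sorted(gids))`. The comment says group 2019 is the one filtered out, but the test only checks the full list; an explicit `assert 2019 not in gids` next to the existing assertion would make the intent of the check obvious when it fails. test_nss_filters starts outside this hunk.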
-- 
2.21.3