From 48f27f74c9a9d5aebf8d2be941dfb282578ba9ba Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 12 Mar 2021 14:38:54 +0100
Subject: [PATCH] negcache: use right domain in nss_protocol_fill_initgr()
|
|
|
44f86b |
When checking if a group returned by an initgroups request is filtered
in the negative cache the domain of the user was used. This does not
work reliable if the user can be a member of groups from multiple
domains.
|
|
|
44f86b |
With this patch the domain the group belongs to is determined and used
while checking the negative cache.
|
|
|
44f86b |
Resolves: https://github.com/SSSD/sssd/issues/5534
(cherry picked from commit 231d1118727b989a4af9911a45a465912fe659d6 with changes)
|
|
|
44f86b |
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/db/sysdb.c | 22 ++++++++++++++++++++++
src/db/sysdb.h | 7 +++++++
src/responder/nss/nss_protocol_grent.c | 8 +++++---
3 files changed, 34 insertions(+), 3 deletions(-)
|
|
|
44f86b |
diff --git a/src/db/sysdb.c b/src/db/sysdb.c
index 279bd5839..f9929c7ba 100644
--- a/src/db/sysdb.c
+++ b/src/db/sysdb.c
@@ -1978,3 +1978,25 @@ done:
talloc_free(tmp_ctx);
return differs;
}
+
+struct sss_domain_info *find_domain_by_msg(struct sss_domain_info *dom,
+ struct ldb_message *msg)
+{
+ const char *name;
+ struct sss_domain_info *obj_dom = NULL;
+
+ name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+ if (name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Object does not have a name attribute.\n");
+ return dom;
+ }
+
+ obj_dom = find_domain_by_object_name(get_domains_head(dom), name);
+ if (obj_dom == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "No domain found for [%s].\n", name);
+ return dom;
+ }
+
+ return obj_dom;
+}
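Review bot: When find_domain_by_object_name() returns NULL (and likewise when SYSDB_NAME is missing) the function falls back to the caller's `dom`, so a group whose name cannot be mapped to a domain is still evaluated against the user's domain — exactly the case this patch sets out to remove — and only a debug message at SSSDBG_OP_FAILURE records it; a caller such as nss_protocol_fill_initgr() cannot tell the fallback from a genuine match, so a group an administrator expects to be filtered could slip through the negative-cache check unnoticed. If the fallback is intentional, state it at the first `return dom;`: `/* Fall back to the caller's domain; callers cannot distinguish this from a real match. */`, otherwise consider returning NULL and letting callers decide. `msg` is passed straight to ldb_msg_find_attr_as_string() without a NULL check; if callers guarantee a non-NULL message, that precondition belongs in the header comment. Whether get_domains_head() tolerates a NULL `dom` is not visible here, so the same applies to `dom`.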
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 679763bad..d47099eff 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -1505,4 +1505,11 @@ errno_t sysdb_handle_original_uuid(const char *orig_name,
struct sysdb_attrs *dest_attrs,
const char *dest_name);
|
|
|
44f86b |
+/* Try to detect the object domain from the object's SYSDB_NAME attribute and
+ * return the matching sss_domain_info. This should work reliable with user
+ * and group objects since fully-qualified names are used here. If the proper
+ * domain cannot be detected the given domain is returned. */
+struct sss_domain_info *find_domain_by_msg(struct sss_domain_info *dom,
+ struct ldb_message *msg);
+
#endif /* __SYS_DB_H__ */
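Review bot: The new comment says "This should work reliable" — `reliably` — and it should also tell callers that the fallback return is silent: the implementation in sysdb.c logs at SSSDBG_OP_FAILURE and returns `dom` both when SYSDB_NAME is absent and when no domain matches, so a caller that needs to know the domain was not actually determined has no way to detect it. Suggested wording for the last sentence: `If the proper domain cannot be detected, the given domain is returned unchanged and the failure is only logged; callers cannot distinguish this from a successful lookup.` Whether `dom` and `msg` may be NULL is not documented; add that precondition once confirmed against get_domains_head() and ldb_msg_find_attr_as_string().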
diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
index 4c7ea9aed..e4494826a 100644
--- a/src/responder/nss/nss_protocol_grent.c
+++ b/src/responder/nss/nss_protocol_grent.c
@@ -343,6 +343,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
struct cache_req_result *result)
{
struct sss_domain_info *domain;
+ struct sss_domain_info *grp_dom;
struct ldb_message *user;
struct ldb_message *msg;
struct ldb_message *primary_group_msg;
@@ -400,10 +401,11 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
num_results = 0;
for (i = 1; i < result->count; i++) {
msg = result->msgs[i];
- gid = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, SYSDB_GIDNUM,
+ grp_dom = find_domain_by_msg(domain, msg);
+ gid = sss_view_ldb_msg_find_attr_as_uint64(grp_dom, msg, SYSDB_GIDNUM,
0);
posix = ldb_msg_find_attr_as_string(msg, SYSDB_POSIX, NULL);
- grp_name = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_NAME,
+ grp_name = sss_view_ldb_msg_find_attr_as_string(grp_dom, msg, SYSDB_NAME,
NULL);
|
|
|
44f86b |
if (gid == 0) {
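Review bot: `grp_dom = find_domain_by_msg(domain, msg);` silently yields `domain` when the group's name cannot be mapped to a domain, so in that case the `is_group_filtered(nss_ctx->rctx->ncache, grp_dom, ...)` check in the next hunk still runs against the user's domain with nothing but a debug message to show for it — the pre-patch behaviour, now hidden behind a new name. If a group that should be filtered must never be returned on that path, the loop needs to handle the fallback explicitly rather than rely on it; a comment at the assignment would at least make the trade-off visible: `/* Falls back to the user's domain if the group's domain cannot be determined. */`. nss_protocol_fill_initgr() starts before this hunk and the handling of `primary_group_msg` is not shown, so check whether that path still looks up the negative cache with `domain` and needs the same change.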
@@ -417,7 +419,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
}
}
|
|
|
44f86b |
- if (is_group_filtered(nss_ctx->rctx->ncache, domain, grp_name, gid)) {
+ if (is_group_filtered(nss_ctx->rctx->ncache, grp_dom, grp_name, gid)) {
continue;
}
|
|
|
44f86b |
--
2.26.3