From b40c53b524816f9308c90d79662f887e6a2ac1eb Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Thu, 21 Jul 2016 13:33:18 +0200
Subject: [PATCH 84/86] SIMPLE: Fail on any error parsing the access control
list
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Luckily this error was hidden by the fact that SSSD didn't start at all
when an unparseable name was encountered after startup. Otherwise, this
would have been a security issue.
Nonetheless, we should just fail and deny access if we can't parse a
name in a simple access list.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/providers/simple/simple_access.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/providers/simple/simple_access.c b/src/providers/simple/simple_access.c
index ae90215351fe7db834898067d3b4bad71015ec5f..577e8354e9b574764734248b2bde4ef06c6fb4fc 100644
--- a/src/providers/simple/simple_access.c
+++ b/src/providers/simple/simple_access.c
@@ -211,7 +211,10 @@ simple_access_handler_send(TALLOC_CTX *mem_ctx,
|
ret = simple_access_obtain_filter_lists(simple_ctx);
if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE, "Failed to refresh filter lists\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to refresh filter lists, denying all access\n");
+ pd->pam_status = PAM_PERM_DENIED;
+ goto immediately;
}
simple_ctx->last_refresh_of_filter_lists = now;
}
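Review bot: The new error branch sets `pd->pam_status = PAM_PERM_DENIED` and jumps to `immediately` while `ret` still holds the non-EOK value from `simple_access_obtain_filter_lists`; if the `immediately` label (outside this hunk) turns a non-EOK `ret` into `tevent_req_error`, the PAM status assigned here is never reported, and if it does not, the caller sees a deny with no indication that it came from a parse failure rather than a policy decision. Please confirm which of the two the label does and make the intent explicit on the new lines, for example with `/* Fail closed: an access list we cannot parse must never grant access */` above the assignment. The log line would also be more useful to an operator if it carried the error code, e.g. `"Failed to refresh filter lists [%d]: %s, denying all access\n", ret, sss_strerror(ret)`, so that a refresh failure can be distinguished from a genuine deny in the logs. The enclosing `if` block that this `}` closes begins before the hunk, so the condition under which this refresh runs is not visible here.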
--
2.4.11