|
 |
ecf709 |
From 79f389eb400eddc133824b079f8bd49ced24643b Mon Sep 17 00:00:00 2001
|
|
|
ecf709 |
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
|
|
ecf709 |
Date: Wed, 17 May 2017 14:43:39 +0200
|
|
|
ecf709 |
Subject: [PATCH 169/169] CACHE_REQ_SEARCH: Check for filtered users/groups
|
|
|
ecf709 |
also on cache_req_send()
|
|
|
ecf709 |
MIME-Version: 1.0
|
|
|
ecf709 |
Content-Type: text/plain; charset=UTF-8
|
|
|
ecf709 |
Content-Transfer-Encoding: 8bit
|
|
|
ecf709 |
|
|
|
ecf709 |
cache_req_send() may take some shortcuts in case the object is found in
|
|
|
ecf709 |
the cache and it's still valid.
|
|
|
ecf709 |
|
|
|
ecf709 |
This behaviour may lead to exposing filtered users and groups when
|
|
|
ecf709 |
they're searched by their uid/gid.
|
|
|
ecf709 |
|
|
|
ecf709 |
A solution for this issue was proposed on 4ef0b19a but, unfortunately,
|
|
|
ecf709 |
didn't take into consideration that this shortcut could be taken.
|
|
|
ecf709 |
|
|
|
ecf709 |
There are basically two really easy ways to test this issue:
|
|
|
ecf709 |
1) Using enumeration:
|
|
|
ecf709 |
- Set "enumerate = True" in the domain section
|
|
|
ecf709 |
- restart SSSD cleaning up the cache;
|
|
|
ecf709 |
- getent passwd <uid of a user who is part of the filter_users>
|
|
|
ecf709 |
- Wait a little bit till the entry_negative_timeout is expired
|
|
|
ecf709 |
- getent passwd <same uid used above>
|
|
|
ecf709 |
|
|
|
ecf709 |
2) Not using enumeration:
|
|
|
ecf709 |
- getent passwd <uid of a user who is part of the filter_users>
|
|
|
ecf709 |
- Wait a little bit till the entry_negative_timeout is expired
|
|
|
ecf709 |
- getent passwd <same uid used above>
|
|
|
ecf709 |
|
|
|
ecf709 |
A test covering this code path will be added in the follow-up commit.
|
|
|
ecf709 |
|
|
|
ecf709 |
Resolves:
|
|
|
ecf709 |
https://pagure.io/SSSD/sssd/issue/3362
|
|
|
ecf709 |
|
|
|
ecf709 |
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
|
ecf709 |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
|
ecf709 |
(cherry picked from commit 4c09cd008967c5c0ec358dc658ffc6fc1cef2697)
|
|
|
ecf709 |
---
|
|
|
ecf709 |
src/responder/common/cache_req/cache_req_search.c | 4 ++++
|
|
|
ecf709 |
1 file changed, 4 insertions(+)
|
|
|
ecf709 |
|
|
|
ecf709 |
diff --git a/src/responder/common/cache_req/cache_req_search.c b/src/responder/common/cache_req/cache_req_search.c
|
|
|
ecf709 |
index d3aaa7542ddfd28716fbf9cdcedfeadb649dbaa0..56d0345cd8f98de574961d3c9628ae7a4c24f9be 100644
|
|
|
ecf709 |
--- a/src/responder/common/cache_req/cache_req_search.c
|
|
|
ecf709 |
+++ b/src/responder/common/cache_req/cache_req_search.c
|
|
|
ecf709 |
@@ -334,6 +334,10 @@ cache_req_search_send(TALLOC_CTX *mem_ctx,
|
|
|
ecf709 |
|
|
|
ecf709 |
done:
|
|
|
ecf709 |
if (ret == EOK) {
|
|
|
ecf709 |
+ ret = cache_req_search_ncache_filter(state, cr, &state->result);
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ if (ret == EOK) {
|
|
|
ecf709 |
tevent_req_done(req);
|
|
|
ecf709 |
} else {
|
|
|
ecf709 |
tevent_req_error(req, ret);
|
|
|
ecf709 |
--
|
|
|
ecf709 |
2.9.4
|
|
|
ecf709 |
|