From b40c53b524816f9308c90d79662f887e6a2ac1eb Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Thu, 21 Jul 2016 13:33:18 +0200
Subject: [PATCH 84/86] SIMPLE: Fail on any error parsing the access control
list
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Luckily this error was hidden by the fact that SSSD didn't start at all
when an unparseable name was encountered after startup. Otherwise, this
would have been a security issue.
Nonetheless, we should just fail and deny access if we can't parse a
name in a simple access list.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/providers/simple/simple_access.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/providers/simple/simple_access.c b/src/providers/simple/simple_access.c
index ae90215351fe7db834898067d3b4bad71015ec5f..577e8354e9b574764734248b2bde4ef06c6fb4fc 100644
--- a/src/providers/simple/simple_access.c
+++ b/src/providers/simple/simple_access.c
@@ -211,7 +211,10 @@ simple_access_handler_send(TALLOC_CTX *mem_ctx,
ret = simple_access_obtain_filter_lists(simple_ctx);
if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE, "Failed to refresh filter lists\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to refresh filter lists, denying all access\n");
+ pd->pam_status = PAM_PERM_DENIED;
+ goto immediately;
}
simple_ctx->last_refresh_of_filter_lists = now;
}
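Review bot: The new CRIT-level DEBUG call drops the error code that `simple_access_obtain_filter_lists()` returned in `ret`, which is the one piece of information an operator needs once every login starts being refused; log it, e.g. `"Failed to refresh filter lists [%d]: %s, denying all access\n", ret, sss_strerror(ret)` (assuming the sss_strerror helper used elsewhere in SSSD is in scope in this file). The fail-closed choice of PAM_PERM_DENIED is explained only in the commit message, so a short comment above the assignment such as `/* Fail closed: an access list we cannot parse must never grant access */` would stop a later cleanup from turning this back into a fall-through. Because `last_refresh_of_filter_lists` is not updated on the failure path, the refresh is retried on every subsequent request, which is the right behaviour for a transient error but means this CRIT line repeats for as long as the list stays unparseable. simple_access_handler_send starts and ends outside the hunk, so whether the `immediately` label actually completes the request with pd->pam_status as the reply cannot be confirmed from here.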
--
2.4.11