From b40c53b524816f9308c90d79662f887e6a2ac1eb Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Thu, 21 Jul 2016 13:33:18 +0200
Subject: [PATCH 84/86] SIMPLE: Fail on any error parsing the access control
 list
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Luckily this error was hidden by the fact that SSSD didn't start at all
when an unparseable name was encountered after startup. Otherwise, this
would have been a security issue.

Nonetheless, we should just fail and deny access if we can't parse a
name in a simple access list.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
 src/providers/simple/simple_access.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/providers/simple/simple_access.c b/src/providers/simple/simple_access.c
index ae90215351fe7db834898067d3b4bad71015ec5f..577e8354e9b574764734248b2bde4ef06c6fb4fc 100644
--- a/src/providers/simple/simple_access.c
+++ b/src/providers/simple/simple_access.c
@@ -211,7 +211,10 @@ simple_access_handler_send(TALLOC_CTX *mem_ctx,
 
         ret = simple_access_obtain_filter_lists(simple_ctx);
         if (ret != EOK) {
-            DEBUG(SSSDBG_MINOR_FAILURE, "Failed to refresh filter lists\n");
+            DEBUG(SSSDBG_CRIT_FAILURE,
+                  "Failed to refresh filter lists, denying all access\n");
+            pd->pam_status = PAM_PERM_DENIED;
+            goto immediately;
         }
         simple_ctx->last_refresh_of_filter_lists = now;
     }
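Review bot: the new `goto immediately` skips `simple_ctx->last_refresh_of_filter_lists = now;`, so after a failed refresh every subsequent request re-runs `simple_access_obtain_filter_lists()` instead of waiting out the refresh interval; that is the correct fail-closed behaviour for an access-control list, but the `immediately` label is outside this hunk, so confirm that path completes the request with the `PAM_PERM_DENIED` status just set on `pd` rather than falling through to the normal allow/deny evaluation. Also consider carrying `ret` into the new DEBUG message (e.g. `"Failed to refresh filter lists [%d]: %s, denying all access\n", ret, sss_strerror(ret)`), since a deny-all on every request is exactly the failure an administrator will have to diagnose from the log.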
-- 
2.4.11