From b40c53b524816f9308c90d79662f887e6a2ac1eb Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Thu, 21 Jul 2016 13:33:18 +0200
Subject: [PATCH 84/86] SIMPLE: Fail on any error parsing the access control list
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Luckily this error was hidden by the fact that SSSD didn't start at all when an unparseable name was encountered after startup. Otherwise, this would have been a security issue. Nonetheless, we should just fail and deny access if we can't parse a name in a simple access list.

Reviewed-by: Lukáš Slebodník
---
 src/providers/simple/simple_access.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/providers/simple/simple_access.c b/src/providers/simple/simple_access.c
index ae90215351fe7db834898067d3b4bad71015ec5f..577e8354e9b574764734248b2bde4ef06c6fb4fc 100644
--- a/src/providers/simple/simple_access.c
+++ b/src/providers/simple/simple_access.c
@@ -211,7 +211,10 @@ simple_access_handler_send(TALLOC_CTX *mem_ctx,
 ret = simple_access_obtain_filter_lists(simple_ctx);
 if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE, "Failed to refresh filter lists\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to refresh filter lists, denying all access\n");
+ pd->pam_status = PAM_PERM_DENIED;
+ goto immediately;
 }
 simple_ctx->last_refresh_of_filter_lists = now;
 }
--
2.4.11
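Review bot: The error code returned by simple_access_obtain_filter_lists() is dropped on the new failure path, so the CRIT log line tells an operator that access is being denied but not why; since `ret` is in scope, include it: `DEBUG(SSSDBG_CRIT_FAILURE, "Failed to refresh filter lists [%d]: %s, denying all access\n", ret, sss_strerror(ret));`. Failing closed with PAM_PERM_DENIED is the right outcome here, and it now also covers refresh failures other than an unparseable name (an allocation or lookup error, say), which is acceptable for an access provider but deserves a one-line comment above the assignment so nobody later "relaxes" it for the non-parse cases. Because `last_refresh_of_filter_lists` is only updated on success, every subsequent request will presumably retry the refresh and re-emit this message until the list is corrected; that is the desired recovery behaviour, but the refresh-interval check that would confirm it lies above the hunk. The `immediately` label and the `pd` variable are both defined outside the hunk, so whether the jump target completes the request with the denied status cannot be verified from here.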