From a63e00fd3464524c012687c85cd67fa0468ba913 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
Date: Wed, 25 Mar 2020 12:10:35 +0100
Subject: [PATCH] sysdb: check if the id override belongs to requested domain

Steps to reproduce:
1. Setup an id override (administrator@ad.vm: uid -> 10001)
2. Request user by name to fill cache
```
$ id Administrator@ad.vm
uid=10001(administrator@ad.vm) ...
```
3. Request user by id and see that domain part is missing
```
$ id 10001
uid=10001(administrator) ...
```

First, the uid is looked up in IPA domain and the override object is found when we hit `sysdb_search_override_by_id` because id values are not qualified. Therefore the origin object (administrator@ad.vm) is returned as part of IPA domain. We need to check if the original object belongs to the requested domain.

Resolves: https://pagure.io/SSSD/sssd/issue/4173

Reviewed-by: Alexey Tikhonov
(cherry picked from commit 1b84c3a1f17f59e134bb882f0f15109d18599193)
---
 src/db/sysdb_views.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c
index 73213ae28..08c31c9b0 100644
--- a/src/db/sysdb_views.c
+++ b/src/db/sysdb_views.c
@@ -1261,6 +1261,7 @@ static errno_t sysdb_search_override_by_id(TALLOC_CTX *mem_ctx,
 int ret;
 const char *orig_obj_dn;
 const char *filter;
+ const struct ldb_val *orig_domain;
 tmp_ctx = talloc_new(NULL);
 if (!tmp_ctx) {
@@ -1330,6 +1331,23 @@ static errno_t sysdb_search_override_by_id(TALLOC_CTX *mem_ctx,
 goto done;
 }
+ /* Check if the found override object belongs to an object in this
+ * domain. The base dn is in the form:
+ * name=user@domain,cn=users,cn=domain,cn=sysdb
+ * = 0 = 1 = 2 = 3
+ */
+ orig_domain = ldb_dn_get_component_val(base_dn, 2);
+ if (orig_domain == NULL || !orig_domain->length) {
+ DEBUG(SSSDBG_OP_FAILURE, "Invalid original object DN\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ if (strcmp((const char*)orig_domain->data, domain->name) != 0) {
+ ret = ENOENT;
+ goto done;
+ }
+
 ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &orig_res, base_dn, LDB_SCOPE_BASE, attrs, NULL);
 if (ret != LDB_SUCCESS) {
-- 
2.21.1
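Review bot: The `strcmp((const char*)orig_domain->data, domain->name)` in the new domain check treats the ldb_val returned by `ldb_dn_get_component_val` as a NUL-terminated string and compares it case-sensitively, even though `orig_domain->length` has just been validated and is available for a bounded compare; `if (orig_domain->length != strlen(domain->name) || strncasecmp((const char *)orig_domain->data, domain->name, orig_domain->length) != 0) {` would not rely on ldb terminating component values and would tolerate a case difference between the stored origin DN and `domain->name`, if one is possible here. The `ret = ENOENT;` branch is also silent, so a by-id request rejected by this check leaves nothing in the log; a `DEBUG(SSSDBG_TRACE_FUNC, "Override origin is in domain [%.*s], not [%s]\n", (int)orig_domain->length, (const char *)orig_domain->data, domain->name);` before that `goto done` would make the behaviour the commit message describes diagnosable. The comment above the lookup should additionally state that the DN shape is assumed from sysdb's own layout (the origin DN is read back from the cache) and that any other shape is rejected with EINVAL rather than treated as a domain mismatch. sysdb_search_override_by_id begins and ends outside the hunk.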