sssd/0064-NEGCACHE-Always-add-root-to-the-negative-cache.patch

171 lines
6.3 KiB
Diff
Raw Normal View History

2017-09-01 18:52:07 +00:00
From 1e7b7da3aa56060c26f8ba1c08318cdee77753ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Mon, 14 Aug 2017 15:46:10 +0200
Subject: [PATCH 64/93] NEGCACHE: Always add "root" to the negative cache
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The current code only adds "root" to the negative cache in case there's
any other user or group set up in to be added.
As SSSD doesn't handle "root", it should *always* be added to the
negative cache.
Related: https://pagure.io/SSSD/sssd/issue/3460
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/common/negcache.c | 88 +++++++++++++++++++++++++----------------
1 file changed, 54 insertions(+), 34 deletions(-)
diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
index 376c3e6565f218067b57f564ffab06f40e0ae0ca..fc5ae76bce2daf0575d19c89fcd4682f771cc0a2 100644
--- a/src/responder/common/negcache.c
+++ b/src/responder/common/negcache.c
@@ -771,8 +771,8 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
struct resp_ctx *rctx)
{
errno_t ret;
- bool filter_set = false;
char **filter_list = NULL;
+ char **default_list = NULL;
char *name = NULL;
struct sss_domain_info *dom = NULL;
struct sss_domain_info *domain_list = rctx->domains;
@@ -801,7 +801,6 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
&filter_list);
if (ret == ENOENT) continue;
if (ret != EOK) goto done;
- filter_set = true;
for (i = 0; (filter_list && filter_list[i]); i++) {
ret = sss_parse_name_for_domains(tmpctx, domain_list,
@@ -847,22 +846,9 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
/* Populate non domain-specific negative cache user entries */
ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY,
CONFDB_NSS_FILTER_USERS, &filter_list);
- if (ret == ENOENT) {
- if (!filter_set) {
- filter_list = talloc_array(tmpctx, char *, 2);
- if (!filter_list) {
- ret = ENOMEM;
- goto done;
- }
- filter_list[0] = talloc_strdup(tmpctx, "root");
- if (!filter_list[0]) {
- ret = ENOMEM;
- goto done;
- }
- filter_list[1] = NULL;
- }
+ if (ret != EOK && ret != ENOENT) {
+ goto done;
}
- else if (ret != EOK) goto done;
for (i = 0; (filter_list && filter_list[i]); i++) {
ret = sss_parse_name_for_domains(tmpctx, domain_list,
@@ -922,7 +908,6 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
}
/* Populate domain-specific negative cache group entries */
- filter_set = false;
for (dom = domain_list; dom; dom = get_next_domain(dom, 0)) {
conf_path = talloc_asprintf(tmpctx, CONFDB_DOMAIN_PATH_TMPL, dom->name);
if (!conf_path) {
@@ -935,7 +920,6 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
CONFDB_NSS_FILTER_GROUPS, &filter_list);
if (ret == ENOENT) continue;
if (ret != EOK) goto done;
- filter_set = true;
for (i = 0; (filter_list && filter_list[i]); i++) {
ret = sss_parse_name(tmpctx, dom->names, filter_list[i],
@@ -975,22 +959,9 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
/* Populate non domain-specific negative cache group entries */
ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY,
CONFDB_NSS_FILTER_GROUPS, &filter_list);
- if (ret == ENOENT) {
- if (!filter_set) {
- filter_list = talloc_array(tmpctx, char *, 2);
- if (!filter_list) {
- ret = ENOMEM;
- goto done;
- }
- filter_list[0] = talloc_strdup(tmpctx, "root");
- if (!filter_list[0]) {
- ret = ENOMEM;
- goto done;
- }
- filter_list[1] = NULL;
- }
+ if (ret != EOK && ret != ENOENT) {
+ goto done;
}
- else if (ret != EOK) goto done;
for (i = 0; (filter_list && filter_list[i]); i++) {
ret = sss_parse_name_for_domains(tmpctx, domain_list,
@@ -1049,6 +1020,55 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
}
}
+ /* SSSD doesn't handle "root", thus it'll be added to the negative cache
+ * nonetheless what's already added there. */
+ default_list = talloc_array(tmpctx, char *, 2);
+ if (default_list == NULL) {
+ ret= ENOMEM;
+ goto done;
+ }
+ default_list[0] = talloc_strdup(tmpctx, "root");
+ if (default_list[0] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ default_list[1] = NULL;
+
+ /* Populate negative cache users and groups entries for the
+ * "default_list" */
+ for (i = 0; (default_list != NULL && default_list[i] != NULL); i++) {
+ for (dom = domain_list;
+ dom != NULL;
+ dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {
+ fqname = sss_create_internal_fqname(tmpctx,
+ default_list[i],
+ dom->name);
+ if (fqname == NULL) {
+ continue;
+ }
+
+ ret = sss_ncache_set_user(ncache, true, dom, fqname);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to store permanent user filter for"
+ " [%s:%s] (%d [%s])\n",
+ dom->name, default_list[i],
+ ret, strerror(ret));
+ continue;
+ }
+
+ ret = sss_ncache_set_group(ncache, true, dom, fqname);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to store permanent group filter for"
+ " [%s:%s] (%d [%s])\n",
+ dom->name, default_list[i],
+ ret, strerror(ret));
+ continue;
+ }
+ }
+ }
+
ret = EOK;
done:
--
2.14.1