From 34e089bd0084324c36ab40993a45f64e513bac42 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Fri, 22 Aug 2014 15:29:14 +0200
Subject: [PATCH] Do not crash on resolving a group SID in IPA server mode
---
 ...hes-by-SID-in-apply_subdomain_homedi.patch | 69 +++++++++++++++++++
 sssd.spec | 6 +-
 2 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 0001-IPA-handle-searches-by-SID-in-apply_subdomain_homedi.patch
diff --git a/0001-IPA-handle-searches-by-SID-in-apply_subdomain_homedi.patch b/0001-IPA-handle-searches-by-SID-in-apply_subdomain_homedi.patch
new file mode 100644
index 0000000..3d94b32
--- /dev/null
+++ b/0001-IPA-handle-searches-by-SID-in-apply_subdomain_homedi.patch
@@ -0,0 +1,69 @@
+From 82347f452febe3cbffc36b0a3308ffb462515442 Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Tue, 12 Aug 2014 10:32:33 +0200
+Subject: [PATCH] IPA: handle searches by SID in apply_subdomain_homedir
+
+https://fedorahosted.org/sssd/ticket/2391
+
+apply_subdomain_homedir() didn't handle the situation where an entity
+that doesn't match was requested from the cache. For user and group
+lookups this wasn't a problem because the negative match was caught
+sooner.
+
+But SID lookups can match either user or group. When a group SID was
+requested, the preceding LDAP request matched the SID and stored the
+group in the cache. Then apply_subdomain_homedir() only tried to search
+user by SID, didn't find the entry and accessed a NULL pointer.
+
+A simple reproducer is:
+$ python
+>>> import pysss_nss_idmap
+>>> pysss_nss_idmap.getnamebysid(group_sid)
+
+The group_sid can be anything, including Domain Users (XXX-513)
+
+Reviewed-by: Jakub Hrozek
+---
+ src/providers/ipa/ipa_subdomains_id.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
+index 113bc6c06f82bc631b3efa92b87a1cadc7f22605..659bc7c2cba4fd9e4d8b07d79efaa6feede35cb9 100644
+--- a/src/providers/ipa/ipa_subdomains_id.c
++++ b/src/providers/ipa/ipa_subdomains_id.c
+@@ -498,6 +498,9 @@ apply_subdomain_homedir(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
+ 
+ if (filter_type == BE_FILTER_NAME) {
+ ret = sysdb_getpwnam(mem_ctx, dom, filter_value, &res);
++ if (res && res->count == 0) {
++ ret = ENOENT;
++ }
+ } else if (filter_type == BE_FILTER_IDNUM) {
+ errno = 0;
+ uid = strtouint32(filter_value, NULL, 10);
+@@ -506,6 +509,9 @@ apply_subdomain_homedir(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
+ goto done;
+ }
+ ret = sysdb_getpwuid(mem_ctx, dom, uid, &res);
++ if (res && res->count == 0) {
++ ret = ENOENT;
++ }
+ } else if (filter_type == BE_FILTER_SECID) {
+ ret = sysdb_search_user_by_sid_str(mem_ctx, dom, filter_value,
+ attrs, &msg);
+@@ -521,10 +527,9 @@ apply_subdomain_homedir(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
+ "Failed to make request to our cache: [%d]: [%s]\n",
+ ret, sss_strerror(ret));
+ goto done;
+- }
+-
+- if ((res && res->count == 0) || (msg && msg->num_elements == 0)) {
+- ret = ENOENT;
++ } else if (ret == ENOENT) {
++ DEBUG(SSSDBG_TRACE_FUNC, "Cannot find [%s] with search type [%d]\n",
++ filter_value, filter_type);
+ goto done;
+ }
+ 
+-- 
+1.9.3
diff --git a/sssd.spec b/sssd.spec
index 202495a..0ec2551 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -14,7 +14,7 @@ Name: sssd
 Version: 1.12.0
-Release: 6%{?dist}
+Release: 7%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -23,6 +23,7 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 ### Patches ###
+Patch0001: 0001-IPA-handle-searches-by-SID-in-apply_subdomain_homedi.patch
 ### Dependencies ###
 Requires: sssd-common = %{version}-%{release}
@@ -804,6 +805,9 @@ fi
 %postun -n libsss_idmap -p /sbin/ldconfig
 %changelog
+* Fri Aug 22 2014 Jakub Hrozek - 1.12.0-7
+- Do not crash on resolving a group SID in IPA server mode
+
 * Mon Aug 18 2014 Fedora Release Engineering - 1.12.0-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
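Review bot: The added `if (res && res->count == 0)` checks in the BE_FILTER_NAME and BE_FILTER_IDNUM branches of apply_subdomain_homedir() (the -498 and -506 hunks of the new 0001 patch) do not look at `ret` first, so an error returned by sysdb_getpwnam()/sysdb_getpwuid() could be overwritten with ENOENT and then only logged at trace level; gating on success would avoid that, `if (ret == EOK && res != NULL && res->count == 0) {`. Reading `res` after a failed call is also only safe if it is initialised to NULL at its declaration, which is outside the hunk. In the -521 hunk the `msg->num_elements == 0` test is removed, so the BE_FILTER_SECID branch now depends on sysdb_search_user_by_sid_str() returning ENOENT when the SID belongs to a group; a comment such as `/* a SID can also name a group: no user entry is not an error */` above the ENOENT branch would record that. The `done:` label and the callers are not visible, so it is worth confirming that ENOENT from this function does not fail the whole SID lookup.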