Do not crash on resolving a group SID in IPA server mode

Jakub Hrozek 2014-08-22 15:29:14 +02:00
parent a6a5820ca0
commit 34e089bd00
2 changed files with 74 additions and 1 deletions

@ -0,0 +1,69 @@
From 82347f452febe3cbffc36b0a3308ffb462515442 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 12 Aug 2014 10:32:33 +0200
Subject: [PATCH] IPA: handle searches by SID in apply_subdomain_homedir
https://fedorahosted.org/sssd/ticket/2391
apply_subdomain_homedir() didn't handle the situation where an entity
that doesn't match was requested from the cache. For user and group
lookups this wasn't a problem because the negative match was caught
sooner.
But SID lookups can match either user or group. When a group SID was
requested, the preceding LDAP request matched the SID and stored the
group in the cache. Then apply_subdomain_homedir() only tried to search
user by SID, didn't find the entry and accessed a NULL pointer.
A simple reproducer is:
$ python
>>> import pysss_nss_idmap
>>> pysss_nss_idmap.getnamebysid(group_sid)
The group_sid can be anything, including Domain Users (XXX-513)
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/providers/ipa/ipa_subdomains_id.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
index 113bc6c06f82bc631b3efa92b87a1cadc7f22605..659bc7c2cba4fd9e4d8b07d79efaa6feede35cb9 100644
--- a/src/providers/ipa/ipa_subdomains_id.c
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -498,6 +498,9 @@ apply_subdomain_homedir(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
if (filter_type == BE_FILTER_NAME) {
ret = sysdb_getpwnam(mem_ctx, dom, filter_value, &res);
+ if (res && res->count == 0) {
+ ret = ENOENT;
+ }
} else if (filter_type == BE_FILTER_IDNUM) {
errno = 0;
uid = strtouint32(filter_value, NULL, 10);
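Review bot: In the BE_FILTER_NAME branch the added check sets ret to ENOENT whenever res is non-NULL and empty, without first looking at what sysdb_getpwnam() returned, so a genuine error code paired with an empty result would be masked as "not found". Guarding it as `if (ret == EOK && res && res->count == 0)` makes it explicit that res is only interpreted on success.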
@@ -506,6 +509,9 @@ apply_subdomain_homedir(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
goto done;
}
ret = sysdb_getpwuid(mem_ctx, dom, uid, &res);
+ if (res && res->count == 0) {
+ ret = ENOENT;
+ }
} else if (filter_type == BE_FILTER_SECID) {
ret = sysdb_search_user_by_sid_str(mem_ctx, dom, filter_value,
attrs, &msg);
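Review bot: The check added after sysdb_getpwuid() is a verbatim copy of the one in the BE_FILTER_NAME branch, while the BE_FILTER_SECID branch directly below gets no counterpart for msg, which leaves the three branches asymmetric. Either do the empty-result mapping once after the if/else chain, or add a short comment on the SECID branch stating that sysdb_search_user_by_sid_str() is expected to report a miss through its return value.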
@@ -521,10 +527,9 @@ apply_subdomain_homedir(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
"Failed to make request to our cache: [%d]: [%s]\n",
ret, sss_strerror(ret));
goto done;
- }
-
- if ((res && res->count == 0) || (msg && msg->num_elements == 0)) {
- ret = ENOENT;
+ } else if (ret == ENOENT) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Cannot find [%s] with search type [%d]\n",
+ filter_value, filter_type);
goto done;
}
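Review bot: The removed condition also covered `msg && msg->num_elements == 0`, and nothing replaces it for the SECID path, so an EOK return with an empty or NULL msg would now fall through to the code after this block. Since the commit message describes a NULL pointer access on exactly this path, an explicit check that msg is non-NULL before it is used would make the fix robust. A comment that ENOENT is an expected outcome here when the SID belongs to a group would also help, as the TRACE_FUNC message alone does not say so.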
--
1.9.3

@ -14,7 +14,7 @@
Name: sssd Name: sssd
Version: 1.12.0 Version: 1.12.0
Release: 6%{?dist} Release: 7%{?dist}
Group: Applications/System Group: Applications/System
Summary: System Security Services Daemon Summary: System Security Services Daemon
License: GPLv3+ License: GPLv3+
@ -23,6 +23,7 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ### ### Patches ###
Patch0001: 0001-IPA-handle-searches-by-SID-in-apply_subdomain_homedi.patch
### Dependencies ### ### Dependencies ###
Requires: sssd-common = %{version}-%{release} Requires: sssd-common = %{version}-%{release}
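Review bot: Patch0001 is declared here, but none of the three spec hunks in this commit touches %prep, so nothing visible applies the patch. Please confirm that the spec applies declared patches automatically; if it does not, a matching apply step is needed or the rebuilt 1.12.0-7 package will ship without the fix that the changelog entry announces.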
@ -804,6 +805,9 @@ fi
%postun -n libsss_idmap -p /sbin/ldconfig %postun -n libsss_idmap -p /sbin/ldconfig
%changelog %changelog
* Fri Aug 22 2014 Jakub Hrozek <jhrozek@redhat.com> - 1.12.0-7
- Do not crash on resolving a group SID in IPA server mode
* Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.12.0-6 * Mon Aug 18 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.12.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild