1dedfbb334
Resolves: upstream#3588 - sssd_nss consumes more memory until restarted or machine swaps Resolves: failure in glibc tests https://sourceware.org/bugzilla/show_bug.cgi?id=22530 Resolves: upstream#3451 - When sssd is configured with id_provider proxy and auth_provider ldap, login fails if the LDAP server does not allow anonymous binds Resolves: upstream#3285 - SSSD needs restart after incorrect clock is corrected with AD Resolves: upstream#3586 - Give a more detailed debug and system-log message if krb5_init_context() failed Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet in /etc/systemd/system Backport a few upstream features from 1.16.1
From 561b887c08c6199a50f1295071626b3e9040a7d1 Mon Sep 17 00:00:00 2001
|
|
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
Date: Thu, 19 Oct 2017 17:18:15 +0200
|
|
Subject: [PATCH 07/79] SYSDB: Prevent users and groups ID collision in MPG
|
|
domains except for id_provider=local
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
This commit makes the check when adding an object in a MPG domain
|
|
stricter in the sense that not only are the same names not allowed in an MPG
|
|
domain, but also the same groups are not allowed either.
|
|
|
|
This commit is a backwards-incompatible change, but one that is needed,
|
|
otherwise requesting the duplicate group first and then requesting the
|
|
user entry would yield two object when searching by GID.
|
|
|
|
In order to keep backwards-compatibility, this uniqueness is NOT
|
|
enforced with id_provider=local. This constraint can be removed in
|
|
the future (or the local provider can be dropped altogether)
|
|
|
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
|
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
---
|
|
src/db/sysdb_ops.c | 41 ++++++++++++++++++++++++++++++++++++++---
|
|
1 file changed, 38 insertions(+), 3 deletions(-)
|
|
|
|
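diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 0e39a629a5823ff49ed02ec4c08a21b66119f06f..2f8e36c6c9a2c2cefe4af5fb78957763304d989a 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -1960,16 +1960,34 @@ int sysdb_add_user(struct sss_domain_info *domain,
 }
 
 if (domain->mpg) {
- /* In MPG domains you can't have groups with the same name as users,
- * search if a group with the same name exists.
+ /* In MPG domains you can't have groups with the same name or GID
+ * as users, search if a group with the same name exists.
 * Don't worry about users, if we try to add a user with the same
 * name the operation will fail */
 
 ret = sysdb_search_group_by_name(tmp_ctx, domain, name, NULL, &msg);
 if (ret != ENOENT) {
- if (ret == EOK) ret = EEXIST;
+ if (ret == EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Group named %s already exists in an MPG domain\n",
+ name);
+ ret = EEXIST;
+ }
 goto done;
 }
+
+ if (strcasecmp(domain->provider, "local") != 0) {
+ ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg);
+ if (ret != ENOENT) {
+ if (ret == EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Group with GID [%"SPRIgid"] already exists in an "
+ "MPG domain\n", gid);
+ ret = EEXIST;
+ }
+ goto done;
+ }
+ }
 }
 
 /* check no other user with the same uid exist */
@@ -2177,6 +2195,23 @@ int sysdb_add_group(struct sss_domain_info *domain,
 }
 goto done;
 }
+
+ if (strcasecmp(domain->provider, "local") != 0) {
+ ret = sysdb_search_user_by_uid(tmp_ctx, domain, gid, NULL, &msg);
+ if (ret != ENOENT) {
+ if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "User with the same UID exists in MPG domain: "
+ "[%"SPRIgid"].\n", gid);
+ ret = EEXIST;
+ } else {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "sysdb_search_user_by_uid failed for gid: "
+ "[%"SPRIgid"].\n", gid);
+ }
+ goto done;
+ }
+ }
 }
 
 /* check no other groups with the same gid exist */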
--
|
|
2.15.1
|
|
|