sssd/0007-SYSDB-Prevent-users-and-groups-ID-collision-in-MPG-d.patch
Lukas Slebodnik 1dedfbb334 Resolves: upstream#3523 - ABRT crash - /usr/libexec/sssd/sssd_nss in setnetgrent_result_timeout
Resolves: upstream#3588 - sssd_nss consumes more memory until restarted
                          or machine swaps
Resolves: failure in glibc tests
          https://sourceware.org/bugzilla/show_bug.cgi?id=22530
Resolves: upstream#3451 - When sssd is configured with id_provider proxy and
                          auth_provider ldap, login fails if the LDAP server
                          is not allowing anonymous binds
Resolves: upstream#3285 - SSSD needs restart after incorrect clock is
                          corrected with AD
Resolves: upstream#3586 - Give a more detailed debug and system-log message
                          if krb5_init_context() failed
Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet
                         in /etc/systemd/system
Backport few upstream features from 1.16.1
2017-12-04 21:42:37 +01:00

97 lines
3.6 KiB
Diff

From 561b887c08c6199a50f1295071626b3e9040a7d1 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Thu, 19 Oct 2017 17:18:15 +0200
Subject: [PATCH 07/79] SYSDB: Prevent users and groups ID collision in MPG
domains except for id_provider=local
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This commit makes the check when adding an object in a MPG domain
stricter in the sense that not only same names are allowed in a MPG
domain, but also the same groups are not allowed either.
This commit is a backwards-incompatible change, but one that is needed,
otherwise requesting the duplicate group first and then requesting the
user entry would yield two object when searching by GID.
In order to keep backwards-compatibility, this uniqueness is NOT
enforced with id_provider=local. This constraint can be removed in
the future (or the local provider can be dropped altogether)
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
---
src/db/sysdb_ops.c | 41 ++++++++++++++++++++++++++++++++++++++---
1 file changed, 38 insertions(+), 3 deletions(-)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 0e39a629a5823ff49ed02ec4c08a21b66119f06f..2f8e36c6c9a2c2cefe4af5fb78957763304d989a 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -1960,16 +1960,34 @@ int sysdb_add_user(struct sss_domain_info *domain,
}
if (domain->mpg) {
- /* In MPG domains you can't have groups with the same name as users,
- * search if a group with the same name exists.
+ /* In MPG domains you can't have groups with the same name or GID
+ * as users, search if a group with the same name exists.
* Don't worry about users, if we try to add a user with the same
* name the operation will fail */
ret = sysdb_search_group_by_name(tmp_ctx, domain, name, NULL, &msg);
if (ret != ENOENT) {
- if (ret == EOK) ret = EEXIST;
+ if (ret == EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Group named %s already exists in an MPG domain\n",
+ name);
+ ret = EEXIST;
+ }
goto done;
}
+
+ if (strcasecmp(domain->provider, "local") != 0) {
+ ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg);
+ if (ret != ENOENT) {
+ if (ret == EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Group with GID [%"SPRIgid"] already exists in an "
+ "MPG domain\n", gid);
+ ret = EEXIST;
+ }
+ goto done;
+ }
+ }
}
/* check no other user with the same uid exist */
@@ -2177,6 +2195,23 @@ int sysdb_add_group(struct sss_domain_info *domain,
}
goto done;
}
+
+ if (strcasecmp(domain->provider, "local") != 0) {
+ ret = sysdb_search_user_by_uid(tmp_ctx, domain, gid, NULL, &msg);
+ if (ret != ENOENT) {
+ if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "User with the same UID exists in MPG domain: "
+ "[%"SPRIgid"].\n", gid);
+ ret = EEXIST;
+ } else {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "sysdb_search_user_by_uid failed for gid: "
+ "[%"SPRIgid"].\n", gid);
+ }
+ goto done;
+ }
+ }
}
/* check no other groups with the same gid exist */
--
2.15.1