The branch, master has been updated via 8f8e843 s3:winbind: add a warning DEBUG message when skipping a sid from the mapped GID list via 482212e s3:winbind: change getgroups to only do one sids2xids call instead of many via 6e41745 s3:winbind: fix the getgroups implementation to include the user sid's GID in case of ID_TYPE_BOTH via f62219e s3:winbind: fix gid counting and error handling in the getgroups implementation from 45f5ea0 dns: Update TODO list
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 8f8e843267636b5fea076014980031afc2c0a7b4 Author: Michael Adam <ob...@samba.org> Date: Fri Jul 26 12:26:30 2013 +0200 s3:winbind: add a warning DEBUG message when skipping a sid from the mapped GID list This presents a potential security problem when ACLs contain DENY ACEs. Pair-Programmed-With: Stefan Metzmacher <me...@samba.org> Signed-off-by: Michael Adam <ob...@samba.org> Signed-off-by: Stefan Metzmacher <me...@samba.org> Autobuild-User(master): Michael Adam <ob...@samba.org> Autobuild-Date(master): Mon Jul 29 14:42:27 CEST 2013 on sn-devel-104 commit 482212e3d348e4247759cbca9507db74f61f9703 Author: Michael Adam <ob...@samba.org> Date: Fri Jul 26 12:25:27 2013 +0200 s3:winbind: change getgroups to only do one sids2xids call instead of many Pair-Programmed-With: Stefan Metzmacher <me...@samba.org> Signed-off-by: Michael Adam <ob...@samba.org> Signed-off-by: Stefan Metzmacher <me...@samba.org> commit 6e41745173989dff1b4e2f03e174e9d1020857d5 Author: Michael Adam <ob...@samba.org> Date: Fri Jul 26 11:32:34 2013 +0200 s3:winbind: fix the getgroups implementation to include the user sid's GID in case of ID_TYPE_BOTH This is important for acl checks on the unix level where only a group ace has been added to the ACL for the user sid, e.g. when accessing Files with nfs or local unix processes. Signed-off-by: Michael Adam <ob...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit f62219e71af69ec8b331500b75fd5fd77d51a636 Author: Michael Adam <ob...@samba.org> Date: Fri Jul 26 11:31:41 2013 +0200 s3:winbind: fix gid counting and error handling in the getgroups implementation Pair-Programmed-With: Stefan Metzmacher <me...@samba.org> Signed-off-by: Michael Adam <ob...@samba.org> 
Signed-off-by: Stefan Metzmacher <me...@samba.org> ----------------------------------------------------------------------- Summary of changes: source3/winbindd/winbindd_getgroups.c | 102 +++++++++++++++++++++++---------- 1 files changed, 71 insertions(+), 31 deletions(-) Changeset truncated at 500 lines:
diff --git a/source3/winbindd/winbindd_getgroups.c b/source3/winbindd/winbindd_getgroups.c
index 1774901..b899beb 100644
--- a/source3/winbindd/winbindd_getgroups.c
+++ b/source3/winbindd/winbindd_getgroups.c
@@ -29,7 +29,6 @@ struct winbindd_getgroups_state {
 	enum lsa_SidType type;
 	int num_sids;
 	struct dom_sid *sids;
-	int next_sid;
 	int num_gids;
 	gid_t *gids;
 };
@@ -124,18 +123,13 @@ static void winbindd_getgroups_gettoken_done(struct tevent_req *subreq)
 	/*
 	 * Convert the group SIDs to gids. state->sids[0] contains the user
-	 * sid, so start at index 1.
+	 * sid. If the idmap backend uses ID_TYPE_BOTH, we might need the
+	 * the id of the user sid in the list of group sids, so map the
+	 * complete token.
 	 */
-	state->gids = talloc_array(state, gid_t, state->num_sids-1);
-	if (tevent_req_nomem(state->gids, req)) {
-		return;
-	}
-	state->num_gids = 0;
-	state->next_sid = 1;
-
 	subreq = wb_sids2xids_send(state, state->ev,
-				   &state->sids[state->next_sid], 1);
+				   state->sids, state->num_sids);
 	if (tevent_req_nomem(subreq, req)) {
 		return;
 	}
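Review bot: The rewritten comment in the winbindd_getgroups_gettoken_done hunk reads "we might need the the id of the user sid", a doubled "the"; change the two lines to `* sid. If the idmap backend uses ID_TYPE_BOTH, we might need the` and `* id of the user sid in the list of group sids, so map the`. Its first sentence, "Convert the group SIDs to gids", also no longer matches the call below it, which now passes the whole token including state->sids[0]; "Convert the token's SIDs to gids" would describe the new wb_sids2xids_send(state->sids, state->num_sids) call. winbindd_getgroups_gettoken_done begins before this hunk.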
@@ -149,38 +143,84 @@ static void winbindd_getgroups_sid2gid_done(struct tevent_req *subreq)
 	struct winbindd_getgroups_state *state = tevent_req_data(
 		req, struct winbindd_getgroups_state);
 	NTSTATUS status;
-	struct unixid xid;
+	struct unixid *xids;
+	int i;
-	xid.type = ID_TYPE_NOT_SPECIFIED;
-	xid.id = UINT32_MAX;
+	xids = talloc_array(state, struct unixid, state->num_sids);
+	if (tevent_req_nomem(xids, req)) {
+		return;
+	}
+	for (i=0; i < state->num_sids; i++) {
+		xids[i].type = ID_TYPE_NOT_SPECIFIED;
+		xids[i].id = UINT32_MAX;
+	}
-	status = wb_sids2xids_recv(subreq, &xid);
+	status = wb_sids2xids_recv(subreq, xids);
 	TALLOC_FREE(subreq);
-	if (xid.type == ID_TYPE_GID || xid.type == ID_TYPE_BOTH) {
-		state->gids[state->num_gids] = (gid_t)xid.id;
-	} else {
-		state->gids[state->num_gids] = (uid_t)-1;
+	if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED) ||
+	    NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED))
+	{
+		status = NT_STATUS_OK;
 	}
-
-	/*
-	 * In case of failure, just continue with the next gid
-	 */
-	if (NT_STATUS_IS_OK(status)) {
-		state->num_gids += 1;
+	if (tevent_req_nterror(req, status)) {
+		return;
 	}
-	state->next_sid += 1;
-	if (state->next_sid >= state->num_sids) {
-		tevent_req_done(req);
+	state->gids = talloc_array(state, gid_t, state->num_sids);
+	if (tevent_req_nomem(state->gids, req)) {
 		return;
 	}
+	state->num_gids = 0;
-	subreq = wb_sids2xids_send(state, state->ev,
-				   &state->sids[state->next_sid], 1);
-	if (tevent_req_nomem(subreq, req)) {
+	for (i=0; i < state->num_sids; i++) {
+		bool include_gid = false;
+		const char *debug_missing = NULL;
+
+		switch (xids[i].type) {
+		case ID_TYPE_NOT_SPECIFIED:
+			debug_missing = "not specified";
+			break;
+		case ID_TYPE_UID:
+			if (i != 0) {
+				debug_missing = "uid";
+			}
+			break;
+		case ID_TYPE_GID:
+		case ID_TYPE_BOTH:
+			include_gid = true;
+			break;
+		}
+
+		if (!include_gid) {
+			if (debug_missing == NULL) {
+				continue;
+			}
+
+			DEBUG(10, ("WARNING: skipping unix id (%u) for sid %s "
+				   "from group list because 
the idmap type "
+				   "is %s. "
+				   "This might be a security problem when ACLs "
+				   "contain DENY ACEs!\n",
+				   (unsigned)xids[i].id,
+				   sid_string_tos(&state->sids[i]),
+				   debug_missing));
+			continue;
+		}
+
+		state->gids[state->num_gids] = (gid_t)xids[i].id;
+		state->num_gids += 1;
+	}
+
+	/*
+	 * This should not fail, as it does not do any reallocation,
+	 * just updating the talloc size.
+	 */
+	state->gids = talloc_realloc(state, state->gids, gid_t, state->num_gids);
+	if (tevent_req_nomem(state->gids, req)) {
 		return;
 	}
-	tevent_req_set_callback(subreq, winbindd_getgroups_sid2gid_done, req);
+
+	tevent_req_done(req);
 }
 NTSTATUS winbindd_getgroups_recv(struct tevent_req *req,
-- Samba Shared Repository
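Review bot: The shrinking `talloc_realloc(state, state->gids, gid_t, state->num_gids)` near the end of the hunk breaks the empty-result case: when no SID maps to a gid (the NT_STATUS_NONE_MAPPED outcome this hunk deliberately converts to NT_STATUS_OK) num_gids is 0, and as I read talloc's contract a realloc to a count of 0 frees the array and returns NULL, so the tevent_req_nomem() right after it fails the request with NT_STATUS_NO_MEMORY instead of completing with an empty group list, and the comment "This should not fail" above it is wrong for exactly that case. Guard the shrink with `if (state->num_gids > 0) {` … `}` around the realloc and its nomem check (or drop the shrink altogether, since the over-allocation is at most num_sids entries) so the function reaches tevent_req_done() with num_gids == 0. Separately, the skip message that the commit itself describes as a potential security problem is emitted with DEBUG(10, …), a verbosity that is rarely enabled outside debugging sessions, so the operators it is aimed at will not see it; level 1 or 2 would make it visible, weighed against the per-request log volume. The switch on xids[i].type has no `default:` arm, so an idmap type not listed is dropped from the list with no message at all; `default: debug_missing = "unknown"; break;` keeps the warning exhaustive. The opening lines of winbindd_getgroups_sid2gid_done (the req lookup) precede the hunk.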