-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 One of my previous patches disallowed adding users and groups outside known domains but I forgot disallowing modifying, deleting, etc.
Fixes: ticket #114 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkqOZ7QACgkQHsardTLnvCWAyACePh6G5RKsvhlIVSKwRfeASHw3 rGAAn0XX6gphj2xLgPOvRb1NS9JboqWZ =J7zs -----END PGP SIGNATURE-----
>From 642a57b199d8817596874f5d2ea9b264838fa290 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Fri, 21 Aug 2009 11:18:49 +0200
Subject: [PATCH] Disallow all legacy operations outside domains

One of the previous patches disallowed adding users and groups outside known domains but it was missing disallowing modifying, deleting, etc.
Fixes: ticket #114
---
 server/tools/sss_groupdel.c | 6 +++++-
 server/tools/sss_groupmod.c | 6 +++++-
 server/tools/sss_userdel.c | 6 +++++-
 server/tools/sss_usermod.c | 6 +++++-
 4 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/server/tools/sss_groupdel.c b/server/tools/sss_groupdel.c
index 2c6d049..a70e415 100644
--- a/server/tools/sss_groupdel.c
+++ b/server/tools/sss_groupdel.c
@@ -141,7 +141,6 @@ int main(int argc, const char **argv)
 break;
 case ID_IN_LEGACY_LOCAL:
- case ID_OUTSIDE:
 ret = groupdel_legacy(data);
 if(ret != EOK) {
 ERROR("Cannot delete group from domain using the legacy tools\n");
@@ -150,6 +149,11 @@ int main(int argc, const char **argv)
 }
 break; /* Also delete possible cached entries in sysdb */
+ case ID_OUTSIDE:
+ ERROR("The selected GID is outside all domain ranges\n");
+ ret = EXIT_FAILURE;
+ goto fini;
+
 case ID_IN_OTHER:
 DEBUG(1, ("Cannot remove group from domain %s\n", data->domain->name));
 ERROR("Unsupported domain type\n");
diff --git a/server/tools/sss_groupmod.c b/server/tools/sss_groupmod.c
index 4f681ea..2fc985b 100644
--- a/server/tools/sss_groupmod.c
+++ b/server/tools/sss_groupmod.c
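Review bot: The new `case ID_OUTSIDE:` arm in sss_groupdel.c jumps straight to `fini`, whereas before this change ID_OUTSIDE shared the legacy arm, whose `break` is annotated `/* Also delete possible cached entries in sysdb */`. An out-of-range GID therefore no longer reaches whatever cleanup follows the switch; that code is outside the hunk, so this is inferred from the comment alone. If skipping it is intended, a comment above the new arm would record the decision, e.g. `/* Refuse before touching sysdb: this GID belongs to no configured domain */`. The second sss_userdel.c hunk has the same shape, and main()'s switch starts and ends outside both hunks.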
@@ -222,13 +222,17 @@ int main(int argc, const char **argv)
 break;
 case ID_IN_LEGACY_LOCAL:
- case ID_OUTSIDE:
 ret = groupmod_legacy(data->ctx, data, data->domain);
 if(ret != EOK) {
 ERROR("Cannot delete group from domain using the legacy tools\n");
 }
 goto fini;
+ case ID_OUTSIDE:
+ ERROR("The selected GID is outside all domain ranges\n");
+ ret = EXIT_FAILURE;
+ goto fini;
+
 case ID_IN_OTHER:
 DEBUG(1, ("Cannot modify group from domain %s\n", data->domain->name));
 ERROR("Unsupported domain type\n");
diff --git a/server/tools/sss_userdel.c b/server/tools/sss_userdel.c
index 38bb83b..bc08990 100644
--- a/server/tools/sss_userdel.c
+++ b/server/tools/sss_userdel.c
@@ -140,7 +140,6 @@ int main(int argc, const char **argv)
 break;
 case ID_IN_LEGACY_LOCAL:
- case ID_OUTSIDE:
 ret = userdel_legacy(data);
 if(ret != EOK) {
 ERROR("Cannot delete user from domain using the legacy tools\n");
@@ -149,6 +148,11 @@ int main(int argc, const char **argv)
 }
 break; /* Also delete possible cached entries in sysdb */
+ case ID_OUTSIDE:
+ ERROR("The selected UID is outside all domain ranges\n");
+ ret = EXIT_FAILURE;
+ goto fini;
+
 case ID_IN_OTHER:
 DEBUG(1, ("Cannot remove user from domain %s\n", data->domain->name));
 ERROR("Unsupported domain type\n");
diff --git a/server/tools/sss_usermod.c b/server/tools/sss_usermod.c
index 23ae3cc..cdc8e3f 100644
--- a/server/tools/sss_usermod.c
+++ b/server/tools/sss_usermod.c
@@ -290,7 +290,6 @@ int main(int argc, const char **argv)
 break;
 case ID_IN_LEGACY_LOCAL:
- case ID_OUTSIDE:
 ret = usermod_legacy(data->ctx, data, pc_uid, pc_gid, pc_gecos, pc_home, pc_shell, pc_lock, data->domain);
 if(ret != EOK) {
@@ -298,6 +297,11 @@ int main(int argc, const char **argv)
 }
 goto fini;
+ case ID_OUTSIDE:
+ ERROR("The selected UID is outside all domain ranges\n");
+ ret = EXIT_FAILURE;
+ goto fini;
+
 case ID_IN_OTHER:
 DEBUG(1, ("Cannot modify user from domain %s\n", data->domain->name));
 ERROR("Unsupported domain type\n");
--
1.6.2.5
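Review bot: In the sss_groupmod.c hunk the legacy arm still reports "Cannot delete group from domain using the legacy tools" when `groupmod_legacy()` fails, so an operator reading the error sees a delete where a modify was attempted. Since the commit already edits this arm, the message could be corrected in the same change: `ERROR("Cannot modify group from domain using the legacy tools\n");`. Separately, the legacy arm reaches `fini` with whatever `groupmod_legacy()` returned while the new arm sets `EXIT_FAILURE`. How `fini` turns `ret` into the exit status is outside the hunk, so it is worth confirming that both refusal paths exit non-zero in the same way.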
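Review bot: The `case ID_OUTSIDE:` arm added in the second sss_usermod.c hunk refuses the operation with only the user-facing `ERROR(...)`, while the neighbouring `ID_IN_OTHER` arm also leaves a `DEBUG(1, ...)` record. A refused attempt to change an account outside every domain range is worth a debug trace, e.g. `DEBUG(1, ("Refusing to modify a user whose UID is outside all domain ranges\n"));`. The line should not dereference `data->domain`, because nothing visible shows it is set when no domain matched. The same applies to the ID_OUTSIDE arms added in sss_groupdel.c, sss_groupmod.c and sss_userdel.c; the switch itself starts and ends outside these hunks.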