-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Fixes: #240
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkrxfaEACgkQHsardTLnvCV42ACfR7q6eEBeOIXtxntfXVT9SjzD
7moAoNlJLNnYWsxt5ouosuC8xn/DU6p6
=MVy0
-----END PGP SIGNATURE-----
>From 1a558b9024bee8d27d5c689939274b5f0f135aee Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Mon, 2 Nov 2009 11:40:21 +0100
Subject: [PATCH] Do not delete users, groups outside domain range

Fixes: 240
---
 server/tools/sss_groupdel.c |   17 +++++++++++++++++
 server/tools/sss_userdel.c  |   27 ++++++++++++++++-----------
 2 files changed, 33 insertions(+), 11 deletions(-)

diff --git a/server/tools/sss_groupdel.c b/server/tools/sss_groupdel.c
index d6e3dfd..80e2244 100644
--- a/server/tools/sss_groupdel.c
+++ b/server/tools/sss_groupdel.c
@@ -90,6 +90,23 @@ int main(int argc, const char **argv)
         goto fini;
     }
 
+    ret = sysdb_getgrnam_sync(tctx, tctx->ev, tctx->sysdb,
+                              tctx->octx->name, tctx->local,
+                              &tctx->octx);
+    if (ret != EOK) {
+        ERROR("Cannot find group in local domain, "
+              "modifying groups is allowed only in local domain\n");
+        ret = EXIT_FAILURE;
+        goto fini;
+    }
+
+    if (id_in_range(tctx->octx->gid, tctx->octx->domain) != EOK) {
+        ERROR("Group %s is outside the defined ID range for domain\n",
+              tctx->octx->name);
+        ret = EXIT_FAILURE;
+        goto fini;
+    }
+
     start_transaction(tctx);
     if (tctx->error != EOK) {
         goto done;
diff --git a/server/tools/sss_userdel.c b/server/tools/sss_userdel.c
index d4088cb..9266e6b 100644
--- a/server/tools/sss_userdel.c
+++ b/server/tools/sss_userdel.c
@@ -121,17 +121,22 @@ int main(int argc, const char **argv)
         goto fini;
     }
 
-    if (tctx->octx->remove_homedir) {
-        ret = sysdb_getpwnam_sync(tctx,
-                                  tctx->ev,
-                                  tctx->sysdb,
-                                  tctx->octx->name,
-                                  tctx->local,
-                                  &tctx->octx);
-        if (ret != EOK) {
-            /* Error message will be printed in the switch */
-            goto done;
-        }
+    ret = sysdb_getpwnam_sync(tctx,
+                              tctx->ev,
+                              tctx->sysdb,
+                              tctx->octx->name,
+                              tctx->local,
+                              &tctx->octx);
+    if (ret != EOK) {
+        /* Error message will be printed in the switch */
+        goto done;
+    }
+
+    if (id_in_range(tctx->octx->uid, tctx->octx->domain) != EOK) {
+        ERROR("User %s is outside the defined ID range for domain\n",
+              tctx->octx->name);
+        ret = EXIT_FAILURE;
+        goto fini;
     }
 
     start_transaction(tctx);
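Review bot: The two new failure paths follow different conventions: a lookup failure does `goto done` and relies on the switch there to print the message, while an out-of-range UID prints its own message and does `goto fini` with `ret = EXIT_FAILURE`, so the `done` switch (outside the hunk) must never be reached with EXIT_FAILURE in `ret`, and a reader has to know both conventions to follow two adjacent checks. Because the lookup is now unconditional, `tctx->octx` is overwritten on every run before `remove_homedir` is consulted later in main(); if `sysdb_getpwnam_sync` allocates a fresh ops context instead of filling in the existing one, the command-line flag is lost — the previous code only ran the lookup on the remove-homedir path, so this cannot be inferred from the old behaviour and deserves a run with the remove-homedir option. A one-line comment above the lookup would make the ordering explicit: `/* Fetch the user first: id_in_range() needs the stored uid and domain, not the command-line name. */`. main() begins and ends outside the hunk.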
-- 
1.6.2.5

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
