If the user's primary GID was not provided by the SSSD domain, we would
throw an error and fail the access check.

This is not a security vulnerability, as it would never allow an
unauthorized user access; it would only deny access to valid users.
From 27151ee3254a645f9f8f35fe668d366938163f17 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgall...@redhat.com>
Date: Mon, 25 Apr 2011 15:23:38 -0400
Subject: [PATCH] simple provider: Don't treat primary GID lookup failures as fatal

---
 src/providers/simple/simple_access.c |   32 +++++++++++++++++++-------------
 1 files changed, 19 insertions(+), 13 deletions(-)

diff --git a/src/providers/simple/simple_access.c b/src/providers/simple/simple_access.c
index a54bad0001c75cf22cbb01874a8549718e50e931..e2fc0755ccbe9cc19675d1adce06741e59a7eccb 100644
--- a/src/providers/simple/simple_access.c
+++ b/src/providers/simple/simple_access.c
@@ -158,22 +158,28 @@ errno_t simple_access_check(struct simple_ctx *ctx, const char *username,
     if (ret != EOK) {
         DEBUG(1, ("Could not look up primary group [%lu]: [%d][%s]\n",
                   gid, ret, strerror(ret)));
-        goto done;
-    }
+        /* We have to treat this as non-fatal, because the primary
+         * group may be local to the machine and not available in
+         * our ID provider.
+         */
+    } else {
+        primary_group = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+        if (!primary_group) {
+            ret = EINVAL;
+            goto done;
+        }
 
-    primary_group = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
-    if (!primary_group) {
-        ret = EINVAL;
-        goto done;
-    }
+        groups[j] = talloc_strdup(tmp_ctx, primary_group);
+        if (!groups[j]) {
+            ret = ENOMEM;
+            goto done;
+        }
+        j++;
 
-    groups[j] = talloc_strdup(tmp_ctx, primary_group);
-    if (!groups[j]) {
-        ret = ENOMEM;
-        goto done;
+        talloc_zfree(msg);
     }
-    groups[j+1] = NULL;
-    talloc_zfree(msg);
+
+    groups[j] = NULL;
 
     /* Now process allow and deny group rules
      * If access was already granted above, we'll skip
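Review bot: in the `if (ret != EOK)` branch, `ret` still carries the lookup error when control falls through to the allow/deny group processing below; unless some later statement in the function overwrites it before `done:`, the function would return that error and the failure the new comment declares non-fatal would still deny access, so add `ret = EOK;` right after the comment (or guard the remainder so it does not depend on the stale value). Since a missing primary group is now an expected condition for machine-local groups, the `DEBUG(1, ...)` level in the same branch also reads as too severe for a routine case; a lower debug level would keep it out of critical-error logging.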
-- 
1.7.4.4

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel