On Tue, Oct 16, 2012 at 11:47:12AM +0200, Stef Walter wrote:
> When I have the following in a domain in sssd.conf:
>
> access_provider = simple
> simple_allow_users =
>
> ... any user is allowed to log in, despite the list being empty. The
> documentation states:
>
> · If either or both "allow" lists are provided, all users are denied
> unless they appear in the list.
>
> The list is provided, albeit empty. The simple access provider
> however treats it as if it is not provided.
>
> Since sssd.conf is often machine driven, this sort of unexpected
> behavior leads to security problems like: removing a user from the
> simple_allow_users acl leads to any user being allowed.
>
> I've worked around this behavior in realmd, by using a comma:
>
> Bug: https://bugs.freedesktop.org/show_bug.cgi?id=56027
> Patch: https://bugs.freedesktop.org/attachment.cgi?id=68615
>
> Attached is a rough patch to sssd which fixes the problem. If you
> think it's worth fixing, I'll do more testing on it.
>
> Cheers,
>
> Stef
I was wondering for a while whether to change the behaviour directly in
confdb_get_string_as_list() but I think the attached patch takes a better
approach because the other consumers of confdb_get_string_as_list() do not see
any difference between an empty and a missing parameter.

The patch works as advertized; there is just one compilation warning:

src/providers/simple/simple_access.c: In function 'get_conf_list_or_empty':
src/providers/simple/simple_access.c:284:9: warning: unused variable 'r' [-Wunused-variable]

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
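As an added example that is not part of this thread or of sssd's own code, the two behaviours under discussion side by side in C: simple_access_check() applies the documented rule (an allow list that is present but empty denies everyone), while simple_access_check_buggy() reproduces the pre-patch behaviour in which an empty list is treated as absent, and shows why the realmd comma workaround still works there. All names here are hypothetical, only simple_allow_users and simple_deny_users are modelled (the group lists are ignored), and NULL stands for an option missing from sssd.conf.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical names: outcome of an access check. */
enum access_result { ACCESS_ALLOWED, ACCESS_DENIED };

/* True if `user` is an entry of the comma-separated `list`.
 * Spaces around entries are ignored; NULL, "" and "," match nothing. */
static bool list_contains(const char *list, const char *user)
{
    if (list == NULL || *user == '\0') return false;
    size_t ulen = strlen(user);
    const char *p = list;
    while (*p != '\0') {
        while (*p == ' ' || *p == ',') p++;        /* skip separators */
        const char *start = p;
        while (*p != '\0' && *p != ',') p++;       /* scan one entry */
        const char *end = p;
        while (end > start && end[-1] == ' ') end--; /* trim trailing spaces */
        if ((size_t)(end - start) == ulen && memcmp(start, user, ulen) == 0)
            return true;
    }
    return false;
}

/* Documented semantics: a deny entry wins; if an allow list is *provided*
 * (allow_users != NULL, even when it is ""), only listed users get in.
 * allow_users == NULL models the option being absent from sssd.conf. */
enum access_result simple_access_check(const char *user, const char *allow_users, const char *deny_users)
{
    if (list_contains(deny_users, user))
        return ACCESS_DENIED;
    if (allow_users != NULL)
        return list_contains(allow_users, user) ? ACCESS_ALLOWED : ACCESS_DENIED;
    return ACCESS_ALLOWED;   /* no allow list at all: everyone not denied */
}

/* Pre-patch behaviour from the bug report: an empty allow list is
 * indistinguishable from a missing one, so "simple_allow_users =" allows all.
 * The realmd workaround "simple_allow_users = ," is non-empty, so it denies. */
enum access_result simple_access_check_buggy(const char *user, const char *allow_users, const char *deny_users)
{
    bool empty = (allow_users != NULL && allow_users[0] == '\0');
    return simple_access_check(user, empty ? NULL : allow_users, deny_users);
}
```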