URL: https://github.com/SSSD/sssd/pull/464 Author: fidencio Title: #464: SYSDB: Properly handle name/gid override when using domain resolution order Action: synchronized
From 0d14ff55953749030f49a846695920501102ec2a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com>
Date: Tue, 5 Dec 2017 21:14:09 +0100
Subject: [PATCH] SYSDB: Properly handle name/gid override when using domain resolution order
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When using name/gid override together with domain resolution order the mpg name/gid may be returned instead of the overridden one. In order to avoid that, let's add a check in case the domain supports mpg so we can ensure that the originalADname and originalADgidNumber attributes are the very same as the ones searched and then normally proceed with the current flow in the code. In case those are not the same, we *must* follow the code path for the non-mpg domains and then return the proper values.

Resolves: https://pagure.io/SSSD/sssd/issue/3595

Signed-off-by: Fabiano FidĂȘncio <fiden...@redhat.com>
---
 src/db/sysdb.h | 2 ++
 src/db/sysdb_search.c | 74 ++++++++++++++++++++++++++++++++++++++++++++++-----
 2 files changed, 70 insertions(+), 6 deletions(-)

diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index fd18ecefe..33004c6b9 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -258,6 +258,8 @@
     SYSDB_OVERRIDE_OBJECT_DN, \
     SYSDB_DEFAULT_OVERRIDE_NAME, \
     SYSDB_UUID, \
+    ORIGINALAD_PREFIX SYSDB_NAME, \
+    ORIGINALAD_PREFIX SYSDB_GIDNUM, \
     NULL}
 
 #define SYSDB_NETGR_ATTRS {SYSDB_NAME, SYSDB_NETGROUP_TRIPLE, \
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index a6a81e23d..0defa2f5f 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -892,6 +892,7 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx,
     struct ldb_dn *base_dn;
     struct ldb_result *res;
     char *lc_sanitized_name;
+    const char *originalad_sanitized_name;
     int ret;
 
     tmp_ctx = talloc_new(NULL);
@@ -899,10 +900,47 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx,
         return ENOMEM;
     }
 
+    ret = sss_filter_sanitize_for_dom(tmp_ctx, name, domain,
+                                      &sanitized_name, &lc_sanitized_name);
+    if (ret != EOK) {
+        goto done;
+    }
+
     if (domain->mpg) {
+        /* In case the domain supports magic private groups we *must*
+         * check whether the searched name is the very same as the
+         * originalADname attribute.
+         *
+         * In case those are not the same, we're dealing with an
+         * override and in order to return the proper overridden group
+         * we must use the very same search used by a non-mpg domain
+         */
         fmt_filter = SYSDB_GRNAM_MPG_FILTER;
         base_dn = ldb_dn_new_fmt(tmp_ctx, domain->sysdb->ldb,
                                  SYSDB_DOM_BASE, domain->name);
+        if (base_dn == NULL) {
+            ret = ENOMEM;
+            goto done;
+        }
+
+        ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn,
+                         LDB_SCOPE_SUBTREE, attrs, fmt_filter,
+                         lc_sanitized_name, sanitized_name, sanitized_name);
+        if (ret != EOK) {
+            ret = sysdb_error_to_errno(ret);
+            goto done;
+        }
+
+        if (res->count > 0) {
+            originalad_sanitized_name = ldb_msg_find_attr_as_string(
+                    res->msgs[0], ORIGINALAD_PREFIX SYSDB_NAME, NULL);
+
+            if (originalad_sanitized_name != NULL
+                    && strcmp(originalad_sanitized_name, sanitized_name) != 0) {
+                fmt_filter = SYSDB_GRNAM_FILTER;
+                base_dn = sysdb_group_base_dn(tmp_ctx, domain);
+            }
+        }
     } else {
         fmt_filter = SYSDB_GRNAM_FILTER;
         base_dn = sysdb_group_base_dn(tmp_ctx, domain);
@@ -912,12 +950,6 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx,
         goto done;
     }
 
-    ret = sss_filter_sanitize_for_dom(tmp_ctx, name, domain,
-                                      &sanitized_name, &lc_sanitized_name);
-    if (ret != EOK) {
-        goto done;
-    }
-
     ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn,
                      LDB_SCOPE_SUBTREE, attrs, fmt_filter,
                      lc_sanitized_name, sanitized_name, sanitized_name);
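Review bot: The override test `strcmp(originalad_sanitized_name, sanitized_name) != 0` compares the stored originalADname value with the filter-escaped, original-case lookup name, while the search itself also matches `lc_sanitized_name` case-insensitively; a name that differs only in case on a case-insensitive domain, or one containing LDAP filter metacharacters, is therefore misclassified as overridden and diverted to the non-mpg search, which cannot return an mpg group. Comparing the raw input under the domain's case rule, `if (originalad_sanitized_name != NULL && !sss_string_equal(domain->case_sensitive, name, originalad_sanitized_name))`, and renaming the variable to `originalad_name` (it holds an unescaped attribute value, not a sanitized one) would remove both problems. Whether originalADname is written only when an override is in effect, and in the same qualified form as `name`, is not visible here; if the provider stores it for every AD entry the check would divert ordinary mpg lookups, so a test with a non-overridden mpg group is worth adding. Separately, when the mpg entry matches the function still falls through to the unchanged ldb_search after the branch and issues the same query a second time; the same duplicated search is in the sysdb_getgrgid hunk, where the first `res` could be reused instead. sysdb_getgrnam starts and ends outside this hunk.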
@@ -1043,6 +1075,7 @@ int sysdb_getgrgid(TALLOC_CTX *mem_ctx,
 {
     TALLOC_CTX *tmp_ctx;
     unsigned long int ul_gid = gid;
+    unsigned long int ul_originalad_gid;
     static const char *attrs[] = SYSDB_GRSRC_ATTRS;
     const char *fmt_filter;
     struct ldb_dn *base_dn;
@@ -1055,9 +1088,38 @@ int sysdb_getgrgid(TALLOC_CTX *mem_ctx,
     }
 
     if (domain->mpg) {
+        /* In case the domain supports magic private groups we *must*
+         * check whether the searched gid is the very same as the
+         * originalADgidNumber attribute.
+         *
+         * In case those are not the same, we're dealing with an
+         * override and in order to return the proper overridden group
+         * we must use the very same search used by a non-mpg domain
+         */
         fmt_filter = SYSDB_GRGID_MPG_FILTER;
         base_dn = ldb_dn_new_fmt(tmp_ctx, domain->sysdb->ldb,
                                  SYSDB_DOM_BASE, domain->name);
+        if (base_dn == NULL) {
+            ret = ENOMEM;
+            goto done;
+        }
+
+        ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn,
+                         LDB_SCOPE_SUBTREE, attrs, fmt_filter, ul_gid);
+        if (ret != EOK) {
+            ret = sysdb_error_to_errno(ret);
+            goto done;
+        }
+
+        if (res->count > 0) {
+            ul_originalad_gid = ldb_msg_find_attr_as_uint64(
+                    res->msgs[0], ORIGINALAD_PREFIX SYSDB_GIDNUM, 0);
+
+            if (ul_originalad_gid != 0 && ul_originalad_gid != ul_gid) {
+                fmt_filter = SYSDB_GRGID_FILTER;
+                base_dn = sysdb_group_base_dn(tmp_ctx, domain);
+            }
+        }
     } else {
         fmt_filter = SYSDB_GRGID_FILTER;
         base_dn = sysdb_group_base_dn(tmp_ctx, domain);
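Review bot: `ldb_msg_find_attr_as_uint64(res->msgs[0], ORIGINALAD_PREFIX SYSDB_GIDNUM, 0)` returns the default 0 for an absent attribute, for a value that does not parse, and for a stored 0 alike, so the guard `ul_originalad_gid != 0` silently folds all three into "no override"; checking presence first with `ldb_msg_find_element(res->msgs[0], ORIGINALAD_PREFIX SYSDB_GIDNUM) != NULL` keeps them apart, or at least the comment block should state that 0 is used as the absent sentinel. The comment also says the check "must" be done but not what a mismatch means for a plain mpg user entry matched by its uidNumber: if originalADgidNumber is stored on such entries (not visible here) it would rarely equal the searched gid, and every private-group lookup would be diverted to the non-mpg filter, which cannot find it, so that case deserves a regression test. The first hunk declares `ul_originalad_gid` without an initializer; it is only read inside the `res->count > 0` branch after assignment, so this is fine, but initializing it to 0 at declaration would make that obvious. sysdb_getgrgid starts and ends outside these hunks.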