URL: https://github.com/SSSD/sssd/pull/574
Author: fidencio
Title: #574: cache_req: Don't force a fqname for files provider output
Action: synchronized
To pull the PR as Git branch:

    git remote add ghsssd https://github.com/SSSD/sssd
    git fetch ghsssd pull/574/head:pr574
    git checkout pr574
From 35ee3987e93104013a010404d4e3dc39346bfcdd Mon Sep 17 00:00:00 2001
From: Fabiano Fidêncio <fiden...@redhat.com>
Date: Mon, 21 May 2018 12:43:53 +0200
Subject: [PATCH 1/2] cache_req: Don't force a fqname for files provider output
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As we're enforcing the output of the files provider to be fully-qualified, we can face some weirdness when using domain_resolution_order, as:

    [user@implicit_files@machine]$

This is not only not coherent but also causes issues when the local user, which is managed by the files provider, tries to do a `sudo su`.

As the most common scenario for *local* users is to have the user (non-fully-qualified) in sudoers and, as sudo simply compares usernames, changing the output from non-fully-qualified to fully-qualified would break this scenario, not allowing the user which has sudo access to use sudo.

In order to avoid the issues described above, let's just not force the output of the files provider to be fully-qualified.

Signed-off-by: Fabiano Fidêncio <fiden...@redhat.com>

Resolves:
https://pagure.io/SSSD/sssd/issue/3743
---
 src/responder/common/cache_req/cache_req_domain.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/responder/common/cache_req/cache_req_domain.c b/src/responder/common/cache_req/cache_req_domain.c
index 15893ba54..e7bcd8000 100644
--- a/src/responder/common/cache_req/cache_req_domain.c
+++ b/src/responder/common/cache_req/cache_req_domain.c
@@ -202,9 +202,14 @@ cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx, /* when using the domain resolution order, using shortnames as input * is allowed by default. However, we really want to use the fully * qualified name as output in order to avoid conflicts whith users - * who have the very same name. */ + * who have the very same name. + * + * NOTE: we do *not* want to use fully qualified names for the + * files provider.*/ if (resolution_order != NULL) { - sss_domain_info_set_output_fqnames(cr_domain->domain, true); + if (strcmp(cr_domain->domain->provider, "files") != 0) { + sss_domain_info_set_output_fqnames(cr_domain->domain, true); + } } DLIST_ADD_END(cr_domains, cr_domain, struct cache_req_domain *); From 10c167f1c1642cebd94d37b73ee558766a1d86ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com> Date: Mon, 21 May 2018 16:33:04 +0200 Subject: [PATCH 2/2] tests: Add a test for files provider + domain resolution order MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Fabiano FidĂȘncio <fiden...@redhat.com> Resolves: https://pagure.io/SSSD/sssd/issue/3743 --- src/tests/intg/test_files_provider.py | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py index cc9c1f1c7..5c95c68d2 100644 --- a/src/tests/intg/test_files_provider.py +++ b/src/tests/intg/test_files_provider.py @@ -294,6 +294,22 @@ def no_sssd_conf(request): return None +@pytest.fixture +def domain_resolution_order(request): + conf = unindent("""\ + [sssd] + domains = files + services = nss + domain_resolution_order = foo + + [domain/files] + id_provider = files + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + def setup_pw_with_list(request, user_list): pwd_ops = passwd_ops_setup(request) for user in user_list: 
@@ -1173,3 +1189,12 @@ def test_multiple_files_created_after_startup(add_user_with_canary, check_user(ALT_USER1) check_group(ALT_GROUP1) + + +def test_files_with_domain_resolution_order(add_user_with_canary, + domain_resolution_order): + """ + Test that when using domain_resolution_order the user won't be using + its fully-qualified name. + """ + check_user(USER1)
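Review bot: the new `strcmp(cr_domain->domain->provider, "files")` inside the `resolution_order != NULL` branch of cache_req_domain_new_list_from_string_list dereferences `provider` with no NULL guard, so a domain whose provider string is unset would crash the responder at this line instead of falling through to the fully-qualified default; guard it (`cr_domain->domain->provider != NULL && strcmp(cr_domain->domain->provider, "files") != 0`), or route it through whatever "is this a files domain" helper the tree already has so the string comparison lives in one place. Two smaller points on the same hunk: the rewritten comment ends in `files provider.*/` (missing space before `*/`), and it states only that files is excluded, not why; one sentence taken from the commit message (local users are listed unqualified in sudoers and sudo compares plain usernames) would make the exception understandable to the next reader. The `whith` typo on the unchanged context line just above could be fixed while the comment is being touched anyway.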
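Review bot: `domain_resolution_order = foo` in the new `domain_resolution_order` fixture in src/tests/intg/test_files_provider.py names a domain that is not listed in `domains = files`, and nothing says this is deliberate; add a comment in the fixture (or the test docstring) that the option only needs to be non-empty to drive the `resolution_order != NULL` path in cache_req_domain_new_list_from_string_list and that the unknown domain name is intentional, otherwise it reads like a typo that a later cleanup will "fix". Also, the config string contains no `{}` placeholders, so `.format(**locals())` is a no-op and can be dropped.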
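Review bot: `test_files_with_domain_resolution_order` promises in its docstring that the user "won't be using its fully-qualified name", but its only assertion is `check_user(USER1)`, whose definition is not part of this hunk; if `check_user` looks `USER1` up by its short name and compares the returned `pw_name` against it, state that in the docstring, and otherwise add an explicit assertion that the `pw_name` returned for `USER1` is the unqualified name and not the `user@files` form, so that the test actually fails on the behaviour the first patch changes rather than passing as long as the user resolves at all.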
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/sssd-devel@lists.fedorahosted.org/message/FDEYB2V6VIBLBZPCQ5OPA6VXEESFVZS7/