URL: https://github.com/SSSD/sssd/pull/5404 Author: sumit-bose Title: #5404: nss: check if groups are filtered during initgroups Action: opened
PR body: """ If groups are filtered, i.e. SSSD should not handle them, they should not appear in the group list returned by an initgroups request. Resolves: https://github.com/SSSD/sssd/issues/5403 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5404/head:pr5404 git checkout pr5404
From c157e7af9ef4d51b1402b382ed34d8e2c39aeb95 Mon Sep 17 00:00:00 2001 From: Sumit Bose <sb...@redhat.com> Date: Tue, 17 Nov 2020 12:59:23 +0100 Subject: [PATCH] nss: check if groups are filtered during initgroups If groups are filtered, i.e. SSSD should not handle them, they should not appear in the group list returned by an initgroups request. Resolves: https://github.com/SSSD/sssd/issues/5403 --- src/responder/nss/nss_protocol_grent.c | 35 ++++++++++++++++++++++++++ src/tests/intg/test_ldap.py | 12 +++++++++ 2 files changed, 47 insertions(+) diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c index 8f1d3fe81d..135b392f74 100644 --- a/src/responder/nss/nss_protocol_grent.c +++ b/src/responder/nss/nss_protocol_grent.c @@ -326,6 +326,34 @@ nss_protocol_fill_grent(struct nss_ctx *nss_ctx, return EOK; } +static bool is_group_filtered(struct sss_nc_ctx *ncache, + struct sss_domain_info *domain, + const char *grp_name, gid_t gid) +{ + int ret; + + if (grp_name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Group with gid [%"SPRIgid"] has no name, this should never " + "happen, trying to continue without.\n", gid); + } else { + ret = sss_ncache_check_group(ncache, domain, grp_name); + if (ret == EEXIST) { + DEBUG(SSSDBG_TRACE_FUNC, "Group [%s] is filtered out! " + "(negative cache)", grp_name); + return true; + } + } + ret = sss_ncache_check_gid(ncache, domain, gid); + if (ret == EEXIST) { + DEBUG(SSSDBG_TRACE_FUNC, "Group [%"SPRIgid"] is filtered out! " + "(negative cache)", gid); + return true; + } + + return false; +} + errno_t nss_protocol_fill_initgr(struct nss_ctx *nss_ctx, struct nss_cmd_ctx *cmd_ctx, @@ -344,6 +372,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx, size_t body_len; size_t rp; gid_t gid; + const char *grp_name; gid_t orig_gid; errno_t ret; int i; @@ -392,6 +421,8 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx, gid = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, SYSDB_GIDNUM, 0); posix = ldb_msg_find_attr_as_string(msg, SYSDB_POSIX, NULL); + grp_name = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_NAME, + NULL); if (gid == 0) { if (posix != NULL && strcmp(posix, "FALSE") == 0) { @@ -404,6 +435,10 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx, } } + if (is_group_filtered(nss_ctx->rctx->ncache, domain, grp_name, gid)) { + continue; + } + SAFEALIGN_COPY_UINT32(&body[rp], &gid, &rp); num_results++; diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py index 194d7d9ccd..6a78c960fd 100644 --- a/src/tests/intg/test_ldap.py +++ b/src/tests/intg/test_ldap.py @@ -1190,6 +1190,18 @@ def test_nss_filters(ldap_conn, sanity_nss_filter): with pytest.raises(KeyError): grp.getgrgid(14) + # test initgroups - user1 is member of group_two_one_user_groups (2019) + # which is filtered out + (res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 2001) + assert res == sssd_id.NssReturnCode.SUCCESS + + user_with_group_ids = [2001, 2012, 2015, 2017, 2018] + assert sorted(gids) == sorted(user_with_group_ids), \ + "result: %s\n expected %s" % ( + ", ".join(["%s" % s for s in sorted(gids)]), + ", ".join(["%s" % s for s in sorted(user_with_group_ids)]) + ) + @pytest.fixture def sanity_nss_filter_cached(request, ldap_conn):
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
