Resolves: upstream#3595 - ID override GID from Default Trust View is not properly resolved in case domain resolution order is set

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Fabiano Fidêncio 2018-05-14 09:16:02 +02:00
parent 1511bcd8b2
commit 5f75f7e4f2
2 changed files with 222 additions and 0 deletions


@ -0,0 +1,218 @@
From e7aee44602eb36ee1e1201ad6c7234562b8bb703 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Tue, 5 Dec 2017 21:14:09 +0100
Subject: [PATCH] SYSDB: Properly handle name/gid override when using domain
resolution order
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When using name/gid override together with domain resolution order the
mpg name/gid may be returned instead of the overridden one.
In order to avoid that, let's add a check in case the domain supports
mpg so we can ensure that the originalADname and originalADgidNumber
attributes are the very same as the ones searched and then normally
proceed with the current flow in the code. In case those are not the
same, we *must* follow the code path for the non-mpg domains and then
return the proper values.
Resolves: https://pagure.io/SSSD/sssd/issue/3595
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit cf4f5e031ecbdfba0b55a4f69a06175a2e718e67)
---
src/db/sysdb.h | 2 +
src/db/sysdb_search.c | 116 ++++++++++++++++++++++++++++++++++--------
2 files changed, 97 insertions(+), 21 deletions(-)
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 2660314a7..d9c8fd5d6 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -258,6 +258,8 @@
SYSDB_OVERRIDE_OBJECT_DN, \
SYSDB_DEFAULT_OVERRIDE_NAME, \
SYSDB_UUID, \
+ ORIGINALAD_PREFIX SYSDB_NAME, \
+ ORIGINALAD_PREFIX SYSDB_GIDNUM, \
NULL}
#define SYSDB_NETGR_ATTRS {SYSDB_NAME, SYSDB_NETGROUP_TRIPLE, \
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index b7ceb6e59..66c4977b3 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -893,8 +893,9 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx,
const char *fmt_filter;
char *sanitized_name;
struct ldb_dn *base_dn;
- struct ldb_result *res;
+ struct ldb_result *res = NULL;
char *lc_sanitized_name;
+ const char *originalad_sanitized_name;
int ret;
tmp_ctx = talloc_new(NULL);
@@ -902,30 +903,67 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx,
return ENOMEM;
}
+ ret = sss_filter_sanitize_for_dom(tmp_ctx, name, domain,
+ &sanitized_name, &lc_sanitized_name);
+ if (ret != EOK) {
+ goto done;
+ }
+
if (domain->mpg) {
+ /* In case the domain supports magic private groups we *must*
+ * check whether the searched name is the very same as the
+ * originalADname attribute.
+ *
+ * In case those are not the same, we're dealing with an
+ * override and in order to return the proper overridden group
+ * we must use the very same search used by a non-mpg domain
+ */
fmt_filter = SYSDB_GRNAM_MPG_FILTER;
base_dn = sysdb_domain_dn(tmp_ctx, domain);
+ if (base_dn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn,
+ LDB_SCOPE_SUBTREE, attrs, fmt_filter,
+ lc_sanitized_name, sanitized_name, sanitized_name);
+ if (ret != EOK) {
+ ret = sysdb_error_to_errno(ret);
+ goto done;
+ }
+
+ if (res->count > 0) {
+ originalad_sanitized_name = ldb_msg_find_attr_as_string(
+ res->msgs[0], ORIGINALAD_PREFIX SYSDB_NAME, NULL);
+
+ if (originalad_sanitized_name != NULL
+ && strcmp(originalad_sanitized_name, sanitized_name) != 0) {
+ fmt_filter = SYSDB_GRNAM_FILTER;
+ base_dn = sysdb_group_base_dn(tmp_ctx, domain);
+ res = NULL;
+ }
+ }
} else {
fmt_filter = SYSDB_GRNAM_FILTER;
base_dn = sysdb_group_base_dn(tmp_ctx, domain);
}
- if (!base_dn) {
+ if (base_dn == NULL) {
ret = ENOMEM;
goto done;
}
- ret = sss_filter_sanitize_for_dom(tmp_ctx, name, domain,
- &sanitized_name, &lc_sanitized_name);
- if (ret != EOK) {
- goto done;
- }
-
- ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn,
- LDB_SCOPE_SUBTREE, attrs, fmt_filter,
- lc_sanitized_name, sanitized_name, sanitized_name);
- if (ret) {
- ret = sysdb_error_to_errno(ret);
- goto done;
+ /* We just do the ldb_search here in case domain is *not* a MPG *or*
+ * it's a MPG and we're dealing with a overriden group, which has to
+ * use the very same filter as a non MPG domain. */
+ if (res == NULL) {
+ ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn,
+ LDB_SCOPE_SUBTREE, attrs, fmt_filter,
+ lc_sanitized_name, sanitized_name, sanitized_name);
+ if (ret != EOK) {
+ ret = sysdb_error_to_errno(ret);
+ goto done;
+ }
}
ret = mpg_res_convert(res);
@@ -1045,10 +1083,11 @@ int sysdb_getgrgid(TALLOC_CTX *mem_ctx,
{
TALLOC_CTX *tmp_ctx;
unsigned long int ul_gid = gid;
+ unsigned long int ul_originalad_gid;
static const char *attrs[] = SYSDB_GRSRC_ATTRS;
const char *fmt_filter;
struct ldb_dn *base_dn;
- struct ldb_result *res;
+ struct ldb_result *res = NULL;
int ret;
tmp_ctx = talloc_new(NULL);
@@ -1057,22 +1096,57 @@ int sysdb_getgrgid(TALLOC_CTX *mem_ctx,
}
if (domain->mpg) {
+ /* In case the domain supports magic private groups we *must*
+ * check whether the searched gid is the very same as the
+ * originalADgidNumber attribute.
+ *
+ * In case those are not the same, we're dealing with an
+ * override and in order to return the proper overridden group
+ * we must use the very same search used by a non-mpg domain
+ */
fmt_filter = SYSDB_GRGID_MPG_FILTER;
base_dn = sysdb_domain_dn(tmp_ctx, domain);
+ if (base_dn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn,
+ LDB_SCOPE_SUBTREE, attrs, fmt_filter, ul_gid);
+ if (ret != EOK) {
+ ret = sysdb_error_to_errno(ret);
+ goto done;
+ }
+
+ if (res->count > 0) {
+ ul_originalad_gid = ldb_msg_find_attr_as_uint64(
+ res->msgs[0], ORIGINALAD_PREFIX SYSDB_GIDNUM, 0);
+
+ if (ul_originalad_gid != 0 && ul_originalad_gid != ul_gid) {
+ fmt_filter = SYSDB_GRGID_FILTER;
+ base_dn = sysdb_group_base_dn(tmp_ctx, domain);
+ res = NULL;
+ }
+ }
} else {
fmt_filter = SYSDB_GRGID_FILTER;
base_dn = sysdb_group_base_dn(tmp_ctx, domain);
}
- if (!base_dn) {
+ if (base_dn == NULL) {
ret = ENOMEM;
goto done;
}
- ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn,
- LDB_SCOPE_SUBTREE, attrs, fmt_filter, ul_gid);
- if (ret) {
- ret = sysdb_error_to_errno(ret);
- goto done;
+ /* We just do the ldb_search here in case domain is *not* a MPG *or*
+ * it's a MPG and we're dealing with a overriden group, which has to
+ * use the very same filter as a non MPG domain. */
+ if (res == NULL) {
+ ret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn,
+ LDB_SCOPE_SUBTREE, attrs, fmt_filter, ul_gid);
+ if (ret != EOK) {
+ ret = sysdb_error_to_errno(ret);
+ goto done;
+ }
}
ret = mpg_res_convert(res);
--
2.17.0
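Review bot: In the sysdb_getgrnam hunk, the stored `originalADname` value read from `res->msgs[0]` is compared with `sanitized_name`, the filter-escaped form of the lookup name, rather than with the caller's `name`. If the sanitizer rewrites any character of the input (its escaping rules are not visible here), or the entry only matched through `lc_sanitized_name`, `strcmp` reports a difference and the lookup silently switches to the non-MPG filter even though no override is involved. Because this comparison decides which group name and GID are handed back to callers that may base access decisions on them, it should compare like with like, e.g. `strcmp(originalad_name, name) != 0`, with the variable renamed since the attribute value is not sanitized. Both this hunk and the sysdb_getgrgid hunk inspect only `res->msgs[0]`; a comment such as `/* only the first match is checked; the MPG filter is expected to return a single entry here */` would document that assumption, if it holds. Both function bodies continue outside the hunks shown.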


@ -103,6 +103,7 @@ Patch0058: 0058-SYSDB-Only-check-non-POSIX-groups-for-GID-conflicts.patch
Patch0059: 0059-Do-not-keep-allocating-external-groups-on-a-long-liv.patch
Patch0060: 0060-CACHE_REQ-Do-not-fail-the-domain-locator-plugin-if-I.patch
Patch0061: 0061-NSS-nss_clear_netgroup_hash_table-do-not-free-data.patch
Patch0062: 0062-SYSDB-Properly-handle-name-gid-override-when-using-d.patch
Patch0502: 0502-SYSTEMD-Use-capabilities.patch
Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
@ -1321,6 +1322,9 @@ fi
first domain does not reach the second domain
- Resolves: upstream#3731 - nss_clear_netgroup_hash_table(): only remove
entries from the hash table, do not free them
- Resolves: upstream#3595 - ID override GID from Default Trust View is not
properly resolved in case domain resolution order
is set
* Sat May 05 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-4
- Resolves: rhbz#1574778 - sssd fails to download known_hosts from freeipa