authorSumit Bose <sbose@redhat.com>2009-04-22 17:00:12 +0200
committerStephen Gallagher <sgallagh@redhat.com>2009-04-23 09:06:27 -0400
commit1e08c6f901ad477d9be4b74942487bb3e8573ce3 (patch)
tree46b2cb583493bb48c911063f6e34b230aa55e5d5
parentabc04a747aeb90b15c5a838811cec2241afe8319 (diff)
fixes for user and group creation in LOCAL domain
- added range check for supplied UIDs and GIDs
- initialize pc_gid to 0 to trigger gid generation
-rw-r--r--server/db/sysdb_ops.c19
-rw-r--r--server/tools/sss_groupadd.c2
2 files changed, 20 insertions, 1 deletions
diff --git a/server/db/sysdb_ops.c b/server/db/sysdb_ops.c
index a75c3466d..7daf11706 100644
--- a/server/db/sysdb_ops.c
+++ b/server/db/sysdb_ops.c
@@ -868,6 +868,19 @@ int sysdb_add_user(struct sysdb_req *sysreq,
return EINVAL;
}
+ if (domain->id_max != 0 && (uid < domain->id_min || uid > domain->id_max)) {
+ DEBUG(2, ("Supplied uid [%d] is not in the allowed range [%d-%d].\n",
+ uid, domain->id_min, domain->id_max));
+ return EINVAL;
+ }
+
+ if (domain->id_max != 0 && (gid < domain->id_min || gid > domain->id_max)) {
+ DEBUG(2, ("Supplied gid [%d] is not in the allowed range [%d-%d].\n",
+ gid, domain->id_min, domain->id_max));
+ return EINVAL;
+ }
+
+
user_ctx = talloc(sysreq, struct user_add_ctx);
if (!user_ctx) return ENOMEM;
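Review bot: An id of 0 appears to be rejected by these checks whenever a range is configured: with `domain->id_max != 0` and `domain->id_min > 0`, `uid < domain->id_min` is true for 0 and the function returns EINVAL. The commit description says a gid of 0 is what triggers gid generation, so the identical test in sysdb_add_group (second hunk) would turn the auto-assign path into an error unless 0 is handled above the lines shown. If 0 is the "generate one" value in these functions, exempt it explicitly, e.g. `if (uid != 0 && domain->id_max != 0 && (uid < domain->id_min || uid > domain->id_max)) {`, and likewise for both gid checks. Both function bodies start and end outside their hunks, so this needs confirming against the code above.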
@@ -1052,6 +1065,12 @@ int sysdb_add_group(struct sysdb_req *sysreq,
return EINVAL;
}
+ if (domain->id_max != 0 && (gid < domain->id_min || gid > domain->id_max)) {
+ DEBUG(2, ("Supplied gid [%d] is not in the allowed range [%d-%d].\n",
+ gid, domain->id_min, domain->id_max));
+ return EINVAL;
+ }
+
group_ctx = talloc(sysreq, struct group_add_ctx);
if (!group_ctx) return ENOMEM;
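Review bot: With `domain->id_max == 0` this test is skipped entirely, so `domain->id_min` is not enforced either and a caller-supplied gid below the domain's minimum is accepted; the two checks in sysdb_add_user have the same shape. If an id_max of 0 means "no upper limit" rather than "no range at all", the lower bound should be tested on its own, keeping any exemption needed for 0: `gid < domain->id_min || (domain->id_max != 0 && gid > domain->id_max)`. This is the third copy of the condition, so a small static helper taking the domain and the id would keep the call sites consistent and give that decision one documented place. The `%d` conversions in the DEBUG call also assume the id and the limits are `int`; for a `gid_t`, casting to `unsigned long` and printing with `%lu` avoids large ids being logged as negative numbers.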
diff --git a/server/tools/sss_groupadd.c b/server/tools/sss_groupadd.c
index d05597164..6dde7ae83 100644
--- a/server/tools/sss_groupadd.c
+++ b/server/tools/sss_groupadd.c
@@ -77,7 +77,7 @@ static void add_group(struct sysdb_req *req, void *pvt)
int main(int argc, const char **argv)
{
- gid_t pc_gid;
+ gid_t pc_gid = 0;
struct poptOption long_options[] = {
POPT_AUTOHELP
{ "gid", 'g', POPT_ARG_INT, &pc_gid, 0, "The GID of the group", NULL },
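Review bot: `pc_gid` is a `gid_t`, but the option table passes `&pc_gid` with `POPT_ARG_INT`, so popt stores an `int` through a pointer to a different type. Where gid_t is unsigned, a negative `--gid` value becomes a very large gid, and with the new default an explicit `--gid 0` cannot be told apart from the option being absent. Parsing into a plain `int` (`int pc_gid_arg = 0;` with `&pc_gid_arg` in the table), rejecting negative input, and only then assigning to the `gid_t` would make the tool validate the value itself instead of relying on the range check in sysdb_add_group. main's body continues outside the hunk, so any later validation is not visible here.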