diff options
| author | Pavel Reichl <preichl@redhat.com> | 2014-06-04 17:41:31 +0100 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-12-08 10:55:40 +0100 |
| commit | 79f128801d598ca57a6acebade01136525a47e00 (patch) | |
| tree | e43e969e1e791f671d8c6bbe3f752d7952458fd3 | |
| parent | 1b4bd7e378deda73a18d86e4b2998bff45883e7b (diff) | |
| download | sssd-79f128801d598ca57a6acebade01136525a47e00.tar.gz sssd-79f128801d598ca57a6acebade01136525a47e00.tar.xz sssd-79f128801d598ca57a6acebade01136525a47e00.zip | |
simple access provider: non-existing object
Resolves:
https://fedorahosted.org/sssd/ticket/2519
Not existing user/group in simple_allow_users/simple_allow_groups should not
imply access denied.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| -rw-r--r-- | src/providers/simple/simple_access_check.c | 35 |
1 files changed, 25 insertions, 10 deletions
diff --git a/src/providers/simple/simple_access_check.c b/src/providers/simple/simple_access_check.c index 13c66d58f..d66628719 100644 --- a/src/providers/simple/simple_access_check.c +++ b/src/providers/simple/simple_access_check.c @@ -24,6 +24,11 @@ #include "util/sss_utf8.h" #include "db/sysdb.h" +#define NON_EXIST_USR_ALLOW "The user %s does not exist. Possible typo in simple_allow_users.\n" +#define NON_EXIST_USR_DENY "The user %s does not exist. Possible typo in simple_deny_users.\n" +#define NON_EXIST_GRP_ALLOW "The group %s does not exist. Possible typo in simple_allow_groups.\n" +#define NON_EXIST_GRP_DENY "The group %s does not exist. Possible typo in simple_deny_groups.\n" + static bool is_posix(const struct ldb_message *group) { @@ -53,9 +58,11 @@ simple_check_users(struct simple_ctx *ctx, const char *username, domain = find_domain_by_object_name(ctx->domain, ctx->allow_users[i]); if (domain == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Invalid user %s!\n", - ctx->allow_users[i]); - return EINVAL; + DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_USR_ALLOW, + ctx->allow_users[i]); + sss_log(SSS_LOG_CRIT, NON_EXIST_USR_ALLOW, + ctx->allow_users[i]); + continue; } if (sss_string_equal(domain->case_sensitive, username, @@ -86,8 +93,10 @@ simple_check_users(struct simple_ctx *ctx, const char *username, domain = find_domain_by_object_name(ctx->domain, ctx->deny_users[i]); if (domain == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Invalid user %s!\n", - ctx->deny_users[i]); + DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_USR_DENY, + ctx->deny_users[i]); + sss_log(SSS_LOG_CRIT, NON_EXIST_USR_DENY, + ctx->deny_users[i]); return EINVAL; } @@ -125,9 +134,12 @@ simple_check_groups(struct simple_ctx *ctx, const char **group_names, domain = find_domain_by_object_name(ctx->domain, ctx->allow_groups[i]); if (domain == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Invalid group %s!\n", - ctx->allow_groups[i]); - return EINVAL; + DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_GRP_ALLOW, + ctx->allow_groups[i]); + sss_log(SSS_LOG_CRIT, NON_EXIST_GRP_ALLOW, + ctx->allow_groups[i]); + + continue; } for(j = 0; group_names[j]; j++) { @@ -158,8 +170,11 @@ simple_check_groups(struct simple_ctx *ctx, const char **group_names, domain = find_domain_by_object_name(ctx->domain, ctx->deny_groups[i]); if (domain == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Invalid group %s!\n", - ctx->deny_groups[i]); + DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_GRP_DENY, + ctx->deny_groups[i]); + sss_log(SSS_LOG_CRIT, NON_EXIST_GRP_DENY, + ctx->deny_groups[i]); + return EINVAL; } |