diff options
| author | Stephen Gallagher <sgallagh@redhat.com> | 2011-07-01 16:34:03 -0400 |
|---|---|---|
| committer | Stephen Gallagher <sgallagh@redhat.com> | 2011-08-01 12:18:34 -0400 |
| commit | fc38b9d4e9a46c80a05003a9ff2e6d39b00ecffd (patch) | |
| tree | d0c12f88eb572ef575104897105889dc39306d32 | |
| parent | a2b1e0b4bce8281d7214329d6bc261cb8ca02784 (diff) | |
| download | sssd-fc38b9d4e9a46c80a05003a9ff2e6d39b00ecffd.tar.gz sssd-fc38b9d4e9a46c80a05003a9ff2e6d39b00ecffd.tar.xz sssd-fc38b9d4e9a46c80a05003a9ff2e6d39b00ecffd.zip | |
Treat NULL or empty rhost as unknown
Previously, we were assuming this meant it was coming from the
localhost, but this is not a safe assumption. We will now treat it
as unknown and it will fail to match any rule that requires a
specified srchost or group of srchosts.
| -rw-r--r-- | src/providers/ipa/hbac_evaluator.c | 6 | ||||
| -rw-r--r-- | src/providers/ipa/ipa_hbac_common.c | 30 |
2 files changed, 25 insertions, 11 deletions
diff --git a/src/providers/ipa/hbac_evaluator.c b/src/providers/ipa/hbac_evaluator.c index 949f0aefd..e120d51e4 100644 --- a/src/providers/ipa/hbac_evaluator.c +++ b/src/providers/ipa/hbac_evaluator.c @@ -155,8 +155,10 @@ static bool hbac_evaluate_element(struct hbac_rule_element *rule_el, /* First check the name list */ if (rule_el->names) { for (i = 0; rule_el->names[i]; i++) { - if (strcmp(rule_el->names[i], req_el->name) == 0) { - return true; + if (req_el->name != NULL) { + if (strcmp(rule_el->names[i], req_el->name) == 0) { + return true; + } } } } diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c index f05c3e2e7..0ed08b839 100644 --- a/src/providers/ipa/ipa_hbac_common.c +++ b/src/providers/ipa/ipa_hbac_common.c @@ -558,18 +558,15 @@ hbac_ctx_to_eval_request(TALLOC_CTX *mem_ctx, /* Get the source host */ if (pd->rhost == NULL || pd->rhost[0] == '\0') { - /* If we haven't been passed an rhost, we - * have to assume it's coming from the - * target host + /* If we haven't been passed an rhost, + * the rhost is unknown. This will fail + * to match any rule requiring the + * source host. */ - rhost = dp_opt_get_cstring(hbac_ctx->ipa_options, IPA_HOSTNAME); + rhost = NULL; } else { rhost = pd->rhost; } - if (rhost == NULL) { - ret = EINVAL; - goto done; - } ret = hbac_eval_host_element(eval_req, sysdb, domain, rhost, &eval_req->srchost); @@ -808,6 +805,19 @@ hbac_eval_host_element(TALLOC_CTX *mem_ctx, host->name = hostname; + if (host->name == NULL) { + /* We don't know the host (probably an rhost) + * So we can't determine it's groups either. + */ + host->groups = talloc_array(host, const char *, 1); + if (host->groups == NULL) { + ret = ENOMEM; + goto done; + } + host->groups[0] = NULL; + ret = EOK; + goto done; + } host_filter = talloc_asprintf(tmp_ctx, "(objectClass=%s)", @@ -862,10 +872,12 @@ hbac_eval_host_element(TALLOC_CTX *mem_ctx, } host->groups[i] = NULL; - *host_element = talloc_steal(mem_ctx, host); ret = EOK; done: + if (ret == EOK) { + *host_element = talloc_steal(mem_ctx, host); + } talloc_free(tmp_ctx); return ret; } |