authorStephen Gallagher <sgallagh@redhat.com>2011-07-01 16:34:03 -0400
committerStephen Gallagher <sgallagh@redhat.com>2011-08-01 12:18:34 -0400
commitfc38b9d4e9a46c80a05003a9ff2e6d39b00ecffd (patch)
treed0c12f88eb572ef575104897105889dc39306d32
parenta2b1e0b4bce8281d7214329d6bc261cb8ca02784 (diff)
Treat NULL or empty rhost as unknown
Previously, we were assuming this meant it was coming from the localhost, but this is not a safe assumption. We will now treat it as unknown and it will fail to match any rule that requires a specified srchost or group of srchosts.
-rw-r--r--src/providers/ipa/hbac_evaluator.c6
-rw-r--r--src/providers/ipa/ipa_hbac_common.c30
2 files changed, 25 insertions, 11 deletions
diff --git a/src/providers/ipa/hbac_evaluator.c b/src/providers/ipa/hbac_evaluator.c
index 949f0aefd..e120d51e4 100644
--- a/src/providers/ipa/hbac_evaluator.c
+++ b/src/providers/ipa/hbac_evaluator.c
@@ -155,8 +155,10 @@ static bool hbac_evaluate_element(struct hbac_rule_element *rule_el,
/* First check the name list */
if (rule_el->names) {
for (i = 0; rule_el->names[i]; i++) {
- if (strcmp(rule_el->names[i], req_el->name) == 0) {
- return true;
+ if (req_el->name != NULL) {
+ if (strcmp(rule_el->names[i], req_el->name) == 0) {
+ return true;
+ }
}
}
}
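Review bot: The `req_el->name != NULL` test added inside the for loop is loop-invariant, so it is re-evaluated for every entry of rule_el->names; hoist it into the enclosing condition, `if (rule_el->names && req_el->name != NULL) {`, and keep the strcmp loop as it was. The behaviour is unchanged: a request element with an unknown name cannot match any named entry, which is the fail-closed outcome the commit message describes. hbac_evaluate_element continues past the hunk; the group comparison that presumably follows relies on req_el->groups being a NULL-terminated array even when the name is unknown, which the ipa_hbac_common.c change appears to guarantee, so that dependency is worth a comment at the top of the function.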
diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c
index f05c3e2e7..0ed08b839 100644
--- a/src/providers/ipa/ipa_hbac_common.c
+++ b/src/providers/ipa/ipa_hbac_common.c
@@ -558,18 +558,15 @@ hbac_ctx_to_eval_request(TALLOC_CTX *mem_ctx,
/* Get the source host */
if (pd->rhost == NULL || pd->rhost[0] == '\0') {
- /* If we haven't been passed an rhost, we
- * have to assume it's coming from the
- * target host
+ /* If we haven't been passed an rhost,
+ * the rhost is unknown. This will fail
+ * to match any rule requiring the
+ * source host.
*/
- rhost = dp_opt_get_cstring(hbac_ctx->ipa_options, IPA_HOSTNAME);
+ rhost = NULL;
} else {
rhost = pd->rhost;
}
- if (rhost == NULL) {
- ret = EINVAL;
- goto done;
- }
ret = hbac_eval_host_element(eval_req, sysdb, domain,
rhost, &eval_req->srchost);
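Review bot: Removing the `rhost == NULL` / EINVAL guard makes hbac_eval_host_element the only place that handles an unknown source host, and nothing at the call site says so; add `/* rhost may be NULL here: hbac_eval_host_element treats a NULL name as an unknown host with an empty group list. */` above the hbac_eval_host_element call. Because an access decision is now evaluated with an unknown source host instead of being rejected with EINVAL, a debug-level log line in the `rhost = NULL` branch would let an administrator see from the logs why a rule with a srchost constraint did not match. hbac_ctx_to_eval_request's body continues outside the hunk.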
@@ -808,6 +805,19 @@ hbac_eval_host_element(TALLOC_CTX *mem_ctx,
host->name = hostname;
+ if (host->name == NULL) {
+ /* We don't know the host (probably an rhost)
+ * So we can't determine it's groups either.
+ */
+ host->groups = talloc_array(host, const char *, 1);
+ if (host->groups == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ host->groups[0] = NULL;
+ ret = EOK;
+ goto done;
+ }
host_filter = talloc_asprintf(tmp_ctx,
"(objectClass=%s)",
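Review bot: The comment on the new unknown-host branch has a typo ("it's groups" should be "its groups") and does not say why an empty list is returned rather than an error; replace it with `/* The host name is unknown (e.g. no rhost was supplied), so its groups cannot be looked up; return an empty, NULL-terminated group list so the caller can still compare against it. */`. As a point of style, `host->groups = talloc_zero_array(host, const char *, 1);` would make the explicit `host->groups[0] = NULL;` unnecessary. The early `goto done` with ret set to EOK relies on the done: label handing host to the caller only on success, which this commit introduces in the later hunk of the same file; hbac_eval_host_element starts before this hunk.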
@@ -862,10 +872,12 @@ hbac_eval_host_element(TALLOC_CTX *mem_ctx,
}
host->groups[i] = NULL;
- *host_element = talloc_steal(mem_ctx, host);
ret = EOK;
done:
+ if (ret == EOK) {
+ *host_element = talloc_steal(mem_ctx, host);
+ }
talloc_free(tmp_ctx);
return ret;
}
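Review bot: The `done:` path now assigns `*host_element` only when `ret == EOK`, which changes the out-parameter's contract (it is left untouched on every error path, while the new unknown-host early exit also lands here with EOK and is handed to the caller), and nothing documents that; add `/* Hand host to the caller only on success; on error it is released together with tmp_ctx. */` above the new `if`. That host is allocated under tmp_ctx is inferred from the cleanup, since its allocation is outside the hunk — confirm before adopting the comment. hbac_eval_host_element's body begins before this hunk.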