diff options
author | Pavel Reichl <preichl@redhat.com> | 2014-06-04 17:41:31 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-01-13 21:00:22 +0100 |
commit | 90fe0ef10c7851fb92d69ae08290756a2e6c5b2d (patch) | |
tree | e5342a6ba1f62b247eb507498ed1012e8019d28c /src/providers/simple | |
parent | e171284d9ca72a0422c9fd44ea1ffa9ef493fd93 (diff) | |
download | sssd-90fe0ef10c7851fb92d69ae08290756a2e6c5b2d.tar.gz sssd-90fe0ef10c7851fb92d69ae08290756a2e6c5b2d.tar.xz sssd-90fe0ef10c7851fb92d69ae08290756a2e6c5b2d.zip |
simple access provider: non-existing object
Resolves:
https://fedorahosted.org/sssd/ticket/2519
Not existing user/group in simple_allow_users/simple_allow_groups should not
imply access denied.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Diffstat (limited to 'src/providers/simple')
-rw-r--r-- | src/providers/simple/simple_access_check.c | 35 |
1 files changed, 25 insertions, 10 deletions
diff --git a/src/providers/simple/simple_access_check.c b/src/providers/simple/simple_access_check.c index 13c66d58f..d66628719 100644 --- a/src/providers/simple/simple_access_check.c +++ b/src/providers/simple/simple_access_check.c @@ -24,6 +24,11 @@ #include "util/sss_utf8.h" #include "db/sysdb.h" +#define NON_EXIST_USR_ALLOW "The user %s does not exist. Possible typo in simple_allow_users.\n" +#define NON_EXIST_USR_DENY "The user %s does not exist. Possible typo in simple_deny_users.\n" +#define NON_EXIST_GRP_ALLOW "The group %s does not exist. Possible typo in simple_allow_groups.\n" +#define NON_EXIST_GRP_DENY "The group %s does not exist. Possible typo in simple_deny_groups.\n" + static bool is_posix(const struct ldb_message *group) { @@ -53,9 +58,11 @@ simple_check_users(struct simple_ctx *ctx, const char *username, domain = find_domain_by_object_name(ctx->domain, ctx->allow_users[i]); if (domain == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Invalid user %s!\n", - ctx->allow_users[i]); - return EINVAL; + DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_USR_ALLOW, + ctx->allow_users[i]); + sss_log(SSS_LOG_CRIT, NON_EXIST_USR_ALLOW, + ctx->allow_users[i]); + continue; } if (sss_string_equal(domain->case_sensitive, username, @@ -86,8 +93,10 @@ simple_check_users(struct simple_ctx *ctx, const char *username, domain = find_domain_by_object_name(ctx->domain, ctx->deny_users[i]); if (domain == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Invalid user %s!\n", - ctx->deny_users[i]); + DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_USR_DENY, + ctx->deny_users[i]); + sss_log(SSS_LOG_CRIT, NON_EXIST_USR_DENY, + ctx->deny_users[i]); return EINVAL; } @@ -125,9 +134,12 @@ simple_check_groups(struct simple_ctx *ctx, const char **group_names, domain = find_domain_by_object_name(ctx->domain, ctx->allow_groups[i]); if (domain == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Invalid group %s!\n", - ctx->allow_groups[i]); - return EINVAL; + DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_GRP_ALLOW, + ctx->allow_groups[i]); + sss_log(SSS_LOG_CRIT, NON_EXIST_GRP_ALLOW, + ctx->allow_groups[i]); + + continue; } for(j = 0; group_names[j]; j++) { @@ -158,8 +170,11 @@ simple_check_groups(struct simple_ctx *ctx, const char **group_names, domain = find_domain_by_object_name(ctx->domain, ctx->deny_groups[i]); if (domain == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Invalid group %s!\n", - ctx->deny_groups[i]); + DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_GRP_DENY, + ctx->deny_groups[i]); + sss_log(SSS_LOG_CRIT, NON_EXIST_GRP_DENY, + ctx->deny_groups[i]); + return EINVAL; } |