authorLukas Slebodnik <lslebodn@redhat.com>2015-07-13 10:40:06 +0200
committerJakub Hrozek <jhrozek@redhat.com>2015-08-05 12:43:42 +0200
commit5c5a094438ac6c81d99066ec58778cab23e0a939 (patch)
treee7b237907783045742b787c672bb2a2f8252992d /src/responder/nss/nsssrv_cmd.c
parenta45f9034e912b6242459a8d576f60ff829508bc3 (diff)
NSS: Initgr memory cache should work with fq names
We need to store two versions of the name in the initgroups memory cache. Otherwise a name could be stored many times if sssd is configured with case_sensitive = false, and it would be impossible to invalidate all versions of the name after user login. As a result, wrong user groups could be returned from the initgroups memory cache. Therefore we store the raw name provided by the glibc function and the internal sanitized fully qualified name, which is unique for a particular user. This patch also increases the average space for initgroups because, in the case of fq names, two quite long names are stored. Resolves: https://fedorahosted.org/sssd/ticket/2712 Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit dda0258705de7255e6ec54b7f9adbde83a220996)
Diffstat (limited to 'src/responder/nss/nsssrv_cmd.c')
-rw-r--r--src/responder/nss/nsssrv_cmd.c30
1 files changed, 25 insertions, 5 deletions
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 0bfbf0eab..aa64432d5 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -1354,6 +1354,7 @@ static int nss_cmd_getbynam(enum sss_cli_command cmd, struct cli_ctx *cctx)
}
rawname = (const char *)body;
+ dctx->mc_name = rawname;
DEBUG(SSSDBG_TRACE_FUNC, "Running command [%d] with input [%s].\n",
dctx->cmdctx->cmd, rawname);
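Review bot: `dctx->mc_name = rawname;` stores a pointer into the client request body rather than a copy, so mc_name is only valid while that input buffer is still live; fill_initgr later hands it to to_sized_string on the reply path, which appears to run within the same request, but nothing in this hunk pins that lifetime. A one-line comment would make the aliasing explicit: `/* mc_name aliases the request body; it is not copied and must not outlive this request */`. nss_cmd_getbynam continues outside the hunk.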
@@ -3940,6 +3941,13 @@ void nss_update_initgr_memcache(struct nss_ctx *nctx,
}
if (changed) {
+ char *fq_name = sss_tc_fqname(tmp_ctx, dom->names, dom, name);
+ if (!fq_name) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not create fq name\n");
+ goto done;
+ }
+
for (i = 0; i < gnum; i++) {
id = groups[i];
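Review bot: When sss_tc_fqname fails, the new `goto done` skips the sss_mmap_cache_initgr_invalidate call entirely, so an entry the function has just determined to be out of date (`changed` is true) remains readable from the memory cache until it expires, and because nss_update_initgr_memcache returns void the caller cannot react. The DEBUG line is the only trace, so I would at least state the consequence there, `"Could not create fq name, stale initgr entry for %s not invalidated\n", name`, and consider whether the failure should be surfaced. Whether invalidating by the raw `name` is a usable fallback depends on how the cache is keyed, which is not visible here. The `done:` label and the surrounding domain loop lie outside the hunk.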
@@ -3951,7 +3959,7 @@ void nss_update_initgr_memcache(struct nss_ctx *nctx,
}
}
- to_sized_string(&delete_name, name);
+ to_sized_string(&delete_name, fq_name);
ret = sss_mmap_cache_initgr_invalidate(nctx->initgr_mc_ctx,
&delete_name);
if (ret != EOK && ret != ENOENT) {
@@ -3971,6 +3979,7 @@ static int fill_initgr(struct sss_packet *packet,
struct sss_domain_info *dom,
struct ldb_result *res,
struct nss_ctx *nctx,
+ const char *mc_name,
const char *name)
{
uint8_t *body;
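Review bot: fill_initgr now takes two adjacent `const char *` parameters whose roles differ only in how the body uses them, and the signature gives no hint which is which, so a caller that swaps them compiles cleanly. A short comment above the definition would fix that, e.g. `/* mc_name: raw name as sent by the client, used as the memory-cache lookup key; name: sanitized name from which the unique fq name is derived */`. The function body is outside this hunk.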
@@ -4059,9 +4068,18 @@ static int fill_initgr(struct sss_packet *packet,
}
if (nctx->initgr_mc_ctx) {
- to_sized_string(&rawname, name);
+ struct sized_string unique_name;
+ char *fq_name = sss_tc_fqname(packet, dom->names, dom, name);
+ if (!fq_name) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not create fq name\n");
+ return ENOMEM;
+ }
+
+ to_sized_string(&rawname, mc_name);
+ to_sized_string(&unique_name, fq_name);
ret = sss_mmap_cache_initgr_store(&nctx->initgr_mc_ctx, &rawname,
- num - skipped, gids);
+ &unique_name, num - skipped, gids);
if (ret != EOK && ret != ENOMEM) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Failed to store user %s(%s) in mmap cache!\n",
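Review bot: `fq_name` is allocated on `packet` but is only needed for the to_sized_string/sss_mmap_cache_initgr_store pair, so it stays allocated for as long as the reply packet lives; assuming the store copies the key into the mapped region (which a memory-mapped cache has to do), `talloc_free(fq_name);` right after the store call releases it. It is also worth noting that a failed sss_tc_fqname now aborts the reply with ENOMEM, whereas a failed store a few lines below is only logged; that asymmetry may be intentional but deserves a comment. fill_initgr continues outside the hunk.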
@@ -4089,7 +4107,7 @@ static int nss_cmd_initgr_send_reply(struct nss_dom_ctx *dctx)
}
ret = fill_initgr(cctx->creq->out, dctx->domain, dctx->res, nctx,
- dctx->rawname);
+ dctx->mc_name, cmdctx->name);
if (ret) {
return ret;
}
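Review bot: `dctx->mc_name` is passed straight into fill_initgr, which hands it to to_sized_string without a NULL check; the only assignment visible in this commit is in nss_cmd_getbynam, so if nss_cmd_initgr_send_reply can be reached through a dom ctx built elsewhere with mc_name left zeroed, this would end up calling strlen on NULL. If every path does go through nss_cmd_getbynam, a comment at the call, `/* mc_name is set in nss_cmd_getbynam before any initgr search */`, documents the invariant; otherwise a guard such as `if (dctx->mc_name == NULL) return EINVAL;` before the call is cheap. nss_cmd_initgr_send_reply continues outside the hunk.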
@@ -4137,8 +4155,10 @@ static int nss_cmd_initgroups_search(struct nss_dom_ctx *dctx)
name = sss_get_cased_name(dctx, cmdctx->name, dom->case_sensitive);
if (!name) return ENOMEM;
- name = sss_reverse_replace_space(dctx, name,
+ name = sss_reverse_replace_space(cmdctx, name,
nctx->rctx->override_space);
+ /* save name so it can be used in initgr reply */
+ cmdctx->name = name;
if (name == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE,
"sss_reverse_replace_space failed\n");