From dbb263dddce4febf97add4ac5ef6e0aa2ced9f03 Mon Sep 17 00:00:00 2001
From: Pavel Reichl
Date: Mon, 20 Apr 2015 11:33:29 -0400
Subject: simple-access-provider: make user grp res more robust

Not all user groups need to be resolved if group deny list is empty.

Resolves: https://fedorahosted.org/sssd/ticket/2519

Reviewed-by: Jakub Hrozek
(cherry picked from commit 82a958e6592c4a4078e45b7197bbe4751b70f511)
(cherry picked from commit 45a089a7bcf54e27fb46dc1a2c08c21ac07db96a)
---
 src/providers/simple/simple_access_check.c | 26 ++++++++++++++++++++++----
 src/util/util_errors.c                     |  1 +
 src/util/util_errors.h                     |  1 +
 3 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/src/providers/simple/simple_access_check.c b/src/providers/simple/simple_access_check.c
index c8217f6d4..14d833be2 100644
--- a/src/providers/simple/simple_access_check.c
+++ b/src/providers/simple/simple_access_check.c
@@ -395,6 +395,8 @@ struct simple_check_groups_state {
 
     const char **group_names;
     size_t num_names;
+
+    bool failed_to_resolve_groups;
 };
 
 static void simple_check_get_groups_next(struct tevent_req *subreq);
@@ -430,6 +432,7 @@ simple_check_get_groups_send(TALLOC_CTX *mem_ctx,
 
     state->ev = ev;
     state->ctx = ctx;
+    state->failed_to_resolve_groups = false;
 
     DEBUG(SSSDBG_TRACE_LIBS, "Looking up groups for user %s\n", username);
 
@@ -548,11 +551,10 @@ static void simple_check_get_groups_next(struct tevent_req *subreq)
         DEBUG(SSSDBG_OP_FAILURE,
               "Could not resolve name of group with GID %"SPRIgid"\n",
               state->lookup_groups[state->giter].gid);
-        tevent_req_error(req, ret);
-        return;
+        state->failed_to_resolve_groups = true;
+    } else {
+        state->num_names++;
     }
-
-    state->num_names++;
     state->giter++;
 
     if (state->giter < state->num_groups) {
@@ -686,6 +688,9 @@ simple_check_get_groups_recv(struct tevent_req *req,
     TEVENT_REQ_RETURN_ON_ERROR(req);
 
     *_group_names = talloc_steal(mem_ctx, state->group_names);
+    if (state->failed_to_resolve_groups) {
+        return ERR_SIMPLE_GROUPS_MISSING;
+    }
 
     return EOK;
 }
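Review bot: The new `failed_to_resolve_groups` field (hunk at @@ -395) and the ERR_SIMPLE_GROUPS_MISSING return added to simple_check_get_groups_recv (hunk at @@ -686) change the _recv contract without documenting it: the function now hands back a partial `group_names` array through `*_group_names` and a non-EOK code at the same time, which is unusual for a tevent _recv and easy to misread as "output not set". Document the field with `/* Set when at least one GID could not be resolved to a name; group_names then holds only the resolved groups and _recv returns ERR_SIMPLE_GROUPS_MISSING. */` and put `/* The partial list is still handed to the caller, which decides whether an incomplete group set is acceptable. */` above the new `if` in _recv. In simple_check_get_groups_next (hunk at @@ -548) the line `state->failed_to_resolve_groups = true;` would also benefit from a one-line comment saying that the unresolved GID is skipped rather than appended, so `num_names` can end up smaller than `num_groups`; that function's body continues outside the hunk.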
@@ -775,12 +780,25 @@ static void simple_access_check_done(struct tevent_req *subreq)
 
     /* We know the names now. Run the check. */
     ret = simple_check_get_groups_recv(subreq, state, &state->group_names);
+    talloc_zfree(subreq);
 
     if (ret == ENOENT) {
         /* If the user wasn't found, just shortcut */
         state->access_granted = false;
         tevent_req_done(req);
         return;
+    } else if (ret == ERR_SIMPLE_GROUPS_MISSING) {
+        DEBUG(SSSDBG_OP_FAILURE,
+              "Could not collect groups of user %s\n", state->username);
+        if (state->ctx->deny_groups == NULL) {
+            DEBUG(SSSDBG_TRACE_FUNC,
+                  "But no deny groups were defined so we can continue.\n");
+        } else {
+            DEBUG(SSSDBG_OP_FAILURE,
+                  "Some deny groups were defined, we can't continue\n");
+            tevent_req_error(req, ret);
+            return;
+        }
     } else if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE,
               "Could not collect groups of user %s\n", state->username);
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index dad988bce..e608bdd3a 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -69,6 +69,7 @@ struct err_string error_to_str[] = {
     { "Error setting SELinux user context" }, /* ERR_SELINUX_CONTEXT */
     { "Username format not allowed by re_expression" }, /* ERR_REGEX_NOMATCH */
     { "Time specification not supported" }, /* ERR_TIMESPEC_NOT_SUPPORTED */
+    { "Failed to resolve one of user groups." }, /* ERR_SIMPLE_GROUPS_MISSING */
     { "ERR_LAST" } /* ERR_LAST */
 };
 
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index 5d657c707..00e5ffb4c 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -91,6 +91,7 @@ enum sssd_errors {
     ERR_SELINUX_CONTEXT,
     ERR_REGEX_NOMATCH,
     ERR_TIMESPEC_NOT_SUPPORTED,
+    ERR_SIMPLE_GROUPS_MISSING,
     ERR_LAST /* ALWAYS LAST */
 };
 
-- cgit
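Review bot: In the tolerated branch of the new `ret == ERR_SIMPLE_GROUPS_MISSING` case (deny_groups == NULL) control falls out of the if/else-if chain with `ret` still holding the error, so if the remainder of simple_access_check_done, which continues past this hunk, consults `ret` again it will see a failure on a path the code has just decided to treat as success; add `ret = EOK;` right after the SSSDBG_TRACE_FUNC DEBUG in that branch. The decision also deserves a comment stating why continuing is safe, because it is the security argument of the whole change: `/* With no deny groups configured an incomplete group list can only make an allow check (if one is configured) fail closed; it can never grant access that a complete list would have denied. */`. Note that this branch first logs at SSSDBG_OP_FAILURE and only then says at SSSDBG_TRACE_FUNC that everything is fine, so operators will see a failure-level message for a case that proceeds normally; consider lowering the first DEBUG or merging the two messages.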