From fc38b9d4e9a46c80a05003a9ff2e6d39b00ecffd Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Fri, 1 Jul 2011 16:34:03 -0400
Subject: Treat NULL or empty rhost as unknown

Previously, we were assuming this meant it was coming from the
localhost, but this is not a safe assumption. We will now treat it
as unknown and it will fail to match any rule that requires a
specified srchost or group of srchosts.
---
 src/providers/ipa/hbac_evaluator.c  |  6 ++++--
 src/providers/ipa/ipa_hbac_common.c | 30 +++++++++++++++++++++---------
 2 files changed, 25 insertions(+), 11 deletions(-)

(limited to 'src')

diff --git a/src/providers/ipa/hbac_evaluator.c b/src/providers/ipa/hbac_evaluator.c
index 949f0aefd..e120d51e4 100644
--- a/src/providers/ipa/hbac_evaluator.c
+++ b/src/providers/ipa/hbac_evaluator.c
@@ -155,8 +155,10 @@ static bool hbac_evaluate_element(struct hbac_rule_element *rule_el,
     /* First check the name list */
     if (rule_el->names) {
         for (i = 0; rule_el->names[i]; i++) {
-            if (strcmp(rule_el->names[i], req_el->name) == 0) {
-                return true;
+            if (req_el->name != NULL) {
+                if (strcmp(rule_el->names[i], req_el->name) == 0) {
+                    return true;
+                }
             }
         }
     }
diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c
index f05c3e2e7..0ed08b839 100644
--- a/src/providers/ipa/ipa_hbac_common.c
+++ b/src/providers/ipa/ipa_hbac_common.c
@@ -558,18 +558,15 @@ hbac_ctx_to_eval_request(TALLOC_CTX *mem_ctx,
 
     /* Get the source host */
     if (pd->rhost == NULL || pd->rhost[0] == '\0') {
-            /* If we haven't been passed an rhost, we
-             * have to assume it's coming from the
-             * target host
+            /* If we haven't been passed an rhost,
+             * the rhost is unknown. This will fail
+             * to match any rule requiring the
+             * source host.
              */
-        rhost = dp_opt_get_cstring(hbac_ctx->ipa_options, IPA_HOSTNAME);
+        rhost = NULL;
     } else {
         rhost = pd->rhost;
     }
-    if (rhost == NULL) {
-        ret = EINVAL;
-        goto done;
-    }
 
     ret = hbac_eval_host_element(eval_req, sysdb, domain,
                                  rhost, &eval_req->srchost);
@@ -808,6 +805,19 @@ hbac_eval_host_element(TALLOC_CTX *mem_ctx,
 
     host->name = hostname;
 
+    if (host->name == NULL) {
+        /* We don't know the host (probably an rhost)
+         * So we can't determine it's groups either.
+         */
+        host->groups = talloc_array(host, const char *, 1);
+        if (host->groups == NULL) {
+            ret = ENOMEM;
+            goto done;
+        }
+        host->groups[0] = NULL;
+        ret = EOK;
+        goto done;
+    }
 
     host_filter = talloc_asprintf(tmp_ctx,
                                   "(objectClass=%s)",
@@ -862,10 +872,12 @@ hbac_eval_host_element(TALLOC_CTX *mem_ctx,
     }
     host->groups[i] = NULL;
 
-    *host_element = talloc_steal(mem_ctx, host);
     ret = EOK;
 
 done:
+    if (ret == EOK) {
+        *host_element = talloc_steal(mem_ctx, host);
+    }
     talloc_free(tmp_ctx);
     return ret;
 }
-- 
cgit