authorJakub Hrozek <jhrozek@redhat.com>2017-03-28 14:49:31 +0200
committerJakub Hrozek <jhrozek@redhat.com>2017-03-30 14:10:01 +0200
commit901396366075dc3e3fcc0894345af1b51052ac69 (patch)
tree44439ead685d3b3f9895306b87308f00196a74bd
parent5f7f249f2a8a1c7284e991aa64dbf850d482b0aa (diff)
SYSDB: Only generate new UID in local domain
To avoid issues where a user with no UID but without the posix=false flag was passed to sysdb, we only allow generating the new ID in the local domain. This might prevent bugs where non-POSIX users would get a UID created by sysdb which might allow accessing resources owned by that UID. Reviewed-by: Sumit Bose <sbose@redhat.com>
-rw-r--r--src/db/sysdb_ops.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 3cf9d903f..4d7b2abd8 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -1422,6 +1422,12 @@ int sysdb_get_new_id(struct sss_domain_info *domain,
return ENOMEM;
}
+ if (strcasecmp(domain->provider, "local") != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Generating new ID is only supported in the local domain!\n");
+ return ENOTSUP;
+ }
+
base_dn = sysdb_domain_dn(tmp_ctx, domain);
if (!base_dn) {
talloc_zfree(tmp_ctx);
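Review bot: The added `return ENOTSUP;` appears to leak `tmp_ctx`: the context lines just above the check look like the tail of an allocation-failure branch, and the `!base_dn` error path right below releases the context with `talloc_zfree(tmp_ctx)` before returning, which the new branch does not do. Either add `talloc_zfree(tmp_ctx);` before `return ENOTSUP;` or move the provider check ahead of the allocation, so that repeated rejected requests from non-local domains do not accumulate memory in a long-running process. It is also worth confirming that `domain->provider` can never be NULL at this point, since passing a NULL pointer to `strcasecmp` is undefined behaviour. The allocation itself and the rest of sysdb_get_new_id lie outside the hunk, so the leak is inferred from the visible cleanup pattern.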