author | Fabiano FidĂȘncio <fidencio@redhat.com> | 2016-09-23 15:23:23 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2016-10-03 15:32:33 +0200 |
commit | efc65e78fa4e01e6cecc8690a9899af61213be62 (patch) | |
tree | 2093b436620d0164bfc352aac3a1981a6c438baf /src/responder/secrets | |
parent | d806427f200dc1ffd44d37724eb40125af5cc8c2 (diff) | |
SECRETS: Add a configurable depth limit for nested containers
Resolves:
https://fedorahosted.org/sssd/ticket/3168
Signed-off-by: Fabiano FidĂȘncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/responder/secrets')
-rw-r--r-- | src/responder/secrets/local.c | 26 | ||||
-rw-r--r-- | src/responder/secrets/providers.c | 1 | ||||
-rw-r--r-- | src/responder/secrets/secsrv.c | 13 | ||||
-rw-r--r-- | src/responder/secrets/secsrv.h | 1 |
4 files changed, 41 insertions, 0 deletions
diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c
index 484e40643..ec8453798 100644
--- a/src/responder/secrets/local.c
+++ b/src/responder/secrets/local.c
@@ -29,6 +29,7 @@ struct local_context {
 struct ldb_context *ldb;
 struct sec_data master_key;
+ int containers_nest_level;
 };
 static int local_decrypt(struct local_context *lctx, TALLOC_CTX *mem_ctx,
@@ -332,6 +333,26 @@ done:
 return ret;
 }
+static int local_db_check_containers_nest_level(struct local_context *lctx,
+ struct ldb_dn *leaf_dn)
+{
+ int nest_level;
+
+ /* We need do not care for the synthetic containers that constitute the
+ * base path (cn=<uidnumber>,cn=user,cn=secrets). */
+ nest_level = ldb_dn_get_comp_num(leaf_dn) - 3;
+ if (nest_level > lctx->containers_nest_level) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot create a nested container of depth %d as the maximum"
+ "allowed number of nested containers is %d.\n",
+ nest_level, lctx->containers_nest_level);
+
+ return ERR_SEC_INVALID_CONTAINERS_NEST_LEVEL;
+ }
+
+ return EOK;
+}
+
 static int local_db_put_simple(TALLOC_CTX *mem_ctx, struct local_context *lctx, const char *req_path,
@@ -447,6 +468,9 @@ static int local_db_create(TALLOC_CTX *mem_ctx,
 ret = local_db_check_containers(msg, lctx, msg->dn);
 if (ret != EOK) goto done;
+ ret = local_db_check_containers_nest_level(lctx, msg->dn);
+ if (ret != EOK) goto done;
+
 ret = ldb_msg_add_string(msg, "type", "container");
 if (ret != EOK) goto done;
@@ -708,6 +732,8 @@ int local_secrets_provider_handle(struct sec_ctx *sctx,
 return EIO;
 }
+ lctx->containers_nest_level = sctx->containers_nest_level;
+
 lctx->master_key.data = talloc_size(lctx, MKEY_SIZE);
 if (!lctx->master_key.data) return ENOMEM;
 lctx->master_key.length = MKEY_SIZE;
diff --git a/src/responder/secrets/providers.c b/src/responder/secrets/providers.c
index 4c6019886..aedb49a15 100644
--- a/src/responder/secrets/providers.c
+++ b/src/responder/secrets/providers.c
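Review bot: In local_db_check_containers_nest_level (local.c, second hunk) the two adjacent string literals in the DEBUG call join without a space, so the log reads "maximumallowed"; end the first one with a space, `"Cannot create a nested container of depth %d as the maximum "`. The comment above the subtraction is garbled and should read `/* We do not care about the synthetic containers that constitute the base path (cn=<uidnumber>,cn=user,cn=secrets). */`, and the bare `3` would be easier to audit as a named constant tied to that base path. The result of `ldb_dn_get_comp_num(leaf_dn)` is used unchecked, so a DN with three or fewer components gives a non-positive nest_level that always passes the limit. That is probably unreachable, because local_db_create calls local_db_check_containers on the same DN first, but what that call guarantees is not visible in this hunk.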
@@ -306,6 +306,7 @@ enum sec_http_status_codes sec_errno_to_http_status(errno_t err)
 case EISDIR:
 return STATUS_405;
 case EMEDIUMTYPE:
+ case ERR_SEC_INVALID_CONTAINERS_NEST_LEVEL:
 return STATUS_406;
 case EEXIST:
 return STATUS_409;
diff --git a/src/responder/secrets/secsrv.c b/src/responder/secrets/secsrv.c
index eb194a179..4bbc1dc90 100644
--- a/src/responder/secrets/secsrv.c
+++ b/src/responder/secrets/secsrv.c
@@ -29,6 +29,7 @@
 #include "resolv/async_resolv.h"
 #define DEFAULT_SEC_FD_LIMIT 2048
+#define DEFAULT_SEC_CONTAINERS_NEST_LEVEL 4
 static int sec_get_config(struct sec_ctx *sctx)
 {
@@ -45,6 +46,18 @@ static int sec_get_config(struct sec_ctx *sctx)
 goto fail;
 }
+ ret = confdb_get_int(sctx->rctx->cdb,
+ sctx->rctx->confdb_service_path,
+ CONFDB_SEC_CONTAINERS_NEST_LEVEL,
+ DEFAULT_SEC_CONTAINERS_NEST_LEVEL,
+ &sctx->containers_nest_level);
+
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to get containers' maximum depth\n");
+ goto fail;
+ }
+
 ret = confdb_get_int(sctx->rctx->cdb, sctx->rctx->confdb_service_path, CONFDB_RESPONDER_CLI_IDLE_TIMEOUT, CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT,
diff --git a/src/responder/secrets/secsrv.h b/src/responder/secrets/secsrv.h
index ace30f86a..8ef89ab2e 100644
--- a/src/responder/secrets/secsrv.h
+++ b/src/responder/secrets/secsrv.h
@@ -38,6 +38,7 @@ struct sec_ctx {
 struct resolv_ctx *resctx;
 struct resp_ctx *rctx;
 int fd_limit;
+ int containers_nest_level;
 struct provider_handle **providers;
 }; |
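Review bot: The new `case ERR_SEC_INVALID_CONTAINERS_NEST_LEVEL:` in sec_errno_to_http_status shares `STATUS_406` with EMEDIUMTYPE, so a client cannot tell a depth-limit rejection from a media-type error using the status code alone. If the shared code is intentional, a one-line comment on the new case would record that, for example `/* nesting limit exceeded: reported as 406, same as an unsupported type */`. The switch starts and ends outside the hunk, so other mappings were not checked.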
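Review bot: The value read into `sctx->containers_nest_level` in sec_get_config (secsrv.c, second hunk) is accepted without a range check. A negative setting therefore makes the comparison in local.c reject every container creation, and nothing in the log points at the configuration. Since this option is a resource limit, rejecting nonsensical values at load time is safer, for example `if (sctx->containers_nest_level < 0) { ret = EINVAL; goto fail; }` with a DEBUG line naming the option; this assumes the `fail` path returns `ret`, which is outside the hunk. Whether 0 is meant to forbid nested containers entirely should be stated where the option is documented, which this limited diff does not show.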