From 1e7b7da3aa56060c26f8ba1c08318cdee77753ea Mon Sep 17 00:00:00 2001
From: Fabiano FidĂȘncio
Date: Mon, 14 Aug 2017 15:46:10 +0200
Subject: NEGCACHE: Always add "root" to the negative cache
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The current code only adds "root" to the negative cache in case there's any other user or group set up in to be added. As SSSD doesn't handle "root", it should *always* be added to the negative cache.
Related: https://pagure.io/SSSD/sssd/issue/3460
Signed-off-by: Fabiano FidĂȘncio
Reviewed-by: Jakub Hrozek
---
 src/responder/common/negcache.c | 88 +++++++++++++++++++++++++----------------
 1 file changed, 54 insertions(+), 34 deletions(-)
(limited to 'src')
diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
index 376c3e656..fc5ae76bc 100644
--- a/src/responder/common/negcache.c
+++ b/src/responder/common/negcache.c
@@ -771,8 +771,8 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 struct resp_ctx *rctx)
 {
 errno_t ret;
- bool filter_set = false;
 char **filter_list = NULL;
+ char **default_list = NULL;
 char *name = NULL;
 struct sss_domain_info *dom = NULL;
 struct sss_domain_info *domain_list = rctx->domains;
@@ -801,7 +801,6 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 &filter_list);
 if (ret == ENOENT) continue;
 if (ret != EOK) goto done;
- filter_set = true;
 for (i = 0; (filter_list && filter_list[i]); i++) {
 ret = sss_parse_name_for_domains(tmpctx, domain_list,
@@ -847,22 +846,9 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 /* Populate non domain-specific negative cache user entries */
 ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY, CONFDB_NSS_FILTER_USERS, &filter_list);
- if (ret == ENOENT) {
- if (!filter_set) {
- filter_list = talloc_array(tmpctx, char *, 2);
- if (!filter_list) {
- ret = ENOMEM;
- goto done;
- }
- filter_list[0] = talloc_strdup(tmpctx, "root");
- if (!filter_list[0]) {
- ret = ENOMEM;
- goto done;
- }
- filter_list[1] = NULL;
- }
+ if (ret != EOK && ret != ENOENT) {
+ goto done;
 }
- else if (ret != EOK) goto done;
 for (i = 0; (filter_list && filter_list[i]); i++) {
 ret = sss_parse_name_for_domains(tmpctx, domain_list,
@@ -922,7 +908,6 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 }
 /* Populate domain-specific negative cache group entries */
- filter_set = false;
 for (dom = domain_list; dom; dom = get_next_domain(dom, 0)) {
 conf_path = talloc_asprintf(tmpctx, CONFDB_DOMAIN_PATH_TMPL, dom->name);
 if (!conf_path) {
@@ -935,7 +920,6 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 CONFDB_NSS_FILTER_GROUPS, &filter_list);
 if (ret == ENOENT) continue;
 if (ret != EOK) goto done;
- filter_set = true;
 for (i = 0; (filter_list && filter_list[i]); i++) {
 ret = sss_parse_name(tmpctx, dom->names, filter_list[i],
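Review bot: In the non-domain-specific user lookup (hunk at -847, and the same shape in the group lookup at -975), `ENOENT` now falls straight through to the `for` loop without `filter_list` being reset; the removed branch had the same gap whenever `filter_set` was true. If `confdb_get_string_as_list()` leaves its output argument untouched on ENOENT (its body is not visible here), the loop re-reads whatever list the last domain-specific lookup stored. Names filtered for one domain would then be parsed against every domain and stored as global filter entries. Setting `filter_list = NULL;` immediately before each of the two global `confdb_get_string_as_list()` calls would make the "nothing configured" case explicit. The enclosing function starts and ends outside these hunks.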
@@ -975,22 +959,9 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 /* Populate non domain-specific negative cache group entries */
 ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY, CONFDB_NSS_FILTER_GROUPS, &filter_list);
- if (ret == ENOENT) {
- if (!filter_set) {
- filter_list = talloc_array(tmpctx, char *, 2);
- if (!filter_list) {
- ret = ENOMEM;
- goto done;
- }
- filter_list[0] = talloc_strdup(tmpctx, "root");
- if (!filter_list[0]) {
- ret = ENOMEM;
- goto done;
- }
- filter_list[1] = NULL;
- }
+ if (ret != EOK && ret != ENOENT) {
+ goto done;
 }
- else if (ret != EOK) goto done;
 for (i = 0; (filter_list && filter_list[i]); i++) {
 ret = sss_parse_name_for_domains(tmpctx, domain_list,
@@ -1049,6 +1020,55 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
 }
 }
+ /* SSSD doesn't handle "root", thus it'll be added to the negative cache
+ * nonetheless what's already added there. */
+ default_list = talloc_array(tmpctx, char *, 2);
+ if (default_list == NULL) {
+ ret= ENOMEM;
+ goto done;
+ }
+ default_list[0] = talloc_strdup(tmpctx, "root");
+ if (default_list[0] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ default_list[1] = NULL;
+
+ /* Populate negative cache users and groups entries for the
+ * "default_list" */
+ for (i = 0; (default_list != NULL && default_list[i] != NULL); i++) {
+ for (dom = domain_list;
+ dom != NULL;
+ dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {
+ fqname = sss_create_internal_fqname(tmpctx,
+ default_list[i],
+ dom->name);
+ if (fqname == NULL) {
+ continue;
+ }
+
+ ret = sss_ncache_set_user(ncache, true, dom, fqname);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to store permanent user filter for"
+ " [%s:%s] (%d [%s])\n",
+ dom->name, default_list[i],
+ ret, strerror(ret));
+ continue;
+ }
+
+ ret = sss_ncache_set_group(ncache, true, dom, fqname);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to store permanent group filter for"
+ " [%s:%s] (%d [%s])\n",
+ dom->name, default_list[i],
+ ret, strerror(ret));
+ continue;
+ }
+ }
+ }
+
 ret = EOK;
 done:
-- cgit
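Review bot: The added loop makes the "always" in the commit title best-effort. A NULL from `sss_create_internal_fqname()` skips the domain with no log line, and a failed `sss_ncache_set_user()` hits `continue` before `sss_ncache_set_group()` is tried, yet the function still reaches `ret = EOK`. Because the entry exists so that SSSD never answers for "root", I would treat the NULL (presumably an allocation failure) as `ret = ENOMEM; goto done;`, and drop the `continue` after the user-filter DEBUG so the group entry is still attempted for that domain. Minor: `ret= ENOMEM;` is missing a space, the `default_list != NULL` test in the `for` condition is redundant after the check above it, and the comment would read better as "regardless of what's already added there". The declaration of `fqname` and the `done:` cleanup lie outside the hunk.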