authorMichael Adam <obnox@samba.org>2013-07-26 12:26:30 +0200
committerMichael Adam <obnox@samba.org>2013-07-29 14:42:27 +0200
commit8f8e843267636b5fea076014980031afc2c0a7b4 (patch)
tree8de6d52d1bc650831cc54ebb82d988a01d4caced /source3/winbindd/winbindd_getgroups.c
parent482212e3d348e4247759cbca9507db74f61f9703 (diff)
s3:winbind: add a warning DEBUG message when skipping a sid from the mapped GID list
This presents a potential security problem when ACLs contain DENY ACEs. Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Michael Adam <obnox@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Michael Adam <obnox@samba.org> Autobuild-Date(master): Mon Jul 29 14:42:27 CEST 2013 on sn-devel-104
Diffstat (limited to 'source3/winbindd/winbindd_getgroups.c')
-rw-r--r--source3/winbindd/winbindd_getgroups.c18
1 files changed, 18 insertions, 0 deletions
diff --git a/source3/winbindd/winbindd_getgroups.c b/source3/winbindd/winbindd_getgroups.c
index 445de3dcd9..b899bebe17 100644
--- a/source3/winbindd/winbindd_getgroups.c
+++ b/source3/winbindd/winbindd_getgroups.c
@@ -174,10 +174,16 @@ static void winbindd_getgroups_sid2gid_done(struct tevent_req *subreq)
for (i=0; i < state->num_sids; i++) {
bool include_gid = false;
+ const char *debug_missing = NULL;
switch (xids[i].type) {
case ID_TYPE_NOT_SPECIFIED:
+ debug_missing = "not specified";
+ break;
case ID_TYPE_UID:
+ if (i != 0) {
+ debug_missing = "uid";
+ }
break;
case ID_TYPE_GID:
case ID_TYPE_BOTH:
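Review bot: The `i != 0` exemption in the `ID_TYPE_UID` case is unexplained, so a reader cannot tell why index 0 alone may map to a uid without a warning. If `state->sids[0]` is the user's own SID (it looks that way, but the hunk does not show where the array is filled), say so above the test: `/* sids[0] is the user's own SID; a uid mapping is expected there */`. The switch body continues outside the hunk, so it is not visible whether there is a `default:` label. If there is none, an unexpected id type leaves `debug_missing == NULL` and is skipped without any message.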
@@ -186,6 +192,18 @@ static void winbindd_getgroups_sid2gid_done(struct tevent_req *subreq)
}
if (!include_gid) {
+ if (debug_missing == NULL) {
+ continue;
+ }
+
+ DEBUG(10, ("WARNING: skipping unix id (%u) for sid %s "
+ "from group list because the idmap type "
+ "is %s. "
+ "This might be a security problem when ACLs "
+ "contain DENY ACEs!\n",
+ (unsigned)xids[i].id,
+ sid_string_tos(&state->sids[i]),
+ debug_missing));
continue;
}
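Review bot: The warning is emitted at debug level 10, so on a server running at a normal log level the dropped SID leaves no trace, even though the message itself says the omission can matter when ACLs contain DENY ACEs. Consider a low level for this one message, e.g. `DEBUG(1, ("WARNING: skipping unix id (%u) for sid %s "`, and rate-limit it if volume is a concern. For `ID_TYPE_NOT_SPECIFIED` the value in `xids[i].id` is probably not a real id, so printing it as "unix id (%u)" may mislead whoever reads the log. The behaviour itself is unchanged by this hunk: the SID is still left out of the GID list, so the exposure the message describes remains and should be tracked separately.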