-rw-r--r--src/providers/ipa/hbac_evaluator.c6
-rw-r--r--src/providers/ipa/ipa_hbac_common.c30
2 files changed, 25 insertions, 11 deletions
diff --git a/src/providers/ipa/hbac_evaluator.c b/src/providers/ipa/hbac_evaluator.c
index 949f0aef..e120d51e 100644
--- a/src/providers/ipa/hbac_evaluator.c
+++ b/src/providers/ipa/hbac_evaluator.c
@@ -155,8 +155,10 @@ static bool hbac_evaluate_element(struct hbac_rule_element *rule_el,
/* First check the name list */
if (rule_el->names) {
for (i = 0; rule_el->names[i]; i++) {
- if (strcmp(rule_el->names[i], req_el->name) == 0) {
- return true;
+ if (req_el->name != NULL) {
+ if (strcmp(rule_el->names[i], req_el->name) == 0) {
+ return true;
+ }
}
}
}
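Review bot: The `req_el->name != NULL` guard added inside the `for` loop is loop-invariant, so every rule name is walked only to re-test the same pointer; hoisting it to the enclosing condition gives the same fail-closed result (an unknown requester name matches no listed name) and makes the intent visible in one place: `if (rule_el->names && req_el->name != NULL) {`. That rewrite is equivalent only if the `if (rule_el->names)` block has no `else` branch, which cannot be confirmed from the hunk. A one-line comment above it would help the next reader, e.g. `/* A NULL name (unknown host) never matches a listed name; group matching below still applies. */`. hbac_evaluate_element begins and ends outside this hunk.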
diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c
index f05c3e2e..0ed08b83 100644
--- a/src/providers/ipa/ipa_hbac_common.c
+++ b/src/providers/ipa/ipa_hbac_common.c
@@ -558,18 +558,15 @@ hbac_ctx_to_eval_request(TALLOC_CTX *mem_ctx,
/* Get the source host */
if (pd->rhost == NULL || pd->rhost[0] == '\0') {
- /* If we haven't been passed an rhost, we
- * have to assume it's coming from the
- * target host
+ /* If we haven't been passed an rhost,
+ * the rhost is unknown. This will fail
+ * to match any rule requiring the
+ * source host.
*/
- rhost = dp_opt_get_cstring(hbac_ctx->ipa_options, IPA_HOSTNAME);
+ rhost = NULL;
} else {
rhost = pd->rhost;
}
- if (rhost == NULL) {
- ret = EINVAL;
- goto done;
- }
ret = hbac_eval_host_element(eval_req, sysdb, domain,
rhost, &eval_req->srchost);
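Review bot: The call to hbac_eval_host_element on the last two lines now receives `rhost == NULL` when the client sent no source host, and nothing at this call site says that NULL is an accepted "unknown host" value rather than an error; the removed `EINVAL` check is exactly what a later cleanup might reinstate. The NULL contract is implemented in hbac_eval_host_element in this same commit, so it is worth recording it here: `/* rhost may be NULL (unknown source host); hbac_eval_host_element then builds an element with no name and no groups, which matches no host-specific rule. */`. The surrounding function hbac_ctx_to_eval_request starts before and ends after this hunk.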
@@ -808,6 +805,19 @@ hbac_eval_host_element(TALLOC_CTX *mem_ctx,
host->name = hostname;
+ if (host->name == NULL) {
+ /* We don't know the host (probably an rhost)
+ * So we can't determine it's groups either.
+ */
+ host->groups = talloc_array(host, const char *, 1);
+ if (host->groups == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ host->groups[0] = NULL;
+ ret = EOK;
+ goto done;
+ }
host_filter = talloc_asprintf(tmp_ctx,
"(objectClass=%s)",
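Review bot: The comment in the new NULL branch has a typo ("it's groups" should be "its groups") and understates what the branch decides, which matters because this is the point where an unknown host is made to match nothing rather than something. Suggested wording: `/* Unknown host (typically an rhost the client did not send): no name and no group memberships, so this element matches no host name or host group. */`. A minor style point: the test is made on `host->name` one line after it is assigned from `hostname`; testing the parameter before the assignment reads more naturally and avoids the reader wondering whether the assignment has a side effect. The early `goto done` with `ret = EOK` relies on the `done:` label transferring `host` to `mem_ctx` on success, which is changed further down in this commit; hbac_eval_host_element begins outside the hunk.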
@@ -862,10 +872,12 @@ hbac_eval_host_element(TALLOC_CTX *mem_ctx,
}
host->groups[i] = NULL;
- *host_element = talloc_steal(mem_ctx, host);
ret = EOK;
done:
+ if (ret == EOK) {
+ *host_element = talloc_steal(mem_ctx, host);
+ }
talloc_free(tmp_ctx);
return ret;
}
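Review bot: With the talloc_steal moved under `if (ret == EOK)`, `*host_element` is no longer written on any failure path, so callers must not read it unless EOK was returned; that contract is not stated anywhere visible and belongs in the function's header comment, e.g. `/* On success *host_element is set (allocated on mem_ctx); on error it is left untouched. */`. Whether `host` itself is released on the error paths depends on which context it was allocated on, which is outside the hunk — if it hangs off tmp_ctx the `talloc_free(tmp_ctx)` below covers it, otherwise the error paths now leak it, and a one-line comment naming the owner at the allocation site would settle the question. The body of hbac_eval_host_element starts well before this hunk.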