summaryrefslogtreecommitdiff
path: root/server/responder/nss/nsssrv_cmd.c
diff options
context:
space:
mode:
Diffstat (limited to 'server/responder/nss/nsssrv_cmd.c')
-rw-r--r--server/responder/nss/nsssrv_cmd.c119
1 files changed, 91 insertions, 28 deletions
diff --git a/server/responder/nss/nsssrv_cmd.c b/server/responder/nss/nsssrv_cmd.c
index 0a4703c9..26c51fac 100644
--- a/server/responder/nss/nsssrv_cmd.c
+++ b/server/responder/nss/nsssrv_cmd.c
@@ -192,6 +192,7 @@ static int fill_pwent(struct sss_packet *packet,
int i, ret, num;
bool add_domain = info->fqnames;
const char *domain = info->name;
+ int ncret;
if (add_domain) dom_len = strlen(domain) +1;
@@ -214,16 +215,24 @@ static int fill_pwent(struct sss_packet *packet,
}
if (filter_users) {
- ret = nss_ncache_check_user(nctx->ncache,
+ ncret = nss_ncache_check_user(nctx->ncache,
nctx->neg_timeout,
domain, name);
- if (ret == EEXIST) {
+ if (ncret == EEXIST) {
DEBUG(4, ("User [%s@%s] filtered out! (negative cache)\n",
name, domain));
continue;
}
}
+ /* check that the uid is valid for this domain */
+ if ((info->id_min && (uid < info->id_min)) ||
+ (info->id_max && (uid > info->id_max))) {
+ DEBUG(4, ("User [%s@%s] filtered out! (id out of range)\n",
+ name, domain));
+ continue;
+ }
+
gecos = ldb_msg_find_attr_as_string(msg, SYSDB_GECOS, NULL);
homedir = ldb_msg_find_attr_as_string(msg, SYSDB_HOMEDIR, NULL);
shell = ldb_msg_find_attr_as_string(msg, SYSDB_SHELL, NULL);
@@ -489,6 +498,7 @@ static int nss_cmd_getpwnam(struct cli_ctx *cctx)
uint8_t *body;
size_t blen;
int ret, num, i;
+ int ncret;
nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
@@ -522,9 +532,9 @@ static int nss_cmd_getpwnam(struct cli_ctx *cctx)
if (domname) {
/* verify this user has not yet been negatively cached,
* or has been permanently filtered */
- ret = nss_ncache_check_user(nctx->ncache, nctx->neg_timeout,
+ ncret = nss_ncache_check_user(nctx->ncache, nctx->neg_timeout,
domname, cmdctx->name);
- if (ret != ENOENT) {
+ if (ncret != ENOENT) {
DEBUG(3, ("User [%s] does not exist! (negative cache)\n",
rawname));
ret = ENOENT;
@@ -568,9 +578,9 @@ static int nss_cmd_getpwnam(struct cli_ctx *cctx)
for (i = 0; i < num; i++) {
/* verify this user has not yet been negatively cached,
* or has been permanently filtered */
- ret = nss_ncache_check_user(nctx->ncache, nctx->neg_timeout,
+ ncret = nss_ncache_check_user(nctx->ncache, nctx->neg_timeout,
domains[i], cmdctx->name);
- if (ret != ENOENT) {
+ if (ncret != ENOENT) {
DEBUG(3, ("User [%s] does not exist! (neg cache)\n",
rawname));
continue;
@@ -850,6 +860,7 @@ static int nss_cmd_getpwuid(struct cli_ctx *cctx)
uint8_t *body;
size_t blen;
int i, num, ret;
+ int ncret;
nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
@@ -885,9 +896,9 @@ static int nss_cmd_getpwuid(struct cli_ctx *cctx)
for (i = 0; i < num; i++) {
/* verify this user has not yet been negatively cached,
* or has been permanently filtered */
- ret = nss_ncache_check_uid(nctx->ncache, nctx->neg_timeout,
+ ncret = nss_ncache_check_uid(nctx->ncache, nctx->neg_timeout,
cmdctx->id);
- if (ret != ENOENT) {
+ if (ncret != ENOENT) {
DEBUG(3, ("Uid [%lu] does not exist! (negative cache)\n",
(unsigned long)cmdctx->id));
continue;
@@ -895,6 +906,15 @@ static int nss_cmd_getpwuid(struct cli_ctx *cctx)
info = btreemap_get_value(cctx->rctx->domain_map, domains[i]);
+ /* check that the uid is valid for this domain */
+ if ((info->id_min && (cmdctx->id < info->id_min)) ||
+ (info->id_max && (cmdctx->id > info->id_max))) {
+ DEBUG(4, ("Uid [%lu] does not exist in domain [%s]! "
+ "(id out of range)\n",
+ (unsigned long)cmdctx->id, domains[i]));
+ continue;
+ }
+
cmdctx->nr++;
dctx = talloc_zero(cmdctx, struct nss_dom_ctx);
@@ -1310,15 +1330,16 @@ static int fill_grent(struct sss_packet *packet,
struct ldb_message *msg;
uint8_t *body;
const char *name;
- uint32_t gid;
+ uint32_t gid, uid;
size_t rsize, rp, blen, mnump;
- int i, j, ret, num, memnum;
+ int i, j, n, ret, num, memnum;
bool get_members;
bool skip_members;
size_t dom_len = 0;
size_t name_len;
bool add_domain = info->fqnames;
const char *domain = info->name;
+ int ncret;
if (add_domain) dom_len = strlen(domain) +1;
@@ -1355,9 +1376,9 @@ static int fill_grent(struct sss_packet *packet,
skip_members = false;
if (filter_groups) {
- ret = nss_ncache_check_group(nctx->ncache,
+ ncret = nss_ncache_check_group(nctx->ncache,
nctx->neg_timeout, domain, name);
- if (ret == EEXIST) {
+ if (ncret == EEXIST) {
DEBUG(4, ("Group [%s@%s] filtered out! (negative cache)\n",
name, domain));
skip_members = true;
@@ -1365,6 +1386,15 @@ static int fill_grent(struct sss_packet *packet,
}
}
+ /* check that the gid is valid for this domain */
+ if ((info->id_min && (gid < info->id_min)) ||
+ (info->id_max && (gid > info->id_max))) {
+ DEBUG(4, ("User [%s@%s] filtered out! (id out of range)\n",
+ name, domain));
+ skip_members = true;
+ continue;
+ }
+
/* fill in gid and name and set pointer for number of members */
name_len = strlen(name)+1;
rsize = 2 * sizeof(uint32_t) + name_len +2;
@@ -1402,8 +1432,18 @@ static int fill_grent(struct sss_packet *packet,
if (el) {
/* legacy */
memnum = el->num_values;
-
+ n = 0;
for (j = 0; j < memnum; j++) {
+
+ ncret = nss_ncache_check_user(nctx->ncache,
+ nctx->neg_timeout, domain,
+ (char *)el->values[j].data);
+ if (ncret == EEXIST) {
+ DEBUG(4, ("User [%s@%s] filtered out! (negative cache)\n",
+ name, domain));
+ continue;
+ }
+
rsize = el->values[j].length + 1;
if (add_domain) {
name_len = rsize;
@@ -1424,10 +1464,12 @@ static int fill_grent(struct sss_packet *packet,
memcpy(&body[rp], domain, dom_len);
}
body[blen-1] = '\0';
+
+ n++;
}
sss_packet_get_body(packet, &body, &blen);
- ((uint32_t *)(&body[mnump]))[0] = memnum; /* num members */
+ ((uint32_t *)(&body[mnump]))[0] = n; /* num members */
} else {
get_members = true;
@@ -1449,20 +1491,29 @@ static int fill_grent(struct sss_packet *packet,
SYSDB_USER_CLASS)) {
name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
- if (!name) {
+ uid = ldb_msg_find_attr_as_uint64(msg, SYSDB_UIDNUM, 0);
+ if (!name || !uid) {
DEBUG(1, ("Incomplete user object! Aborting\n"));
num = 0;
goto done;
}
- ret = nss_ncache_check_user(nctx->ncache,
+ ncret = nss_ncache_check_user(nctx->ncache,
nctx->neg_timeout, domain, name);
- if (ret == EEXIST) {
+ if (ncret == EEXIST) {
DEBUG(4, ("User [%s@%s] filtered out! (negative cache)\n",
name, domain));
continue;
}
+ /* check that the uid is valid for this domain */
+ if ((info->id_min && (uid < info->id_min)) ||
+ (info->id_max && (uid > info->id_max))) {
+ DEBUG(4, ("User [%s@%s] filtered out! (id out of range)\n",
+ name, domain));
+ continue;
+ }
+
rsize = strlen(name) + 1;
if (add_domain) {
name_len = rsize;
@@ -1706,6 +1757,7 @@ static int nss_cmd_getgrnam(struct cli_ctx *cctx)
uint8_t *body;
size_t blen;
int ret, num, i;
+ int ncret;
nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
@@ -1738,9 +1790,9 @@ static int nss_cmd_getgrnam(struct cli_ctx *cctx)
if (domname) {
/* verify this user has not yet been negatively cached,
* or has been permanently filtered */
- ret = nss_ncache_check_group(nctx->ncache, nctx->neg_timeout,
+ ncret = nss_ncache_check_group(nctx->ncache, nctx->neg_timeout,
domname, cmdctx->name);
- if (ret != ENOENT) {
+ if (ncret != ENOENT) {
DEBUG(3, ("Group [%s] does not exist! (negative cache)\n",
rawname));
ret = ENOENT;
@@ -1783,9 +1835,9 @@ static int nss_cmd_getgrnam(struct cli_ctx *cctx)
for (i = 0; i < num; i++) {
/* verify this user has not yet been negatively cached,
* or has been permanently filtered */
- ret = nss_ncache_check_group(nctx->ncache, nctx->neg_timeout,
+ ncret = nss_ncache_check_group(nctx->ncache, nctx->neg_timeout,
domains[i], cmdctx->name);
- if (ret != ENOENT) {
+ if (ncret != ENOENT) {
DEBUG(3, ("Group [%s] does not exist! (negative cache)\n",
rawname));
continue;
@@ -2046,6 +2098,7 @@ static int nss_cmd_getgrgid(struct cli_ctx *cctx)
uint8_t *body;
size_t blen;
int i, num, ret;
+ int ncret;
nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
@@ -2081,9 +2134,9 @@ static int nss_cmd_getgrgid(struct cli_ctx *cctx)
for (i = 0; i < num; i++) {
/* verify this user has not yet been negatively cached,
* or has been permanently filtered */
- ret = nss_ncache_check_gid(nctx->ncache, nctx->neg_timeout,
+ ncret = nss_ncache_check_gid(nctx->ncache, nctx->neg_timeout,
cmdctx->id);
- if (ret != ENOENT) {
+ if (ncret != ENOENT) {
DEBUG(3, ("Gid [%lu] does not exist! (negative cache)\n",
(unsigned long)cmdctx->id));
continue;
@@ -2091,6 +2144,15 @@ static int nss_cmd_getgrgid(struct cli_ctx *cctx)
info = btreemap_get_value(cctx->rctx->domain_map, domains[i]);
+ /* check that the uid is valid for this domain */
+ if ((info->id_min && (cmdctx->id < info->id_min)) ||
+ (info->id_max && (cmdctx->id > info->id_max))) {
+ DEBUG(4, ("Gid [%lu] does not exist! (id out of range)\n",
+ (unsigned long)cmdctx->id));
+ continue;
+ }
+
+
cmdctx->nr++;
dctx = talloc_zero(cmdctx, struct nss_dom_ctx);
@@ -2787,6 +2849,7 @@ static int nss_cmd_initgroups(struct cli_ctx *cctx)
uint8_t *body;
size_t blen;
int ret, num, i;
+ int ncret;
nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
@@ -2813,14 +2876,14 @@ static int nss_cmd_initgroups(struct cli_ctx *cctx)
goto done;
}
DEBUG(4, ("Requesting info for [%s] from [%s]\n",
- cmdctx->name, dctx->domain->name));
+ cmdctx->name, domname ? : "<ALL>"));
if (domname) {
/* verify this user has not yet been negatively cached,
* or has been permanently filtered */
- ret = nss_ncache_check_user(nctx->ncache, nctx->neg_timeout,
+ ncret = nss_ncache_check_user(nctx->ncache, nctx->neg_timeout,
domname, cmdctx->name);
- if (ret != ENOENT) {
+ if (ncret != ENOENT) {
DEBUG(3, ("User [%s] does not exist! (negative cache)\n",
rawname));
ret = ENOENT;
@@ -2864,9 +2927,9 @@ static int nss_cmd_initgroups(struct cli_ctx *cctx)
for (i = 0; i < num; i++) {
/* verify this user has not yet been negatively cached,
* or has been permanently filtered */
- ret = nss_ncache_check_user(nctx->ncache, nctx->neg_timeout,
+ ncret = nss_ncache_check_user(nctx->ncache, nctx->neg_timeout,
domains[i], cmdctx->name);
- if (ret != ENOENT) {
+ if (ncret != ENOENT) {
DEBUG(3, ("User does not exist! (neg cache)\n"));
continue;
}