From d75b796151973a5d94a79f5577c15cda6eecb5ee Mon Sep 17 00:00:00 2001

From: Jakub Hrozek <jhrozek@redhat.com>

Date: Thu, 19 Oct 2017 17:18:15 +0200

Subject: [PATCH 08/21] SYSDB: Prevent users and groups ID collision in MPG

 domains except for id_provider=local

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

This commit makes the check when adding an object in a MPG domain

stricter in the sense that not only same names are allowed in a MPG

domain, but also the same groups are not allowed either.

This commit is a backwards-incompatible change, but one that is needed,

otherwise requesting the duplicate group first and then requesting the

user entry would yield two object when searching by GID.

In order to keep backwards-compatibility, this uniqueness is NOT

enforced with id_provider=local. This constraint can be removed in

the future (or the local provider can be dropped altogether)

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

(cherry picked from commit ac962e2b286988d8666b3b81bf8b55b1705b9ac0)

---

 src/db/sysdb_ops.c | 41 ++++++++++++++++++++++++++++++++++++++---

 1 file changed, 38 insertions(+), 3 deletions(-)

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c

index 0e39a629a5823ff49ed02ec4c08a21b66119f06f..2f8e36c6c9a2c2cefe4af5fb78957763304d989a 100644

--- a/src/db/sysdb_ops.c

+++ b/src/db/sysdb_ops.c

@@ -1960,16 +1960,34 @@ int sysdb_add_user(struct sss_domain_info *domain,

     }

     if (domain->mpg) {

-        /* In MPG domains you can't have groups with the same name as users,

-         * search if a group with the same name exists.

+        /* In MPG domains you can't have groups with the same name or GID

+         * as users, search if a group with the same name exists.

          * Don't worry about users, if we try to add a user with the same

          * name the operation will fail */

         ret = sysdb_search_group_by_name(tmp_ctx, domain, name, NULL, &msg;;

         if (ret != ENOENT) {

-            if (ret == EOK) ret = EEXIST;

+            if (ret == EOK) {

+                DEBUG(SSSDBG_OP_FAILURE,

+                      "Group named %s already exists in an MPG domain\n",

+                      name);

+                ret = EEXIST;

+            }

             goto done;

         }

+

+        if (strcasecmp(domain->provider, "local") != 0) {

+            ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg;;

+            if (ret != ENOENT) {

+                if (ret == EOK) {

+                    DEBUG(SSSDBG_OP_FAILURE,

+                        "Group with GID [%"SPRIgid"] already exists in an "

+                        "MPG domain\n", gid);

+                    ret = EEXIST;

+                }

+                goto done;

+            }

+        }

     }

     /* check no other user with the same uid exist */

@@ -2177,6 +2195,23 @@ int sysdb_add_group(struct sss_domain_info *domain,

             }

             goto done;

         }

+

+        if (strcasecmp(domain->provider, "local") != 0) {

+            ret = sysdb_search_user_by_uid(tmp_ctx, domain, gid, NULL, &msg;;

+            if (ret != ENOENT) {

+                if (ret == EOK) {

+                    DEBUG(SSSDBG_TRACE_LIBS,

+                          "User with the same UID exists in MPG domain: "

+                          "[%"SPRIgid"].\n", gid);

+                    ret = EEXIST;

+                } else {

+                    DEBUG(SSSDBG_TRACE_LIBS,

+                          "sysdb_search_user_by_uid failed for gid: "

+                          "[%"SPRIgid"].\n", gid);

+                }

+                goto done;

+            }

+        }

     }

     /* check no other groups with the same gid exist */

-- 

2.13.5