From bb736d3f02861366d11d2f03314295bd1c1be209 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 17 Nov 2020 12:59:23 +0100 Subject: [PATCH] nss: check if groups are filtered during initgroups MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If groups are filtered, i.e. SSSD should not handle them, they should not appear in the group list returned by an initgroups request. Resolves: https://github.com/SSSD/sssd/issues/5403 Reviewed-by: Pavel Březina (cherry picked from commit c87b2208b9a58c12eeceb5b8ccf9c34dcd835b8d) --- src/responder/nss/nss_protocol_grent.c | 35 ++++++++++++++++++++++++++ src/tests/intg/test_ldap.py | 12 +++++++++ 2 files changed, 47 insertions(+) diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c index 2367d9ecd..4c7ea9aed 100644 --- a/src/responder/nss/nss_protocol_grent.c +++ b/src/responder/nss/nss_protocol_grent.c @@ -308,6 +308,34 @@ done: return EOK; } +static bool is_group_filtered(struct sss_nc_ctx *ncache, + struct sss_domain_info *domain, + const char *grp_name, gid_t gid) +{ + int ret; + + if (grp_name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Group with gid [%"SPRIgid"] has no name, this should never " + "happen, trying to continue without.\n", gid); + } else { + ret = sss_ncache_check_group(ncache, domain, grp_name); + if (ret == EEXIST) { + DEBUG(SSSDBG_TRACE_FUNC, "Group [%s] is filtered out! " + "(negative cache)", grp_name); + return true; + } + } + ret = sss_ncache_check_gid(ncache, domain, gid); + if (ret == EEXIST) { + DEBUG(SSSDBG_TRACE_FUNC, "Group [%"SPRIgid"] is filtered out! " + "(negative cache)", gid); + return true; + } + + return false; +} + errno_t nss_protocol_fill_initgr(struct nss_ctx *nss_ctx, struct nss_cmd_ctx *cmd_ctx, @@ -326,6 +354,7 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx, size_t body_len; size_t rp; gid_t gid; + const char *grp_name; gid_t orig_gid; errno_t ret; int i; @@ -374,6 +403,8 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx, gid = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, SYSDB_GIDNUM, 0); posix = ldb_msg_find_attr_as_string(msg, SYSDB_POSIX, NULL); + grp_name = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_NAME, + NULL); if (gid == 0) { if (posix != NULL && strcmp(posix, "FALSE") == 0) { @@ -386,6 +417,10 @@ nss_protocol_fill_initgr(struct nss_ctx *nss_ctx, } } + if (is_group_filtered(nss_ctx->rctx->ncache, domain, grp_name, gid)) { + continue; + } + SAFEALIGN_COPY_UINT32(&body[rp], &gid, &rp); num_results++; diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py index 2e88ac7d1..afd23c71e 100644 --- a/src/tests/intg/test_ldap.py +++ b/src/tests/intg/test_ldap.py @@ -1190,6 +1190,18 @@ def test_nss_filters(ldap_conn, sanity_nss_filter): with pytest.raises(KeyError): grp.getgrgid(14) + # test initgroups - user1 is member of group_two_one_user_groups (2019) + # which is filtered out + (res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 2001) + assert res == sssd_id.NssReturnCode.SUCCESS + + user_with_group_ids = [2001, 2012, 2015, 2017, 2018] + assert sorted(gids) == sorted(user_with_group_ids), \ + "result: %s\n expected %s" % ( + ", ".join(["%s" % s for s in sorted(gids)]), + ", ".join(["%s" % s for s in sorted(user_with_group_ids)]) + ) + @pytest.fixture def sanity_nss_filter_cached(request, ldap_conn): -- 2.21.3