[SCM] Samba Shared Repository - branch master updated
Michael Adam
obnox at samba.org
Mon Jul 29 06:43:02 MDT 2013
The branch, master has been updated
via 8f8e843 s3:winbind: add a warning DEBUG message when skipping a sid from the mapped GID list
via 482212e s3:winbind: change getgroups to only do one sids2xids call instead of many
via 6e41745 s3:winbind: fix the getgroups implementation to include the user sid's GID in case of ID_TYPE_BOTH
via f62219e s3:winbind: fix gid counting and error handling in the getgroups implementation
from 45f5ea0 dns: Update TODO list
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 8f8e843267636b5fea076014980031afc2c0a7b4
Author: Michael Adam <obnox at samba.org>
Date: Fri Jul 26 12:26:30 2013 +0200
s3:winbind: add a warning DEBUG message when skipping a sid from the mapped GID list
Skipping a SID from the mapped GID list presents a potential security problem when ACLs contain DENY ACEs.
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Michael Adam <obnox at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Michael Adam <obnox at samba.org>
Autobuild-Date(master): Mon Jul 29 14:42:27 CEST 2013 on sn-devel-104
commit 482212e3d348e4247759cbca9507db74f61f9703
Author: Michael Adam <obnox at samba.org>
Date: Fri Jul 26 12:25:27 2013 +0200
s3:winbind: change getgroups to only do one sids2xids call instead of many
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Michael Adam <obnox at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 6e41745173989dff1b4e2f03e174e9d1020857d5
Author: Michael Adam <obnox at samba.org>
Date: Fri Jul 26 11:32:34 2013 +0200
s3:winbind: fix the getgroups implementation to include the user sid's GID in case of ID_TYPE_BOTH
This is important for ACL checks on the unix level where only a group ACE
has been added to the ACL for the user SID, e.g. when accessing files via
NFS or from local unix processes.
Signed-off-by: Michael Adam <obnox at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit f62219e71af69ec8b331500b75fd5fd77d51a636
Author: Michael Adam <obnox at samba.org>
Date: Fri Jul 26 11:31:41 2013 +0200
s3:winbind: fix gid counting and error handling in the getgroups implementation
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Michael Adam <obnox at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
-----------------------------------------------------------------------
Summary of changes:
source3/winbindd/winbindd_getgroups.c | 102 +++++++++++++++++++++++----------
1 files changed, 71 insertions(+), 31 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/winbindd/winbindd_getgroups.c b/source3/winbindd/winbindd_getgroups.c
index 1774901..b899beb 100644
--- a/source3/winbindd/winbindd_getgroups.c
+++ b/source3/winbindd/winbindd_getgroups.c
@@ -29,7 +29,6 @@ struct winbindd_getgroups_state {
enum lsa_SidType type;
int num_sids;
struct dom_sid *sids;
- int next_sid;
int num_gids;
gid_t *gids;
};
@@ -124,18 +123,13 @@ static void winbindd_getgroups_gettoken_done(struct tevent_req *subreq)
/*
* Convert the group SIDs to gids. state->sids[0] contains the user
- * sid, so start at index 1.
+ * sid. If the idmap backend uses ID_TYPE_BOTH, we might need the
+ * the id of the user sid in the list of group sids, so map the
+ * complete token.
*/
- state->gids = talloc_array(state, gid_t, state->num_sids-1);
- if (tevent_req_nomem(state->gids, req)) {
- return;
- }
- state->num_gids = 0;
- state->next_sid = 1;
-
subreq = wb_sids2xids_send(state, state->ev,
- &state->sids[state->next_sid], 1);
+ state->sids, state->num_sids);
if (tevent_req_nomem(subreq, req)) {
return;
}
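Review bot: The rewritten comment at the top of the hunk reads `we might need the the id of the user sid`, with a doubled "the"; suggest `* sid. If the idmap backend uses ID_TYPE_BOTH, we might need the` / `* id of the user sid in the list of group sids, so map the` / `* complete token.`. The body of winbindd_getgroups_gettoken_done begins before this hunk and the callback registration follows it.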
@@ -149,38 +143,84 @@ static void winbindd_getgroups_sid2gid_done(struct tevent_req *subreq)
struct winbindd_getgroups_state *state = tevent_req_data(
req, struct winbindd_getgroups_state);
NTSTATUS status;
- struct unixid xid;
+ struct unixid *xids;
+ int i;
- xid.type = ID_TYPE_NOT_SPECIFIED;
- xid.id = UINT32_MAX;
+ xids = talloc_array(state, struct unixid, state->num_sids);
+ if (tevent_req_nomem(xids, req)) {
+ return;
+ }
+ for (i=0; i < state->num_sids; i++) {
+ xids[i].type = ID_TYPE_NOT_SPECIFIED;
+ xids[i].id = UINT32_MAX;
+ }
- status = wb_sids2xids_recv(subreq, &xid);
+ status = wb_sids2xids_recv(subreq, xids);
TALLOC_FREE(subreq);
- if (xid.type == ID_TYPE_GID || xid.type == ID_TYPE_BOTH) {
- state->gids[state->num_gids] = (gid_t)xid.id;
- } else {
- state->gids[state->num_gids] = (uid_t)-1;
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED) ||
+ NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED))
+ {
+ status = NT_STATUS_OK;
}
-
- /*
- * In case of failure, just continue with the next gid
- */
- if (NT_STATUS_IS_OK(status)) {
- state->num_gids += 1;
+ if (tevent_req_nterror(req, status)) {
+ return;
}
- state->next_sid += 1;
- if (state->next_sid >= state->num_sids) {
- tevent_req_done(req);
+ state->gids = talloc_array(state, gid_t, state->num_sids);
+ if (tevent_req_nomem(state->gids, req)) {
return;
}
+ state->num_gids = 0;
- subreq = wb_sids2xids_send(state, state->ev,
- &state->sids[state->next_sid], 1);
- if (tevent_req_nomem(subreq, req)) {
+ for (i=0; i < state->num_sids; i++) {
+ bool include_gid = false;
+ const char *debug_missing = NULL;
+
+ switch (xids[i].type) {
+ case ID_TYPE_NOT_SPECIFIED:
+ debug_missing = "not specified";
+ break;
+ case ID_TYPE_UID:
+ if (i != 0) {
+ debug_missing = "uid";
+ }
+ break;
+ case ID_TYPE_GID:
+ case ID_TYPE_BOTH:
+ include_gid = true;
+ break;
+ }
+
+ if (!include_gid) {
+ if (debug_missing == NULL) {
+ continue;
+ }
+
+ DEBUG(10, ("WARNING: skipping unix id (%u) for sid %s "
+ "from group list because the idmap type "
+ "is %s. "
+ "This might be a security problem when ACLs "
+ "contain DENY ACEs!\n",
+ (unsigned)xids[i].id,
+ sid_string_tos(&state->sids[i]),
+ debug_missing));
+ continue;
+ }
+
+ state->gids[state->num_gids] = (gid_t)xids[i].id;
+ state->num_gids += 1;
+ }
+
+ /*
+ * This should not fail, as it does not do any reallocation,
+ * just updating the talloc size.
+ */
+ state->gids = talloc_realloc(state, state->gids, gid_t, state->num_gids);
+ if (tevent_req_nomem(state->gids, req)) {
return;
}
- tevent_req_set_callback(subreq, winbindd_getgroups_sid2gid_done, req);
+
+ tevent_req_done(req);
}
NTSTATUS winbindd_getgroups_recv(struct tevent_req *req,
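Review bot: The shrink `state->gids = talloc_realloc(state, state->gids, gid_t, state->num_gids);` near the end of the hunk frees the array and yields NULL when `state->num_gids` is 0, so the following `tevent_req_nomem` fails the request as out-of-memory instead of completing it with an empty group list; the comment above it ("This should not fail") does not hold for that case, and the case is reachable because the hunk deliberately turns NT_STATUS_NONE_MAPPED into NT_STATUS_OK, leaving every prefilled entry at ID_TYPE_NOT_SPECIFIED. Guard the shrink with `if (state->num_gids > 0) { state->gids = talloc_realloc(state, state->gids, gid_t, state->num_gids); if (tevent_req_nomem(state->gids, req)) { return; } }` or complete the request directly when nothing was mapped, whichever winbindd_getgroups_recv (outside the hunk) expects. Two smaller points in the new loop: `switch (xids[i].type)` has no `default:`, so any other type value is dropped silently without the warning, and `default: debug_missing = "unknown"; break;` would keep the log line for it; and the warning about a skipped unix id, which the commit message itself calls a potential security problem, is emitted at DEBUG level 10, visible only at maximum verbosity, so a lower level would make it show up in production logs. The first statements of winbindd_getgroups_sid2gid_done lie before the hunk.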