[PATCH] central range check for sids2xids

[Michael Adam]

Hi all,

The attached patch introduces a central range check
for the unix ids produced by the id mapping backends
(sids2xids).

I noticed that some backends (at least ad and hash),
have no range check any more. This is dangerous
because it can lead to ids leaking out of id-mapping
that are from ranges that this backend is not
responsible for the backward mapping xids2sids
would then lead to a different sid than the one
started with.

Instead of adding this to all backends, here is
a patch that adds the check to the central
winbind code.

Opinions?

Thanks - Michael
-------------- next part --------------
From 1e16a960e0c33a27dc5f224538ec5e67f1975471 Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox at samba.org>
Date: Tue, 9 Aug 2016 18:25:12 +0200
Subject: [PATCH] idmap: centrally check that unix IDs returned by the idmap
 backends are in range

Signed-off-by: Michael Adam <obnox at samba.org>
---
 source3/winbindd/winbindd_dual_srv.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
index fb65e9d..0484e19 100644
--- a/source3/winbindd/winbindd_dual_srv.c
+++ b/source3/winbindd/winbindd_dual_srv.c
@@ -189,6 +189,10 @@ NTSTATUS _wbint_Sids2UnixIDs(struct pipes_struct *p,
 	for (i=0; i<num_ids; i++) {
 		struct id_map *m = id_map_ptrs[i];
 
+		if (!idmap_unix_id_is_in_range(m->xid.id, dom)) {
+			m->status = ID_UNMAPPED;
+		}
+
 		if (m->status == ID_MAPPED) {
 			ids[i].xid = m->xid;
 		} else {
-- 
2.5.5

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160809/a46a0ef6/signature.sig>