[PATCH] central range check for sids2xids

Andreas Schneider asn at samba.org
Wed Aug 10 07:25:45 UTC 2016


On Tuesday, 9 August 2016 18:39:36 CEST Michael Adam wrote:
> Hi all,
> 
> The attached patch introduces a central range check
> for the unix ids produced by the id mapping backends
> (sids2xids).
> 
> I noticed that some backends (at least ad and hash),
> have no range check any more. This is dangerous
> because it can lead to ids leaking out of id-mapping
> that are from ranges that this backend is not
> responsible for; the backward mapping xids2sids
> would then lead to a different sid than the one
> started with.
> 
> Instead of adding this to all backends, here is
> a patch that adds the check to the central
> winbind code.
> 
> Opinions?

I missed that mail yesterday. Normally a bug should be opened before we create 
the master patch so the bug URL is already present. We need this backported!


Please open a bug for that. Thanks!



-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org
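
The failure mode described in the quoted mail, and a central check against it, as an added example that is not part of the thread or of the attached patch. The types, function names, ranges and SIDs are simplified, constructed stand-ins, not Samba's own structures:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified, hypothetical types for illustration; not Samba's structures. */
enum map_status { ID_UNMAPPED, ID_MAPPED };
struct domain_cfg { const char *name; uint32_t low_id, high_id; };
struct id_map { const char *sid; uint32_t xid; enum map_status status; };

/* Central check, applied to whatever a backend returned for its domain:
 * a mapped id outside [low_id, high_id] is turned back into "unmapped". */
static size_t enforce_range(const struct domain_cfg *dom,
                            struct id_map *maps, size_t n)
{
    size_t rejected = 0;
    for (size_t i = 0; i < n; i++) {
        if (maps[i].status != ID_MAPPED)
            continue;
        if (maps[i].xid < dom->low_id || maps[i].xid > dom->high_id) {
            maps[i].status = ID_UNMAPPED;
            maps[i].xid = UINT32_MAX;
            rejected++;
        }
    }
    return rejected;
}

/* Reverse direction: the domain answering for an xid is chosen by range. */
static const struct domain_cfg *owner_of_xid(const struct domain_cfg *doms,
                                             size_t n, uint32_t xid)
{
    for (size_t i = 0; i < n; i++)
        if (xid >= doms[i].low_id && xid <= doms[i].high_id)
            return &doms[i];
    return NULL;
}

int main(void)
{
    /* Constructed sample data: two domains, backend for A returns one bad id. */
    struct domain_cfg doms[] = { {"A", 10000, 19999}, {"B", 20000, 29999} };
    struct id_map maps[] = { {"S-1-5-21-A-1000", 10500, ID_MAPPED},
                             {"S-1-5-21-A-1001", 20500, ID_MAPPED} };
    printf("xid %u would reverse-map via domain %s\n", (unsigned)maps[1].xid,
           owner_of_xid(doms, 2, maps[1].xid)->name);
    printf("rejected by central check: %zu\n", enforce_range(&doms[0], maps, 2));
    return 0;
}
```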


