[PATCH] central range check for sids2xids
Volker Lendecke
vl at samba.org
Wed Aug 10 07:47:56 UTC 2016
On Tue, Aug 09, 2016 at 06:39:36PM +0200, Michael Adam wrote:
> The attached patch introduces a central range check
> for the unix ids produced by the id mapping backends
> (sids2xids).
>
> I noticed that some backends (at least ad and hash),
> have no range check any more. This is dangerous
> because it can lead to ids leaking out of id-mapping
> that are from ranges that this backend is not
> responsible for the backward mapping xids2sids
> would then lead to a different sid than the one
> started with.
>
> Instead of adding this to all backends, here is
> a patch that adds the check to the central
> winbind code.
>
> Opinions?
Can we do all of that in the parent? Keep the children as simple as
possible?
Thanks,
Volker
More information about the samba-technical
mailing list