[PATCH] central range check for sids2xids

Michael Adam obnox at samba.org
Wed Aug 10 08:05:56 UTC 2016


On 2016-08-10 at 09:25 +0200, Andreas Schneider wrote:
> On Tuesday, 9 August 2016 18:39:36 CEST Michael Adam wrote:
> > Hi all,
> > 
> > The attached patch introduces a central range check
> > for the unix ids produced by the id mapping backends
> > (sids2xids).
> > 
> > I noticed that some backends (at least ad and hash)
> > have no range check any more. This is dangerous
> > because it can lead to ids leaking out of id-mapping
> > that are from ranges that this backend is not
> > responsible for. The backward mapping xids2sids
> > would then lead to a different sid than the one
> > started with.
> > 
> > Instead of adding this to all backends, here is
> > a patch that adds the check to the central
> > winbind code.
> > 
> > Opinions?
> 
> I missed that mail yesterday. Normally a bug should be opened before we create 
> the master patch so the bug URL is already present. We need this backported!

Yeah. I was too lazy. ;-)

It is true that this is intended to fix a misbehavior
that was spotted elsewhere, and deserves a backport and
hence a bug report.

Having a bug attached is (luckily) currently not
required for master... But I agree that it is nice
to add one before pushing to master, if we already
know that we will need a backport.... ;-)

After all, the autobuild seems to fail over
wbinfo -i in the blackbox.wbinfo(rodc:local) test
(not in the other test envs...)

So I need to track that down, and still have the
time to create the bug.

Cheers - Michael
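
Added example, not part of the original message or of the attached patch: a minimal sketch of a range check applied once, centrally, after the backends return, so a unix id outside the producing backend's configured range is never handed out. All types, names, the sentinel value and the sample ranges are hypothetical and simplified; they are not Samba's own structures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified types for illustration; not Samba's structures. */
enum map_status { ID_UNKNOWN, ID_MAPPED, ID_UNMAPPED };
#define INVALID_XID UINT32_MAX          /* assumed "no id" sentinel */

struct id_range { uint32_t low_id, high_id; };   /* inclusive bounds */

struct id_result {
    uint32_t xid;                   /* unix id returned by the backend */
    enum map_status status;
    const struct id_range *range;   /* range configured for that backend */
};

static int xid_in_range(const struct id_range *r, uint32_t xid)
{
    return r != NULL && r->low_id <= xid && xid <= r->high_id;
}

/* Central check run once after the backends return: a mapped id outside the
 * producing backend's range is downgraded to unmapped. Returns the count. */
size_t filter_out_of_range(struct id_result *res, size_t n)
{
    size_t rejected = 0;
    for (size_t i = 0; i < n; i++) {
        if (res[i].status != ID_MAPPED)
            continue;               /* nothing to validate */
        if (!xid_in_range(res[i].range, res[i].xid)) {
            res[i].xid = INVALID_XID;
            res[i].status = ID_UNMAPPED;
            rejected++;
        }
    }
    return rejected;
}

/* Constructed sample: one backend configured for 10000-19999. */
static const struct id_range sample_range = { 10000, 19999 };
struct id_result sample[] = {
    { 10500, ID_MAPPED,  &sample_range },   /* in range: kept */
    { 500,   ID_MAPPED,  &sample_range },   /* below range: rejected */
    { 20000, ID_MAPPED,  &sample_range },   /* just above range: rejected */
    { 0,     ID_UNKNOWN, &sample_range },   /* not mapped: untouched */
};

int main(void)
{
    printf("rejected %zu of 4\n", filter_out_of_range(sample, 4));
    return 0;
}
```

Rejected entries are cleared rather than passed through, so a later reverse lookup (xids2sids) cannot resolve the leaked id to a different sid through another backend's range.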