s3:winbind: add a warning DEBUG message when skipping a sid from the mapped GID list
authorMichael Adam <obnox@samba.org>
Fri, 26 Jul 2013 10:26:30 +0000 (12:26 +0200)
committerMichael Adam <obnox@samba.org>
Mon, 29 Jul 2013 12:42:27 +0000 (14:42 +0200)
Skipping such a sid presents a potential security problem when ACLs contain DENY ACEs.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Mon Jul 29 14:42:27 CEST 2013 on sn-devel-104

source3/winbindd/winbindd_getgroups.c

index 445de3dcd9792b9c9836082177d0541bc099d7f8..b899bebe17035c191fb5d03bee8b27ebb4d7567f 100644 (file)
@@ -174,10 +174,16 @@ static void winbindd_getgroups_sid2gid_done(struct tevent_req *subreq)
 
        for (i=0; i < state->num_sids; i++) {
                bool include_gid = false;
+               const char *debug_missing = NULL;
 
                switch (xids[i].type) {
                case ID_TYPE_NOT_SPECIFIED:
+                       debug_missing = "not specified";
+                       break;
                case ID_TYPE_UID:
+                       if (i != 0) {
+                               debug_missing = "uid";
+                       }
                        break;
                case ID_TYPE_GID:
                case ID_TYPE_BOTH:
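Review bot: The `i != 0` test in the ID_TYPE_UID case is a bare magic index; nothing in the hunk says why a uid at position 0 does not deserve the warning, so a later reader cannot tell a deliberate exception from an off-by-one. Presumably sids[0] is the user's own sid, whose uid mapping is expected rather than missing — if so, state it with a comment above the `if`: `/* sids[0] is the user's own sid; a uid there is expected, not missing */`. The old fall-through from ID_TYPE_NOT_SPECIFIED into ID_TYPE_UID is now an explicit break, which reads clearer, but the "not specified" case could use a one-line comment saying that an unmapped sid is the case the warning exists for. A related point on the following hunk: the message itself says this may be a security problem, yet it is emitted at DEBUG level 10, which operators rarely run with; a lower level (or a documented reason for 10) would make the condition observable in practice. winbindd_getgroups_sid2gid_done begins before this hunk and continues after it.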
@@ -186,6 +192,18 @@ static void winbindd_getgroups_sid2gid_done(struct tevent_req *subreq)
                }
 
                if (!include_gid) {
+                       if (debug_missing == NULL) {
+                               continue;
+                       }
+
+                       DEBUG(10, ("WARNING: skipping unix id (%u) for sid %s "
+                                  "from group list because the idmap type "
+                                  "is %s. "
+                                  "This might be a security problem when ACLs "
+                                  "contain DENY ACEs!\n",
+                                  (unsigned)xids[i].id,
+                                  sid_string_tos(&state->sids[i]),
+                                  debug_missing));
                        continue;
                }