The Samba-Bugzilla – Attachment 12373 Details for
Bug 12155
Some idmap backends don't perform range checks for the result of sids_to_xids
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch for 4.5
idmap-v4-5.patch (text/plain), 2.95 KB, created by
Andreas Schneider
on 2016-08-17 05:35:05 UTC
(
hide
)
Description:
patch for 4.5
Filename:
MIME Type:
Creator:
Andreas Schneider
Created:
2016-08-17 05:35:05 UTC
Size:
2.95 KB
patch
obsolete
>From b768b8fd444b813244a1efdf2fe4ea7b70069642 Mon Sep 17 00:00:00 2001 >From: Michael Adam <obnox@samba.org> >Date: Mon, 15 Aug 2016 23:07:33 +0200 >Subject: [PATCH 1/2] idmap: don't generally forbid id==0 from > idmap_unix_id_is_in_range() > >If the range allows it, then id==0 should not be forbidden. >This seems to have been taken in from idmap_ldap when the >function was originally created. > >See 634cd2e0451d4388c3e3f78239495cf595368b15 . >The other backends don't seem to have had that >extra check for id == 0. > >The reasoning for this change is that the range check should >apply to all cases. If the range includes the 0, then it >should be possible to get it as result. In particular, >this way, the function becomes applicable also to the >passdb backend case, e.g. in a samba4-ad-dc setup where >the Admin gets uid == 0. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12155 > >Signed-off-by: Michael Adam <obnox@samba.org> >Reviewed-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> >(cherry picked from commit c21976d4b1c604699299f2c0f768c1add93b349d) >--- > source3/winbindd/idmap_util.c | 5 ----- > 1 file changed, 5 deletions(-) > >diff --git a/source3/winbindd/idmap_util.c b/source3/winbindd/idmap_util.c >index 3da39e8..196b4ad 100644 >--- a/source3/winbindd/idmap_util.c >+++ b/source3/winbindd/idmap_util.c >@@ -34,11 +34,6 @@ > */ > bool idmap_unix_id_is_in_range(uint32_t id, struct idmap_domain *dom) > { >- if (id == 0) { >- /* 0 is not an allowed unix id for id mapping */ >- return false; >- } >- > if ((dom->low_id && (id < dom->low_id)) || > (dom->high_id && (id > dom->high_id))) > { >-- >2.9.2 > > >From 05d29b3a9ba7ede4416e341d4ab607192ceb69b8 Mon Sep 17 00:00:00 2001 >From: Michael Adam <obnox@samba.org> >Date: Tue, 9 Aug 2016 18:25:12 +0200 >Subject: [PATCH 2/2] idmap: centrally check that unix IDs returned by the > idmap backends are in range > >Note: in the long run, it might be good to move this kind of >exit check (before handing the result back to the client) >to the parent winbindd code. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12155 > >Signed-off-by: Michael Adam <obnox@samba.org> >Reviewed-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Andreas Schneider <asn@samba.org> > >Autobuild-User(master): Michael Adam <obnox@samba.org> >Autobuild-Date(master): Wed Aug 17 01:21:39 CEST 2016 on sn-devel-144 > >(cherry picked from commit b2bf61307cffd8ff7b6fb9852c107ab763653119) >--- > source3/winbindd/winbindd_dual_srv.c | 4 ++++ > 1 file changed, 4 insertions(+) > >diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c >index fb65e9d..0484e19 100644 >--- a/source3/winbindd/winbindd_dual_srv.c >+++ b/source3/winbindd/winbindd_dual_srv.c >@@ -189,6 +189,10 @@ NTSTATUS _wbint_Sids2UnixIDs(struct pipes_struct *p, > for (i=0; i<num_ids; i++) { > struct id_map *m = id_map_ptrs[i]; > >+ if (!idmap_unix_id_is_in_range(m->xid.id, dom)) { >+ m->status = ID_UNMAPPED; >+ } >+ > if (m->status == ID_MAPPED) { > ids[i].xid = m->xid; > } else { >-- >2.9.2 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=12373">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Flags:
obnox
:
review+
abartlet
:
review-
Actions:
View
Attachments on
bug 12155
: 12373 |
12374
|
12387
|
12388
|
12420