4c09cd0 CACHE_REQ_SEARCH: Check for filtered users/groups also on cache_req_send()

1 file. Authored by fidencio 6 years ago, committed by lslebodn 6 years ago.
    CACHE_REQ_SEARCH: Check for filtered users/groups also on cache_req_send()
    
    cache_req_send() may take some shortcuts in case the object is found in
    the cache and it's still valid.
    
    This behaviour may lead to exposing filtered users and groups when
    they're searched by their uid/gid.
    
    A solution for this issue was proposed on 4ef0b19a but, unfortunately,
    didn't take into consideration that this shortcut could be taken.
    
    There are basically two really easy ways to test this issue:
     1) Using enumeration:
        - Set "enumerate = True" in the domain section
        - Restart SSSD, cleaning up the cache
        - getent passwd <uid of a user who is part of the filter_users>
        - Wait a little bit till the entry_negative_timeout is expired
        - getent passwd <same uid used above>
    
     2) Not using enumeration:
        - getent passwd <uid of a user who is part of the filter_users>
        - Wait a little bit till the entry_negative_timeout is expired
        - getent passwd <same uid used above>
    
    A test covering this code path will be added in the follow-up commit.
    
    Resolves:
    https://pagure.io/SSSD/sssd/issue/3362
    
    Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
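
The lookup sequence from the commit message can be scripted as a regression check that fails if a filtered uid resolves on either lookup. This is an added example, not part of the commit or of SSSD; the `LOOKUP` and `WAIT` variables and both function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not SSSD code: scripted form of the two-lookup test above.
# LOOKUP (assumption): command that resolves a uid; defaults to "getent passwd"
# and can be overridden with a stub to exercise the script offline.
LOOKUP="${LOOKUP:-getent passwd}"
# WAIT (assumption): seconds to sleep between lookups. Set it above the
# entry_negative_timeout configured in sssd.conf; 20 is a constructed value.
WAIT="${WAIT:-20}"

# check_filtered_uid UID
# Returns 0 if the uid stays hidden on both lookups, 1 if either lookup
# returns an entry, i.e. the filtered user is exposed.
check_filtered_uid() {
    uid="$1"
    if $LOOKUP "$uid" >/dev/null 2>&1; then
        echo "LEAK: uid $uid resolved on the first lookup" >&2
        return 1
    fi
    # Let the negative-cache entry expire before asking again.
    sleep "$WAIT"
    if $LOOKUP "$uid" >/dev/null 2>&1; then
        echo "LEAK: uid $uid resolved after the negative cache expired" >&2
        return 1
    fi
    return 0
}

# check_all UID...
# Prints the number of exposed uids and returns non-zero if there is any.
check_all() {
    leaks=0
    for u in "$@"; do
        check_filtered_uid "$u" || leaks=$((leaks + 1))
    done
    echo "$leaks"
    [ "$leaks" -eq 0 ]
}

# Run the check only when uids are passed on the command line.
if [ "$#" -gt 0 ]; then check_all "$@"; fi
```

Pass the uids of the users listed in filter_users as arguments; run it once with enumeration enabled and once without to cover both cases.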