From b5c3597d0a13256d381b60ba24838d64edfb68df Mon Sep 17 00:00:00 2001
From: Fabiano FidĂȘncio
Date: Feb 27 2018 12:54:47 +0000
Subject: SYSDB_VIEWS: Remove sshPublicKey attribute when it's not set

We have to explicitly remove 'sshPublicKey' attribute from an override in case it's not set, otherwise we may ended up in a situation where a ssh key is removed from IPA but it'll still be present in SSSD's server cache, allowing then users to ssh to a machine even having a key that has already been removed from IPA.

Related: https://pagure.io/SSSD/sssd/issue/3602

Signed-off-by: Fabiano FidĂȘncio
Reviewed-by: Sumit Bose
(cherry picked from commit d0d3631242178f0b6fccf08baeca1a57f28771fa)
---

diff --git a/src/db/sysdb_views.c b/src/db/sysdb_views.c
index 9dc48f5..4ffbeb3 100644
--- a/src/db/sysdb_views.c
+++ b/src/db/sysdb_views.c
@@ -725,6 +725,8 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain,
 SYSDB_USER_CERT,
 NULL };
 bool override_attrs_found = false;
+ struct ldb_message_element el_del = { 0, SYSDB_SSH_PUBKEY, 0, NULL };
+ struct sysdb_attrs del_attrs = { 1, &el_del };

 if (override_attrs == NULL) {
 /* nothing to do */
@@ -794,7 +796,17 @@ errno_t sysdb_apply_default_override(struct sss_domain_info *domain,
 el->values[d].data, ldb_dn_get_linearized(obj_dn));
 }
 }
- } else if (ret != ENOENT) {
+ } else if (ret == ENOENT) {
+ if (strcmp(allowed_attrs[c], SYSDB_SSH_PUBKEY) == 0) {
+ ret = sysdb_set_entry_attr(domain->sysdb, obj_dn, &del_attrs,
+ SYSDB_MOD_DEL);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_set_entry_attr failed.\n");
+ goto done;
+ }
+ }
+ } else {
 DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_el_ext failed.\n");
 goto done;
 }
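Review bot: The two positional initializers added in the first hunk depend on the field order of `struct ldb_message_element` and `struct sysdb_attrs`, both declared outside this file, and nothing on the lines says that an element with no values is what makes `SYSDB_MOD_DEL` drop the whole attribute. Designated initializers would state the intent directly: `struct ldb_message_element el_del = { .name = SYSDB_SSH_PUBKEY };` and `struct sysdb_attrs del_attrs = { .num = 1, .a = &el_del };`. A one-line comment such as `/* value-less element: deletes every cached sshPublicKey value */` above them would help the next reader. The declarations sit at the top of sysdb_apply_default_override, whose body continues outside the hunk.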
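Review bot: The new `ret == ENOENT` branch in the second hunk clears only `SYSDB_SSH_PUBKEY`, while `SYSDB_USER_CERT` is in the same `allowed_attrs` list (visible in the first hunk's context) and looks exposed to the same stale-cache problem. A certificate removed from the override in IPA would presumably remain on the cached object and still be usable for authentication. If that holds, the guard should cover both credential attributes: `if (strcmp(allowed_attrs[c], SYSDB_SSH_PUBKEY) == 0 || strcmp(allowed_attrs[c], SYSDB_USER_CERT) == 0) {`, with `el_del.name = allowed_attrs[c];` set before the `sysdb_set_entry_attr` call. The failure message would also be more useful for triage if it logged `ret` and `ldb_dn_get_linearized(obj_dn)`, since a failed delete leaves the revoked key in the cache. The loop and the `done` label are outside the hunk, so how `ret` is treated after the last iteration cannot be checked from here.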