On Fri, Jul 29, 2016 at 11:44:53AM +0200, Lukas Slebodnik wrote:
On (26/07/16 15:00), Jakub Hrozek wrote:
>Hi,
>
>please see the attached patches. I'm not sure how this bug got in,
>because in the patch that broke the functionality
>(eef359b508b898ae99d2bf292a43f0f295a2ba5e) I said in the commit message
>that I did the change that is only implemented in the first attached
>patch. My guess is that the rebasing after the DP patches were merged
>went wrong.
>
>To make sure we don't regress, I added more tests and switched the tests
>to calling the DP handler.
>From 9a60d3ed8bd2b0eeb51dff2c6f78771e0d29245e Mon Sep 17 00:00:00 2001
>From: Jakub Hrozek <jhrozek(a)redhat.com>
>Date: Thu, 21 Jul 2016 12:18:01 +0200
>Subject: [PATCH 1/4] SIMPLE: Do not parse names on startup
>
>It's not required to parse names on SSSD startup in the simple access
>provider. We can instead just parse the name when the access request is
>processed.
>
>Resolves:
>https://fedorahosted.org/sssd/ticket/3101
>---
> src/providers/simple/simple_access.c | 7 -------
> 1 file changed, 7 deletions(-)
>
>diff --git a/src/providers/simple/simple_access.c
b/src/providers/simple/simple_access.c
>index
cb72ada20727c63452936647876ef297106e17b0..ae90215351fe7db834898067d3b4bad71015ec5f 100644
>--- a/src/providers/simple/simple_access.c
>+++ b/src/providers/simple/simple_access.c
>@@ -284,7 +284,6 @@ errno_t sssm_simple_access_init(TALLOC_CTX *mem_ctx,
> struct dp_method *dp_methods)
> {
> struct simple_ctx *ctx;
>- errno_t ret;
>
> ctx = talloc_zero(mem_ctx, struct simple_ctx);
> if (ctx == NULL) {
>@@ -296,12 +295,6 @@ errno_t sssm_simple_access_init(TALLOC_CTX *mem_ctx,
> ctx->be_ctx = be_ctx;
> ctx->last_refresh_of_filter_lists = 0;
>
>- ret = simple_access_obtain_filter_lists(ctx);
>- if (ret != EOK) {
>- talloc_free(ctx);
>- return ret;
>- }
>-
> dp_set_method(dp_methods, DPM_ACCESS_HANDLER,
> simple_access_handler_send, simple_access_handler_recv, ctx,
> struct simple_ctx, struct pam_data, struct pam_data *);
>--
>2.4.11
>
ACK
>From 5aeeedbb85e068ff1241868cf91596817540b009 Mon Sep 17 00:00:00 2001
>From: Jakub Hrozek <jhrozek(a)redhat.com>
>Date: Thu, 21 Jul 2016 13:33:18 +0200
>Subject: [PATCH 2/4] SIMPLE: Fail on any error parsing the access control list
>
>Luckily this error was hidden by the fact that SSSD didn't start at all
>when an unparseable name was encountered after startup. Otherwise, this
>would have been a security issue.
>
>Nonetheless, we should just fail and deny access if we can't parse a
>name in a simple access list.
>---
> src/providers/simple/simple_access.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
>diff --git a/src/providers/simple/simple_access.c
b/src/providers/simple/simple_access.c
>index
ae90215351fe7db834898067d3b4bad71015ec5f..577e8354e9b574764734248b2bde4ef06c6fb4fc 100644
>--- a/src/providers/simple/simple_access.c
>+++ b/src/providers/simple/simple_access.c
>@@ -211,7 +211,10 @@ simple_access_handler_send(TALLOC_CTX *mem_ctx,
>
> ret = simple_access_obtain_filter_lists(simple_ctx);
> if (ret != EOK) {
>- DEBUG(SSSDBG_MINOR_FAILURE, "Failed to refresh filter
lists\n");
>+ DEBUG(SSSDBG_CRIT_FAILURE,
>+ "Failed to refresh filter lists, denying all
access\n");
>+ pd->pam_status = PAM_PERM_DENIED;
>+ goto immediately;
> }
I didn't test but Do we really need it.
I think that unparsable names are covered by #2519
@see
https://git.fedorahosted.org/cgit/sssd.git/commit/?id=79f128801d598ca57a6...
IIRC the intention of #2519 was to be strict only for deny rules.
There might be typos in allow rules because it isn't a security bug.
If you prefer, I can return an error code only from failures parsing the
deny list, but according to my testing without this patch, a user was
allowed access if an unparseable name was in the deny list. Try to
remove this hunk and run the tests from the last patch..
and commit says not existing user/group in
simple_allow_users/simple_allow_groups should not imply access denied.
Yes, I'm fine with skipping failures in allow, but not in deny (I really
wish we didn't have any deny rules anywhere in the SSSD access providers..)
>From 5bd29f76a8aee228b3ce07e2ec6453f7374a4acc Mon Sep 17 00:00:00 2001
>From: Jakub Hrozek <jhrozek(a)redhat.com>
>Date: Tue, 26 Jul 2016 12:13:43 +0200
>Subject: [PATCH 3/4] SIMPLE: Make the DP handlers testable
>
>To make it possible to call the whole DP handler in the unit test, not
>just the evaluator part.
>---
> Makefile.am | 1 +
> src/providers/simple/simple_access.c | 5 ++--
> src/providers/simple/simple_access_pvt.h | 43 ++++++++++++++++++++++++++++++++
> 3 files changed, 47 insertions(+), 2 deletions(-)
> create mode 100644 src/providers/simple/simple_access_pvt.h
>
>diff --git a/Makefile.am b/Makefile.am
>index
3d84bd868a8d0b8f9df329aa8978c215ba750a45..5d1d671096f986d9387e6199112c017e9bf30e1b 100644
>--- a/Makefile.am
>+++ b/Makefile.am
>@@ -665,6 +665,7 @@ dist_noinst_HEADERS = \
> src/providers/fail_over_srv.h \
> src/util/child_common.h \
> src/providers/simple/simple_access.h \
>+ src/providers/simple/simple_access_pvt.h \
> src/providers/krb5/krb5_auth.h \
> src/providers/krb5/krb5_common.h \
> src/providers/krb5/krb5_utils.h \
>diff --git a/src/providers/simple/simple_access.c
b/src/providers/simple/simple_access.c
>index
577e8354e9b574764734248b2bde4ef06c6fb4fc..521beee84833b47b547bd1045c24e3384aa4d9a5 100644
>--- a/src/providers/simple/simple_access.c
>+++ b/src/providers/simple/simple_access.c
>@@ -22,6 +22,7 @@
> #include <security/pam_modules.h>
>
> #include "providers/simple/simple_access.h"
>+#include "providers/simple/simple_access_pvt.h"
> #include "util/sss_utf8.h"
> #include "providers/backend.h"
> #include "db/sysdb.h"
>@@ -176,7 +177,7 @@ struct simple_access_handler_state {
>
> static void simple_access_handler_done(struct tevent_req *subreq);
>
>-static struct tevent_req *
>+struct tevent_req *
> simple_access_handler_send(TALLOC_CTX *mem_ctx,
> struct simple_ctx *simple_ctx,
> struct pam_data *pd,
>@@ -265,7 +266,7 @@ done:
> tevent_req_done(req);
> }
>
>-static errno_t
>+errno_t
> simple_access_handler_recv(TALLOC_CTX *mem_ctx,
> struct tevent_req *req,
> struct pam_data **_data)
>diff --git a/src/providers/simple/simple_access_pvt.h
b/src/providers/simple/simple_access_pvt.h
>new file mode 100644
>index
0000000000000000000000000000000000000000..c133e1c5531be35861178e0b23aa7a09db9f7703
>--- /dev/null
>+++ b/src/providers/simple/simple_access_pvt.h
>@@ -0,0 +1,43 @@
>+/*
>+ SSSD
>+
>+ Simple access control
>+
>+ Copyright (C) Sumit Bose <sbose(a)redhat.com> 2010
>+
Looks like a copy&paste issue.
Should we use Author + copyright to RH for new files?
I prefer not to use the author tag at all to be honest. I never know who to
put there. In this case, I only moved some declarations, I didn't 'create'
the code, so I copied the author tag from the person who really wrote it.
I'm fine with dropping the author line.
>+ This program is free software; you can redistribute it and/or modify
>+ it under the terms of the GNU General Public License as published by
>+ the Free Software Foundation; either version 3 of the License, or
>+ (at your option) any later version.
>+
>+ This program is distributed in the hope that it will be useful,
>+ but WITHOUT ANY WARRANTY; without even the implied warranty of
>+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
>+ GNU General Public License for more details.
>+
>+ You should have received a copy of the GNU General Public License
>+ along with this program. If not, see <
http://www.gnu.org/licenses/>.
>+*/
>+
>+#ifndef __SIMPLE_ACCESS_PVT_H__
>+#define __SIMPLE_ACCESS_PVT_H__
>+
>+#include "providers/data_provider/dp.h"
>+
>+/* We only 'export' the functions in a private header file to be able to
call
>+ * them from unit tests
>+ */
>+struct tevent_req *
>+simple_access_handler_send(TALLOC_CTX *mem_ctx,
>+ struct simple_ctx *simple_ctx,
>+ struct pam_data *pd,
>+ struct dp_req_params *params);
>+
>+errno_t
>+simple_access_handler_recv(TALLOC_CTX *mem_ctx,
>+ struct tevent_req *req,
>+ struct pam_data **_data);
>+
>+int simple_access_obtain_filter_lists(struct simple_ctx *ctx);
>+
>+#endif /* __SIMPLE_ACCESS_PVT_H__ */
>--
>2.4.11
>
>From c01d768243e16fba9d1078b8a6b64b7d7ee1f43a Mon Sep 17 00:00:00 2001
>From: Jakub Hrozek <jhrozek(a)redhat.com>
>Date: Tue, 26 Jul 2016 12:14:47 +0200
>Subject: [PATCH 4/4] TESTS: Use the DP handlers in simple provider tests, add
> more tests
>
>Use the full simple access control handlers, just like SSSD does in the
>tests.
>---
Let's discuss patch #2 first.