On Fri, 2012-03-09 at 18:17 +0100, Jakub Hrozek wrote:
Hi,
attached are two patches for issues I found in the proxy netgroups code.
[PATCH 1/2] Fix netgroup error handling
https://fedorahosted.org/sssd/ticket/1242
The patch improves error handling, and, most importantly, deletes any
netgroup that might be in the cache if the search did not yield any
results. There's one catch, though. During my testing with
nss-pam-ldapd, all the NSS operations returned NSS_STATUS_SUCCESS and an
empty "struct __netgrent" structure for cases when the netgroup existed
and when the netgroup existed but had no nisNetgroupTriple attributes.
This may be an nss-pam-ldapd bug, though. Is there any other back end
that could be used to test? I'd like to avoid setting up NIS :-)
You can create /etc/netgroup and add lines like
netgroupfile1 (a,b,c) (d,,e)
And then use proxy_lib_name=files.
It looks like that IS an nss-pam-ldapd bug. The file provider properly
returns NSS_STATUS_NOTFOUND if the netgroup doesn't exist.
It's not actually correct to delete the netgroup if it has no
attributes. It's technically legal to have a netgroup containing no
members. I'm not sure it's *useful*, but it's legal.
Also, there's a segfault here if the netgroup lookup returns
NSS_STATUS_NOTFOUND because you don't initialize tmp_ctx to NULL in
get_netgroup(), and the goto done: tries to free it.
So, nack.
[PATCH 2/2] Handle empty elements in proxy netgroups
The make_netgroup_attr() function did not check for NULL elements of
netgroup triples and could print literal "(null)" into the triple
element in the nice case and crash in the worst case.
Ack.
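As an added illustration of the two points raised in this thread (example code, not code from SSSD or from either patch): a minimal files-style netgroup lookup over a constructed /etc/netgroup that returns NSS_STATUS_NOTFOUND for a missing group but NSS_STATUS_SUCCESS with zero triples for a group that exists and has no members, plus a formatter in the spirit of make_netgroup_attr() that writes empty triple elements as empty strings instead of handing NULL to %s. The sample file content and the names lookup_netgroup, format_triple, netgroup_count and netgroup_triple_is are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes as in glibc's <nss.h>; only the two that matter here. */
enum nss_status { NSS_STATUS_NOTFOUND = 0, NSS_STATUS_SUCCESS = 1 };

/* One (host,user,domain) triple; an empty element is stored as NULL. */
struct triple { char *host; char *user; char *domain; };
#define MAX_TRIPLES 8

/* Constructed sample /etc/netgroup content (an assumption, not from the
 * thread): a group with an empty user element, and a group with no members. */
static const char *NETGROUP_FILE =
    "netgroupfile1 (a,b,c) (d,,e)\n"
    "emptygroup\n";

/* Copy [s, e) into a new string; NULL for an empty element (or on OOM). */
static char *dup_elem(const char *s, const char *e)
{
    size_t n = (size_t)(e - s);
    char *out = n ? malloc(n + 1) : NULL;
    if (out) { memcpy(out, s, n); out[n] = '\0'; }
    return out;
}

/* Parse "(h,u,d)" at *p and advance *p past the ')'. Returns 0 if malformed. */
static int parse_triple(const char **p, struct triple *t)
{
    const char *s = *p, *c1, *c2, *end;
    if (*s++ != '(' || !(c1 = strchr(s, ',')) || !(c2 = strchr(c1 + 1, ',')) ||
        !(end = strchr(c2 + 1, ')')))
        return 0;
    t->host = dup_elem(s, c1);
    t->user = dup_elem(c1 + 1, c2);
    t->domain = dup_elem(c2 + 1, end);
    *p = end + 1;
    return 1;
}

void free_triples(struct triple *t, size_t n)
{
    for (size_t i = 0; i < n; i++) { free(t[i].host); free(t[i].user); free(t[i].domain); }
}

/* Files-style lookup: NSS_STATUS_NOTFOUND when the group is absent, and
 * NSS_STATUS_SUCCESS with *count == 0 when it exists but has no triples. */
enum nss_status lookup_netgroup(const char *name, struct triple *out, size_t max, size_t *count)
{
    size_t nlen = strlen(name);
    *count = 0;
    for (const char *line = NETGROUP_FILE; *line; ) {
        const char *eol = strchr(line, '\n');
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (llen >= nlen && strncmp(line, name, nlen) == 0 &&
            (llen == nlen || line[nlen] == ' ')) {
            const char *p = line + nlen;
            while (*p == ' ') p++;
            while (*p == '(' && *count < max && parse_triple(&p, &out[*count])) {
                (*count)++;
                while (*p == ' ') p++;
            }
            return NSS_STATUS_SUCCESS;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return NSS_STATUS_NOTFOUND;
}

/* Hardened counterpart of make_netgroup_attr(): a NULL element is printed as
 * an empty string, so "(d,,e)" round-trips instead of becoming "(d,(null),e)"
 * on glibc, or crashing on a libc that does not special-case NULL for %s. */
int format_triple(const struct triple *t, char *buf, size_t len)
{
    return snprintf(buf, len, "(%s,%s,%s)", t->host ? t->host : "",
                    t->user ? t->user : "", t->domain ? t->domain : "");
}

/* Member count of a group, or -1 when the lookup returns NSS_STATUS_NOTFOUND. */
int netgroup_count(const char *name)
{
    struct triple t[MAX_TRIPLES]; size_t n;
    int st = lookup_netgroup(name, t, MAX_TRIPLES, &n);
    free_triples(t, n);
    return st == NSS_STATUS_SUCCESS ? (int)n : -1;
}

/* 1 if triple idx of the named group formats to expected, else 0. */
int netgroup_triple_is(const char *name, size_t idx, const char *expected)
{
    struct triple t[MAX_TRIPLES]; size_t n; char buf[64]; int ok = 0;
    if (lookup_netgroup(name, t, MAX_TRIPLES, &n) == NSS_STATUS_SUCCESS && idx < n)
        ok = format_triple(&t[idx], buf, sizeof buf) > 0 && strcmp(buf, expected) == 0;
    free_triples(t, n);
    return ok;
}
```

With the sample file above, netgroup_count("nosuchgroup") is -1, netgroup_count("emptygroup") is 0 and netgroup_count("netgroupfile1") is 2; a cache-cleanup policy keyed on the NSS status alone therefore keeps the legal-but-empty group and only removes the one that is really gone. netgroup_triple_is("netgroupfile1", 1, "(d,,e)") shows the empty user element surviving the round trip.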