From 5aeeedbb85e068ff1241868cf91596817540b009 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Thu, 21 Jul 2016 13:33:18 +0200
Subject: [PATCH 2/4] SIMPLE: Fail on any error parsing the access control list

Luckily this error was hidden by the fact that SSSD didn't start at all when an unparseable name was encountered after startup. Otherwise, this would have been a security issue. Nonetheless, we should just fail and deny access if we can't parse a name in a simple access list.
---
 src/providers/simple/simple_access.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/providers/simple/simple_access.c b/src/providers/simple/simple_access.c
index ae90215351fe7db834898067d3b4bad71015ec5f..577e8354e9b574764734248b2bde4ef06c6fb4fc 100644
--- a/src/providers/simple/simple_access.c
+++ b/src/providers/simple/simple_access.c
@@ -211,7 +211,10 @@ simple_access_handler_send(TALLOC_CTX *mem_ctx,
 ret = simple_access_obtain_filter_lists(simple_ctx);
 if (ret != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE, "Failed to refresh filter lists\n");
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to refresh filter lists, denying all access\n");
+ pd->pam_status = PAM_PERM_DENIED;
+ goto immediately;
 }
 simple_ctx->last_refresh_of_filter_lists = now;
 }
-- 
2.4.11
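Review bot: The new `DEBUG(SSSDBG_CRIT_FAILURE, ...)` line drops the error code that `simple_access_obtain_filter_lists()` returned in `ret`, so an operator reading this critical message cannot tell why the list failed to parse; log it as `"Failed to refresh filter lists [%d]: %s, denying all access\n", ret, sss_strerror(ret)` (or `strerror(ret)` if that helper is not in scope in this file). The denial itself depends on the `immediately:` label, which lies outside the hunk together with the start and end of `simple_access_handler_send`: if that label completes the request with `tevent_req_error(req, ret)` rather than `tevent_req_done()`, the `PAM_PERM_DENIED` assigned here is never read by the caller, so confirm the label path honours `pd->pam_status` or set `ret = EOK;` once the denial has been recorded. Leaving `last_refresh_of_filter_lists` untouched on failure looks right, since the next request re-attempts the parse instead of caching the failed state.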