-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 06/03/2014 08:26 AM, Pavel Reichl wrote:
> Hello,
> I noticed that if using the simple access provider and having a
> non-existing group or user in the access/deny list, then access will be
> denied and "su: System error" will be printed.
> I think it's OK to simply skip non-existing objects on the allow list.
> I'm not so sure what to do in the case of deny lists. Should we also
> just skip them, or should we deny the user and print a more
> appropriate message ("su: Permission denied")?
I agree that skipping (and logging) on allow lists is fine.
For deny lists, it implies that either 1) the admin typoed the
user/group name in the list or 2) that the user/group was removed from
LDAP.
In the first case, we're potentially dealing with privilege leakage
(someone who shouldn't have access has it due to an admin
misconfiguration). In the second case, this is perhaps just normal
operating changes and shouldn't require client modification.
As I type this, I become more certain that the correct approach here
should be to log this with a better message (in both
SSSDBG_CRIT_FAILURE and sss_log) and just proceed as if it didn't exist.
A better message would perhaps be:
"The [user|group] %s does not exist. Possible typo in
simple_[allow|deny]_[users|groups]"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird -
http://www.enigmail.net/
iEYEARECAAYFAlOOJ20ACgkQeiVVYja6o6PokQCbBW5QhOdG3gUxhLCfeAdVpH17
tgoAn3KOpFCc4+UJp8DSkO8WBs9IHlJ6
=9Tmj
-----END PGP SIGNATURE-----
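To make the consequences of the two options concrete, here is a small model of the allow/deny decision with the "log and skip" behaviour proposed in the reply. This is an added example, not sssd's own code: the directory snapshot is constructed, the `SimpleAccessConfig` class and `decide()`/`resolve()` helpers are hypothetical names, and the precedence (deny lists win, empty allow lists mean "everyone not denied", a configured allow list must match) is my assumption modelled on the documented option semantics rather than something stated in the thread. It shows why a typo in a deny list is the dangerous case (the user gets in, and the only trace is the log line) while a typo in an allow list merely locks people out.

```python
"""Model of the simple access provider's allow/deny decision when a listed
user or group does not exist in the directory. Added example, not sssd code."""
import logging
from dataclasses import dataclass, field

log = logging.getLogger("simple_access")

# Constructed directory snapshot standing in for the LDAP backend:
# user -> set of group names the user belongs to.
DIRECTORY_USERS = {
    "alice": {"wheel", "devs"},
    "bob": {"devs"},
    "mallory": {"contractors"},
}
DIRECTORY_GROUPS = {"wheel", "devs", "contractors"}


@dataclass
class SimpleAccessConfig:
    """Hypothetical mirror of the four simple_* list options from sssd.conf."""
    allow_users: list = field(default_factory=list)
    deny_users: list = field(default_factory=list)
    allow_groups: list = field(default_factory=list)
    deny_groups: list = field(default_factory=list)


def resolve(names, existing, kind, option, warnings):
    """Keep the names that exist; log and skip the rest instead of failing.

    Returns the existing subset and appends one message per missing entry to
    `warnings`, using the wording proposed in the thread.
    """
    found = set()
    for name in names:
        if name in existing:
            found.add(name)
        else:
            msg = "The %s %s does not exist. Possible typo in %s" % (kind, name, option)
            log.critical(msg)
            warnings.append(msg)
    return found


def decide(cfg, user, users=DIRECTORY_USERS, groups=DIRECTORY_GROUPS):
    """Return (allowed, reason, warnings) for a login attempt by `user`.

    Assumed precedence (not taken from the thread): deny lists win; with no
    allow list configured everyone not denied is allowed; once an allow list
    is configured the user must match one of its entries.
    """
    warnings = []
    if user not in users:
        return False, "user not found", warnings
    member_of = users[user]

    deny_users = resolve(cfg.deny_users, users, "user", "simple_deny_users", warnings)
    deny_groups = resolve(cfg.deny_groups, groups, "group", "simple_deny_groups", warnings)
    allow_users = resolve(cfg.allow_users, users, "user", "simple_allow_users", warnings)
    allow_groups = resolve(cfg.allow_groups, groups, "group", "simple_allow_groups", warnings)

    if user in deny_users:
        return False, "listed in simple_deny_users", warnings
    if member_of & deny_groups:
        return False, "member of a group in simple_deny_groups", warnings

    # The *configured* lists decide whether the allow restriction is active:
    # a list whose only entries were typos still restricts, so nobody matches.
    if not cfg.allow_users and not cfg.allow_groups:
        return True, "no allow lists configured", warnings
    if user in allow_users:
        return True, "listed in simple_allow_users", warnings
    if member_of & allow_groups:
        return True, "member of a group in simple_allow_groups", warnings
    return False, "not in any allow list", warnings


if __name__ == "__main__":
    # Typo in the deny list: mallory gets in; only the warning records why.
    print(decide(SimpleAccessConfig(deny_users=["malory"]), "mallory"))
    # Typo in the allow list: nobody matches, so alice is locked out.
    print(decide(SimpleAccessConfig(allow_users=["alise"]), "alice"))
```

The third element of the tuple is what an admin would see in the log; in the first call it is the only evidence that the deny rule never applied, which is the privilege-leakage case the reply worries about and the reason the message should go to both the debug log and sss_log.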