On Fri, Mar 09, 2012 at 02:10:43PM -0500, Stephen Gallagher wrote:
On Fri, 2012-03-09 at 18:17 +0100, Jakub Hrozek wrote:
> Hi,
>
> attached are two patches for issues I found in the proxy netgroups code.
>
> [PATCH 1/2] Fix netgroup error handling
>
https://fedorahosted.org/sssd/ticket/1242
>
> The patch improves error handling, and, most importanly, deletes any
> netgroup that might be in the cache if the search did not yield any
> results. There's one catch, though. During my testing with
> nss-pam-ldapd, all the NSS operations returned NSS_STATUS_SUCCESS and an
> empty "struct __netgrent" structure for cases when the netgroup existed
> and when the netgroup existed but had no nisNetgroupTriple attributes.
> This may be a nss-pam-ldapd bug, though..is there any other back end
> that could be used to test? I'd like to avoid setting up NIS :-)
>
You can create /etc/netgroup and add lines like
netgroupfile1 (a,b,c) (d,,e)
And then use proxy_lib_name=files.
It looks like that IS an nss-pam-ldapd bug. The file provider properly
returns NSS_STATUS_NOTFOUND if the netgroup doesn't exist.
Yes, I'll bring that up with nss-pam-ldapd upstream.
It's not actually correct to delete the netgroup if it has no
attributes. It's technically legal to have a netgroup containing no
members. I'm not sure it's *useful*, but it's legal.
Also, there's a segfault here if the netgroup lookup returns
NSS_STATUS_NOTFOUND because you don't initialize tmp_ctx to NULL in
get_netgroup(), and the goto done: tries to free it.
So, nack.
> [PATCH 2/2] Handle empty elements in proxy netgroups
> The make_netgroup_attr() function did not check for NULL elements of
> netgroup triples and could print literal "(null)" into the triple
> element in the nice case and crash in the worse case.
Ack.
Fixed & attached both patches even though only patch #1 changed.