diff -u sssd-1.11.8/debian/changelog sssd-1.11.8/debian/changelog
--- sssd-1.11.8/debian/changelog
+++ sssd-1.11.8/debian/changelog
@@ -1,3 +1,10 @@
+sssd (1.11.8-0ubuntu0.3) trusty; urgency=medium
+
+ * d/p/fix-upstream-2519.diff SSSD should not fail authentication when only
+ allow rules are used (LP: #1640805)
+
+ -- Christian Ehrhardt Fri, 11 Nov 2016 09:23:35 +0100
+
 sssd (1.11.8-0ubuntu0.2) trusty; urgency=medium
 
 * control: Drop check from build-depends (ftbfs).
diff -u sssd-1.11.8/debian/patches/series sssd-1.11.8/debian/patches/series
--- sssd-1.11.8/debian/patches/series
+++ sssd-1.11.8/debian/patches/series
@@ -4,0 +5 @@
+fix-upstream-2519.diff
only in patch2: unchanged:
--- sssd-1.11.8.orig/debian/patches/fix-upstream-2519.diff
+++ sssd-1.11.8/debian/patches/fix-upstream-2519.diff
@@ -0,0 +1,170 @@
+Description: SSSD should not fail authentication when only allow rules are used
+
+Backport from upstream issue fix 2519 that slipped into the last bugfix update.
+This consists of two parts that got upstream in 1.12.3 and 1.12.5.
+
+Signed-off-by: Christian Ehrhardt
+
+Origin: https://fedorahosted.org/sssd/ticket/2519
+Author: Christian Ehrhardt
+Last-Update: 2016-11-14
+--- a/src/providers/simple/simple_access_check.c
++++ b/src/providers/simple/simple_access_check.c
+@@ -24,6 +24,11 @@
+ #include "util/sss_utf8.h"
+ #include "db/sysdb.h"
+ 
++#define NON_EXIST_USR_ALLOW "The user %s does not exist. Possible typo in simple_allow_users.\n"
++#define NON_EXIST_USR_DENY "The user %s does not exist. Possible typo in simple_deny_users.\n"
++#define NON_EXIST_GRP_ALLOW "The group %s does not exist. Possible typo in simple_allow_groups.\n"
++#define NON_EXIST_GRP_DENY "The group %s does not exist. Possible typo in simple_deny_groups.\n"
++
+ static bool
+ is_posix(const struct ldb_message *group)
+ {
+@@ -53,9 +58,11 @@
+ domain = find_subdomain_by_object_name(ctx->domain,
+ ctx->allow_users[i]);
+ if (domain == NULL) {
+- DEBUG(SSSDBG_CRIT_FAILURE, "Invalid user %s!\n",
+- ctx->allow_users[i]);
+- return EINVAL;
++ DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_USR_ALLOW,
++ ctx->allow_users[i]);
++ sss_log(SSS_LOG_CRIT, NON_EXIST_USR_ALLOW,
++ ctx->allow_users[i]);
++ continue;
+ }
+ 
+ if (sss_string_equal(domain->case_sensitive, username,
+@@ -86,8 +93,10 @@
+ domain = find_subdomain_by_object_name(ctx->domain,
+ ctx->deny_users[i]);
+ if (domain == NULL) {
+- DEBUG(SSSDBG_CRIT_FAILURE, "Invalid user %s!\n",
+- ctx->deny_users[i]);
++ DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_USR_DENY,
++ ctx->deny_users[i]);
++ sss_log(SSS_LOG_CRIT, NON_EXIST_USR_DENY,
++ ctx->deny_users[i]);
+ return EINVAL;
+ }
+ 
+@@ -125,9 +134,12 @@
+ domain = find_subdomain_by_object_name(ctx->domain,
+ ctx->allow_groups[i]);
+ if (domain == NULL) {
+- DEBUG(SSSDBG_CRIT_FAILURE, "Invalid group %s!\n",
+- ctx->allow_groups[i]);
+- return EINVAL;
++ DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_GRP_ALLOW,
++ ctx->allow_groups[i]);
++ sss_log(SSS_LOG_CRIT, NON_EXIST_GRP_ALLOW,
++ ctx->allow_groups[i]);
++
++ continue;
+ }
+ 
+ for(j = 0; group_names[j]; j++) {
+@@ -158,8 +170,11 @@
+ domain = find_subdomain_by_object_name(ctx->domain,
+ ctx->deny_groups[i]);
+ if (domain == NULL) {
+- DEBUG(SSSDBG_CRIT_FAILURE, "Invalid group %s!\n",
+- ctx->deny_groups[i]);
++ DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_GRP_DENY,
++ ctx->deny_groups[i]);
++ sss_log(SSS_LOG_CRIT, NON_EXIST_GRP_DENY,
++ ctx->deny_groups[i]);
++
+ return EINVAL;
+ }
+ 
+@@ -379,6 +394,8 @@
+ 
+ const char **group_names;
+ size_t num_names;
++
++ bool failed_to_resolve_groups;
+ };
+ 
+ static void simple_check_get_groups_next(struct tevent_req *subreq);
+@@ -414,6 +431,7 @@
+ 
+ state->ev = ev;
+ state->ctx = ctx;
++ state->failed_to_resolve_groups = false;
+ 
+ DEBUG(SSSDBG_TRACE_LIBS, "Looking up groups for user %s\n", username);
+ 
+@@ -532,11 +550,10 @@
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not resolve name of group with GID %"SPRIgid"\n",
+ state->lookup_groups[state->giter].gid);
+- tevent_req_error(req, ret);
+- return;
++ state->failed_to_resolve_groups = true;
++ } else {
++ state->num_names++;
+ }
+-
+- state->num_names++;
+ state->giter++;
+ 
+ if (state->giter < state->num_groups) {
+@@ -670,6 +687,9 @@
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ 
+ *_group_names = talloc_steal(mem_ctx, state->group_names);
++ if (state->failed_to_resolve_groups) {
++ return ERR_SIMPLE_GROUPS_MISSING;
++ }
+ return EOK;
+ }
+ 
+@@ -759,12 +779,25 @@
+ 
+ /* We know the names now. Run the check. */
+ ret = simple_check_get_groups_recv(subreq, state, &state->group_names);
++
+ talloc_zfree(subreq);
+ if (ret == ENOENT) {
+ /* If the user wasn't found, just shortcut */
+ state->access_granted = false;
+ tevent_req_done(req);
+ return;
++ } else if (ret == ERR_SIMPLE_GROUPS_MISSING) {
++ DEBUG(SSSDBG_OP_FAILURE,
++ "Could not collect groups of user %s\n", state->username);
++ if (state->ctx->deny_groups == NULL) {
++ DEBUG(SSSDBG_TRACE_FUNC,
++ "But no deny groups were defined so we can continue.\n");
++ } else {
++ DEBUG(SSSDBG_OP_FAILURE,
++ "Some deny groups were defined, we can't continue\n");
++ tevent_req_error(req, ret);
++ return;
++ }
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not collect groups of user %s\n", state->username);
+--- a/src/util/util_errors.c
++++ b/src/util/util_errors.c
+@@ -60,6 +60,7 @@
+ { "Bus message has no sender" }, /* ERR_SBUS_NO_SENDER */
+ { "Cannot connect to system bus" }, /* ERR_NO_SYSBUS */
+ { "LDAP search returned a referral" }, /* ERR_REFERRAL */
++ { "Failed to resolve one of user groups." }, /* ERR_SIMPLE_GROUPS_MISSING */
+ };
+ 
+ 
+--- a/src/util/util_errors.h
++++ b/src/util/util_errors.h
+@@ -82,6 +82,7 @@
+ ERR_SBUS_NO_SENDER,
+ ERR_NO_SYSBUS,
+ ERR_REFERRAL,
++ ERR_SIMPLE_GROUPS_MISSING,
+ ERR_LAST /* ALWAYS LAST */
+ };
+
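Review bot: The `state->ctx->deny_groups == NULL` branch in the last simple_access_check.c hunk (the `@@ -759,12 +779,25 @@` one) drops out of the if/else-if chain and lets the access check run on a group list that is known to be incomplete, so a user whose only allow-listed group is the one that failed to resolve will be refused; that is fail-closed and acceptable, but nothing in the code says so, and the only trace of it is a SSSDBG_TRACE_FUNC message. I would state the rationale above the `if`: `/* Group list is incomplete: with only allow rules a missing group can at worst deny a legitimate user (fail closed), whereas with deny groups it could hide a deny match, so refuse access. */`. Logging the "no deny groups" case at the SSSDBG_OP_FAILURE level already used two lines above, or pairing it with sss_log() as the typo messages earlier in this file do, would let an administrator see why a user was unexpectedly denied. Whether a failed tevent request here becomes a PAM denial is decided outside this hunk, and the enclosing function starts and ends outside it.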