-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> A stupid admin with ldbmodify or ldbedit could set an ID manually to 0.
> I'm just covering all of our bases.
> 
> Might as well do it right in case things change later.
> 

OK, modified version attached.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkrxtp4ACgkQHsardTLnvCXTfgCgsE9Ev8NbGT91v4mmXe+wOHGY
vYwAn0GPmdQBoArX0h2kQgIhtu5EnIDS
=hClK
-----END PGP SIGNATURE-----
>From 257c7178e66685fb6cb658018b86391a2f278342 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <[email protected]>
Date: Mon, 2 Nov 2009 11:40:21 +0100
Subject: [PATCH] Do not delete users, groups outside domain range

Fixes: 240
---
 server/tools/sss_groupdel.c |   18 ++++++++++++++++++
 server/tools/sss_userdel.c  |   28 +++++++++++++++++-----------
 2 files changed, 35 insertions(+), 11 deletions(-)

diff --git a/server/tools/sss_groupdel.c b/server/tools/sss_groupdel.c
index d6e3dfd..d2b4edf 100644
--- a/server/tools/sss_groupdel.c
+++ b/server/tools/sss_groupdel.c
@@ -90,6 +90,24 @@ int main(int argc, const char **argv)
         goto fini;
     }
 
+    ret = sysdb_getgrnam_sync(tctx, tctx->ev, tctx->sysdb,
+                              tctx->octx->name, tctx->local,
+                              &tctx->octx);
+    if (ret != EOK) {
+        ERROR("Cannot find group in local domain, "
+              "modifying groups is allowed only in local domain\n");
+        ret = EXIT_FAILURE;
+        goto fini;
+    }
+
+    if ((tctx->octx->gid < tctx->local->id_min) ||
+        (tctx->local->id_max && tctx->octx->gid > tctx->local->id_max)) {
+        ERROR("Group %s is outside the defined ID range for domain\n",
+              tctx->octx->name);
+        ret = EXIT_FAILURE;
+        goto fini;
+    }
+
     start_transaction(tctx);
     if (tctx->error != EOK) {
         goto done;
diff --git a/server/tools/sss_userdel.c b/server/tools/sss_userdel.c
index d4088cb..d34466e 100644
--- a/server/tools/sss_userdel.c
+++ b/server/tools/sss_userdel.c
@@ -121,17 +121,23 @@ int main(int argc, const char **argv)
         goto fini;
     }
 
-    if (tctx->octx->remove_homedir) {
-        ret = sysdb_getpwnam_sync(tctx,
-                                  tctx->ev,
-                                  tctx->sysdb,
-                                  tctx->octx->name,
-                                  tctx->local,
-                                  &tctx->octx);
-        if (ret != EOK) {
-            /* Error message will be printed in the switch */
-            goto done;
-        }
+    ret = sysdb_getpwnam_sync(tctx,
+                              tctx->ev,
+                              tctx->sysdb,
+                              tctx->octx->name,
+                              tctx->local,
+                              &tctx->octx);
+    if (ret != EOK) {
+        /* Error message will be printed in the switch */
+        goto done;
+    }
+
+    if ((tctx->octx->uid < tctx->local->id_min) ||
+        (tctx->local->id_max && tctx->octx->uid > tctx->local->id_max)) {
+        ERROR("User %s is outside the defined ID range for domain\n",
+              tctx->octx->name);
+        ret = EXIT_FAILURE;
+        goto fini;
     }
 
     start_transaction(tctx);
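Review bot: The new range check exits via `goto fini` while the lookup failure just above it exits via `goto done`, and from this hunk alone it is not visible whether the two labels release the same resources before returning; if `done` performs extra cleanup, the range-check failure should probably use it too, or a comment should state why `fini` is correct here. The quoted motivation for the patch is an ID manually set to 0, and this check only rejects that case when `tctx->local->id_min` is greater than 0; if the configuration permits an id_min of 0, consider whether an explicit rejection of uid 0 is wanted, presumably it is for a deletion tool. The uid check here and the gid check in sss_groupdel.c are the same expression on different fields, so a small shared helper in the tools' common code would avoid the two copies drifting apart. main() starts and ends outside the hunk.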
-- 
1.6.2.5
