On Fri, 2012-03-09 at 18:17 +0100, Jakub Hrozek wrote:
> Hi,
>
> attached are two patches for issues I found in the proxy netgroups code.
>
> [PATCH 1/2] Fix netgroup error handling
> https://fedorahosted.org/sssd/ticket/1242
>
> The patch improves error handling, and, most importantly, deletes any
> netgroup that might be in the cache if the search did not yield any
> results. There's one catch, though. During my testing with
> nss-pam-ldapd, all the NSS operations returned NSS_STATUS_SUCCESS and an
> empty "struct __netgrent" structure for cases when the netgroup existed
> and when the netgroup existed but had no nisNetgroupTriple attributes.
> This may be a nss-pam-ldapd bug, though..is there any other back end
> that could be used to test? I'd like to avoid setting up NIS :-)
>
You can create /etc/netgroup and add lines like
netgroupfile1 (a,b,c) (d,,e)

And then use proxy_lib_name=files.

It looks like that IS an nss-pam-ldapd bug. The file provider properly returns NSS_STATUS_NOTFOUND if the netgroup doesn't exist.

It's not actually correct to delete the netgroup if it has no attributes. It's technically legal to have a netgroup containing no members. I'm not sure it's *useful*, but it's legal.

Also, there's a segfault here if the netgroup lookup returns NSS_STATUS_NOTFOUND because you don't initialize tmp_ctx to NULL in get_netgroup(), and the goto done: tries to free it.

So, nack.

> [PATCH 2/2] Handle empty elements in proxy netgroups
> The make_netgroup_attr() function did not check for NULL elements of
> netgroup triples and could print literal "(null)" into the triple
> element in the nice case and crash in the worse case.

Ack.
_______________________________________________
sssd-devel mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/sssd-devel
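The two defects discussed in this thread (a NULL triple element reaching a "%s" format, and a cleanup label freeing a pointer that was never initialized) shown in their safe form, as an added example that is not code from the patches or from SSSD. The names `struct triple`, `elem` and `format_triple` are hypothetical, and plain malloc/free stand in for the allocator the real code uses.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for one netgroup triple; any member may be NULL. */
struct triple {
    const char *host;
    const char *user;
    const char *domain;
};

/* Map a missing element to "" instead of passing NULL to "%s", which is
 * undefined behaviour (glibc happens to print "(null)"). */
static const char *elem(const char *s)
{
    return s != NULL ? s : "";
}

/* Returns a malloc'ed "(host,user,domain)" string, or NULL on error. */
char *format_triple(const struct triple *t)
{
    char *out = NULL;  /* initialized, so every path to done: can free it */
    char *ret = NULL;
    int len;

    if (t == NULL) goto done;  /* early exit before any allocation */

    len = snprintf(NULL, 0, "(%s,%s,%s)",
                   elem(t->host), elem(t->user), elem(t->domain));
    if (len < 0) goto done;

    out = malloc((size_t)len + 1);
    if (out == NULL) goto done;

    snprintf(out, (size_t)len + 1, "(%s,%s,%s)",
             elem(t->host), elem(t->user), elem(t->domain));
    ret = out;
    out = NULL;  /* ownership moves to the caller */

done:
    free(out);   /* free(NULL) is a no-op; an uninitialized pointer is not */
    return ret;
}

int main(void)
{
    /* Constructed sample: the (d,,e) triple from the /etc/netgroup line. */
    struct triple t = { "d", NULL, "e" };
    char *s = format_triple(&t);
    if (s != NULL) puts(s);
    free(s);
    return s == NULL;
}
```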
