URL: https://github.com/SSSD/sssd/pull/326
Author: amitkumar50
 Title: #326: IPA: check if IPA hostname is a FQDN
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/326/head:pr326
git checkout pr326
From 066d723adee0a142107914ec64b001a9571e7f9c Mon Sep 17 00:00:00 2001
From: AmitKumar <amitk...@redhat.com>
Date: Wed, 19 Jul 2017 22:14:24 +0530
Subject: [PATCH 1/2] IPA: check if IPA hostname is a FQDN

Some users change the IPA hostname post-install, which results in strange bugs. This change makes sure that ipa_hostname contains at least one domain component.

Resolves: https://pagure.io/SSSD/sssd/issue/1946
---
 src/providers/ipa/ipa_access.c |  6 ++++++
 src/providers/ipa/ipa_common.c | 16 ++++++++++++++++
 src/providers/ipa/ipa_common.h |  1 +
 3 files changed, 23 insertions(+)

diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
index 9682613e9..12c570b3f 100644
--- a/src/providers/ipa/ipa_access.c
+++ b/src/providers/ipa/ipa_access.c
@@ -355,6 +355,12 @@ static void ipa_fetch_hbac_services_done(struct tevent_req *subreq)
         ret = EINVAL;
         goto done;
     }
+    if(!ipa_check_fqdn(ipa_hostname)){
+        DEBUG(SSSDBG_CRIT_FAILURE,
+            "ipa_hostname is not Fully Qualified Domain Name.\n");
+        ret = ERR_WRONG_NAME_FORMAT;
+        goto done;
+    }
 
     for (i = 0; i < state->host_count; i++) {
         ret = sysdb_attrs_get_string(state->hosts[i], SYSDB_FQDN, &hostname);
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 657994508..f27f81e8a 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -37,6 +37,16 @@
 
 #include "providers/ipa/ipa_opts.h"
 
+bool ipa_check_fqdn(const char *str){
+    const char ch = '.';
+    char *ret;
+    ret = strchr(str, ch);
+    if(ret){
+        return true;
+    }
+    return false;
+}
+
 int ipa_get_options(TALLOC_CTX *memctx,
                     struct confdb_ctx *cdb,
                     const char *conf_path,
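Review bot: `ipa_check_fqdn()` hands `str` straight to `strchr()`, so a NULL hostname is undefined behaviour, and any single dot satisfies the test, so `.`, `host.` and `.example.com` all count as fully qualified. The first call site is in the HBAC evaluation path, where ipa_hostname appears to be the name this host is matched under, so the check should at least require a non-empty label on both sides of the first dot: `const char *dot = (str != NULL) ? strchr(str, '.') : NULL;` followed by `return dot != NULL && dot != str && dot[1] != '\0';`. A short comment stating that this is a syntactic check only (no DNS lookup, no per-label validation) would keep callers from over-trusting it. The same body is re-added as a static function in src/providers/ipa/ipa_init.c by patch 2/2, and the point applies there unchanged.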
@@ -93,6 +103,12 @@ int ipa_get_options(TALLOC_CTX *memctx,
             goto done;
         }
     }
+    if(!ipa_check_fqdn(ipa_hostname)){
+        DEBUG(SSSDBG_CRIT_FAILURE,
+            "ipa_hostname is not Fully Qualified Domain Name.\n");
+        ret = ERR_WRONG_NAME_FORMAT;
+        goto done;
+    }
 
     /* First check whether the realm has been manually specified */
     realm = dp_opt_get_string(opts->basic, IPA_KRB5_REALM);
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index add9df876..f9a2390b9 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -290,6 +290,7 @@ errno_t ipa_idmap_init(TALLOC_CTX *mem_ctx,
                        struct sdap_id_ctx *id_ctx,
                        struct sdap_idmap_ctx **_idmap_ctx);
 
+bool ipa_check_fqdn(const char *str);
 
 struct krb5_ctx *ipa_init_get_krb5_auth_ctx(void *data);
 #endif /* _IPA_COMMON_H_ */

From dd425e53b80281fb3f73649744ee4a190b722ad8 Mon Sep 17 00:00:00 2001
From: AmitKumar <amitk...@redhat.com>
Date: Mon, 31 Jul 2017 20:41:19 +0530
Subject: [PATCH 2/2] IPA: check if IPA hostname is a FQDN

Some users change the IPA hostname post-install, which results in
strange bugs. This change makes sure that ipa_hostname contains
at least one domain component.

Resolves:
https://pagure.io/SSSD/sssd/issue/1946
---
 src/providers/ipa/ipa_access.c |  6 ------
 src/providers/ipa/ipa_common.c | 16 ----------------
 src/providers/ipa/ipa_common.h |  2 --
 src/providers/ipa/ipa_init.c   | 17 +++++++++++++++++
 4 files changed, 17 insertions(+), 24 deletions(-)

diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
index 12c570b3f..9682613e9 100644
--- a/src/providers/ipa/ipa_access.c
+++ b/src/providers/ipa/ipa_access.c
@@ -355,12 +355,6 @@ static void ipa_fetch_hbac_services_done(struct tevent_req *subreq)
         ret = EINVAL;
         goto done;
     }
-    if(!ipa_check_fqdn(ipa_hostname)){
-        DEBUG(SSSDBG_CRIT_FAILURE,
-            "ipa_hostname is not Fully Qualified Domain Name.\n");
-        ret = ERR_WRONG_NAME_FORMAT;
-        goto done;
-    }
 
     for (i = 0; i < state->host_count; i++) {
         ret = sysdb_attrs_get_string(state->hosts[i], SYSDB_FQDN, &hostname);
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index f27f81e8a..657994508 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -37,16 +37,6 @@
 
 #include "providers/ipa/ipa_opts.h"
 
-bool ipa_check_fqdn(const char *str){
-    const char ch = '.';
-    char *ret;
-    ret = strchr(str, ch);
-    if(ret){
-        return true;
-    }
-    return false;
-}
-
 int ipa_get_options(TALLOC_CTX *memctx,
                     struct confdb_ctx *cdb,
                     const char *conf_path,
@@ -103,12 +93,6 @@ int ipa_get_options(TALLOC_CTX *memctx,
             goto done;
         }
     }
-    if(!ipa_check_fqdn(ipa_hostname)){
-        DEBUG(SSSDBG_CRIT_FAILURE,
-            "ipa_hostname is not Fully Qualified Domain Name.\n");
-        ret = ERR_WRONG_NAME_FORMAT;
-        goto done;
-    }
 
     /* First check whether the realm has been manually specified */
     realm = dp_opt_get_string(opts->basic, IPA_KRB5_REALM);
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index f9a2390b9..8b34c2f75 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -290,7 +290,5 @@ errno_t ipa_idmap_init(TALLOC_CTX *mem_ctx,
                        struct sdap_id_ctx *id_ctx,
                        struct sdap_idmap_ctx **_idmap_ctx);
 
-bool ipa_check_fqdn(const char *str);
-
 struct krb5_ctx *ipa_init_get_krb5_auth_ctx(void *data);
 #endif /* _IPA_COMMON_H_ */
diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c
index 7dec4d1fb..7726d52ab 100644
--- a/src/providers/ipa/ipa_init.c
+++ b/src/providers/ipa/ipa_init.c
@@ -231,6 +231,17 @@ static errno_t ipa_init_dyndns(struct be_ctx *be_ctx,
     return EOK;
 }
 
+static bool ipa_check_fqdn(const char *str)
+{
+    const char ch = '.';
+    char *ret;
+    ret = strchr(str, ch);
+    if (ret != NULL) {
+        return true;
+    }
+    return false;
+}
+
 static errno_t ipa_init_server_mode(struct be_ctx *be_ctx,
                                     struct ipa_options *ipa_options,
                                     struct ipa_id_ctx *ipa_id_ctx)
@@ -258,6 +269,12 @@ static errno_t ipa_init_server_mode(struct be_ctx *be_ctx,
     sites_enabled = dp_opt_get_bool(ipa_options->basic, IPA_ENABLE_DNS_SITES);
     dnsdomain = dp_opt_get_string(be_ctx->be_res->opts, DP_RES_OPT_DNS_DOMAIN);
 
+    if (!ipa_check_fqdn(hostname)) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "ipa_hostname is not Fully Qualified Domain Name.\n");
+        return EFAULT;
+    }
+
     if (srv_in_server_list(ipa_servers) || sites_enabled) {
         DEBUG(SSSDBG_MINOR_FAILURE, "SRV resolution or IPA sites enabled "
               "on the IPA server. Site discovery of trusted AD servers "
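Review bot: The failure path added to `ipa_init_server_mode()` returns `EFAULT`, which means a bad address and will mislead anyone reading the error further up; patch 1/2 used `ERR_WRONG_NAME_FORMAT` for the same condition, and `return ERR_WRONG_NAME_FORMAT;` fits here too. The message also omits the rejected value, so `"ipa_hostname [%s] is not a fully qualified domain name.\n", hostname` would make the log line actionable. Judging by the function name, this check runs only in IPA server mode, so a client with a short ipa_hostname would presumably still start unchecked; confirm that is intended, since the commit message describes users changing the hostname after install. The function starts and continues outside the hunk, so where `hostname` is assigned and whether it can be NULL is not visible here.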