File 0001-Fix-sdap_access_host-No-matching-host-rule-found.patch of Package sssd.29965
From d7aa6fa169896179e57eeae59c5cf0420d109ff0 Mon Sep 17 00:00:00 2001
From: David Mulder <dmulder@samba.org>
Date: Thu, 25 Aug 2022 08:10:30 -0600
Subject: [PATCH] Fix sdap_access_host No matching host rule found

Canonicalize the hostname to ensure we have the FQDN.

Signed-off-by: David Mulder <dmulder@samba.org>
---
 src/providers/ldap/sdap_access.c | 68 ++++++++++++++++++++------------
 1 file changed, 43 insertions(+), 25 deletions(-)

diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
index 495d44cfd..0442de74b 100644
--- a/src/providers/ldap/sdap_access.c
+++ b/src/providers/ldap/sdap_access.c
@@ -1242,34 +1242,11 @@ done:
 return ret;
 }

-static errno_t sdap_access_host(struct ldb_message *user_entry)
+static errno_t sdap_access_host_comp(struct ldb_message_element *el, char *hostname)
 {
- errno_t ret;
- struct ldb_message_element *el;
+ errno_t ret = ENOENT;
 unsigned int i;
 char *host;
- char hostname[HOST_NAME_MAX + 1];
-
- el = ldb_msg_find_element(user_entry, SYSDB_AUTHORIZED_HOST);
- if (!el || el->num_values == 0) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Missing hosts. Access denied\n");
- return ERR_ACCESS_DENIED;
- }
-
- if (gethostname(hostname, sizeof(hostname)) == -1) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Unable to get system hostname. Access denied\n");
- return ERR_ACCESS_DENIED;
- }
- hostname[HOST_NAME_MAX] = '\0';
-
- /* FIXME: PADL's pam_ldap also calls gethostbyname() on the hostname
- * in some attempt to get aliases and/or FQDN for the machine.
- * Not sure this is a good idea, but we might want to add it in
- * order to be compatible...
- */
-
- ret = ENOENT;

 for (i = 0; i < el->num_values; i++) {
 host = (char *)el->values[i].data;
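Review bot: The FIXME deleted in this hunk was the only place that recorded doubts about resolving the local hostname for an access decision, and nothing replaces it now that the second hunk performs that lookup; the trust assumption should be written next to the lookup, e.g. `/* The canonical name comes from the system resolver (hosts file or DNS); a rule matched on it is only as trustworthy as that answer. */`. Separately, `sdap_access_host_comp()` declares `char *hostname` although the helper appears only to compare against it (most of its loop body lies between the two hunks), so `const char *hostname` would state the contract. The helper also has no header comment for the return values the caller now depends on: `/* Returns EOK if a value matches hostname, ENOENT if none does. */`, extended with any other code the loop body returns.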
@@ -1296,6 +1273,47 @@ static errno_t sdap_access_host(struct ldb_message *user_entry)
 ret = EOK;
 }
 }
+ return ret;
+}
+
+static errno_t sdap_access_host(struct ldb_message *user_entry)
+{
+ errno_t ret;
+ struct ldb_message_element *el;
+ char hostname[HOST_NAME_MAX + 1];
+ struct addrinfo *res = NULL;
+ struct addrinfo hints;
+
+ el = ldb_msg_find_element(user_entry, SYSDB_AUTHORIZED_HOST);
+ if (!el || el->num_values == 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing hosts. Access denied\n");
+ return ERR_ACCESS_DENIED;
+ }
+
+ if (gethostname(hostname, sizeof(hostname)) == -1) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unable to get system hostname. Access denied\n");
+ return ERR_ACCESS_DENIED;
+ }
+ hostname[HOST_NAME_MAX] = '\0';
+
+ /* Canonicalize the hostname */
+ memset(&hints, 0, sizeof(struct addrinfo));
+ hints.ai_socktype = SOCK_DGRAM;
+ hints.ai_flags = AI_CANONNAME;
+ ret = getaddrinfo(hostname, NULL, &hints, &res);
+ if (ret != 0) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to canonicalize hostname\n");
+ freeaddrinfo(res);
+ res = NULL;
+ }
+
+ ret = sdap_access_host_comp(el, hostname);
+ if (ret == ENOENT && res != NULL && res->ai_canonname != NULL) {
+ ret = sdap_access_host_comp(el, res->ai_canonname);
+ }
+ freeaddrinfo(res);

 if (ret == ENOENT) {
 DEBUG(SSSDBG_CONF_SETTINGS, "No matching host rule found\n");
--
2.37.2
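Review bot: The canonical-name comparison runs only when the first call returns `ENOENT`, so once the name from `gethostname()` yields `EOK` the values are never checked against `res->ai_canonname`; if the comparison loop, whose body lies outside this hunk, honours negated entries, a deny entry written with the FQDN is skipped. Running the second comparison whenever a canonical name is available, and letting any non-`ENOENT` result replace the first, keeps allow and deny handling symmetric, as in the fence below. `freeaddrinfo(res)` is also reached with `res == NULL` both in the `ret != 0` branch and at the end, which POSIX does not define; the call in the branch can go and the final one be guarded. The failure message would be more useful with the resolver's reason, `"Failed to canonicalize hostname: %s\n", gai_strerror(ret)`. The tail of `sdap_access_host()` is outside this hunk.

```c
    ret = sdap_access_host_comp(el, hostname);
    if (ret != ERR_ACCESS_DENIED && res != NULL && res->ai_canonname != NULL) {
        errno_t canon_ret = sdap_access_host_comp(el, res->ai_canonname);
        /* a match or ERR_ACCESS_DENIED on the canonical name replaces the first result */
        if (canon_ret != ENOENT) {
            ret = canon_ret;
        }
    }
    if (res != NULL) {
        freeaddrinfo(res);
    }
    /* … unchanged: ENOENT logging and return … */
```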