IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

ipa-kdb: fix delegation acl check

Browse Source 
We need to check for a matching acl only if one match hasn't already been
found, otherwise results are unpredictable and order dependent.
This commit is contained in:
Simo Sorce
2012-02-28 10:47:18 -05:00
parent 33c29033c8
commit 372d67ae81
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
daemons/ipa-kdb/ipa_kdb_delegation.c
View File

@@ -140,7 +140,8 @@ static krb5_error_code ipadb_match_acl(krb5_context kcontext,
switch (ret) { switch (ret) {
case 0: case 0:
for (dres = deref_results; dres; dres = dres->next) { for (dres = deref_results; dres; dres = dres->next) {
if (strcasecmp(dres->derefAttr, "ipaAllowToImpersonate") == 0) { if (client_found == false &&
strcasecmp(dres->derefAttr, "ipaAllowToImpersonate") == 0) {
/* NOTE: client_missing is used to signal that the /* NOTE: client_missing is used to signal that the
* attribute was completely missing. This signals that * attribute was completely missing. This signals that
* ANY client is allowed to be impersonated. * ANY client is allowed to be impersonated.
@@ -148,7 +149,8 @@ static krb5_error_code ipadb_match_acl(krb5_context kcontext,
client_missing = false; client_missing = false;
client_found = ipadb_match_member(client_princ, dres); client_found = ipadb_match_member(client_princ, dres);
} }
if (strcasecmp(dres->derefAttr, "ipaAllowedTarget") == 0) { if (target_found == false &&
strcasecmp(dres->derefAttr, "ipaAllowedTarget") == 0) {
target_found = ipadb_match_member(target_princ, dres); target_found = ipadb_match_member(target_princ, dres);
} }
} }