Package: libnfsidmap
Version: 0.25-5
Followup-For: Bug #581199
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu bionic ubuntu-patch
Dear Maintainer,

Idmap fails to map uid to localname or vice versa in case an 'at' (@)
sign is included in the localname. That issue can occur in
environments with multiple domains for example.

I believe the bug has been in libnfsidmap for at least 7.5 years since
version 0.20-1.

Idmap looks for the first occurrence of an @ sign in the name string
and assumes that the @ sign is the one of user@virtual_domain rather than
using the one of username@idmap_domain (user@virtual_domain@idmap_domain).

As a result, the UIDs / GIDs cannot be resolved and the ownerships are
reported as 'nobody'.

The attached patch has been submitted to Ubuntu to be included in the
Xenial release.

Thanks for considering the patch.

Kind regards,
Uli Felzmann


-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.10.0-37-generic (SMP w/8 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru libnfsidmap-0.25/debian/patches/03-nss.patch libnfsidmap-0.25/debian/patches/03-nss.patch
--- libnfsidmap-0.25/debian/patches/03-nss.patch	1970-01-01 10:00:00.000000000 +1000
+++ libnfsidmap-0.25/debian/patches/03-nss.patch	2017-10-31 13:24:33.000000000 +1100
@@ -0,0 +1,23 @@
+## Description: add some description
+## Origin/Author: add some origin or author
+## Bug: bug URL
+--- a/nss.c
++++ b/nss.c
+@@ -135,7 +135,7 @@
+ 	char *l = NULL;
+ 	int len;
+ 
+-	c = strchr(name, '@');
++	c = strrchr(name, '@');
+ 	if (c == NULL && domain != NULL)
+ 		goto out;
+ 	if (c == NULL && domain == NULL) {
+@@ -276,7 +276,7 @@
+ 		return -EINVAL;
+ 
+ 	/* get princ's realm */
+-	princ_realm = strstr(princ, "@");
++	princ_realm = strrchr(princ, '@');
+ 	if (princ_realm == NULL)
+ 		return -EINVAL;
+ 	princ_realm++;
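
Review bot: The three header lines at the top of the new 03-nss.patch are still the template placeholders ("add some description", "add some origin or author", "bug URL"); replace them with a real description of the change (split at the last '@' instead of the first), the author, and a reference to the bug this report follows up on (#581199), so the patch stays traceable once it sits in debian/patches. The second nss.c hunk also changes `strstr(princ, "@")` to `strrchr(princ, '@')` for the principal's realm, which the report text (local names only) does not mention, so the description should cover principals as well. A one-line comment above each `strrchr` call stating that the last '@' delimits the idmap domain or realm would keep the intent visible to later readers.
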
diff -Nru libnfsidmap-0.25/debian/patches/series libnfsidmap-0.25/debian/patches/series
--- libnfsidmap-0.25/debian/patches/series	2013-05-25 10:52:12.000000000 +1000
+++ libnfsidmap-0.25/debian/patches/series	2017-10-31 13:23:36.000000000 +1100
@@ -1,2 +1,3 @@
 01-661215-wrong-double-ldap-check.patch
 02-idmapd.conf.5.patch
+03-nss.patch
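
Review bot: The new series entry `03-nss.patch` names only the file it touches, while the two existing entries describe what they change (and the first carries a bug number). Rename the patch so the entry says what it does, for example by including the bug number and the '@' handling, and keep the file name in debian/patches in sync with it.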

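The first-'@' versus last-'@' split described in the report, as an added example that is not part of the original message or of libnfsidmap's code. The helper `strip_domain_demo`, its parameters and the sample name are assumptions made for illustration; the sample name follows the report's `user@virtual_domain@idmap_domain` notation.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not the library's function): split "local@domain",
 * compare the domain part with the expected idmap domain and copy the local
 * part to out. use_last selects strrchr (patched) or strchr (original). */
static int strip_domain_demo(const char *name, const char *domain,
                             int use_last, char *out, size_t outlen)
{
	const char *at = use_last ? strrchr(name, '@') : strchr(name, '@');
	size_t len;

	if (at == NULL)
		return -EINVAL;		/* no domain part at all */
	if (strcmp(at + 1, domain) != 0)
		return -EINVAL;		/* domain mismatch: name is not mapped */
	len = (size_t)(at - name);
	if (len == 0 || len >= outlen)
		return -EINVAL;		/* empty or oversized local part */
	memcpy(out, name, len);
	out[len] = '\0';
	return 0;
}

int main(void)
{
	/* Constructed sample value in the report's notation. */
	const char *name = "user@virtual_domain@idmap_domain";
	char local[64];
	int rc;

	/* First '@': the "domain" becomes virtual_domain@idmap_domain. */
	rc = strip_domain_demo(name, "idmap_domain", 0, local, sizeof(local));
	printf("first '@': rc=%d\n", rc);

	/* Last '@': the domain is idmap_domain, local part keeps its '@'. */
	rc = strip_domain_demo(name, "idmap_domain", 1, local, sizeof(local));
	printf("last  '@': rc=%d local=%s\n", rc, rc == 0 ? local : "-");
	return 0;
}
```

A name that fails this split is the case the report describes as ownership showing up as 'nobody'.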