
Re: wbinfo_group.pl - false positive under certain conditions


If you fix stuff like this then please lodge a Squid Bugzilla bug entry!




Adrian

On Tue, Sep 11, 2007, Stefano Fraccaro wrote:
> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
> <html>
> <head>
>   <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
> </head>
> <body bgcolor="#ffffff" text="#000000">
> Hi,<br>
> &nbsp;&nbsp;&nbsp; in my installation I have resolved the same problem... the script
> receives 3 parameters (0 user group)&nbsp; rather than the 2 expected (user, group)
> ... I have resolved it by adding a trash variable and ignoring the first
> parameter (always zero)&nbsp;&nbsp; <br>
> <br>
> ;-)<br>
> <br>
> Stefano <br>
> <br>
> <br>
> <br>
> Adrian Chadd wrote:
> <blockquote cite="mid:20070911081617.GA24709@xxxxxxxxxxxxxxxxxxxxxxxxx"
>  type="cite">
>   <pre wrap="">Its entirely possible you've just found and squished a bug! Cool!
> 
> Just throw it into the Squid Bugzilla (linked off the squid
> home page - <a class="moz-txt-link-freetext" href="http://www.squid-cache.org/">http://www.squid-cache.org/</a>) and someone will review
> and commit changes if needed.
> 
> thanks!
> 
> 
> 
> 
> Adrian
> 
> On Mon, Sep 10, 2007, Isnard Delacoste Jaquet Junior wrote:
>   </pre>
>   <blockquote type="cite">
>     <pre wrap="">Hello,
> 
> I'm using wbinfo_group.pl script and it works like a charm, but I ran
> into a condition where it reveals a false positive.
> 
> The situation is as follows:
> 
> I have squid 2.6-15 running with samba 3.0.22 authenticating against an
> AD forest which lets me authenticate users from domains other than my
> own (I'm one of the branches), but it's not able to verify the user
> groups. I think that's just the way it's configured. No complaints.
> Now... I found an interesting problem when I have people from other
> domains trying to surf through squid within my domain branch. They get
> authenticated (which is fine), and when the request gets to the point
> where it has to verify the groups listed at the external acl and if I
> get an invalid group name to be verified (I mistyped the group's name in
> squid.conf) wbinfo_group.pl runs the code below and returns OK instead
> of ERR: 
> 
> 
> sub check {
>         local($user, $group) = @_;
>         $groupSID = `wbinfo -n "$group" | cut -d" " -f1`;
>         chop  $groupSID;
>         $groupGID = `wbinfo -Y "$groupSID"`;
>         chop $groupGID;
>         &amp;debug( "User:  -$user-\nGroup: -$group-\nSID:
> -$groupSID-\nGID:   -$groupGID-");
>         # Check whether wbinfo -r returns the user's groups or nothing
>         return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
>         return 'ERR';
> }
> 
> 
> Well, I think it happens because when it runs "wbinfo -n "$group" | cut
> -d" " -f1`" and the group can't be verified it returns an empty string
> to the variable groupSID, which in turn returns an empty string to the
> variable groupGID when it runs `wbinfo -Y "$groupSID"`. Since the
> command "`wbinfo -r \Q$user\E`", which will return the groups to a given
> user can't verify it (because of the way the forest is configured -
> can't verify groups from different domains), and it compares with the
> value of the groupSID variable, it matches, cause they are both empty
> variables.
> 
> I altered very little of the script to be able to verify it and return
> the right code to squid.
> 
> It goes like this:
> 
> sub check {
>         local($user, $group) = @_;
>         $groupSID = `wbinfo -n "$group" | cut -d" " -f1`;
>         chop  $groupSID;
>         $groupGID = `wbinfo -Y "$groupSID"`;
>         chop $groupGID;
>         &amp;debug( "User:  -$user-\nGroup: -$group-\nSID:
> -$groupSID-\nGID:   -$groupGID-");
>         return 'ERR' if($groupGID eq ""); # Verify if groupGID variable
> is empty.
>         return 'ERR' if(`wbinfo -r \Q$user\E` eq ""); # Verify if
> "wbinfo -r" command returns no value.
>         return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
>         return 'ERR';
> }
> 
> 
> I know it comes from a broken configuration (I mistyped the group name),
> but it might happen to others as well and perhaps go unnoticed.
> 
> Is it a samba thing? Am I even supposed to be talking to them instead of
> you guys?
> 
> Any comments will be greatly appreciated.
> 
> Thanks in advance.
> 
> Regards,
> 
> Isnard Jaquet
> 
> 
> 
>     </pre>
>   </blockquote>
>   <pre wrap=""><!---->
>   </pre>
> </blockquote>
> <br>
> </body>
> </html>

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level bandwidth-capped VPSes available in WA -
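The false positive Isnard describes, and a fail-closed version of the check, modelled as an added example that is not the helper's own code: the `wbinfo` calls are replaced by a constructed lookup table (`FAKE_WBINFO`, with made-up SIDs, GIDs and accounts) so the decision logic runs offline in Python instead of Perl. The names `resolve_group`, `check_original` and `check_hardened` are this example's own.

```python
"""Model of the wbinfo_group.pl membership decision and a hardened variant.

Added example, not the helper's own code: the wbinfo calls are replaced by a
constructed lookup table so the decision logic can run offline.
"""
import re

# Constructed stand-in for wbinfo output (not real SIDs, GIDs or accounts).
# "n": `wbinfo -n GROUP` -> "SID TYPE"; "Y": `wbinfo -Y SID` -> GID;
# "r": `wbinfo -r USER` -> one GID per line, or nothing when winbind cannot
# resolve the user's groups (the cross-domain case from the thread).
FAKE_WBINFO = {
    "n": {"EXAMPLE\\proxy-users": "S-1-5-21-1-2-3-1105 SID_DOM_GROUP"},
    "Y": {"S-1-5-21-1-2-3-1105": "10005"},
    "r": {
        "EXAMPLE\\alice": "10001\n10005\n",   # alice is in proxy-users
        "EXAMPLE\\carol": "10001\n",          # carol is not
        "OTHER\\bob": "",                     # foreign domain: groups unresolvable
    },
}


def wbinfo(flag: str, arg: str) -> str:
    """Return what the real command would print, '' on a miss (an empty pipe)."""
    return FAKE_WBINFO[flag].get(arg, "")


def resolve_group(group: str) -> tuple[str, str]:
    """Mirror the helper's pipeline: name -> SID (first field) -> GID.

    Both values come back empty when the group name is unknown, which is the
    state the original check never tested for.
    """
    sid = wbinfo("n", group).split(" ")[0]
    gid = wbinfo("Y", sid) if sid else ""
    return sid, gid


def _as_perl_m(text: str) -> str:
    """Perl's ^ under /m does not match after a trailing newline, Python's does;
    dropping one trailing newline makes re.M give the same answer for ^GID$."""
    return text[:-1] if text.endswith("\n") else text


def check_original(user: str, group: str) -> str:
    """Decision of the original helper: GID interpolated into /^$groupGID$/m.

    With an unresolvable group the pattern degenerates to ^$, which matches the
    empty output wbinfo -r gives for a user whose groups cannot be listed.
    """
    _sid, gid = resolve_group(group)
    pattern = re.compile(r"^" + gid + r"$", re.M)   # unescaped, as in the script
    return "OK" if pattern.search(_as_perl_m(wbinfo("r", user))) else "ERR"


def check_hardened(user: str, group: str) -> str:
    """Fail closed on every empty intermediate value, then compare exact tokens."""
    sid, gid = resolve_group(group)
    if not sid or not gid:
        return "ERR"          # group name did not resolve (e.g. a typo in squid.conf)
    gids = {line.strip() for line in wbinfo("r", user).splitlines() if line.strip()}
    if not gids:
        return "ERR"          # membership cannot be established: deny, do not guess
    return "OK" if gid in gids else "ERR"


if __name__ == "__main__":
    cases = [("EXAMPLE\\alice", "EXAMPLE\\proxy-users"),
             ("EXAMPLE\\carol", "EXAMPLE\\proxy-users"),
             ("OTHER\\bob", "EXAMPLE\\proxy-users"),
             ("OTHER\\bob", "EXAMPLE\\proxy-usres")]   # mistyped group name
    for user, group in cases:
        print(f"{user:15} {group:22} original={check_original(user, group)} "
              f"hardened={check_hardened(user, group)}")
```

Only the last case (a foreign-domain user whose group list is empty, checked against a mistyped group) splits the two versions: the original answers OK, the hardened one ERR. Comparing exact tokens instead of interpolating the GID into a regex also means the check no longer depends on whatever `wbinfo -Y` happens to print.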
