
Re: wbinfo_group.pl - false positive under certain conditions


Adrian,

just opened the bug report #2080.

Thanks,

Isnard

On Tue, 2007-09-11 at 16:16 +0800, Adrian Chadd wrote:
> It's entirely possible you've just found and squished a bug! Cool!
> 
> Just throw it into the Squid Bugzilla (linked off the squid
> home page - http://www.squid-cache.org/) and someone will review
> and commit changes if needed.
> 
> thanks!
> 
> 
> 
> 
> Adrian
> 
> On Mon, Sep 10, 2007, Isnard Delacoste Jaquet Junior wrote:
> > Hello,
> > 
> > I'm using wbinfo_group.pl script and it works like a charm, but I ran
> > into a condition where it reveals a false positive.
> > 
> > The situation is as follows:
> > 
> > I have squid 2.6-15 running with samba 3.0.22 authenticating against an
> > AD forest which lets me authenticate users from domains other than my
> > own (I'm one of the branches), but it's not able to verify the user
> > groups. I think that's just the way it's configured. No complaints.
> > Now... I found an interesting problem when I have people from other
> > domains trying to surf through squid within my domain branch. They get
> > authenticated (which is fine), and when the request gets to the point
> > where it has to verify the groups listed at the external acl and if I
> > get an invalid group name to be verified (I mistyped the group's name in
> > squid.conf) wbinfo_group.pl runs the code below and returns OK instead
> > of ERR:
> > 
> > 
> > sub check {
> >         local($user, $group) = @_;
> >         $groupSID = `wbinfo -n "$group" | cut -d" " -f1`;
> >         chop  $groupSID;
> >         $groupGID = `wbinfo -Y "$groupSID"`;
> >         chop $groupGID;
> >         &debug( "User:  -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID:   -$groupGID-");
> >         # Check whether wbinfo -r returns the user's groups or nothing
> >         return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
> >         return 'ERR';
> > }
> > 
> > 
> > Well, I think it happens because when it runs "wbinfo -n "$group" | cut
> > -d" " -f1`" and the group can't be verified it returns an empty string
> > to the variable groupSID, which in turn returns an empty string to the
> > variable groupGID when it runs `wbinfo -Y "$groupSID"`. Since the
> > command "`wbinfo -r \Q$user\E`", which will return the groups to a given
> > user can't verify it (because of the way the forest is configured -
> > can't verify groups from different domains), and it compares with the
> > value of the groupSID variable, it matches, cause they are both empty
> > variables.
> > 
> > I altered very little of the script to be able to verify it and return
> > the right code to squid.
> > 
> > It goes like this:
> > 
> > sub check {
> >         local($user, $group) = @_;
> >         $groupSID = `wbinfo -n "$group" | cut -d" " -f1`;
> >         chop  $groupSID;
> >         $groupGID = `wbinfo -Y "$groupSID"`;
> >         chop $groupGID;
> >         &debug( "User:  -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID:   -$groupGID-");
> >         return 'ERR' if($groupGID eq ""); # Verify if groupGID variable is empty.
> >         return 'ERR' if(`wbinfo -r \Q$user\E` eq ""); # Verify if "wbinfo -r" command returns no value.
> >         return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
> >         return 'ERR';
> > }
> > 
> > 
> > I know it comes from a broken configuration (I mistyped the group name),
> > but it might happen to others as well and perhaps go unnoticed.
> > 
> > Is it a samba thing? Am I even supposed to be talking to them instead of
> > you guys?
> > 
> > Any comments will be greatly appreciated.
> > 
> > Thanks in advance.
> > 
> > Regards,
> > 
> > Isnard Jaquet
> > 
> > 
> > 
> 
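
The false positive described in the quoted message, reproduced offline as an added example (not part of the original thread and not code from wbinfo_group.pl). The `lookup_gid` and `lookup_user` helpers, the user and group names, and the GID values are hypothetical stand-ins for the `wbinfo` calls and their output; the second function shows a fail-closed comparison that validates both lookups before matching.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data standing in for wbinfo output (not real output).
my %GID_FOR_GROUP = ('InternetUsers' => '10001');   # group name -> GID
my %GIDS_FOR_USER = (
    'BRANCH\\alice' => "10000\n10001\n",   # local-domain user, groups resolve
    'OTHER\\bob'    => "",                 # foreign-domain user, no groups returned
);

# Hypothetical stand-ins for `wbinfo -n` + `wbinfo -Y` and for `wbinfo -r`.
sub lookup_gid  { my ($group) = @_; return $GID_FOR_GROUP{$group} // ''; }
sub lookup_user { my ($user)  = @_; return $GIDS_FOR_USER{$user}  // ''; }

# Same comparison as the original check(): an empty GID turns the pattern into /^$/m.
sub check_original {
    my ($user, $group) = @_;
    my $gid = lookup_gid($group);
    return 'OK' if lookup_user($user) =~ /^$gid$/m;
    return 'ERR';
}

# Fail-closed variant: validate both lookups, then compare exact strings.
sub check_fail_closed {
    my ($user, $group) = @_;
    my $gid = lookup_gid($group);
    return 'ERR' unless $gid =~ /\A\d+\z/;          # unresolved or malformed GID
    my @gids = grep { /\A\d+\z/ } split /\n/, lookup_user($user);
    return 'ERR' unless @gids;                      # no group list for this user
    return (grep { $_ eq $gid } @gids) ? 'OK' : 'ERR';
}

# Each case: user, group as written in the ACL (the last two are mistyped).
for my $case (['BRANCH\\alice', 'InternetUsers'],
              ['OTHER\\bob',    'InternetUsers'],
              ['OTHER\\bob',    'InternetUsres'],
              ['BRANCH\\alice', 'InternetUsres']) {
    my ($user, $group) = @$case;
    printf "%-14s %-14s original=%-3s fail_closed=%s\n",
        $user, $group, check_original($user, $group), check_fail_closed($user, $group);
}
```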

