#1018 HBAC rule evaluation does not properly handle host groups
Closed: Fixed None Opened 12 years ago by sgallagh.

https://bugzilla.redhat.com/show_bug.cgi?id=741751

Description of problem:
HBAC rules configured on a FreeIPA server can be set up to limit access to particular hosts or groups of hosts. There is a bug in SSSD that fails to properly process host-groups. The effect of this is that users cannot log into the machine unless it is specified explicitly (instead of as a member of a hostgroup) in the rule.

Version-Release number of selected component (if applicable):
sssd-1.5.1-52.el6

How reproducible:
Every time

Steps to Reproduce:
1. On the FreeIPA server, create a hostgroup and add a host to it.
2. Create an HBAC rule that allows access based on the hostgroup above (set all other features of the rule to the ALL hostcat for easy testing).
3. Disable all other rules (so only this one is active).
4. On the client host, attempt to log in with a valid FreeIPA user.

Actual results:
The user is denied.

Expected results:
The user is granted access.


Additional info:

Fixed by:
- 3b6d344 (master)
- 45e8217 (sssd-1-6)
- 28a9f96 (sssd-1-5)
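
The behaviour the report expects, as an added example that is not part of the original ticket and is not SSSD's code: a simplified model of matching an HBAC rule's target hosts, where a host matches if it is named explicitly or shares a hostgroup with the rule. The struct layout, function names and sample host and group names are assumptions; `host_matches_names_only` models the reported symptom only, not the actual defect.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the target-host part of one HBAC rule (assumed layout). */
struct rule_hosts {
    bool category_all;     /* hostcat=all: every host matches */
    const char **names;    /* NULL-terminated explicit hosts, or NULL */
    const char **groups;   /* NULL-terminated hostgroups, or NULL */
};

/* The host being logged in to, with the hostgroups it belongs to. */
struct request_host {
    const char *name;
    const char **groups;   /* NULL-terminated, or NULL */
};

static bool in_list(const char **list, const char *item) {
    for (size_t i = 0; list != NULL && list[i] != NULL; i++)
        if (strcmp(list[i], item) == 0) return true;
    return false;
}

/* Expected behaviour: explicit host name OR any shared hostgroup. */
bool host_matches(const struct rule_hosts *r, const struct request_host *h) {
    if (r->category_all || in_list(r->names, h->name)) return true;
    for (size_t i = 0; h->groups != NULL && h->groups[i] != NULL; i++)
        if (in_list(r->groups, h->groups[i])) return true;
    return false;
}

/* Models the reported symptom only: hostgroup membership is never consulted. */
bool host_matches_names_only(const struct rule_hosts *r, const struct request_host *h) {
    return r->category_all || in_list(r->names, h->name);
}

/* Constructed sample data mirroring the reproduction steps. */
static const char *web_group[] = { "webservers", NULL };
static const char *client_name[] = { "client.example.test", NULL };
const struct rule_hosts by_group = { false, NULL, web_group };
const struct rule_hosts by_name = { false, client_name, NULL };
const struct request_host client = { "client.example.test", web_group };
const struct request_host outsider = { "other.example.test", NULL };

int main(void) {
    printf("group-aware=%d names-only=%d\n", host_matches(&by_group, &client),
           host_matches_names_only(&by_group, &client));
    return 0;
}
```

The same four cases (member of the hostgroup, non-member, explicitly named host, ALL category) make a compact regression set for any HBAC evaluator.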

coverity: =>
patch: => 1
resolution: => fixed
rhbz: =>
status: new => closed
tests: => 0
testsupdated: => 0
upgrade: => 0

Metadata Update from @sgallagh:
- Issue set to the milestone: SSSD 1.5.14

7 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/2060

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
