SSS_CLIENT: MC: in case mem-cache file validation fails, #7085
Conversation
andreboscatto
requested review from
thalman
and removed request for
sumit-bose
alexey-tikhonov
force-pushed
the
nss-mc
branch
from
7a7b8b7 to
75505c1
Compare
|
I added one more patch. |
|
We probably should also:
|
alexey-tikhonov
force-pushed
the
nss-mc
branch
from
dad956e to
3c3df0b
Compare
don't return anything but EINVAL, because `_nss_sss_*()` functions can have a special handling for other error codes (for ERANGE in particular).
alexey-tikhonov
force-pushed
the
nss-mc
branch
from
3c3df0b to
b9f8f1c
Compare
src/sss_client/common.c
Outdated
| @@ -767,6 +767,15 @@ static enum sss_status sss_cli_check_socket(int *errnop, | |||
| myself_ino = myself_sb.st_ino; | |||
| } | |||
|
|
|||
| /* check if the socket has beed was hijacked */ | |||
There was a problem hiding this comment.
... has been was ...
No need to fix this if this is the only change you have to do.
| if (sss_cli_sd_get() != -1) { | ||
| ret = fstat(sss_cli_sd_get(), &mypid_sb); | ||
| if ((ret != 0) || (!S_ISSOCK(mypid_sb.st_mode)) | ||
| || (mypid_sb.st_ino != sss_cli_sb->st_ino)) { |
There was a problem hiding this comment.
since inodes are local to a given device, when comparing inodes between two files its usually a good idea to compare st_dev too
There was a problem hiding this comment.
Fixed here and in sss_nss_mc_validate()
alexey-tikhonov
force-pushed
the
nss-mc
branch
from
b9f8f1c to
a285b62
Compare
Real life example would be: https://github.com/TigerVNC/tigervnc/blob/effd854bfd19654fa67ff3d39514a91a246b8ae6/unix/xserver/hw/vnc/xvnc.c#L369 - TigerVNC unconditionally overwrites fd=3 Resolves: SSSD#6986
Real life example would be: https://github.com/TigerVNC/tigervnc/blob/effd854bfd19654fa67ff3d39514a91a246b8ae6/unix/xserver/hw/vnc/xvnc.c#L369 - TigerVNC unconditionally overwrites fd=3
alexey-tikhonov
force-pushed
the
nss-mc
branch
from
a285b62 to
1bb1a09
Compare
There was a problem hiding this comment.
Hi,
thanks for adding the device check as well, ACK.
About using high fd numbers, maybe this can be used if a changes was detected and we have to re-open the file or socket again. This way we can avoid the related overhead for the well-behaving cases.
While speaking about overheads, maybe we should think about really starting to do some measurements if closing the socket/file at the end of a requeist is more expensive than all those checks.
bye,
Sumit
I tired this in #6746 It doesn't work for enumeration requests. |
alexey-tikhonov
added
Accepted
Ready to push
|
Pushed PR: #7085
|
Hi, yes, for enumaration requests we have to find a different way of keeping the state, which is currently tight to the client connection. bye, |
don't return anything but EINVAL, because
_nss_sss_*()functions can have a special handling for other error codes (for ERANGE in particular).