Bug 4141 - regexec call in auth.c's auth_getperms allows wrong perms on localuser acls
Status: ASSIGNED
: Replica Location
RLS
: development
: PC Linux
: P3 normal
: ---
Reported: 2006-01-06 17:02 by
Modified: 2006-06-15 14:22 (History)

Description From 2006-01-06 17:02:06
With my gridmap entry like this:

"/DC=org/DC=doegrids/OU=Services/CN=docwriter.isi.edu" rls-service
"/DC=org/DC=doegrids/OU=People/CN=Mei-Hui Su 508922" meiOO

and the RLS server's ACL like this (from a globus-rls-admin -c all call):

==>  doing admin -c all
  acl                      meiO: all
  acl                      rls-admin: admin
  acl                      rls-all: all
  acl                      rls-user: lrc_read lrc_update rli_read
  acl                      rls-service: lrc_read rli_read rli_update stats
  authentication           true

I was able to access the RLS server as meiO instead of meiOO.
Adding some debug statements to the code:

2006-01-06 14:56:24 T32771: XXX localuser is found from gridmap (meiOO)
2006-01-06 14:56:24 T32771: XXX checking with ACL: dn(meiO)
2006-01-06 14:56:24 T32771: XXX FOUND MATCH localuser(meiOO)
2006-01-06 14:56:24 T32771: auth_getperms(/DC=org/DC=doegrids/OU=People/CN=Mei-Hui Su 508922): localuser meiOO perms FFFF


and the source code is like this,

  if (globus_gss_assist_gridmap(dn, &localuser) != 0)
    localuser = NULL;
  if (localuser)
    logit(LOG_DEBUG, "XXX localuser is found from gridmap (%s)\n", localuser);
  while (acllist) {
    logit(LOG_DEBUG, "XXX checking with ACL: dn(%s) \n", acllist->dn);
    if (localuser && regexec(&acllist->re, localuser, 0, NULL, 0) == 0) {
      logit(LOG_DEBUG, "XXX FOUND MATCH localuser(%s)\n", localuser);
      break;
    }
    else {
      if (regexec(&acllist->re, dn, 0, NULL, 0) == 0) {
        logit(LOG_DEBUG, "XXX FOUND MATCH dn(%s)\n", dn);
        break;
      }
    }
    acllist = acllist->nxt;
  }


and the acllist->re was created with this,

  if (regcomp(&p->re, p->dn, REG_EXTENDED|REG_NOSUB) != 0) {
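
The behaviour reported above, reproduced as an added example (not part of the original report or the RLS source): a pattern compiled without anchors makes regexec() succeed on any substring, so the ACL entry meiO matches the local user meiOO. The function names and the ^(...)$ wrapping are assumptions made for illustration, not the project's fix.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Behaviour from the report: the ACL name is compiled as-is, so regexec()
 * returns 0 when the pattern matches anywhere inside the subject.
 * Returns 1 on match, 0 on no match, -1 if the pattern does not compile. */
int acl_match_unanchored(const char *pattern, const char *subject)
{
    regex_t re;
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, subject, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Hypothetical hardening: compile ^(pattern)$ so the whole subject must
 * match. Grouping keeps alternations such as a|b inside the anchors. */
int acl_match_anchored(const char *pattern, const char *subject)
{
    regex_t re;
    int rc;
    size_t len = strlen(pattern) + 5;   /* "^(" + pattern + ")$" + NUL */
    char *anchored = malloc(len);

    if (anchored == NULL)
        return -1;
    snprintf(anchored, len, "^(%s)$", pattern);
    rc = regcomp(&re, anchored, REG_EXTENDED | REG_NOSUB);
    free(anchored);
    if (rc != 0)
        return -1;
    rc = regexec(&re, subject, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

int main(void)
{
    /* Constructed inputs using the ACL and local user names from the report. */
    printf("unanchored meiO vs meiOO: %d\n", acl_match_unanchored("meiO", "meiOO"));
    printf("anchored   meiO vs meiOO: %d\n", acl_match_anchored("meiO", "meiOO"));
    printf("anchored   meiO vs meiO : %d\n", acl_match_anchored("meiO", "meiO"));
    return 0;
}
```
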
------- Comment #1 From 2006-01-06 17:55:29 -------
bugzilla failed to send this out the first time
------- Comment #2 From 2006-06-15 14:22:26 -------
Just updating the Summary message.