Bugzilla – Bug 4141
regexec call in auth.c's auth_getperms allows wrong perms on localuser acls
Last modified: 2006-06-15 14:22:26
With my gridmap entry like this,

    "/DC=org/DC=doegrids/OU=Services/CN=docwriter.isi.edu" rls-service
    "/DC=org/DC=doegrids/OU=People/CN=Mei-Hui Su 508922" meiOO

and rls server's acl like this (from globus-rls-admin -c all call),

    ==> doing admin -c all
    acl meiO: all
    acl rls-admin: admin
    acl rls-all: all
    acl rls-user: lrc_read lrc_update rli_read
    acl rls-service: lrc_read rli_read rli_update stats
    authentication true

I was able to access the rls server as meiO instead of meiOO.

Adding some debug statement into the code,

    2006-01-06 14:56:24 T32771: XXX localuser is found from gridmap (meiOO)
    2006-01-06 14:56:24 T32771: XXX checking with ACL: dn(meiO)
    2006-01-06 14:56:24 T32771: XXX FOUND MATCH localuser(meiOO)
    2006-01-06 14:56:24 T32771: auth_getperms(/DC=org/DC=doegrids/OU=People/CN=Mei-Hui Su 508922): localuser meiOO perms FFFF

and the source code is like this,

    if (globus_gss_assist_gridmap(dn, &localuser) != 0)
      localuser = NULL;
    if(localuser)
      logit(LOG_DEBUG, "XXX localuser is found from gridmap (%s)\n", localuser);
    while (acllist) {
      logit(LOG_DEBUG, "XXX checking with ACL: dn(%s) \n", acllist->dn);
      if (localuser && regexec(&acllist->re, localuser, 0, NULL, 0) == 0) {
        logit(LOG_DEBUG, "XXX FOUND MATCH localuser(%s)\n", localuser);
        break;
      } else {
        if (regexec(&acllist->re, dn, 0, NULL, 0) == 0) {
          logit(LOG_DEBUG, "XXX FOUND MATCH dn(%s)\n", dn);
          break;
        }
      }
      acllist = acllist->nxt;
    }

and the acllist->re was created with this,

    if (regcomp(&p->re, p->dn, REG_EXTENDED|REG_NOSUB) != 0) {
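The behaviour in the report can be reproduced outside the RLS server: POSIX regexec() reports a match when the pattern is found anywhere in the subject, so the ACL pattern meiO matches the local user meiOO. The program below is an added example, not code from the report or from the Globus source; the function names and the ^(...)$ wrapping are assumptions, shown as one possible way to require a whole-string match (the report does not say how the project fixed it).

```c
#include <regex.h>
#include <stdio.h>

/* Same flags as the regcomp() call quoted in the report. */
#define ACL_REG_FLAGS (REG_EXTENDED | REG_NOSUB)

/* Behaviour from the report: match if pattern occurs anywhere in subject.
 * Returns 1 on match, 0 on no match, -1 on error (callers must deny on != 1). */
int acl_match_unanchored(const char *pattern, const char *subject)
{
    regex_t re;
    int rc;

    if (regcomp(&re, pattern, ACL_REG_FLAGS) != 0)
        return -1;
    rc = regexec(&re, subject, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Hypothetical mitigation: compile ^(pattern)$ so the whole subject must
 * match; the group keeps alternations such as a|b inside the anchors. */
int acl_match_anchored(const char *pattern, const char *subject)
{
    char wrapped[512];
    int n = snprintf(wrapped, sizeof wrapped, "^(%s)$", pattern);

    if (n < 0 || (size_t)n >= sizeof wrapped)
        return -1;                      /* pattern too long: fail closed */
    return acl_match_unanchored(wrapped, subject);
}

int main(void)
{
    /* ACL patterns and local users taken from the report. */
    const char *acls[] = { "meiO", "rls-admin", "rls-all", "rls-user", "rls-service" };
    const char *users[] = { "meiOO", "rls-service" };

    for (size_t u = 0; u < 2; u++)
        for (size_t a = 0; a < 5; a++)
            printf("user %-12s acl %-12s unanchored=%d anchored=%d\n",
                   users[u], acls[a],
                   acl_match_unanchored(acls[a], users[u]),
                   acl_match_anchored(acls[a], users[u]));
    return 0;
}
```

With anchoring, patterns that are meant to cover several names still work when written as regular expressions (for example rls-.*), while a literal entry only matches the identical name.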
Bugzilla failed to send this out the first time.
Just updating the Summary message.