mod_authz_unixgroup - stripping domain from username breaks multi-domain environments #57

Open
3 tasks
bimimicah opened this issue Nov 22, 2024 · 0 comments
Labels
bug-security A flaw that may be a potential or confirmed security concern. information needed We need more information to resolve the issue mod_authz_unixgroup Related to the mod_authz_unixgroup sub-project, not mod_auth_external.

bimimicah commented Nov 22, 2024

See comment by @pbiering here: #55 (comment)

See comment by @bimimicah here: #55 (comment)

What I was trying to say is that our current code (and this PR) just skips the domain (everything after the '@'), which could potentially be a security hole if the system is linked to multiple domains which both have a user with the same name.

I was wondering if the newer functions (such as getgrouplist) now support specifying domains (e.g. 'user@domain.com' or 'domain.com\user'), so maybe we can stop skipping the domain?

But that is beyond the scope of this PR, so we can take a look at it sometime down the road. I think this PR looks good. If there are no comments by next week, I will merge it and make a new release.

I also see it as dangerous to strip the domain by default.

Either add a particular option to strip a particular domain, or skip users that have a domain in their name altogether by default.

  • Test whether getgrouplist() supports domain syntax (e.g. 'user@domain' or 'domain\user')
  • if supported, remove domain stripping code
  • if not supported, develop a method to specify domain(s) that are accepted and can be stripped
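
One way the third task could look, as an added example that is not code from mod_authz_unixgroup: the domain is stripped only when it appears in an administrator-supplied list, and any other domain-qualified name is denied instead of being collapsed onto a local user. The names `local_user` and `domain_accepted` and the list format are hypothetical.

```c
#include <ctype.h>
#include <string.h>

/* Hypothetical helper (not mod_authz_unixgroup code): case-insensitive
 * lookup of a domain in the admin-supplied, NULL-terminated list. */
static int domain_accepted(const char *dom, size_t len, const char *const *ok)
{
    for (size_t i = 0; ok && ok[i]; i++) {
        size_t j = 0;
        while (j < len && ok[i][j] &&
               tolower((unsigned char)dom[j]) == tolower((unsigned char)ok[i][j]))
            j++;
        if (j == len && ok[i][j] == '\0')
            return 1;
    }
    return 0;
}

/* Returns 0 and writes the local user name to out when name has no domain
 * or its domain is in the accepted list; returns -1 (deny) otherwise. */
int local_user(const char *name, const char *const *ok, char *out, size_t outlen)
{
    const char *at = strchr(name, '@'), *bs = strchr(name, '\\');
    const char *user = name, *dom = NULL;
    size_t ulen = strlen(name), dlen = 0;

    if ((at && bs) || (at && at != strrchr(name, '@')) ||
        (bs && bs != strrchr(name, '\\')))
        return -1;                      /* ambiguous or repeated separator */
    if (at) {                           /* user@domain */
        ulen = (size_t)(at - name);
        dom = at + 1;
        dlen = strlen(dom);
    } else if (bs) {                    /* domain\user */
        dom = name;
        dlen = (size_t)(bs - name);
        user = bs + 1;
        ulen = strlen(user);
    }
    if (dom && !domain_accepted(dom, dlen, ok))
        return -1;                      /* unlisted domain: never strip */
    if (ulen == 0 || ulen >= outlen)
        return -1;                      /* empty user or buffer too small */
    memcpy(out, user, ulen);
    out[ulen] = '\0';
    return 0;
}
```

With only `example.com` accepted, `alice@example.com` resolves to `alice` while `alice@other.test` is rejected, so two same-named users from different domains can no longer share one group lookup.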