439450 – memberOf: A circular grouping causes groups to be listed as memberOf themselves

Bug 439450 - memberOf: A circular grouping causes groups to be listed as memberOf themselves

Summary: memberOf: A circular grouping causes groups to be listed as memberOf themselves

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	389
Classification:	Retired
Component:	Server - memberOf Plug-in
Sub Component:
Version:	1.1.0
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Nathan Kinder
QA Contact:	Chandrasekar Kannan
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	249650 429034 FDS1.2.0
TreeView+	depends on / blocked

Reported:	2008-03-28 18:29 UTC by Nathan Kinder
Modified:	2015-01-04 23:31 UTC (History)
CC List:	2 users (show)
Fixed In Version:	8.1
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-04-29 23:03:27 UTC
Embargoed:

Attachments	(Terms of Use)
CVS Diffs (2.85 KB, patch) 2008-03-28 21:07 UTC, Nathan Kinder	no flags	Details \| Diff
View All

Description Nathan Kinder 2008-03-28 18:29:02 UTC

If you create a circular grouping (two groups with each other listed as
members), then each group will have itself listed as the value of a memberOf
attribute.  We don't prevent someone from creating a circular grouping, but we
shouldn't list a group as a memberOf itself.

Comment 1 Nathan Kinder 2008-03-28 20:30:18 UTC

To reproduce:

- Create the following two group entries:

  dn: cn=group1,dc=example,dc=com
  objectclass: top
  objectClass: groupOfNames
  objectClass: inetUser
  cn: group1

  dn: cn=group2,dc=example,dc=com
  objectclass: top
  objectClass: groupOfNames
  objectClass: inetUser
  cn: group2

- Make group2 a member of group1:

  dn: cn=group1,dc=example,dc=com
  changetype: modify
  add: member
  member: cn=group2,dc=example,dc=com

- Make group1 a member of group2:

  dn: cn=group2,dc=example,dc=com
  changetype: modify
  add: member
  member: cn=group1,dc=example,dc=com

- At this point, both groups will have themselves listed as a member:

  dn: cn=group1,dc=example,dc=com
  member: cn=group2,dc=example,dc=com
  memberof: cn=group1,dc=example,dc=com
  memberof: cn=group2,dc=example,dc=com

  dn: cn=group2,dc=example,dc=com
  member: cn=group1,dc=example,dc=com
  memberof: cn=group1,dc=example,dc=com
  memberof: cn=group2,dc=example,dc=com

Comment 2 Nathan Kinder 2008-03-28 21:07:08 UTC

Created attachment 299521 [details]
CVS Diffs

When we are done recursing through a nested group, we finally update the group
entry itself.  Before doing any update to the group entry itself, we should
check to see if we're trying to do do an operation on the entry using itself as
the value for memberOf.  There was a similar check in the code already, but it
was only for a fixup operation for add modify operations.  This check needs to
be performed for all modify operation types earlier in the code.

Comment 3 Nathan Kinder 2008-03-28 21:46:15 UTC

Checked into ldapserver (HEAD).  Thanks to Simo for his review!

Checking in memberof.c;
/cvs/dirsec/ldapserver/ldap/servers/plugins/memberof/memberof.c,v  <--  memberof.c
new revision: 1.4; previous revision: 1.3
done

Comment 4 Nathan Kinder 2008-03-28 21:46:33 UTC

Checked into FreeIPA as changeset 745.

Comment 5 Yi Zhang 2008-04-04 18:09:13 UTC

qa verified, bug closed
build used: 4-4-2008 daily build

Comment 7 Chandrasekar Kannan 2009-04-29 23:03:27 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html

Note You need to log in before you can comment on or make changes to this bug.