sssd.git/contrib, branch nonroot sssd with jhrozek's patches BUILD: Install krb5_child as suid if running under non-privileged user 2014-11-18T19:33:11+00:00 Jakub Hrozek jhrozek@redhat.com 2014-10-24T20:44:17+00:00 a60f4bb6b321298eb4d1c1c33d1897049a83d357 If sssd_be is running unprivileged, then krb5_child must be setuid to be able to access the keytab and become arbitrary user. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
If sssd_be is running unprivileged, then krb5_child must be setuid to be
able to access the keytab and become arbitrary user.

Related:
https://fedorahosted.org/sssd/ticket/2370

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
CI: Build sssd on debian with samba support 2014-11-11T11:49:46+00:00 Lukas Slebodnik lslebodn@redhat.com 2014-10-13T12:00:12+00:00 494b227b13bb635b8ed03ce94b674ae87009681e Missing dependency, libini_config >= 1.1 is in debian testing for some time. Reviewed-by: Michal Židek <mzidek@redhat.com> 
Missing dependency, libini_config >= 1.1 is in debian testing
for some time.

Reviewed-by: Michal Židek <mzidek@redhat.com>
IPA: Move setting the SELinux context to a child process 2014-11-05T18:55:09+00:00 Jakub Hrozek jhrozek@redhat.com 2014-10-20T21:16:40+00:00 f3a25949de81f80c136bb073e4a8f504b080c20c In order for the sssd_be process to run as unprivileged user, we need to move the semanage processing to a process that runs as the root user using setuid privileges. Reviewed-by: Michal Židek <mzidek@redhat.com> 
In order for the sssd_be process to run as unprivileged user, we need to
move the semanage processing to a process that runs as the root user
using setuid privileges.

Reviewed-by: Michal Židek <mzidek@redhat.com>
BUILD: Install ldap_child and as setuid if running under non-privileged user 2014-11-05T18:54:46+00:00 Jakub Hrozek jhrozek@redhat.com 2014-10-11T18:22:42+00:00 45414c12aa933a33d9a635cc212c448c858c6bab The ldap_child permissions should be 4750, owned by root.sssd, to make sure only root and sssd can execute the child and if executed by sssd, the child will run as root. Reviewed-by: Michal Židek <mzidek@redhat.com> 
The ldap_child permissions should be 4750, owned by root.sssd,
to make sure only root and sssd can execute the child and if executed by
sssd, the child will run as root.

Reviewed-by: Michal Židek <mzidek@redhat.com>
SPEC: Print testsuite log for failed test 2014-10-22T14:35:41+00:00 Lukas Slebodnik lslebodn@redhat.com 2014-10-16T17:55:55+00:00 9ec9f2dd850eef9e124f9064121e1909230a9888 Starting from Automake 1.13, the parallel testsuite harness has been made the default one; this harness is quite silent. VERBOSE=yes will displays the logs of the non-passed tests (i.e., only of the failed or skipped ones, or of the ones that passed unexpectedly). Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Starting from Automake 1.13, the parallel testsuite harness has been made
the default one; this harness is quite silent.

VERBOSE=yes will displays the logs of the non-passed tests (i.e., only
of the failed or skipped ones, or of the ones that passed unexpectedly).

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
RPM: Change file ownership to sssd.sssd 2014-10-22T13:44:11+00:00 Jakub Hrozek jhrozek@redhat.com 2014-08-05T11:53:20+00:00 fa24dabfd480e1ce346009336c7979ab59520c44 Adds a private SSSD user in the %pre section of SSSD specfile. Also changes the ownership of SSSD private directories to sssd.sssd. Does not change the configure time default, so SSSD will still run as root. The file and directory ownership does not widen, because the directories are still only accessible by the private user (whose shell is /sbin/nologin) and of course the root user. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
Adds a private SSSD user in the %pre section of SSSD specfile. Also
changes the ownership of SSSD private directories to sssd.sssd.

Does not change the configure time default, so SSSD will still run as
root. The file and directory ownership does not widen, because the
directories are still only accessible by the private user (whose shell
is /sbin/nologin) and of course the root user.

Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
CI: Remove Clang analyzer 2014-10-22T10:55:26+00:00 Nikolai Kondrashov Nikolai.Kondrashov@redhat.com 2014-10-17T08:41:05+00:00 e373fffbb8e06d0d7682d095c734e8df8a499ba0 Remove Clang analyzer run from contrib/ci/run as it takes a long time (5-8 minutes) and its results are unused. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Remove Clang analyzer run from contrib/ci/run as it takes a long time
(5-8 minutes) and its results are unused.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
RPM: Package the libsss_semanage.so library 2014-10-20T20:34:15+00:00 Jakub Hrozek jhrozek@redhat.com 2014-10-20T20:22:09+00:00 b2636dab7c08a2ccc10edc1f3a83a6622543e21b Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
TESTS: Add a test to change user IDs 2014-10-10T11:56:08+00:00 Jakub Hrozek jhrozek@redhat.com 2014-07-27T12:44:24+00:00 428db8a58c0c149d5efccc6d788f70916c1d34d7 Adds a unit test using the nss_wrapper and uid_wrapper libraries that exercises the ability to become another user. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Adds a unit test using the nss_wrapper and uid_wrapper libraries that
exercises the ability to become another user.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
CI: Don't say Valgrind is ignored in README.md 2014-09-25T08:03:37+00:00 Nikolai Kondrashov Nikolai.Kondrashov@redhat.com 2014-09-22T15:21:57+00:00 d9666fa22117f016b2b9c6640563a983b8e4c64e Reviewed-by: Michal Židek <mzidek@redhat.com> 
Reviewed-by: Michal Židek <mzidek@redhat.com>