sssd.git/src/providers/proxy, branch master sssd with jhrozek's patches PROXY: Do not register signal with SA_SIGINFO 2015-05-31T17:35:57+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-05-28T14:28:08+00:00 df233bce93c6e6752cf22cd4244c85c94d68b17b Argument "siginfo_t *siginfo" (void *__siginfo) was not used in signal handlers pc_init_sig_handler, proxy_child_sig_handler. siginfo is mostly used for additional information for about signal and precesses (@see man 2 sigaction) and we store needed information in custom context (private_data); It's tevent style. Why backend crashed: proxy_child_init_send creates request; forks a process and register handler for signal SIGCHLD. Talloc parent of tevent_signal is previously created request. If proxy_child fails (return code is not 0) then SIGCHLD is received handler pc_init_sig_handler is called. However pc_init_sig_handler can call tevent_req_error for request which calls request callback and released request. tevent_signal_destructor was called as a part of releasing tevent_signal. The destructor cleared siginfo in ring buffer for first time. Then tevent tried to clear the same siginfo in ring buffer for the secont time after returning from signal hander (pc_init_sig_handler). But it was already cleared and it caused dereference of NULL pointer. Resolves: https://fedorahosted.org/sssd/ticket/2654 Reviewed-by: Michal Židek <mzidek@redhat.com> 
Argument "siginfo_t *siginfo" (void *__siginfo) was not used in
signal handlers pc_init_sig_handler, proxy_child_sig_handler.

siginfo is mostly used for additional information for about signal
and precesses (@see man 2 sigaction) and we store needed information
in custom context (private_data); It's tevent style.

Why backend crashed:
proxy_child_init_send creates request; forks a process and register
handler for signal SIGCHLD. Talloc parent of tevent_signal is previously
created request.

If proxy_child fails (return code is not 0) then SIGCHLD is received
handler pc_init_sig_handler is called. However pc_init_sig_handler can call
tevent_req_error for request which calls request callback and released
request.

tevent_signal_destructor was called as a part of releasing
tevent_signal. The destructor cleared siginfo in ring buffer for first time.
Then tevent tried to clear the same siginfo in ring buffer for the secont time
after returning from signal hander (pc_init_sig_handler). But it was already
cleared and it caused dereference of NULL pointer.

Resolves:
https://fedorahosted.org/sssd/ticket/2654

Reviewed-by: Michal Židek <mzidek@redhat.com>
PROXY: proxy_child should work in non-root mode 2015-05-31T17:35:27+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-05-27T12:49:14+00:00 1370bcccaed090f36d75e8a8cebb320ea1612b7e According to design page[1], proxy_child should run with root privileges in non-root mode however proxy_child did not have setuid bit. After setting setuid bit proxy_child will be executed with extra privileges. The effective user ID will be 0 but effective group ID will be still the same as egid of sssd_be. Therefore gid of private pipe for proxy_child should be the same. Otherwise proxy_child will fail due to wrong permissions of unix pipe (sbus_client_init -> check_file) [1] https://fedorahosted.org/sssd/wiki/DesignDocs/NotRootSSSD Resolves: https://fedorahosted.org/sssd/ticket/2655 Reviewed-by: Michal Židek <mzidek@redhat.com> 
According to design page[1], proxy_child should run
with root privileges in non-root mode however proxy_child
did not have setuid bit.

After setting setuid bit proxy_child will be executed with extra privileges.
The effective user ID will be 0 but effective group ID will be still
the same as egid of sssd_be. Therefore gid of private pipe for
proxy_child should be the same. Otherwise proxy_child will fail
due to wrong permissions of unix pipe (sbus_client_init -> check_file)

[1] https://fedorahosted.org/sssd/wiki/DesignDocs/NotRootSSSD

Resolves:
https://fedorahosted.org/sssd/ticket/2655

Reviewed-by: Michal Židek <mzidek@redhat.com>
PROXY: add missing space in debug message 2015-02-27T09:51:18+00:00 Pavel Reichl preichl@redhat.com 2015-02-27T09:25:46+00:00 18e24f20a4aef66a4899367a0775a98ab2acd18e Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Fix warning: equality comparison with extraneous parentheses 2015-02-11T19:38:42+00:00 Lukas Slebodnik lslebodn@redhat.com 2014-09-15T14:05:30+00:00 5085d263f2f084778b1314fc5e808668c3758d82 Example of warning: src/sss_client/libwbclient/wbc_pwd_sssd.c:246:23: error: equality comparison with extraneous parentheses [-Werror,-Wparentheses-equality] if (((wbc_status) == WBC_ERR_SUCCESS)) { ~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~ src/sss_client/libwbclient/wbc_pwd_sssd.c:246:23: note: remove extraneous parentheses around the comparison to silence this warning if (((wbc_status) == WBC_ERR_SUCCESS)) { ~ ^ ~ src/sss_client/libwbclient/wbc_pwd_sssd.c:246:23: note: use '=' to turn this equality comparison into an assignment if (((wbc_status) == WBC_ERR_SUCCESS)) { ^~ = The reason is definition of some macros which were used in if conditions. Reviewed-by: Michal Židek <mzidek@redhat.com> 
Example of warning:
src/sss_client/libwbclient/wbc_pwd_sssd.c:246:23:
  error: equality comparison with extraneous parentheses
  [-Werror,-Wparentheses-equality]
    if (((wbc_status) == WBC_ERR_SUCCESS)) {
         ~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~
src/sss_client/libwbclient/wbc_pwd_sssd.c:246:23:
  note: remove extraneous parentheses around the comparison
  to silence this warning
    if (((wbc_status) == WBC_ERR_SUCCESS)) {
        ~             ^                 ~
src/sss_client/libwbclient/wbc_pwd_sssd.c:246:23:
  note: use '=' to turn this equality comparison into an assignment
    if (((wbc_status) == WBC_ERR_SUCCESS)) {
                      ^~
                      =

The reason is definition of some macros which were used in if conditions.

Reviewed-by: Michal Židek <mzidek@redhat.com>
PROXY: Fix use after free 2015-01-29T10:55:16+00:00 Lukas Slebodnik lslebodn@redhat.com 2015-01-24T14:17:35+00:00 33889b2ad764beb6b129f5211b1fab9790da8884 The dbus_req and associated talloc context are no longer valid after execution of the function sbus_request_return_and_finish even if error code was returned. ==32479== Invalid read of size 8 ==32479== at 0x131F275F: client_registration (proxy_init.c:474) ==32479== by 0x529709E: sbus_request_invoke_or_finish (sssd_dbus_request.c:69) ==32479== by 0x52949B3: sbus_handler_got_caller_id (sssd_dbus_connection.c:555) ==32479== by 0x89B27E3: tevent_common_loop_immediate (tevent_immediate.c:135) ==32479== by 0x89B70CD: epoll_event_loop_once (tevent_epoll.c:907) ==32479== by 0x89B57D6: std_event_loop_once (tevent_standard.c:114) ==32479== by 0x89B1FBC: _tevent_loop_once (tevent.c:530) ==32479== by 0x89B215A: tevent_common_loop_wait (tevent.c:634) ==32479== by 0x89B5776: std_event_loop_wait (tevent_standard.c:140) ==32479== by 0x529E255: server_loop (server.c:668) ==32479== by 0x40DBC5: main (data_provider_be.c:2915) ==32479== Address 0xb700858 is 104 bytes inside a block of size 136 free'd ==32479== at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==32479== by 0x8BBE462: _talloc_free (in /usr/lib64/libtalloc.so.2.1.1) ==32479== by 0x52971A4: sbus_request_finish (sssd_dbus_request.c:95) ==32479== by 0x529731A: sbus_request_return_and_finish (sssd_dbus_request.c:119) ==32479== by 0x131F264D: client_registration (proxy_init.c:443) ==32479== by 0x529709E: sbus_request_invoke_or_finish (sssd_dbus_request.c:69) ==32479== by 0x52949B3: sbus_handler_got_caller_id (sssd_dbus_connection.c:555) ==32479== by 0x89B27E3: tevent_common_loop_immediate (tevent_immediate.c:135) ==32479== by 0x89B70CD: epoll_event_loop_once (tevent_epoll.c:907) ==32479== by 0x89B57D6: std_event_loop_once (tevent_standard.c:114) ==32479== by 0x89B1FBC: _tevent_loop_once (tevent.c:530) ==32479== by 0x89B215A: tevent_common_loop_wait (tevent.c:634) Resolves: https://fedorahosted.org/sssd/ticket/2573 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
The dbus_req and associated talloc context are no longer valid after
execution of the function sbus_request_return_and_finish even if error code
was returned.

==32479== Invalid read of size 8
==32479==    at 0x131F275F: client_registration (proxy_init.c:474)
==32479==    by 0x529709E: sbus_request_invoke_or_finish (sssd_dbus_request.c:69)
==32479==    by 0x52949B3: sbus_handler_got_caller_id (sssd_dbus_connection.c:555)
==32479==    by 0x89B27E3: tevent_common_loop_immediate (tevent_immediate.c:135)
==32479==    by 0x89B70CD: epoll_event_loop_once (tevent_epoll.c:907)
==32479==    by 0x89B57D6: std_event_loop_once (tevent_standard.c:114)
==32479==    by 0x89B1FBC: _tevent_loop_once (tevent.c:530)
==32479==    by 0x89B215A: tevent_common_loop_wait (tevent.c:634)
==32479==    by 0x89B5776: std_event_loop_wait (tevent_standard.c:140)
==32479==    by 0x529E255: server_loop (server.c:668)
==32479==    by 0x40DBC5: main (data_provider_be.c:2915)
==32479==  Address 0xb700858 is 104 bytes inside a block of size 136 free'd
==32479==    at 0x4C2AD17: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32479==    by 0x8BBE462: _talloc_free (in /usr/lib64/libtalloc.so.2.1.1)
==32479==    by 0x52971A4: sbus_request_finish (sssd_dbus_request.c:95)
==32479==    by 0x529731A: sbus_request_return_and_finish (sssd_dbus_request.c:119)
==32479==    by 0x131F264D: client_registration (proxy_init.c:443)
==32479==    by 0x529709E: sbus_request_invoke_or_finish (sssd_dbus_request.c:69)
==32479==    by 0x52949B3: sbus_handler_got_caller_id (sssd_dbus_connection.c:555)
==32479==    by 0x89B27E3: tevent_common_loop_immediate (tevent_immediate.c:135)
==32479==    by 0x89B70CD: epoll_event_loop_once (tevent_epoll.c:907)
==32479==    by 0x89B57D6: std_event_loop_once (tevent_standard.c:114)
==32479==    by 0x89B1FBC: _tevent_loop_once (tevent.c:530)
==32479==    by 0x89B215A: tevent_common_loop_wait (tevent.c:634)

Resolves:
https://fedorahosted.org/sssd/ticket/2573

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
sbus: add new iface via sbus_conn_register_iface() 2015-01-23T20:29:17+00:00 Pavel Březina pbrezina@redhat.com 2014-12-10T18:24:58+00:00 9fa95168d80beba04b333b06edc492ecb8b085a1 Rename sbus_conn_add_interface() to sbus_conn_register_iface() and remove sbus_new_interface() calls since it is just one more unnecessary call outside the sbus code. The function sbus_new_interface() is made static and used directly in sbus_conn_register_iface(). The name was chosen to better describe what the function is doing. That it registers an interface on a given object path. The same interface can be used with different paths so it is not really about adding an interface. Preparation for: https://fedorahosted.org/sssd/ticket/2339 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Rename sbus_conn_add_interface() to sbus_conn_register_iface()
and remove sbus_new_interface() calls since it is just one more
unnecessary call outside the sbus code.

The function sbus_new_interface() is made static and used
directly in sbus_conn_register_iface().

The name was chosen to better describe what the function is
doing. That it registers an interface on a given object path.
The same interface can be used with different paths so it is
not really about adding an interface.

Preparation for:
https://fedorahosted.org/sssd/ticket/2339

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
PROXY: Preserve service name in proxy provider 2014-11-13T18:37:07+00:00 Michal Zidek mzidek@redhat.com 2014-11-06T18:25:59+00:00 38429c99bf5af14c2d6bae6ddcf70974fdd103cc Fixes: https://fedorahosted.org/sssd/ticket/2461 Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Fixes:
https://fedorahosted.org/sssd/ticket/2461

Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
proxy: Do not try to store same alias twice 2014-11-13T18:36:56+00:00 Michal Zidek mzidek@redhat.com 2014-10-31T15:39:25+00:00 22e074249928605a1d5b926274ae2efb1596bc73 LDB does not store attributes if they have the same name and value and errors out instead. Fixes: https://fedorahosted.org/sssd/ticket/2461 Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
LDB does not store attributes if they have the
same name and value and errors out instead.

Fixes:
https://fedorahosted.org/sssd/ticket/2461

Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
SBUS: Chown the sbus socket if needed 2014-10-22T13:44:17+00:00 Jakub Hrozek jhrozek@redhat.com 2014-10-07T09:30:01+00:00 5960687483a5d3d99093c9d6ab64e11c9bde7f7b When setting up the sbus server, we might need to chown the sbus socket to make sure non-root peers, running as the SSSD user are able to access the file. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
When setting up the sbus server, we might need to chown the sbus socket
to make sure non-root peers, running as the SSSD user are able to access
the file.

Reviewed-by: Pavel Reichl <preichl@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
SSSD: Add the options to specify a UID and GID to run as 2014-10-20T19:43:40+00:00 Jakub Hrozek jhrozek@redhat.com 2014-10-06T14:28:13+00:00 ac40d2f2b2b2fc35c95389f5e28febd580bd2b7a Adds new command line options --uid and --gid to all SSSD servers, making it possible to switch to another user ID if needed. So far all code still runs as root. Reviewed-by: Pavel Reichl <preichl@redhat.com> 
Adds new command line options --uid and --gid to all SSSD servers,
making it possible to switch to another user ID if needed.

So far all code still runs as root.

Reviewed-by: Pavel Reichl <preichl@redhat.com>