summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* TESTS: Add a chpass test to krb5_childkrb5testJakub Hrozek2014-10-302-9/+54
|
* TESTS: Add a cwrap-enabled test for krb5_childJakub Hrozek2014-10-305-4/+258
| | | | | | Adds two Python scripts -- one that runs a KDC on non-privileged port and one that talks to this KDC using the krb5_child test program we developed earlier.
* TESTS: Fix krb5_child testJakub Hrozek2014-10-301-1/+18
| | | | | The krb5_child tests wasn't run automatically on every build and as a result, wasn't maintained properly.
* NOUPSTREAM: Default to root if sssd user is not specifiedJakub Hrozek2014-10-301-1/+1
|
* BE: Make struct bet_queue_item private to sssd_beJakub Hrozek2014-10-302-10/+10
|
* BE: Become a regular user after initializationJakub Hrozek2014-10-301-0/+13
| | | | | | Some parts of initialization (Kerberos ticket renewal, checking the keytab for the right principal) still require the root privileges. Drop privileges after initializing the back ends.
* KRB5: Do not switch_creds() if already the specified userJakub Hrozek2014-10-302-7/+27
| | | | | | | | The code didn't have to handle this case previously as sssd_be was always running as root and switching to the ccache as the user logging in. Also handle NULL creds on restore_creds() in case there was no switch. One less if-condition and fewer indentation levels.
* KRB5: Move all ccache operations to krb5_child.cJakub Hrozek2014-10-307-206/+223
| | | | | | | | | | | | | The credential cache operations must be now performed by the krb5_child completely, because the sssd_be process might be running as the sssd user who doesn't have access to the ccaches. src/providers/krb5/krb5_ccache.c is still linked against libsss_krb5 until we fix Kerberos ticket renewal as non-root. Also includes a new error code that indicates that the back end should remove the old ccache attribute -- the child can't do that if it's running as the user.
* KRB5: Move checking for illegal RE to krb5_utils.cJakub Hrozek2014-10-305-89/+68
| | | | | | Otherwise we would have to link krb5_child with pcre and transfer the regex, which wold be cumbersome. Check for illegal patterns when expanding the template instead.
* KRB5: Move ccache-related functions to krb5_ccache.cJakub Hrozek2014-10-3011-708/+787
| | | | | | | Add a new module krb5_ccache.c that contains all ccache-related operations. The only user of this module shall be krb5_child.c as the other modules will run unprivileged and accessing the keytab requires either privileges of root or the ccache owner.
* KRB5: Drop privileges in the child, not the back endJakub Hrozek2014-10-302-20/+43
| | | | | | | | | | | | In future patches, sssd_be will be running as a non-privileged user, who will execute the setuid krb5_child. In this case, the child will start as root and drop the privileges as soon as possible. However, we need to also remove the privilege drop in sssd_be, because if we dropped to the user who is authenticating, we wouldn't be even allowed to execute krb5_child. The krb5_child permissions should be 4750, owned by root.sssd, to make sure only root and sssd can execute the child and if executed by sssd, the child will run as root.
* BUILD: Install krb5_child as suid if running under non-privileged userJakub Hrozek2014-10-301-0/+2
| | | | | If sssd_be is running unprivileged, then krb5_child must be setuid to be able to access the keytab and become arbitrary user.
* IPA: Move setting the SELinux context to a child processJakub Hrozek2014-10-295-20/+688
| | | | | | In order for the sssd_be process to run as unprivileged user, we need to move the semanage processing to a process that runs as the root user using setuid privileges.
* UTIL: Remove more code duplication setting up child processesJakub Hrozek2014-10-295-58/+42
| | | | | | All our child processes duplicated the same code that set up the debugging all around. Instead of adding yet another copy for the selinux_child, add a common utility function.
* UTIL: Remove code duplication of struct ioJakub Hrozek2014-10-294-76/+41
| | | | | | We had struct io and the associated destructor copied twice in the code already and need it again in the SELinux provider. Instead of adding another copy, move the code to a shared subtree under util/
* LDAP: Drop privileges after kinit in ldap_childJakub Hrozek2014-10-293-35/+67
| | | | | | After ldap_child initializes privileges using root-owned keytab, it drops privileges to the SSSD user, minimizing the amount of code that runs as root.
* LDAP: read the correct data type from ldap_child's input bufferJakub Hrozek2014-10-291-2/+2
| | | | The back end wrote uint32_t, the ldap_child process would read int32_t.
* LDAP: Move sss_krb5_verify_keytab_ex to ldap_childJakub Hrozek2014-10-293-80/+79
| | | | | | The function was called from one place only, so it makes no sense to keep it in a shared module. Moreover, the function should only be called from code that runs as root.
* BUILD: Install ldap_child and as setuid if running under non-privileged userJakub Hrozek2014-10-291-0/+5
| | | | | | The ldap_child permissions should be 4750, owned by root.sssd, to make sure only root and sssd can execute the child and if executed by sssd, the child will run as root.
* KRB5: Add utility function to get a list of principals from keytabJakub Hrozek2014-10-291-1/+115
|
* nss: preserve service name in getsrv callMichal Zidek2014-10-291-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | About case_sensitive=preserving and services. The name of the service can be preserved in result of 'getent service'. However we should still lowercase the protocol and service aliases because they serve as keys in some queries to sysdb. The lowercasing is done by the provider already. If we did not do that, we would lose case insesnsitivity. With this patch the responder preserves the case of service name and protocol, to match the case that is stored in the sysdb (however the protocol is already lowercased by provider, so it was done only for consistent use of the case_sensitive=preserve option in the responders and only the case of name is the same as in ldap). Fixes: https://fedorahosted.org/sssd/ticket/2460 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* RESPONDERS: Set default value for umaskPavel Reichl2014-10-298-0/+18
| | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2468 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* RESPONDERS: Don't hard-code umask value in utility functionPavel Reichl2014-10-291-4/+4
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2468 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* BUILD: Fix linking cwrap tests with -Wl,--as-neededLukas Slebodnik2014-10-271-1/+1
| | | | | | | | | | | CCLD responder_common-tests .libs/libsss_util.so: undefined reference to `sss_base64_encode' .libs/libsss_util.so: undefined reference to `s3crypt_gen_salt' .libs/libsss_util.so: undefined reference to `sss_base64_decode' .libs/libsss_util.so: undefined reference to `s3crypt_sha512' collect2: error: ld returned 1 exit status Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* RESPONDERS: refactor create_pipe_fd()Pavel Reichl2014-10-272-10/+13
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2470 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sdap_print_server: use getpeername() to get server addressSumit Bose2014-10-271-1/+1
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* nss: group enumeration fixSumit Bose2014-10-271-0/+3
| | | | | | | | | | The view/override patches introduced and issue with group enumeration where all groups are returned with the same name. This patch should fix it. Fixes: https://fedorahosted.org/sssd/ticket/2475 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TESTS: Add tests for the views-related option mapsJakub Hrozek2014-10-221-1/+2
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* SBUS: Fix error handling after closing containerLukas Slebodnik2014-10-221-0/+2
| | | | | | | | If function dbus_message_iter_close_container fail the return variable ret will be set to EINVAL, but function will not be immediately terminated. "goto done" was missing. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* pyhbac,pysss: fix reference leaksPavel Reichl2014-10-222-12/+20
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/1195 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* GPO: Terminate request on errorJakub Hrozek2014-10-221-0/+2
| | | | Reviewed-by: Pavel Reichl <preichl@redhat.com>
* NSS: Possibility to use any shells in 'allowed_shells'Denis Kutin2014-10-222-6/+23
| | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2219 Signed-off-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Reichl <preichl@redhat.com>
* MAN PAGE: modified sssd-ldap.5.xml for sssd ticket #2451Dan Lavu2014-10-221-1/+25
| | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2451 Added a configuration example at the bottom for 'ldap_access_order = lockout'. Also added a line to note that 'ldap_access_provider = ldap' must be specified for this feature to work. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SPEC: Print testsuite log for failed testLukas Slebodnik2014-10-221-1/+1
| | | | | | | | | | Starting from Automake 1.13, the parallel testsuite harness has been made the default one; this harness is quite silent. VERBOSE=yes will displays the logs of the non-passed tests (i.e., only of the failed or skipped ones, or of the ones that passed unexpectedly). Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SSH: Run the ssh responder as the SSSD userJakub Hrozek2014-10-222-2/+4
| | | | | Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* SUDO: Run the sudo responder as the SSSD userJakub Hrozek2014-10-222-2/+3
| | | | | Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* PAC: Run the pac responder as the SSSD userJakub Hrozek2014-10-222-2/+4
| | | | | Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* AUTOFS: Run the autofs responder as the SSSD userJakub Hrozek2014-10-222-2/+3
| | | | | Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* PAM: Run pam responder as nonrootMichal Zidek2014-10-222-2/+3
| | | | | Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* PAM: Create pipe file descriptors before privileges are droppedMichal Zidek2014-10-221-4/+26
| | | | | Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* responders: Do not initialize pipe fd if already presentMichal Zidek2014-10-229-14/+24
| | | | | | | | Allow to skip initialization of pipe file descriptor if the responder context already has one. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* TEST: Unit test for create_pipe_fdJakub Hrozek2014-10-221-0/+91
| | | | | Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* responder_common: Create fd for pipe in helperMichal Zidek2014-10-222-72/+65
| | | | | | | | Move creating of file descriptor for pipes into helper function and make this function public. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* NSS: Run as a user specified by monitorJakub Hrozek2014-10-222-1/+5
| | | | | | | | | Adds the NSS responder to the list of services known to work as a non-root user and becomes the specified user after starting the NSS responder. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* SYSDB: Allow calling chown on the sysdb file from monitorMichal Zidek2014-10-223-1/+32
| | | | | | | | Sysdb must be accessible for the nonroot sssd processes. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* MONITOR: Allow confdb to be accessed by nonroot userMichal Zidek2014-10-221-1/+12
| | | | | Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* BE: Own the sbus socket as the SSSD userJakub Hrozek2014-10-223-4/+22
| | | | | | | | | In some cases, the back end might still be running as root, but the responder would be running unprivileged. In this case, we need to allow connecting from the SSSD user ID. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* SBUS: Allow connections from other UIDsJakub Hrozek2014-10-223-0/+27
| | | | | | | | | Unless dbus_connection_set_unix_user_function() is used, D-Bus only allows connections from UID 0. This patch adds a custom checker function that allows either UID 0 or the pre-configured SSSD user ID. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* SBUS: Chown the sbus socket if neededJakub Hrozek2014-10-227-9/+39
| | | | | | | | | When setting up the sbus server, we might need to chown the sbus socket to make sure non-root peers, running as the SSSD user are able to access the file. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* SSSD: Load a user to run a service as from configurationJakub Hrozek2014-10-226-0/+73
| | | | | | | | | | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2370 Adds a option, user to run as, that is specified in the [sssd] section. When this option is specified, SSSD will run as this user and his private group. When these are not specified, SSSD will run as the configure-time user and group (usually root). Currently all services and providers are started as root. There is a temporary svc_supported_as_nonroot() function that returns true for a service if that service runs and was tested as nonroot and false otherwise. Currently this function always returns false, but will be amended in future patches. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
generated by cgit (git 2.34.1) at 2024-05-08 04:35:09 +0000