Commit message | Author | Age | Files | Lines
* Views: apply user SSH public key override (Sumit Bose, 2014-11-05, 5 files, -40/+126)
  With this patch the SSH public key override attribute is read from the FreeIPA server and saved in the cache with the other override data. Since it is possible to have multiple public SSH keys this override value does not replace any other data but will be added to existing values.
  Fixes https://fedorahosted.org/sssd/ticket/2454
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sysdb_add_overrides_to_object: add new parameter and multi-value support (Sumit Bose, 2014-11-05, 4 files, -26/+44)
  With the new parameter an attribute list other than the default one can be used. Override attributes with multiple values (e.g. SSH public keys) are now supported as well.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sysdb_get_user_attr_with_views: add mandatory override attributes (Sumit Bose, 2014-11-05, 1 file, -39/+8)
  This patch adds another attribute which is needed for override processing to the attribute list of sysdb_get_user_attr_with_views(). With two attributes it does not seem useful to check for existence and add each of the attributes conditionally. With this patch they are added unconditionally if the domain has views. Additionally the attributes are not removed in the end because it is expected that they do not cause any harm.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* nss: return user_attributes in origbyname request (Sumit Bose, 2014-11-05, 2 files, -30/+223)
  To allow IPA clients to offer special attributes of AD users from trusted domains the extdom plugin on the IPA server must send them to the clients. The extdom plugin already uses sss_nss_getorigbyname() to get attributes like the SID and the user principal name. This patch adds the attributes given by the NSS/IFP user_attributes option to the list of attributes returned by sss_nss_getorigbyname().
  Fixes https://fedorahosted.org/sssd/ticket/2464
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* nss: parse user_attributes option (Sumit Bose, 2014-11-05, 3 files, -0/+48)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Add parse_attr_list_ex() helper function (Sumit Bose, 2014-11-05, 6 files, -117/+212)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: inherit ldap_user_extra_attrs to AD subdomains (Sumit Bose, 2014-11-05, 1 file, -0/+31)
  Currently the component of the IPA provider which reads the AD user and group attributes in ipa-server-mode uses default settings for the LDAP related attributes. As a result even if ldap_user_extra_attrs is defined in sssd.conf no extra attributes are read from AD. With the patch the value of ldap_user_extra_attrs is inherited to the AD subdomains to allow them to read extra attributes as well.
  Related to https://fedorahosted.org/sssd/ticket/2464
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Add add_strings_lists() utility function (Sumit Bose, 2014-11-05, 3 files, -0/+194)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA: use ipaUserGroup object class for groups (Pavel Březina, 2014-11-05, 1 file, -1/+1)
  dfb34c6c82ed5014599bf70de6791e6d79106fc2 changed object class of IPA groups from posixGroups to more general groupOfNames. However, this object class is used also for roles, permissions and privileges which caused SSSD to consider those objects to be groups as well during initgroups.
  Resolves: https://fedorahosted.org/sssd/ticket/2471
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* NSS: disable midpoint refresh for netgroups (Pavel Reichl, 2014-11-04, 1 file, -14/+43)
  Disable midpoint refresh for netgroups if periodical refresh of expired netgroups is enabled (refresh_expired_interval).
  Resolves: https://fedorahosted.org/sssd/ticket/2102
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* CONFDB: Detect&fix misconf opt refresh_expired_interval (Pavel Reichl, 2014-11-04, 1 file, -0/+15)
  Related to: https://fedorahosted.org/sssd/ticket/2102
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* memberof: check for empty arrays to avoid segfaults (Sumit Bose, 2014-11-04, 1 file, -2/+2)
  The arrays with members to add or delete may be empty, i.e. have 0 entries. In this case further processing should be skipped to avoid segfaults later on.
  Fixes (hopefully) https://fedorahosted.org/sssd/ticket/2430
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MONITOR: Fix warning may be used uninitialized (Michal Zidek, 2014-10-31, 1 file, -1/+3)
  This warning is caused by change 579e5d4b7a3ca161ea7518b2996905fa22c15995 "MONITOR: Allow confdb to be accessed by nonroot user"
  src/monitor/monitor.c: In function ‘main’:
  src/monitor/monitor.c:2953:24: error: ‘monitor’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
  monitor->is_daemon = !opt_interactive;
  ^
  cc1: all warnings being treated as errors
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: Rename user_dom into obj_dom (Jakub Hrozek, 2014-10-30, 1 file, -12/+12)
  There was a variable in the IPA subdomain code named user_dom, however, it was used in code that processes both users and groups, which was confusing.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* IPA: Don't fail the request when BE doesn't find the object (Jakub Hrozek, 2014-10-30, 1 file, -4/+6)
  The IPA subdomain code treated ENOENT as a fatal error, which resulted in a loud error message and the whole request being aborted. This patch ignores ENOENT.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* IFP: Fix typo in debug message (Sumit Bose, 2014-10-30, 1 file, -1/+1)
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* nss: preserve service name in getsrv call (Michal Zidek, 2014-10-29, 1 file, -2/+2)
  About case_sensitive=preserving and services. The name of the service can be preserved in result of 'getent service'. However we should still lowercase the protocol and service aliases because they serve as keys in some queries to sysdb. The lowercasing is done by the provider already. If we did not do that, we would lose case insensitivity. With this patch the responder preserves the case of service name and protocol, to match the case that is stored in the sysdb (however the protocol is already lowercased by provider, so it was done only for consistent use of the case_sensitive=preserve option in the responders and only the case of name is the same as in ldap).
  Fixes: https://fedorahosted.org/sssd/ticket/2460
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* RESPONDERS: Set default value for umask (Pavel Reichl, 2014-10-29, 8 files, -0/+18)
  Resolves: https://fedorahosted.org/sssd/ticket/2468
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* RESPONDERS: Don't hard-code umask value in utility function (Pavel Reichl, 2014-10-29, 1 file, -4/+4)
  Resolves: https://fedorahosted.org/sssd/ticket/2468
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* BUILD: Fix linking cwrap tests with -Wl,--as-needed (Lukas Slebodnik, 2014-10-27, 1 file, -1/+1)
  CCLD responder_common-tests
  .libs/libsss_util.so: undefined reference to `sss_base64_encode'
  .libs/libsss_util.so: undefined reference to `s3crypt_gen_salt'
  .libs/libsss_util.so: undefined reference to `sss_base64_decode'
  .libs/libsss_util.so: undefined reference to `s3crypt_sha512'
  collect2: error: ld returned 1 exit status
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* RESPONDERS: refactor create_pipe_fd() (Pavel Reichl, 2014-10-27, 2 files, -10/+13)
  Resolves: https://fedorahosted.org/sssd/ticket/2470
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* sdap_print_server: use getpeername() to get server address (Sumit Bose, 2014-10-27, 1 file, -1/+1)
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* nss: group enumeration fix (Sumit Bose, 2014-10-27, 1 file, -0/+3)
  The view/override patches introduced an issue with group enumeration where all groups are returned with the same name. This patch should fix it.
  Fixes: https://fedorahosted.org/sssd/ticket/2475
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TESTS: Add tests for the views-related option maps (Jakub Hrozek, 2014-10-22, 1 file, -1/+2)
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SBUS: Fix error handling after closing container (Lukas Slebodnik, 2014-10-22, 1 file, -0/+2)
  If function dbus_message_iter_close_container fails the return variable ret will be set to EINVAL, but the function will not be immediately terminated. "goto done" was missing.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* pyhbac,pysss: fix reference leaks (Pavel Reichl, 2014-10-22, 2 files, -12/+20)
  Resolves: https://fedorahosted.org/sssd/ticket/1195
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* GPO: Terminate request on error (Jakub Hrozek, 2014-10-22, 1 file, -0/+2)
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* NSS: Possibility to use any shells in 'allowed_shells' (Denis Kutin, 2014-10-22, 2 files, -6/+23)
  Resolves: https://fedorahosted.org/sssd/ticket/2219
  Signed-off-by: Pavel Reichl <preichl@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* MAN PAGE: modified sssd-ldap.5.xml for sssd ticket #2451 (Dan Lavu, 2014-10-22, 1 file, -1/+25)
  https://fedorahosted.org/sssd/ticket/2451
  Added a configuration example at the bottom for 'ldap_access_order = lockout'. Also added a line to note that 'ldap_access_provider = ldap' must be specified for this feature to work.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SPEC: Print testsuite log for failed test (Lukas Slebodnik, 2014-10-22, 1 file, -1/+1)
  Starting from Automake 1.13, the parallel testsuite harness has been made the default one; this harness is quite silent. VERBOSE=yes will display the logs of the non-passed tests (i.e., only of the failed or skipped ones, or of the ones that passed unexpectedly).
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SSH: Run the ssh responder as the SSSD user (Jakub Hrozek, 2014-10-22, 2 files, -2/+4)
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* SUDO: Run the sudo responder as the SSSD user (Jakub Hrozek, 2014-10-22, 2 files, -2/+3)
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* PAC: Run the pac responder as the SSSD user (Jakub Hrozek, 2014-10-22, 2 files, -2/+4)
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* AUTOFS: Run the autofs responder as the SSSD user (Jakub Hrozek, 2014-10-22, 2 files, -2/+3)
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* PAM: Run pam responder as nonroot (Michal Zidek, 2014-10-22, 2 files, -2/+3)
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* PAM: Create pipe file descriptors before privileges are dropped (Michal Zidek, 2014-10-22, 1 file, -4/+26)
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* responders: Do not initialize pipe fd if already present (Michal Zidek, 2014-10-22, 9 files, -14/+24)
  Allow to skip initialization of pipe file descriptor if the responder context already has one.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* TEST: Unit test for create_pipe_fd (Jakub Hrozek, 2014-10-22, 1 file, -0/+91)
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* responder_common: Create fd for pipe in helper (Michal Zidek, 2014-10-22, 2 files, -72/+65)
  Move creating of file descriptor for pipes into helper function and make this function public.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* NSS: Run as a user specified by monitor (Jakub Hrozek, 2014-10-22, 2 files, -1/+5)
  Adds the NSS responder to the list of services known to work as a non-root user and becomes the specified user after starting the NSS responder.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* SYSDB: Allow calling chown on the sysdb file from monitor (Michal Zidek, 2014-10-22, 3 files, -1/+32)
  Sysdb must be accessible for the nonroot sssd processes.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* MONITOR: Allow confdb to be accessed by nonroot user (Michal Zidek, 2014-10-22, 1 file, -1/+12)
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* BE: Own the sbus socket as the SSSD user (Jakub Hrozek, 2014-10-22, 3 files, -4/+22)
  In some cases, the back end might still be running as root, but the responder would be running unprivileged. In this case, we need to allow connecting from the SSSD user ID.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* SBUS: Allow connections from other UIDs (Jakub Hrozek, 2014-10-22, 3 files, -0/+27)
  Unless dbus_connection_set_unix_user_function() is used, D-Bus only allows connections from UID 0. This patch adds a custom checker function that allows either UID 0 or the pre-configured SSSD user ID.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* SBUS: Chown the sbus socket if needed (Jakub Hrozek, 2014-10-22, 7 files, -9/+39)
  When setting up the sbus server, we might need to chown the sbus socket to make sure non-root peers, running as the SSSD user are able to access the file.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* SSSD: Load a user to run a service as from configuration (Jakub Hrozek, 2014-10-22, 6 files, -0/+73)
  Related: https://fedorahosted.org/sssd/ticket/2370
  Adds an option, user to run as, that is specified in the [sssd] section. When this option is specified, SSSD will run as this user and his private group. When these are not specified, SSSD will run as the configure-time user and group (usually root).
  Currently all services and providers are started as root. There is a temporary svc_supported_as_nonroot() function that returns true for a service if that service runs and was tested as nonroot and false otherwise. Currently this function always returns false, but will be amended in future patches.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* RPM: Change file ownership to sssd.sssd (Jakub Hrozek, 2014-10-22, 1 file, -11/+15)
  Adds a private SSSD user in the %pre section of SSSD specfile. Also changes the ownership of SSSD private directories to sssd.sssd. Does not change the configure time default, so SSSD will still run as root.
  The file and directory ownership does not widen, because the directories are still only accessible by the private user (whose shell is /sbin/nologin) and of course the root user.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* BUILD: Add a config option for sssd user, own private directories as the user (Jakub Hrozek, 2014-10-22, 3 files, -6/+37)
  Adds a new configure-time option that lets you select the user to run SSSD as. The default is 'root' for backwards compatibility. The directories the daemon stores its private data at are also created as owned by this user during install time.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* UTIL: Add a function to convert id_t from a number or a name (Jakub Hrozek, 2014-10-22, 9 files, -13/+360)
  We need a custom function that would convert a numeric or string input into uid_t. The function will be used to drop privileges in servers and also in the PAC and IFP responders.
  Includes a unit test to test all code that changed as well as a fix for a misnamed attribute in the csv_to_uid_list function synopsis.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
* CI: Remove Clang analyzer (Nikolai Kondrashov, 2014-10-22, 3 files, -60/+5)
  Remove Clang analyzer run from contrib/ci/run as it takes a long time (5-8 minutes) and its results are unused.
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>