| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1818
I have here a LDAP user entry which has this attribute
loginAllowedTimeMap::
AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA
In the function sysdb_attrs_add_string(), called from
sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is
the wrong thing to do. The result of strlen is then used to populate
the .v_length member of a struct ldb_val - and this will set it to
zero in this case. (There is also the problem that there may not be
a '\0' at all in the blob.)
Subsequently, .v_length being 0 makes ldb_modify(), called from
sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End
result is that users do not get stored in the sysdb, and programs like
`id` or `getent ...` show incomplete information.
The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave
fine, but that may not mean that is the absolute lower boundary of
introduction of the problem.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1440
|
| |
|
| |
|
|
|
|
|
| |
Provides compatible declarations for modern file management functions
such as futimens or opening with the O_CLOEXEC flag
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When creating a home directory, the destination tree can be modified in
various ways while it is being constructed because directory
permissions
are set before populating the directory. This can lead to file creation
and permission changes outside the target directory tree, using hard
links.
This security problem was assigned CVE-2013-0219
https://fedorahosted.org/sssd/ticket/1782
|
|
|
|
|
|
|
|
|
|
| |
The removal of a home directory is sensitive to concurrent modification
of the directory tree being removed and can unlink files outside the
directory tree.
This security issue was assigned CVE-2013-0219
https://fedorahosted.org/sssd/ticket/1782
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1783
When dn in member attribute is invalid (e.g. rdn instead of dn)
or it is outside of configured search bases, we might hit a situation
when tevent_req is marked as done before any callback could be
attached on it.
|
|
|
|
|
|
|
|
|
|
|
|
| |
In case a service is restarted while the DP is not ready yet, it gets
restarted again immediatelly, which means the DP might still not be
ready. The allowed number of restarts is then depleted quickly.
This patch changes the restart mechanism such that the first restart
happens immediatelly, the second is scheduled after 2 second, then 4
etc..
https://fedorahosted.org/sssd/ticket/1528
|
|
|
|
|
|
|
|
| |
SSH requests.
This fixes CVE-2013-0220.
https://fedorahosted.org/sssd/ticket/1781
|
|
|
|
|
|
|
|
| |
There used to be an overlinked dependency that's gone now, so
to fix a build error add CLIENT_LIBS to sss_ssh_knownhostsproxy_LDFLAGS.
v2:
Fix sss_ssh_authorizedkeys linking as well.
|
|
|
|
|
|
|
|
|
| |
The pam responder was not properly configured to recover from a backend
disconnect. The connections that were in flight before the disconnection
were never freed and new requests for the same user would just pile up on
top of the now phantom requests.
Fixes: https://fedorahosted.org/sssd/ticket/1655
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1683
The result of the percent calculation was always 0 as it used plain
ints. The patch switches to using explicit floats to avoid reintroducing
the bug again even with brackets.
|
|
|
|
|
|
|
| |
This is an additional proteciont in case the provider misbheaves to avoid
having requests pending forever.
Fixes: https://fedorahosted.org/sssd/ticket/1717
|
| |
|
| |
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1581
If the namingContext attribute had no values or multiple values, then
our code would dereference a NULL pointer.
|
|
|
|
|
|
|
|
| |
Certain LDAP servers can return an empty string as the value of
namingContexts. We need to treat these as NULL so that we can fail
gracefully.
https://fedorahosted.org/sssd/ticket/1542
|
|
|
|
|
|
| |
Fixes
https://fedorahosted.org/sssd/ticket/1526
in the 1.8 branch
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The list of resolved servers is allocated on the back end context and
kept in the fo_service structure. However, a single request often
resolves a server and keeps a pointer until the end of a request and
only then gives feedback about the server based on the request result.
This presents a big race condition in case the SRV resolution is used.
When there are requests coming in in parallel, it is possible that an
incoming request will invalidate a server until another request that
holds a pointer to the original server is able to give a feedback.
This patch simply checks if a server is in the list of servers
maintained by a service before reading its status.
https://fedorahosted.org/sssd/ticket/1364
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1515
|
|
|
|
|
|
|
| |
Stops the session stack from returning an error when SELinux is not
used.
Partial backport from commit 7016947229edcaa268a82bf69fde37e521b13233
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1460
|
|
|
|
|
| |
The attribute is supposed to contain number of days since the epoch, not
the number of seconds.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1452
|
|
|
|
| |
Also rename it to sysdb_attrs_get_el_ext()
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=846664
If the first group was cached when processing the nested group membership,
we would call tevent_req_done, effectivelly marking the whole nesting
level as done.
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
Note we set MSG_NOSIGNAL to avoid
having to fiddle with signal masks
but also do not want to die in case
SIGPIPE gets raised and the application
does not handle it.
|
| |
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1329
|
|
|
|
|
|
|
| |
At this moment we will support only asterisk, designating "all
services".
https://fedorahosted.org/sssd/ticket/1360
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1271
|
|
|
|
|
|
| |
missing
https://fedorahosted.org/sssd/ticket/1356
|
| |
|
|
|
|
|
| |
Don't use GlobalKnownHostsFile2 in ssh_config, as it has been deprecated in
OpenSSH 5.9.
|
| |
|
| |
|
| |
|
|
|
|
| |
When fixing an endianness bug, we changed the protocol unnecessarily.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1348
|
| |
|
|
|
|
|
|
| |
There was an issue when IPA provider didn't set PAM_SUCCESS when
successfully finished loading SELinux user maps. This lead to the map
not being read in the responder.
|
|
|
|
|
|
| |
structure
https://fedorahosted.org/sssd/ticket/1343
|
|
|
|
|
| |
* When it's actually a failure, then the callers will print
a message. Fine tune this.
|
|
|
|
|
|
|
|
|
|
|
| |
* When calling krb5_get_init_creds_keytab() with
krb5_get_init_creds_opt_set_canonicalize() the credential
principal can get updated.
* Create the cache file with the correct default credential.
* LDAP GSSAPI SASL would fail due to the mismatched credentials
before this patch.
https://bugzilla.redhat.com/show_bug.cgi?id=811518
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1330
|