Commit message | Author | Age | Files | Lines
* sysdb: try dealing with binary-content attributes [sssd-1-8] | Jan Engelhardt | 2013-02-26 | 4 | -7/+17
    https://fedorahosted.org/sssd/ticket/1818
    I have here an LDAP user entry which has this attribute loginAllowedTimeMap:: AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA
    In the function sysdb_attrs_add_string(), called from sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is the wrong thing to do. The result of strlen is then used to populate the .v_length member of a struct ldb_val - and this will set it to zero in this case. (There is also the problem that there may not be a '\0' at all in the blob.) Subsequently, .v_length being 0 makes ldb_modify(), called from sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End result is that users do not get stored in the sysdb, and programs like `id` or `getent ...` show incomplete information.
    The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave fine, but that may not mean that is the absolute lower boundary of introduction of the problem.
* SSSD fails to store users if any of the requested attributes is empty. | Michal Zidek | 2013-02-21 | 1 | -0/+6
    https://fedorahosted.org/sssd/ticket/1440
* Updating the version for the 1.8.7 release | Jakub Hrozek | 2013-01-29 | 1 | -1/+1
* Include the auth_utils.h header in the distribution [sssd-1_8_6] | Jakub Hrozek | 2013-01-29 | 1 | -0/+1
* TOOLS: Compile on old platforms such as RHEL5 | Jakub Hrozek | 2013-01-29 | 2 | -37/+144
    Provides compatible declarations for modern file management functions such as futimens or opening with the O_CLOEXEC flag
* TOOLS: Use file descriptor to avoid races when creating a home directory | Ondrej Kos | 2013-01-29 | 5 | -382/+382
    When creating a home directory, the destination tree can be modified in various ways while it is being constructed because directory permissions are set before populating the directory. This can lead to file creation and permission changes outside the target directory tree, using hard links.
    This security problem was assigned CVE-2013-0219
    https://fedorahosted.org/sssd/ticket/1782
* TOOLS: Use openat/unlinkat when removing the homedir | Jakub Hrozek | 2013-01-29 | 1 | -42/+41
    The removal of a home directory is sensitive to concurrent modification of the directory tree being removed and can unlink files outside the directory tree.
    This security issue was assigned CVE-2013-0219
    https://fedorahosted.org/sssd/ticket/1782
* nested groups: fix group lookup hangs if member dn is incorrect | Pavel Březina | 2013-01-29 | 1 | -0/+24
    https://fedorahosted.org/sssd/ticket/1783
    When the dn in the member attribute is invalid (e.g. rdn instead of dn) or it is outside of the configured search bases, we might hit a situation when tevent_req is marked as done before any callback could be attached on it.
* Restart services with a delay in case they are restarted too often | Ondrej Kos | 2013-01-29 | 1 | -14/+59
    In case a service is restarted while the DP is not ready yet, it gets restarted again immediately, which means the DP might still not be ready. The allowed number of restarts is then depleted quickly.
    This patch changes the restart mechanism such that the first restart happens immediately, the second is scheduled after 2 seconds, then 4 etc.
    https://fedorahosted.org/sssd/ticket/1528
* Check that strings do not go beyond the end of the packet body in autofs and SSH requests. | Jan Cholasta | 2013-01-29 | 2 | -7/+7
    This fixes CVE-2013-0220.
    https://fedorahosted.org/sssd/ticket/1781
* link sss_ssh_authorizedkeys and sss_ssh_knownhostsproxy with -lpthread | Timo Aaltonen | 2013-01-29 | 1 | -0/+2
    There used to be an overlinked dependency that's gone now, so to fix a build error add CLIENT_LIBS to sss_ssh_knownhostsproxy_LDFLAGS.
    v2: Fix sss_ssh_authorizedkeys linking as well.
* sssd_pam: Cleanup requests cache on sbus reconnect | Simo Sorce | 2013-01-29 | 1 | -1/+4
    The pam responder was not properly configured to recover from a backend disconnect. The connections that were in flight before the disconnection were never freed and new requests for the same user would just pile up on top of the now phantom requests.
    Fixes: https://fedorahosted.org/sssd/ticket/1655
* NSS: Fix netgroup midpoint cache refresh | Jakub Hrozek | 2013-01-29 | 3 | -3/+3
    https://fedorahosted.org/sssd/ticket/1683
    The result of the percent calculation was always 0 as it used plain ints. The patch switches to using explicit floats to avoid reintroducing the bug again even with brackets.
* responder_dp: Add timeout to side requests | Simo Sorce | 2013-01-29 | 1 | -1/+25
    This is an additional protection in case the provider misbehaves to avoid having requests pending forever.
    Fixes: https://fedorahosted.org/sssd/ticket/1717
* Do not always return PAM_SYSTEM_ERR when offline krb5 authentication fails | Jakub Hrozek | 2013-01-29 | 3 | -18/+56
* Free the internal DP request | Jakub Hrozek | 2013-01-29 | 1 | -0/+8
* LDAP: Check validity of naming_context | Jakub Hrozek | 2013-01-29 | 1 | -1/+1
    https://fedorahosted.org/sssd/ticket/1581
    If the namingContext attribute had no values or multiple values, then our code would dereference a NULL pointer.
* LDAP: Handle empty namingContexts values safely | Stephen Gallagher | 2013-01-29 | 1 | -0/+8
    Certain LDAP servers can return an empty string as the value of namingContexts. We need to treat these as NULL so that we can fail gracefully.
    https://fedorahosted.org/sssd/ticket/1542
* Initialize Kerberos ticket renewal in the IPA provider | Jakub Hrozek | 2012-10-11 | 1 | -0/+13
    Fixes https://fedorahosted.org/sssd/ticket/1526 in the 1.8 branch
* Updating the version for the 1.8.6 release | Jakub Hrozek | 2012-10-07 | 1 | -1/+1
* FO: Check server validity before setting status [sssd-1_8_5] | Jakub Hrozek | 2012-10-03 | 7 | -33/+49
    The list of resolved servers is allocated on the back end context and kept in the fo_service structure. However, a single request often resolves a server and keeps a pointer until the end of a request and only then gives feedback about the server based on the request result.
    This presents a big race condition in case the SRV resolution is used. When there are requests coming in in parallel, it is possible that an incoming request will invalidate a server until another request that holds a pointer to the original server is able to give feedback.
    This patch simply checks if a server is in the list of servers maintained by a service before reading its status.
    https://fedorahosted.org/sssd/ticket/1364
* KRB5: Return PAM_AUTH_ERR on incorrect password | Jakub Hrozek | 2012-09-21 | 1 | -30/+39
    https://fedorahosted.org/sssd/ticket/1515
* Move SELinux processing from session to account PAM stack | Timo Aaltonen | 2012-09-07 | 1 | -66/+66
    Stops the session stack from returning an error when SELinux is not used.
    Partial backport from commit 7016947229edcaa268a82bf69fde37e521b13233
* Use PTHREAD_MUTEX_ROBUST to avoid deadlock in the client | Jakub Hrozek | 2012-09-07 | 3 | -8/+114
    https://fedorahosted.org/sssd/ticket/1460
* Fixed wrong number in shadowLastChange | Jan Zeleny | 2012-09-07 | 1 | -1/+2
    The attribute is supposed to contain the number of days since the epoch, not the number of seconds.
* KRB5: Only return PAM error for unreachable kpasswd when performing chpass | Jakub Hrozek | 2012-09-07 | 1 | -2/+4
    https://fedorahosted.org/sssd/ticket/1452
* SYSDB: Make sysdb_attrs_get_el_int() public | Jakub Hrozek | 2012-08-21 | 2 | -8/+10
    Also rename it to sysdb_attrs_get_el_ext()
* Process all groups from a single nesting level | Jakub Hrozek | 2012-08-21 | 1 | -4/+14
    https://bugzilla.redhat.com/show_bug.cgi?id=846664
    If the first group was cached when processing the nested group membership, we would call tevent_req_done, effectively marking the whole nesting level as done.
* Make the client idle timeout configurable | Stephen Gallagher | 2012-06-18 | 7 | -5/+43
* Add support for terminating idle connections | Shantanu Goel | 2012-06-18 | 2 | -2/+67
* Do not send SIGPIPE on disconnection | Shantanu Goel | 2012-06-18 | 1 | -6/+21
    Note we set MSG_NOSIGNAL to avoid having to fiddle with signal masks but also do not want to die in case SIGPIPE gets raised and the application does not handle it.
* Log message if close() fails in destructor. | Shantanu Goel | 2012-06-18 | 1 | -1/+12
* Set return errno to the value prior to calling close(). | Shantanu Goel | 2012-06-18 | 1 | -2/+2
* Send the correct enumeration request | Jakub Hrozek | 2012-06-18 | 1 | -1/+1
    https://fedorahosted.org/sssd/ticket/1329
* Provide "service filter" for SELinux context | Jan Zeleny | 2012-06-14 | 1 | -0/+28
    At this moment we will support only asterisk, designating "all services".
    https://fedorahosted.org/sssd/ticket/1360
* Use HTML_TIMESTAMP instead of HTML_FOOTER_DESCRIPTION | Jakub Hrozek | 2012-06-13 | 3 | -9/+12
    https://fedorahosted.org/sssd/ticket/1271
* SSH: Don't abort connection in sss_ssh_knownhostsproxy when DNS records are missing | Jan Cholasta | 2012-05-31 | 1 | -36/+49
    https://fedorahosted.org/sssd/ticket/1356
* SSH: Suppress error message output in sss_ssh_knownhostsproxy | Jan Cholasta | 2012-05-31 | 2 | -15/+8
* SSH: Update sss_ssh_knownhostsproxy manual page | Jan Cholasta | 2012-05-31 | 1 | -1/+1
    Don't use GlobalKnownHostsFile2 in ssh_config, as it has been deprecated in OpenSSH 5.9.
* Bumping version to 1.8.5 | Stephen Gallagher | 2012-05-30 | 1 | -1/+1
* Updating translations for 1.8.4 release [sssd-1_8_4] | Stephen Gallagher | 2012-05-30 | 27 | -438/+1236
* Revert the client packet length, too, after reverting the packet protocol | Jakub Hrozek | 2012-05-29 | 1 | -1/+1
* NSS: Restore original protocol for getservbyport | Stephen Gallagher | 2012-05-25 | 2 | -3/+4
    When fixing an endianness bug, we changed the protocol unnecessarily.
* Send 16bit protocol numbers from the sss_client | Jakub Hrozek | 2012-05-25 | 2 | -7/+8
    https://fedorahosted.org/sssd/ticket/1348
* Use sized_string correctly in FQDN domains | Jakub Hrozek | 2012-05-23 | 1 | -2/+2
* Fixed issue in SELinux user maps | Jan Zeleny | 2012-05-22 | 1 | -0/+2
    There was an issue when IPA provider didn't set PAM_SUCCESS when successfully finished loading SELinux user maps. This led to the map not being read in the responder.
* LDAP nested groups: Do not process callback with _post deep in the nested structure | Jakub Hrozek | 2012-05-22 | 1 | -12/+10
    https://fedorahosted.org/sssd/ticket/1343
* Remove erroneous failure message in find_principal_in_keytab | Stef Walter | 2012-05-22 | 2 | -2/+4
    * When it's actually a failure, then the callers will print a message. Fine tune this.
* If canon'ing principals, write ccache with updated default principal | Stef Walter | 2012-05-22 | 2 | -3/+8
    * When calling krb5_get_init_creds_keytab() with krb5_get_init_creds_opt_set_canonicalize() the credential principal can get updated.
    * Create the cache file with the correct default credential.
    * LDAP GSSAPI SASL would fail due to the mismatched credentials before this patch.
    https://bugzilla.redhat.com/show_bug.cgi?id=811518
* KRB5: Avoid NULL-dereference with empty keytab | Stephen Gallagher | 2012-05-22 | 1 | -7/+13
    https://fedorahosted.org/sssd/ticket/1330