Commit message | Author | Age | Files | Lines
* man sssd: Add note about SSS_NSS_USE_MEMCACHE | Michal Zidek | 2013-09-13 | 1 | -0/+8
* Rename _SSS_MC_SPECIAL | Michal Zidek | 2013-09-13 | 1 | -2/+2
  If the environment variable _SSS_MC_SPECIAL is set to "NO", the mmap cache is skipped in the client code. The name is not very descriptive. This patch renames the variable to SSS_NSS_USE_MEMCACHE.
* is_dn(): free dn | Pavel Březina | 2013-09-10 | 1 | -0/+2
* AUTOTOOLS: More robust detection of inotify. | Lukas Slebodnik | 2013-09-09 | 4 | -5/+39
  We checked only header file "sys/inotify" for detection whether inotify works. Some platforms do not have built in inotify, but contain library, which provides inotify-compatible interface. This patch adds more robust detection of inotify in configuration time and appends linker flags to Makefile if inotify is provided by library.
* AUTOTOOLS: Use pkg-config to detect libraries. | Lukas Slebodnik | 2013-09-09 | 6 | -27/+70
  We used pkg-config only as a fallback if header files were not found, but detection of library failed in case of available header file and linking problem (missing -Ldir). This patch prefers pkg-config.
* AUTOTOOLS: add check for type intptr_t | Lukas Slebodnik | 2013-09-09 | 1 | -3/+6
  We check whether HAVE_INTPTR_T is defined in definition of macro discard_const_p, but autotools macro AC_CHECK_TYPE did not generate it.
* AUTOTOOLS: Refactor unicode library detection | Lukas Slebodnik | 2013-09-09 | 3 | -15/+45
  If $libdir is not in default library path libunistring cannot be found. (pkg-config can not be used in this case). This patch helps to search libunistring in "$libdir" directory. In refactoring part, indentation was updated to be more readable and some duplicated parts were removed.
* AUTOTOOLS: Add directories for searching ldap headers and libs | Lukas Slebodnik | 2013-09-09 | 1 | -2/+2
* AUTOMAKE: Use portable way to link with gettext | Lukas Slebodnik | 2013-09-09 | 1 | -1/+4
  Function gettext needn't be included in libc, it can be part of another library. Autotools macro AM_GNU_GETTEXT generates makefile variables (LIBINTL, LTLIBINTL), which contain necessary linker flags.
    checking for GNU gettext in libc... no
    checking for iconv... yes
    checking for GNU gettext in libintl... yes
    checking whether to use NLS... yes
    checking where the gettext function comes from... external libintl
* AUTOMAKE: Use portable way to link with dlopen | Lukas Slebodnik | 2013-09-09 | 2 | -2/+3
* AUTOTOOLS: Add missing AC_MSG_RESULT | Lukas Slebodnik | 2013-09-09 | 4 | -5/+10
  AC_MSG_RESULT was not used everywhere after AC_MSG_CHECKING. Therefore two lines from configure output were mixed in some cases.
* AUTOTOOLS: Add -LLIBDIR to PYTHON_LIBS | Lukas Slebodnik | 2013-09-09 | 1 | -1/+2
  Detect directory with python libraries and add this directory to the list of directories to be searched for linker.
* mmap_cache: Do not remove record from chain twice | Lukas Slebodnik | 2013-09-09 | 1 | -0/+6
  It is not very likely, that record will have the same hash1 and hash2, but it is possible. In this situation, it does not make sense to remove record twice. Function sss_mc_rm_rec_from_chain was not robust and sssd_nss could crash in this situation. It was only possible if record was alone in chain.
  Resolves: https://fedorahosted.org/sssd/ticket/2049
* krb5: Ignore unknown expansion sequences | Simo Sorce | 2013-09-09 | 2 | -30/+45
  Recently support was added to use also libkrb5 style expansions that use a %{varname} type of template. There are a number of templates we do not care/can't expand in sssd. The current code misses tests and failed to properly preserve some of the templates we do not want to handle. Additionally in order to be future proof this patch treats unknown templates as pass-through templates and defers any error checking to libkrb5, so that sssd is consistent with how kinit would behave.
  Resolves: https://fedorahosted.org/sssd/ticket/2076
* RPM: Add new subpackage for PAC responder | Stephen Gallagher | 2013-09-05 | 1 | -8/+31
  It was discovered that duplicating files in two subpackages is not permitted by Fedora packaging guidelines[1]. This patch moves the PAC responder to a new sssd-common-pac subpackage that both the sssd-ipa and sssd-ad subpackages will require.
  [1] https://fedoraproject.org/wiki/Packaging:Guidelines?rd=Packaging/Guidelines#DuplicateFiles
* dyndns: do not modify global family_order | Sumit Bose | 2013-09-05 | 1 | -3/+3
  Resolves: https://fedorahosted.org/sssd/ticket/2063
* KRB5: Fix warning declaration shadows global declaration | Lukas Slebodnik | 2013-09-03 | 1 | -8/+8
    src/providers/krb5/krb5_utils.c:193: warning: declaration of 'rewind' shadows a global declaration
    /usr/include/stdio.h:754: warning: shadowed declaration is here
* UTIL: Use standard maximum value of type size_t | Lukas Slebodnik | 2013-09-03 | 2 | -9/+8
  It is better to use standard constant for maximum value of type size_t, instead of reinventing the wheel with own defined constant SIZE_T_MAX.
  This patch replaces string "SIZE_T_MAX" -> "SIZE_MAX"
* Include sys/types.h for types id_t and uid_t | Lukas Slebodnik | 2013-09-03 | 2 | -0/+2
* CONFIGURE: Get rid of bashism | Lukas Slebodnik | 2013-08-28 | 1 | -1/+1
* IPA_HBAC: Explicitly include header file time.h | Lukas Slebodnik | 2013-08-28 | 1 | -0/+1
  struct hbac_eval_req is defined in header file and it has attribute request_time with type time_t, but header file "time.h" was not included. It was not a problem, because time.h was indirectly included by stdlib.h (stdlib.h -> sys/types.h -> time.h) in implementation files, but other platforms can have other dependencies among header files.
* MEMBEROF: Remove temporary workaround | Lukas Slebodnik | 2013-08-28 | 1 | -5/+0
* UTIL: Explicitly include header file sys/socket.h | Lukas Slebodnik | 2013-08-28 | 1 | -0/+1
  We use constant AF_INET6 in util.c, but we do not explicitly include header file sys/socket.h. This header file was indirectly included by another header file netdb.h (netdb.h -> netinet/in.h -> sys/socket.h), but other platforms can have other dependencies among header files.
* MONITOR: Move function declaration out of conditional build | Lukas Slebodnik | 2013-08-28 | 1 | -5/+6
  Function monitor_config_file_fallback was defined inside of conditional block "#ifdef HAVE_SYS_INOTIFY_H", but it was also used out of this block. This patch moves declaration of function before start of conditional build section.
* CLIENT: Fix non gnu sss_strnlen implementation | Lukas Slebodnik | 2013-08-28 | 1 | -1/+1
  Last argument of function sss_strnlen "size_t *len" is output variable. We need to increment value of size_t being pointed to by pointer instead of incrementing pointer.
* UTIL: Create new wrapper header file sss_endian.h | Lukas Slebodnik | 2013-08-28 | 8 | -32/+66
  Some platforms have header file endian.h and others have sys/endian.h. We need to use conditional build to handle it correctly, therefore new header file sss_endian.h was created.
* DP: Use the correct type for DBus boolean | Jakub Hrozek | 2013-08-28 | 1 | -2/+5
  https://fedorahosted.org/sssd/ticket/2057
* mmap_cache: Use stricter check for hash keys. | Lukas Slebodnik | 2013-08-28 | 1 | -4/+6
  ht_size is size of hash_table in bytes, but hash keys have type uint32_t
* mmap_cache: Skip records which doesn't have same hash | Lukas Slebodnik | 2013-08-28 | 1 | -2/+34
  The code uses 2 hashes for each record, but only one hash table to index them both, furthermore each record has only one single 'next' pointer.
  This means that in certain conditions a record may end up being on a hash chain even though its hashes do not match the hash chain. This can happen when another record 'drags' it in from another hash chain where they both belong.
  If the record without matching hashes happens to be the second of the chain and the first record is removed, then the non matching record is left on the wrong chain. On removal of the non-matching record the hash chain will not be updated and the hash chain will end up pointing to an invalid slot.
  This slot may be later reused for another record and may not be the first slot of this new record. In this case the hash chain will point to arbitrary data and may cause issues if the slot is interpreted as the head of a record.
  By skipping any block that has no matching hashes upon removing the first record in a chain we ensure that dangling references cannot be left in the hash table.
  Resolves: https://fedorahosted.org/sssd/ticket/2049
* sss_packet_grow: correctly pad packet length to 512B | Pavel Březina | 2013-08-28 | 1 | -1/+1
  https://fedorahosted.org/sssd/ticket/2059
  If len % SSSSRV_PACKET_MEM_SIZE == 0 or some low number, we can end up with totlen < len and return EINVAL. It also does not pad the length, but usually allocates much more memory than is desired.
    len = 1024
    n = 1024 % 512 + 1 = 0 + 1 = 1
    totlen = 1 * 512 = 512 => totlen < len
    len = 511
    n = 511 % 512 + 1 = 511 + 1
    totlen = 512 * 512 = 262144
    totlen is way bigger than it was supposed to be
* BUILD: Remove unnecessary patch and configure opts | Simo Sorce | 2013-08-28 | 3 | -31/+0
  Now that we use the libkrb5 defaults for the default ccname template we do not need the patch that changes the man pages defaults nor the configure options to change sssd defaults anymore.
  Related: https://fedorahosted.org/sssd/ticket/2036
* krb5: Fetch ccname template from krb5.conf | Stephen Gallagher | 2013-08-28 | 10 | -16/+182
  In order to use the same defaults in all system daemons that need to know how to generate or search for ccaches we introduce code here to take advantage of the new option called default_ccache_name provided by libkrb5. If set this variable we establish the same default for all programs that source it out of krb5.conf therefore providing a consistent experience across the system.
  Related: https://fedorahosted.org/sssd/ticket/2036
* krb5_common: Refactor to use a talloc temp context | Simo Sorce | 2013-08-28 | 1 | -12/+28
  In preparation for handling some more allocations in the following patches and fixes a current memleak on the opts struct.
  Related: https://fedorahosted.org/sssd/ticket/2036
* KRB5: Add support for KEYRING cache type | Stephen Gallagher | 2013-08-27 | 7 | -6/+245
  https://fedorahosted.org/sssd/ticket/2036
* KRB5: Remove unnecessary call to become_user() | Stephen Gallagher | 2013-08-27 | 1 | -6/+0
  By the time that the create_ccache_in_dir() routine is called, we are already guaranteed to have dropped privileges. This has either happened because we dropped them before the exec() in the normal operation case or because we dropped them explicitly after we completed the TGT validation step if that or FAST is configured.
* KRB5: Add low-level debugging to sss_get_ccache_name_for_principal | Stephen Gallagher | 2013-08-27 | 1 | -0/+6
* sudo: do not strdup usn on ENOENT | Pavel Březina | 2013-08-26 | 1 | -1/+1
  If USN attribute is not present, we call strdup on uninitialized variable. This may cause segfault, or if we are lucky and usn is NULL it will return ENOMEM.
* sudo: do not fail to store the rule if we can't read usn | Pavel Březina | 2013-08-26 | 1 | -3/+4
  Resolves: https://fedorahosted.org/sssd/ticket/2052
* DP: Notify properly when removing PAC responder | Ondrej Kos | 2013-08-24 | 2 | -1/+5
  Adds pac_cli be_client structure pointer, to identify and log the PAC responder termination correctly.
* MAN: AD provider only supports trusted domains from the same forest | Jakub Hrozek | 2013-08-24 | 1 | -0/+5
  Resolves: https://fedorahosted.org/sssd/ticket/2044
* check_cc_validity: make sure _valid is always set | Sumit Bose | 2013-08-24 | 1 | -5/+7
  In the KRB5_FCC_NOFILE code path _valid is not set leading to 'may be used uninitialized' compiler warnings.
* Fix memory leak in sss_krb5_get_error_message | Lukas Slebodnik | 2013-08-22 | 1 | -0/+1
  warning reported by cppcheck
* proxy: Allow initgroup to return NOTFOUND | Simo Sorce | 2013-08-22 | 1 | -0/+16
  When the user is only member of its own primary group, initgroups_dyn may return NOTFOUND as, at least for the 'files' nss provider the code skips the passed in group.
  Resolves: https://fedorahosted.org/sssd/ticket/2051
* mmap_cache: Use sss_atomic_write_s instead of write. | Michal Zidek | 2013-08-22 | 1 | -2/+11
  Use sss_atomic_write_s() instead of write() in sss_mc_save_corrupted(). Also unlink() the file if no data were written.
  It is better to use sss_atomic_write_s instead of write
* gitignore: Add Eclipse project files to ignore list | Stephen Gallagher | 2013-08-22 | 1 | -0/+3
* BUILD: Fix contrib build macros to display warnings | Stephen Gallagher | 2013-08-22 | 1 | -6/+6
  There was an inconsistency with how the warnings were specified and how they were consumed by the macros. The result was that warnings were hidden.
* KRB5: Only set active and valid on success | Stephen Gallagher | 2013-08-22 | 1 | -6/+5
  The FILE cache only sets the return values of _active and _bool if the entire function succeeds. The DIR cache was setting it even on failure. This patch makes both consistent. This will benefit static analysis tools which would be able to detect if the variable is ever used uninitialized anywhere.
* KRB5: Refactor cc_*_check_existing | Stephen Gallagher | 2013-08-22 | 1 | -61/+59
  There was duplicated code in cc_file_check_existing() and in cc_dir_check_existing(). I pulled them into the same function. There are two changes made to the original code here:
  1) Fixes a use-after-free bug in cc_file_check_existing(). In the original code, we called krb5_free_context() and then used that context immediately after that in krb5_cc_close(). This patch corrects the ordering
  2) The krb5_cc_resolve() call handles KRB5_FCC_NOFILE for all cache types. Previously, this was only handled for DIR caches.
* KRB5: Add new #define for collection cache types | Stephen Gallagher | 2013-08-22 | 8 | -35/+35
  Kerberos now supports multiple types of collection caches, not just DIR: caches. We should add a macro for generic collection behavior and use that where appropriate.
* Use conditional build for retrieving ccache. | Lukas Slebodnik | 2013-08-22 | 4 | -88/+78
  Some krb5 functions needn't be available for retrieving ccache with principal. Therefore ifdef is used to solve this situation with older version of libkrb5. There were two functions with similar functionality in krb5_child and krb5_utils. They were merged to one universal function, which was moved to file src/util/sss_krb5.c