summaryrefslogtreecommitdiffstats
path: root/Makefile.am
Commit message (Collapse)AuthorAgeFilesLines
* selinux: Only call semanage if the context actually changesJakub Hrozek2015-04-151-0/+5
| | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2624 Add a function to query the libsemanage database for a user context and only update the database if the context differes from the one set on the server. Adds talloc dependency to libsss_semanage. Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit 1e0fa55fb377db788e065de917ba8e149eb56161) (cherry picked from commit 4d31f2c294db6090047e4d5348322b32ea0aaac1)
* SDAP: Extract filtering AD group to functionLukas Slebodnik2015-04-141-0/+2
| | | | | | | | Patch remove code duplication. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit bad2fc8133d941e5a6c8d8016c9689e039265c61) (cherry picked from commit bdd031d274659263db5f28408d8b75c63d3485a0)
* sdap: properly handle binary objectGuid attributeSumit Bose2015-03-271-0/+16
| | | | | | | | | | | | | | | Although in the initial processing SSSD treats the binary value right at some point it mainly assumes that it is a string. Depending on the value this might end up with the correct binary value stored in the cache but in most cases there will be only a broken entry in the cache. This patch converts the binary value into a string representation which is described in [MS-DTYP] and stores the result in the cache. Resolves https://fedorahosted.org/sssd/ticket/2588 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 4619742836ec22edf8f9d274d928bc896c5b0883)
* SDAP: Lock out ssh keys when account naturally expiresPavel Reichl2015-03-061-4/+9
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2534 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTIL: convert GeneralizedTime to unix timePavel Reichl2015-03-061-3/+6
| | | | | | | New utility function *sss_utc_to_time_t* to convert GeneralizedTime to unix time. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SDAP: refactor pwexpire policyPavel Reichl2015-03-041-0/+1
| | | | | | | | | | | Move part of pwexpire policy code to a separate function. Relates to: https://fedorahosted.org/sssd/ticket/2167 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit cdaa29d2c5724a4c72bfa0f42284ccfac3d5a464) (cherry picked from commit 8b353dd2b90b7ab222acdea726ab7e8681752237)
* FO: Use SRV TTL in fail over codeJakub Hrozek2015-03-031-0/+19
| | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/1884 Removes the hardcoded SRV TTL timeout and uses TTL from the DNS instead. Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 8df69bbc58c2f4d3f0b34be9756d9ddf24b1db6d)
* BUILD: Include python-test.py in the tarballJakub Hrozek2015-02-131-1/+3
| | | | (cherry picked from commit 51d65c4ad15c2cc23f38fa09dd6efeb15e4f3e86)
* RESOLV: Add an internal function to read TTL from a DNS packetJakub Hrozek2015-02-111-0/+27
| | | | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/1884 Adds an internal resolver function that reads the TTL for SRV records as specified by RFC-2181. Several internal c-ares definitions are used until c-ares contains a function that exposes all this information via a parsing function. Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit bf54fbed126ec3d459af40ea370ffadacd31c76d)
* BUILD: Install libsss_crypt after its dependenciesLukas Slebodnik2014-12-111-33/+34
| | | | | | | | | | | | | | A library should not be installed before it's internal dependencies otherwise there is an error in make distcheck. libtool: install: error: relink `libsss_crypt.la' with the above command before installing it It would be sufficient just to change order of libraries in automake variable pkglib_LTLIBRARIES, but it's better to have internal libraries on the one place. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTIL: Fix dependencies of internal sss librariesLukas Slebodnik2014-12-081-1/+14
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MAKE: Fix linking of test_child_commonLukas Slebodnik2014-12-081-1/+7
| | | | | | | | | | | | | | | | | | | | Compilation of test_child_common failed with linker flag --as-needned due to cyclic dependencies between libsss_child.so and libsss_util.so CCLD test_child_common ./.libs/libsss_child.so: undefined reference to `sss_hash_create' ./.libs/libsss_child.so: undefined reference to `hash_lookup' ./.libs/libsss_child.so: undefined reference to `BlockSignals' ./.libs/libsss_child.so: undefined reference to `hash_delete' ./.libs/libsss_child.so: undefined reference to `hash_enter' ./.libs/libsss_child.so: undefined reference to `hash_error_string' ./.libs/libsss_child.so: undefined reference to `sss_atomic_io_s' ./.libs/libsss_child.so: undefined reference to `sss_strerror' collect2: error: ld returned 1 exit status This patch is temporary workaround. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Rename test-child to dummy-childJakub Hrozek2014-12-041-4/+4
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TESTS: Build test_child even without cmockaJakub Hrozek2014-12-041-1/+4
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TESTS: Basic child testsJakub Hrozek2014-12-031-0/+25
| | | | | | The child_common.c module had no unit tests, yet we need to amend it. Reviewed-by: Sumit Bose <sbose@redhat.com>
* BUILD: restrict perms. when installing from sourcePavel Reichl2014-12-021-0/+6
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2467 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* krb5_child: become user earlierSumit Bose2014-12-021-0/+1
| | | | | | | The host keytab and the FAST credential cache are copied into memory early at startup to allow to drop privileges earlier. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ldap_child: copy keytab into memory to drop privileges earlierSumit Bose2014-12-021-0/+1
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: add copy_keytab_into_memory()Sumit Bose2014-12-021-0/+18
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: add copy_ccache_into_memory()Sumit Bose2014-12-021-0/+18
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: do not fail if checking the old ccache failedSumit Bose2014-12-021-0/+1
| | | | | | https://fedorahosted.org/sssd/ticket/2510 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* tests: be_ptaskPavel Březina2014-11-281-0/+16
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/1939 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* be_ptask: create a private header filePavel Březina2014-11-281-0/+1
| | | | | | This is done so we gain access to the be_ptask structure in unit tests. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Fix KRB5_CONF_PATHSumit Bose2014-11-251-0/+1
| | | | | | | Currently a shell/Makefile variable is used in the definition of KRB5_CONF_PATH for C code. This patch replaces it with a complier macro. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ipa: add split_ipa_anchor()Sumit Bose2014-11-201-0/+2
| | | | | | | | | This call extracts the domain and the UUID part from an IPA override anchor. Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* BUILD: Touch files in DESTDIRJakub Hrozek2014-11-181-6/+6
| | | | | | | Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* BUILD: Make chown of files to sssd user non-fatalJakub Hrozek2014-11-181-3/+3
| | | | | | | | | | | | In build environments, we can't assume the sssd user will be created prior to installing the package, so we can't chown the files. RPM will own the files instead in this case. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* BUILD: Use separate chown to make changing ownership to the sssd user non-fatalJakub Hrozek2014-11-181-17/+18
| | | | | | | | | | | | | | | When the SSSD is built in the build system using a non-root user, the user doesn't exist in the build system and file ownership will be maintained by the downstream packaging instead. We need to make sure that setting the ownership to the sssd user is a separate step from creating the directories in this case in order to make failure to set the ownership non-fatal. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* KRB5: Move all ccache operations to krb5_child.cJakub Hrozek2014-11-181-2/+11
| | | | | | | | | | | | | | | | | | | The credential cache operations must be now performed by the krb5_child completely, because the sssd_be process might be running as the sssd user who doesn't have access to the ccaches. src/providers/krb5/krb5_ccache.c is still linked against libsss_krb5 until we fix Kerberos ticket renewal as non-root. Also includes a new error code that indicates that the back end should remove the old ccache attribute -- the child can't do that if it's running as the user. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* KRB5: Move ccache-related functions to krb5_ccache.cJakub Hrozek2014-11-181-0/+4
| | | | | | | | | | | | | Add a new module krb5_ccache.c that contains all ccache-related operations. The only user of this module shall be krb5_child.c as the other modules will run unprivileged and accessing the ccache requires either privileges of root or the ccache owner. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* BUILD: Install krb5_child as suid if running under non-privileged userJakub Hrozek2014-11-181-0/+2
| | | | | | | | | | | If sssd_be is running unprivileged, then krb5_child must be setuid to be able to access the keytab and become arbitrary user. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: Move setting the SELinux context to a child processJakub Hrozek2014-11-051-0/+27
| | | | | | | | In order for the sssd_be process to run as unprivileged user, we need to move the semanage processing to a process that runs as the root user using setuid privileges. Reviewed-by: Michal Židek <mzidek@redhat.com>
* LDAP: Drop privileges after kinit in ldap_childJakub Hrozek2014-11-051-1/+3
| | | | | | | | After ldap_child initializes privileges using root-owned keytab, it drops privileges to the SSSD user, minimizing the amount of code that runs as root. Reviewed-by: Michal Židek <mzidek@redhat.com>
* BUILD: Install ldap_child and as setuid if running under non-privileged userJakub Hrozek2014-11-051-0/+5
| | | | | | | | The ldap_child permissions should be 4750, owned by root.sssd, to make sure only root and sssd can execute the child and if executed by sssd, the child will run as root. Reviewed-by: Michal Židek <mzidek@redhat.com>
* Add test for sysdb_add_overrides_to_object()Sumit Bose2014-11-051-0/+16
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Add parse_attr_list_ex() helper functionSumit Bose2014-11-051-1/+4
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* BUILD: Add a config option for sssd user, own private directories as the userJakub Hrozek2014-10-221-6/+17
| | | | | | | | | | | Adds a new configure-time option that lets you select the user to run SSSD as. The default is 'root' for backwards compatibility. The directories the deamon stores its private data at are also created as owned by this user during install time. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* SSSD: Add the options to specify a UID and GID to run asJakub Hrozek2014-10-201-2/+5
| | | | | | | | | Adds new command line options --uid and --gid to all SSSD servers, making it possible to switch to another user ID if needed. So far all code still runs as root. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* util: Move semanage related functions to src/utilMichal Zidek2014-10-201-9/+28
| | | | | | These functions will be reused by IPA provider. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* views: add ipa_get_ad_override_send()Sumit Bose2014-10-161-0/+1
| | | | | | Related to https://fedorahosted.org/sssd/ticket/2375 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sysdb: add sysdb_update_view_name()Sumit Bose2014-10-161-0/+1
| | | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sss_nss_idmap: add sss_nss_getorigbyname()Sumit Bose2014-10-141-1/+1
| | | | | | | | | | | | | This patch adds an interface to the new SSS_NSS_GETORIGBYNAME request of the nss responder to libsss_nss_idmap. The main use case for this new call is to replace sss_nss_getsidbyname() in the extdom plugin on the FreeIPA server to get more information about the given object than just the SID which is not available with the default POSIX interfaces. Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* TESTS: Add a test to change user IDsJakub Hrozek2014-10-101-0/+3
| | | | | | | Adds a unit test using the nss_wrapper and uid_wrapper libraries that exercises the ability to become another user. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* UTIL: Move become_user outside krb5 treeJakub Hrozek2014-10-101-8/+12
| | | | | | | | In order for several other SSSD processes to run as a non-root user, we need to move the functions to become another user to a shared space in our source tree. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* BUILD: Use $(MKDIR_P) in Makefile.amJakub Hrozek2014-10-061-13/+16
| | | | | | | | | It was suggested by the Fedora automake maintainer to use the autoconf macro $(MKDIR_P) instead of calling "mkdir -p" directly as the macro is more portable and might actually expand to something else than "mkdir -p" on some platforms (usually it would be a variant of install.sh) Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* CI: Add Valgrind suppression supportNikolai Kondrashov2014-09-221-1/+3
| | | | | | | | | | | | | | | | Add an empty Valgrind suppressions file, use it when invoking Valgrind. This prepares for addition of Valgrind suppressions for current false positives and issues that cannot be fixed, preparing for enforcing Valgrind check. Make Valgrind output a suppression for every error and make it output used suppression names and counts at the end of each run. This simplifies discovery and addition of new suppressions and removal of unused ones. Related to https://fedorahosted.org/sssd/ticket/2428 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* libwbclient: avoid collision with Samba versionSumit Bose2014-09-081-4/+8
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sss_sifp: bump version to 0:1:0Pavel Březina2014-09-081-1/+1
| | | | | | Interface did not change, only the code. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* libwbclient: make build optionalSumit Bose2014-09-021-8/+11
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* NFSv4 client: add to build systemNoam Meltzer2014-09-021-0/+24
| | | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Roland Mainz <rmainz@redhat.com>
generated by cgit (git 2.34.1) at 2024-05-08 02:09:01 +0000