summaryrefslogtreecommitdiffstats
path: root/src/responder/nss
Commit message (Collapse)AuthorAgeFilesLines
* Check slot validity before MC_SLOT_TO_PTR.Michal Zidek2013-09-231-15/+75
| | | | | resolves: https://fedorahosted.org/sssd/ticket/2049
* mmap_cache: Do not remove record from chain twiceLukas Slebodnik2013-09-091-0/+6
| | | | | | | | | | | It is not very likely, that record will have the same hash1 and hash2, but it is possible. In this situation, it does not make sense to remove record twice. Function sss_mc_rm_rec_from_chain was not robust and sssd_nss could crash in this situation. It was only possible if record was alone in chain. Resolves: https://fedorahosted.org/sssd/ticket/2049
* mmap_cache: Use stricter check for hash keys.Lukas Slebodnik2013-08-281-4/+6
| | | | ht_size is size of hash_table in bytes, but hash keys have type uint32_t
* mmap_cache: Skip records which doesn't have same hashLukas Slebodnik2013-08-281-2/+34
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The code uses 2 hashes for each record, but only one hash table to index them both, furthermore each record has only one single 'next' pointer. This means that in certain conditions a record main end up being on a hash chain even though its hashes do not match the hash chain. This can happen when another record 'drags' it in from another hash chain where they both belong. If the record without matching hashes happens to be the second of the chain and the first record is removed, then the non matching record is left on the wrong chain. On removal of the non-matching record the hash chain will not be updated and the hash chain will end up pointing to an invalid slot. This slot may be later reused for another record and may not be the first slot of this new record. In this case the hash chain will point to arbitrary data and may cause issues if the slot is interpreted as the head of a record. By skipping any block that has no matching hashes upon removing the first record in a chain we insure that dangling references cannot be left in the hash table Resolves: https://fedorahosted.org/sssd/ticket/2049
* mmap_cache: Store corrupted mmap cache before resetMichal Zidek2013-08-191-0/+66
| | | | | This patch adds function to store corrupted mmap cache file to disk for further analysis.
* mmap_cache: Use better checks for corrupted mc in responderMichal Zidek2013-08-191-3/+53
| | | | | We introduced new way to check integrity of memcache in the client code. We should use similiar checks in the responder.
* mmap_cache: Off by one error.Michal Zidek2013-08-191-6/+6
| | | | | Removes off by one error when using macro MC_SIZE_TO_SLOTS and adds new macro MC_SLOT_WITHIN_BOUNDS.
* mmap_cache: Check if slot and name_ptr are not invalid.Michal Zidek2013-08-112-2/+54
| | | | | | | This patch prevents jumping outside of allocated memory in case of corrupted slot or name_ptr values. It is not proper solution, just hotfix until we find out what is the root cause of ticket https://fedorahosted.org/sssd/ticket/2018
* Handle too many results from getnetgr.Lukas Slebodnik2013-08-081-1/+13
|
* Do not call sss_cmd_done in function check_cache.Lukas Slebodnik2013-08-081-6/+0
| | | | | | | | Function sysdb_getpwnam return more results than 1 and therefore sss_cmd_done was called. Inside of function sss_cmd_done memory was freed, but this freed memory was used in caller functions, therefore sssd crashed. https://fedorahosted.org/sssd/ticket/1980
* NSS: Clear cached netgroups if a request comes in from the sss_cacheLukas Slebodnik2013-08-083-0/+54
| | | | | | | In order for sss_cache to work correctly, we must also signal the nss responder to invalidate the hash table requests. https://fedorahosted.org/sssd/ticket/1759
* NSS: allow removing entries from netgroup hash tableLukas Slebodnik2013-08-083-1/+32
| | | | | | | | | There is a timed desctructor in the nss responder that, when the entry timeout passes, removes the netgroup from the hash table while the netgroup is freed. This patch adds a hash delete callback so that if the netgroup is removed from the hash table with hash_delete, its hash table pointer will be invalidated. Later, when the entry is being freed, the destructor won't attempt to remove it from the hash table.
* Add ignore_group_members option.Paul B. Henson2013-05-311-16/+19
| | | | https://fedorahosted.org/sssd/ticket/1376
* Debug message in sss_mc_create_file.Michal Zidek2013-03-071-0/+5
| | | | | | This patch adds debug message for the case if sssd fails to open old mc file for some other reason than the file does not exist.
* File descriptor leak in nss responder.Michal Zidek2013-03-071-18/+43
| | | | | | | | | File descriptors leaked every time sss_mmap_cache_reinit was called and also the old memory cache was still maped in memory (munmap was not called). This patch adds destructor for memory cache context to call close() and munmap() automaticly. https://fedorahosted.org/sssd/ticket/1826
* NSS: Add original homedir to home directory template optionsStephen Gallagher2013-02-101-5/+6
| | | | https://fedorahosted.org/sssd/ticket/1805
* Invalidate user entry even if there are no groupsJakub Hrozek2013-01-161-6/+1
| | | | | | | | | Related to https://fedorahosted.org/sssd/ticket/1757 Previously we would optimize the mc invalidate code for cases where the user was a member of some groups. But if the user was removed from the server while being in memory cache, we would only invalidate the mc record if he was a member of at least one supplementary group.
* NSS: invalidate memcache user entry on initgr, tooJakub Hrozek2013-01-161-0/+11
| | | | | | | | | https://fedorahosted.org/sssd/ticket/1757 When the user entry was missing completely after initgroups, we would never invalidate the user entry from cache. This led to dangling cache entried in memory cache if the user was removed from the server while still being in memory cache.
* memcache: add macro that validates record lengthPavel Březina2013-01-071-2/+1
|
* sss_userdel and sss_groupdel with use_fully_qualified_namesMichal Zidek2013-01-071-15/+50
| | | | | If use_fully_qualified_names is used, we need to pass fqdn to sss_mmap_cache_*_invalidate.
* mmap cache: invalidate cache on fatal errorSimo Sorce2012-12-203-10/+30
| | | | | | | | | | If a fatal EFAULT error is returned by the internal function that frees used memory invalidate the whole cache and reinit it. This way we avoid further corruption and insure clients see consistent data. Also insure we use the right context in init() and we use talloc_zfree() in reinit so that if the init() later fails we do not leave around a pointer to free memory in the callers.
* Carefully check records when forcibly invalidatingSimo Sorce2012-12-201-18/+101
| | | | | | | | | | | | We should never try to invalidate an already invalid record as internal pointers will not be consistent. Carefully test that the record really is valid when we are fishing for free space, and properly invalidate records or return a fatal error if something goes wrong. In order to make the code more robust always invalidate the whole data space on initialization by setting all bits to 1, and make sure to invalidate the whole last allocated slot by converting rec->len to the number of slots instead of just the space used.
* Update free table when records are invalidated.Simo Sorce2012-12-201-14/+23
| | | | | We were holding up slots when entries were invalidated directly an not through our primitive garbage collection scheme.
* nss_mc: Add extra checks when dereferencing recordsSimo Sorce2012-12-201-0/+12
| | | | | | | Although it should enver happen that we pass in an invalid hash it is always better to just not do anything than access memory ouf of the hash table. It can lead to segfaults, or worse referencing memory that should not be touched.
* sssd_nss: Plug memory leaksSimo Sorce2012-12-191-2/+11
| | | | | A recent patch introduced a glaring memory leak in the routines that clean up memcache memory on initgroups calls.
* RESPONDERS: Create a common file with service names and versionsJakub Hrozek2012-12-182-3/+1
| | | | | | | The monitor sends calls different sbus methods to different responders. Instead of including headers of the particular responders directly in monitor, which breaks layering a little, create a common header file that will be included from src/responder/common/
* Allow mmap calls to gracefully return absent ctxSimo Sorce2012-12-141-0/+25
| | | | | This is to allow to freely call mc functions even if initialization failed. They will now gracefully fail instead of segfaulting.
* sssd_nss: Remove entries from memory cache if not found in sysdbMichal Zidek2012-12-131-0/+23
| | | | | Functions nss_cmd_getXXnam remove entries from memory cache if not found in sysdb cache of a local domain.
* NSS: Fix the error handler in sss_mc_create_fileJakub Hrozek2012-12-111-10/+16
| | | | | | | https://fedorahosted.org/sssd/ticket/1704 The function is short enough so that we can simply stick with return and release resources before returning as appropriate.
* Hook for mmap cache update on initgroup callsSimo Sorce2012-12-053-0/+147
| | | | | This set of functions enumerate the user's groups and invalidate them all if the list does not matches what we get from the caller.
* Hook to perform a mmap cache update from sssd_nssSimo Sorce2012-12-053-0/+118
| | | | | This set of functions enumerate each user/group from all domains and invalidate any mmap cache record that matches.
* mmap cache: public functions to invalidate recordsSimo Sorce2012-12-052-0/+135
| | | | | | These functions can be called from the nss responder to invalidate records that have ceased to exist or that need to be refreshed the first time an application needs them.
* NSS: Fix netgroup midpoint cache refreshJakub Hrozek2012-12-042-2/+2
| | | | | | | | https://fedorahosted.org/sssd/ticket/1683 The result of the percent calculation was always 0 as it used plain ints. The patch switches to using explicit floats to avoid reintroducing the bug again even with brackets.
* Refactor the way subdomain accounts are savedSimo Sorce2012-11-191-3/+7
| | | | | | | | | | | | | | | | | The original sysdb code had a strong assumption that only users from one domain are saved in the databse, with the subdomain feature, we have changed reality, but have not adjusted all the code arund the sysdb calls to not rely on the original assumption. One of the side effects of this incongrunece is that currently group memberships do not return fully qualified names for subdomain users as they should. In oreder to fix this and other potential issues surrounding the violation of the original assumption, we need to fully qualify subdomain user names. By savin them fully qualified we do not risk aliasing local users and have group memberhips or other name based matching code mistake a domain user with subdomain usr or vice versa.
* sss_cache: Remove fastcache even if sssd is not running.Michal Zidek2012-11-061-3/+23
| | | | https://fedorahosted.org/sssd/ticket/1584
* Fix two errors in the nss responderSumit Bose2012-10-231-1/+3
| | | | | | | | | One is a copy-and-paste error which was introduce by 1774ee9a61b9d691dadd1a0538f32bcdcc84f72f. The second fixes a missing explicit setting of the return value. In the case where we want fully qualified names ret contains the number of characters from the last snprintf() which is almost ever not 0.
* Allow setting the default_shell option per-domain as wellJakub Hrozek2012-10-181-1/+3
| | | | https://fedorahosted.org/sssd/ticket/1583
* Check for subdomains if getpwuid or getgrgid are the first requestsSumit Bose2012-10-121-0/+72
| | | | Fixes https://fedorahosted.org/sssd/ticket/1561
* nss_cmd_retpwent(): do not go into infinite loop if n < 0Pavel Březina2012-10-111-0/+8
| | | | https://fedorahosted.org/sssd/ticket/1551
* Fix typosYuri Chornoivan2012-10-091-1/+1
|
* Fix few coding style issuesPavel Březina2012-10-021-1/+1
|
* Add new option default_domain_suffixSumit Bose2012-10-013-8/+18
|
* sss_cache tool invalidates records in memory cache.Michal Zidek2012-09-243-2/+126
|
* NSS: Fix off-by-one error in parse_getservbynameJakub Hrozek2012-09-131-1/+1
| | | | https://fedorahosted.org/sssd/ticket/1438
* NSS: Add override_shell optionStephen Gallagher2012-07-203-2/+18
| | | | | | | | | If override_shell is specified in the [nss] section, all users managed by SSSD will have their shell set to this value. If it is specified in the [domain/DOMAINNAME] section, it will apply to only that domain (and override the [nss] value, if any). https://fedorahosted.org/sssd/ticket/1087
* Fix uninitialized valuesNick Guay2012-07-181-3/+3
| | | | https://fedorahosted.org/sssd/ticket/1379
* Add newline to DEBUG messagesJakub Hrozek2012-07-121-2/+2
|
* Fix re_expression matching with subdomainsJan Zeleny2012-06-212-37/+99
| | | | | | | | | | | This patch fixes an issue which resulted in a need to initialize responder with data from local domain, otherwise it would not correctly detect requests for subdomains. Similar situation can occur if new subdomain is added at runtime. The solution is to ask for a list of subdomains in case there is a candidate domain identified in the process of matching re_expressions with given name.
* Move some debug lines to new debug log levelsStef Walter2012-06-201-1/+1
| | | | | | | * These are common lines of debug output when starting up sssd https://bugzilla.redhat.com/show_bug.cgi?id=811113
* Make re_expression and full_name_format per domain optionsStef Walter2012-06-124-20/+21
| | | | | | | | | | | * Allows different user/domain qualified names for different domains. For example Domain\User or user@domain. * The global re_expression and full_name_format options remain as defaults for the domains. * Subdomains get the re_expression and full_name_format of their parent domain. https://bugzilla.redhat.com/show_bug.cgi?id=811663
generated by cgit (git 2.34.1) at 2024-05-02 19:21:03 +0000