sssd.git - sssd with jhrozek's patches

	Commit message (Collapse)	Author	Age	Files	Lines
*	Fix memory hierarchy in subdomains discovery	Jakub Hrozek	2012-10-11	1	-116/+160
\| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1571 The patch changes the subdomains discovery to use the tevent_req style. Previously, the code violated several rules which made the code very unreadable and led to memory hierarchy issues and use-after-free errors.
*	nss_cmd_retpwent(): do not go into infinite loop if n < 0	Pavel Březina	2012-10-11	1	-0/+8
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1551
*	do not call dp callbacks when responder is shutting down	Pavel Březina	2012-10-11	3	-0/+25
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1514 We were experiencing crash duting responder shut down. This happened when there were some unresolved dp request during the shut down. The memory hierarchy is main_ctx->specific_ctx->rctx, where specific_ctx may be one of the pam, nss, sudo, etc. contexts. If we try to call dp request callback as a result of responder termination, the specific context is already semi freed, which may cause crash.
*	Fix typos	Yuri Chornoivan	2012-10-09	2	-2/+2
\|
*	Fix uninitialized pointer read in ssh_host_pubkeys_update_known_hosts	Jakub Hrozek	2012-10-09	1	-1/+2
\|
*	SSH: Expire hosts in known_hosts	Jan Cholasta	2012-10-05	3	-1/+21
\|
*	SSH: Refactor sysdb and related code	Jan Cholasta	2012-10-05	2	-73/+52
\|
*	Fix few coding style issues	Pavel Březina	2012-10-02	1	-1/+1
\|
*	Use flat name for master domain as well	Sumit Bose	2012-10-01	2	-1/+18
\|
*	Add new option default_domain_suffix	Sumit Bose	2012-10-01	10	-24/+65
\|
*	SYSDB: Remove unnecessary domain parameter from several sysdb calls	Jakub Hrozek	2012-09-24	2	-6/+2
\| \| \| \| \|	The domain can be read from the sysdb object. Removing the domain string makes the API more self-contained.
*	sss_cache tool invalidates records in memory cache.	Michal Zidek	2012-09-24	3	-2/+126
\|
*	SSH: Fix possible infinite loop when updating known_hosts	Jan Cholasta	2012-09-20	1	-3/+1
\|
*	SELinux: Always use the default if it exists on the server	Jakub Hrozek	2012-09-13	1	-22/+21
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1513 This is a counterpart of the FreeIPA ticket https://fedorahosted.org/freeipa/ticket/3045 During an e-mail discussion, it was decided that * if the default is set in the IPA config object, the SSSD would use that default no matter what * if the default is not set (aka empty or missing), the SSSD would just use the system default and skip creating the login file altogether
*	NSS: Fix off-by-one error in parse_getservbyname	Jakub Hrozek	2012-09-13	1	-1/+1
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1438
*	SSH: Simplify public key formatting function	Jan Cholasta	2012-09-04	1	-4/+2
\|
*	SSH: Return error code in SSH utility functions	Jan Cholasta	2012-09-04	1	-6/+7
\|
*	Check if the SELinux login directory exists	Jakub Hrozek	2012-09-04	1	-3/+3
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1492
*	accept_fd_handler: add missing return	Sumit Bose	2012-08-21	1	-0/+1
\|
*	Only create the SELinux login file if there are mappings on the server	Jakub Hrozek	2012-08-16	1	-45/+77
\| \| \| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1455 In case there are no rules on the IPA server, we must simply avoid generating the login file. That would make us fall back to the system-wide default defined in /etc/selinux/targeted/seusers. The IPA default must be only used if there are rules on the server, but none matches.
*	Do not try to remove the temp login file if already renamed	Jakub Hrozek	2012-08-16	1	-2/+3
\| \| \| \| \| \| \| \| \|	write_selinux_string() would try to unlink the temporary file even after it was renamed. Failure to unlink the file would not be fatal, but would produce a confusing error message. Also don't use "0" for the default fd number, that's reserved for stdin. Using -1 is safer.
*	Build SELinux code in responder conditionally	Jakub Hrozek	2012-08-16	1	-0/+7
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1480
*	Fix LOCAL domain lookups	Pavel Březina	2012-08-15	1	-19/+22
\| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1436 Now subdomains are not evaluated for local domains.
*	Remove SYSDB_SUDO_CACHE_OC from attribute lists	Pavel Březina	2012-08-07	1	-1/+0
\| \| \| \|	It is not an attribute.
*	Rename SYSDB_SUDO_CACHE_AT_OC to SYSDB_SUDO_CACHE_OC	Pavel Březina	2012-08-07	1	-1/+1
\| \| \| \| \|	It does not contain name of the object class attribute but the value itself. I renamed it to avoid confusion.
*	Change subdomain_info	Simo Sorce	2012-08-01	1	-1/+1
\| \| \| \| \|	Rename the structure to use a standard name prefix so it is properly name-spaced, in preparation for changing the structure itself.
*	Fix bad check	Jakub Hrozek	2012-08-01	1	-1/+1
\|
*	Write SELinux config files in responder instead of PAM module	Jan Zeleny	2012-07-27	1	-5/+95
\|
*	Move SELinux processing from session to account PAM stack	Jan Zeleny	2012-07-27	1	-1/+2
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	The idea is to rename session provider to selinux provider. Processing of SELinux rules has to be performed in account stack in order to ensure that pam_selinux (which is the first module in PAM session stack) will get the correct input from SSSD. Processing of account PAM stack is bound to access provider. That means we need to have two providers executed when SSS_PAM_ACCT_MGMT message is received from PAM responder. Change in data_provider_be.c ensures just that - after access provider finishes its actions, the control is given to selinux provider and only after this provider finishes is the result returned to PAM responder.
*	NSS: Add override_shell option	Stephen Gallagher	2012-07-20	3	-2/+18
\| \| \| \| \| \| \| \| \|	If override_shell is specified in the [nss] section, all users managed by SSSD will have their shell set to this value. If it is specified in the [domain/DOMAINNAME] section, it will apply to only that domain (and override the [nss] value, if any). https://fedorahosted.org/sssd/ticket/1087
*	PAM: Fix off-by-one-error in the SELinux session code	Jakub Hrozek	2012-07-18	1	-1/+1
\|
*	Fix uninitialized values	Nick Guay	2012-07-18	3	-5/+5
\| \| \| \|	https://fedorahosted.org/sssd/ticket/1379
*	Add newline to DEBUG messages	Jakub Hrozek	2012-07-12	1	-2/+2
\|
*	Fix segfault when using local provider	Stephen Gallagher	2012-07-10	1	-6/+5
\| \| \| \| \| \| \| \| \|	The name context was not being initialized for local provider domains because it was handled after skipping over the back-end initialization routine. This patch moves the name context init routine to occur earlier. https://fedorahosted.org/sssd/ticket/1412
*	pac responder: limit access by checking UIDs	Sumit Bose	2012-07-10	3	-4/+161
\| \| \| \| \| \| \| \| \| \| \| \|	A check for allowed UIDs is added in the common responder code directly after accept(). If the platform does not support reading the UID of the peer but allowed UIDs are configured, access is denied. Currently only the PAC responder sets the allowed UIDs for a socket. The default is that only root is allowed to access the socket of the PAC responder. Fixes: https://fedorahosted.org/sssd/ticket/1382
*	Fix potential NULL-dereference	Stephen Gallagher	2012-07-09	1	-1/+2
\| \| \| \|	Coverity #12800
*	Fix potential NULL-dereference	Stephen Gallagher	2012-07-09	1	-1/+3
\| \| \| \|	Coverity #12801
*	Set file descriptor limits in pac responder	Sumit Bose	2012-07-06	1	-0/+15
\|
*	sudo responder: schedule OOB full refresh when expired rule is deleted	Pavel Březina	2012-06-29	2	-4/+40
\|
*	sudo responder: refresh expired rules	Pavel Březina	2012-06-29	1	-31/+106
\|
*	sudo responder: update dp interface	Pavel Březina	2012-06-29	3	-34/+72
\|
*	sudo responder: allow fetching only expired rules in ↵	Pavel Březina	2012-06-29	1	-25/+22
\| \| \| \|	sudosrv_get_sudorules_query_cache()
*	sudo sysdb: add expiration time to the filter	Pavel Březina	2012-06-29	1	-1/+1
\|
*	sudo responder: new request enum type	Pavel Březina	2012-06-29	3	-13/+19
\| \| \| \| \| \| \| \| \|	sss_sudo_type represents query type that comes to the responder sss_dp_sudo_type represents query type to DP that is issued by the responder I'm leaving current values of sss_dp_sudo_type untouched so the compilation is not broken. Hovewer, they will be changed to new DP types once the DP interface is updated.
*	sudo responder: discard in-memory cache	Pavel Březina	2012-06-29	3	-375/+0
\|
*	sudo responder: change protocol version to 1	Pavel Březina	2012-06-29	1	-0/+9
\|
*	sudo api: send uid, username and domainname	Pavel Březina	2012-06-29	4	-109/+102
\| \| \| \| \| \| \| \| \| \| \|	https://fedorahosted.org/sssd/ticket/1239 Test client was changed accordingly. The new usage is: sss_sudo_cli username [uid] If uid is not set, getpwnam(username) is called. It will retrieve both default options and rules.
*	sudo responder: get rid of dctx where possible	Pavel Březina	2012-06-29	3	-93/+102
\|
*	sudo responder: remove code duplication in commands	Pavel Březina	2012-06-29	4	-277/+283
\|
*	SELinux user maps: pick just one map	Jan Zeleny	2012-06-25	1	-12/+11
\| \| \| \| \| \| \| \| \|	This patch modifies behavior of SSSD when putting together content of the file for pam_selinux. SSSD will now pick only the first user map in the priority list which matches to the user logging in. Other maps are ignored. https://fedorahosted.org/sssd/ticket/1360