| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
Resolves:
https://fedorahosted.org/sssd/ticket/2232
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit ffa42f689dded74b0c0b0451bff3516bc4003179)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The functions strdup and strncmp are used in pam_test_client,
but header file string.h was not included directly in this file.
The header file string.h was indirectly included by the header file
security/pam_client.h.
src/sss_client/pam_test_client.c: In function 'main':
src/sss_client/pam_test_client.c:45:
error: implicit declaration of function 'strdup'
src/sss_client/pam_test_client.c:45:
warning: incompatible implicit declaration of built-in function 'strdup'
src/sss_client/pam_test_client.c:49:
warning: incompatible implicit declaration of built-in function 'strdup'
src/sss_client/pam_test_client.c:52:
warning: incompatible implicit declaration of built-in function 'strdup'
src/sss_client/pam_test_client.c:64:
error: implicit declaration of function 'strncmp'
gmake[2]: *** [src/sss_client/pam_test_client.o] Error 1
sh-4.2$ nm --undefined-only ./pam_test_client | grep -E "strdup|strncmp"
U __strdup@@GLIBC_2.2.5
U strncmp@@GLIBC_2.2.5
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 654f1abaec4e26453cb88ef02a8a71ba9aea0026)
|
|
|
|
|
|
|
|
| |
This part was introduced in commit dba7903ba7fc04bc331004b0453938c116be3663
"PAM: close socket fd with pam_set_data"
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit a4b2352c97053c79fd0d78d0dd647beed69b17e5)
|
|
|
|
|
|
|
|
|
|
|
|
| |
If initialisation fails in function _sss_setautomntent, context will not be
initialized and automount client will crash.
The function _sss_endautomntent should not try to dereference NULL pointer.
Resolves:
https://fedorahosted.org/sssd/ticket/2288
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 01f0d708fddfd50bdbb36a63737dcdc2c2fbd28d)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The return value of function sss_autofs_make_request was not checked.
(returned value was SSS_STATUS_UNAVAIL)
Unfotunatelly, errnop was zero; buffer "repbuf" was not initialised
and automount crashed in sss_autofs plugin.
Resolves:
https://fedorahosted.org/sssd/ticket/2288
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 71bcdde36bcfd8cb797777062208a85bf6337dec)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use a script to update DEBUG macro invocations to use it as a variadic
macro, supplying format string and its arguments directly, instead of
wrapping them in parens.
This script was used to update the code
(identical to commit a3c8390d19593b1e5277d95bfb4ab206d4785150):
grep -rwl --include '*.[hc]' DEBUG . |
while read f; do
mv "$f"{,.orig}
perl -e \
'use strict;
use File::Slurp;
my $text=read_file(\*STDIN);
$text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs;
print $text;' < "$f.orig" > "$f"
rm "$f.orig"
done
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2271
The current krb5_child code attempts to get a TGT for the convenience of
the user using the new password after a password change operation.
However, an OTP should never be used twice, which means we can't perform
the kinit operation after chpass is finished. Instead, we only print a
PAM information instructing the user to log out and back in manually.
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2232
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit d987dba42894aceff106d557b13812092028cc29)
|
|
|
|
|
| |
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 3b35ff47651e4893ce537a273466766b962362da)
|
|
|
|
|
| |
resolves:
https://fedorahosted.org/sssd/ticket/2049
|
|
|
|
|
|
| |
If the environment variable _SSS_MC_SPECIAL is set to "NO", the
mmap cache is skipped in the client code. The name is not very
descriptive. This patch renames the variable to SSS_NSS_USE_MEMCACHE.
|
|
|
|
|
|
| |
last argument of function sss_strnlen "size_t *len" is output variable.
We need to increment value of size_t being pointed to by pointer instead of
incrementing pointer.
|
|
|
|
|
| |
Removes off by one error when using macro MC_SIZE_TO_SLOTS
and adds new macro MC_SLOT_WITHIN_BOUNDS.
|
|
|
|
|
| |
We had pattern in client code with 3 conditions
that can be replaced with one.
|
|
|
|
|
|
|
|
| |
data->name value must be checked to prevent segfaults in
case of corrupted memory cache.
resolves:
https://fedorahosted.org/sssd/ticket/2018
|
|
|
|
|
|
|
| |
This patch prevents jumping outside of allocated memory in
case of corrupted slot or name_ptr values. It is not proper
solution, just hotfix until we find out what is the root cause
of ticket https://fedorahosted.org/sssd/ticket/2018
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch modifies the PAC responder so that it can be used with the AD
provider as well. The main difference is that the POSIX UIDs and GIDs
are now lookup up with the help of the SID instead of being calculated
algorithmically. This was necessary because the AD provider allows
either algorithmic mapping or reading the value from attributes stored
in AD.
Fixes https://fedorahosted.org/sssd/ticket/1558
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1772
SAFEALIGN macros have been renamed in this patch to
make it easy to pick the right macro when data is copied
from byte buffer to a variable or vice versa.
The renamed macros are placed in new header file to
avoid code duplication (the old ones were defined in
two files, one for the client code and one for the rest
of sssd).
|
|
|
|
|
| |
Instead of appending @domain to names when the --domain option of sss_ssh_* is
used, put domain name in a separate field in client requests.
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch add a library for client side lookups for a SID or with a
SID through the calls:
- sss_nss_getsidbyname
- sss_nss_getsidbyid
- sss_nss_getnamebysid
- sss_nss_getidbysid
The library is called libsss_nss_idmap and the contributed spec file
will create two new packages libsss_nss_idmap and
libsss_nss_idmap-devel.
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1889
Fixes two minor coverity issues.
|
|
|
|
|
|
|
|
|
|
| |
Adding missing dependencies for linker. Missing dependency was
introduced by commit 22d381367c27910fe82f476a76b9f4ede555e35a
in changed file src/sss_client/nss_mc_common.c
All function declaration for io.c was moved from util.h to separate file io.h,
https://fedorahosted.org/sssd/ticket/1838
|
|
|
|
|
|
|
|
|
| |
Header file "providers.h" is not included in any other
file and function "dp_process_init" declared in this header file
has no implementation.
Header file protos.h is not also included in any other file and even
hole content is commented out.
|
|
|
|
|
|
|
|
| |
Functions open_cloexec and openat_cloexec were renamed with prefix
"sss_" and moved to separete file. Replacing duplicated code of
function sss_open_cloexec everywhere in the source code.
https://fedorahosted.org/sssd/ticket/1794
|
|
|
|
|
|
|
|
|
|
|
| |
krb5 1.11 adds support for a new method for responding to
structured data queries. This method, called the responder,
provides an alternative to the prompter interface.
This patch adds support for this method. It takes the password
and provides it via a responder instead of the prompter. In the
case of OTP authentication, it also disables the caching of
credentials (since the credentials are one-time only).
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1819
|
|
|
|
| |
This reverts commit 30c76633788c498b7d34e7e5944a3d36f26ec2db.
|
| |
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1748
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1724
|
|
|
|
|
|
|
| |
We have 2 places where we memcpy memory and need barriers protection.
Use a macro so we can consolidate code in one place.
Second fix for: https://fedorahosted.org/sssd/ticket/1694
|
|
|
|
| |
Fixes https://fedorahosted.org/sssd/ticket/1694
|
| |
|
|
|
|
| |
Eliminates a compiler warning
|
|
|
|
|
|
|
|
| |
This caused troubles with subdomain users and it is not really
necessary. This patch does not change the protocol itself, that
should be done on the earliest possible occasion.
Part of https://fedorahosted.org/sssd/ticket/1616
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1495
|
|
|
|
|
| |
* Protect the fd with a mutex when closing
* Set it to a safe value after closing
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1569
|
|
|
|
|
|
|
|
|
|
|
| |
This cause troubles when we send data to a pipe and close the
file descriptor before data is read. The pipe is still readable,
but POLLHUP is detected and we fail to read them.
For example, this may cause a user beeing unable to log in.
Now if POLLHUP appears, we read the pipe and then close it on
the client side too.
|
| |
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1460
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1415
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The idea is to rename session provider to selinux provider. Processing
of SELinux rules has to be performed in account stack in order to ensure
that pam_selinux (which is the first module in PAM session stack) will
get the correct input from SSSD.
Processing of account PAM stack is bound to access provider. That means
we need to have two providers executed when SSS_PAM_ACCT_MGMT message
is received from PAM responder. Change in data_provider_be.c ensures
just that - after access provider finishes its actions, the control is
given to selinux provider and only after this provider finishes is the
result returned to PAM responder.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1379
|
|
|
|
| |
SIGSEGV occured when sss_sudo_cli was run without any arguments.
|