| Commit message (Collapse) | Author | Age | Files | Lines |
|
When creating a home directory, the destination tree can be modified in
various ways while it is being constructed because directory permissions
are set before populating the directory. This can lead to file creation
and permission changes outside the target directory tree, using hard
links.
This security problem was assigned CVE-2013-0219
https://fedorahosted.org/sssd/ticket/1782
|
Allows to be more concise in tests and more defensive in resolve
callbacks
|
https://fedorahosted.org/sssd/ticket/943
|
https://fedorahosted.org/sssd/ticket/943
|
Several parts of the HBAC python bindings did not work with old Python
versions, such as the one shipped in RHEL5.
The changes include:
* a compatibility wrapper around python set object
* PyModule_AddIntMacro compat macro
* Py_ssize_t compat definition
* Do not use PyUnicode_FromFormat
* several function prototypes and structures used to have "char *"
  arguments where they have "const char *" in recent versions.
  This caused compilation warnings this patch mitigates by using
  the discard_const hack on python 2.4
|
These changes were proposed during a review:
* Change the signature of str_concat_sequence() to const char *
* use a getsetter for HbacRule.enabled to allow string true/false and
integer 1/0 in addition to bool
* fix a minor memory leak (HbacRequest.rule_name)
* remove overzealous discard consts
|
Conflicts:
src/providers/fail_over.c
|
https://fedorahosted.org/sssd/ticket/807
|
Sometimes, a value in LDAP will cease to exist (the classic
example being shadowExpire). We need to make sure we purge that
value from SSSD's sysdb as well.
https://fedorahosted.org/sssd/ticket/750
|
Specially crafted packages might lead to an integer overflow and the
parsing of the input buffer might not continue as expected. This issue
was identified by Sebastian Krahmer <krahmer@suse.de>.
|
Includes a unit test
|
https://fedorahosted.org/sssd/ticket/714
|
https://fedorahosted.org/sssd/ticket/732
|
https://fedorahosted.org/sssd/ticket/728
|
This patch adds simple_allow_groups and simple_deny_groups options
to the simple access provider. It makes it possible to grant or
deny access based on a user's group memberships within the domain.
This patch makes one minor change to previous functionality: now
all deny rules will supersede allow rules. Previously, if both
simple_allow_users and simple_deny_users were set with the same
value, the allow would win.
https://fedorahosted.org/sssd/ticket/440
|
It was decided that IPA HBAC will move to a different format to specify
time ranges in access control rules. The evaluation based on the old
format is not needed anymore.
|
Also adds a unit test.
|
Previously, it assumed that all members were users. This changes
the interface so that either a user or a group can be specified.
Also, it eliminates the need for a memory context to be passed,
since the internal memory should be self-contained.
|
Useful for optimizing the initgroups operation.
|
Additionally the handling of errno and the errno_t return value of
functions is fixed in krb5_common.c.
|
This might be useful for examining the test database manually with LDB tools
|
Adds two utility functions to obfuscate a password and inverse to
extract the cleartext password back.
So far, only NSS-based implementation is provided.
|
This function will take a user, a list of groups that this user
should be added to and a list of groups the user should be removed
from and will recursively call sysdb_[add|remove]_group_member
Includes a unit test
|
Includes a unit test
|
https://fedorahosted.org/sssd/ticket/542
|
Fixes: #535
|
If the configuration option krb5_store_password_if_offline is set to
true and the backend is offline the plain text user password is stored
and used to request a TGT if the backend becomes online. If available
the Linux kernel key retention service is used.
|
RFC 2782 defines a way to sort replies to a SRV query. In short, the
algorithm sorts all replies by priority and then does a weight-based
selection for every priority level.
For details, please see the sections "Usage rules" for overview of the
algorithm and section "The 'Weight' field" for description on the weight
selection.
|
When we converted to the synchronous sysdb interface, the
synchronous-simulating function test_loop() became unnecessary,
but we forgot to remove it.
|
This commit completes the migration to a synchronous sysdb
|