summaryrefslogtreecommitdiffstats
path: root/src/util
Commit message (Collapse)AuthorAgeFilesLines
* UTIL: Inherit ignore_group_membersJakub Hrozek2015-06-081-0/+9
| | | | | | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2644 Allows the administrators to extend ignore_group_members to subdomains as well by setting: subdomain_inherit = ignore_group_members in the domain section. Reviewed-by: Pavel Reichl <preichl@redhat.com> (cherry picked from commit 01c049ceef55c7bbfca1e47cecb2a0a2cf0a5d44) (cherry picked from commit 27d8524cf635d61d93c71539709a30e1205dcaf1)
* SELINUX: Avoid disconnecting disconnected handleJakub Hrozek2015-05-151-2/+7
| | | | | | | | | | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2649 libsemanage is very strict about its API usage and actually doesn't allow disconnecting a handle that is not connected. The unpatched code would fail with: selinux_child: handle.c:231: semanage_disconnect: Assertion `sh != ((void *)0) && sh->funcs != ((void *)0) && sh->funcs->disconnect != ((void *)0)' failed. If semanage_connect() failed. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> (cherry picked from commit 589a8760b38d9e2dfa278764af12d59e1487fe07)
* IPA: do not add domain name unconditionallySumit Bose2015-05-061-1/+1
| | | | | | | | | | | | | Depending on the server-side configuration the extdom plugin can return short or fully qualified names for IPA objects. The client must handle the names according to its own configuration and not add the domain part of the fully-qualified name unconditionally. Resolves https://fedorahosted.org/sssd/ticket/2647 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 3fe2e555edd3963d72483600e5d9616873afd00a) (cherry picked from commit 226224c91971247f60a86d9c46dd1402f5c29e8a)
* simple-access-provider: make user grp res more robustPavel Reichl2015-04-282-0/+2
| | | | | | | | | | | Not all user groups need to be resolved if group deny list is empty. Resolves: https://fedorahosted.org/sssd/ticket/2519 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 82a958e6592c4a4078e45b7197bbe4751b70f511) (cherry picked from commit 45a089a7bcf54e27fb46dc1a2c08c21ac07db96a)
* selinux: Only call semanage if the context actually changesJakub Hrozek2015-04-152-0/+73
| | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2624 Add a function to query the libsemanage database for a user context and only update the database if the context differes from the one set on the server. Adds talloc dependency to libsss_semanage. Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit 1e0fa55fb377db788e065de917ba8e149eb56161) (cherry picked from commit 4d31f2c294db6090047e4d5348322b32ea0aaac1)
* selinux: Begin and end the transaction on the same nesting levelJakub Hrozek2015-04-151-6/+14
| | | | | | | | | | | Transaction should be started and commited on the same code nesting or abstraction level. Also, transactions are really costly with libselinux and splitting them from initialization will make init function reusable by read-only libsemanage functions. Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit 748b38a7991d78cbf4726f2a14ace5e926629a54) (cherry picked from commit 9c695e3a82fe5903b36b2d514b3284efeadc908c)
* selinux: Disconnect before closing the handleJakub Hrozek2015-04-151-3/+10
| | | | | | | | | | | | | | libsemanage documentation says: ~~~~ be sure that a semanage_disconnect() was previously called if the handle was connected. ~~~~ Otherwise we get a memory leak. Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit aa00d67b2a8e07c9080e7798defdc6c774c93465) (cherry picked from commit 816d3cc041e276b138057aacb81d1a2bfb25add6)
* sdap: properly handle binary objectGuid attributeSumit Bose2015-03-272-0/+32
| | | | | | | | | | | | | | | Although in the initial processing SSSD treats the binary value right at some point it mainly assumes that it is a string. Depending on the value this might end up with the correct binary value stored in the cache but in most cases there will be only a broken entry in the cache. This patch converts the binary value into a string representation which is described in [MS-DTYP] and stores the result in the cache. Resolves https://fedorahosted.org/sssd/ticket/2588 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 4619742836ec22edf8f9d274d928bc896c5b0883)
* test: Check ERR_LASTMichal Zidek2015-03-132-1/+2
| | | | | | Check if number of error codes and messages is the same. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* DEBUG: Add missing strings for error messagesMichal Zidek2015-03-132-1/+4
| | | | | | | | We had more error codes than corresponding messages. Also order of two messages was wrong. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* UTIL: convert GeneralizedTime to unix timePavel Reichl2015-03-064-0/+58
| | | | | | | New utility function *sss_utc_to_time_t* to convert GeneralizedTime to unix time. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SDAP: enable change phase of pw expire policy checkPavel Reichl2015-03-041-0/+3
| | | | | | | | | | | | | | | Implement new option which does checking password expiration policy in accounting phase. This allows SSSD to issue shadow expiration warning even if alternate authentication method is used. Resolves: https://fedorahosted.org/sssd/ticket/2167 Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit c9b0071bfcb8eb8c71e40248de46d23aceecc0f3) (cherry picked from commit d3f82e944dc5dab3812700a245deec4aa3245b21)
* Add missing new lines to debug messagesLukas Slebodnik2015-02-188-23/+26
| | | | Reviewed-by: Pavel Reichl <preichl@redhat.com>
* Python3 support in SSSDBohuslav Kabrda2015-02-131-1/+15
| | | | | https://fedorahosted.org/sssd/ticket/2017 (cherry picked from commit 341a00311680a440d7f979f06c34c70d86c9367a)
* SELINUX: Set and reset umask when caling set_seuser from deamon codeJakub Hrozek2015-01-271-0/+4
| | | | | | | https://fedorahosted.org/sssd/ticket/2563 Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit 8f78b6442f3176ee43aa06704a3adb9f4ac625d6)
* IPA: properly handle mixed-case trusted domainsSumit Bose2015-01-232-0/+75
| | | | | | | | | | | | In the SSSD cache domain names are handled case-sensitive. As a result fully-qualified names in RDN contain the domain part in the original spelling. When IPA client lookup up group-memberships on the IPA server via the extdom plugin the names returned are all lower case. To make sure new DNs are generated correctly the domain part must adjusted. Related to https://fedorahosted.org/sssd/ticket/2159 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTIL: Allow dup-ing child pipe to a different FDJakub Hrozek2015-01-132-8/+26
| | | | | | | | | | | Related to: https://fedorahosted.org/sssd/ticket/2544 Adds a new function exec_child_ex and moves setting the extra_argv[] to exec_child_ex() along with specifying the input and output fds. Reviewed-by: Sumit Bose <sbose@redhat.com> (cherry picked from commit 16cb0969f0a9ea71524d852077d6a480740d4f12)
* krb5: add wrapper for krb5_kt_have_content()Sumit Bose2014-12-072-0/+42
| | | | | | | | | krb5_kt_have_content() was introduced in MIT Kerberos 1.11. For older platforms this patch adds sss_krb5_kt_have_content() as a wrapper. Resolves https://fedorahosted.org/sssd/ticket/2518 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sss_atomic_write_s() return value is signedJakub Hrozek2014-12-031-2/+2
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* Add extra_args to exec_child()Jakub Hrozek2014-12-032-3/+23
| | | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2503 Currently all child processes use the same arguments, the construction of argv[] is even hardcoded in exec_child(). Add an extra_args[] array that extends the common set of argvs so that we can have child-specific arguments. Also adds a unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>
* Fix: always check return value of unlink()Pavel Reichl2014-11-281-2/+8
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2506 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* krb5: Check return value of sss_krb5_princ_realmLukas Slebodnik2014-11-281-0/+12
| | | | | | | | | | sss_krb5_princ_realm set output parameter realm to NULL and len to 0 in case of failure. Clang static analysers reported warning "Null pointer passed as an argument to a 'nonnull' parameter" in function match_principal. It was possible, that realm_name with value NULL could be used in strncmp. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* krb5: Check return value of krb5_principal_get_realmLukas Slebodnik2014-11-281-2/+9
| | | | | | | Function krb5_principal_get_realm can return NULL an it would case segfault in function strlen. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* util: sss_get_domain_name regex mismatch not fatalMichal Zidek2014-11-251-1/+7
| | | | | | | | | | Assume name is not FQDN if sss_parse_name fails to match domain with regular expression. Fixes: https://fedorahosted.org/sssd/ticket/2487 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* util: Special-case PCRE_ERROR_NOMATCH in sss_parse_nameMichal Zidek2014-11-253-1/+3
| | | | | | | Add new SSSD specific error code for the case when pcre_exec returns PCRE_ERROR_NOMATCH. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* AD/IPA: add krb5_confd_path configuration optionSumit Bose2014-11-252-3/+149
| | | | | | | | | With this new parameter the directory where Kerberos configuration snippets are created can be specified. Fixes https://fedorahosted.org/sssd/ticket/2473 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Enable views for all domainsSumit Bose2014-11-201-2/+1
| | | | | | | | | Currently views and overrides were only available for sub-domains, this patch enables the lookup for the configured domains as well. Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* KRB5: Do not switch_creds() if already the specified userJakub Hrozek2014-11-181-8/+21
| | | | | | | | | | | | | | The code didn't have to handle this case previously as sssd_be was always running as root and switching to the ccache as the user logging in. Also handle NULL creds on restore_creds() in case there was no switch. One less if-condition and fewer indentation levels. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* KRB5: Move all ccache operations to krb5_child.cJakub Hrozek2014-11-182-0/+2
| | | | | | | | | | | | | | | | | | | The credential cache operations must be now performed by the krb5_child completely, because the sssd_be process might be running as the sssd user who doesn't have access to the ccaches. src/providers/krb5/krb5_ccache.c is still linked against libsss_krb5 until we fix Kerberos ticket renewal as non-root. Also includes a new error code that indicates that the back end should remove the old ccache attribute -- the child can't do that if it's running as the user. Related: https://fedorahosted.org/sssd/ticket/2370 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: Move setting the SELinux context to a child processJakub Hrozek2014-11-052-0/+2
| | | | | | | | In order for the sssd_be process to run as unprivileged user, we need to move the semanage processing to a process that runs as the root user using setuid privileges. Reviewed-by: Michal Židek <mzidek@redhat.com>
* UTIL: Remove more code duplication setting up child processesJakub Hrozek2014-11-052-0/+31
| | | | | | | | All our child processes duplicated the same code that set up the debugging all around. Instead of adding yet another copy for the selinux_child, add a common utility function. Reviewed-by: Michal Židek <mzidek@redhat.com>
* UTIL: Remove code duplication of struct ioJakub Hrozek2014-11-052-0/+36
| | | | | | | | We had struct io and the associated destructor copied twice in the code already and need it again in the SELinux provider. Instead of adding another copy, move the code to a shared subtree under util/ Reviewed-by: Michal Židek <mzidek@redhat.com>
* LDAP: Move sss_krb5_verify_keytab_ex to ldap_childJakub Hrozek2014-11-052-79/+0
| | | | | | | | The function was called from one place only, so it makes no sense to keep it in a shared module. Moreover, the function should only be called from code that runs as root. Reviewed-by: Michal Židek <mzidek@redhat.com>
* Add add_strings_lists() utility functionSumit Bose2014-11-052-0/+83
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTIL: Add a function to convert id_t from a number or a nameJakub Hrozek2014-10-223-0/+47
| | | | | | | | | | | | We need a custom function that would convert a numeric or string input into uid_t. The function will be used to drop privileges in servers and also in the PAC and IFP responders. Includes a unit test to test all code that changed as well as a fix for a misnamed attribute in the csv_to_uid_list function synopsis. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* UTIL: Use a custom PID_PATH and DB_PATH when unit testing server.cJakub Hrozek2014-10-201-4/+31
| | | | | | | | | server.c used hardcoded PID_PATH and DB_PATH from config.h. Normally, this path resides in a system directory (like /var/) and should not be written to by tests. In order to specify a different one for tests, we need to conditionalize normal builds and unit test builds. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* SSSD: Chown the log filesJakub Hrozek2014-10-203-0/+40
| | | | | | | | | We need to chown the log files before dropping root to make sure they are usable by the SSSD user. Unfortunately, we can't just rely on passing the fd opened by root, because we need to be also able to rotate the log files. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* SSSD: Add the options to specify a UID and GID to run asJakub Hrozek2014-10-202-0/+15
| | | | | | | | | Adds new command line options --uid and --gid to all SSSD servers, making it possible to switch to another user ID if needed. So far all code still runs as root. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* sss_semanage: Add mlsrange parameter to set_seuserMichal Zidek2014-10-202-10/+18
| | | | | | | mlsrange parameter will be needed in IPA provider and probably at some point in the tools as well. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* util: Move semanage related functions to src/utilMichal Zidek2014-10-202-0/+364
| | | | | | These functions will be reused by IPA provider. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sysdb: add overide lookup callsSumit Bose2014-10-201-0/+3
| | | | | | | | | | | sysdb_search_user_override_by_name() and sysdb_search_group_override_by_name() search for overrides in the given view. sysdb_add_overrides_to_object() adds the data from the override object to the original object and makes them available for further processing. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* new_subdomain: copy view data from parentSumit Bose2014-10-201-0/+11
| | | | | | | Since a view applies to the whole domain-subdomain tree the view data is copied from the parent the new created domains. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* UTIL: Always write capathsJakub Hrozek2014-10-162-38/+34
| | | | | | | | | We used to only generate the [capaths] section on the IPA server itself, when running in a trusted setup. But we also found out that the capaths are often required to make SSO fully work, so it's better to always generate them. Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
* sss_get_domain_name: check for fq name firstPavel Březina2014-10-141-1/+13
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* NSS: UPN as a template expansion for homedir mappingsPavel Reichl2014-10-122-0/+12
| | | | | | | Fixes: https://fedorahosted.org/sssd/ticket/2340 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTIL: Move become_user outside krb5 treeJakub Hrozek2014-10-102-0/+207
| | | | | | | | In order for several other SSSD processes to run as a non-root user, we need to move the functions to become another user to a shared space in our source tree. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* UTIL: Do not depend on monitor codeJakub Hrozek2014-10-092-1/+37
| | | | | | | Just moves code around. There should be a way to use the server.c module without linking the monitor code. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* PAM: new options pam_trusted_users & pam_public_domainsPavel Reichl2014-09-292-0/+65
| | | | | | | | | | | | | pam_public_domains option is a list of numerical UIDs or user names that are trusted. pam_public_domains option is a list of domains accessible even for untrusted users. Based on: https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* krb5: make get_primary() a public callStephen Gallagher2014-09-292-3/+13
| | | | | | | This patch changes get_primary() into sss_krb5_get_primary() so it can be used by the AD provider to get the sAMAccountName from the hostname. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTIL: Do not change SSSD domains in get_domains_headStephen Gallagher2014-09-241-3/+0
| | | | | | | | | | When there was more than one SSSD domain configured, actions performed against domains later in the list would be incorrectly told to use the first domain as the base for locating subdomains. This was because we were rewinding the ->prev list on the sss_domain_info object, which is only intended to be used by confdb code. The correct approach was to use only the parent linkage, which would take us up to the top-level domain in this SSSD domain.
generated by cgit (git 2.34.1) at 2024-06-19 16:20:21 +0000