| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1932
There is a rather strange workaround in the nested groups processing
code that calls tevent_req_post outside _send(). However, it broke in
certain situations where the tevent_req_call resulted in req being freed,
which freed state by extension and then the subsequent _post call was a
use-after-free. This patch saves the two variables used outside state so
that it's safe to use them even after the callback.
|
|
|
|
| |
This patch remove unused functions sdap_parse_user and sdap_parse_group
|
|
|
|
|
|
|
|
| |
We did not set port status for metaservers (srv servers)
in fo_reset_services().
Fixes:
https://fedorahosted.org/sssd/ticket/1933
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1947
Otherwise we will do the SRV expansion once again:
1. leaving the old servers in server list
2. meta server is not inserted back in the list, the newly found
servers are inserted behind meta server, meta server is orphaned
and the new servers are forgotten
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1947
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1737
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1817
|
|
|
|
|
|
|
|
|
| |
This commit adds new option ldap_disable_range_retrieval with default value
FALSE. If this option is enabled, large groups(>1500) will not be retrieved and
behaviour will be similar like was before commit ae8d047122c
"LDAP: Handle very large Active Directory groups"
https://fedorahosted.org/sssd/ticket/1823
|
|
|
|
|
|
|
|
|
| |
File descriptors leaked every time sss_mmap_cache_reinit was
called and also the old memory cache was still maped in memory
(munmap was not called). This patch adds destructor for memory
cache context to call close() and munmap() automaticly.
https://fedorahosted.org/sssd/ticket/1826
|
|
|
|
|
|
| |
This patch adds debug message for the case if sssd
fails to open old mc file for some other reason than
the file does not exist.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1710
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1841
|
|
|
|
|
|
|
|
|
|
|
| |
Storing cyclic groups into sysdb can cause adding ghost members,
which has already been stored. Function ldb_modify will fail
with error [Attribute or value exists].
With permisive control, duplicated attributes will be skipped
as if it was never added.
https://fedorahosted.org/sssd/ticket/1846
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1886
|
|
|
|
|
|
|
| |
Due to a comparison error, the last warning when an LDAP password was in
its grace period was never displayed.
https://fedorahosted.org/sssd/ticket/1890
|
|
|
|
|
|
|
|
| |
Function sysdb_getpwnam return more results than 1 and therefore sss_cmd_done
was called. Inside of function sss_cmd_done memory was freed,
but this freed memory was used in caller functions, therefore sssd crashed.
https://fedorahosted.org/sssd/ticket/1980
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1959
|
|
|
|
|
|
|
| |
Previously, these contained hard-coded paths. Now they are
populated correctly by the configure script.
https://fedorahosted.org/sssd/ticket/1986
|
| |
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1912
Patch that converts subdomain usernames into fully qualified format
made it to the 1.9 branch but sudo wasn't aware of it. This patch
changes sysdb_getpwnam call to sysdb_subdom_getpwnam which converts
username into fqn if the domain is subdomain.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1376
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1805
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1693
Since we don't care about returned values from out of band refresh,
we do not need to set callback data. However, this caused talloc
to abort as it considers it as type mismatch when called from
tevent_req_callback_data().
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2005
Some users were confused by our description of min_id/max_id and thought
the limits only applied to returning entries from the NSS responder.
However, the limits are actually enforced on the back end side, so the
entries are not even saved to cache.
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1806
The IPA provider attempted to store the original value of member
attribute to the cache. That caused the memberof plugin to process the
values which was really CPU intensive.
|
|
|
|
|
|
|
| |
In order for sss_cache to work correctly, we must also signal the nss
responder to invalidate the hash table requests.
https://fedorahosted.org/sssd/ticket/1759
|
|
|
|
|
|
|
|
|
| |
There is a timed desctructor in the nss responder that, when the
entry timeout passes, removes the netgroup from the hash table while
the netgroup is freed. This patch adds a hash delete callback so that if the
netgroup is removed from the hash table with hash_delete, its hash table
pointer will be invalidated. Later, when the entry is being freed, the
destructor won't attempt to remove it from the hash table.
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/2031
|
|
|
|
|
|
| |
intensive
https://fedorahosted.org/sssd/ticket/1732
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1869
Currently the private data passed to the PAM request is a structure
allocated on the client context. But in the odd case where the back end
would be stopped or stuck until the idle timeout hits, the DP callback
would access data that were freed when the client timed out.
This patch introduces a new structure allocated on responder context,
whose only purpose is to live as long as the request is active.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1739
Pointer to packet body may change while filling packet with autofs
mount points. As a consequence, we sometimes wrote the number of
entries into invalid body and we recieved an arbitrary number
on the client side.
If the number was 0, there were some skipped entries. If the number
was greater than 0, everything worked correctly, because we iterate
through the cached entries until we reach packet length - we don't
compare to the number.
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1893
When SSSD is not enumerating (which is the default), we are trying to
link any "ghost" entries with a newly created user entry. However, when
enumeration is on, this means a spurious search on adding any user.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1799
One peculiarity of the sysdb_attrs_get_el interface is that if the
attribute does not exist, then the attrs array is reallocated and the
element is created. But in case other pointers are already pointing
into the array, the realloc might invalidate them.
Such case was in the sdap_process_ghost_members function where if
the group had no members, the "gh" pointer requested earlier might have
been invalidated by the realloc in order to create the member element.
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1880
In the simple access provider, we need to only canonicalize user names when
comparing with values in the ACL, not when searching the cache. The sysdb
searches might do a base search with a DN constructed with the username
which fails if the username is lower case.
|
|
|
|
|
|
|
|
|
|
|
| |
Add option to fallback to fetch local users if rfc2307is being used.
This is useful for cases where people added local users as LDAP members
and rely on these group memberships to be maintained on the local host.
Disabled by default as it violates identity domain separation.
Ticket:
https://fedorahosted.org/sssd/ticket/1020
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changes the simple access provider's interface to be asynchronous. When
the simple access provider encounters a group that has gid, but no
meaningful name, it attempts to resolve the name using the
be_file_account_request function.
Some providers (like the AD provider) might perform initgroups
without resolving the group names. In order for the simple access
provider to work correctly, we need to resolve the groups before
performing the access check. In AD provider, the situation is
even more tricky b/c the groups HAVE name, but their name
attribute is set to SID and they are set as non-POSIX
|
|
|
|
|
|
|
|
|
|
|
| |
The simple access provider unit tests now need to link against the Data
Provider when they start using the be_file_account_request() function.
But then we would start having conflicts as at least the main()
functions would clash.
If UNIT_TESTING is defined, then the data_provider_be.c module does not
contain the main() function and can be linked against directly from
another module that contains its own main() function
|
|
|
|
|
|
|
| |
I realized that the current unit tests for the simple access provider
only tested the user directives. To have a baseline and be able to
detect new bugs in the upcoming patch, I implemented unit tests for the
group lists, too.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order to resolve group names in the simple access provider we need to
contact the Data Provider in a generic fashion from the access provider.
We can't call any particular implementation (like sdap_generic_send())
because we have no idea what kind of provider is configured as the
id_provider.
This patch splits introduces the be_file_account_request() function into
the data_provider_be module and makes it public.
A future patch should make the be_get_account_info function use the
be_get_account_info_send function.
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1808
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1783
When dn in member attribute is invalid (e.g. rdn instead of dn)
or it is outside of configured search bases, we might hit a situation
when tevent_req is marked as done before any callback could be
attached on it.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When creating a home directory, the destination tree can be modified in
various ways while it is being constructed because directory permissions
are set before populating the directory. This can lead to file creation
and permission changes outside the target directory tree, using hard links.
This security problem was assigned CVE-2013-0219
https://fedorahosted.org/sssd/ticket/1782
|
|
|
|
|
|
|
|
|
|
| |
The removal of a home directory is sensitive to concurrent modification
of the directory tree being removed and can unlink files outside the
directory tree.
This security issue was assigned CVE-2013-0219
https://fedorahosted.org/sssd/ticket/1782
|
|
|
|
|
|
|
|
| |
SSH requests.
This fixes CVE-2013-0220.
https://fedorahosted.org/sssd/ticket/1781
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1779
2^32 should be enough to store sudo rules. size_t type was causing
troubles on big endian architectures, because it wasn't used
correctly in combination with D-Bus.
Resolved Conflicts:
src/responder/sudo/sudosrv_get_sudorules.c
|
|
|
|
|
|
|
|
| |
When read from the domain section, the pwd_expiration_warning was
properly converted to seconds from days, but not the
pam_pwd_expiration_warning set in the [pam] section.
https://fedorahosted.org/sssd/ticket/1773
|