| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
| |
Adds a new option -Z to sss_useradd and sss_usermod. This option allows
user to specify the SELinux login context for the user. On deleting the
user with sss_userdel, the login mapping is deleted, so subsequent
adding of the same user would result in the default login context unless
-Z is specified again.
MLS security is not supported as of this patch.
|
| |
|
|
| |
Fix whitespace errors
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There is a small window between running lstat() on a filename and
opening it where it's possible for the file to have been modified.
We were protecting against this by saving the stat data from the
original file and verifying that it was the same file (by device
and inode) when we opened it again, but this is an imperfect
solution, as it is still possible for an attacker to modify the
permissions during this window.
It is much better to simply open the file and test on the active
file descriptor.
Resolves https://fedorahosted.org/sssd/ticket/425 incidentally, as
without the initial lstat, we are implicitly accepting symlinks
and only verifying the target file.
|
| |
|
|
|
|
|
|
|
|
| |
sss_userdel now warns if the deleted user was logged in at the time of
deletion.
Also adds a new parameter --kick to userdel that kills all user
processes before actually deleting ther user.
Fixes: #229
|
| |
|
|
| |
Fixes: #231
|
| |
|
|
|
|
|
|
|
| |
There was a faulty check in get_domain() that led to the
*_provider options being re-added, sometimes after options related
to them had already been set. If those options had a default
value, they would be overwritten by the default.
Fixes: https://fedorahosted.org/sssd/ticket/441
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
The PAM standard allows for messages of any length to be returned
to the client. We were discarding all messages of length greater
than 255. This patch dynamically allocates the message buffers so
we can pass the complete message.
This resolves https://fedorahosted.org/sssd/ticket/432
|
| | |
|
| |
|
|
|
|
| |
- use domain_to_basedn() to construct LDAP search paths for IPA HBAC
- move domain_to_basedn() to a separate file to simplify the build of
a test
|
| |
|
|
| |
The krb5 options were out of sync, causing a runtime abort.
|
| | |
|
| |
|
|
|
|
|
| |
Packages /etc/rwtab.d/sssd file that allows SSSD to run on a read-only
root filesystem.
Fixes: #428
|
| |
|
|
| |
This patch removes some tab-indentations from pamsrv.c, too.
|
| |
|
|
|
|
|
| |
This option is needed for the rare case where a poll() call during
ldap_sasl_interactive_bind_s() is interrupted by a signal.
LDAP_OPT_RESTART enables the handling of the EINTR error instead of
returning an error.
|
| |
|
|
|
|
|
|
|
|
| |
In an environment with slave KDCs and a central server where password
changes are allowed the request for a new TGT immediately after the
password change should be made against this server, because the slave
server might not know the new password.
To achieve this the Kerberos localtor plugin now returns the address of
the kpasswd server as master_kdc.
|
| | |
|
| |
|
|
|
|
|
|
| |
Display warnings about remaining grace logins and password
expiration to the user, when LDAP Password Policies are used.
Improved detection if LDAP Password policies are supported by
LDAP Server.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commits cleans up 3 segfaults/valgrind errors due to access
to freed memory.
1. The spy wasn't clearing conn_spy causing the svc_destructor to try
to clear the spy destructor when the spy was already freed
2. get_config_service was not setting the svc_destrcutor on services
depending on the orderof frees at exit this was causing the spy
destructor to try to access freed memory because it was not
neutralized when the service was freed.
3. at exit the mt_ctx could be freed before services causing the
svc_destrcutor to try to access freed memory when removing the
service from the service list in the monitor context.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
- catch all errors of send() and recv(), not only EAGAIN
- check if send() or recv() return EWOULDBLOCK or EINTR
- remove unused parameter from client_send() and client_recv()
- fix a debugging message
|
| |
|
|
|
|
| |
buf needs to be 32 bit aligned on ARM. Also made the fix on the server side.
Signed-off-by: George McCollister <George.McCollister@gmail.com>
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
dbus_connection_send_with_reply() will report success and return
a NULL pending_reply when the connection is not open for
communication. This patch creates a new wrapper around
dbus_connection_send_with_reply() to properly detect this
condition and report it as an error.
|
| | |
|
| |
|
|
|
| |
When changing an expired password (during e.g. login) the PAM module needs
to prompt for the old password even when running as root.
|
| | |
|
| |
|
|
|
| |
When changing passwords, treat SDAP_AUTH_PW_EXPIRED as a successful
authentication in SSS_PAM_CHAUTHTOK_PRELIM.
|
| |
|
|
|
|
| |
When the user's password is expired it might also be indicated by
the bind operation returning "INVALID_CREDENTIALS" with the ppolicy
control's errorcode set to "PP_passwordExpired".
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Fixes: #221
|
| | |
|
