path: root/src
Commit message | Author | Age | Files | Lines
* TOOLS: Compile on old platforms such as RHEL5 | Jakub Hrozek | 2013-01-29 | 1 | -37/+140
  Provides compatible declarations for modern file management functions such as futimens or opening with the O_CLOEXEC flag
* TOOLS: Use file descriptor to avoid races when creating a home directory | Ondrej Kos | 2013-01-29 | 4 | -381/+379
  When creating a home directory, the destination tree can be modified in various ways while it is being constructed because directory permissions are set before populating the directory. This can lead to file creation and permission changes outside the target directory tree, using hard links. This security problem was assigned CVE-2013-0219 https://fedorahosted.org/sssd/ticket/1782
* TOOLS: Use openat/unlinkat when removing the homedir | Jakub Hrozek | 2013-01-29 | 1 | -42/+41
  The removal of a home directory is sensitive to concurrent modification of the directory tree being removed and can unlink files outside the directory tree. This security issue was assigned CVE-2013-0219 https://fedorahosted.org/sssd/ticket/1782
* nested groups: fix group lookup hangs if member dn is incorrect | Pavel Březina | 2013-01-29 | 1 | -0/+24
  https://fedorahosted.org/sssd/ticket/1783 When dn in member attribute is invalid (e.g. rdn instead of dn) or it is outside of configured search bases, we might hit a situation when tevent_req is marked as done before any callback could be attached on it.
* Restart services with a delay in case they are restarted too often | Ondrej Kos | 2013-01-29 | 1 | -14/+59
  In case a service is restarted while the DP is not ready yet, it gets restarted again immediately, which means the DP might still not be ready. The allowed number of restarts is then depleted quickly. This patch changes the restart mechanism such that the first restart happens immediately, the second is scheduled after 2 seconds, then 4 etc. https://fedorahosted.org/sssd/ticket/1528
* Check that strings do not go beyond the end of the packet body in autofs and SSH requests | Jan Cholasta | 2013-01-29 | 2 | -7/+7
  This fixes CVE-2013-0220. https://fedorahosted.org/sssd/ticket/1781
* sssd_pam: Cleanup requests cache on sbus reconnect | Simo Sorce | 2013-01-29 | 1 | -1/+4
  The pam responder was not properly configured to recover from a backend disconnect. The connections that were in flight before the disconnection were never freed and new requests for the same user would just pile up on top of the now phantom requests. Fixes: https://fedorahosted.org/sssd/ticket/1655
* NSS: Fix netgroup midpoint cache refresh | Jakub Hrozek | 2013-01-29 | 3 | -3/+3
  https://fedorahosted.org/sssd/ticket/1683 The result of the percent calculation was always 0 as it used plain ints. The patch switches to using explicit floats to avoid reintroducing the bug again even with brackets.
* responder_dp: Add timeout to side requests | Simo Sorce | 2013-01-29 | 1 | -1/+25
  This is an additional protection in case the provider misbehaves to avoid having requests pending forever. Fixes: https://fedorahosted.org/sssd/ticket/1717
* Do not always return PAM_SYSTEM_ERR when offline krb5 authentication fails | Jakub Hrozek | 2013-01-29 | 3 | -18/+56
* Free the internal DP request | Jakub Hrozek | 2013-01-29 | 1 | -0/+8
* LDAP: Check validity of naming_context | Jakub Hrozek | 2013-01-29 | 1 | -1/+1
  https://fedorahosted.org/sssd/ticket/1581 If the namingContext attribute had no values or multiple values, then our code would dereference a NULL pointer.
* LDAP: Handle empty namingContexts values safely | Stephen Gallagher | 2013-01-29 | 1 | -0/+8
  Certain LDAP servers can return an empty string as the value of namingContexts. We need to treat these as NULL so that we can fail gracefully. https://fedorahosted.org/sssd/ticket/1542
* Initialize Kerberos ticket renewal in the IPA provider | Jakub Hrozek | 2012-10-11 | 1 | -0/+13
  Fixes https://fedorahosted.org/sssd/ticket/1526 in the 1.8 branch
* FO: Check server validity before setting status (tag: sssd-1_8_5) | Jakub Hrozek | 2012-10-03 | 7 | -33/+49
  The list of resolved servers is allocated on the back end context and kept in the fo_service structure. However, a single request often resolves a server and keeps a pointer until the end of a request and only then gives feedback about the server based on the request result. This presents a big race condition in case the SRV resolution is used. When there are requests coming in in parallel, it is possible that an incoming request will invalidate a server until another request that holds a pointer to the original server is able to give a feedback. This patch simply checks if a server is in the list of servers maintained by a service before reading its status. https://fedorahosted.org/sssd/ticket/1364
* KRB5: Return PAM_AUTH_ERR on incorrect password | Jakub Hrozek | 2012-09-21 | 1 | -30/+39
  https://fedorahosted.org/sssd/ticket/1515
* Move SELinux processing from session to account PAM stack | Timo Aaltonen | 2012-09-07 | 1 | -66/+66
  Stops the session stack from returning an error when SELinux is not used. Partial backport from commit 7016947229edcaa268a82bf69fde37e521b13233
* Use PTHREAD_MUTEX_ROBUST to avoid deadlock in the client | Jakub Hrozek | 2012-09-07 | 1 | -6/+90
  https://fedorahosted.org/sssd/ticket/1460
* Fixed wrong number in shadowLastChange | Jan Zeleny | 2012-09-07 | 1 | -1/+2
  The attribute is supposed to contain the number of days since the epoch, not the number of seconds.
* KRB5: Only return PAM error for unreachable kpasswd when performing chpass | Jakub Hrozek | 2012-09-07 | 1 | -2/+4
  https://fedorahosted.org/sssd/ticket/1452
* SYSDB: Make sysdb_attrs_get_el_int() public | Jakub Hrozek | 2012-08-21 | 2 | -8/+10
  Also rename it to sysdb_attrs_get_el_ext()
* Process all groups from a single nesting level | Jakub Hrozek | 2012-08-21 | 1 | -4/+14
  https://bugzilla.redhat.com/show_bug.cgi?id=846664 If the first group was cached when processing the nested group membership, we would call tevent_req_done, effectively marking the whole nesting level as done.
* Make the client idle timeout configurable | Stephen Gallagher | 2012-06-18 | 7 | -5/+43
* Add support for terminating idle connections | Shantanu Goel | 2012-06-18 | 2 | -2/+67
* Do not send SIGPIPE on disconnection | Shantanu Goel | 2012-06-18 | 1 | -6/+21
  Note we set MSG_NOSIGNAL to avoid having to fiddle with signal masks but also do not want to die in case SIGPIPE gets raised and the application does not handle it.
* Log message if close() fails in destructor. | Shantanu Goel | 2012-06-18 | 1 | -1/+12
* Set return errno to the value prior to calling close(). | Shantanu Goel | 2012-06-18 | 1 | -2/+2
* Send the correct enumeration request | Jakub Hrozek | 2012-06-18 | 1 | -1/+1
  https://fedorahosted.org/sssd/ticket/1329
* Provide "service filter" for SELinux context | Jan Zeleny | 2012-06-14 | 1 | -0/+28
  At this moment we will support only asterisk, designating "all services". https://fedorahosted.org/sssd/ticket/1360
* Use HTML_TIMESTAMP instead of HTML_FOOTER_DESCRIPTION | Jakub Hrozek | 2012-06-13 | 3 | -9/+12
  https://fedorahosted.org/sssd/ticket/1271
* SSH: Don't abort connection in sss_ssh_knownhostsproxy when DNS records are missing | Jan Cholasta | 2012-05-31 | 1 | -36/+49
  https://fedorahosted.org/sssd/ticket/1356
* SSH: Suppress error message output in sss_ssh_knownhostsproxy | Jan Cholasta | 2012-05-31 | 2 | -15/+8
* SSH: Update sss_ssh_knownhostsproxy manual page | Jan Cholasta | 2012-05-31 | 1 | -1/+1
  Don't use GlobalKnownHostsFile2 in ssh_config, as it has been deprecated in OpenSSH 5.9.
* Updating translations for 1.8.4 release (tag: sssd-1_8_4) | Stephen Gallagher | 2012-05-30 | 10 | -56/+718
* Revert the client packet length, too, after reverting the packet protocol | Jakub Hrozek | 2012-05-29 | 1 | -1/+1
* NSS: Restore original protocol for getservbyport | Stephen Gallagher | 2012-05-25 | 2 | -3/+4
  When fixing an endianness bug, we changed the protocol unnecessarily.
* Send 16bit protocol numbers from the sss_client | Jakub Hrozek | 2012-05-25 | 2 | -7/+8
  https://fedorahosted.org/sssd/ticket/1348
* Use sized_string correctly in FQDN domains | Jakub Hrozek | 2012-05-23 | 1 | -2/+2
* Fixed issue in SELinux user maps | Jan Zeleny | 2012-05-22 | 1 | -0/+2
  There was an issue when IPA provider didn't set PAM_SUCCESS when successfully finished loading SELinux user maps. This led to the map not being read in the responder.
* LDAP nested groups: Do not process callback with _post deep in the nested structure | Jakub Hrozek | 2012-05-22 | 1 | -12/+10
  https://fedorahosted.org/sssd/ticket/1343
* Remove erroneous failure message in find_principal_in_keytab | Stef Walter | 2012-05-22 | 2 | -2/+4
  * When it's actually a failure, then the callers will print a message. Fine tune this.
* If canon'ing principals, write ccache with updated default principal | Stef Walter | 2012-05-22 | 2 | -3/+8
  * When calling krb5_get_init_creds_keytab() with krb5_get_init_creds_opt_set_canonicalize() the credential principal can get updated.
  * Create the cache file with the correct default credential.
  * LDAP GSSAPI SASL would fail due to the mismatched credentials before this patch.
  https://bugzilla.redhat.com/show_bug.cgi?id=811518
* KRB5: Avoid NULL-dereference with empty keytab | Stephen Gallagher | 2012-05-22 | 1 | -7/+13
  https://fedorahosted.org/sssd/ticket/1330
* Limit krb5_get_init_creds_keytab() to etypes in keytab | Stef Walter | 2012-05-22 | 4 | -0/+181
  * Load the enctypes for the keys in the keytab and pass them to krb5_get_init_creds_keytab().
  * This fixes the problem where the server offers an enctype that krb5 supports, but we don't have a key for in the keytab.
  https://bugzilla.redhat.com/show_bug.cgi?id=811375
* Warn to syslog when dereference requests fail | Ariel Barria | 2012-05-22 | 1 | -2/+2
* NSS: Expire in-memory netgroup cache before the nowait timeout | Stephen Gallagher | 2012-05-16 | 1 | -1/+9
  The fact that we were keeping it in memory for the full duration of the cache timeout meant that we would never reap the benefits of the midpoint cache refresh. https://fedorahosted.org/sssd/ticket/1340
* Use the sysdb attribute name, not LDAP attribute name | Jakub Hrozek | 2012-05-16 | 2 | -2/+2
* Potential NULL dereference in proxy provider | Ariel Barria | 2012-05-14 | 1 | -1/+1
* murmurhash: Relax inline requirement | Stephen Gallagher | 2012-05-11 | 1 | -2/+2
* SYSDB: Handle user and group renames better | Jakub Hrozek | 2012-05-11 | 2 | -7/+182
  Fixes a regression in the local domain tools where sss_groupadd no longer detected a GID duplicate. The check for EEXIST is moved one level up into more high level function. The patch also adds the same rename support for users. I found it odd that we allowed a rename of groups but not users. There is a catch when storing a user -- his cached password would be gone. I think that renaming a user is such a rare operation that it's not severe, plus there is a warning in the logs.