sssd.git/src/responder/nss, branch token2 System Security Services Daemon [okos' clone] NSS: Descend into subdomains if enumerate=true 2013-08-28T16:08:42+00:00 Jakub Hrozek jhrozek@redhat.com 2013-08-21T14:27:50+00:00 8b9fc71516a3da83b6e0e551ec0ad9aaa19bc7bc Since we now store the enumerate flag in sysdb for subdomains, we can always descend to all available subdomains and if they do not allow enumeration, simply skip them. 
Since we now store the enumerate flag in sysdb for subdomains, we can
always descend to all available subdomains and if they do not allow
enumeration, simply skip them.
mmap_cache: Use stricter check for hash keys. 2013-08-28T14:47:41+00:00 Lukas Slebodnik lslebodn@redhat.com 2013-08-19T05:24:46+00:00 b8d0374cd23db90fce203292ff547641f62e338a ht_size is size of hash_table in bytes, but hash keys have type uint32_t 
ht_size is size of hash_table in bytes, but hash keys have type uint32_t
mmap_cache: Skip records which doesn't have same hash 2013-08-28T14:43:50+00:00 Lukas Slebodnik lslebodn@redhat.com 2013-08-19T03:39:28+00:00 4662725ffef62b3b2502481438effa7c8fef9f80 The code uses 2 hashes for each record, but only one hash table to index them both, furthermore each record has only one single 'next' pointer. This means that in certain conditions a record main end up being on a hash chain even though its hashes do not match the hash chain. This can happen when another record 'drags' it in from another hash chain where they both belong. If the record without matching hashes happens to be the second of the chain and the first record is removed, then the non matching record is left on the wrong chain. On removal of the non-matching record the hash chain will not be updated and the hash chain will end up pointing to an invalid slot. This slot may be later reused for another record and may not be the first slot of this new record. In this case the hash chain will point to arbitrary data and may cause issues if the slot is interpreted as the head of a record. By skipping any block that has no matching hashes upon removing the first record in a chain we insure that dangling references cannot be left in the hash table Resolves: https://fedorahosted.org/sssd/ticket/2049 
The code uses 2 hashes for each record, but only one hash table to
index them both, furthermore each record has only one single 'next'
pointer.

This means that in certain conditions a record main end up being on a
hash chain even though its hashes do not match the hash chain. This can
happen when another record 'drags' it in from another hash chain where
they both belong.

If the record without matching hashes happens to be the second of the
chain and the first record is removed, then the non matching record is
left on the wrong chain. On removal of the non-matching record the hash
chain will not be updated and the hash chain will end up pointing to an
invalid slot.
This slot may be later reused for another record and may not be the
first slot of this new record. In this case the hash chain will point to
arbitrary data and may cause issues if the slot is interpreted as the
head of a record.

By skipping any block that has no matching hashes upon removing the
first record in a chain we insure that dangling references cannot be
left in the hash table

Resolves:
https://fedorahosted.org/sssd/ticket/2049
mmap_cache: Use sss_atomic_write_s instead of write. 2013-08-22T17:42:31+00:00 Michal Zidek mzidek@redhat.com 2013-08-21T13:26:36+00:00 1f7fb30cc25765e54841e5d5f4192c12e3b29a16 Use sss_atomic_write_s() instead of write() in sss_mc_save_corrupted(). Also unlink() the file if no data were written. It is better to use sss_atomic_write_s instead of write 
Use sss_atomic_write_s() instead of write() in
sss_mc_save_corrupted(). Also unlink() the file if no data
were written.

It is better to use sss_atomic_write_s instead of write
mmap_cache: Store corrupted mmap cache before reset 2013-08-19T20:24:41+00:00 Michal Zidek mzidek@redhat.com 2013-08-12T14:23:59+00:00 f9091077bfbb09f052d08e25ac5e00af0baa6dfb This patch adds function to store corrupted mmap cache file to disk for further analysis. 
This patch adds function to store corrupted mmap cache file to
disk for further analysis.
mmap_cache: Use better checks for corrupted mc in responder 2013-08-19T18:51:03+00:00 Michal Zidek mzidek@redhat.com 2013-08-15T14:08:17+00:00 441e6050f4b67134d15862e401b4c4e8546d7387 We introduced new way to check integrity of memcache in the client code. We should use similiar checks in the responder. 
We introduced new way to check integrity of memcache in the
client code. We should use similiar checks in the responder.
mmap_cache: Off by one error. 2013-08-19T18:51:03+00:00 Michal Zidek mzidek@redhat.com 2013-08-14T16:22:06+00:00 13df7b9e400211c717284fb841c849ba034ed348 Removes off by one error when using macro MC_SIZE_TO_SLOTS and adds new macro MC_SLOT_WITHIN_BOUNDS. 
Removes off by one error when using macro MC_SIZE_TO_SLOTS
and adds new macro MC_SLOT_WITHIN_BOUNDS.
fill_initgr: add original primary GID if available 2013-08-19T10:53:49+00:00 Sumit Bose sbose@redhat.com 2013-08-14T15:13:13+00:00 39f13b3bf5b3cf79f5f16575403f03b539300dc7 In some cases when MPG domains are used the information about the original primary group of a user cannot be determined by looking at the explicit group memberships. In those cases the GID related to the original primary group is stored in a special attribute of the user object. This patch adds the GID of the original primary group when available and needed. Fixes https://fedorahosted.org/sssd/ticket/2027 
In some cases when MPG domains are used the information about the
original primary group of a user cannot be determined by looking at
the explicit group memberships. In those cases the GID related to the
original primary group is stored in a special attribute of the user
object.

This patch adds the GID of the original primary group when available and
needed.

Fixes https://fedorahosted.org/sssd/ticket/2027
mmap_cache: Check if slot and name_ptr are not invalid. 2013-08-11T18:36:21+00:00 Michal Zidek mzidek@redhat.com 2013-08-05T18:59:33+00:00 9028706a00da1bc48547e74aa872c825ac15adb2 This patch prevents jumping outside of allocated memory in case of corrupted slot or name_ptr values. It is not proper solution, just hotfix until we find out what is the root cause of ticket https://fedorahosted.org/sssd/ticket/2018 
This patch prevents jumping outside of allocated memory in
case of corrupted slot or name_ptr values. It is not proper
solution, just hotfix until we find out what is the root cause
of ticket https://fedorahosted.org/sssd/ticket/2018
NSS: Clear cached netgroups if a request comes in from the sss_cache 2013-08-07T22:38:31+00:00 Lukas Slebodnik lslebodn@redhat.com 2013-07-29T13:24:34+00:00 db440b3ba6b848010cf2a1fe9f76db394ce860da In order for sss_cache to work correctly, we must also signal the nss responder to invalidate the hash table requests. https://fedorahosted.org/sssd/ticket/1759 
In order for sss_cache to work correctly, we must also signal the nss
responder to invalidate the hash table requests.

https://fedorahosted.org/sssd/ticket/1759