sssd.git/src/tests, branch rhel5.10 System Security Services Daemon [okos' clone] TOOLS: Use file descriptor to avoid races when creating a home directory 2013-05-16T09:06:07+00:00 Ondrej Kos okos@redhat.com 2013-02-07T10:26:45+00:00 c7b75b4069e53ab7e3013641782cd6a0958a77ff When creating a home directory, the destination tree can be modified in various ways while it is being constructed because directory permissions are set before populating the directory. This can lead to file creation and permission changes outside the target directory tree, using hard links. This security problem was assigned CVE-2013-0219 https://fedorahosted.org/sssd/ticket/1782 
When creating a home directory, the destination tree can be modified in
various ways while it is being constructed because directory
permissions
are set before populating the directory. This can lead to file creation
and permission changes outside the target directory tree, using hard
links.

This security problem was assigned CVE-2013-0219

https://fedorahosted.org/sssd/ticket/1782
Only do one cycle when resolving a server 2012-06-04T18:18:47+00:00 Jakub Hrozek jhrozek@redhat.com 2012-06-04T09:07:19+00:00 0d2c1deeb761144a671ce37fa39ed8bc6667936f Rename fo_get_server_name to fo_get_server_str_name fo_get_server_name() getter for a server name Allows to be more concise in tests and more defensive in resolve callbacks Only do one cycle when resolving a server https://fedorahosted.org/sssd/ticket/1214 Detect cycle in the fail over on subsequent resolve requests only 
Rename fo_get_server_name to fo_get_server_str_name

fo_get_server_name() getter for a server name

Allows to be more concise in tests and more defensive in resolve
callbacks

Only do one cycle when resolving a server

https://fedorahosted.org/sssd/ticket/1214

Detect cycle in the fail over on subsequent resolve requests only
Append PID to sbus server socket name, let clients use a symlink 2011-10-26T14:29:39+00:00 Jakub Hrozek jhrozek@redhat.com 2011-10-05T15:52:06+00:00 910f14ced1b5b7783f13f26b4ead776b96f567d5 Add option to follow symlinks to check_file() Append PID to sbus server socket name, let clients use a symlink https://fedorahosted.org/sssd/ticket/1034 
Add option to follow symlinks to check_file()

Append PID to sbus server socket name, let clients use a symlink

https://fedorahosted.org/sssd/ticket/1034
Provide python bindings for the HBAC evaluator library 2011-10-26T14:29:38+00:00 Jakub Hrozek jhrozek@redhat.com 2011-05-30T07:57:19+00:00 817d3fe806506c637988cf99c7ab774345292e05 Fixes for python HBAC bindings These changes were proposed during a review: * Change the signature of str_concat_sequence() to const char * * use a getsetter for HbacRule.enabled to allow string true/false and integer 1/0 in addition to bool * fix a minor memory leak (HbacRequest.rule_name) * remove overzealous discard consts Fix python HBAC bindings for python <= 2.4 Several parts of the HBAC python bindings did not work with old Python versions, such as the one shipped in RHEL5. The changes include: * a compatibility wrapper around python set object * PyModule_AddIntMacro compat macro * Py_ssize_t compat definition * Do not use PyUnicode_FromFormat * several function prototypes and structures used to have "char arguments where they have "const char *" in recent versions. This caused compilation warnings this patch mitigates by using the discard_const hack on python 2.4 Remove dead code from python HBAC bindings https://fedorahosted.org/sssd/ticket/935 Handle allocation error in python HBAC bindings https://fedorahosted.org/sssd/ticket/934 HBAC rule validation Python bindings https://fedorahosted.org/sssd/ticket/943 
Fixes for python HBAC bindings

These changes were proposed during a review:
 * Change the signature of str_concat_sequence() to const char *
 * use a getsetter for HbacRule.enabled to allow string true/false and
   integer 1/0 in addition to bool
 * fix a minor memory leak (HbacRequest.rule_name)
 * remove overzealous discard consts

Fix python HBAC bindings for python <= 2.4

Several parts of the HBAC python bindings did not work with old Python
versions, such as the one shipped in RHEL5.

The changes include:
* a compatibility wrapper around python set object
* PyModule_AddIntMacro compat macro
* Py_ssize_t compat definition
* Do not use PyUnicode_FromFormat
* several function prototypes and structures used to have "char
  arguments where they have "const char *" in recent versions.
  This caused compilation warnings this patch mitigates by using
  the discard_const hack on python 2.4

Remove dead code from python HBAC bindings

https://fedorahosted.org/sssd/ticket/935

Handle allocation error in python HBAC bindings

https://fedorahosted.org/sssd/ticket/934

HBAC rule validation Python bindings

https://fedorahosted.org/sssd/ticket/943
Rewrite HBAC rule evaluator 2011-10-26T14:29:38+00:00 Stephen Gallagher sgallagh@redhat.com 2011-06-07T02:26:28+00:00 9a58bc432bb9bc4ae4c452c5e600c94d4fc1c5a0 Add helper function msgs2attrs_array This function converts a list of ldb_messages into a list of sysdb_attrs. Conflicts: src/providers/ldap/ldap_common.c src/providers/ldap/ldap_common.h Add HBAC evaluator and tests Add helper functions for looking up HBAC rule components Remove old HBAC implementation Add new HBAC lookup and evaluation routines Conflicts: Makefile.am Add ipa_hbac_refresh option This option describes the time between refreshes of the HBAC rules on the IPA server. Add ipa_hbac_treat_deny_as option By default, we will treat the presence of any DENY rule as denying all users. This option will allow the admin to explicitly ignore DENY rules during a transitional period. Treat NULL or empty rhost as unknown Previously, we were assuming this meant it was coming from the localhost, but this is not a safe assumption. We will now treat it as unknown and it will fail to match any rule that requires a specified srchost or group of srchosts. libipa_hbac: Support case-insensitive comparisons with UTF8 UTF8 HBAC test Fix memory leak in ipa_hbac_evaluate_rules https://fedorahosted.org/sssd/ticket/933 Fix incorrect NULL check in ipa_hbac_common.c https://fedorahosted.org/sssd/ticket/936 Require matched version and release for libipa_hbac Add rule validator to libipa_hbac https://fedorahosted.org/sssd/ticket/943 
Add helper function msgs2attrs_array

This function converts a list of ldb_messages into a list of
sysdb_attrs.

Conflicts:

	src/providers/ldap/ldap_common.c
	src/providers/ldap/ldap_common.h

Add HBAC evaluator and tests

Add helper functions for looking up HBAC rule components

Remove old HBAC implementation

Add new HBAC lookup and evaluation routines

Conflicts:

	Makefile.am

Add ipa_hbac_refresh option

This option describes the time between refreshes of the HBAC rules
on the IPA server.

Add ipa_hbac_treat_deny_as option

By default, we will treat the presence of any DENY rule as denying
all users. This option will allow the admin to explicitly ignore
DENY rules during a transitional period.

Treat NULL or empty rhost as unknown

Previously, we were assuming this meant it was coming from the
localhost, but this is not a safe assumption. We will now treat it
as unknown and it will fail to match any rule that requires a
specified srchost or group of srchosts.

libipa_hbac: Support case-insensitive comparisons with UTF8

UTF8 HBAC test

Fix memory leak in ipa_hbac_evaluate_rules

https://fedorahosted.org/sssd/ticket/933

Fix incorrect NULL check in ipa_hbac_common.c

https://fedorahosted.org/sssd/ticket/936

Require matched version and release for libipa_hbac

Add rule validator to libipa_hbac

https://fedorahosted.org/sssd/ticket/943
Honor the TTL value of SRV record lookups 2011-10-26T14:29:37+00:00 Jakub Hrozek jhrozek@redhat.com 2011-06-10T12:01:17+00:00 5644466f51273d55ba2b4b2931fada06c2d837fe Add new resolv_hostent data structure and utility functions Resolve hosts by name from files into resolv_hostent Resolve hosts by name from DNS into resolv_hostent Switch resolver to using resolv_hostent and honor TTL Conflicts: src/providers/fail_over.c Provide TTL structure names for c-ares < 1.7 https://fedorahosted.org/sssd/ticket/898 In c-ares 1.7, the upstream renamed the addrttl/addr6ttl structures to ares_addrttl/ares_addr6ttl so they are in the ares_ namespace. Because they are committed to stable ABI, the contents are the same, just the name changed -- so it is safe to just #define the new name for older c-ares version in case the new one is not detected in configure time. 
Add new resolv_hostent data structure and utility functions

Resolve hosts by name from files into resolv_hostent

Resolve hosts by name from DNS into resolv_hostent

Switch resolver to using resolv_hostent and honor TTL

Conflicts:

	src/providers/fail_over.c

Provide TTL structure names for c-ares < 1.7

https://fedorahosted.org/sssd/ticket/898

In c-ares 1.7, the upstream renamed the addrttl/addr6ttl structures to
ares_addrttl/ares_addr6ttl so they are in the ares_ namespace.

Because they are committed to stable ABI, the contents are the same, just
the name changed -- so it is safe to just #define the new name for older
c-ares version in case the new one is not detected in configure time.
Handle non-POSIX groups in nesting 2011-10-26T14:29:37+00:00 Jan Zeleny jzeleny@redhat.com 2011-05-23T11:08:01+00:00 9c47bdef9d2d67e7fed31201f7007b7dd9e85903 Added sysdb_attrs_get_bool() function Non-posix group processing - sysdb changes Non-posix group processing - ldap provider and nss responder 
Added sysdb_attrs_get_bool() function

Non-posix group processing - sysdb changes

Non-posix group processing - ldap provider and nss responder
Clear up -Wunused-but-set-variable warnings 2011-10-26T14:28:56+00:00 Stephen Gallagher sgallagh@redhat.com 2011-02-10T19:24:19+00:00 aa1c87cdcfbecb50b26f1a2fbe5d9a902ea45547 






Use fake groups during IPA initgroups
2011-03-23T10:48:36+00:00

Jakub Hrozek
jhrozek@redhat.com

2011-03-17T16:54:06+00:00

851e91d2f5959db4d1001c80d46bab349de4ffa2

Add originalDN to fake groups

Use fake groups during IPA schema initgroups

https://fedorahosted.org/sssd/ticket/822

Use sysdb_attrs_primary_name() in sdap_initgr_nested_store_group





Add originalDN to fake groups

Use fake groups during IPA schema initgroups

https://fedorahosted.org/sssd/ticket/822

Use sysdb_attrs_primary_name() in sdap_initgr_nested_store_group







Use realm for basedn instead of IPA domain
2011-03-07T19:58:16+00:00

Jakub Hrozek
jhrozek@redhat.com

2011-02-23T16:40:44+00:00

1184c6ef1c36fbd2304fe18ff7720fceada1aab0

https://fedorahosted.org/sssd/ticket/807





https://fedorahosted.org/sssd/ticket/807