sssd2.git, branch sssd-1-8

sysdb: try dealing with binary-content attributes

2013-02-26T16:22:16+00:00

https://fedorahosted.org/sssd/ticket/1818

I have here a LDAP user entry which has this attribute

	loginAllowedTimeMap::
	 AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA

In the function sysdb_attrs_add_string(), called from
sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is
the wrong thing to do. The result of strlen is then used to populate
the .v_length member of a struct ldb_val - and this will set it to
zero in this case. (There is also the problem that there may not be
a '\0' at all in the blob.)

Subsequently, .v_length being 0 makes ldb_modify(), called from
sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End
result is that users do not get stored in the sysdb, and programs like
`id` or `getent ...` show incomplete information.

The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave
fine, but that may not mean that is the absolute lower boundary of
introduction of the problem.

SSSD fails to store users if any of the requested attribute is empty.

2013-02-21T10:14:08+00:00

https://fedorahosted.org/sssd/ticket/1440

Updating the version for the 1.8.7 release

2013-01-29T16:12:24+00:00

Include the auth_utils.h header in the distribution

2013-01-29T15:49:26+00:00

TOOLS: Compile on old platforms such as RHEL5

2013-01-29T15:18:28+00:00

Provides compatible declarations for modern file management functions
such as futimens or opening with the O_CLOEXEC flag

TOOLS: Use file descriptor to avoid races when creating a home directory

2013-01-29T15:18:18+00:00

When creating a home directory, the destination tree can be modified in
various ways while it is being constructed because directory
permissions
are set before populating the directory. This can lead to file creation
and permission changes outside the target directory tree, using hard
links.

This security problem was assigned CVE-2013-0219

https://fedorahosted.org/sssd/ticket/1782

TOOLS: Use openat/unlinkat when removing the homedir

2013-01-29T15:18:03+00:00

The removal of a home directory is sensitive to concurrent modification
of the directory tree being removed and can unlink files outside the
directory tree.

This security issue was assigned CVE-2013-0219

https://fedorahosted.org/sssd/ticket/1782

nested groups: fix group lookup hangs if member dn is incorrect

2013-01-29T14:44:36+00:00

https://fedorahosted.org/sssd/ticket/1783

When dn in member attribute is invalid (e.g. rdn instead of dn)
or it is outside of configured search bases, we might hit a situation
when tevent_req is marked as done before any callback could be
attached on it.

Restart services with a delay in case they are restarted too often

2013-01-29T13:05:29+00:00

In case a service is restarted while the DP is not ready yet, it gets
restarted again immediatelly, which means the DP might still not be
ready. The allowed number of restarts is then depleted quickly.

This patch changes the restart mechanism such that the first restart
happens immediatelly, the second is scheduled after 2 second, then 4
etc..

https://fedorahosted.org/sssd/ticket/1528

Check that strings do not go beyond the end of the packet body in autofs and SSH requests.

2013-01-29T12:58:38+00:00

This fixes CVE-2013-0220.

https://fedorahosted.org/sssd/ticket/1781