sssd2.git/src/tests, branch sssd-1-9 System Security Services Daemon [okos' clone] Only try to relink ghost users if we're not enumerating 2013-04-29T18:44:19+00:00 Jakub Hrozek jhrozek@redhat.com 2013-04-29T12:37:27+00:00 3896c82a127ec0858429e04b8019773dbf7e7b92 https://fedorahosted.org/sssd/ticket/1893 When SSSD is not enumerating (which is the default), we are trying to link any "ghost" entries with a newly created user entry. However, when enumeration is on, this means a spurious search on adding any user. 
https://fedorahosted.org/sssd/ticket/1893

When SSSD is not enumerating (which is the default), we are trying to
link any "ghost" entries with a newly created user entry. However, when
enumeration is on, this means a spurious search on adding any user.
Fix simple access group control in case-insensitive domains 2013-04-15T13:03:45+00:00 Jakub Hrozek jhrozek@redhat.com 2013-04-11T07:18:56+00:00 4f57212955827a9062b150c768e8a0c2fb613193 https://fedorahosted.org/sssd/ticket/1880 In the simple access provider, we need to only canonicalize user names when comparing with values in the ACL, not when searching the cache. The sysdb searches might do a base search with a DN constructed with the username which fails if the username is lower case. 
https://fedorahosted.org/sssd/ticket/1880

In the simple access provider, we need to only canonicalize user names when
comparing with values in the ACL, not when searching the cache. The sysdb
searches might do a base search with a DN constructed with the username
which fails if the username is lower case.
Resolve GIDs in the simple access provider 2013-03-19T21:14:02+00:00 Jakub Hrozek jhrozek@redhat.com 2013-02-23T09:44:54+00:00 8b8019fe3dd1564fba657e219ec20ff816c7ffdb Changes the simple access provider's interface to be asynchronous. When the simple access provider encounters a group that has gid, but no meaningful name, it attempts to resolve the name using the be_file_account_request function. Some providers (like the AD provider) might perform initgroups without resolving the group names. In order for the simple access provider to work correctly, we need to resolve the groups before performing the access check. In AD provider, the situation is even more tricky b/c the groups HAVE name, but their name attribute is set to SID and they are set as non-POSIX 
Changes the simple access provider's interface to be asynchronous. When
the simple access provider encounters a group that has gid, but no
meaningful name, it attempts to resolve the name using the
be_file_account_request function.

Some providers (like the AD provider) might perform initgroups
without resolving the group names. In order for the simple access
provider to work correctly, we need to resolve the groups before
performing the access check. In AD provider, the situation is
even more tricky b/c the groups HAVE name, but their name
attribute is set to SID and they are set as non-POSIX
Add unit tests for simple access test by groups 2013-03-19T21:14:02+00:00 Jakub Hrozek jhrozek@redhat.com 2013-03-03T20:43:44+00:00 754b09b5444e6da88ed58d6deaed8b815e268b6b I realized that the current unit tests for the simple access provider only tested the user directives. To have a baseline and be able to detect new bugs in the upcoming patch, I implemented unit tests for the group lists, too. 
I realized that the current unit tests for the simple access provider
only tested the user directives. To have a baseline and be able to
detect new bugs in the upcoming patch, I implemented unit tests for the
group lists, too.
krb5-utils-tests: remove invalid condition 2013-03-13T12:33:54+00:00 Pavel Březina pbrezina@redhat.com 2013-03-13T10:51:18+00:00 b49ca26cebae5bdc53c08239cf19afcb9f8ff579 This condition is invalid because different_realm is not set, when EINVAL is returned. It can make the test fail sometimes. 
This condition is invalid because different_realm is not set, when
EINVAL is returned. It can make the test fail sometimes.
TOOLS: Use file descriptor to avoid races when creating a home directory 2013-01-23T12:58:16+00:00 Jakub Hrozek jhrozek@redhat.com 2013-01-20T19:27:05+00:00 3843b284cd3e8f88327772ebebc7249990fd87b9 When creating a home directory, the destination tree can be modified in various ways while it is being constructed because directory permissions are set before populating the directory. This can lead to file creation and permission changes outside the target directory tree, using hard links. This security problem was assigned CVE-2013-0219 https://fedorahosted.org/sssd/ticket/1782 
When creating a home directory, the destination tree can be modified in
various ways while it is being constructed because directory permissions
are set before populating the directory. This can lead to file creation
and permission changes outside the target directory tree, using hard links.

This security problem was assigned CVE-2013-0219

https://fedorahosted.org/sssd/ticket/1782
Refactor gid handling in the PAC responder 2013-01-08T13:57:29+00:00 Sumit Bose sbose@redhat.com 2012-12-20T20:10:49+00:00 8fe509ca10ff54bd81698e3e6ddcd2b4f711bfde Instead of using a single array of gid-domain_pointer pairs, Simo suggested to use a gid array for each domain an store it with a pointer to the domain. 
Instead of using a single array of gid-domain_pointer pairs, Simo
suggested to use a gid array for each domain an store it with a pointer
to the domain.
Add tests for get_gids_from_pac() 2013-01-08T13:57:29+00:00 Sumit Bose sbose@redhat.com 2012-12-04T12:55:13+00:00 4044e7de63f6904a9a0f8a8f7d330b58c25fff42 






Add find_domain_by_id()
2013-01-08T13:57:29+00:00

Sumit Bose
sbose@redhat.com

2012-11-26T11:33:11+00:00

2d9aa35d2102256bc7195dd1f55aa2e60149294e

Currently domains can only be searched by name in the global domain
list. To make it easier to find the domain for a given SID
find_domain_by_id() which returns a pointer to the domain or subdomain
entry in the global domain list if a matching id was found.





Currently domains can only be searched by name in the global domain
list. To make it easier to find the domain for a given SID
find_domain_by_id() which returns a pointer to the domain or subdomain
entry in the global domain list if a matching id was found.







Use struct pac_grp instead of gid_t for groups from PAC
2013-01-08T13:57:29+00:00

Sumit Bose
sbose@redhat.com

2012-11-23T17:35:08+00:00

7856e34732fdb7b80980d98f80da447a5419e8ee

To be able to handle groupmemberships from other domains more data than
just the gid must be kept for groups given in the PAC.





To be able to handle groupmemberships from other domains more data than
just the gid must be kept for groups given in the PAC.