| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
Due to a comparison error, the last warning when an LDAP password was in
its grace period was never displayed.
https://fedorahosted.org/sssd/ticket/1890
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1893
When SSSD is not enumerating (which is the default), we are trying to
link any "ghost" entries with a newly created user entry. However, when
enumeration is on, this means a spurious search on adding any user.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In SSSD, we use dlopen() and dlsym() in two files
src/providers/data_provider_be.c and src/providers/proxy/proxy_init.c.
Hence we should explicitly link with -ldl also in simple_access-tests.
SSSD can be compiled with two crypto libraries nss or libcrypto. NSS has
dependency nspr which depends on "libdl and libpthread" This is a reason why
compilation of test did not fail even if -ldl was not explicitly added to
simple_access_tests_LDADD. But libcrypto doesn't depend on libdl, so in
this case compilation of tests will not be successful.
Upstream nspr 4.9 has two ways have to obtain metainformation about
libraries
pkg-config and own script nspr-config. First one doesn't list "-ldl"
"-lpthread" but second one lists both "-ldl" "-lpthread"
That's also why the Ubuntu maintainer found this bug -- Fedora has got
patched version of nspr, but Debian (Ubuntu) doesn't
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1799
One peculiarity of the sysdb_attrs_get_el interface is that if the
attribute does not exist, then the attrs array is reallocated and the
element is created. But in case other pointers are already pointing
into the array, the realloc might invalidate them.
Such case was in the sdap_process_ghost_members function where if
the group had no members, the "gh" pointer requested earlier might have
been invalidated by the realloc in order to create the member element.
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1880
In the simple access provider, we need to only canonicalize user names when
comparing with values in the ACL, not when searching the cache. The sysdb
searches might do a base search with a DN constructed with the username
which fails if the username is lower case.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In krb5-libs >= 1.11, function krb5_cc_resolve verify if credential cache dir
exists. If it doesn't exist, than it will be created with process permissions
and not user permissions.
Function cc_residual_is_used has already checked for non existing
directory, but it wasn't considered to be a failure and therefore next call
of krb5_init_context will create directory with wrong permissions.
Now if directory doesn't exist, it will be handled like there was not ccache
attribute in sysdb cache. We also check if "primary" file in ccache directory
has right permissions. But we ignore missing "primary" file.
https://fedorahosted.org/sssd/ticket/1822
|
|
|
|
|
|
|
| |
krb5-1.10 used to include "struct krb5_trace_info", now krb5-1.11
includes a "krb5_trace_info" typedefed from "struct _krb5_trace_info".
Do the same in the SSSD to allow compiling with both 1.10 and 1.11.
|
|
|
|
|
|
|
| |
Do not try to remove SELinux login file if SELinux
support is not available.
https://fedorahosted.org/sssd/ticket/1868
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1869
Currently the private data passed to the PAM request is a structure
allocated on the client context. But in the odd case where the back end
would be stopped or stuck until the idle timeout hits, the DP callback
would access data that were freed when the client timed out.
This patch introduces a new structure allocated on responder context,
whose only purpose is to live as long as the request is active.
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1841
|
|
|
|
|
|
|
|
|
|
|
| |
Add option to fallback to fetch local users if rfc2307is being used.
This is useful for cases where people added local users as LDAP members
and rely on these group memberships to be maintained on the local host.
Disabled by default as it violates identity domain separation.
Ticket:
https://fedorahosted.org/sssd/ticket/1020
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changes the simple access provider's interface to be asynchronous. When
the simple access provider encounters a group that has gid, but no
meaningful name, it attempts to resolve the name using the
be_file_account_request function.
Some providers (like the AD provider) might perform initgroups
without resolving the group names. In order for the simple access
provider to work correctly, we need to resolve the groups before
performing the access check. In AD provider, the situation is
even more tricky b/c the groups HAVE name, but their name
attribute is set to SID and they are set as non-POSIX
|
|
|
|
|
|
|
|
|
|
|
| |
The simple access provider unit tests now need to link against the Data
Provider when they start using the be_file_account_request() function.
But then we would start having conflicts as at least the main()
functions would clash.
If UNIT_TESTING is defined, then the data_provider_be.c module does not
contain the main() function and can be linked against directly from
another module that contains its own main() function
|
|
|
|
|
|
|
| |
I realized that the current unit tests for the simple access provider
only tested the user directives. To have a baseline and be able to
detect new bugs in the upcoming patch, I implemented unit tests for the
group lists, too.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order to resolve group names in the simple access provider we need to
contact the Data Provider in a generic fashion from the access provider.
We can't call any particular implementation (like sdap_generic_send())
because we have no idea what kind of provider is configured as the
id_provider.
This patch splits introduces the be_file_account_request() function into
the data_provider_be module and makes it public.
A future patch should make the be_get_account_info function use the
be_get_account_info_send function.
|
|
|
|
|
| |
This condition is invalid because different_realm is not set, when
EINVAL is returned. It can make the test fail sometimes.
|
|
|
|
|
|
| |
This patch adds debug message for the case if sssd
fails to open old mc file for some other reason than
the file does not exist.
|
|
|
|
|
|
|
|
|
| |
File descriptors leaked every time sss_mmap_cache_reinit was
called and also the old memory cache was still maped in memory
(munmap was not called). This patch adds destructor for memory
cache context to call close() and munmap() automaticly.
https://fedorahosted.org/sssd/ticket/1826
|
| |
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1817
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1739
Pointer to packet body may change while filling packet with autofs
mount points. As a consequence, we sometimes wrote the number of
entries into invalid body and we recieved an arbitrary number
on the client side.
If the number was 0, there were some skipped entries. If the number
was greater than 0, everything worked correctly, because we iterate
through the cached entries until we reach packet length - we don't
compare to the number.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1755
sdap_find_entry_by_origDN() may return ENOENT in these
non-error scenarios:
If a member is out of scope of configured nesting level, sssd
produces few noise lines indicating failure.
The worse case is when a member is outside of configured search
bases. In this case we save the group with incomplete membership,
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1737
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1818
I have here a LDAP user entry which has this attribute
loginAllowedTimeMap::
AAAAAAAAAP///38AAP///38AAP///38AAP///38AAP///38AAAAAAAAA
In the function sysdb_attrs_add_string(), called from
sdap_attrs_add_ldap_attr(), strlen() is called on this blob, which is
the wrong thing to do. The result of strlen is then used to populate
the .v_length member of a struct ldb_val - and this will set it to
zero in this case. (There is also the problem that there may not be
a '\0' at all in the blob.)
Subsequently, .v_length being 0 makes ldb_modify(), called from
sysdb_set_entry_attr(), return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX. End
result is that users do not get stored in the sysdb, and programs like
`id` or `getent ...` show incomplete information.
The bug was encountered with sssd-1.8.5. sssd-1.5.11 seemed to behave
fine, but that may not mean that is the absolute lower boundary of
introduction of the problem.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1808
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1795
Only alpha-numeric chars, dashes and underscores are allowed in
krb5 include directory.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1805
|
|
|
|
|
| |
Found by coverity.
https://fedorahosted.org/sssd/ticket/1791
|
|
|
|
| |
Fixes build with automake 1.13 or newer.
|
| |
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1512
If directory where a ccache file was stored was missing and user
was still logged in, we erroneously considered the ccache file
still active. Thus the ccache file was not recreated and user was
unable to login.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1787
|
| |
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1783
When dn in member attribute is invalid (e.g. rdn instead of dn)
or it is outside of configured search bases, we might hit a situation
when tevent_req is marked as done before any callback could be
attached on it.
|
|
|
|
|
| |
Provides compatible declarations for modern file management functions
such as futimens or opening with the O_CLOEXEC flag
|
|
|
|
|
|
| |
intensive
https://fedorahosted.org/sssd/ticket/1732
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When creating a home directory, the destination tree can be modified in
various ways while it is being constructed because directory permissions
are set before populating the directory. This can lead to file creation
and permission changes outside the target directory tree, using hard links.
This security problem was assigned CVE-2013-0219
https://fedorahosted.org/sssd/ticket/1782
|
|
|
|
|
|
|
|
|
|
| |
The removal of a home directory is sensitive to concurrent modification
of the directory tree being removed and can unlink files outside the
directory tree.
This security issue was assigned CVE-2013-0219
https://fedorahosted.org/sssd/ticket/1782
|
|
|
|
|
|
|
|
| |
SSH requests.
This fixes CVE-2013-0220.
https://fedorahosted.org/sssd/ticket/1781
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1779
2^32 should be enough to store sudo rules. size_t type was causing
troubles on big endian architectures, because it wasn't used
correctly in combination with D-Bus.
|
|
|
|
|
|
|
|
| |
When read from the domain section, the pwd_expiration_warning was
properly converted to seconds from days, but not the
pam_pwd_expiration_warning set in the [pam] section.
https://fedorahosted.org/sssd/ticket/1773
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1776
Although cb->list got updated when the callback is removed,
this change did not propagate to be_ctx->*_cb_list which
caused dlist having invalid records.
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1775
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://fedorahosted.org/sssd/ticket/1758
The autofs entries do not have the key as an unique identifier, but
rather the full (key, value) tuple as some keys have a special meaning,
such as the direct mount key (/-) and may be present in a single map
multiple times.
Comparing the full DN that contains both the key and the value will
allow for working updates if either key or value changes.
|
|
|
|
|
|
|
|
|
| |
Related to https://fedorahosted.org/sssd/ticket/1757
Previously we would optimize the mc invalidate code for cases where the
user was a member of some groups. But if the user was removed from the
server while being in memory cache, we would only invalidate the mc
record if he was a member of at least one supplementary group.
|