sssd.git/src/db, branch sudo Unnamed repository; edit this file 'description' to name the repository. sysdb: sanitize search filter input 2017-10-11T15:28:53+00:00 Sumit Bose sbose@redhat.com 2017-10-05T09:07:38+00:00 1f2662c8f97c9c0fa250055d4b6750abfc6d0835 This patch sanitizes the input for sysdb searches by UPN/email, SID and UUID. This security issue was assigned CVE-2017-12173 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
This patch sanitizes the input for sysdb searches by UPN/email, SID and
UUID.

This security issue was assigned CVE-2017-12173

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
sysdb: add missing indices 2017-09-14T15:05:56+00:00 Sumit Bose sbose@redhat.com 2017-09-05T10:49:54+00:00 9acdf51bf32d7b4389f3faea0fc6b73c56b6da71 Resolves https://pagure.io/SSSD/sssd/issue/3472 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Resolves https://pagure.io/SSSD/sssd/issue/3472

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
SUDO: Use initgr_with_views when looking up a sudo user 2017-09-08T15:02:49+00:00 Jakub Hrozek jhrozek@redhat.com 2017-08-22T20:32:19+00:00 dee665060ba71ff61ad223e755ae61441118fbba The sudo responder code didn't take views into account when looking for rules, which resulted in sudo rules being ignored if the user's name was overriden. Please see the ticket for a detailed info on how to reproduce the bug. Resolves: https://pagure.io/SSSD/sssd/issue/3488 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
The sudo responder code didn't take views into account when looking for
rules, which resulted in sudo rules being ignored if the user's name was
overriden.

Please see the ticket for a detailed info on how to reproduce the bug.

Resolves:
https://pagure.io/SSSD/sssd/issue/3488

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
SYSDB: Add sysdb_search_by_orig_dn() 2017-09-05T09:13:16+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-06-02T11:26:49+00:00 e5c42c2630093d3020b3c4944cce1646325bc236 Three new methods have been added to sysdb's API in order to perform search by the orig dn (which is quite common in SSSD's code base). A common/base method called sysdb_search_by_orig_dn() is the most important one and then a few other helpers for searching users and groups groups directly. Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Three new methods have been added to sysdb's API in order to perform
search by the orig dn (which is quite common in SSSD's code base).

A common/base method called sysdb_search_by_orig_dn() is the most
important one and then a few other helpers for searching users and
groups groups directly.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
SYSDB: Add sessionRecording attribute macro 2017-07-27T08:32:41+00:00 Nikolai Kondrashov Nikolai.Kondrashov@redhat.com 2017-03-17T10:35:51+00:00 90fb7d3e61423ff1375e9f552f4b58e5173ad3d1 Add a macro for sessionRecording attribute to sysdb.h. To be used for storing a boolean attribute signifying if session recording is enabled for the user. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Add a macro for sessionRecording attribute to sysdb.h.
To be used for storing a boolean attribute signifying if session
recording is enabled for the user.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Fix minor typos 2017-07-26T15:46:11+00:00 Yuri Chornoivan yurchor@ukr.net 2017-07-26T13:45:35+00:00 77e5c3fc26085f18277a70ffbd6351a8130963e7 Merges: https://pagure.io/SSSD/sssd/pull-request/3456 Reviewed-by: Michal Židek <mzidek@redhat.com> 
Merges: https://pagure.io/SSSD/sssd/pull-request/3456

Reviewed-by: Michal Židek <mzidek@redhat.com>
RESPONDER: Use fqnames as output when needed 2017-06-21T09:28:08+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-06-19T07:05:00+00:00 86526891366c4bc3e1ee861143b736d2670a6ba8 As some regressions have been caused by not handling properly naming conflicts when using shortnames, last explicitly use fully qualified names as output in the following situations: - domain resolution order is set; - a trusted domain has been using `use_fully_qualified_name = false` In both cases we want to ensure that even handling shortnames as input, the output will always be fully qualified. As part of this patch, our tests ended up being modified to reflect the changes done. In other words, the tests related to shortnames now return expect as return a fully qualified name for trusted domains. Resolves: https://pagure.io/SSSD/sssd/issue/3403 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
As some regressions have been caused by not handling properly naming
conflicts when using shortnames, last explicitly use fully qualified
names as output in the following situations:
- domain resolution order is set;
- a trusted domain has been using `use_fully_qualified_name = false`

In both cases we want to ensure that even handling shortnames as input,
the output will always be fully qualified.

As part of this patch, our tests ended up being modified to reflect the
changes done. In other words, the tests related to shortnames now return
expect as return a fully qualified name for trusted domains.

Resolves:
https://pagure.io/SSSD/sssd/issue/3403

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
SYSDB: Introduce _search_{users,groups}_by_timestamp() 2017-06-15T09:01:48+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-06-07T13:07:10+00:00 41708e1e500e7cada3d3e606aa2b8b9869a5c734 These new two sysdb methods are going to be used, at least for now, uniquely and exclusively in the cleanup task. The reason for adding those is that during the cleanup task a timestamp search is done in the persistent cache, which doesn't have the updated timestamps, returning then a wrong result that ends up in having all the users being removed from the cache. The persistent cache doesn't have its entries' timestamps updated because those are kept updated in the timestamp cache, therefore these new two methods end up doing: - if the timestamp cache is present: - search for the entries solely in the timestamp cache; - get the needed attributes from these entries from the persistent cache; - otherwise: - search for the entries in the persistent cache; - merge its results with timestamp cache's results; Related: https://pagure.io/SSSD/sssd/issue/3369 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
These new two sysdb methods are going to be used, at least for now,
uniquely and exclusively in the cleanup task.

The reason for adding those is that during the cleanup task a timestamp
search is done in the persistent cache, which doesn't have the updated
timestamps, returning then a wrong result that ends up in having all the
users being removed from the cache.

The persistent cache doesn't have its entries' timestamps updated
because those are kept updated in the timestamp cache, therefore these
new two methods end up doing:
- if the timestamp cache is present:
  - search for the entries solely in the timestamp cache;
  - get the needed attributes from these entries from the persistent
    cache;
- otherwise:
  - search for the entries in the persistent cache;
  - merge its results with timestamp cache's results;

Related:
https://pagure.io/SSSD/sssd/issue/3369

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
SYSDB_OPS: Invalidate a cache entry also in the ts_cache 2017-06-15T09:01:45+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-05-29T11:29:26+00:00 a71f1a655dcc2ca6dc16bb8eb1c4c9e24cfe2c3e Similarly to what has been in the previous commit (expiring an entry also in the timestamp cache), we should do the same when invalidating an entry. Related: https://pagure.io/SSSD/sssd/issue/3369 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Similarly to what has been in the previous commit (expiring an entry
also in the timestamp cache), we should do the same when invalidating an
entry.

Related:
https://pagure.io/SSSD/sssd/issue/3369

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
SYSDB_OPS: Mark an entry as expired also in the timestamp cache 2017-06-15T09:01:41+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-05-29T11:32:59+00:00 9883d1e2913ff0c1db479f1ece8148e03155c7f3 As the cleanup task will start using new methods for searching the users and groups which have to be cleaned up, SSSD starts relying more in a more consistent state of the timestamp cache on pretty much everything related to the cleanup task. One of the things that would cause SSSD some problems is not having the ghost user expired in the persistent cache but not in the timestamp cache. With this patch, the entry is also expired in the timestamp cache when it's present. Related: https://pagure.io/SSSD/sssd/issue/3369 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
As the cleanup task will start using new methods for searching the users
and groups which have to be cleaned up, SSSD starts relying more in a
more consistent state of the timestamp cache on pretty much everything
related to the cleanup task.

One of the things that would cause SSSD some problems is not having the
ghost user expired in the persistent cache but not in the timestamp
cache.

With this patch, the entry is also expired in the timestamp cache when
it's present.

Related:
https://pagure.io/SSSD/sssd/issue/3369

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>