Considering that sysdb.c is about utilities around our cache and that
sysdb_ops.c is about operations on objects, seems that add_string()
could fit better in sysdb.c.
This move is a suggestion from Jakub Hrozek.
Related: https://fedorahosted.org/sssd/ticket/1656
Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
Reviewed-by: Petr Cech <pcech@redhat.com>
Resolves https://fedorahosted.org/sssd/ticket/3015
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Before scheduling the adcli renewal task, check if the renewal program
(typically adcli) is accessible. If not, do not schedule the renewal
task at all.
Resolves:
https://fedorahosted.org/sssd/ticket/3016
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
When exec() fails, we should not attempt to continue, but just kill the
forked process. The patch adds this logic to the exec_child() and
exec_child_ex() functions to avoid code duplication.
Resolves:
https://fedorahosted.org/sssd/ticket/3016
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
src/tools/files.c: In function ‘copy_file_contents’:
src/tools/files.c:413:12: error: ‘ret’ may be used uninitialized in this
function [-Werror=maybe-uninitialized]
return ret;
^~~
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
There is a redundant function responder_get_neg_timeout_from_confdb().
This patch removes it.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
This patch switches ncache from sudo_ctx to resp_ctx.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
This patch switches ncache from pam_ctx to resp_ctx.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
This patch switches ncache from pac_ctx to resp_ctx.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
This patch switches ncache from ifp_ctx to resp_ctx.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
This patch switches ncache from nss_ctx to resp_ctx.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Preparation for initialization of negative cache in common responder.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Timeout of negative cache is handled by internal negative cache
context. This patch removes neg_timeout from struct nss_ctx.
Resolves:
https://fedorahosted.org/sssd/ticket/2317
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Timeout of negative cache is handled by context of negative cache
itself. This patch removes neg_timeout parameter from ifp_ctx and from
ifp_user_get_attr_state.
Resolves:
https://fedorahosted.org/sssd/ticket/2317
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Timeout of negative cache is handled by context of negative cache. So
this parameter is not needed now.
Resolves:
https://fedorahosted.org/sssd/ticket/2137
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
It removes neg_timeout parameter from pac responder. Timeout is handled
by internal structure of negative cache.
Resolves:
https://fedorahosted.org/sssd/ticket/2317
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
It removes neg_timeout parameter from struct pam_ctx. Timeout is
handled by context of negative cache internally.
This patch additionally removes neg_timeout from struct cache_req_state.
Resolves:
https://fedorahosted.org/sssd/ticket/2317
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
It adds new function to negative cache API:
* int sss_ncache_get_timeout(struct sss_nc_ctx *ctx);
Resolves:
https://fedorahosted.org/sssd/ticket/2317
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
It removes timeout parameter from check functions of negative cache.
Timeout is set by init function and it is handled internally.
API change:
* int sss_ncache_check_...(struct sss_nc_ctx *ctx,
int ttl, <----- timeout vanished
struct sss_domain_info *dom,
...);
Resolves:
https://fedorahosted.org/sssd/ticket/2317
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
It adds timeout of negative cache to handling
struct sss_nc_ctx.
There is one change in API of negative cache:
* int sss_ncache_init(TALLOC_CTX *memctx,
uint32_t timeout, <----- new
struct sss_nc_ctx **_ctx);
There is also one new function in common/responder:
* errno_t responder_get_neg_timeout_from_confdb(struct confdb_ctx *cdb,
uint32_t *ncache_timeout);
Resolves:
https://fedorahosted.org/sssd/ticket/2317
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Resolves:
https://fedorahosted.org/sssd/ticket/3010
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
This patch makes SSSD possibly useful "out of the box" by allowing
packagers to provide a default config file located in $LIBDIR/sssd/conf
that will be copied by the monitor to /etc/sssd if no file already
exists in that location. This will make it possible to have SSSD set up
to have distribution-specific default configuration, such as enabling
the proxy provider to cache /etc/passwd (such as in the provided
example in this patch).
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
New name is SSSD_CONFIG_FILE. This is done because we will start to
ship a static default configuration in addition to the runtime
configuration.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
This is a precursor to supporting a static default configuration file.
We need to be able to copy the default into the mutable location if the
infopipe is asked to modify it.
This patch opens both the source and destination files together in order
to avoid time-of-check/time-of-use bugs.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
In most cases when sbus request parsing finishes, the request is handled
internally and a reply is sent to the caller. However, in handlers that
are parsed and handled completely manually, we might want to be notified
about this case so that the caller of sbus_request_parse_or_finish()
aborts the request and doesn't proceed with using the sbus request which
is already freed internally in sbus_request_parse_or_finish().
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
The PubkeyAgent option has not been supported for some time and references to
it should be removed from our man pages.
Reviewed-by: Jan Cholasta <jcholast@redhat.com>
Reviewed-by: Petr Cech <pcech@redhat.com>
Ubuntu systems use "unity" as their screen-locker. Without this in the
defaults, people often get locked out of their machines when the screen
locks.
Resolves:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1578415
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
There was duplication of mock_rctx().
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Debug message has been doubled.
At a low level, we have a very accurate debug message with description
of situation (in confdb_get_int()). At higher level we inform about
the fatal crash, if it happened.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
As suggested by Rob in
https://fedorahosted.org/sssd/ticket/1907#comment:2
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Since commit 5a5f1e1053415efaa99bb4d5bc7ce7ac0a95b757 the view name
lookup is the last step in the subdomain lookup request. In case of an
error the request should be finished and no previous step should be
called again.
Resolves https://fedorahosted.org/sssd/ticket/2993
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Most Linux distributions create local users from UID 1000.
We used similar UID space in sssd but it might cause
issues in add remove tests because sssd in cwrap environment
runs in the same PID space. If sssd tries to remove user
with uid 1001 it will fail because the local user with the same UID
is active and sssd does not remove active users.
Reviewed-by: Petr Cech <pcech@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
This patch adds new functionality to sss_cache for invalidation of given
sudo rule or all sudo rules.
Resolves:
https://fedorahosted.org/sssd/ticket/2081
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Refactor of sss_cache tool.
Resolves:
https://fedorahosted.org/sssd/ticket/2081
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
There are test functions of sysdb_sudo_rules.
Resolves:
https://fedorahosted.org/sssd/ticket/2081
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
This patch adds two new functions into public
API of sysdb_sudo:
* sysdb_search_sudo_rules
* sysdb_set_sudo_rule_attr
Resolves:
https://fedorahosted.org/sssd/ticket/2081
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
If ttl = -1 then function sss_ncache_check_str() returns EEXIST without
checking negcache. This behaviour is out of logic.
We use ttl = 0 for permanent caching.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
There were sss_ncache_*_uid() functions instead of
sss_ncache_*_gid() functions.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
There was a lot of confusion with different error codes
and where to call sudosrv_cmd_done to finish the client
request. Converting it whole to tevent makes it much
simpler to read and follow the request logic.
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
This is just blind code change, the next patch will improve it so
for example we don't do initgroups during query-parsing phase.
Resolves:
https://fedorahosted.org/sssd/ticket/1126
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
During a pre-authentication request there are always messages like:
... [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
... [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.
This patch removes them.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Error: NULL_RETURNS (CWE-476): [#def31]
sssd-1.13.4/src/providers/ipa/ipa_sudo_conversion.c:964:
returned_null: "ipa_sudo_conv_lookup" returns null.
sssd-1.13.4/src/providers/ipa/ipa_sudo_conversion.c:149:9:
return_null: Explicitly returning null.
sssd-1.13.4/src/providers/ipa/ipa_sudo_conversion.c:964:
var_assigned: Assigning: "cmdgroup" = null return value
from "ipa_sudo_conv_lookup".
sssd-1.13.4/src/providers/ipa/ipa_sudo_conversion.c:966:
dereference: Dereferencing a null pointer "cmdgroup".
# 964| cmdgroup = ipa_sudo_conv_lookup(conv->cmdgroups, listitem->dn);
# 965|
# 966|-> ret = add_strings_lists(mem_ctx, values, cmdgroup->expanded,
# 967| false, discard_const(&values));
# 968| if (ret != EOK) {
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
The function sysdb_search_custom cannot return EOK
and together set output argument count to zero.
This case is already handled in function sysdb_search_entry
which is used inside sysdb_search_custom.
Such useless test can just cause read of uninitialized variable
in case of other errors returned from sysdb_search_custom.
Error: UNINIT (CWE-457): [#def1]
sssd-1.13.4/src/db/sysdb_sudo.c:678:
var_decl: Declaring variable "count" without initializer.
sssd-1.13.4/src/db/sysdb_sudo.c:698:
uninit_use: Using uninitialized value "count".
# 696| SUDORULE_SUBDIR, attrs,
# 697| &count, &msgs);
# 698|-> if (ret == ENOENT || count == 0) {
# 699| DEBUG(SSSDBG_TRACE_FUNC, "No rules matched\n");
# 700| ret = EOK;
Reviewed-by: Pavel Březina <pbrezina@redhat.com>