sssd.git/contrib, branch libwbclient-0.13 Unnamed repository; edit this file to name it for gitweb. MAN: sssd-secrets documentation 2016-09-30T07:09:26+00:00 Jakub Hrozek jhrozek@redhat.com 2016-08-08T15:48:51+00:00 54c64aad71e6792edb7cf99988d9a7f4bc2b0c61 Resolves: https://fedorahosted.org/sssd/ticket/3053 Documents the API and the purpose of the sssd-secrets responder. Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Resolves:
    https://fedorahosted.org/sssd/ticket/3053

Documents the API and the purpose of the sssd-secrets responder.

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
SPEC: Rename python packages using macro %python_provide 2016-09-22T19:44:41+00:00 Lukas Slebodnik lslebodn@redhat.com 2016-09-14T12:31:29+00:00 705bc4480a68f69d287b1c89fe9463a0191987c8 Fedora and epel contains macro %python_provide for simpler renaming of python packages. It will generate correct provides and obsoletes. Reviewed-by: Michal Židek <mzidek@redhat.com> 
Fedora and epel contains macro %python_provide
for simpler renaming of python packages. It will generate correct
provides and obsoletes.

Reviewed-by: Michal Židek <mzidek@redhat.com>
TESTS: Add simple test for double semicolon 2016-09-21T14:46:19+00:00 Lukas Slebodnik lslebodn@redhat.com 2016-09-17T19:12:36+00:00 6ad1f2da4055e2cfe9bf8c79b79e408dba171691 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
TESTS: Add integration tests for the sssd-secrets 2016-09-20T15:34:39+00:00 Jakub Hrozek jhrozek@redhat.com 2016-08-08T15:49:05+00:00 db0982c52294ee5ea08ed242d27660783fde29cd Implements a simple HTTP client and uses it to talk to the sssd-secrets responder. Only the local provider is tested at the moment. Resolves: https://fedorahosted.org/sssd/ticket/3054 Reviewed-by: Petr Čech <pcech@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Implements a simple HTTP client and uses it to talk to the sssd-secrets
responder. Only the local provider is tested at the moment.

Resolves:
https://fedorahosted.org/sssd/ticket/3054

Reviewed-by: Petr Čech <pcech@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
SPEC: Fix typo in Summary 2016-08-26T13:27:15+00:00 Lukas Slebodnik lslebodn@redhat.com 2016-08-19T16:06:45+00:00 afa6891a809db262a49f68913f82a3a6137d8e2e Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
BUILD: Allow to read private pipes for root 2016-08-26T12:29:30+00:00 Lukas Slebodnik lslebodn@redhat.com 2016-08-19T08:46:12+00:00 f49724cd6b3e0e3274302c3d475e93f7a7094f40 Root can read anything from any directory even with permissions 000. However SELinux checks discretionary access control (DAC) and deny access if access is not allowed for root by DAC. The pam_sss use different unix socket /var/lib/sss/pipes/private/pam for user with uid 0. Therefore root need to be able read content of directory with private pipes. type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied { dac_read_search } for pid=20257 comm=vsftpd capability=dac_read_search scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied { dac_override } for pid=20257 comm=vsftpd capability=dac_override scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability Resolves: https://fedorahosted.org/sssd/ticket/3143 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Root can read anything from any directory even with permissions 000.

However SELinux checks discretionary access control (DAC)
and deny access if access is not allowed for root by DAC.
The pam_sss use different unix socket /var/lib/sss/pipes/private/pam
for user with uid 0. Therefore root need to be able read content
of directory with private pipes.

type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc:  denied
  { dac_read_search } for  pid=20257 comm=vsftpd capability=dac_read_search
  scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
  tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability

type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc:  denied
  { dac_override } for  pid=20257 comm=vsftpd capability=dac_override
  scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
  tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability

Resolves:
https://fedorahosted.org/sssd/ticket/3143

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
BUILD: Ship systemd service file for sssd-secrets 2016-08-17T14:55:31+00:00 Jakub Hrozek jhrozek@redhat.com 2016-08-15T12:10:23+00:00 733100a12138a701d0ae7ef5af2b04b08e225033 Adds two new files: sssd-secrets.socket and sssd-secrets.service. These can be used to socket-acticate the secrets responder even without explicitly starting it in the sssd config file. The specfile activates the socket after installation which means that the admin would just be able to use the secrets socket and the sssd_secrets responder would be started automatically by systemd. The sssd-secrets responder is started as root, mostly because I didn't think of an easy way to pass the uid/gid to the responders without asking about the sssd user identity in the first place. But nonetheless, the sssd-secrets responder wasn't tested as non-root and at least the initialization should be performed as root for the time being. Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Adds two new files: sssd-secrets.socket and sssd-secrets.service. These
can be used to socket-acticate the secrets responder even without
explicitly starting it in the sssd config file.

The specfile activates the socket after installation which means that
the admin would just be able to use the secrets socket and the
sssd_secrets responder would be started automatically by systemd.

The sssd-secrets responder is started as root, mostly because I didn't
think of an easy way to pass the uid/gid to the responders without
asking about the sssd user identity in the first place. But nonetheless,
the sssd-secrets responder wasn't tested as non-root and at least the
initialization should be performed as root for the time being.

Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
SPEC: Own the secrets DB path 2016-08-17T14:15:17+00:00 Jakub Hrozek jhrozek@redhat.com 2016-08-16T14:45:36+00:00 b72bf8cf70f8973d805c73a02ec681156ac9396d Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
CI: Use /bin/sh as a CONFIG SHELL 2016-07-22T06:57:05+00:00 Lukas Slebodnik lslebodn@redhat.com 2016-07-21T15:44:58+00:00 35f29b17699c3d52f77857c530300318b14148f8 There is a bug on debian_testing in bash. sh$ valgrind /bin/bash ==25145== Memcheck, a memory error detector ==25145== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. ==25145== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info ==25145== Command: /bin/bash ==25145== ==25145== Invalid read of size 1 ==25145== at 0x4B90B1: ??? (in /bin/bash) ==25145== by 0x43FE9B: initialize_shell_variables (in /bin/bash) ==25145== by 0x41E4C0: ??? (in /bin/bash) ==25145== by 0x41F722: main (in /bin/bash) ==25145== Address 0x58307f8 is 8 bytes before a block of size 31 alloc'd ==25145== at 0x4C2BBCF: malloc (vg_replace_malloc.c:299) ==25145== by 0x475D1A: xmalloc (in /bin/bash) ==25145== by 0x4B7F4A: tilde_expand (in /bin/bash) ==25145== by 0x42E63D: bash_tilde_expand (in /bin/bash) ==25145== by 0x43FE79: initialize_shell_variables (in /bin/bash) ==25145== by 0x41E4C0: ??? (in /bin/bash) ==25145== by 0x41F722: main (in /bin/bash) ==25145== malloc: .././variables.c:570: assertion botched free: called with unallocated block argument last command: (null) Aborting...==25145== And /bin/bash was used as a default SHELL in scripts generated by configure+libtool. It starting to fail with the latest valgrind valgrind-3.12.0~svn20160714-1 Workaround is to use /bin/sh which is a symlink to /bin/dash Reviewed-by: Petr Cech <pcech@redhat.com> 
There is a bug on debian_testing in bash.
  sh$ valgrind /bin/bash
  ==25145== Memcheck, a memory error detector
  ==25145== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
  ==25145== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
  ==25145== Command: /bin/bash
  ==25145==
  ==25145== Invalid read of size 1
  ==25145==    at 0x4B90B1: ??? (in /bin/bash)
  ==25145==    by 0x43FE9B: initialize_shell_variables (in /bin/bash)
  ==25145==    by 0x41E4C0: ??? (in /bin/bash)
  ==25145==    by 0x41F722: main (in /bin/bash)
  ==25145==  Address 0x58307f8 is 8 bytes before a block of size 31 alloc'd
  ==25145==    at 0x4C2BBCF: malloc (vg_replace_malloc.c:299)
  ==25145==    by 0x475D1A: xmalloc (in /bin/bash)
  ==25145==    by 0x4B7F4A: tilde_expand (in /bin/bash)
  ==25145==    by 0x42E63D: bash_tilde_expand (in /bin/bash)
  ==25145==    by 0x43FE79: initialize_shell_variables (in /bin/bash)
  ==25145==    by 0x41E4C0: ??? (in /bin/bash)
  ==25145==    by 0x41F722: main (in /bin/bash)
  ==25145==

  malloc: .././variables.c:570: assertion botched
  free: called with unallocated block argument
  last command: (null)
  Aborting...==25145==

And /bin/bash was used as a default SHELL in scripts generated by
configure+libtool. It starting to fail with the latest valgrind
valgrind-3.12.0~svn20160714-1

Workaround is to use /bin/sh which is a symlink to /bin/dash

Reviewed-by: Petr Cech <pcech@redhat.com>
SPEC: Move nfsidmap plugin to separate package 2016-07-18T12:02:36+00:00 Lukas Slebodnik lslebodn@redhat.com 2016-07-04T16:12:31+00:00 4767ba5ddf13ffe51a48634fd9907391222d967c Resolves: https://fedorahosted.org/sssd/ticket/3024 Reviewed-by: Noam Meltzer <tsnoam@gmail.com> 
Resolves:
https://fedorahosted.org/sssd/ticket/3024

Reviewed-by: Noam Meltzer <tsnoam@gmail.com>