sssd.git/src/responder, branch memberof_default_view Unnamed repository; edit this file to name it for gitweb. SSH-CERT: always initialize cert_verify_opts 2016-07-07T16:13:27+00:00 Sumit Bose sbose@redhat.com 2016-06-17T11:50:55+00:00 ecd48ae244dbb6490989752fba99b58d84babfa6 Currently cert_verify_opts is only initialized when there is an option in the config file. This might cause issues later when the struct is accessed. Since parse_cert_verify_opts() can already handle an empty option the additional check is not needed at all. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Currently cert_verify_opts is only initialized when there is an option
in the config file. This might cause issues later when the struct is
accessed. Since parse_cert_verify_opts() can already handle an empty
option the additional check is not needed at all.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Fix packet size calculation in sss_packet_new 2016-07-07T10:52:01+00:00 Nikolai Kondrashov Nikolai.Kondrashov@redhat.com 2016-07-07T09:48:42+00:00 740bfe1a5bf519de8e13bdce5c4143b0f24d7433 Use division instead of modulo while rounding the created packet size up to a multiple of SSSSRV_PACKET_MEM_SIZE in sss_packet_new. This fixes potentially packet buffer overflows with certain body sizes. Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Use division instead of modulo while rounding the created packet size up
to a multiple of SSSSRV_PACKET_MEM_SIZE in sss_packet_new. This fixes
potentially packet buffer overflows with certain body sizes.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
fix some 'might be used uninitialized' warnings 2016-07-07T08:30:32+00:00 Sumit Bose sbose@redhat.com 2016-07-05T11:22:05+00:00 c88b63b2dd82f7111abc00d93fa8db2707487572 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
SUDO: Add more low-level tracing messages 2016-07-07T08:30:29+00:00 Jakub Hrozek jhrozek@redhat.com 2016-07-02T13:41:28+00:00 573e86dc3156e481ce53d39ac901da2e99cfa0ca Just adds more debugging messages that are handy in seeing what gets passed between sudo responder and client. Reviewed-by: Sumit Bose <sbose@redhat.com> 
Just adds more debugging messages that are handy in seeing what gets
passed between sudo responder and client.

Reviewed-by: Sumit Bose <sbose@redhat.com>
sudo: solve problems with fully qualified names 2016-07-07T08:30:26+00:00 Pavel Březina pbrezina@redhat.com 2016-05-26T09:37:30+00:00 61913b8f0d1ba54d82640500d7486fac5f72b030 sudo expects the same name in sudo rule as login name. Therefore if fully qualified name is used or even enforced by setting use_fully_qualified_names to true or by forcing default domain with default_domain_suffix sssd is able to correctly return the rules but sudo can't match the user with contect of sudoUser attribute since it is not qualified. This patch changes the rules on the fly to avoid using names at all. We do this in two steps: 1. We fetch all rules that match current user name, id or groups and replace sudoUser attribute with sudoUser: #uid. 2. We fetch complementry rules that contain netgroups since it is expected we don't have infromation about existing netgroups in cache, sudo still needs to evaluate it for us if needed. This patch also remove test for sysdb_get_sudo_filter since it wasn't sufficient anyway and I did not rewrite it since I don't thing it is a good thing to have filter tests that depends on exact filter order. Resolves: https://fedorahosted.org/sssd/ticket/2919 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
sudo expects the same name in sudo rule as login name. Therefore
if fully qualified name is used or even enforced by setting
use_fully_qualified_names to true or by forcing default domain
with default_domain_suffix sssd is able to correctly return the
rules but sudo can't match the user with contect of sudoUser
attribute since it is not qualified.

This patch changes the rules on the fly to avoid using names at all.
We do this in two steps:
1. We fetch all rules that match current user name, id or groups and
   replace sudoUser attribute with sudoUser: #uid.
2. We fetch complementry rules that contain netgroups since it is
   expected we don't have infromation about existing netgroups in
   cache, sudo still needs to evaluate it for us if needed.

This patch also remove test for sysdb_get_sudo_filter since it wasn't
sufficient anyway and I did not rewrite it since I don't thing it
is a good thing to have filter tests that depends on exact filter
order.

Resolves:
https://fedorahosted.org/sssd/ticket/2919

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
SYSDB: Remove useless parameter from sysdb_init() 2016-07-07T08:29:49+00:00 Jakub Hrozek jhrozek@redhat.com 2016-06-29T14:18:12+00:00 ebbeac5c6b8b87ab478ee5a04ec48fbbba0c9efc The function sysdb_init() is never used to allow upgrade, so the allow_upgrade parameter was pointless. Reviewed-by: Sumit Bose <sbose@redhat.com> 
The function sysdb_init() is never used to allow upgrade, so the
allow_upgrade parameter was pointless.

Reviewed-by: Sumit Bose <sbose@redhat.com>
IFP: Amend the InfoPipe responder for fqdns 2016-07-07T08:29:30+00:00 Jakub Hrozek jhrozek@redhat.com 2016-06-28T12:43:33+00:00 d0faaf01fd24a935d9779032886d228b3861fa48 Parses the internal sysdb names and puts them on the bus using the sss_output_name() helper. Previously, the raw sysdb names were used. Reviewed-by: Sumit Bose <sbose@redhat.com> 
Parses the internal sysdb names and puts them on the bus using the
sss_output_name() helper. Previously, the raw sysdb names were used.

Reviewed-by: Sumit Bose <sbose@redhat.com>
RESPONDERS: Return the sysdb name from cache_req 2016-07-07T08:29:17+00:00 Jakub Hrozek jhrozek@redhat.com 2016-06-22T05:22:59+00:00 d20a56f2f05a011e62ba921e70124583e3c5b652 name.name is the input name. Since cache_req is an internal interface, we need to return the sysdb name instead. Reviewed-by: Sumit Bose <sbose@redhat.com> 
name.name is the input name. Since cache_req is an internal interface,
we need to return the sysdb name instead.

Reviewed-by: Sumit Bose <sbose@redhat.com>
SSH: Use a qualified name for user searches in the SSH responder 2016-07-07T08:26:26+00:00 Jakub Hrozek jhrozek@redhat.com 2016-06-14T10:16:24+00:00 8e8dda8561e89276a891495ae84eefe2b2170193 The name is converted from whatever we receive on input to the internal format before processing the data further. Reviewed-by: Sumit Bose <sbose@redhat.com> 
The name is converted from whatever we receive on input to the internal
format before processing the data further.

Reviewed-by: Sumit Bose <sbose@redhat.com>
PAM: Use qualified names internally in the PAM responder 2016-07-07T08:26:20+00:00 Jakub Hrozek jhrozek@redhat.com 2016-03-15T13:29:02+00:00 2b62d5a414b8b7dba4f714dc5033e28dc4b1f4fe The name is converted from whatever we receive on input to the internal format before processing the data further. Reviewed-by: Sumit Bose <sbose@redhat.com> 
The name is converted from whatever we receive on input to the internal
format before processing the data further.

Reviewed-by: Sumit Bose <sbose@redhat.com>