<feed xmlns='http://www.w3.org/2005/Atom'>
<title>sssd.git/src/sss_client/common.c, branch prompting</title>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/sbose/public_git/sssd.git/'/>
<entry>
<title>CLIENT: Retry request after EPIPE</title>
<updated>2016-03-11T10:46:15+00:00</updated>
<author>
<name>Lukas Slebodnik</name>
<email>lslebodn@redhat.com</email>
</author>
<published>2016-02-17T14:21:55+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/sbose/public_git/sssd.git/commit/?id=6748a4c9d75db997c724c1dcea541e0047742f52'/>
<id>6748a4c9d75db997c724c1dcea541e0047742f52</id>
<content type='text'>
We have a function sss_cli_check_socket which checks
socket in client code. The socket is reopened in case of some
issues e.g. responder terminated connections ...

We use syscall poll for checking status of socket.
It's not a 100% reliable method because there is still a
chance that responder will terminate socket after this check.

Here is a schema of sss_*_make_request functions:
    sss_cli_check_socket
    sss_cli_make_request_nochecks {
       sss_cli_send_req {
           poll
           send
       }
       sss_cli_recv_rep {
           poll
           read
       }
    }

The syscall poll does not return EPIPE directly but we convert
special revents from poll to EPIPE. As it was mentioned earlier,
checking of socket in the sss_cli_check_socket is not 100% reliable.
It can happen very rarely due to TOCTOU issue (Time of check to time of use).

We can return EPIPE from the sss_cli_make_request_nochecks function
in case of failure in poll in sss_cli_send_req. The send function
in sss_cli_send_req can also return EPIPE if responder closes socket
at the same time. The send function can succeed in sss_cli_send_req
but it does not mean that responder read the message. It can happen
that timer for closing socket can be handled before reading a message.
Therefore there is still a chance that we might return EPIPE in case
of failure in poll in sss_cli_recv_rep.

Therefore we need to reconnect to responder (sss_cli_check_socket)
in case of EPIPE returned from sss_cli_make_request_nochecks and
try to do the same request one more time.

Resolves:
https://fedorahosted.org/sssd/ticket/2626

Reviewed-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We have a function sss_cli_check_socket which checks
socket in client code. The socket is reopened in case of some
issues e.g. responder terminated connections ...

We use syscall poll for checking status of socket.
It's not a 100% reliable method because there is still a
chance that responder will terminate socket after this check.

Here is a schema of sss_*_make_request functions:
    sss_cli_check_socket
    sss_cli_make_request_nochecks {
       sss_cli_send_req {
           poll
           send
       }
       sss_cli_recv_rep {
           poll
           read
       }
    }

The syscall poll does not return EPIPE directly but we convert
special revents from poll to EPIPE. As it was mentioned earlier,
checking of socket in the sss_cli_check_socket is not 100% reliable.
It can happen very rarely due to TOCTOU issue (Time of check to time of use).

We can return EPIPE from the sss_cli_make_request_nochecks function
in case of failure in poll in sss_cli_send_req. The send function
in sss_cli_send_req can also return EPIPE if responder closes socket
at the same time. The send function can succeed in sss_cli_send_req
but it does not mean that responder read the message. It can happen
that timer for closing socket can be handled before reading a message.
Therefore there is still a chance that we might return EPIPE in case
of failure in poll in sss_cli_recv_rep.

Therefore we need to reconnect to responder (sss_cli_check_socket)
in case of EPIPE returned from sss_cli_make_request_nochecks and
try to do the same request one more time.

Resolves:
https://fedorahosted.org/sssd/ticket/2626

Reviewed-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>CLIENT: Reduce code duplication</title>
<updated>2016-03-11T10:46:11+00:00</updated>
<author>
<name>Lukas Slebodnik</name>
<email>lslebodn@redhat.com</email>
</author>
<published>2016-02-26T15:06:50+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/sbose/public_git/sssd.git/commit/?id=a452d199bc125e8d53033d7c00383b4a275ab85e'/>
<id>a452d199bc125e8d53033d7c00383b4a275ab85e</id>
<content type='text'>
Patch for #2626 will be simpler with this small refactoring

Reviewed-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Patch for #2626 will be simpler with this small refactoring

Reviewed-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix minor typos</title>
<updated>2015-07-23T09:10:16+00:00</updated>
<author>
<name>Yuri Chornoivan</name>
<email>yurchor@ukr.net</email>
</author>
<published>2015-06-26T05:52:12+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/sbose/public_git/sssd.git/commit/?id=f91029dd8d7dbc026a5c73e222926db957240cb4'/>
<id>f91029dd8d7dbc026a5c73e222926db957240cb4</id>
<content type='text'>
Reviewed-by: Lukáš Slebodník &lt;lslebodn@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Reviewed-by: Lukáš Slebodník &lt;lslebodn@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sss_client: Use unique lock for memory cache</title>
<updated>2015-07-03T13:17:08+00:00</updated>
<author>
<name>Lukas Slebodnik</name>
<email>lslebodn@redhat.com</email>
</author>
<published>2015-06-30T18:19:42+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/sbose/public_git/sssd.git/commit/?id=0ed6114c6b2cc9d7e0c09842d19f0987e9ebbb4a'/>
<id>0ed6114c6b2cc9d7e0c09842d19f0987e9ebbb4a</id>
<content type='text'>
Previously the same lock was used as for communication with
responder. However it would cause a deadlock in case of
re-checking memcache after acquiring the lock and before communication with
responder.

Required by:
https://fedorahosted.org/sssd/ticket/2581

Reviewed-by: Michal Židek &lt;mzidek@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Previously the same lock was used as for communication with
responder. However it would cause a deadlock in case of
re-checking memcache after acquiring the lock and before communication with
responder.

Required by:
https://fedorahosted.org/sssd/ticket/2581

Reviewed-by: Michal Židek &lt;mzidek@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>CLIENT: Clear errno with enabled sss-default-nss-plugin</title>
<updated>2015-04-07T12:44:51+00:00</updated>
<author>
<name>Lukas Slebodnik</name>
<email>lslebodn@redhat.com</email>
</author>
<published>2015-04-07T08:53:12+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/sbose/public_git/sssd.git/commit/?id=d51bc5f43fffa516446ef62c2b860be9fa939c9d'/>
<id>d51bc5f43fffa516446ef62c2b860be9fa939c9d</id>
<content type='text'>
Although errno was cleared in function sss_nss_make_request,
some sss glibc functions set errno with value of output argument errnop.

Reproducer:
* sssd compiled with enabled option sss-default-nss-plugin
* sss is the last value in group (/etc/nsswitch.conf)
* sssd-client is installed but sssd is stopped.

C-program:
  #include &lt;stdio.h&gt;
  #include &lt;stdlib.h&gt;
  #include &lt;errno.h&gt;
  #include &lt;grp.h&gt;

  int main(int argc, char *argv[])
  {
      struct group *p_group;

      setgrent();
      while (1) {
          errno = 0;  /* initialize for  getgrent() */
          p_group = getgrent();
          if (p_group == NULL) {
              if (errno == 0) {
                      break;   /* end of groups */
              } else {
                  perror("getgrent");
                  printf("getgrent error %d \n", errno);
                  endgrent();
                  exit(-2);
              }
          }
          printf("getgrent() OK group(%d) = %s \n",
                 p_group-&gt;gr_gid, p_group-&gt;gr_name);
      }

      exit(0);
  }

Resolves:
https://fedorahosted.org/sssd/ticket/2619

Reviewed-by: Pavel Reichl &lt;preichl@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Although errno was cleared in function sss_nss_make_request,
some sss glibc functions set errno with value of output argument errnop.

Reproducer:
* sssd compiled with enabled option sss-default-nss-plugin
* sss is the last value in group (/etc/nsswitch.conf)
* sssd-client is installed but sssd is stopped.

C-program:
  #include &lt;stdio.h&gt;
  #include &lt;stdlib.h&gt;
  #include &lt;errno.h&gt;
  #include &lt;grp.h&gt;

  int main(int argc, char *argv[])
  {
      struct group *p_group;

      setgrent();
      while (1) {
          errno = 0;  /* initialize for  getgrent() */
          p_group = getgrent();
          if (p_group == NULL) {
              if (errno == 0) {
                      break;   /* end of groups */
              } else {
                  perror("getgrent");
                  printf("getgrent error %d \n", errno);
                  endgrent();
                  exit(-2);
              }
          }
          printf("getgrent() OK group(%d) = %s \n",
                 p_group-&gt;gr_gid, p_group-&gt;gr_name);
      }

      exit(0);
  }

Resolves:
https://fedorahosted.org/sssd/ticket/2619

Reviewed-by: Pavel Reichl &lt;preichl@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Open the PAC socket from krb5_child before dropping root</title>
<updated>2015-01-21T10:25:49+00:00</updated>
<author>
<name>Jakub Hrozek</name>
<email>jhrozek@redhat.com</email>
</author>
<published>2015-01-20T17:06:49+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/sbose/public_git/sssd.git/commit/?id=858e750c3d4fe54e50616a1ed1e101469503c070'/>
<id>858e750c3d4fe54e50616a1ed1e101469503c070</id>
<content type='text'>
The PAC responder by default allows only connections from the root user.
This patch opens the socket to the PAC responder before the krb5_child
drops privileges so the connection seemingly comes from root.

https://fedorahosted.org/sssd/ticket/2559

Reviewed-by: Sumit Bose &lt;sbose@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The PAC responder by default allows only connections from the root user.
This patch opens the socket to the PAC responder before the krb5_child
drops privileges so the connection seemingly comes from root.

https://fedorahosted.org/sssd/ticket/2559

Reviewed-by: Sumit Bose &lt;sbose@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sss_client: Work around glibc bug</title>
<updated>2014-12-08T20:47:36+00:00</updated>
<author>
<name>Lukas Slebodnik</name>
<email>lslebodn@redhat.com</email>
</author>
<published>2014-11-18T11:02:10+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/sbose/public_git/sssd.git/commit/?id=5bb0c0596765dd5dd1973b7fc2d1e830bca3e345'/>
<id>5bb0c0596765dd5dd1973b7fc2d1e830bca3e345</id>
<content type='text'>
glibc is inconsistent with how it treats and returns NSS_STATUS_UNAVAIL.

The sss nss plugin is present in nsswitch by default on some platforms
due to glibc caching and problem with long living applications (e.g. GNOME).
But sssd needn't be configured and it causes problems in some programs.
In this situation, the SSSD nss plugin should behave as if it was functioning
but had no data even though sssd is not running. The errors have to be passed
from nss plugin up to the user with minimal modification.

Thanks to Stephen Gallagher for initial patch.

Resolves:
https://fedorahosted.org/sssd/ticket/2439

Reviewed-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
glibc is inconsistent with how it treats and returns NSS_STATUS_UNAVAIL.

The sss nss plugin is present in nsswitch by default on some platforms
due to glibc caching and problem with long living applications (e.g. GNOME).
But sssd needn't be configured and it causes problems in some programs.
In this situation, the SSSD nss plugin should behave as if it was functioning
but had no data even though sssd is not running. The errors have to be passed
from nss plugin up to the user with minimal modification.

Thanks to Stephen Gallagher for initial patch.

Resolves:
https://fedorahosted.org/sssd/ticket/2439

Reviewed-by: Jakub Hrozek &lt;jhrozek@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Use pattern #elif defined(identifier)</title>
<updated>2014-03-14T13:16:33+00:00</updated>
<author>
<name>Lukas Slebodnik</name>
<email>lslebodn@redhat.com</email>
</author>
<published>2013-12-09T21:06:40+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/sbose/public_git/sssd.git/commit/?id=fa0938a6e3cb928602633c3da0b909deb269369d'/>
<id>fa0938a6e3cb928602633c3da0b909deb269369d</id>
<content type='text'>
We had in source code following pattern #elif HAVE_&lt;name&gt;
It worked because undefined identifier(in some cases) was evaluated to 0.
But we do not care about value of HAVE_SOMETHING. We just need to know
whether identifier was defined.

There is no equivalent to #ifdef (short form of #if defined).
We need to use long form: #elif defined HAVE_&lt;name&gt;

It causes also compiler warning with enabled compiler flag -Wundef.

Reviewed-by: Pavel Reichl &lt;preichl@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We had in source code following pattern #elif HAVE_&lt;name&gt;
It worked because undefined identifier(in some cases) was evaluated to 0.
But we do not care about value of HAVE_SOMETHING. We just need to know
whether identifier was defined.

There is no equivalent to #ifdef (short form of #if defined).
We need to use long form: #elif defined HAVE_&lt;name&gt;

It causes also compiler warning with enabled compiler flag -Wundef.

Reviewed-by: Pavel Reichl &lt;preichl@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sss_client: Use SAFEALIGN_COPY_&lt;type&gt; macros where appropriate.</title>
<updated>2013-12-03T13:41:15+00:00</updated>
<author>
<name>Michal Zidek</name>
<email>mzidek@redhat.com</email>
</author>
<published>2013-08-21T15:17:06+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/sbose/public_git/sssd.git/commit/?id=a171d77f40aa92e240e91aa4bafe5a392a98b5a2'/>
<id>a171d77f40aa92e240e91aa4bafe5a392a98b5a2</id>
<content type='text'>
resolves:
https://fedorahosted.org/sssd/ticket/1359
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
resolves:
https://fedorahosted.org/sssd/ticket/1359
</pre>
</div>
</content>
</entry>
<entry>
<title>CLIENT: Fix non gnu sss_strnlen implementation</title>
<updated>2013-08-28T20:02:49+00:00</updated>
<author>
<name>Lukas Slebodnik</name>
<email>lslebodn@redhat.com</email>
</author>
<published>2013-08-28T06:31:17+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/sbose/public_git/sssd.git/commit/?id=c08e3aca5a8f3869e47c42bded962292cffccce6'/>
<id>c08e3aca5a8f3869e47c42bded962292cffccce6</id>
<content type='text'>
Last argument of function sss_strnlen "size_t *len" is output variable.
We need to increment value of size_t being pointed to by pointer instead of
incrementing pointer.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Last argument of function sss_strnlen "size_t *len" is output variable.
We need to increment value of size_t being pointed to by pointer instead of
incrementing pointer.
</pre>
</div>
</content>
</entry>
</feed>
