summaryrefslogtreecommitdiffstats
path: root/src/util/util.h
Commit message (Collapse)AuthorAgeFilesLines
* UTIL: Remove unused functionsJakub Hrozek2016-07-071-13/+0
| | | | | | The conversion to sysdb made several functions obsolete. Remove them. Reviewed-by: Sumit Bose <sbose@redhat.com>
* LDAP: Qualify user and group names when saving the sudo usersJakub Hrozek2016-07-071-0/+3
| | | | | | | | | | | | | | | If the sudoUser values we fetch from LDAP correspond to a user or a group name per: http://www.sudo.ws/man/1.8.14/sudoers.ldap.man.html then we parse the usernames into (name,domain) tuples and store them qualified. This patch not only makes the sudo provider work with qualified names, but also makes it possible to use qualified names on the LDAP side, allowing for example AD users from different domains to access sudo rules. Reviewed-by: Sumit Bose <sbose@redhat.com>
* UTIL: Add a utility function sss_output_nameJakub Hrozek2016-07-071-0/+6
| | | | | | | | | | Adds a convenience function that will help reduce the amount of code duplication in the responders. All responders need to parse the username from the internal format, lower-case the name, if the domain is case-insensitive and then replace spaces if the responder is configured to do so. Reviewed-by: Sumit Bose <sbose@redhat.com>
* UTIL: Add a utility function to create a list of qualified namesJakub Hrozek2016-07-071-0/+6
| | | | | | | Adds a convenience wrapper around sss_create_fqname that qualifies a list of names into the format used internally in sssd. Reviewed-by: Sumit Bose <sbose@redhat.com>
* UTIL: Add function to create internal fqnameMichal Zidek2016-07-071-0/+6
| | | | | | | Add function to create internal fqname in format shortname@domname where domain portion is lowercased. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTIL: Add function to parse internal fqname formatMichal Zidek2016-07-071-0/+6
| | | | | | | | Add lightweight function to parse internal fqname format (shortname@domain). This function does not require the sss_names to be initialized. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA/AD: globally set krb5 canonicalization flagSumit Bose2016-07-061-1/+1
| | | | | | | | | | | If Kerberos principal canonicalization is configured in SSSD, currently it is the default for the IPA provider, a configuration snippet is generated for the system-wide libkrb5 configuration so that all kerberized applications will use canonicalization by default. Resolves https://fedorahosted.org/sssd/ticket/3041 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Monitor: Add mode to generate confdb onlySimo Sorce2016-06-291-0/+1
| | | | | | | | | | With this mode we can add socket activated services and have systemd pre exec sssd to genrate the configuration file w/o starting the whole sssd if not necessary. https://fedorahosted.org/sssd/ticket/2243 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Util: Add watchdog helperSimo Sorce2016-06-291-0/+4
| | | | | | | | | | | | | | | | | | The watchdog uses a kernel timer to issue a signal to the process. It checks if the ticker is not being reset by the main event loop, which would indicate that the process got stuck. At the same time it sets a tevent timer to clear the watchdog ticker, so that the watchdog handler is kept happy. If the watchdog detects that the timer event failed to reset the watchdog for three times in a row then the process is killed. Normally the monitor will detect the child terminated and will rescheduled it. Related: https://fedorahosted.org/sssd/ticket/2921 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* Downcast to errno_t after tevent_req_is_errorLukas Slebodnik2016-06-291-2/+7
| | | | | | | | | | | | | Functions tevent_req_is_error and _tevent_req_error use type uint64_t for error code. SSSD uses errno_t which is an alias for int. Therefore complier assumes that macro TEVENT_REQ_RETURN_ON_ERROR can return 0 due to implicit down casting from uint64_t -> int. This patch makes down casting explicit and returns EINVAL if result of downcasting is 0. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* p11: add OCSP default responder optionsSumit Bose2016-06-091-0/+2
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* p11: add no_verification optionSumit Bose2016-06-091-1/+6
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Do not leak fds in case of failures setting up a child processJakub Hrozek2016-05-311-0/+14
| | | | | | | | | | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/3006 The handling of open pipes in failure cases was suboptimal. Moreover, the faulty logic was copied all over the place. This patch introduces helper macros to: - initialize the pipe endpoints to -1 - close an open pipe fd and set it to -1 afterwards - close both ends unless already closed These macros are used in the child handling code. The patch also uses child_io_destructor in the p11_child code for safer fd handling. Reviewed-by: Petr Cech <pcech@redhat.com>
* util: make concatenate_string_array() reusableSumit Bose2016-04-131-0/+4
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* UTIL: Move debug part from util.h -> new debug.hLukas Slebodnik2016-03-231-118/+1
| | | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* utils: return const char ** from dup_string_listPavel Březina2016-03-141-1/+1
| | | | | | | This function is not used anywhere and const char ** suits better in my use case (next patch) so I just changed the function. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTIL: Provide varargs version of debug_fnLukas Slebodnik2016-02-231-0/+6
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* UTIL: Use prefix for debug functionLukas Slebodnik2016-02-231-8/+8
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* p11: enable ocsp checksSumit Bose2015-11-261-0/+3
| | | | | | | | | | | This patch enables the Online Certificate Status Protocol in NSS and adds an option to disable it if needed. To make further tuning of certificate verification more easy it is not an option on its own but an option to the new certificate_verification configuration option. Resolves https://fedorahosted.org/sssd/ticket/2812 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* util: Update get_next_domain's interfaceMichal Židek2015-10-231-1/+4
| | | | | | | | | | | | Update get next domain to be able to include disbled domains and change the interface to accept flags instead of multiple booleans. Ticket: https://fedorahosted.org/sssd/ticket/2673 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* REFACTOR: umask(077) --> umask(SSS_DFL_X_UMASK)Petr Cech2015-10-141-0/+3
| | | | | | | | | | | There are many calls of umask function with 077 argument. This patch add new constant SSS_DFL_X_UMASK which stands fot 077. So all occurences of umask(077) are replaced by constant SSS_DFL_X_UMASK. Resolves: https://fedorahosted.org/sssd/ticket/2424 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* REFACTOR: umask(0177) --> umask(SSS_DFL_UMASK)Petr Cech2015-10-141-0/+3
| | | | | | | | | | | | There are many calls of umask function with 0177 argument. This patch add new constant SSS_DFL_UMASK which stands for 0177. So all occurences of umask(0177) (except responder code) are replaced by constant SSS_DFL_UMASK. Resolves: https://fedorahosted.org/sssd/ticket/2424 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTIL: Convert domain->disabled into tri-state with domain statesJakub Hrozek2015-09-211-0/+3
| | | | | | | | | | | | | Required for: https://fedorahosted.org/sssd/ticket/2637 This is a first step towards making it possible for domain to be around, but not contacted by Data Provider. Also explicitly create domains as active, previously we only relied on talloc_zero marking dom->disabled as false. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* NSS: Don't ignore backslash in usernames with ldap providerLukas Slebodnik2015-09-011-0/+3
| | | | | | | | | | The regression was caused by changing default domain regex for ldap provider in ticket #2717 Resolves: https://fedorahosted.org/sssd/ticket/2772 Reviewed-by: Sumit Bose <sbose@redhat.com>
* UTIL: Provide a common interface to safely create temporary filesJakub Hrozek2015-08-141-0/+21
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* DEBUG: Add new debug category for fail over.Michal Židek2015-08-141-0/+1
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* UTIL: Add sss_filter_sanitize_exJakub Hrozek2015-07-151-0/+5
| | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2553 In order to support wildcard request, we need to introduce an optionally relaxed version of sss_filter_sanitize that allows to select which characters are exempt from sanitizing. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* utils: add get_last_x_chars()Sumit Bose2015-06-191-0/+2
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* UTIL/SYSDB: Move new_subdomain() to sysdb_subdomains.c and make it privateJakub Hrozek2015-06-141-11/+0
| | | | | | | | | | | In order to make updating the subdomain list a two-step process. Therefore we need to make sure that update_subdomains() is the only interface towards the SSSD that changes the subdomain list. Move the new_subdomain() function to sysdb_subdomains.c and only make it available through a private header so it's usable by unit tests. Reviewed-by: Sumit Bose <sbose@redhat.com>
* SYSDB: Store trust direction for subdomainsJakub Hrozek2015-06-141-1/+2
| | | | | | | | | | | | We need to store the subdomain trust direction in order to recover the structure after SSSD restart. The trust direction is a plain uint32_t to avoid leaking the knowledge about AD trust directions to sysdb while at the same time making it easy to compare values between sysdb and LDAP and avoid translating the values. Reviewed-by: Sumit Bose <sbose@redhat.com>
* selinux: Only call semanage if the context actually changesJakub Hrozek2015-04-141-0/+2
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2624 Add a function to query the libsemanage database for a user context and only update the database if the context differes from the one set on the server. Adds talloc dependency to libsss_semanage. Reviewed-by: Michal Židek <mzidek@redhat.com>
* UTIL: Add a simple function to get the fd of debug_fileJakub Hrozek2015-04-141-0/+1
| | | | Reviewed-by: Pavel Reichl <preichl@redhat.com>
* sdap: properly handle binary objectGuid attributeSumit Bose2015-03-201-0/+7
| | | | | | | | | | | | | | Although in the initial processing SSSD treats the binary value right at some point it mainly assumes that it is a string. Depending on the value this might end up with the correct binary value stored in the cache but in most cases there will be only a broken entry in the cache. This patch converts the binary value into a string representation which is described in [MS-DTYP] and stores the result in the cache. Resolves https://fedorahosted.org/sssd/ticket/2588 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTIL: convert GeneralizedTime to unix timePavel Reichl2015-03-051-0/+3
| | | | | | | | New utility function *sss_utc_to_time_t* to convert GeneralizedTime to unix time. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SELINUX: Set and reset umask when caling set_seuser from deamon codeJakub Hrozek2015-01-271-0/+4
| | | | | | https://fedorahosted.org/sssd/ticket/2563 Reviewed-by: Michal Židek <mzidek@redhat.com>
* IPA: properly handle mixed-case trusted domainsSumit Bose2015-01-231-0/+3
| | | | | | | | | | | | In the SSSD cache domain names are handled case-sensitive. As a result fully-qualified names in RDN contain the domain part in the original spelling. When IPA client lookup up group-memberships on the IPA server via the extdom plugin the names returned are all lower case. To make sure new DNs are generated correctly the domain part must adjusted. Related to https://fedorahosted.org/sssd/ticket/2159 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTIL: Unify the fd_nonblocking implementationJakub Hrozek2015-01-151-0/+12
| | | | | | | The responder and child_common modules each had their own implementation. Unify it instead and add a unit test. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* AD/IPA: add krb5_confd_path configuration optionSumit Bose2014-11-251-0/+6
| | | | | | | | | With this new parameter the directory where Kerberos configuration snippets are created can be specified. Fixes https://fedorahosted.org/sssd/ticket/2473 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Enable views for all domainsSumit Bose2014-11-201-2/+1
| | | | | | | | | Currently views and overrides were only available for sub-domains, this patch enables the lookup for the configured domains as well. Related to https://fedorahosted.org/sssd/ticket/2481 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Add add_strings_lists() utility functionSumit Bose2014-11-051-0/+18
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* UTIL: Add a function to convert id_t from a number or a nameJakub Hrozek2014-10-221-0/+2
| | | | | | | | | | | | We need a custom function that would convert a numeric or string input into uid_t. The function will be used to drop privileges in servers and also in the PAC and IFP responders. Includes a unit test to test all code that changed as well as a fix for a misnamed attribute in the csv_to_uid_list function synopsis. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* SSSD: Chown the log filesJakub Hrozek2014-10-201-0/+1
| | | | | | | | | We need to chown the log files before dropping root to make sure they are usable by the SSSD user. Unfortunately, we can't just rely on passing the fd opened by root, because we need to be also able to rotate the log files. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* SSSD: Add the options to specify a UID and GID to run asJakub Hrozek2014-10-201-0/+7
| | | | | | | | | Adds new command line options --uid and --gid to all SSSD servers, making it possible to switch to another user ID if needed. So far all code still runs as root. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* sss_semanage: Add mlsrange parameter to set_seuserMichal Zidek2014-10-201-1/+2
| | | | | | | mlsrange parameter will be needed in IPA provider and probably at some point in the tools as well. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* util: Move semanage related functions to src/utilMichal Zidek2014-10-201-0/+4
| | | | | | These functions will be reused by IPA provider. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sysdb: add overide lookup callsSumit Bose2014-10-201-0/+3
| | | | | | | | | | | sysdb_search_user_override_by_name() and sysdb_search_group_override_by_name() search for overrides in the given view. sysdb_add_overrides_to_object() adds the data from the override object to the original object and makes them available for further processing. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* UTIL: Always write capathsJakub Hrozek2014-10-161-2/+1
| | | | | | | | | We used to only generate the [capaths] section on the IPA server itself, when running in a trusted setup. But we also found out that the capaths are often required to make SSO fully work, so it's better to always generate them. Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
* UTIL: Move become_user outside krb5 treeJakub Hrozek2014-10-101-0/+9
| | | | | | | | In order for several other SSSD processes to run as a non-root user, we need to move the functions to become another user to a shared space in our source tree. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* UTIL: Do not depend on monitor codeJakub Hrozek2014-10-091-0/+2
| | | | | | | Just moves code around. There should be a way to use the server.c module without linking the monitor code. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* PAM: new options pam_trusted_users & pam_public_domainsPavel Reichl2014-09-291-0/+5
| | | | | | | | | | | | | pam_public_domains option is a list of numerical UIDs or user names that are trusted. pam_public_domains option is a list of domains accessible even for untrusted users. Based on: https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
generated by cgit (git 2.34.1) at 2024-06-18 06:05:45 +0000