sssd/0066-files-add-session-recording-flag.patch

From 46c483c09b85cecf8d1cc72618da993d8948c894 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 15 Oct 2018 20:05:09 +0200
Subject: [PATCH 82/83] files: add session recording flag

If session recording is configured for a group the NSS ans PAM
responder rely on a attribute in the cache set by the backend to
determine is session recording is configured for the user or not. This
flag is typically set during the initgroups request.

Since the files provider does not have a dedicated initgroups request
the attribute must be set otherwise. This patch sets is for all users
after the files are reloaded.

Related to https://pagure.io/SSSD/sssd/issue/3855

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 src/providers/data_provider/dp_iface.h     |  3 ++
 src/providers/data_provider/dp_target_id.c | 62 ++++++++++++++++++++++++++++++
 src/providers/files/files_ops.c            |  7 ++++
 3 files changed, 72 insertions(+)

diff --git a/src/providers/data_provider/dp_iface.h b/src/providers/data_provider/dp_iface.h
index d1382cd..8635ae0 100644
--- a/src/providers/data_provider/dp_iface.h
+++ b/src/providers/data_provider/dp_iface.h
@@ -188,4 +188,7 @@ errno_t
 dp_access_control_refresh_rules_recv(TALLOC_CTX *mem_ctx,
                                      struct tevent_req *req);
 
+
+errno_t
+dp_add_sr_attribute(struct be_ctx *be_ctx);
 #endif /* DP_IFACE_H_ */
diff --git a/src/providers/data_provider/dp_target_id.c b/src/providers/data_provider/dp_target_id.c
index 265788b..748d886 100644
--- a/src/providers/data_provider/dp_target_id.c
+++ b/src/providers/data_provider/dp_target_id.c
@@ -328,6 +328,68 @@ done:
     talloc_free(tmp_ctx);
 }
 
+errno_t dp_add_sr_attribute(struct be_ctx *be_ctx)
+{
+    int ret;
+    struct dp_initgr_ctx *dp_initgr_ctx = NULL;
+    TALLOC_CTX *tmp_ctx = NULL;
+    struct dp_id_data *data;
+    size_t msgs_count;
+    struct ldb_message **msgs = NULL;
+    const char *attrs[] = {SYSDB_NAME, NULL};
+    size_t c;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+        return ENOMEM;
+    }
+
+    ret = sysdb_search_users(tmp_ctx, be_ctx->domain, "("SYSDB_NAME "=*)", attrs,
+                            &msgs_count, &msgs);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_users failed.\n");
+        goto done;
+    }
+
+    data = talloc_zero(tmp_ctx, struct dp_id_data);
+    if (data == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    data->entry_type = BE_REQ_INITGROUPS;
+    data->filter_type = BE_FILTER_NAME;
+    data->filter_value = NULL;
+    data->extra_value = NULL;
+    data->domain = be_ctx->domain->name;
+
+    for (c = 0; c < msgs_count; c++) {
+        data->filter_value = ldb_msg_find_attr_as_string(msgs[c], SYSDB_NAME,
+                                                         NULL);
+        if (data->filter_value == NULL) {
+            DEBUG(SSSDBG_CRIT_FAILURE,
+                  "Cache object [%s] does not have a name, skipping.\n",
+                  ldb_dn_get_linearized(msgs[c]->dn));
+            continue;
+        }
+
+        talloc_free(dp_initgr_ctx);
+        ret = dp_create_initgroups_ctx(tmp_ctx, be_ctx, data, &dp_initgr_ctx);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_OP_FAILURE, "dp_create_initgroups_ctx failed.\n");
+            goto done;
+        }
+
+        dp_req_initgr_pp_sr_overlay(be_ctx->provider, dp_initgr_ctx);
+    }
+
+done:
+    talloc_free(tmp_ctx);
+
+    return ret;
+}
+
 static errno_t set_initgroups_expire_attribute(struct sss_domain_info *domain,
                                                const char *name)
 {
diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c
index f5a4029..74f77b5 100644
--- a/src/providers/files/files_ops.c
+++ b/src/providers/files/files_ops.c
@@ -26,6 +26,7 @@
 #include "db/sysdb.h"
 #include "util/inotify.h"
 #include "util/util.h"
+#include "providers/data_provider/dp_iface.h"
 
 /* When changing this constant, make sure to also adjust the files integration
  * test for reallocation branch
@@ -771,6 +772,12 @@ static errno_t sf_enum_files(struct files_id_ctx *id_ctx,
         }
     }
 
+    ret = dp_add_sr_attribute(id_ctx->be);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "Failed to add session recording attribute, ignored.\n");
+    }
+
     ret = sysdb_transaction_commit(id_ctx->domain->sysdb);
     if (ret != EOK) {
         goto done;
-- 
2.9.5
Backport a bunch of upstream fixes - Resolves: upstream#3821 - crash related to sbus_router_destructor() - Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref - Resolves: upstream#3819 - sssd only sets the SELinux login context if it differs from the default - Resolves: upstream#3807 - The sbus codegen script relies on "python" which might not be available on all distributions - Resolves: upstream#3820 - sudo: search with lower cased name for case insensitive domains - Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from an allow-any default to a deny-any default when it can't find any GPOs to apply to a user login. - Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort startup - Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11 also for local account authentication - Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup - Resolves: upstream#3826 - Remove references of sss_user/group/add/del commands in man pages since local provider is deprecated - Resolves: upstream#3827 - SSSD should log to syslog if a domain is not started due to a misconfiguration - Resolves: upstream#3830 - Printing incorrect information about domain with sssctl utility - Resolves: upstream#3489 - p11_child should work wit openssl1.0+ - Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary changes in nsswitch.conf - Resovles: upstream#3650 - RFE: Require smartcard authentication - Resolves: upstream#3334 - sssctl config-check does not check any special characters in domain name of domain section - Resolves: upstream#3849 - Files: The files provider always enumerates which causes duplicate when running getent passwd - Related: upstream#3855 - session not recording for local user when groups defined - Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb - Related: upstream#3493 - Remove the pysss.local interface 2018-10-24 08:34:15 +00:00			`From 46c483c09b85cecf8d1cc72618da993d8948c894 Mon Sep 17 00:00:00 2001`
			`From: Sumit Bose <sbose@redhat.com>`
			`Date: Mon, 15 Oct 2018 20:05:09 +0200`
			`Subject: [PATCH 82/83] files: add session recording flag`

			`If session recording is configured for a group the NSS ans PAM`
			`responder rely on a attribute in the cache set by the backend to`
			`determine is session recording is configured for the user or not. This`
			`flag is typically set during the initgroups request.`

			`Since the files provider does not have a dedicated initgroups request`
			`the attribute must be set otherwise. This patch sets is for all users`
			`after the files are reloaded.`

			`Related to https://pagure.io/SSSD/sssd/issue/3855`

			`Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>`
			`---`
			`src/providers/data_provider/dp_iface.h \| 3 ++`
			`src/providers/data_provider/dp_target_id.c \| 62 ++++++++++++++++++++++++++++++`
			`src/providers/files/files_ops.c \| 7 ++++`
			`3 files changed, 72 insertions(+)`

			`diff --git a/src/providers/data_provider/dp_iface.h b/src/providers/data_provider/dp_iface.h`
			`index d1382cd..8635ae0 100644`
			`--- a/src/providers/data_provider/dp_iface.h`
			`+++ b/src/providers/data_provider/dp_iface.h`
			`@@ -188,4 +188,7 @@ errno_t`
			`dp_access_control_refresh_rules_recv(TALLOC_CTX *mem_ctx,`
			`struct tevent_req *req);`

			`+`
			`+errno_t`
			`+dp_add_sr_attribute(struct be_ctx *be_ctx);`
			`#endif /* DP_IFACE_H_ */`
			`diff --git a/src/providers/data_provider/dp_target_id.c b/src/providers/data_provider/dp_target_id.c`
			`index 265788b..748d886 100644`
			`--- a/src/providers/data_provider/dp_target_id.c`
			`+++ b/src/providers/data_provider/dp_target_id.c`
			`@@ -328,6 +328,68 @@ done:`
			`talloc_free(tmp_ctx);`
			`}`

			`+errno_t dp_add_sr_attribute(struct be_ctx *be_ctx)`
			`+{`
			`+ int ret;`
			`+ struct dp_initgr_ctx *dp_initgr_ctx = NULL;`
			`+ TALLOC_CTX *tmp_ctx = NULL;`
			`+ struct dp_id_data *data;`
			`+ size_t msgs_count;`
			`+ struct ldb_message **msgs = NULL;`
			`+ const char *attrs[] = {SYSDB_NAME, NULL};`
			`+ size_t c;`
			`+`
			`+ tmp_ctx = talloc_new(NULL);`
			`+ if (tmp_ctx == NULL) {`
			`+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");`
			`+ return ENOMEM;`
			`+ }`
			`+`
			`+ ret = sysdb_search_users(tmp_ctx, be_ctx->domain, "("SYSDB_NAME "=*)", attrs,`
			`+ &msgs_count, &msgs);`
			`+ if (ret != EOK) {`
			`+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_users failed.\n");`
			`+ goto done;`
			`+ }`
			`+`
			`+ data = talloc_zero(tmp_ctx, struct dp_id_data);`
			`+ if (data == NULL) {`
			`+ ret = ENOMEM;`
			`+ goto done;`
			`+ }`
			`+`
			`+ data->entry_type = BE_REQ_INITGROUPS;`
			`+ data->filter_type = BE_FILTER_NAME;`
			`+ data->filter_value = NULL;`
			`+ data->extra_value = NULL;`
			`+ data->domain = be_ctx->domain->name;`
			`+`
			`+ for (c = 0; c < msgs_count; c++) {`
			`+ data->filter_value = ldb_msg_find_attr_as_string(msgs[c], SYSDB_NAME,`
			`+ NULL);`
			`+ if (data->filter_value == NULL) {`
			`+ DEBUG(SSSDBG_CRIT_FAILURE,`
			`+ "Cache object [%s] does not have a name, skipping.\n",`
			`+ ldb_dn_get_linearized(msgs[c]->dn));`
			`+ continue;`
			`+ }`
			`+`
			`+ talloc_free(dp_initgr_ctx);`
			`+ ret = dp_create_initgroups_ctx(tmp_ctx, be_ctx, data, &dp_initgr_ctx);`
			`+ if (ret != EOK) {`
			`+ DEBUG(SSSDBG_OP_FAILURE, "dp_create_initgroups_ctx failed.\n");`
			`+ goto done;`
			`+ }`
			`+`
			`+ dp_req_initgr_pp_sr_overlay(be_ctx->provider, dp_initgr_ctx);`
			`+ }`
			`+`
			`+done:`
			`+ talloc_free(tmp_ctx);`
			`+`
			`+ return ret;`
			`+}`
			`+`
			`static errno_t set_initgroups_expire_attribute(struct sss_domain_info *domain,`
			`const char *name)`
			`{`
			`diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c`
			`index f5a4029..74f77b5 100644`
			`--- a/src/providers/files/files_ops.c`
			`+++ b/src/providers/files/files_ops.c`
			`@@ -26,6 +26,7 @@`
			`#include "db/sysdb.h"`
			`#include "util/inotify.h"`
			`#include "util/util.h"`
			`+#include "providers/data_provider/dp_iface.h"`

			`/* When changing this constant, make sure to also adjust the files integration`
			`* test for reallocation branch`
			`@@ -771,6 +772,12 @@ static errno_t sf_enum_files(struct files_id_ctx *id_ctx,`
			`}`
			`}`

			`+ ret = dp_add_sr_attribute(id_ctx->be);`
			`+ if (ret != EOK) {`
			`+ DEBUG(SSSDBG_CRIT_FAILURE,`
			`+ "Failed to add session recording attribute, ignored.\n");`
			`+ }`
			`+`
			`ret = sysdb_transaction_commit(id_ctx->domain->sysdb);`
			`if (ret != EOK) {`
			`goto done;`
			`--`
			`2.9.5`