Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2018-02-14 22:14:28 +01:00 · 2018-02-14 22:14:28 +01:00 · 199a72e62a
commit 199a72e62a
parent 11c6ee78b8
2 changed files with 160 additions and 1 deletions
--- a/0082-DESKPROFILE-Add-checks-for-user-and-host-category.patch
+++ b/0082-DESKPROFILE-Add-checks-for-user-and-host-category.patch
@ -0,0 +1,154 @@
+From b72e444bc1cd2fe8d9617f09b446c678d4684fff Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
+Date: Mon, 22 Jan 2018 00:02:43 +0100
+Subject: [PATCH] DESKPROFILE: Add checks for user and host category
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+freeipa-deskprofile-plugin can have both user and host category set as
+"all" and when it happens, no users and groups or hosts or hostgroups
+are going to be set.
+
+Let's treat this expected (but so far missed) situation on SSSD side.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3449
+
+Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+---
+ src/providers/ipa/ipa_deskprofile_rules_util.c | 100 ++++++++++++++++++++-----
+ 1 file changed, 82 insertions(+), 18 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c
+index 53c433145..01b7d0527 100644
+--- a/src/providers/ipa/ipa_deskprofile_rules_util.c
+++ b/src/providers/ipa/ipa_deskprofile_rules_util.c
+@@ -684,6 +684,8 @@ ipa_deskprofile_rules_save_rule_to_disk(
+     TALLOC_CTX *tmp_ctx;
+     const char *rule_name;
+     const char *data;
+    const char *hostcat;
+    const char *usercat;
+     char *shortname;
+     char *domainname;
+     char *base_dn;
+@@ -722,6 +724,28 @@ ipa_deskprofile_rules_save_rule_to_disk(
+         goto done;
+     }
+ 
+    ret = sysdb_attrs_get_string(rule, IPA_HOST_CATEGORY, &hostcat);
+    if (ret == ENOENT) {
+        hostcat = NULL;
+    } else if (ret != EOK) {
+        DEBUG(SSSDBG_TRACE_FUNC,
+              "Failed to get the Desktop Profile Rule host category for rule "
+              "\"%s\" [%d]: %s\n",
+              rule_name, ret, sss_strerror(ret));
+        goto done;
+    }
+
+    ret = sysdb_attrs_get_string(rule, IPA_USER_CATEGORY, &usercat);
+    if (ret == ENOENT) {
+        usercat = NULL;
+    } else if (ret != EOK) {
+        DEBUG(SSSDBG_TRACE_FUNC,
+              "Failed to get the Desktop Profile Rule user category for rule "
+              "\"%s\" [%d]: %s\n",
+              rule_name, ret, sss_strerror(ret));
+        goto done;
+    }
+
+     rule_prio = talloc_asprintf(tmp_ctx, "%06d", prio);
+     if (rule_prio == NULL) {
+         DEBUG(SSSDBG_CRIT_FAILURE, "Failed to allocate rule priority\n");
+@@ -753,26 +777,66 @@ ipa_deskprofile_rules_save_rule_to_disk(
+         goto done;
+     }
+ 
+-    ret = ipa_deskprofile_rule_check_memberuser(tmp_ctx, domain, rule,
+-                                                rule_name, rule_prio,
+-                                                base_dn, username,
+-                                                &user_prio, &group_prio);
+-    if (ret != EOK) {
+-        DEBUG(SSSDBG_CRIT_FAILURE,
+-              "ipa_deskprofile_rule_check_memberuser() failed [%d]: %s\n",
+-              ret, sss_strerror(ret));
+-        goto done;
+    if (usercat != NULL && strcasecmp(usercat, "all") == 0) {
+        user_prio = talloc_strdup(tmp_ctx, rule_prio);
+        if (user_prio == NULL) {
+            DEBUG(SSSDBG_CRIT_FAILURE,
+                  "Failed to allocate the user priority "
+                  "when user category is \"all\"\n");
+            ret = ENOMEM;
+            goto done;
+        }
+
+        group_prio = talloc_strdup(tmp_ctx, rule_prio);
+        if (group_prio == NULL) {
+            DEBUG(SSSDBG_CRIT_FAILURE,
+                  "Failed to allocate the group priority "
+                  "when user category is \"all\"\n");
+            ret = ENOMEM;
+            goto done;
+        }
+    } else {
+        ret = ipa_deskprofile_rule_check_memberuser(tmp_ctx, domain, rule,
+                                                    rule_name, rule_prio,
+                                                    base_dn, username,
+                                                    &user_prio, &group_prio);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_CRIT_FAILURE,
+                  "ipa_deskprofile_rule_check_memberuser() failed [%d]: %s\n",
+                  ret, sss_strerror(ret));
+            goto done;
+        }
+     }
+ 
+-    ret = ipa_deskprofile_rule_check_memberhost(tmp_ctx, domain, rule,
+-                                                rule_name, rule_prio,
+-                                                base_dn, hostname,
+-                                                &host_prio, &hostgroup_prio);
+-    if (ret != EOK) {
+-        DEBUG(SSSDBG_CRIT_FAILURE,
+-              "ipa_deskprofile_rule_check_memberhost() failed [%d]: %s\n",
+-              ret, sss_strerror(ret));
+-        goto done;
+    if (hostcat != NULL && strcasecmp(hostcat, "all") == 0) {
+        host_prio = talloc_strdup(tmp_ctx, rule_prio);
+        if (host_prio == NULL) {
+            DEBUG(SSSDBG_CRIT_FAILURE,
+                  "Failed to allocate the host priority "
+                  "when host category is \"all\"\n");
+            ret = ENOMEM;
+            goto done;
+        }
+
+        hostgroup_prio = talloc_strdup(tmp_ctx, rule_prio);
+        if (hostgroup_prio == NULL) {
+            DEBUG(SSSDBG_CRIT_FAILURE,
+                  "Failed to allocate the hostgroup priority "
+                  "when host category is \"all\"\n");
+            ret = ENOMEM;
+            goto done;
+        }
+    } else {
+        ret = ipa_deskprofile_rule_check_memberhost(tmp_ctx, domain, rule,
+                                                    rule_name, rule_prio,
+                                                    base_dn, hostname,
+                                                    &host_prio, &hostgroup_prio);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_CRIT_FAILURE,
+                  "ipa_deskprofile_rule_check_memberhost() failed [%d]: %s\n",
+                  ret, sss_strerror(ret));
+            goto done;
+        }
+     }
+ 
+     ret = ipa_deskprofile_get_normalized_rule_name(mem_ctx, rule_name,
+-- 
+2.14.3
+
--- a/sssd.spec
+++ b/sssd.spec
@ -34,7 +34,7 @@

 Name: sssd
 Version: 1.16.0
-Release: 11%{?dist}
+Release: 12%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@ -122,6 +122,7 @@ Patch0078: 0078-confdb-Do-not-start-implicit_files-with-proxy-domain.patch
 Patch0079: 0079-test_files_provider-Regression-test-for-implicit_fil.patch
 Patch0080: 0080-BUILD-Add-missing-libs-found-by-Wl-z-defs.patch
 Patch0081: 0081-SELINUX-Check-if-SELinux-is-managed-in-selinux_child.patch
+Patch0082: 0082-DESKPROFILE-Add-checks-for-user-and-host-category.patch

 Patch0502: 0502-SYSTEMD-Use-capabilities.patch
 Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
@ -1324,6 +1325,10 @@ fi
                                %{_libdir}/%{name}/modules/libwbclient.so

 %changelog
+* Wed Feb 14 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.0-12
+- Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile
+                           with no specific host/hostgroup set
+
 * Wed Feb 07 2018 Lukas Slebodnik <lslebodn@fedoraproject.org> - 1.16.0-11
 - Resolves: upstream#3618 - selinux_child segfaults in a docker container