New upstream release 1.15.3

https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_3.html
(cherry picked from commit 39ce513212)
(cherry picked from commit b263f398aa)
Lukas Slebodnik 2017-07-25 14:24:33 +02:00
parent 332956cf99
commit 2642a32949
11 changed files with 98 additions and 754 deletions

1
.gitignore vendored

@ -76,3 +76,4 @@ sssd-1.2.91.tar.gz
/sssd-1.15.0.tar.gz
/sssd-1.15.1.tar.gz
/sssd-1.15.2.tar.gz
/sssd-1.15.3.tar.gz


@ -1,68 +0,0 @@
From 408edbc9ef7b7467c153f2498d7034962222664c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 3 Apr 2017 12:56:01 +0200
Subject: [PATCH 1/2] responders: do not leak selinux context on clients
destruction
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The SELinux context created in get_client_cred is not talloc bound and
we were leaking it if available with each client's destruction.
Resolves:
https://pagure.io/SSSD/sssd/issue/3360
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/responder/common/responder_common.c | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
index 76f43609651217e537ffa515aaf5b5caa98a2e90..b5b4a3284cf288f1bd328fee83877e9ba6cb61e4 100644
--- a/src/responder/common/responder_common.c
+++ b/src/responder/common/responder_common.c
@@ -97,7 +97,7 @@ static errno_t get_client_cred(struct cli_ctx *cctx)
SEC_CTX secctx;
int ret;
- cctx->creds = talloc(cctx, struct cli_creds);
+ cctx->creds = talloc_zero(cctx, struct cli_creds);
if (!cctx->creds) return ENOMEM;
#ifdef HAVE_UCRED
@@ -464,6 +464,22 @@ static void client_fd_handler(struct tevent_context *ev,
static errno_t setup_client_idle_timer(struct cli_ctx *cctx);
+static int cli_ctx_destructor(struct cli_ctx *cctx)
+{
+ if (cctx->creds == NULL) {
+ return 0;
+ }
+
+ if (cctx->creds->selinux_ctx == NULL) {
+ return 0;
+ }
+
+ SELINUX_context_free(cctx->creds->selinux_ctx);
+ cctx->creds->selinux_ctx = NULL;
+
+ return 0;
+}
+
struct accept_fd_ctx {
struct resp_ctx *rctx;
bool is_private;
@@ -520,6 +536,8 @@ static void accept_fd_handler(struct tevent_context *ev,
return;
}
+ talloc_set_destructor(cctx, cli_ctx_destructor);
+
len = sizeof(cctx->addr);
cctx->cfd = accept(fd, (struct sockaddr *)&cctx->addr, &len);
if (cctx->cfd == -1) {
--
2.12.2


@ -1,210 +0,0 @@
From 3ebb0b03c35c5b733d7bdb53b434950711461bbb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Wed, 8 Feb 2017 12:01:37 +0100
Subject: [PATCH 2/2] selinux: Do not fail if SELinux is not managed
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Previously we failed if semanage_is_managed returned 0 or -1 (not
managed or error). With this patch we only fail in case of error and
continue normally if selinux is not managed by libsemanage at all.
Resolves:
https://fedorahosted.org/sssd/ticket/3297
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
Makefile.am | 1 +
src/providers/ipa/selinux_child.c | 9 ++++--
src/util/sss_semanage.c | 61 +++++++++++++++++++++++++--------------
src/util/util_errors.c | 1 +
src/util/util_errors.h | 1 +
5 files changed, 49 insertions(+), 24 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 45b04de2638a745a189c0b4e5794ccd29913b10d..fed51a9d09d867856cbf26bfcd99df3b89d4859d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -3827,6 +3827,7 @@ selinux_child_SOURCES = \
src/util/sss_semanage.c \
src/util/atomic_io.c \
src/util/util.c \
+ src/util/util_errors.c \
$(NULL)
selinux_child_CFLAGS = \
$(AM_CFLAGS) \
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index 380005c7ad3269fc8113c62ceef30b076455b5dd..f8dd3954a7244df2dcbb910aabf8888f41306c09 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -174,14 +174,19 @@ static bool seuser_needs_update(struct input_buffer *ibuf)
ret = get_seuser(ibuf, ibuf->username, &db_seuser, &db_mls_range);
DEBUG(SSSDBG_TRACE_INTERNAL,
- "get_seuser: ret: %d seuser: %s mls: %s\n",
- ret, db_seuser ? db_seuser : "unknown",
+ "get_seuser: ret: %d msg: [%s] seuser: %s mls: %s\n",
+ ret, sss_strerror(ret),
+ db_seuser ? db_seuser : "unknown",
db_mls_range ? db_mls_range : "unknown");
if (ret == EOK && db_seuser && db_mls_range &&
strcmp(db_seuser, ibuf->seuser) == 0 &&
strcmp(db_mls_range, ibuf->mls_range) == 0) {
needs_update = false;
}
+ /* OR */
+ if (ret == ERR_SELINUX_NOT_MANAGED) {
+ needs_update = false;
+ }
talloc_free(db_seuser);
talloc_free(db_mls_range);
diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c
index fe06bee1dfec3abca3aa3cd5e85e55386ac11343..0da97aad4d8eba733b131c2749932e03ca4242c4 100644
--- a/src/util/sss_semanage.c
+++ b/src/util/sss_semanage.c
@@ -73,7 +73,7 @@ static void sss_semanage_close(semanage_handle_t *handle)
semanage_handle_destroy(handle);
}
-static semanage_handle_t *sss_semanage_init(void)
+static int sss_semanage_init(semanage_handle_t **_handle)
{
int ret;
semanage_handle_t *handle = NULL;
@@ -81,7 +81,8 @@ static semanage_handle_t *sss_semanage_init(void)
handle = semanage_handle_create();
if (!handle) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux management handle\n");
- return NULL;
+ ret = EIO;
+ goto done;
}
semanage_msg_set_callback(handle,
@@ -89,28 +90,41 @@ static semanage_handle_t *sss_semanage_init(void)
NULL);
ret = semanage_is_managed(handle);
- if (ret != 1) {
- DEBUG(SSSDBG_CRIT_FAILURE, "SELinux policy not managed\n");
- goto fail;
+ if (ret == 0) {
+ DEBUG(SSSDBG_TRACE_FUNC, "SELinux policy not managed via libsemanage\n");
+ ret = ERR_SELINUX_NOT_MANAGED;
+ goto done;
+ } else if (ret == -1) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Call to semanage_is_managed failed\n");
+ ret = EIO;
+ goto done;
}
ret = semanage_access_check(handle);
if (ret < SEMANAGE_CAN_READ) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot read SELinux policy store\n");
- goto fail;
+ ret = EACCES;
+ goto done;
}
ret = semanage_connect(handle);
if (ret != 0) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Cannot estabilish SELinux management connection\n");
- goto fail;
+ ret = EIO;
+ goto done;
}
- return handle;
-fail:
- sss_semanage_close(handle);
- return NULL;
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ sss_semanage_close(handle);
+ } else {
+ *_handle = handle;
+ }
+
+ return ret;
}
static int sss_semanage_user_add(semanage_handle_t *handle,
@@ -228,10 +242,11 @@ int set_seuser(const char *login_name, const char *seuser_name,
return EOK;
}
- handle = sss_semanage_init();
- if (!handle) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init SELinux management\n");
- ret = EIO;
+ ret = sss_semanage_init(&handle);
+ if (ret == ERR_SELINUX_NOT_MANAGED) {
+ goto done;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n");
goto done;
}
@@ -295,10 +310,11 @@ int del_seuser(const char *login_name)
int ret;
int exists = 0;
- handle = sss_semanage_init();
- if (!handle) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init SELinux management\n");
- ret = EIO;
+ ret = sss_semanage_init(&handle);
+ if (ret == ERR_SELINUX_NOT_MANAGED) {
+ goto done;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n");
goto done;
}
@@ -377,10 +393,11 @@ int get_seuser(TALLOC_CTX *mem_ctx, const char *login_name,
semanage_seuser_t *sm_user = NULL;
semanage_seuser_key_t *sm_key = NULL;
- sm_handle = sss_semanage_init();
- if (sm_handle == NULL) {
+ ret = sss_semanage_init(&sm_handle);
+ if (ret == ERR_SELINUX_NOT_MANAGED) {
+ goto done;
+ } else if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n");
- ret = EIO;
goto done;
}
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index 17388c997db5315c2491af1021e75aff07632488..97a7853827bb3a4a9c49f0306ca52be0f9aa8389 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -74,6 +74,7 @@ struct err_string error_to_str[] = {
{ "Cannot connect to system bus" }, /* ERR_NO_SYSBUS */
{ "LDAP search returned a referral" }, /* ERR_REFERRAL */
{ "Error setting SELinux user context" }, /* ERR_SELINUX_CONTEXT */
+ { "SELinux is not managed by libsemanage" }, /* ERR_SELINUX_NOT_MANAGED */
{ "Username format not allowed by re_expression" }, /* ERR_REGEX_NOMATCH */
{ "Time specification not supported" }, /* ERR_TIMESPEC_NOT_SUPPORTED */
{ "Invalid SSSD configuration detected" }, /* ERR_INVALID_CONFIG */
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index 7aacad26084a3a2af6333988f07db865f6a4d299..8d0d99b4cc86812d9c67d9319a23055c1c8fa4dc 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -96,6 +96,7 @@ enum sssd_errors {
ERR_NO_SYSBUS,
ERR_REFERRAL,
ERR_SELINUX_CONTEXT,
+ ERR_SELINUX_NOT_MANAGED,
ERR_REGEX_NOMATCH,
ERR_TIMESPEC_NOT_SUPPORTED,
ERR_INVALID_CONFIG,
--
2.12.2


@ -1,60 +0,0 @@
From 1c551b1373799643f3e9ba4f696d21b8fc57dafd Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 16 Mar 2017 20:43:08 +0100
Subject: [PATCH] krb5: return to responder that pkinit is not available
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If pkinit is not available for a user but other authentication methods
are SSSD should still fall back to local certificate based
authentication if Smartcard credentials are provided.
Resolves https://pagure.io/SSSD/sssd/issue/3343
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/providers/krb5/krb5_child.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 777a25f2a0ea434dde12d2396f6a35c2a1b86cd0..a4128dda6b0861a95dba223047d66c4158b1afb6 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -42,6 +42,10 @@
#define SSSD_KRB5_CHANGEPW_PRINCIPAL "kadmin/changepw"
+#define IS_SC_AUTHTOK(tok) ( \
+ sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_PIN \
+ || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_KEYPAD)
+
enum k5c_fast_opt {
K5C_FAST_NEVER,
K5C_FAST_TRY,
@@ -1529,12 +1533,17 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
* pre-auth module is missing or no Smartcard is inserted and only
* pkinit is available KRB5_PREAUTH_FAILED is returned.
* ERR_NO_AUTH_METHOD_AVAILABLE is used to indicate to the
- * frontend that local authentication might be tried. */
+ * frontend that local authentication might be tried.
+ * Same is true if Smartcard credentials are given but only other
+ * authentication methods are available. */
if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
&& kerr == KRB5_PREAUTH_FAILED
- && kr->password_prompting == false
- && kr->otp == false
- && kr->pkinit_prompting == false) {
+ && kr->pkinit_prompting == false
+ && (( kr->password_prompting == false
+ && kr->otp == false)
+ || ((kr->otp == true
+ || kr->password_prompting == true)
+ && IS_SC_AUTHTOK(kr->pd->authtok))) ) {
return ERR_NO_AUTH_METHOD_AVAILABLE;
}
return kerr;
--
2.12.2


@ -1,51 +0,0 @@
From 08084b1179bb9fc38bc22b464b3d44907107bfd3 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 25 Apr 2017 12:39:32 +0000
Subject: [PATCH 4/6] ssh tools: The ai structure is not an array,
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This structure is actually a linked list, so do not mislead readers by
treating it as an array.
Resolves:
https://pagure.io/SSSD/sssd/issue/1498
Merges: https://pagure.io/SSSD/sssd/pull-request/3383
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
index adb82288d435cefccf7e23e6ed2b2c551798a7f8..310243c2fc8091f711559d4afb412e619af687ad 100644
--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
@@ -268,10 +268,10 @@ int main(int argc, const char **argv)
DEBUG(SSSDBG_OP_FAILURE,
"getaddrinfo() failed (%d): %s\n", ret, gai_strerror(ret));
} else {
- host = ai[0].ai_canonname;
+ host = ai->ai_canonname;
}
} else {
- ret = getnameinfo(ai[0].ai_addr, ai[0].ai_addrlen,
+ ret = getnameinfo(ai->ai_addr, ai->ai_addrlen,
canonhost, NI_MAXHOST, NULL, 0, NI_NAMEREQD);
if (ret) {
DEBUG(SSSDBG_OP_FAILURE,
@@ -295,7 +295,7 @@ int main(int argc, const char **argv)
if (pc_args) {
ret = connect_proxy_command(discard_const(pc_args));
} else if (ai) {
- ret = connect_socket(ai[0].ai_family, ai[0].ai_addr, ai[0].ai_addrlen);
+ ret = connect_socket(ai->ai_family, ai->ai_addr, ai->ai_addrlen);
} else {
ret = EFAULT;
}
--
2.12.2


@ -1,46 +0,0 @@
From 5f6232c7e6d9635c1d6b6b09f799309b6094b143 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 25 Apr 2017 14:00:15 +0000
Subject: [PATCH 5/6] ssh tools: Fix issues with multiple IP addresses
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cycle through all resolved address until one succeed or all fail.
This is needed for dual stack systems where either IPv4 or IPv6 are
improperly configured or selectively filtered at some point along the
route.
Resolves:
https://pagure.io/SSSD/sssd/issue/1498
Merges: https://pagure.io/SSSD/sssd/pull-request/3383
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
index 310243c2fc8091f711559d4afb412e619af687ad..b7b0c3bb66226be1c6453332a0b3af9fdf4e5a29 100644
--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
@@ -295,7 +295,13 @@ int main(int argc, const char **argv)
if (pc_args) {
ret = connect_proxy_command(discard_const(pc_args));
} else if (ai) {
- ret = connect_socket(ai->ai_family, ai->ai_addr, ai->ai_addrlen);
+ /* Try all IP addresses before giving up */
+ for (struct addrinfo *ti = ai; ti != NULL; ti = ti->ai_next) {
+ ret = connect_socket(ti->ai_family, ti->ai_addr, ti->ai_addrlen);
+ if (ret == 0) {
+ break;
+ }
+ }
} else {
ret = EFAULT;
}
--
2.12.2


@ -1,95 +0,0 @@
From 244adc327f7e29ba2c7ef60bc9f732d8fe3e68c9 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 25 Apr 2017 19:19:13 +0000
Subject: [PATCH 6/6] ssh tools: Split connect and communication phases
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We can fallback after a connect error, but we cannot easily fall back
once we start sending data as we may have consumed part of the buffer so
reconnecting and sending what's left would not make sense.
Therefore we now fallback on connect errors, but we issue a hard fail if
error happens after communication has been established.
Resolves:
https://pagure.io/SSSD/sssd/issue/1498
Merges: https://pagure.io/SSSD/sssd/pull-request/3383
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 30 ++++++++++++++++++++--------
1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
index b7b0c3bb66226be1c6453332a0b3af9fdf4e5a29..976ba86b321923cecad0703214e22b0a773ef585 100644
--- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c
@@ -40,14 +40,10 @@
/* connect to server using socket */
static int
-connect_socket(int family, struct sockaddr *addr, size_t addr_len)
+connect_socket(int family, struct sockaddr *addr, size_t addr_len, int *sd)
{
int flags;
int sock = -1;
- struct pollfd fds[2];
- char buffer[BUFFER_SIZE];
- int i;
- ssize_t res;
int ret;
/* set O_NONBLOCK on standard input */
@@ -85,6 +81,22 @@ connect_socket(int family, struct sockaddr *addr, size_t addr_len)
goto done;
}
+ *sd = sock;
+
+done:
+ if (ret != 0 && sock >= 0) close(sock);
+ return ret;
+}
+
+static int proxy_data(int sock)
+{
+ int flags;
+ struct pollfd fds[2];
+ char buffer[BUFFER_SIZE];
+ int i;
+ ssize_t res;
+ int ret;
+
/* set O_NONBLOCK on the socket */
flags = fcntl(sock, F_GETFL);
if (flags == -1) {
@@ -158,8 +170,7 @@ connect_socket(int family, struct sockaddr *addr, size_t addr_len)
}
done:
- if (sock >= 0) close(sock);
-
+ close(sock);
return ret;
}
@@ -297,8 +308,11 @@ int main(int argc, const char **argv)
} else if (ai) {
/* Try all IP addresses before giving up */
for (struct addrinfo *ti = ai; ti != NULL; ti = ti->ai_next) {
- ret = connect_socket(ti->ai_family, ti->ai_addr, ti->ai_addrlen);
+ int socket_descriptor = -1;
+ ret = connect_socket(ti->ai_family, ti->ai_addr, ti->ai_addrlen,
+ &socket_descriptor);
if (ret == 0) {
+ ret = proxy_data(socket_descriptor);
break;
}
}
--
2.12.2


@ -1,174 +0,0 @@
From c92e49144978ad3b6c9fffa8803ebdad8f6f5b18 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Sun, 9 Apr 2017 20:50:47 +0200
Subject: [PATCH] HBAC: Do not rely on originalMemberOf, use the sysdb memberof
links instead
The IPA HBAC code used to read the group members from the
originalMemberOf attribute value for performance reasons. However,
especially on IPA clients trusting an AD domain, the originalMemberOf
attribute value is often not synchronized correctly.
Instead of going through the work of maintaining both member/memberOf
and originalMemberOf, let's just do an ASQ search for the group names of
the groups the user is a member of in the cache and read their
SYSBD_NAME attribute.
To avoid clashing between similarly-named groups in IPA and in AD, we
look at the container of the group.
Resolves:
https://pagure.io/SSSD/sssd/issue/3382
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/providers/ipa/ipa_hbac_common.c | 97 +++++++++++++++++++++++++------------
1 file changed, 67 insertions(+), 30 deletions(-)
diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c
index b99b75d32..ba677965a 100644
--- a/src/providers/ipa/ipa_hbac_common.c
+++ b/src/providers/ipa/ipa_hbac_common.c
@@ -507,15 +507,15 @@ hbac_eval_user_element(TALLOC_CTX *mem_ctx,
struct hbac_request_element **user_element)
{
errno_t ret;
- unsigned int i;
unsigned int num_groups = 0;
TALLOC_CTX *tmp_ctx;
- const char *member_dn;
struct hbac_request_element *users;
- struct ldb_message *msg;
- struct ldb_message_element *el;
- const char *attrs[] = { SYSDB_ORIG_MEMBEROF, NULL };
char *shortname;
+ const char *fqgroupname = NULL;
+ struct sss_domain_info *ipa_domain;
+ struct ldb_dn *ipa_groups_basedn;
+ struct ldb_result *res;
+ int exp_comp;
tmp_ctx = talloc_new(mem_ctx);
if (tmp_ctx == NULL) return ENOMEM;
@@ -533,56 +533,93 @@ hbac_eval_user_element(TALLOC_CTX *mem_ctx,
}
users->name = talloc_steal(users, shortname);
- /* Read the originalMemberOf attribute
- * This will give us the list of both POSIX and
- * non-POSIX groups that this user belongs to.
+ ipa_domain = get_domains_head(domain);
+ if (ipa_domain == NULL) {
+ ret = EINVAL;
+ goto done;
+ }
+
+ ipa_groups_basedn = ldb_dn_new_fmt(tmp_ctx, sysdb_ctx_get_ldb(domain->sysdb),
+ SYSDB_TMPL_GROUP_BASE, ipa_domain->name);
+ if (ipa_groups_basedn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* +1 because there will be a RDN preceding the base DN */
+ exp_comp = ldb_dn_get_comp_num(ipa_groups_basedn) + 1;
+
+ /*
+ * Get all the groups the user is a member of.
+ * This includes both POSIX and non-POSIX groups.
*/
- ret = sysdb_search_user_by_name(tmp_ctx, domain, username,
- attrs, &msg);
+ ret = sysdb_initgroups(tmp_ctx, domain, username, &res);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
- "Could not determine user memberships for [%s]\n",
- users->name);
+ "sysdb_asq_search failed [%d]: %s\n", ret, sss_strerror(ret));
goto done;
}
- el = ldb_msg_find_element(msg, SYSDB_ORIG_MEMBEROF);
- if (el == NULL || el->num_values == 0) {
+ if (res->count == 0) {
+ /* This should not happen at this point */
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "User [%s] not found in cache.\n", username);
+ ret = ENOENT;
+ goto done;
+ } else if (res->count == 1) {
+ /* The first item is the user entry */
DEBUG(SSSDBG_TRACE_LIBS, "No groups for [%s]\n", users->name);
ret = create_empty_grouplist(users);
goto done;
}
DEBUG(SSSDBG_TRACE_LIBS,
- "[%d] groups for [%s]\n", el->num_values, users->name);
+ "[%u] groups for [%s]\n", res->count - 1, username);
- users->groups = talloc_array(users, const char *, el->num_values + 1);
+ /* This also includes the sentinel, b/c we'll skip the user entry below */
+ users->groups = talloc_array(users, const char *, res->count);
if (users->groups == NULL) {
ret = ENOMEM;
goto done;
}
- for (i = 0; i < el->num_values; i++) {
- member_dn = (const char *)el->values[i].data;
+ /* Start counting from 1 to exclude the user entry */
+ for (size_t i = 1; i < res->count; i++) {
+ /* Only groups from the IPA domain can be referenced from HBAC rules. To
+ * avoid evaluating groups which might even have the same name, but come
+ * from a trusted domain, we first copy the DN to a temporary one..
+ */
+ if (ldb_dn_get_comp_num(res->msgs[i]->dn) != exp_comp
+ || ldb_dn_compare_base(ipa_groups_basedn,
+ res->msgs[i]->dn) != 0) {
+ DEBUG(SSSDBG_FUNC_DATA,
+ "Skipping non-IPA group %s\n",
+ ldb_dn_get_linearized(res->msgs[i]->dn));
+ continue;
+ }
- ret = get_ipa_groupname(users->groups, domain->sysdb, member_dn,
- &users->groups[num_groups]);
- if (ret != EOK && ret != ERR_UNEXPECTED_ENTRY_TYPE) {
+ fqgroupname = ldb_msg_find_attr_as_string(res->msgs[i], SYSDB_NAME, NULL);
+ if (fqgroupname == NULL) {
DEBUG(SSSDBG_MINOR_FAILURE,
- "Skipping malformed entry [%s]\n", member_dn);
+ "Skipping malformed entry [%s]\n",
+ ldb_dn_get_linearized(res->msgs[i]->dn));
continue;
- } else if (ret == EOK) {
- DEBUG(SSSDBG_TRACE_LIBS, "Added group [%s] for user [%s]\n",
- users->groups[num_groups], users->name);
- num_groups++;
+ }
+
+ ret = sss_parse_internal_fqname(tmp_ctx, fqgroupname,
+ &shortname, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Malformed name %s, skipping!\n", fqgroupname);
continue;
}
- /* Skip entries that are not groups */
- DEBUG(SSSDBG_TRACE_INTERNAL,
- "Skipping non-group memberOf [%s]\n", member_dn);
+
+ users->groups[num_groups] = talloc_steal(users->groups, shortname);
+ DEBUG(SSSDBG_TRACE_LIBS, "Added group [%s] for user [%s]\n",
+ users->groups[num_groups], users->name);
+ num_groups++;
}
users->groups[num_groups] = NULL;
- if (num_groups < el->num_values) {
+ if (num_groups < (res->count - 1)) {
/* Shrink the array memory */
users->groups = talloc_realloc(users, users->groups, const char *,
num_groups+1);
--
2.13.0


@ -1,28 +0,0 @@
From 5ecc5585fbe2cf8b3f1efb7fe3473dbcb67ff160 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Tue, 27 Jun 2017 15:12:27 +0200
Subject: [PATCH] BUILD: Disable tests with expired certificates
---
Makefile.am | 2 --
1 file changed, 2 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 5635a8c8fd681c4a17d003487e9ea440ab431407..c230d5e69320206778637ee3d30bedf9fe2e000a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -273,11 +273,9 @@ if HAVE_CMOCKA
responder_cache_req-tests \
test_sbus_opath \
test_fo_srv \
- pam-srv-tests \
test_ipa_subdom_util \
test_tools_colondb \
test_krb5_wait_queue \
- test_cert_utils \
test_ldap_id_cleanup \
test_data_provider_be \
test_dp_request_table \
--
2.13.0


@ -1 +1 @@
SHA512 (sssd-1.15.2.tar.gz) = e0ed648155641261e53cff338aaa1bad72bd8051170b6f42e9c9427d46d747902a828cbbab680e16e5c248b901f01303678540ec9621f33bb8dcf60d7a4d1921
SHA512 (sssd-1.15.3.tar.gz) = 92478205ee1b1cebc3d35b733576180db51cee8cc84d0c2cb78386924ffa90ae355b6ad9b7b51e5e5f5a7a4588764d1c7afb0673c035b1fe9b1a283beb79a428

117
sssd.spec

@ -21,6 +21,10 @@
%global enable_systemtap 1
%global enable_systemtap_opt --enable-systemtap
%global with_secrets 1
%global with_kcm 1
%global libwbc_alternatives_version 0.12
%global libwbc_lib_version %{libwbc_alternatives_version}.0
%global libwbc_alternatives_suffix %nil
@ -29,8 +33,8 @@
%endif
Name: sssd
Version: 1.15.2
Release: 6%{?dist}
Version: 1.15.3
Release: 1%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -39,19 +43,9 @@ Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ###
Patch0001: 0001-responders-do-not-leak-selinux-context-on-clients-de.patch
Patch0002: 0002-selinux-Do-not-fail-if-SELinux-is-not-managed.patch
Patch0003: 0003-krb5-return-to-responder-that-pkinit-is-not-availabl.patch
Patch0004: 0004-ssh-tools-The-ai-structure-is-not-an-array.patch
Patch0005: 0005-ssh-tools-Fix-issues-with-multiple-IP-addresses.patch
Patch0006: 0006-ssh-tools-Split-connect-and-communication-phases.patch
Patch0007: 0007-HBAC-Do-not-rely-on-originalMemberOf-use-the-sysdb-m.patch
Patch0500: 0500-Revert-libwbclient-sssd-update-interface-to-version-.patch
Patch0502: 0502-SYSTEMD-Use-capabilities.patch
# Simpler is to disable unit tests then patching binary files
# Remove me with 1.15.3
Patch0510: 0510-BUILD-Disable-tests-with-expired-certificates.patch
### Dependencies ###
@ -127,7 +121,9 @@ BuildRequires: samba4-devel
BuildRequires: libsmbclient-devel
BuildRequires: systemtap-sdt-devel
BuildRequires: http-parser-devel
BuildRequires: libuuid-devel
BuildRequires: jansson-devel
BuildRequires: libcurl-devel
%description
Provides a set of daemons to manage access to remote directories and
@ -146,6 +142,9 @@ License: GPLv3+
# Conflicts
Conflicts: selinux-policy < 3.10.0-46
Conflicts: sssd < 1.10.0-8%{?dist}.beta2
# due to ABI changes in rawhide(1.1.30/1.2.0)
# f26 <= will never have libldb 1.2.0 due to samba-4.6.x
Conflicts: libldb >= 1.1.30
# Requires
Requires: sssd-client%{?_isa} = %{version}-%{release}
Recommends: libsss_sudo = %{version}-%{release}
@ -552,6 +551,36 @@ The libnfsidmap sssd module provides a way for rpc.idmapd to call SSSD to map
UIDs/GIDs to names and vice versa. It can be also used for mapping principal
(user) name to IDs(UID or GID) or to obtain groups which user are member of.
%package -n libsss_certmap
Summary: SSSD Certficate Mapping Library
Group: Development/Libraries
License: LGPLv3+
Requires(post): /sbin/ldconfig
Requires(postun): /sbin/ldconfig
Conflicts: sssd-common < %{version}-%{release}
%description -n libsss_certmap
Library to map certificates to users based on rules
%package -n libsss_certmap-devel
Summary: SSSD Certficate Mapping Library
Group: Development/Libraries
License: LGPLv3+
Requires: libsss_certmap = %{version}-%{release}
%description -n libsss_certmap-devel
Library to map certificates to users based on rules
%package kcm
Summary: An implementation of a Kerberos KCM server
Group: Applications/System
License: GPLv3+
Requires: sssd-common = %{version}-%{release}
%description kcm
An implementation of a Kerberos KCM server. Use this package if you want to
use the KCM: Kerberos credentials cache.
%prep
# Update timestamps on the files touched by a patch, to avoid non-equal
# .pyc/.pyo files across the multilib peers within a build, where "Level"
@ -612,8 +641,7 @@ sed -i -e 's:/usr/bin/python:/usr/bin/python3:' src/tools/sss_obfuscate
make install DESTDIR=$RPM_BUILD_ROOT
if [ ! -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/modules/libwbclient.so.%{libwbc_lib_version}
]
if [ ! -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/modules/libwbclient.so.%{libwbc_lib_version} ]
then
echo "Expected libwbclient version not found, please check if version has changed."
exit -1
@ -655,10 +683,11 @@ do
done
touch sssd.lang
for subpackage in ldap krb5 ipa ad proxy tools client dbus nfs_idmap \
winbind_idmap
for subpackage in sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools \
sssd_client sssd_dbus sssd_nfs_idmap sssd_winbind_idmap \
libsss_certmap sssd_kcm
do
touch sssd_$subpackage.lang
touch $subpackage.lang
done
for man in `find $RPM_BUILD_ROOT/%{_mandir}/??/man?/ -type f | sed -e "s#$RPM_BUILD_ROOT/%{_mandir}/##"`
@ -704,9 +733,15 @@ do
sssd-ifp*)
echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_dbus.lang
;;
sssd-kcm*)
echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_kcm.lang
;;
idmap_sss*)
echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_winbind_idmap.lang
;;
sss-certmap*)
echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> libsss_certmap.lang
;;
*)
echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang
;;
@ -723,11 +758,12 @@ cat python2_sssdconfig.lang
echo "python3_sssdconfig.lang:"
cat python3_sssdconfig.lang
for subpackage in ldap krb5 ipa ad proxy tools client dbus nfs_idmap \
winbind_idmap
for subpackage in sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools \
sssd_client sssd_dbus sssd_nfs_idmap sssd_winbind_idmap \
libsss_certmap sssd_kcm
do
echo "sssd_$subpackage.lang:"
cat sssd_$subpackage.lang
echo "$subpackage.lang:"
cat $subpackage.lang
done
%files
@ -1063,6 +1099,27 @@ done
%{_mandir}/man5/sss_rpcidmapd.5*
%{_libdir}/libnfsidmap/sss.so
%files -n libsss_certmap -f libsss_certmap.lang
%defattr(-,root,root,-)
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/libsss_certmap.so.*
%{_mandir}/man5/sss-certmap.5*
%files -n libsss_certmap-devel
%defattr(-,root,root,-)
%doc certmap_doc/html
%{_includedir}/sss_certmap.h
%{_libdir}/libsss_certmap.so
%{_libdir}/pkgconfig/sss_certmap.pc
%files kcm -f sssd_kcm.lang
%{_libexecdir}/%{servicename}/sssd_kcm
%dir %{_datadir}/sssd-kcm
%{_datadir}/sssd-kcm/kcm_default_ccache
%{_unitdir}/sssd-kcm.socket
%{_unitdir}/sssd-kcm.service
%{_mandir}/man8/sssd-kcm.8*
%post common
%systemd_post sssd.service
%systemd_post sssd-autofs.socket
@ -1111,6 +1168,16 @@ done
%postun dbus
%systemd_postun_with_restart sssd-ifp.service
%post kcm
%systemd_post sssd-kcm.socket
%preun kcm
%systemd_preun sssd-kcm.socket
%postun kcm
%systemd_postun_with_restart sssd-kcm.socket
%systemd_postun_with_restart sssd-kcm.service
%if (0%{?with_cifs_utils_plugin} == 1)
%post client
/sbin/ldconfig
@ -1146,6 +1213,10 @@ fi
%postun -n libsss_simpleifp -p /sbin/ldconfig
%post -n libsss_certmap -p /sbin/ldconfig
%postun -n libsss_certmap -p /sbin/ldconfig
%posttrans common
%systemd_postun_with_restart sssd.service
@ -1173,6 +1244,10 @@ fi
%{_libdir}/%{name}/modules/libwbclient.so
%changelog
* Tue Jul 25 2017 Lukas Slebodnik <lslebodn@redhat.com> - 1.15.3-1
- New upstream release 1.15.3
- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_3.html
* Tue Jun 27 2017 Lukas Slebodnik <lslebodn@redhat.com> - 1.15.2-6
Fix build issues: Disable unit tests with expided certificates
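Review bot: In the `@ -1111,6 +1168,16 @@` hunk the new `%preun kcm` scriptlet only handles `sssd-kcm.socket`, although the package also ships `%{_unitdir}/sssd-kcm.service` and `%postun kcm` restarts both units. Disabling only the socket presumably leaves an already socket-activated `sssd-kcm.service` instance running after its binary has been removed; if the server should stop on package removal, `%systemd_preun sssd-kcm.socket sssd-kcm.service` covers both units. Separately, `%global with_kcm 1` is added near the top of the spec but the new `%package kcm`, `%files kcm` and kcm scriptlets are unconditional, unlike the `%if (0%{?with_cifs_utils_plugin} == 1)` guard used around the client scriptlets — either wrap the kcm sections in `%if (0%{?with_kcm} == 1)` or the new global is dead. `%files kcm -f sssd_kcm.lang` is also the only new %files section without the `%defattr(-,root,root,-)` line that the `libsss_certmap` and `libsss_certmap-devel` sections carry.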