From 39ce51321244a1d282a608582ae1c9cdd79526e3 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Tue, 25 Jul 2017 14:24:33 +0200
Subject: [PATCH] New upstream release 1.15.3
https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_3.html
---
 .gitignore | 1 +
 ...t-leak-selinux-context-on-clients-de.patch | 68 ------
 ...o-not-fail-if-SELinux-is-not-managed.patch | 210 ------------------
 ...esponder-that-pkinit-is-not-availabl.patch | 60 -----
 ...ols-The-ai-structure-is-not-an-array.patch | 51 -----
 ...ix-issues-with-multiple-IP-addresses.patch | 46 ----
 ...lit-connect-and-communication-phases.patch | 95 --------
 ...-on-originalMemberOf-use-the-sysdb-m.patch | 174 ---------------
 ...able-tests-with-expired-certificates.patch | 28 ---
 sources | 2 +-
 sssd.spec | 117 ++++++++--
 11 files changed, 98 insertions(+), 754 deletions(-)
 delete mode 100644 0001-responders-do-not-leak-selinux-context-on-clients-de.patch
 delete mode 100644 0002-selinux-Do-not-fail-if-SELinux-is-not-managed.patch
 delete mode 100644 0003-krb5-return-to-responder-that-pkinit-is-not-availabl.patch
 delete mode 100644 0004-ssh-tools-The-ai-structure-is-not-an-array.patch
 delete mode 100644 0005-ssh-tools-Fix-issues-with-multiple-IP-addresses.patch
 delete mode 100644 0006-ssh-tools-Split-connect-and-communication-phases.patch
 delete mode 100644 0007-HBAC-Do-not-rely-on-originalMemberOf-use-the-sysdb-m.patch
 delete mode 100644 0510-BUILD-Disable-tests-with-expired-certificates.patch
diff --git a/.gitignore b/.gitignore
index 0a8663e..633f1d0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -76,3 +76,4 @@ sssd-1.2.91.tar.gz
 /sssd-1.15.0.tar.gz
 /sssd-1.15.1.tar.gz
 /sssd-1.15.2.tar.gz
+/sssd-1.15.3.tar.gz
diff --git a/0001-responders-do-not-leak-selinux-context-on-clients-de.patch b/0001-responders-do-not-leak-selinux-context-on-clients-de.patch
deleted file mode 100644
index b6fa846..0000000
--- a/0001-responders-do-not-leak-selinux-context-on-clients-de.patch
+++ /dev/null
@@ -1,68 +0,0 @@ -From 408edbc9ef7b7467c153f2498d7034962222664c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Mon, 3 Apr 2017 12:56:01 +0200 -Subject: [PATCH 1/2] responders: do not leak selinux context on clients - destruction -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The SELinux context created in get_client_cred is not talloc bound and -we were leaking it if available with each client's destruction. - -Resolves: -https://pagure.io/SSSD/sssd/issue/3360 - -Reviewed-by: Lukáš Slebodník ---- - src/responder/common/responder_common.c | 20 +++++++++++++++++++- - 1 file changed, 19 insertions(+), 1 deletion(-) - -diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c -index 76f43609651217e537ffa515aaf5b5caa98a2e90..b5b4a3284cf288f1bd328fee83877e9ba6cb61e4 100644 ---- a/src/responder/common/responder_common.c -+++ b/src/responder/common/responder_common.c -@@ -97,7 +97,7 @@ static errno_t get_client_cred(struct cli_ctx *cctx) - SEC_CTX secctx; - int ret; - -- cctx->creds = talloc(cctx, struct cli_creds); -+ cctx->creds = talloc_zero(cctx, struct cli_creds); - if (!cctx->creds) return ENOMEM; - - #ifdef HAVE_UCRED -@@ -464,6 +464,22 @@ static void client_fd_handler(struct tevent_context *ev, - - static errno_t setup_client_idle_timer(struct cli_ctx *cctx); - -+static int cli_ctx_destructor(struct cli_ctx *cctx) -+{ -+ if (cctx->creds == NULL) { -+ return 0; -+ } -+ -+ if (cctx->creds->selinux_ctx == NULL) { -+ return 0; -+ } -+ -+ SELINUX_context_free(cctx->creds->selinux_ctx); -+ cctx->creds->selinux_ctx = NULL; -+ -+ return 0; -+} -+ - struct accept_fd_ctx { - struct resp_ctx *rctx; - bool is_private; -@@ -520,6 +536,8 @@ static void accept_fd_handler(struct tevent_context *ev, - return; - } - -+ talloc_set_destructor(cctx, cli_ctx_destructor); -+ - len = sizeof(cctx->addr); - cctx->cfd = accept(fd, (struct sockaddr *)&cctx->addr, &len); - if 
(cctx->cfd == -1) { --- -2.12.2 - diff --git a/0002-selinux-Do-not-fail-if-SELinux-is-not-managed.patch b/0002-selinux-Do-not-fail-if-SELinux-is-not-managed.patch deleted file mode 100644 index af1c66e..0000000 --- a/0002-selinux-Do-not-fail-if-SELinux-is-not-managed.patch +++ /dev/null 
@@ -1,210 +0,0 @@ -From 3ebb0b03c35c5b733d7bdb53b434950711461bbb Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michal=20=C5=BDidek?= -Date: Wed, 8 Feb 2017 12:01:37 +0100 -Subject: [PATCH 2/2] selinux: Do not fail if SELinux is not managed -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Previously we failed if semanage_is_managed returned 0 or -1 (not -managed or error). With this patch we only fail in case of error and -continue normally if selinux is not managed by libsemanage at all. - -Resolves: -https://fedorahosted.org/sssd/ticket/3297 - -Reviewed-by: Lukáš Slebodník ---- - Makefile.am | 1 + - src/providers/ipa/selinux_child.c | 9 ++++-- - src/util/sss_semanage.c | 61 +++++++++++++++++++++++++-------------- - src/util/util_errors.c | 1 + - src/util/util_errors.h | 1 + - 5 files changed, 49 insertions(+), 24 deletions(-) - -diff --git a/Makefile.am b/Makefile.am -index 45b04de2638a745a189c0b4e5794ccd29913b10d..fed51a9d09d867856cbf26bfcd99df3b89d4859d 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -3827,6 +3827,7 @@ selinux_child_SOURCES = \ - src/util/sss_semanage.c \ - src/util/atomic_io.c \ - src/util/util.c \ -+ src/util/util_errors.c \ - $(NULL) - selinux_child_CFLAGS = \ - $(AM_CFLAGS) \ -diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c -index 380005c7ad3269fc8113c62ceef30b076455b5dd..f8dd3954a7244df2dcbb910aabf8888f41306c09 100644 ---- a/src/providers/ipa/selinux_child.c -+++ b/src/providers/ipa/selinux_child.c -@@ -174,14 +174,19 @@ static bool seuser_needs_update(struct input_buffer *ibuf) - - ret = get_seuser(ibuf, ibuf->username, &db_seuser, &db_mls_range); - DEBUG(SSSDBG_TRACE_INTERNAL, -- "get_seuser: ret: %d seuser: %s mls: %s\n", -- ret, db_seuser ? db_seuser : "unknown", -+ "get_seuser: ret: %d msg: [%s] seuser: %s mls: %s\n", -+ ret, sss_strerror(ret), -+ db_seuser ? db_seuser : "unknown", - db_mls_range ? 
db_mls_range : "unknown"); - if (ret == EOK && db_seuser && db_mls_range && - strcmp(db_seuser, ibuf->seuser) == 0 && - strcmp(db_mls_range, ibuf->mls_range) == 0) { - needs_update = false; - } -+ /* OR */ -+ if (ret == ERR_SELINUX_NOT_MANAGED) { -+ needs_update = false; -+ } - - talloc_free(db_seuser); - talloc_free(db_mls_range); -diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c -index fe06bee1dfec3abca3aa3cd5e85e55386ac11343..0da97aad4d8eba733b131c2749932e03ca4242c4 100644 ---- a/src/util/sss_semanage.c -+++ b/src/util/sss_semanage.c -@@ -73,7 +73,7 @@ static void sss_semanage_close(semanage_handle_t *handle) - semanage_handle_destroy(handle); - } - --static semanage_handle_t *sss_semanage_init(void) -+static int sss_semanage_init(semanage_handle_t **_handle) - { - int ret; - semanage_handle_t *handle = NULL; -@@ -81,7 +81,8 @@ static semanage_handle_t *sss_semanage_init(void) - handle = semanage_handle_create(); - if (!handle) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux management handle\n"); -- return NULL; -+ ret = EIO; -+ goto done; - } - - semanage_msg_set_callback(handle, -@@ -89,28 +90,41 @@ static semanage_handle_t *sss_semanage_init(void) - NULL); - - ret = semanage_is_managed(handle); -- if (ret != 1) { -- DEBUG(SSSDBG_CRIT_FAILURE, "SELinux policy not managed\n"); -- goto fail; -+ if (ret == 0) { -+ DEBUG(SSSDBG_TRACE_FUNC, "SELinux policy not managed via libsemanage\n"); -+ ret = ERR_SELINUX_NOT_MANAGED; -+ goto done; -+ } else if (ret == -1) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Call to semanage_is_managed failed\n"); -+ ret = EIO; -+ goto done; - } - - ret = semanage_access_check(handle); - if (ret < SEMANAGE_CAN_READ) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot read SELinux policy store\n"); -- goto fail; -+ ret = EACCES; -+ goto done; - } - - ret = semanage_connect(handle); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Cannot estabilish SELinux management connection\n"); -- goto fail; -+ ret = EIO; -+ goto done; - } - -- return 
handle; --fail: -- sss_semanage_close(handle); -- return NULL; -+ ret = EOK; -+ -+done: -+ if (ret != EOK) { -+ sss_semanage_close(handle); -+ } else { -+ *_handle = handle; -+ } -+ -+ return ret; - } - - static int sss_semanage_user_add(semanage_handle_t *handle, -@@ -228,10 +242,11 @@ int set_seuser(const char *login_name, const char *seuser_name, - return EOK; - } - -- handle = sss_semanage_init(); -- if (!handle) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init SELinux management\n"); -- ret = EIO; -+ ret = sss_semanage_init(&handle); -+ if (ret == ERR_SELINUX_NOT_MANAGED) { -+ goto done; -+ } else if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n"); - goto done; - } - -@@ -295,10 +310,11 @@ int del_seuser(const char *login_name) - int ret; - int exists = 0; - -- handle = sss_semanage_init(); -- if (!handle) { -- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init SELinux management\n"); -- ret = EIO; -+ ret = sss_semanage_init(&handle); -+ if (ret == ERR_SELINUX_NOT_MANAGED) { -+ goto done; -+ } else if (ret != EOK) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n"); - goto done; - } - -@@ -377,10 +393,11 @@ int get_seuser(TALLOC_CTX *mem_ctx, const char *login_name, - semanage_seuser_t *sm_user = NULL; - semanage_seuser_key_t *sm_key = NULL; - -- sm_handle = sss_semanage_init(); -- if (sm_handle == NULL) { -+ ret = sss_semanage_init(&sm_handle); -+ if (ret == ERR_SELINUX_NOT_MANAGED) { -+ goto done; -+ } else if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n"); -- ret = EIO; - goto done; - } - -diff --git a/src/util/util_errors.c b/src/util/util_errors.c -index 17388c997db5315c2491af1021e75aff07632488..97a7853827bb3a4a9c49f0306ca52be0f9aa8389 100644 ---- a/src/util/util_errors.c -+++ b/src/util/util_errors.c -@@ -74,6 +74,7 @@ struct err_string error_to_str[] = { - { "Cannot connect to system bus" }, /* ERR_NO_SYSBUS */ - { "LDAP search returned a referral" }, /* ERR_REFERRAL */ - { "Error setting 
SELinux user context" }, /* ERR_SELINUX_CONTEXT */ -+ { "SELinux is not managed by libsemanage" }, /* ERR_SELINUX_NOT_MANAGED */ - { "Username format not allowed by re_expression" }, /* ERR_REGEX_NOMATCH */ - { "Time specification not supported" }, /* ERR_TIMESPEC_NOT_SUPPORTED */ - { "Invalid SSSD configuration detected" }, /* ERR_INVALID_CONFIG */ -diff --git a/src/util/util_errors.h b/src/util/util_errors.h -index 7aacad26084a3a2af6333988f07db865f6a4d299..8d0d99b4cc86812d9c67d9319a23055c1c8fa4dc 100644 ---- a/src/util/util_errors.h -+++ b/src/util/util_errors.h -@@ -96,6 +96,7 @@ enum sssd_errors { - ERR_NO_SYSBUS, - ERR_REFERRAL, - ERR_SELINUX_CONTEXT, -+ ERR_SELINUX_NOT_MANAGED, - ERR_REGEX_NOMATCH, - ERR_TIMESPEC_NOT_SUPPORTED, - ERR_INVALID_CONFIG, --- -2.12.2 - diff --git a/0003-krb5-return-to-responder-that-pkinit-is-not-availabl.patch b/0003-krb5-return-to-responder-that-pkinit-is-not-availabl.patch deleted file mode 100644 index f90fa3a..0000000 --- a/0003-krb5-return-to-responder-that-pkinit-is-not-availabl.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 1c551b1373799643f3e9ba4f696d21b8fc57dafd Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Thu, 16 Mar 2017 20:43:08 +0100 -Subject: [PATCH] krb5: return to responder that pkinit is not available -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If pkinit is not available for a user but other authentication methods -are SSSD should still fall back to local certificate based -authentication if Smartcard credentials are provided. - -Resolves https://pagure.io/SSSD/sssd/issue/3343 - -Reviewed-by: Jakub Hrozek -Reviewed-by: Lukáš Slebodník ---- - src/providers/krb5/krb5_child.c | 17 +++++++++++++---- - 1 file changed, 13 insertions(+), 4 deletions(-) - -diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c -index 777a25f2a0ea434dde12d2396f6a35c2a1b86cd0..a4128dda6b0861a95dba223047d66c4158b1afb6 100644 ---- a/src/providers/krb5/krb5_child.c -+++ b/src/providers/krb5/krb5_child.c -@@ -42,6 +42,10 @@ - - #define SSSD_KRB5_CHANGEPW_PRINCIPAL "kadmin/changepw" - -+#define IS_SC_AUTHTOK(tok) ( \ -+ sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_PIN \ -+ || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_KEYPAD) -+ - enum k5c_fast_opt { - K5C_FAST_NEVER, - K5C_FAST_TRY, -@@ -1529,12 +1533,17 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr, - * pre-auth module is missing or no Smartcard is inserted and only - * pkinit is available KRB5_PREAUTH_FAILED is returned. - * ERR_NO_AUTH_METHOD_AVAILABLE is used to indicate to the -- * frontend that local authentication might be tried. */ -+ * frontend that local authentication might be tried. -+ * Same is true if Smartcard credentials are given but only other -+ * authentication methods are available. 
*/ - if (kr->pd->cmd == SSS_PAM_AUTHENTICATE - && kerr == KRB5_PREAUTH_FAILED -- && kr->password_prompting == false -- && kr->otp == false -- && kr->pkinit_prompting == false) { -+ && kr->pkinit_prompting == false -+ && (( kr->password_prompting == false -+ && kr->otp == false) -+ || ((kr->otp == true -+ || kr->password_prompting == true) -+ && IS_SC_AUTHTOK(kr->pd->authtok))) ) { - return ERR_NO_AUTH_METHOD_AVAILABLE; - } - return kerr; --- -2.12.2 - diff --git a/0004-ssh-tools-The-ai-structure-is-not-an-array.patch b/0004-ssh-tools-The-ai-structure-is-not-an-array.patch deleted file mode 100644 index 734f465..0000000 --- a/0004-ssh-tools-The-ai-structure-is-not-an-array.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From 08084b1179bb9fc38bc22b464b3d44907107bfd3 Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Tue, 25 Apr 2017 12:39:32 +0000 -Subject: [PATCH 4/6] ssh tools: The ai structure is not an array, -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This structure is actually a linked list, so do not mislead readers by -treating it as an array. - -Resolves: -https://pagure.io/SSSD/sssd/issue/1498 - -Merges: https://pagure.io/SSSD/sssd/pull-request/3383 - -Signed-off-by: Simo Sorce -Reviewed-by: Lukáš Slebodník ---- - src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c -index adb82288d435cefccf7e23e6ed2b2c551798a7f8..310243c2fc8091f711559d4afb412e619af687ad 100644 ---- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c -+++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c -@@ -268,10 +268,10 @@ int main(int argc, const char **argv) - DEBUG(SSSDBG_OP_FAILURE, - "getaddrinfo() failed (%d): %s\n", ret, gai_strerror(ret)); - } else { -- host = ai[0].ai_canonname; -+ host = ai->ai_canonname; - } - } else { -- ret = getnameinfo(ai[0].ai_addr, ai[0].ai_addrlen, -+ ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, - canonhost, NI_MAXHOST, NULL, 0, NI_NAMEREQD); - if (ret) { - DEBUG(SSSDBG_OP_FAILURE, -@@ -295,7 +295,7 @@ int main(int argc, const char **argv) - if (pc_args) { - ret = connect_proxy_command(discard_const(pc_args)); - } else if (ai) { -- ret = connect_socket(ai[0].ai_family, ai[0].ai_addr, ai[0].ai_addrlen); -+ ret = connect_socket(ai->ai_family, ai->ai_addr, ai->ai_addrlen); - } else { - ret = EFAULT; - } --- -2.12.2 - diff --git a/0005-ssh-tools-Fix-issues-with-multiple-IP-addresses.patch b/0005-ssh-tools-Fix-issues-with-multiple-IP-addresses.patch deleted file mode 100644 index 6ccee63..0000000 
--- a/0005-ssh-tools-Fix-issues-with-multiple-IP-addresses.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 5f6232c7e6d9635c1d6b6b09f799309b6094b143 Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Tue, 25 Apr 2017 14:00:15 +0000 -Subject: [PATCH 5/6] ssh tools: Fix issues with multiple IP addresses -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Cycle through all resolved address until one succeed or all fail. -This is needed for dual stack systems where either IPv4 or IPv6 are -improperly configured or selectively filtered at some point along the -route. - -Resolves: -https://pagure.io/SSSD/sssd/issue/1498 - -Merges: https://pagure.io/SSSD/sssd/pull-request/3383 - -Signed-off-by: Simo Sorce -Reviewed-by: Lukáš Slebodník ---- - src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c -index 310243c2fc8091f711559d4afb412e619af687ad..b7b0c3bb66226be1c6453332a0b3af9fdf4e5a29 100644 ---- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c -+++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c -@@ -295,7 +295,13 @@ int main(int argc, const char **argv) - if (pc_args) { - ret = connect_proxy_command(discard_const(pc_args)); - } else if (ai) { -- ret = connect_socket(ai->ai_family, ai->ai_addr, ai->ai_addrlen); -+ /* Try all IP addresses before giving up */ -+ for (struct addrinfo *ti = ai; ti != NULL; ti = ti->ai_next) { -+ ret = connect_socket(ti->ai_family, ti->ai_addr, ti->ai_addrlen); -+ if (ret == 0) { -+ break; -+ } -+ } - } else { - ret = EFAULT; - } --- -2.12.2 - diff --git a/0006-ssh-tools-Split-connect-and-communication-phases.patch b/0006-ssh-tools-Split-connect-and-communication-phases.patch deleted file mode 100644 index f9ad656..0000000 --- a/0006-ssh-tools-Split-connect-and-communication-phases.patch +++ /dev/null 
@@ -1,95 +0,0 @@ -From 244adc327f7e29ba2c7ef60bc9f732d8fe3e68c9 Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Tue, 25 Apr 2017 19:19:13 +0000 -Subject: [PATCH 6/6] ssh tools: Split connect and communication phases -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -We can fallback after a connect error, but we cannot easily fall back -once we start sending data as we may have consumed part of the buffer so -reconnecting and sending what's left would not make sense. - -Therefore we now fallback on connect errors, but we issue a hard fail if -error happens after communication has been established. - -Resolves: -https://pagure.io/SSSD/sssd/issue/1498 - -Merges: https://pagure.io/SSSD/sssd/pull-request/3383 - -Signed-off-by: Simo Sorce -Reviewed-by: Lukáš Slebodník ---- - src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 30 ++++++++++++++++++++-------- - 1 file changed, 22 insertions(+), 8 deletions(-) - -diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c -index b7b0c3bb66226be1c6453332a0b3af9fdf4e5a29..976ba86b321923cecad0703214e22b0a773ef585 100644 ---- a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c -+++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c -@@ -40,14 +40,10 @@ - - /* connect to server using socket */ - static int --connect_socket(int family, struct sockaddr *addr, size_t addr_len) -+connect_socket(int family, struct sockaddr *addr, size_t addr_len, int *sd) - { - int flags; - int sock = -1; -- struct pollfd fds[2]; -- char buffer[BUFFER_SIZE]; -- int i; -- ssize_t res; - int ret; - - /* set O_NONBLOCK on standard input */ -@@ -85,6 +81,22 @@ connect_socket(int family, struct sockaddr *addr, size_t addr_len) - goto done; - } - -+ *sd = sock; -+ -+done: -+ if (ret != 0 && sock >= 0) close(sock); -+ return ret; -+} -+ -+static int proxy_data(int sock) -+{ -+ int flags; -+ struct pollfd fds[2]; -+ char buffer[BUFFER_SIZE]; -+ int i; -+ ssize_t res; -+ int ret; -+ 
- /* set O_NONBLOCK on the socket */ - flags = fcntl(sock, F_GETFL); - if (flags == -1) { -@@ -158,8 +170,7 @@ connect_socket(int family, struct sockaddr *addr, size_t addr_len) - } - - done: -- if (sock >= 0) close(sock); -- -+ close(sock); - return ret; - } - -@@ -297,8 +308,11 @@ int main(int argc, const char **argv) - } else if (ai) { - /* Try all IP addresses before giving up */ - for (struct addrinfo *ti = ai; ti != NULL; ti = ti->ai_next) { -- ret = connect_socket(ti->ai_family, ti->ai_addr, ti->ai_addrlen); -+ int socket_descriptor = -1; -+ ret = connect_socket(ti->ai_family, ti->ai_addr, ti->ai_addrlen, -+ &socket_descriptor); - if (ret == 0) { -+ ret = proxy_data(socket_descriptor); - break; - } - } --- -2.12.2 - diff --git a/0007-HBAC-Do-not-rely-on-originalMemberOf-use-the-sysdb-m.patch b/0007-HBAC-Do-not-rely-on-originalMemberOf-use-the-sysdb-m.patch deleted file mode 100644 index b5e7ca4..0000000 --- a/0007-HBAC-Do-not-rely-on-originalMemberOf-use-the-sysdb-m.patch +++ /dev/null 
@@ -1,174 +0,0 @@ -From c92e49144978ad3b6c9fffa8803ebdad8f6f5b18 Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Sun, 9 Apr 2017 20:50:47 +0200 -Subject: [PATCH] HBAC: Do not rely on originalMemberOf, use the sysdb memberof - links instead - -The IPA HBAC code used to read the group members from the -originalMemberOf attribute value for performance reasons. However, -especially on IPA clients trusting an AD domain, the originalMemberOf -attribute value is often not synchronized correctly. - -Instead of going through the work of maintaining both member/memberOf -and originalMemberOf, let's just do an ASQ search for the group names of -the groups the user is a member of in the cache and read their -SYSBD_NAME attribute. - -To avoid clashing between similarly-named groups in IPA and in AD, we -look at the container of the group. - -Resolves: -https://pagure.io/SSSD/sssd/issue/3382 - -Reviewed-by: Sumit Bose ---- - src/providers/ipa/ipa_hbac_common.c | 97 +++++++++++++++++++++++++------------ - 1 file changed, 67 insertions(+), 30 deletions(-) - -diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c -index b99b75d32..ba677965a 100644 ---- a/src/providers/ipa/ipa_hbac_common.c -+++ b/src/providers/ipa/ipa_hbac_common.c -@@ -507,15 +507,15 @@ hbac_eval_user_element(TALLOC_CTX *mem_ctx, - struct hbac_request_element **user_element) - { - errno_t ret; -- unsigned int i; - unsigned int num_groups = 0; - TALLOC_CTX *tmp_ctx; -- const char *member_dn; - struct hbac_request_element *users; -- struct ldb_message *msg; -- struct ldb_message_element *el; -- const char *attrs[] = { SYSDB_ORIG_MEMBEROF, NULL }; - char *shortname; -+ const char *fqgroupname = NULL; -+ struct sss_domain_info *ipa_domain; -+ struct ldb_dn *ipa_groups_basedn; -+ struct ldb_result *res; -+ int exp_comp; - - tmp_ctx = talloc_new(mem_ctx); - if (tmp_ctx == NULL) return ENOMEM; -@@ -533,56 +533,93 @@ hbac_eval_user_element(TALLOC_CTX *mem_ctx, - } - users->name = 
talloc_steal(users, shortname); - -- /* Read the originalMemberOf attribute -- * This will give us the list of both POSIX and -- * non-POSIX groups that this user belongs to. -+ ipa_domain = get_domains_head(domain); -+ if (ipa_domain == NULL) { -+ ret = EINVAL; -+ goto done; -+ } -+ -+ ipa_groups_basedn = ldb_dn_new_fmt(tmp_ctx, sysdb_ctx_get_ldb(domain->sysdb), -+ SYSDB_TMPL_GROUP_BASE, ipa_domain->name); -+ if (ipa_groups_basedn == NULL) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ /* +1 because there will be a RDN preceding the base DN */ -+ exp_comp = ldb_dn_get_comp_num(ipa_groups_basedn) + 1; -+ -+ /* -+ * Get all the groups the user is a member of. -+ * This includes both POSIX and non-POSIX groups. - */ -- ret = sysdb_search_user_by_name(tmp_ctx, domain, username, -- attrs, &msg); -+ ret = sysdb_initgroups(tmp_ctx, domain, username, &res); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, -- "Could not determine user memberships for [%s]\n", -- users->name); -+ "sysdb_asq_search failed [%d]: %s\n", ret, sss_strerror(ret)); - goto done; - } - -- el = ldb_msg_find_element(msg, SYSDB_ORIG_MEMBEROF); -- if (el == NULL || el->num_values == 0) { -+ if (res->count == 0) { -+ /* This should not happen at this point */ -+ DEBUG(SSSDBG_MINOR_FAILURE, -+ "User [%s] not found in cache.\n", username); -+ ret = ENOENT; -+ goto done; -+ } else if (res->count == 1) { -+ /* The first item is the user entry */ - DEBUG(SSSDBG_TRACE_LIBS, "No groups for [%s]\n", users->name); - ret = create_empty_grouplist(users); - goto done; - } - DEBUG(SSSDBG_TRACE_LIBS, -- "[%d] groups for [%s]\n", el->num_values, users->name); -+ "[%u] groups for [%s]\n", res->count - 1, username); - -- users->groups = talloc_array(users, const char *, el->num_values + 1); -+ /* This also includes the sentinel, b/c we'll skip the user entry below */ -+ users->groups = talloc_array(users, const char *, res->count); - if (users->groups == NULL) { - ret = ENOMEM; - goto done; - } - -- for (i = 0; i < 
el->num_values; i++) { -- member_dn = (const char *)el->values[i].data; -+ /* Start counting from 1 to exclude the user entry */ -+ for (size_t i = 1; i < res->count; i++) { -+ /* Only groups from the IPA domain can be referenced from HBAC rules. To -+ * avoid evaluating groups which might even have the same name, but come -+ * from a trusted domain, we first copy the DN to a temporary one.. -+ */ -+ if (ldb_dn_get_comp_num(res->msgs[i]->dn) != exp_comp -+ || ldb_dn_compare_base(ipa_groups_basedn, -+ res->msgs[i]->dn) != 0) { -+ DEBUG(SSSDBG_FUNC_DATA, -+ "Skipping non-IPA group %s\n", -+ ldb_dn_get_linearized(res->msgs[i]->dn)); -+ continue; -+ } - -- ret = get_ipa_groupname(users->groups, domain->sysdb, member_dn, -- &users->groups[num_groups]); -- if (ret != EOK && ret != ERR_UNEXPECTED_ENTRY_TYPE) { -+ fqgroupname = ldb_msg_find_attr_as_string(res->msgs[i], SYSDB_NAME, NULL); -+ if (fqgroupname == NULL) { - DEBUG(SSSDBG_MINOR_FAILURE, -- "Skipping malformed entry [%s]\n", member_dn); -+ "Skipping malformed entry [%s]\n", -+ ldb_dn_get_linearized(res->msgs[i]->dn)); - continue; -- } else if (ret == EOK) { -- DEBUG(SSSDBG_TRACE_LIBS, "Added group [%s] for user [%s]\n", -- users->groups[num_groups], users->name); -- num_groups++; -+ } -+ -+ ret = sss_parse_internal_fqname(tmp_ctx, fqgroupname, -+ &shortname, NULL); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_MINOR_FAILURE, "Malformed name %s, skipping!\n", fqgroupname); - continue; - } -- /* Skip entries that are not groups */ -- DEBUG(SSSDBG_TRACE_INTERNAL, -- "Skipping non-group memberOf [%s]\n", member_dn); -+ -+ users->groups[num_groups] = talloc_steal(users->groups, shortname); -+ DEBUG(SSSDBG_TRACE_LIBS, "Added group [%s] for user [%s]\n", -+ users->groups[num_groups], users->name); -+ num_groups++; - } - users->groups[num_groups] = NULL; - -- if (num_groups < el->num_values) { -+ if (num_groups < (res->count - 1)) { - /* Shrink the array memory */ - users->groups = talloc_realloc(users, users->groups, const char 
*,
- num_groups+1);
---
-2.13.0
-
diff --git a/0510-BUILD-Disable-tests-with-expired-certificates.patch b/0510-BUILD-Disable-tests-with-expired-certificates.patch
deleted file mode 100644
index bfb2f29..0000000
--- a/0510-BUILD-Disable-tests-with-expired-certificates.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 5ecc5585fbe2cf8b3f1efb7fe3473dbcb67ff160 Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik
-Date: Tue, 27 Jun 2017 15:12:27 +0200
-Subject: [PATCH] BUILD: Disable tests with expired certificates
-
----
- Makefile.am | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/Makefile.am b/Makefile.am
-index 5635a8c8fd681c4a17d003487e9ea440ab431407..c230d5e69320206778637ee3d30bedf9fe2e000a 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -273,11 +273,9 @@ if HAVE_CMOCKA
- responder_cache_req-tests \
- test_sbus_opath \
- test_fo_srv \
-- pam-srv-tests \
- test_ipa_subdom_util \
- test_tools_colondb \
- test_krb5_wait_queue \
-- test_cert_utils \
- test_ldap_id_cleanup \
- test_data_provider_be \
- test_dp_request_table \
---
-2.13.0
-
diff --git a/sources b/sources
index d0afde1..7a1c8b1 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (sssd-1.15.2.tar.gz) = e0ed648155641261e53cff338aaa1bad72bd8051170b6f42e9c9427d46d747902a828cbbab680e16e5c248b901f01303678540ec9621f33bb8dcf60d7a4d1921
+SHA512 (sssd-1.15.3.tar.gz) = 92478205ee1b1cebc3d35b733576180db51cee8cc84d0c2cb78386924ffa90ae355b6ad9b7b51e5e5f5a7a4588764d1c7afb0673c035b1fe9b1a283beb79a428
diff --git a/sssd.spec b/sssd.spec
index 571d81f..d998f0a 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -21,6 +21,10 @@
 %global enable_systemtap 1
 %global enable_systemtap_opt --enable-systemtap
+ %global with_secrets 1
+
+ %global with_kcm 1
+
 %global libwbc_alternatives_version 0.13
 %global libwbc_lib_version %{libwbc_alternatives_version}.0
 %global libwbc_alternatives_suffix %nil
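Review bot: `%global with_kcm 1` (and `%global with_secrets 1`) is introduced here as a build toggle, but nothing in the later hunks tests it: the `%package kcm`, `%files kcm` and `%post kcm`/`%preun kcm`/`%postun kcm` blocks added at @@ -551, @@ -1063 and @@ -1111 are unconditional, so setting the macro to 0 would still emit the subpackage and the build would then fail at `%files kcm`. If the macro only feeds a configure switch outside these hunks, a one-line comment next to it saying so would help the next maintainer; otherwise guard the kcm blocks the way the spec already guards the cifs plugin, `%if (0%{?with_kcm} == 1)` … `%endif`. I cannot see where `with_secrets` is consumed either, so the same question applies to it.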
@@ -29,8 +33,8 @@
 %endif
 Name: sssd
-Version: 1.15.2
-Release: 6%{?dist}
+Version: 1.15.3
+Release: 1%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -39,18 +43,8 @@ Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 ### Patches ###
-Patch0001: 0001-responders-do-not-leak-selinux-context-on-clients-de.patch
-Patch0002: 0002-selinux-Do-not-fail-if-SELinux-is-not-managed.patch
-Patch0003: 0003-krb5-return-to-responder-that-pkinit-is-not-availabl.patch
-Patch0004: 0004-ssh-tools-The-ai-structure-is-not-an-array.patch
-Patch0005: 0005-ssh-tools-Fix-issues-with-multiple-IP-addresses.patch
-Patch0006: 0006-ssh-tools-Split-connect-and-communication-phases.patch
-Patch0007: 0007-HBAC-Do-not-rely-on-originalMemberOf-use-the-sysdb-m.patch
 Patch0502: 0502-SYSTEMD-Use-capabilities.patch
-# Simpler is to disable unit tests then patching binary files
-# Remove me with 1.15.3
-Patch0510: 0510-BUILD-Disable-tests-with-expired-certificates.patch
 ### Dependencies ###
@@ -126,7 +120,9 @@ BuildRequires: samba4-devel
 BuildRequires: libsmbclient-devel
 BuildRequires: systemtap-sdt-devel
 BuildRequires: http-parser-devel
+BuildRequires: libuuid-devel
 BuildRequires: jansson-devel
+BuildRequires: libcurl-devel
 %description
 Provides a set of daemons to manage access to remote directories and
@@ -145,6 +141,9 @@ License: GPLv3+
 # Conflicts
 Conflicts: selinux-policy < 3.10.0-46
 Conflicts: sssd < 1.10.0-8%{?dist}.beta2
+# due to ABI changes in rawhide(1.1.30/1.2.0)
+# f26 <= will never have libldb 1.2.0 due to samba-4.6.x
+Conflicts: libldb >= 1.1.30
 # Requires
 Requires: sssd-client%{?_isa} = %{version}-%{release}
 Recommends: libsss_sudo = %{version}-%{release}
@@ -551,6 +550,36 @@ The libnfsidmap sssd module provides a way for rpc.idmapd to call SSSD to map UIDs/GIDs to names and vice versa. It can be also used for mapping principal (user) name to IDs(UID or GID) or to obtain groups which user are member of.
+%package -n libsss_certmap
+Summary: SSSD Certficate Mapping Library
+Group: Development/Libraries
+License: LGPLv3+
+Requires(post): /sbin/ldconfig
+Requires(postun): /sbin/ldconfig
+Conflicts: sssd-common < %{version}-%{release}
+
+%description -n libsss_certmap
+Library to map certificates to users based on rules
+
+%package -n libsss_certmap-devel
+Summary: SSSD Certficate Mapping Library
+Group: Development/Libraries
+License: LGPLv3+
+Requires: libsss_certmap = %{version}-%{release}
+
+%description -n libsss_certmap-devel
+Library to map certificates to users based on rules
+
+%package kcm
+Summary: An implementation of a Kerberos KCM server
+Group: Applications/System
+License: GPLv3+
+Requires: sssd-common = %{version}-%{release}
+
+%description kcm
+An implementation of a Kerberos KCM server. Use this package if you want to use the KCM: Kerberos credentials cache.
+
 %prep
 # Update timestamps on the files touched by a patch, to avoid non-equal
 # .pyc/.pyo files across the multilib peers within a build, where "Level"
@@ -612,8 +641,7 @@ sed -i -e 's:/usr/bin/python:/usr/bin/python3:' src/tools/sss_obfuscate
 make install DESTDIR=$RPM_BUILD_ROOT
-if [ ! -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/modules/libwbclient.so.%{libwbc_lib_version}
-]
+if [ ! -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/modules/libwbclient.so.%{libwbc_lib_version} ]
 then
 echo "Expected libwbclient version not found, please check if version has changed."
 exit -1
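Review bot: Both new `Summary:` lines, for libsss_certmap and for libsss_certmap-devel, misspell the package purpose as "Certficate"; they should read `Summary: SSSD Certificate Mapping Library`. The -devel summary also simply repeats the library's, whereas the usual convention is to make the headers distinguishable in package listings, e.g. `Summary: Development files for libsss_certmap`. Everything else in the three new `%package` headers reads consistently with the existing subpackages.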
@@ -655,10 +683,11 @@ do
 done
 touch sssd.lang
-for subpackage in ldap krb5 ipa ad proxy tools client dbus nfs_idmap \
- winbind_idmap
+for subpackage in sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools \
+ sssd_client sssd_dbus sssd_nfs_idmap sssd_winbind_idmap \
+ libsss_certmap sssd_kcm
 do
- touch sssd_$subpackage.lang
+ touch $subpackage.lang
 done
 for man in `find $RPM_BUILD_ROOT/%{_mandir}/??/man?/ -type f | sed -e "s#$RPM_BUILD_ROOT/%{_mandir}/##"`
@@ -704,9 +733,15 @@ do
 sssd-ifp*)
 echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_dbus.lang
 ;;
+ sssd-kcm*)
+ echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_kcm.lang
+ ;;
 idmap_sss*)
 echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_winbind_idmap.lang
 ;;
+ sss-certmap*)
+ echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> libsss_certmap.lang
+ ;;
 *)
 echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang
 ;;
@@ -723,11 +758,12 @@ cat python2_sssdconfig.lang
 echo "python3_sssdconfig.lang:"
 cat python3_sssdconfig.lang
-for subpackage in ldap krb5 ipa ad proxy tools client dbus nfs_idmap \
- winbind_idmap
+for subpackage in sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools \
+ sssd_client sssd_dbus sssd_nfs_idmap sssd_winbind_idmap \
+ libsss_certmap sssd_kcm
 do
- echo "sssd_$subpackage.lang:"
- cat sssd_$subpackage.lang
+ echo "$subpackage.lang:"
+ cat $subpackage.lang
 done
 %files
@@ -1063,6 +1099,27 @@ done
 %{_mandir}/man5/sss_rpcidmapd.5*
 %{_libdir}/libnfsidmap/sss.so
+%files -n libsss_certmap -f libsss_certmap.lang
+%defattr(-,root,root,-)
+%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
+%{_libdir}/libsss_certmap.so.*
+%{_mandir}/man5/sss-certmap.5*
+
+%files -n libsss_certmap-devel
+%defattr(-,root,root,-)
+%doc certmap_doc/html
+%{_includedir}/sss_certmap.h
+%{_libdir}/libsss_certmap.so
+%{_libdir}/pkgconfig/sss_certmap.pc
+
+%files kcm -f sssd_kcm.lang
+%{_libexecdir}/%{servicename}/sssd_kcm
+%dir %{_datadir}/sssd-kcm
+%{_datadir}/sssd-kcm/kcm_default_ccache
+%{_unitdir}/sssd-kcm.socket
+%{_unitdir}/sssd-kcm.service
+%{_mandir}/man8/sssd-kcm.8*
+
 %post common
 %systemd_post sssd.service
 %systemd_post sssd-autofs.socket
@@ -1111,6 +1168,16 @@ done
 %postun dbus
 %systemd_postun_with_restart sssd-ifp.service
+%post kcm
+%systemd_post sssd-kcm.socket
+
+%preun kcm
+%systemd_preun sssd-kcm.socket
+
+%postun kcm
+%systemd_postun_with_restart sssd-kcm.socket
+%systemd_postun_with_restart sssd-kcm.service
+
 %if (0%{?with_cifs_utils_plugin} == 1)
 %post client
 /sbin/ldconfig
@@ -1146,6 +1213,10 @@ fi
 %postun -n libsss_simpleifp -p /sbin/ldconfig
+%post -n libsss_certmap -p /sbin/ldconfig
+
+%postun -n libsss_certmap -p /sbin/ldconfig
+
 %posttrans common
 %systemd_postun_with_restart sssd.service
@@ -1173,6 +1244,10 @@ fi
 %{_libdir}/%{name}/modules/libwbclient.so
 %changelog
+* Tue Jul 25 2017 Lukas Slebodnik - 1.15.3-1
+- New upstream release 1.15.3
+- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_3.html
+
 * Tue Jun 27 2017 Lukas Slebodnik - 1.15.2-6 Fix build issues: Disable unit tests with expided certificates
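Review bot: `%preun kcm` only runs `%systemd_preun sssd-kcm.socket`, while the `%postun kcm` block two lines below restarts both `sssd-kcm.socket` and `sssd-kcm.service`; on package removal the socket is disabled and stopped, but an already socket-activated `sssd-kcm.service` instance, which is the daemon serving users' Kerberos credential caches, keeps running with its binary gone unless the unit file itself ties the service to the socket (not visible in this diff). Naming both units, `%systemd_preun sssd-kcm.socket sssd-kcm.service`, mirrors the postun block and makes install and removal symmetric. `%post kcm` presetting only the socket is consistent with socket activation and looks right as written.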