rpms/sssd
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Remove the ability to create public ccachedir (#1015089)

Browse Source
This commit is contained in:
Jakub Hrozek 2013-10-04 09:51:35 +02:00
parent 36fd89e84a
commit 72c2cb49be
3 changed files with 722 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

284
0001-krb5-Remove-ability-to-create-public-directories.patch Normal file
View File

@ -0,0 +1,284 @@
From 121baf75c457c2642a2408173c5240027734a3fd Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Tue, 3 Sep 2013 22:48:02 -0400
Subject: [PATCH 1/2] krb5: Remove ability to create public directories
Setting up public directories is the job of the admin, and
current sssd syntax can't express the actual intention of the admin with
regrads to which parts of the path should be public or private.
Resolves:
https://fedorahosted.org/sssd/ticket/2071
---
src/providers/krb5/krb5_auth.c | 7 ++-
src/providers/krb5/krb5_utils.c | 96 ++++++++++++++---------------------------
src/providers/krb5/krb5_utils.h | 6 +--
3 files changed, 38 insertions(+), 71 deletions(-)
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 51c0d739247b7d40a17b6ee367c502df140a7383..a16b5395d21c40e53a5e69519141cbd3c47d7907 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -292,7 +292,7 @@ static errno_t krb5_auth_prepare_ccache_name(struct krb5child_req *kr,
struct be_ctx *be_ctx)
{
const char *ccname_template;
- bool private_path = false;
+ const char *realm;
errno_t ret;
if (!kr->is_offline) {
@@ -317,8 +317,7 @@ static errno_t krb5_auth_prepare_ccache_name(struct krb5child_req *kr,
ccname_template = dp_opt_get_cstring(kr->krb5_ctx->opts,
KRB5_CCNAME_TMPL);
kr->ccname = expand_ccname_template(kr, kr, ccname_template, true,
- be_ctx->domain->case_sensitive,
- &private_path);
+ be_ctx->domain->case_sensitive);
if (kr->ccname == NULL) {
DEBUG(1, ("expand_ccname_template failed.\n"));
return ENOMEM;
@@ -326,7 +325,7 @@ static errno_t krb5_auth_prepare_ccache_name(struct krb5child_req *kr,
ret = sss_krb5_precreate_ccache(kr->ccname,
kr->krb5_ctx->illegal_path_re,
- kr->uid, kr->gid, private_path);
+ kr->uid, kr->gid);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("ccache creation failed.\n"));
return ret;
diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c
index e6860482d9d330cbf12ad42d04e2e3af894cee89..cf6d72ad2e67f0d09ce423738003aa719cc43456 100644
--- a/src/providers/krb5/krb5_utils.c
+++ b/src/providers/krb5/krb5_utils.c
@@ -203,7 +203,7 @@ done:
char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
const char *template, bool file_mode,
- bool case_sensitive, bool *private_path)
+ bool case_sensitive)
{
char *copy;
char *p;
@@ -217,8 +217,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
char action;
bool rerun;
- *private_path = false;
-
if (template == NULL) {
DEBUG(1, ("Missing template.\n"));
return NULL;
@@ -269,7 +267,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
result = talloc_asprintf_append(result, "%s%s", p,
name);
- if (!file_mode) *private_path = true;
break;
case 'U':
if (kr->uid <= 0) {
@@ -279,7 +276,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
}
result = talloc_asprintf_append(result, "%s%"SPRIuid, p,
kr->uid);
- if (!file_mode) *private_path = true;
break;
case 'p':
if (kr->upn == NULL) {
@@ -288,7 +284,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
goto done;
}
result = talloc_asprintf_append(result, "%s%s", p, kr->upn);
- if (!file_mode) *private_path = true;
break;
case '%':
result = talloc_asprintf_append(result, "%s%%", p);
@@ -308,7 +303,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
goto done;
}
result = talloc_asprintf_append(result, "%s%s", p, kr->homedir);
- if (!file_mode) *private_path = true;
break;
case 'd':
if (file_mode) {
@@ -320,8 +314,7 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
}
dummy = expand_ccname_template(tmp_ctx, kr, cache_dir_tmpl,
- false, case_sensitive,
- private_path);
+ false, case_sensitive);
if (dummy == NULL) {
DEBUG(1, ("Expanding credential cache directory "
"template failed.\n"));
@@ -414,41 +407,30 @@ done:
return res;
}
-static errno_t check_parent_stat(bool private_path, struct stat *parent_stat,
+static errno_t check_parent_stat(struct stat *parent_stat,
uid_t uid, gid_t gid)
{
- if (private_path) {
- if (!((parent_stat->st_uid == 0 && parent_stat->st_gid == 0) ||
- parent_stat->st_uid == uid)) {
- DEBUG(1, ("Private directory can only be created below a "
- "directory belonging to root or to "
- "[%"SPRIuid"][%"SPRIgid"].\n", uid, gid));
- return EINVAL;
- }
+ if (!((parent_stat->st_uid == 0 && parent_stat->st_gid == 0) ||
+ parent_stat->st_uid == uid)) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Private directory can only be created below a directory "
+ "belonging to root or to [%"SPRIuid"][%"SPRIgid"].\n",
+ uid, gid));
+ return EINVAL;
+ }
- if (parent_stat->st_uid == uid) {
- if (!(parent_stat->st_mode & S_IXUSR)) {
- DEBUG(1, ("Parent directory does have the search bit set for "
- "the owner.\n"));
- return EINVAL;
- }
- } else {
- if (!(parent_stat->st_mode & S_IXOTH)) {
- DEBUG(1, ("Parent directory does have the search bit set for "
- "others.\n"));
- return EINVAL;
- }
+ if (parent_stat->st_uid == uid) {
+ if (!(parent_stat->st_mode & S_IXUSR)) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Parent directory does not have the search bit set for "
+ "the owner.\n"));
+ return EINVAL;
}
} else {
- if (parent_stat->st_uid != 0 || parent_stat->st_gid != 0) {
- DEBUG(1, ("Public directory cannot be created below a user "
- "directory.\n"));
- return EINVAL;
- }
-
if (!(parent_stat->st_mode & S_IXOTH)) {
- DEBUG(1, ("Parent directory does have the search bit set for "
- "others.\n"));
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Parent directory does not have the search bit set for "
+ "others.\n"));
return EINVAL;
}
}
@@ -559,7 +541,7 @@ check_ccache_re(const char *filename, pcre *illegal_re)
errno_t
create_ccache_dir(const char *ccdirname, pcre *illegal_re,
- uid_t uid, gid_t gid, bool private_path)
+ uid_t uid, gid_t gid)
{
int ret = EFAULT;
struct stat parent_stat;
@@ -598,27 +580,17 @@ create_ccache_dir(const char *ccdirname, pcre *illegal_re,
goto done;
}
- ret = check_parent_stat(private_path, &parent_stat, uid, gid);
+ ret = check_parent_stat(&parent_stat, uid, gid);
if (ret != EOK) {
DEBUG(SSSDBG_MINOR_FAILURE,
- ("check_parent_stat failed for %s directory [%s].\n",
- private_path ? "private" : "public", ccdirname));
+ ("check_parent_stat failed for directory [%s].\n", ccdirname));
goto done;
}
DLIST_FOR_EACH(li, missing_parents) {
DEBUG(SSSDBG_TRACE_INTERNAL,
("Creating directory [%s].\n", li->s));
- if (li->next == NULL) {
- new_dir_mode = private_path ? 0700 : 01777;
- } else {
- if (private_path &&
- parent_stat.st_uid == uid && parent_stat.st_gid == gid) {
- new_dir_mode = 0700;
- } else {
- new_dir_mode = 0755;
- }
- }
+ new_dir_mode = 0700;
old_umask = umask(0000);
ret = mkdir(li->s, new_dir_mode);
@@ -630,16 +602,12 @@ create_ccache_dir(const char *ccdirname, pcre *illegal_re,
strerror(ret)));
goto done;
}
- if (private_path &&
- ((parent_stat.st_uid == uid && parent_stat.st_gid == gid) ||
- li->next == NULL)) {
- ret = chown(li->s, uid, gid);
- if (ret != EOK) {
- ret = errno;
- DEBUG(SSSDBG_MINOR_FAILURE,
- ("chown failed [%d][%s].\n", ret, strerror(ret)));
- goto done;
- }
+ ret = chown(li->s, uid, gid);
+ if (ret != EOK) {
+ ret = errno;
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("chown failed [%d][%s].\n", ret, strerror(ret)));
+ goto done;
}
}
@@ -758,7 +726,7 @@ done:
}
errno_t sss_krb5_precreate_ccache(const char *ccname, pcre *illegal_re,
- uid_t uid, gid_t gid, bool private_path)
+ uid_t uid, gid_t gid)
{
TALLOC_CTX *tmp_ctx = NULL;
const char *filename;
@@ -802,7 +770,7 @@ errno_t sss_krb5_precreate_ccache(const char *ccname, pcre *illegal_re,
*end = '\0';
} while (*(end+1) == '\0');
- ret = create_ccache_dir(ccdirname, illegal_re, uid, gid, private_path);
+ ret = create_ccache_dir(ccdirname, illegal_re, uid, gid);
done:
talloc_free(tmp_ctx);
return ret;
diff --git a/src/providers/krb5/krb5_utils.h b/src/providers/krb5/krb5_utils.h
index 33cc6112b02af6991ef4aa4f1988dcbe08ed9266..4b1ebb0bb7a9e13d68ee62820f6408d029a2f072 100644
--- a/src/providers/krb5/krb5_utils.h
+++ b/src/providers/krb5/krb5_utils.h
@@ -43,11 +43,11 @@ errno_t check_if_cached_upn_needs_update(struct sysdb_ctx *sysdb,
const char *upn);
errno_t create_ccache_dir(const char *dirname, pcre *illegal_re,
- uid_t uid, gid_t gid, bool private_path);
+ uid_t uid, gid_t gid);
char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
const char *template, bool file_mode,
- bool case_sensitive, bool *private_path);
+ bool case_sensitive);
errno_t become_user(uid_t uid, gid_t gid);
struct sss_creds;
@@ -58,7 +58,7 @@ errno_t switch_creds(TALLOC_CTX *mem_ctx,
errno_t restore_creds(struct sss_creds *saved_creds);
errno_t sss_krb5_precreate_ccache(const char *ccname, pcre *illegal_re,
- uid_t uid, gid_t gid, bool private_path);
+ uid_t uid, gid_t gid);
errno_t sss_krb5_cc_destroy(const char *ccname, uid_t uid, gid_t gid);
errno_t sss_krb5_check_ccache_princ(uid_t uid, gid_t gid,
const char *ccname, const char *principal);
--
1.8.3.1

432
0002-krb5-Fix-unit-tests.patch Normal file
View File

@ -0,0 +1,432 @@
From adf0fd14ea54a3b015efe8a6d67532b87a064cdd Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 4 Oct 2013 09:40:34 +0200
Subject: [PATCH 2/2] krb5: Fix unit tests
---
src/tests/krb5_child-test.c | 5 +-
src/tests/krb5_utils-tests.c | 126 +++++++++++++++----------------------------
2 files changed, 46 insertions(+), 85 deletions(-)
diff --git a/src/tests/krb5_child-test.c b/src/tests/krb5_child-test.c
index 959b1bd698284d0db16634357e39fcd076b9fa00..0c6b68b82c648b8e83f5d11b613dd57be89482a0 100644
--- a/src/tests/krb5_child-test.c
+++ b/src/tests/krb5_child-test.c
@@ -198,7 +198,6 @@ create_dummy_req(TALLOC_CTX *mem_ctx, const char *user,
{
struct krb5child_req *kr;
struct passwd *pwd;
- bool private = false;
errno_t ret;
/* The top level child request */
@@ -246,7 +245,7 @@ create_dummy_req(TALLOC_CTX *mem_ctx, const char *user,
kr->ccname = expand_ccname_template(kr, kr,
dp_opt_get_cstring(kr->krb5_ctx->opts,
KRB5_CCNAME_TMPL),
- true, true, &private);
+ true, true);
if (!kr->ccname) goto fail;
DEBUG(SSSDBG_FUNC_DATA, ("ccname [%s] uid [%llu] gid [%llu]\n",
@@ -262,7 +261,7 @@ create_dummy_req(TALLOC_CTX *mem_ctx, const char *user,
ret = sss_krb5_precreate_ccache(kr->ccname,
kr->krb5_ctx->illegal_path_re,
- kr->uid, kr->gid, private);
+ kr->uid, kr->gid);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("create_ccache_dir failed.\n"));
goto fail;
diff --git a/src/tests/krb5_utils-tests.c b/src/tests/krb5_utils-tests.c
index ea0292569135e0fc22a44251cfc4e8719a15837f..3e0c607a58b9ff0840a93867c1ad61cc5a2ae665 100644
--- a/src/tests/krb5_utils-tests.c
+++ b/src/tests/krb5_utils-tests.c
@@ -117,13 +117,13 @@ START_TEST(test_pub_ccache_dir)
ret = chmod(testpath, 0754);
fail_unless(ret == EOK, "chmod failed.");
- ret = sss_krb5_precreate_ccache(filename, NULL, 12345, 12345, false);
+ ret = sss_krb5_precreate_ccache(filename, NULL, 12345, 12345);
fail_unless(ret == EINVAL, "sss_krb5_precreate_ccache does not return EINVAL "
"while x-bit is missing.");
ret = chmod(testpath, 0755);
fail_unless(ret == EOK, "chmod failed.");
- ret = sss_krb5_precreate_ccache(filename, NULL, 12345, 12345, false);
+ ret = sss_krb5_precreate_ccache(filename, NULL, 12345, 12345);
fail_unless(ret == EOK, "sss_krb5_precreate_ccache failed.");
check_dir(subdirname, 0, 0, 01777);
@@ -158,7 +158,7 @@ START_TEST(test_pub_ccache_dir_in_user_dir)
filename = talloc_asprintf(tmp_ctx, "%s/ccfile", subdirname);
fail_unless(filename != NULL, "talloc_asprintf failed.");
- ret = sss_krb5_precreate_ccache(filename, NULL, 12345, 12345, false);
+ ret = sss_krb5_precreate_ccache(filename, NULL, 12345, 12345);
fail_unless(ret == EINVAL, "Creating public ccache dir in user dir "
"does not failed with EINVAL.");
@@ -193,13 +193,13 @@ START_TEST(test_priv_ccache_dir)
ret = chmod(testpath, 0754);
fail_unless(ret == EOK, "chmod failed.");
- ret = sss_krb5_precreate_ccache(filename, NULL, uid, gid, true);
+ ret = sss_krb5_precreate_ccache(filename, NULL, uid, gid);
fail_unless(ret == EINVAL, "sss_krb5_precreate_ccache does not return EINVAL "
"while x-bit is missing.");
ret = chmod(testpath, 0755);
fail_unless(ret == EOK, "chmod failed.");
- ret = sss_krb5_precreate_ccache(filename, NULL, uid, gid, true);
+ ret = sss_krb5_precreate_ccache(filename, NULL, uid, gid);
fail_unless(ret == EOK, "sss_krb5_precreate_ccache failed.");
check_dir(subdir, uid, gid, 0700);
@@ -248,13 +248,13 @@ START_TEST(test_private_ccache_dir_in_user_dir)
ret = chmod(user_dir, 0600);
fail_unless(ret == EOK, "chmod failed.");
- ret = sss_krb5_precreate_ccache(filename, NULL, uid, gid, true);
+ ret = sss_krb5_precreate_ccache(filename, NULL, uid, gid);
fail_unless(ret == EINVAL, "sss_krb5_precreate_ccache does not return EINVAL "
"while x-bit is missing.");
ret = chmod(user_dir, 0700);
fail_unless(ret == EOK, "chmod failed.");
- ret = sss_krb5_precreate_ccache(filename, NULL, uid, gid, true);
+ ret = sss_krb5_precreate_ccache(filename, NULL, uid, gid);
fail_unless(ret == EOK, "sss_krb5_precreate_ccache failed.");
check_dir(dn3, uid, gid, 0700);
@@ -292,7 +292,7 @@ START_TEST(test_private_ccache_dir_in_wrong_user_dir)
filename = talloc_asprintf(tmp_ctx, "%s/ccfile", subdirname);
fail_unless(filename != NULL, "talloc_asprintf failed.");
- ret = sss_krb5_precreate_ccache(filename, NULL, 12345, 12345, true);
+ ret = sss_krb5_precreate_ccache(filename, NULL, 12345, 12345);
fail_unless(ret == EINVAL, "Creating private ccache dir in wrong user "
"dir does not failed with EINVAL.");
@@ -329,27 +329,27 @@ START_TEST(test_illegal_patterns)
filename = talloc_asprintf(tmp_ctx, "abc/./ccfile");
fail_unless(filename != NULL, "talloc_asprintf failed.");
- ret = create_ccache_dir(filename, illegal_re, uid, gid, true);
+ ret = create_ccache_dir(filename, illegal_re, uid, gid);
fail_unless(ret == EINVAL, "create_ccache_dir allowed relative path [%s].",
filename);
filename = talloc_asprintf(tmp_ctx, "%s/abc/./ccfile", dirname);
fail_unless(filename != NULL, "talloc_asprintf failed.");
- ret = create_ccache_dir(filename, illegal_re, uid, gid, true);
+ ret = create_ccache_dir(filename, illegal_re, uid, gid);
fail_unless(ret == EINVAL, "create_ccache_dir allowed "
"illegal pattern '/./' in filename [%s].",
filename);
filename = talloc_asprintf(tmp_ctx, "%s/abc/../ccfile", dirname);
fail_unless(filename != NULL, "talloc_asprintf failed.");
- ret = create_ccache_dir(filename, illegal_re, uid, gid, true);
+ ret = create_ccache_dir(filename, illegal_re, uid, gid);
fail_unless(ret == EINVAL, "create_ccache_dir allowed "
"illegal pattern '/../' in filename [%s].",
filename);
filename = talloc_asprintf(tmp_ctx, "%s/abc//ccfile", dirname);
fail_unless(filename != NULL, "talloc_asprintf failed.");
- ret = create_ccache_dir(filename, illegal_re, uid, gid, true);
+ ret = create_ccache_dir(filename, illegal_re, uid, gid);
fail_unless(ret == EINVAL, "create_ccache_dir allowed "
"illegal pattern '//' in filename [%s].",
filename);
@@ -385,7 +385,7 @@ START_TEST(test_cc_dir_create)
residual = talloc_asprintf(tmp_ctx, "DIR:%s/%s", dirname, "ccdir");
fail_unless(residual != NULL, "talloc_asprintf failed.");
- ret = sss_krb5_precreate_ccache(residual, illegal_re, uid, gid, true);
+ ret = sss_krb5_precreate_ccache(residual, illegal_re, uid, gid);
fail_unless(ret == EOK, "sss_krb5_precreate_ccache failed\n");
ret = rmdir(dirname);
if (ret < 0) ret = errno;
@@ -398,7 +398,7 @@ START_TEST(test_cc_dir_create)
residual = talloc_asprintf(tmp_ctx, "DIR:%s/%s", dirname, "ccdir/");
fail_unless(residual != NULL, "talloc_asprintf failed.");
- ret = sss_krb5_precreate_ccache(residual, illegal_re, uid, gid, true);
+ ret = sss_krb5_precreate_ccache(residual, illegal_re, uid, gid);
fail_unless(ret == EOK, "sss_krb5_precreate_ccache failed\n");
ret = rmdir(dirname);
if (ret < 0) ret = errno;
@@ -463,40 +463,34 @@ void free_talloc_context(void)
}
static void do_test(const char *file_template, const char *dir_template,
- const char *expected, const bool expected_private_path)
+ const char *expected)
{
char *result;
int ret;
- bool private_path = false;
ret = dp_opt_set_string(kr->krb5_ctx->opts, KRB5_CCACHEDIR, dir_template);
fail_unless(ret == EOK, "Failed to set Ccache dir");
- result = expand_ccname_template(tmp_ctx, kr, file_template, true,
- true, &private_path);
+ result = expand_ccname_template(tmp_ctx, kr, file_template, true, true);
fail_unless(result != NULL, "Cannot expand template [%s].", file_template);
fail_unless(strcmp(result, expected) == 0,
"Expansion failed, result [%s], expected [%s].",
result, expected);
- fail_unless(private_path == expected_private_path,
- "Unexpected private path, get [%s], expected [%s].",
- private_path ? "true" : "false",
- expected_private_path ? "true" : "false");
}
START_TEST(test_multiple_substitutions)
{
- do_test(BASE"_%u_%U_%u", CCACHE_DIR, BASE"_"USERNAME"_"UID"_"USERNAME, false);
+ do_test(BASE"_%u_%U_%u", CCACHE_DIR, BASE"_"USERNAME"_"UID"_"USERNAME);
do_test("%d/"FILENAME, BASE"_%u_%U_%u",
- BASE"_"USERNAME"_"UID"_"USERNAME"/"FILENAME, true);
+ BASE"_"USERNAME"_"UID"_"USERNAME"/"FILENAME);
}
END_TEST
START_TEST(test_username)
{
- do_test(BASE"_%u", CCACHE_DIR, BASE"_"USERNAME, false);
- do_test("%d/"FILENAME, BASE"_%u", BASE"_"USERNAME"/"FILENAME, true);
+ do_test(BASE"_%u", CCACHE_DIR, BASE"_"USERNAME);
+ do_test("%d/"FILENAME, BASE"_%u", BASE"_"USERNAME"/"FILENAME);
}
END_TEST
@@ -504,7 +498,6 @@ START_TEST(test_case_sensitive)
{
char *result;
int ret;
- bool private_path = false;
const char *file_template = BASE"_%u";
const char *expected_cs = BASE"_TestUser";
const char *expected_ci = BASE"_testuser";
@@ -513,16 +506,14 @@ START_TEST(test_case_sensitive)
ret = dp_opt_set_string(kr->krb5_ctx->opts, KRB5_CCACHEDIR, CCACHE_DIR);
fail_unless(ret == EOK, "Failed to set Ccache dir");
- result = expand_ccname_template(tmp_ctx, kr, file_template, true,
- true, &private_path);
+ result = expand_ccname_template(tmp_ctx, kr, file_template, true, true);
fail_unless(result != NULL, "Cannot expand template [%s].", file_template);
fail_unless(strcmp(result, expected_cs) == 0,
"Expansion failed, result [%s], expected [%s].",
result, expected_cs);
- result = expand_ccname_template(tmp_ctx, kr, file_template, true,
- false, &private_path);
+ result = expand_ccname_template(tmp_ctx, kr, file_template, true, false);
fail_unless(result != NULL, "Cannot expand template [%s].", file_template);
fail_unless(strcmp(result, expected_ci) == 0,
@@ -533,29 +524,29 @@ END_TEST
START_TEST(test_uid)
{
- do_test(BASE"_%U", CCACHE_DIR, BASE"_"UID, false);
- do_test("%d/"FILENAME, BASE"_%U", BASE"_"UID"/"FILENAME, true);
+ do_test(BASE"_%U", CCACHE_DIR, BASE"_"UID);
+ do_test("%d/"FILENAME, BASE"_%U", BASE"_"UID"/"FILENAME);
}
END_TEST
START_TEST(test_upn)
{
- do_test(BASE"_%p", CCACHE_DIR, BASE"_"PRINCIPAL_NAME, false);
- do_test("%d/"FILENAME, BASE"_%p", BASE"_"PRINCIPAL_NAME"/"FILENAME, true);
+ do_test(BASE"_%p", CCACHE_DIR, BASE"_"PRINCIPAL_NAME);
+ do_test("%d/"FILENAME, BASE"_%p", BASE"_"PRINCIPAL_NAME"/"FILENAME);
}
END_TEST
START_TEST(test_realm)
{
- do_test(BASE"_%r", CCACHE_DIR, BASE"_"REALM, false);
- do_test("%d/"FILENAME, BASE"_%r", BASE"_"REALM"/"FILENAME, false);
+ do_test(BASE"_%r", CCACHE_DIR, BASE"_"REALM);
+ do_test("%d/"FILENAME, BASE"_%r", BASE"_"REALM"/"FILENAME);
}
END_TEST
START_TEST(test_home)
{
- do_test(BASE"_%h", CCACHE_DIR, BASE"_"HOME_DIRECTORY, false);
- do_test("%d/"FILENAME, BASE"_%h", BASE"_"HOME_DIRECTORY"/"FILENAME, true);
+ do_test(BASE"_%h", CCACHE_DIR, BASE"_"HOME_DIRECTORY);
+ do_test("%d/"FILENAME, BASE"_%h", BASE"_"HOME_DIRECTORY"/"FILENAME);
}
END_TEST
@@ -563,20 +554,15 @@ START_TEST(test_ccache_dir)
{
char *result;
int ret;
- bool private_path = false;
- do_test(BASE"_%d", CCACHE_DIR, BASE"_"CCACHE_DIR, false);
+ do_test(BASE"_%d", CCACHE_DIR, BASE"_"CCACHE_DIR);
ret = dp_opt_set_string(kr->krb5_ctx->opts, KRB5_CCACHEDIR, BASE"_%d");
fail_unless(ret == EOK, "Failed to set Ccache dir");
- result = expand_ccname_template(tmp_ctx, kr, "%d/"FILENAME, true,
- true, &private_path);
+ result = expand_ccname_template(tmp_ctx, kr, "%d/"FILENAME, true, true);
fail_unless(result == NULL, "Using %%d in ccache dir should fail.");
- fail_unless(private_path == false,
- "Unexpected private path, get [%s], expected [%s].",
- private_path ? "true" : "false", "false");
}
END_TEST
@@ -584,39 +570,32 @@ START_TEST(test_pid)
{
char *result;
int ret;
- bool private_path = false;
- do_test(BASE"_%P", CCACHE_DIR, BASE"_"PID, false);
+ do_test(BASE"_%P", CCACHE_DIR, BASE"_"PID);
ret = dp_opt_set_string(kr->krb5_ctx->opts, KRB5_CCACHEDIR, BASE"_%P");
fail_unless(ret == EOK, "Failed to set Ccache dir");
- result = expand_ccname_template(tmp_ctx, kr, "%d/"FILENAME, true,
- true, &private_path);
+ result = expand_ccname_template(tmp_ctx, kr, "%d/"FILENAME, true, true);
fail_unless(result == NULL, "Using %%P in ccache dir should fail.");
- fail_unless(private_path == false,
- "Unexpected private path, get [%s], expected [%s].",
- private_path ? "true" : "false", "false");
}
END_TEST
START_TEST(test_percent)
{
- do_test(BASE"_%%", CCACHE_DIR, BASE"_%", false);
- do_test("%d/"FILENAME, BASE"_%%", BASE"_%/"FILENAME, false);
+ do_test(BASE"_%%", CCACHE_DIR, BASE"_%");
+ do_test("%d/"FILENAME, BASE"_%%", BASE"_%/"FILENAME);
}
END_TEST
-START_TEST(test_unknow_template)
+START_TEST(test_unknown_template)
{
const char *test_template = BASE"_%X";
char *result;
int ret;
- bool private_path = false;
- result = expand_ccname_template(tmp_ctx, kr, test_template, true,
- true, &private_path);
+ result = expand_ccname_template(tmp_ctx, kr, test_template, true, true);
fail_unless(result == NULL, "Unknown template [%s] should fail.",
test_template);
@@ -624,14 +603,10 @@ START_TEST(test_unknow_template)
ret = dp_opt_set_string(kr->krb5_ctx->opts, KRB5_CCACHEDIR, BASE"_%X");
fail_unless(ret == EOK, "Failed to set Ccache dir");
test_template = "%d/"FILENAME;
- result = expand_ccname_template(tmp_ctx, kr, test_template, true,
- true, &private_path);
+ result = expand_ccname_template(tmp_ctx, kr, test_template, true, true);
fail_unless(result == NULL, "Unknown template [%s] should fail.",
test_template);
- fail_unless(private_path == false,
- "Unexpected private path, get [%s], expected [%s].",
- private_path ? "true" : "false", "false");
}
END_TEST
@@ -639,16 +614,11 @@ START_TEST(test_NULL)
{
char *test_template = NULL;
char *result;
- bool private_path = false;
- result = expand_ccname_template(tmp_ctx, kr, test_template, true,
- true, &private_path);
+ result = expand_ccname_template(tmp_ctx, kr, test_template, true, true);
fail_unless(result == NULL, "Expected NULL as a result for an empty input.",
test_template);
- fail_unless(private_path == false,
- "Unexpected private path, get [%s], expected [%s].",
- private_path ? "true" : "false", "false");
}
END_TEST
@@ -656,32 +626,25 @@ START_TEST(test_no_substitution)
{
const char *test_template = BASE;
char *result;
- bool private_path = false;
- result = expand_ccname_template(tmp_ctx, kr, test_template, true,
- true, &private_path);
+ result = expand_ccname_template(tmp_ctx, kr, test_template, true, true);
fail_unless(result != NULL, "Cannot expand template [%s].", test_template);
fail_unless(strcmp(result, test_template) == 0,
"Expansion failed, result [%s], expected [%s].",
result, test_template);
- fail_unless(private_path == false,
- "Unexpected private path, get [%s], expected [%s].",
- private_path ? "true" : "false", "false");
}
END_TEST
START_TEST(test_krb5_style_expansion)
{
char *result;
- bool private_path = false;
const char *file_template;
const char *expected;
file_template = BASE"/%{uid}/%{USERID}/%{euid}/%{username}";
expected = BASE"/"UID"/"UID"/"UID"/"USERNAME;
- result = expand_ccname_template(tmp_ctx, kr, file_template, true,
- true, &private_path);
+ result = expand_ccname_template(tmp_ctx, kr, file_template, true, true);
fail_unless(result != NULL, "Cannot expand template [%s].", file_template);
fail_unless(strcmp(result, expected) == 0,
@@ -690,8 +653,7 @@ START_TEST(test_krb5_style_expansion)
file_template = BASE"/%{unknown}";
expected = BASE"/%{unknown}";
- result = expand_ccname_template(tmp_ctx, kr, file_template, true,
- false, &private_path);
+ result = expand_ccname_template(tmp_ctx, kr, file_template, true, false);
fail_unless(result != NULL, "Cannot expand template [%s].", file_template);
fail_unless(strcmp(result, expected) == 0,
@@ -754,7 +716,7 @@ Suite *krb5_utils_suite (void)
free_talloc_context);
tcase_add_test (tc_ccname_template, test_no_substitution);
tcase_add_test (tc_ccname_template, test_NULL);
- tcase_add_test (tc_ccname_template, test_unknow_template);
+ tcase_add_test (tc_ccname_template, test_unknown_template);
tcase_add_test (tc_ccname_template, test_username);
tcase_add_test (tc_ccname_template, test_case_sensitive);
tcase_add_test (tc_ccname_template, test_uid);
--
1.8.3.1

7
sssd.spec
View File

@ -8,7 +8,7 @@
Name: sssd
Version: 1.11.1
Release: 1%{?dist}
Release: 2%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -17,6 +17,8 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ###
Patch0001: 0001-krb5-Remove-ability-to-create-public-directories.patch
Patch0002: 0002-krb5-Fix-unit-tests.patch
### Dependencies ###
Requires: sssd-common = %{version}-%{release}
@ -704,6 +706,9 @@ fi
%postun -n libsss_idmap -p /sbin/ldconfig
%changelog
* Fri Oct 04 2013 Jakub Hrozek <jhrozek@redhat.com> - 1.11.1-1
- Remove the ability to create public ccachedir (#1015089)
* Fri Sep 27 2013 Jakub Hrozek <jhrozek@redhat.com> - 1.11.1-1
- New upstream release 1.11.1
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1