sssd/0007-krb5_common-add-callback-only-once.patch
Fabiano Fidêncio 68ef824a5f Resolves: upstream#3766 - CVE-2018-10852: information leak from the sssd-sudo responder
And also ...

- Related: upstream#941 - return multiple server addresses to the Kerberos
                          locator plugin
- Related: upstream#3652 - kdcinfo doesn't get populated for other domains
- Resolves: upstream#3747 - sss_ssh_authorizedkeys exits abruptly if SSHD
                            closes its end of the pipe before reading all the
                            SSH keys
- Resolves: upstream#3607 - Handle conflicting e-mail addresses more gracefully
- Resolves: upstream#3754 - SSSD AD uses LDAP filter to detect POSIX attributes
                            stored in AD GC also for regular AD DC queries
- Related: upstream#3219 - [RFE] Regular expression used in sssd.conf not being
                           able to consume an @-sign in the user/group name.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2018-06-25 09:38:16 +02:00


From 54ea4576ba8cb8dfbefdd3ced29fc35f836afc61 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 8 Jun 2018 08:29:04 +0200
Subject: [PATCH] krb5_common: add callback only once
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 4759a482781bcecdb0ad1119e74dcefa1fe94337)
---
src/providers/krb5/krb5_common.c | 12 +++++++++++-
src/providers/krb5/krb5_common.h | 2 ++
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index c6896a6cd663da896075e72aa0a0602c198b45e8..d064a09ac3726c4185c2fa1eeac76ef6c261d33b 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -399,6 +399,7 @@ static int remove_info_files_destructor(void *p)
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "remove_krb5_info_files failed.\n");
}
+ ctx->krb5_service->removal_callback_available = false;
return 0;
}
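Review bot: The new line dereferences `ctx->krb5_service` with no guard, and the destructor is attached to a ctx allocated under `krb5_service->be_ctx` (later in this patch), not under the service itself, so the write only stays valid if the krb5_service is guaranteed to outlive that ctx; the service's allocation parent is not visible here, so that should be confirmed. If a service can be torn down before its be_ctx, this becomes a write through a dangling pointer at teardown. At minimum a NULL guard documents the expectation: `if (ctx->krb5_service != NULL) { ctx->krb5_service->removal_callback_available = false; }`, and if the lifetime is not guaranteed, parenting the ctx on the service (or clearing the back-pointer from a destructor on krb5_service) is the safer shape. remove_info_files_destructor starts above this hunk.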
@@ -407,7 +408,7 @@ static errno_t
krb5_add_krb5info_offline_callback(struct krb5_service *krb5_service)
{
int ret;
- struct remove_info_files_ctx *ctx;
+ struct remove_info_files_ctx *ctx = NULL;
if (krb5_service == NULL || krb5_service->name == NULL
|| krb5_service->realm == NULL
@@ -416,6 +417,13 @@ krb5_add_krb5info_offline_callback(struct krb5_service *krb5_service)
return EINVAL;
}
+ if (krb5_service->removal_callback_available) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Removal callback already available for service [%s].\n",
+ krb5_service->name);
+ return EOK;
+ }
+
ctx = talloc_zero(krb5_service->be_ctx, struct remove_info_files_ctx);
if (ctx == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zfree failed.\n");
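Review bot: The early return makes a second call for the same service succeed without registering anything, which a caller cannot tell from the prototype; the function header should say so. A comment above the declaration in the preceding hunk along the lines of `/* Idempotent per krb5_service: returns EOK without re-registering while the callback from an earlier call is still alive (tracked by removal_callback_available). */` would cover it. Note that the names copied into the first ctx (kdc_service_name, and by the looks of it kpasswd_service_name) are the ones the destructor keeps using; if a service's name could change between calls, the skipped second registration would not pick that up, though nothing here shows whether that can happen.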
@@ -430,6 +438,7 @@ krb5_add_krb5info_offline_callback(struct krb5_service *krb5_service)
}
ctx->be_ctx = krb5_service->be_ctx;
+ ctx->krb5_service = krb5_service;
ctx->kdc_service_name = talloc_strdup(ctx, krb5_service->name);
if (ctx->kdc_service_name == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed!\n");
@@ -445,6 +454,7 @@ krb5_add_krb5info_offline_callback(struct krb5_service *krb5_service)
}
talloc_set_destructor((TALLOC_CTX *) ctx, remove_info_files_destructor);
+ krb5_service->removal_callback_available = true;
ret = EOK;
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index a2e47b0605debdffa28305dab4f7674707f713ac..3529d740b89fee91281f936fdafd1bdb99e95bd7 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -71,6 +71,7 @@ struct krb5_service {
char *name;
char *realm;
bool write_kdcinfo;
+ bool removal_callback_available;
};
struct fo_service;
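Review bot: The new field has no comment, and its meaning ("a remove_info_files_ctx with a destructor currently references this service") is only discoverable by reading krb5_common.c; document it at the declaration, e.g. `/* True while a remove_info_files_ctx with a destructor references this service; set by krb5_add_krb5info_offline_callback, cleared by that ctx's destructor. */`. The flag starts out meaningful only if struct krb5_service is zero-initialised where it is created, which is not visible in this patch and is worth confirming.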
@@ -146,6 +147,7 @@ struct remove_info_files_ctx {
struct be_ctx *be_ctx;
const char *kdc_service_name;
const char *kpasswd_service_name;
+ struct krb5_service *krb5_service;
};
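Review bot: The new back-pointer should be documented as non-owning, since nothing in the struct says who frees it and the destructor in this patch writes through it; suggested comment: `/* Not owned; back-pointer to the service whose removal_callback_available flag the destructor clears. Must outlive this ctx. */`. Stating the lifetime requirement here is what makes the destructor's unguarded dereference reviewable later.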
errno_t sss_krb5_check_options(struct dp_option *opts,
--
2.17.1