1dedfbb334
Resolves: upstream#3588 - sssd_nss consumes more memory until restarted
or machine swaps
Resolves: failure in glibc tests
https://sourceware.org/bugzilla/show_bug.cgi?id=22530
Resolves: upstream#3451 - When sssd is configured with id_provider proxy and
auth_provider ldap, login fails if the LDAP server
is not allowing anonymous binds
Resolves: upstream#3285 - SSSD needs restart after incorrect clock is
corrected with AD
Resolves: upstream#3586 - Give a more detailed debug and system-log message
if krb5_init_context() failed
Resolves: rhbz#1431153 - SSSD ships a drop-in configuration snippet
in /etc/systemd/system
Backport few upstream features from 1.16.1
200 lines
6.2 KiB
Diff
200 lines
6.2 KiB
Diff
From a5bf38afa217b8e22fe221977959f78a44f15843 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
Date: Thu, 2 Nov 2017 15:00:17 +0100
|
|
Subject: [PATCH 61/79] sssctl: call dbus instead of pam to refresh HBAC rules
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Related:
|
|
https://pagure.io/SSSD/sssd/issue/2840
|
|
|
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
---
|
|
src/tools/sssctl/sssctl_access_report.c | 127 +++++++++++++++-----------------
|
|
1 file changed, 58 insertions(+), 69 deletions(-)
|
|
|
|
diff --git a/src/tools/sssctl/sssctl_access_report.c b/src/tools/sssctl/sssctl_access_report.c
|
|
index 11172329817b4dedaca480ab8a4537149853c330..8cf1a8a871b27827c317d658c0f93f34773c4841 100644
|
|
--- a/src/tools/sssctl/sssctl_access_report.c
|
|
+++ b/src/tools/sssctl/sssctl_access_report.c
|
|
@@ -15,11 +15,11 @@
|
|
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
-#include <security/pam_appl.h>
|
|
-
|
|
#include "util/util.h"
|
|
#include "tools/common/sss_tools.h"
|
|
#include "tools/sssctl/sssctl.h"
|
|
+#include "sbus/sssd_dbus.h"
|
|
+#include "responder/ifp/ifp_iface.h"
|
|
|
|
/*
|
|
* We're searching the cache directly..
|
|
@@ -27,58 +27,9 @@
|
|
#include "providers/ipa/ipa_hbac_private.h"
|
|
#include "providers/ipa/ipa_rules_common.h"
|
|
|
|
-#ifdef HAVE_SECURITY_PAM_MISC_H
|
|
-# include <security/pam_misc.h>
|
|
-#elif defined(HAVE_SECURITY_OPENPAM_H)
|
|
-# include <security/openpam.h>
|
|
-#endif
|
|
-
|
|
-#ifdef HAVE_SECURITY_PAM_MISC_H
|
|
-static struct pam_conv conv = {
|
|
- misc_conv,
|
|
- NULL
|
|
-};
|
|
-#elif defined(HAVE_SECURITY_OPENPAM_H)
|
|
-static struct pam_conv conv = {
|
|
- openpam_ttyconv,
|
|
- NULL
|
|
-};
|
|
-#else
|
|
-# error "Missing text based pam conversation function"
|
|
-#endif
|
|
-
|
|
-#ifndef DEFAULT_SERVICE
|
|
-#define DEFAULT_SERVICE "system-auth"
|
|
-#endif /* DEFAULT_SERVICE */
|
|
-
|
|
-#ifndef DEFAULT_USER
|
|
-#define DEFAULT_USER "admin"
|
|
-#endif /* DEFAULT_USER */
|
|
-
|
|
typedef errno_t (*sssctl_dom_access_reporter_fn)(struct sss_tool_ctx *tool_ctx,
|
|
- const char *user,
|
|
- const char *service,
|
|
struct sss_domain_info *domain);
|
|
|
|
-static errno_t run_pam_acct(struct sss_tool_ctx *tool_ctx,
|
|
- const char *user,
|
|
- const char *service,
|
|
- struct sss_domain_info *domain)
|
|
-{
|
|
- errno_t ret;
|
|
- pam_handle_t *pamh;
|
|
-
|
|
- ret = pam_start(service, user, &conv, &pamh);
|
|
- if (ret != PAM_SUCCESS) {
|
|
- ERROR("pam_start failed: %s\n", pam_strerror(pamh, ret));
|
|
- return EIO;
|
|
- }
|
|
-
|
|
- ret = pam_acct_mgmt(pamh, 0);
|
|
- pam_end(pamh, ret);
|
|
- return ret;
|
|
-}
|
|
-
|
|
static errno_t get_rdn_value(TALLOC_CTX *mem_ctx,
|
|
struct sss_domain_info *dom,
|
|
const char *dn_attr,
|
|
@@ -315,9 +266,58 @@ static void print_ipa_hbac_rule(struct sss_domain_info *domain,
|
|
PRINT("\n");
|
|
}
|
|
|
|
+static errno_t refresh_hbac_rules(struct sss_tool_ctx *tool_ctx,
|
|
+ struct sss_domain_info *domain)
|
|
+{
|
|
+ TALLOC_CTX *tmp_ctx;
|
|
+ sss_sifp_error error;
|
|
+ sss_sifp_ctx *sifp;
|
|
+ DBusMessage *reply;
|
|
+ const char *path;
|
|
+ errno_t ret;
|
|
+
|
|
+ tmp_ctx = talloc_new(NULL);
|
|
+ if (tmp_ctx == NULL) {
|
|
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
|
|
+ return ENOMEM;
|
|
+ }
|
|
+
|
|
+ path = sbus_opath_compose(tmp_ctx, IFP_PATH_DOMAINS, domain->name);
|
|
+ if (path == NULL) {
|
|
+ printf(_("Out of memory!\n"));
|
|
+ ret = ENOMEM;
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ error = sssctl_sifp_init(tool_ctx, &sifp);
|
|
+ if (error != SSS_SIFP_OK) {
|
|
+ sssctl_sifp_error(sifp, error, "Unable to connect to the InfoPipe");
|
|
+ ret = EIO;
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ error = sssctl_sifp_send(tmp_ctx, sifp, &reply, path,
|
|
+ IFACE_IFP_DOMAINS_DOMAIN,
|
|
+ IFACE_IFP_DOMAINS_DOMAIN_REFRESHACCESSRULES);
|
|
+ if (error != SSS_SIFP_OK) {
|
|
+ sssctl_sifp_error(sifp, error, "Unable to refresh HBAC rules");
|
|
+ ret = EIO;
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ ret = sbus_parse_reply(reply);
|
|
+ if (ret != EOK) {
|
|
+ goto done;
|
|
+ }
|
|
+
|
|
+ ret = EOK;
|
|
+
|
|
+done:
|
|
+ talloc_free(tmp_ctx);
|
|
+ return ret;
|
|
+}
|
|
+
|
|
static errno_t sssctl_ipa_access_report(struct sss_tool_ctx *tool_ctx,
|
|
- const char *user,
|
|
- const char *service,
|
|
struct sss_domain_info *domain)
|
|
{
|
|
TALLOC_CTX *tmp_ctx = NULL;
|
|
@@ -338,9 +338,9 @@ static errno_t sssctl_ipa_access_report(struct sss_tool_ctx *tool_ctx,
|
|
struct ldb_message **msgs = NULL;
|
|
|
|
/* Run the pam account phase to make sure the rules are fetched by SSSD */
|
|
- ret = run_pam_acct(tool_ctx, user, service, domain);
|
|
- if (ret != PAM_SUCCESS && ret != PAM_PERM_DENIED) {
|
|
- ERROR("Cannot run the PAM account phase, reporting stale rules\n");
|
|
+ ret = refresh_hbac_rules(tool_ctx, domain);
|
|
+ if (ret != EOK) {
|
|
+ ERROR("Unable to refresh HBAC rules, using cached content\n");
|
|
/* Non-fatal */
|
|
}
|
|
|
|
@@ -398,19 +398,8 @@ errno_t sssctl_access_report(struct sss_cmdline *cmdline,
|
|
const char *domname = NULL;
|
|
sssctl_dom_access_reporter_fn reporter;
|
|
struct sss_domain_info *dom;
|
|
- const char *user = DEFAULT_USER;
|
|
- const char *service = DEFAULT_SERVICE;
|
|
|
|
- /* Parse command line. */
|
|
- struct poptOption options[] = {
|
|
- { "user", 'u', POPT_ARG_STRING, &user, 0,
|
|
- _("PAM user, default: " DEFAULT_USER), NULL },
|
|
- { "service", 's', POPT_ARG_STRING, &service, 0,
|
|
- _("PAM service, default: " DEFAULT_SERVICE), NULL },
|
|
- POPT_TABLEEND
|
|
- };
|
|
-
|
|
- ret = sss_tool_popt_ex(cmdline, options, SSS_TOOL_OPT_OPTIONAL,
|
|
+ ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL,
|
|
NULL, NULL, "DOMAIN", _("Specify domain name."),
|
|
&domname, NULL);
|
|
if (ret != EOK) {
|
|
@@ -431,5 +420,5 @@ errno_t sssctl_access_report(struct sss_cmdline *cmdline,
|
|
return ret;
|
|
}
|
|
|
|
- return reporter(tool_ctx, user, service, dom);
|
|
+ return reporter(tool_ctx, dom);
|
|
}
|
|
--
|
|
2.15.1
|
|
|