fix some issues from Coverity scan

flush sssd caches - patch by Jakub Hrozek
This commit is contained in:
Tomas Mraz 2018-10-12 17:38:01 +02:00
parent 8362f15341
commit d80def3861
3 changed files with 873 additions and 1 deletions

223
shadow-4.6-coverity.patch Normal file
View File

@ -0,0 +1,223 @@
diff -up shadow-4.6/lib/commonio.c.coverity shadow-4.6/lib/commonio.c
--- shadow-4.6/lib/commonio.c.coverity 2018-10-10 09:50:59.307738194 +0200
+++ shadow-4.6/lib/commonio.c 2018-10-10 09:55:32.919319048 +0200
@@ -382,7 +382,7 @@ int commonio_lock_nowait (struct commoni
char* lock = NULL;
size_t lock_file_len;
size_t file_len;
- int err;
+ int err = 0;
if (db->locked) {
return 1;
@@ -391,12 +391,10 @@ int commonio_lock_nowait (struct commoni
lock_file_len = strlen(db->filename) + 6; /* sizeof ".lock" */
file = (char*)malloc(file_len);
if(file == NULL) {
- err = ENOMEM;
goto cleanup_ENOMEM;
}
lock = (char*)malloc(lock_file_len);
if(lock == NULL) {
- err = ENOMEM;
goto cleanup_ENOMEM;
}
snprintf (file, file_len, "%s.%lu",
diff -up shadow-4.6/libmisc/console.c.coverity shadow-4.6/libmisc/console.c
--- shadow-4.6/libmisc/console.c.coverity 2018-04-29 18:42:37.000000000 +0200
+++ shadow-4.6/libmisc/console.c 2018-10-10 11:56:51.368837533 +0200
@@ -50,7 +50,7 @@ static bool is_listed (const char *cfgin
static bool is_listed (const char *cfgin, const char *tty, bool def)
{
FILE *fp;
- char buf[200], *s;
+ char buf[1024], *s;
const char *cons;
/*
@@ -70,7 +70,8 @@ static bool is_listed (const char *cfgin
if (*cons != '/') {
char *pbuf;
- strcpy (buf, cons);
+ strncpy (buf, cons, sizeof (buf));
+ buf[sizeof (buf) - 1] = '\0';
pbuf = &buf[0];
while ((s = strtok (pbuf, ":")) != NULL) {
if (strcmp (s, tty) == 0) {
diff -up shadow-4.6/lib/spawn.c.coverity shadow-4.6/lib/spawn.c
--- shadow-4.6/lib/spawn.c.coverity 2018-04-29 18:42:37.000000001 +0200
+++ shadow-4.6/lib/spawn.c 2018-10-10 11:36:49.035784609 +0200
@@ -69,7 +69,7 @@ int run_command (const char *cmd, const
do {
wpid = waitpid (pid, status, 0);
} while ( ((pid_t)-1 == wpid && errno == EINTR)
- || (wpid != pid));
+ || ((pid_t)-1 != wpid && wpid != pid));
if ((pid_t)-1 == wpid) {
fprintf (stderr, "%s: waitpid (status: %d): %s\n",
diff -up shadow-4.6/src/useradd.c.coverity shadow-4.6/src/useradd.c
--- shadow-4.6/src/useradd.c.coverity 2018-10-10 09:50:59.303738098 +0200
+++ shadow-4.6/src/useradd.c 2018-10-12 13:51:54.480490257 +0200
@@ -314,7 +314,7 @@ static void fail_exit (int code)
static void get_defaults (void)
{
FILE *fp;
- char* default_file = USER_DEFAULTS_FILE;
+ char *default_file = USER_DEFAULTS_FILE;
char buf[1024];
char *cp;
@@ -324,6 +324,8 @@ static void get_defaults (void)
len = strlen(prefix) + strlen(USER_DEFAULTS_FILE) + 2;
default_file = malloc(len);
+ if (default_file == NULL)
+ return;
wlen = snprintf(default_file, len, "%s/%s", prefix, USER_DEFAULTS_FILE);
assert (wlen == (int) len -1);
}
@@ -334,7 +336,7 @@ static void get_defaults (void)
fp = fopen (default_file, "r");
if (NULL == fp) {
- return;
+ goto getdef_err;
}
/*
@@ -445,7 +447,7 @@ static void get_defaults (void)
}
}
(void) fclose (fp);
-
+ getdef_err:
if(prefix[0]) {
free(default_file);
}
@@ -480,8 +482,8 @@ static int set_defaults (void)
FILE *ifp;
FILE *ofp;
char buf[1024];
- char* new_file = NEW_USER_FILE;
- char* default_file = USER_DEFAULTS_FILE;
+ char *new_file = NULL;
+ char *default_file = USER_DEFAULTS_FILE;
char *cp;
int ofd;
int wlen;
@@ -492,17 +494,30 @@ static int set_defaults (void)
bool out_shell = false;
bool out_skel = false;
bool out_create_mail_spool = false;
+ size_t len;
+ int ret = -1;
- if(prefix[0]) {
- size_t len;
- len = strlen(prefix) + strlen(NEW_USER_FILE) + 2;
- new_file = malloc(len);
- wlen = snprintf(new_file, len, "%s/%s", prefix, NEW_USER_FILE);
- assert (wlen == (int) len -1);
+ len = strlen(prefix) + strlen(NEW_USER_FILE) + 2;
+ new_file = malloc(len);
+ if (new_file == NULL) {
+ fprintf (stderr,
+ _("%s: cannot create new defaults file: %s\n"),
+ Prog, strerror(errno));
+ return -1;
+ }
+ wlen = snprintf(new_file, len, "%s%s%s", prefix, prefix[0]?"/":"", NEW_USER_FILE);
+ assert (wlen <= (int) len -1);
+ if(prefix[0]) {
len = strlen(prefix) + strlen(USER_DEFAULTS_FILE) + 2;
default_file = malloc(len);
+ if (default_file == NULL) {
+ fprintf (stderr,
+ _("%s: cannot create new defaults file: %s\n"),
+ Prog, strerror(errno));
+ goto setdef_err;
+ }
wlen = snprintf(default_file, len, "%s/%s", prefix, USER_DEFAULTS_FILE);
assert (wlen == (int) len -1);
}
@@ -515,7 +530,7 @@ static int set_defaults (void)
fprintf (stderr,
_("%s: cannot create new defaults file\n"),
Prog);
- return -1;
+ goto setdef_err;
}
ofp = fdopen (ofd, "w");
@@ -523,7 +538,7 @@ static int set_defaults (void)
fprintf (stderr,
_("%s: cannot open new defaults file\n"),
Prog);
- return -1;
+ goto setdef_err;
}
/*
@@ -550,7 +565,7 @@ static int set_defaults (void)
_("%s: line too long in %s: %s..."),
Prog, default_file, buf);
(void) fclose (ifp);
- return -1;
+ goto setdef_err;
}
}
@@ -614,7 +629,7 @@ static int set_defaults (void)
|| (fsync (fileno (ofp)) != 0)
|| (fclose (ofp) != 0)) {
unlink (new_file);
- return -1;
+ goto setdef_err;
}
/*
@@ -629,7 +644,7 @@ static int set_defaults (void)
_("%s: Cannot create backup file (%s): %s\n"),
Prog, buf, strerror (err));
unlink (new_file);
- return -1;
+ goto setdef_err;
}
/*
@@ -640,11 +655,11 @@ static int set_defaults (void)
fprintf (stderr,
_("%s: rename: %s: %s\n"),
Prog, new_file, strerror (err));
- return -1;
+ goto setdef_err;
}
#ifdef WITH_AUDIT
audit_logger (AUDIT_USYS_CONFIG, Prog,
- "changing-useradd-defaults",
+ "changing useradd defaults",
NULL, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS);
#endif
@@ -654,13 +669,14 @@ static int set_defaults (void)
(unsigned int) def_group, def_home, def_shell,
def_inactive, def_expire, def_template,
def_create_mail_spool));
-
+ ret = 0;
+ setdef_err:
+ free(new_file);
if(prefix[0]) {
- free(new_file);
free(default_file);
}
- return 0;
+ return ret;
}
/*

641
shadow-4.6-sssd-flush.patch Normal file
View File

@ -0,0 +1,641 @@
From 4aaf05d72e9d6daf348cefb8a6ad35d2966cbe9b Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jakub.hrozek@posteo.se>
Date: Wed, 12 Sep 2018 14:22:11 +0200
Subject: [PATCH] Flush sssd caches in addition to nscd caches
Some distributions, notably Fedora, have the following order of nsswitch
modules by default:
passwd: sss files
group: sss files
The advantage of serving local users through SSSD is that the nss_sss
module has a fast mmapped-cache that speeds up NSS lookups compared to
accessing the disk an opening the files on each NSS request.
Traditionally, this has been done with the help of nscd, but using nscd
in parallel with sssd is cumbersome, as both SSSD and nscd use their own
independent caching, so using nscd in setups where sssd is also serving
users from some remote domain (LDAP, AD, ...) can result in a bit of
unpredictability.
More details about why Fedora chose to use sss before files can be found
on e.g.:
https://fedoraproject.org//wiki/Changes/SSSDCacheForLocalUsers
or:
https://docs.pagure.org/SSSD.sssd/design_pages/files_provider.html
Now, even though sssd watches the passwd and group files with the help
of inotify, there can still be a small window where someone requests a
user or a group, finds that it doesn't exist, adds the entry and checks
again. Without some support in shadow-utils that would explicitly drop
the sssd caches, the inotify watch can fire a little late, so a
combination of commands like this:
getent passwd user || useradd user; getent passwd user
can result in the second getent passwd not finding the newly added user
as the racy behaviour might still return the cached negative hit from
the first getent passwd.
This patch more or less copies the already existing support that
shadow-utils had for dropping nscd caches, except using the "sss_cache"
tool that sssd ships.
---
configure.ac | 10 +++++++
lib/Makefile.am | 2 ++
lib/commonio.c | 2 ++
lib/sssd.c | 75 +++++++++++++++++++++++++++++++++++++++++++++++++
lib/sssd.h | 17 +++++++++++
src/chfn.c | 2 ++
src/chgpasswd.c | 2 ++
src/chpasswd.c | 2 ++
src/chsh.c | 2 ++
src/gpasswd.c | 2 ++
src/groupadd.c | 2 ++
src/groupdel.c | 2 ++
src/groupmod.c | 2 ++
src/grpck.c | 2 ++
src/grpconv.c | 2 ++
src/grpunconv.c | 2 ++
src/newusers.c | 2 ++
src/passwd.c | 2 ++
src/pwck.c | 2 ++
src/pwconv.c | 2 ++
src/pwunconv.c | 2 ++
src/useradd.c | 2 ++
src/userdel.c | 2 ++
src/usermod.c | 2 ++
src/vipw.c | 2 ++
25 files changed, 146 insertions(+)
create mode 100644 lib/sssd.c
create mode 100644 lib/sssd.h
diff --git a/configure.ac b/configure.ac
index 41068a5d..10ad70cf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -280,6 +280,9 @@ AC_ARG_WITH(sha-crypt,
AC_ARG_WITH(nscd,
[AC_HELP_STRING([--with-nscd], [enable support for nscd @<:@default=yes@:>@])],
[with_nscd=$withval], [with_nscd=yes])
+AC_ARG_WITH(sssd,
+ [AC_HELP_STRING([--with-sssd], [enable support for flushing sssd caches @<:@default=yes@:>@])],
+ [with_sssd=$withval], [with_sssd=yes])
AC_ARG_WITH(group-name-max-length,
[AC_HELP_STRING([--with-group-name-max-length], [set max group name length @<:@default=16@:>@])],
[with_group_name_max_length=$withval], [with_group_name_max_length=yes])
@@ -304,6 +307,12 @@ if test "$with_nscd" = "yes"; then
[AC_MSG_ERROR([posix_spawn is needed for nscd support])])
fi
+if test "$with_sssd" = "yes"; then
+ AC_CHECK_FUNC(posix_spawn,
+ [AC_DEFINE(USE_SSSD, 1, [Define to support flushing of sssd caches])],
+ [AC_MSG_ERROR([posix_spawn is needed for sssd support])])
+fi
+
dnl Check for some functions in libc first, only if not found check for
dnl other libraries. This should prevent linking libnsl if not really
dnl needed (Linux glibc, Irix), but still link it if needed (Solaris).
@@ -679,5 +688,6 @@ echo " shadow group support: $enable_shadowgrp"
echo " S/Key support: $with_skey"
echo " SHA passwords encryption: $with_sha_crypt"
echo " nscd support: $with_nscd"
+echo " sssd support: $with_sssd"
echo " subordinate IDs support: $enable_subids"
echo
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 6db86cd6..fd634542 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -30,6 +30,8 @@ libshadow_la_SOURCES = \
lockpw.c \
nscd.c \
nscd.h \
+ sssd.c \
+ sssd.h \
pam_defs.h \
port.c \
port.h \
diff --git a/lib/commonio.c b/lib/commonio.c
index d06b8e7d..96f2d5f7 100644
--- a/lib/commonio.c
+++ b/lib/commonio.c
@@ -45,6 +45,7 @@
#include <stdio.h>
#include <signal.h>
#include "nscd.h"
+#include "sssd.h"
#ifdef WITH_TCB
#include <tcb.h>
#endif /* WITH_TCB */
@@ -485,6 +486,7 @@ static void dec_lock_count (void)
if (nscd_need_reload) {
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
nscd_need_reload = false;
}
#ifdef HAVE_LCKPWDF
diff --git a/lib/sssd.c b/lib/sssd.c
new file mode 100644
index 00000000..80e49e55
--- /dev/null
+++ b/lib/sssd.c
@@ -0,0 +1,75 @@
+/* Author: Peter Vrabec <pvrabec@redhat.com> */
+
+#include <config.h>
+#ifdef USE_SSSD
+
+#include <stdio.h>
+#include <sys/wait.h>
+#include <sys/types.h>
+#include "exitcodes.h"
+#include "defines.h"
+#include "prototypes.h"
+#include "sssd.h"
+
+#define MSG_SSSD_FLUSH_CACHE_FAILED "%s: Failed to flush the sssd cache.\n"
+
+int sssd_flush_cache (int dbflags)
+{
+ int status, code, rv;
+ const char *cmd = "/usr/sbin/sss_cache";
+ char *sss_cache_args = NULL;
+ const char *spawnedArgs[] = {"sss_cache", NULL, NULL};
+ const char *spawnedEnv[] = {NULL};
+ int i = 0;
+
+ sss_cache_args = malloc(4);
+ if (sss_cache_args == NULL) {
+ return -1;
+ }
+
+ sss_cache_args[i++] = '-';
+ if (dbflags & SSSD_DB_PASSWD) {
+ sss_cache_args[i++] = 'U';
+ }
+ if (dbflags & SSSD_DB_GROUP) {
+ sss_cache_args[i++] = 'G';
+ }
+ sss_cache_args[i++] = '\0';
+ if (i == 2) {
+ /* Neither passwd nor group, nothing to do */
+ free(sss_cache_args);
+ return 0;
+ }
+ spawnedArgs[1] = sss_cache_args;
+
+ rv = run_command (cmd, spawnedArgs, spawnedEnv, &status);
+ free(sss_cache_args);
+ if (rv != 0) {
+ /* run_command writes its own more detailed message. */
+ (void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
+ return -1;
+ }
+
+ code = WEXITSTATUS (status);
+ if (!WIFEXITED (status)) {
+ (void) fprintf (stderr,
+ _("%s: sss_cache did not terminate normally (signal %d)\n"),
+ Prog, WTERMSIG (status));
+ return -1;
+ } else if (code == E_CMD_NOTFOUND) {
+ /* sss_cache is not installed, or it is installed but uses an
+ interpreter that is missing. Probably the former. */
+ return 0;
+ } else if (code != 0) {
+ (void) fprintf (stderr, _("%s: sss_cache exited with status %d\n"),
+ Prog, code);
+ (void) fprintf (stderr, _(MSG_SSSD_FLUSH_CACHE_FAILED), Prog);
+ return -1;
+ }
+
+ return 0;
+}
+#else /* USE_SSSD */
+extern int errno; /* warning: ANSI C forbids an empty source file */
+#endif /* USE_SSSD */
+
diff --git a/lib/sssd.h b/lib/sssd.h
new file mode 100644
index 00000000..00ff2a8a
--- /dev/null
+++ b/lib/sssd.h
@@ -0,0 +1,17 @@
+#ifndef _SSSD_H_
+#define _SSSD_H_
+
+#define SSSD_DB_PASSWD 0x001
+#define SSSD_DB_GROUP 0x002
+
+/*
+ * sssd_flush_cache - flush specified service buffer in sssd cache
+ */
+#ifdef USE_SSSD
+extern int sssd_flush_cache (int dbflags);
+#else
+#define sssd_flush_cache(service) (0)
+#endif
+
+#endif
+
diff --git a/src/chfn.c b/src/chfn.c
index 18aa3de7..0725e1c7 100644
--- a/src/chfn.c
+++ b/src/chfn.c
@@ -47,6 +47,7 @@
#include "defines.h"
#include "getdef.h"
#include "nscd.h"
+#include "sssd.h"
#ifdef USE_PAM
#include "pam_defs.h"
#endif
@@ -746,6 +747,7 @@ int main (int argc, char **argv)
SYSLOG ((LOG_INFO, "changed user '%s' information", user));
nscd_flush_cache ("passwd");
+ sssd_flush_cache (SSSD_DB_PASSWD);
closelog ();
exit (E_SUCCESS);
diff --git a/src/chgpasswd.c b/src/chgpasswd.c
index 13203a46..e5f2eb7e 100644
--- a/src/chgpasswd.c
+++ b/src/chgpasswd.c
@@ -46,6 +46,7 @@
#endif /* ACCT_TOOLS_SETUID */
#include "defines.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "groupio.h"
#ifdef SHADOWGRP
@@ -581,6 +582,7 @@ int main (int argc, char **argv)
close_files ();
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
return (0);
}
diff --git a/src/chpasswd.c b/src/chpasswd.c
index 918b27ee..49e79cdb 100644
--- a/src/chpasswd.c
+++ b/src/chpasswd.c
@@ -44,6 +44,7 @@
#endif /* USE_PAM */
#include "defines.h"
#include "nscd.h"
+#include "sssd.h"
#include "getdef.h"
#include "prototypes.h"
#include "pwio.h"
@@ -624,6 +625,7 @@ int main (int argc, char **argv)
}
nscd_flush_cache ("passwd");
+ sssd_flush_cache (SSSD_DB_PASSWD);
return (0);
}
diff --git a/src/chsh.c b/src/chsh.c
index c89708b9..910e3dd4 100644
--- a/src/chsh.c
+++ b/src/chsh.c
@@ -46,6 +46,7 @@
#include "defines.h"
#include "getdef.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "pwauth.h"
#include "pwio.h"
@@ -557,6 +558,7 @@ int main (int argc, char **argv)
SYSLOG ((LOG_INFO, "changed user '%s' shell to '%s'", user, loginsh));
nscd_flush_cache ("passwd");
+ sssd_flush_cache (SSSD_DB_PASSWD);
closelog ();
exit (E_SUCCESS);
diff --git a/src/gpasswd.c b/src/gpasswd.c
index c4a492b1..4d75af96 100644
--- a/src/gpasswd.c
+++ b/src/gpasswd.c
@@ -45,6 +45,7 @@
#include "defines.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#ifdef SHADOWGRP
#include "sgroupio.h"
@@ -1201,6 +1202,7 @@ int main (int argc, char **argv)
close_files ();
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
exit (E_SUCCESS);
}
diff --git a/src/groupadd.c b/src/groupadd.c
index b57006c5..2dd8eec9 100644
--- a/src/groupadd.c
+++ b/src/groupadd.c
@@ -51,6 +51,7 @@
#include "getdef.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#ifdef SHADOWGRP
#include "sgroupio.h"
@@ -625,6 +626,7 @@ int main (int argc, char **argv)
close_files ();
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
return E_SUCCESS;
}
diff --git a/src/groupdel.c b/src/groupdel.c
index 70bed010..f941a84a 100644
--- a/src/groupdel.c
+++ b/src/groupdel.c
@@ -49,6 +49,7 @@
#include "defines.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#ifdef SHADOWGRP
#include "sgroupio.h"
@@ -492,6 +493,7 @@ int main (int argc, char **argv)
close_files ();
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
return E_SUCCESS;
}
diff --git a/src/groupmod.c b/src/groupmod.c
index b293b98f..1dca5fc9 100644
--- a/src/groupmod.c
+++ b/src/groupmod.c
@@ -51,6 +51,7 @@
#include "groupio.h"
#include "pwio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#ifdef SHADOWGRP
#include "sgroupio.h"
@@ -877,6 +878,7 @@ int main (int argc, char **argv)
close_files ();
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
return E_SUCCESS;
}
diff --git a/src/grpck.c b/src/grpck.c
index ea5d3b39..6140b10d 100644
--- a/src/grpck.c
+++ b/src/grpck.c
@@ -45,6 +45,7 @@
#include "defines.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#ifdef SHADOWGRP
@@ -870,6 +871,7 @@ int main (int argc, char **argv)
close_files (changed);
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
/*
* Tell the user what we did and exit.
diff --git a/src/grpconv.c b/src/grpconv.c
index f95f4960..5e5eaaca 100644
--- a/src/grpconv.c
+++ b/src/grpconv.c
@@ -48,6 +48,7 @@
#include <unistd.h>
#include <getopt.h>
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
/*@-exitarg@*/
#include "exitcodes.h"
@@ -273,6 +274,7 @@ int main (int argc, char **argv)
}
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
return 0;
}
diff --git a/src/grpunconv.c b/src/grpunconv.c
index 253f06f5..e4105c26 100644
--- a/src/grpunconv.c
+++ b/src/grpunconv.c
@@ -48,6 +48,7 @@
#include <grp.h>
#include <getopt.h>
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
/*@-exitarg@*/
#include "exitcodes.h"
@@ -236,6 +237,7 @@ int main (int argc, char **argv)
}
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_GROUP);
return 0;
}
diff --git a/src/newusers.c b/src/newusers.c
index 8e4bef97..7c3bb1c2 100644
--- a/src/newusers.c
+++ b/src/newusers.c
@@ -62,6 +62,7 @@
#include "getdef.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "pwio.h"
#include "sgroupio.h"
#include "shadowio.h"
@@ -1233,6 +1234,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
#ifdef USE_PAM
unsigned int i;
diff --git a/src/passwd.c b/src/passwd.c
index 3af3e651..5bea2765 100644
--- a/src/passwd.c
+++ b/src/passwd.c
@@ -51,6 +51,7 @@
#include "defines.h"
#include "getdef.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "pwauth.h"
#include "pwio.h"
@@ -1150,6 +1151,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
SYSLOG ((LOG_INFO, "password for '%s' changed by '%s'", name, myname));
closelog ();
diff --git a/src/pwck.c b/src/pwck.c
index 05df68ec..0ffb711e 100644
--- a/src/pwck.c
+++ b/src/pwck.c
@@ -48,6 +48,7 @@
#include "shadowio.h"
#include "getdef.h"
#include "nscd.h"
+#include "sssd.h"
#ifdef WITH_TCB
#include "tcbfuncs.h"
#endif /* WITH_TCB */
@@ -877,6 +878,7 @@ int main (int argc, char **argv)
close_files (changed);
nscd_flush_cache ("passwd");
+ sssd_flush_cache (SSSD_DB_PASSWD);
/*
* Tell the user what we did and exit.
diff --git a/src/pwconv.c b/src/pwconv.c
index d6ee31a8..9c69fa13 100644
--- a/src/pwconv.c
+++ b/src/pwconv.c
@@ -72,6 +72,7 @@
#include "pwio.h"
#include "shadowio.h"
#include "nscd.h"
+#include "sssd.h"
/*
* exit status values
@@ -328,6 +329,7 @@ int main (int argc, char **argv)
}
nscd_flush_cache ("passwd");
+ sssd_flush_cache (SSSD_DB_PASSWD);
return E_SUCCESS;
}
diff --git a/src/pwunconv.c b/src/pwunconv.c
index fabf0237..e11ea494 100644
--- a/src/pwunconv.c
+++ b/src/pwunconv.c
@@ -42,6 +42,7 @@
#include <getopt.h>
#include "defines.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "pwio.h"
#include "shadowio.h"
@@ -250,6 +251,7 @@ int main (int argc, char **argv)
}
nscd_flush_cache ("passwd");
+ sssd_flush_cache (SSSD_DB_PASSWD);
return 0;
}
diff --git a/src/useradd.c b/src/useradd.c
index ca90f076..b0c2224d 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -60,6 +60,7 @@
#include "getdef.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "pwauth.h"
#include "pwio.h"
@@ -2425,6 +2426,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
/*
* tallylog_reset needs to be able to lookup
diff --git a/src/userdel.c b/src/userdel.c
index c8de1d31..0715e4fe 100644
--- a/src/userdel.c
+++ b/src/userdel.c
@@ -53,6 +53,7 @@
#include "getdef.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "pwauth.h"
#include "pwio.h"
@@ -1328,6 +1329,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
return ((0 != errors) ? E_HOMEDIR : E_SUCCESS);
}
diff --git a/src/usermod.c b/src/usermod.c
index 7355ad31..fd9a98a6 100644
--- a/src/usermod.c
+++ b/src/usermod.c
@@ -57,6 +57,7 @@
#include "getdef.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "pwauth.h"
#include "pwio.h"
@@ -2255,6 +2256,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
#ifdef WITH_SELINUX
if (Zflg) {
diff --git a/src/vipw.c b/src/vipw.c
index 6d730f65..2cfac6b4 100644
--- a/src/vipw.c
+++ b/src/vipw.c
@@ -42,6 +42,7 @@
#include "defines.h"
#include "groupio.h"
#include "nscd.h"
+#include "sssd.h"
#include "prototypes.h"
#include "pwio.h"
#include "sgroupio.h"
@@ -556,6 +557,7 @@ int main (int argc, char **argv)
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
return E_SUCCESS;
}

View File

@ -1,7 +1,7 @@
Summary: Utilities for managing accounts and shadow password files
Name: shadow-utils
Version: 4.6
Release: 2%{?dist}
Release: 3%{?dist}
Epoch: 2
URL: http://pkg-shadow.alioth.debian.org/
Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
@ -30,6 +30,8 @@ Patch31: shadow-4.6-getenforce.patch
Patch32: shadow-4.5-crypt_h.patch
Patch33: shadow-4.5-long-entry.patch
Patch34: shadow-4.6-usermod-crash.patch
Patch35: shadow-4.6-coverity.patch
Patch36: shadow-4.6-sssd-flush.patch
License: BSD and GPLv2+
Group: System Environment/Base
@ -81,6 +83,8 @@ are used for managing group accounts.
%patch32 -p1 -b .crypt_h
%patch33 -p1 -b .long-entry
%patch34 -p1 -b .usermod-crash
%patch35 -p1 -b .coverity
%patch36 -p1 -b .sssd-flush
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
cp -f doc/HOWTO.utf8 doc/HOWTO
@ -232,6 +236,10 @@ done
%{_mandir}/man8/vigr.8*
%changelog
* Wed Oct 10 2018 Tomáš Mráz <tmraz@redhat.com> - 2:4.6-3
- fix some issues from Coverity scan
- flush sssd caches - patch by Jakub Hrozek
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild