Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile with no specific host/hostgroup set

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2018-02-14 22:14:28 +01:00 · 2018-02-14 22:14:28 +01:00 · 199a72e62a
commit 199a72e62a
parent 11c6ee78b8
2 changed files with 160 additions and 1 deletions
--- a/0082-DESKPROFILE-Add-checks-for-user-and-host-category.patch
+++ b/0082-DESKPROFILE-Add-checks-for-user-and-host-category.patch
@ -0,0 +1,154 @@
 From b72e444bc1cd2fe8d9617f09b446c678d4684fff Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
 Date: Mon, 22 Jan 2018 00:02:43 +0100
 Subject: [PATCH] DESKPROFILE: Add checks for user and host category
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 freeipa-deskprofile-plugin can have both user and host category set as
 "all" and when it happens, no users and groups or hosts or hostgroups
 are going to be set.
 Let's treat this expected (but so far missed) situation on SSSD side.
 Resolves:
 https://pagure.io/SSSD/sssd/issue/3449
 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
 ---
 src/providers/ipa/ipa_deskprofile_rules_util.c | 100 ++++++++++++++++++++-----
 1 file changed, 82 insertions(+), 18 deletions(-)
 diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c
 index 53c433145..01b7d0527 100644
 --- a/src/providers/ipa/ipa_deskprofile_rules_util.c
 +++ b/src/providers/ipa/ipa_deskprofile_rules_util.c
@@ -684,6 +684,8 @@ ipa_deskprofile_rules_save_rule_to_disk(
     TALLOC_CTX *tmp_ctx;
     const char *rule_name;
     const char *data;
 +    const char *hostcat;
 +    const char *usercat;
     char *shortname;
     char *domainname;
     char *base_dn;
@@ -722,6 +724,28 @@ ipa_deskprofile_rules_save_rule_to_disk(
         goto done;
     }
 +    ret = sysdb_attrs_get_string(rule, IPA_HOST_CATEGORY, &hostcat);
 +    if (ret == ENOENT) {
 +        hostcat = NULL;
 +    } else if (ret != EOK) {
 +        DEBUG(SSSDBG_TRACE_FUNC,
 +              "Failed to get the Desktop Profile Rule host category for rule "
 +              "\"%s\" [%d]: %s\n",
 +              rule_name, ret, sss_strerror(ret));
 +        goto done;
 +    }
 +
 +    ret = sysdb_attrs_get_string(rule, IPA_USER_CATEGORY, &usercat);
 +    if (ret == ENOENT) {
 +        usercat = NULL;
 +    } else if (ret != EOK) {
 +        DEBUG(SSSDBG_TRACE_FUNC,
 +              "Failed to get the Desktop Profile Rule user category for rule "
 +              "\"%s\" [%d]: %s\n",
 +              rule_name, ret, sss_strerror(ret));
 +        goto done;
 +    }
 +
     rule_prio = talloc_asprintf(tmp_ctx, "%06d", prio);
     if (rule_prio == NULL) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Failed to allocate rule priority\n");
@@ -753,26 +777,66 @@ ipa_deskprofile_rules_save_rule_to_disk(
         goto done;
     }
 -    ret = ipa_deskprofile_rule_check_memberuser(tmp_ctx, domain, rule,
 -                                                rule_name, rule_prio,
 -                                                base_dn, username,
 -                                                &user_prio, &group_prio);
 -    if (ret != EOK) {
 -        DEBUG(SSSDBG_CRIT_FAILURE,
 -              "ipa_deskprofile_rule_check_memberuser() failed [%d]: %s\n",
 -              ret, sss_strerror(ret));
 -        goto done;
 +    if (usercat != NULL && strcasecmp(usercat, "all") == 0) {
 +        user_prio = talloc_strdup(tmp_ctx, rule_prio);
 +        if (user_prio == NULL) {
 +            DEBUG(SSSDBG_CRIT_FAILURE,
 +                  "Failed to allocate the user priority "
 +                  "when user category is \"all\"\n");
 +            ret = ENOMEM;
 +            goto done;
 +        }
 +
 +        group_prio = talloc_strdup(tmp_ctx, rule_prio);
 +        if (group_prio == NULL) {
 +            DEBUG(SSSDBG_CRIT_FAILURE,
 +                  "Failed to allocate the group priority "
 +                  "when user category is \"all\"\n");
 +            ret = ENOMEM;
 +            goto done;
 +        }
 +    } else {
 +        ret = ipa_deskprofile_rule_check_memberuser(tmp_ctx, domain, rule,
 +                                                    rule_name, rule_prio,
 +                                                    base_dn, username,
 +                                                    &user_prio, &group_prio);
 +        if (ret != EOK) {
 +            DEBUG(SSSDBG_CRIT_FAILURE,
 +                  "ipa_deskprofile_rule_check_memberuser() failed [%d]: %s\n",
 +                  ret, sss_strerror(ret));
 +            goto done;
 +        }
     }
 -    ret = ipa_deskprofile_rule_check_memberhost(tmp_ctx, domain, rule,
 -                                                rule_name, rule_prio,
 -                                                base_dn, hostname,
 -                                                &host_prio, &hostgroup_prio);
 -    if (ret != EOK) {
 -        DEBUG(SSSDBG_CRIT_FAILURE,
 -              "ipa_deskprofile_rule_check_memberhost() failed [%d]: %s\n",
 -              ret, sss_strerror(ret));
 -        goto done;
 +    if (hostcat != NULL && strcasecmp(hostcat, "all") == 0) {
 +        host_prio = talloc_strdup(tmp_ctx, rule_prio);
 +        if (host_prio == NULL) {
 +            DEBUG(SSSDBG_CRIT_FAILURE,
 +                  "Failed to allocate the host priority "
 +                  "when host category is \"all\"\n");
 +            ret = ENOMEM;
 +            goto done;
 +        }
 +
 +        hostgroup_prio = talloc_strdup(tmp_ctx, rule_prio);
 +        if (hostgroup_prio == NULL) {
 +            DEBUG(SSSDBG_CRIT_FAILURE,
 +                  "Failed to allocate the hostgroup priority "
 +                  "when host category is \"all\"\n");
 +            ret = ENOMEM;
 +            goto done;
 +        }
 +    } else {
 +        ret = ipa_deskprofile_rule_check_memberhost(tmp_ctx, domain, rule,
 +                                                    rule_name, rule_prio,
 +                                                    base_dn, hostname,
 +                                                    &host_prio, &hostgroup_prio);
 +        if (ret != EOK) {
 +            DEBUG(SSSDBG_CRIT_FAILURE,
 +                  "ipa_deskprofile_rule_check_memberhost() failed [%d]: %s\n",
 +                  ret, sss_strerror(ret));
 +            goto done;
 +        }
     }
     ret = ipa_deskprofile_get_normalized_rule_name(mem_ctx, rule_name,
 -- 
 2.14.3
--- a/sssd.spec
+++ b/sssd.spec
@ -34,7 +34,7 @@
 Name: sssd
 Version: 1.16.0
-Release: 11%{?dist}
+Release: 12%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@ -122,6 +122,7 @@ Patch0078: 0078-confdb-Do-not-start-implicit_files-with-proxy-domain.patch
 Patch0079: 0079-test_files_provider-Regression-test-for-implicit_fil.patch
 Patch0080: 0080-BUILD-Add-missing-libs-found-by-Wl-z-defs.patch
 Patch0081: 0081-SELINUX-Check-if-SELinux-is-managed-in-selinux_child.patch
 Patch0082: 0082-DESKPROFILE-Add-checks-for-user-and-host-category.patch
 Patch0502: 0502-SYSTEMD-Use-capabilities.patch
 Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
@ -1324,6 +1325,10 @@ fi
                                %{_libdir}/%{name}/modules/libwbclient.so
 %changelog
 * Wed Feb 14 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.0-12
 - Resolves: rhbz#1538643 - SSSD crashes when retrieving a Desktop Profile
                           with no specific host/hostgroup set
 * Wed Feb 07 2018 Lukas Slebodnik <lslebodn@fedoraproject.org> - 1.16.0-11
 - Resolves: upstream#3618 - selinux_child segfaults in a docker container