import sssd-2.6.2-3.el8

This commit is contained in:
CentOS Sources 2022-05-10 03:18:31 -04:00 committed by Stepan Oksanichenko
parent 4d5a159fd8
commit 562beb1a29
15 changed files with 1492 additions and 11903 deletions

.gitignore vendored

@ -1 +1 @@
SOURCES/sssd-2.5.2.tar.gz SOURCES/sssd-2.6.2.tar.gz


@ -1 +1 @@
680a282289fdfc6e27562e0ac82933ccd1f9574e SOURCES/sssd-2.5.2.tar.gz c520edf841399668ed81881850a6581bd293b371 SOURCES/sssd-2.6.2.tar.gz


@ -1,277 +0,0 @@
From 3861960837b996d959af504a937a03963dc21d62 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 18 Jun 2021 13:17:19 +0200
Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of
user supplied command
A flaw was found in SSSD, where the sssctl command was vulnerable
to shell command injection via the logs-fetch and cache-expire
subcommands. This flaw allows an attacker to trick the root user
into running a specially crafted sssctl command, such as via sudo,
to gain root access. The highest threat from this vulnerability is
to confidentiality, integrity, as well as system availability.
:fixes: CVE-2021-3621
---
src/tools/sssctl/sssctl.c | 39 ++++++++++++++++-------
src/tools/sssctl/sssctl.h | 2 +-
src/tools/sssctl/sssctl_data.c | 57 +++++++++++-----------------------
src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++----
4 files changed, 73 insertions(+), 57 deletions(-)
diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
index 2997dbf96..8adaf3091 100644
--- a/src/tools/sssctl/sssctl.c
+++ b/src/tools/sssctl/sssctl.c
@@ -97,22 +97,36 @@ sssctl_prompt(const char *message,
return SSSCTL_PROMPT_ERROR;
}
-errno_t sssctl_run_command(const char *command)
+errno_t sssctl_run_command(const char *const argv[])
{
int ret;
+ int wstatus;
- DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command);
+ DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]);
- ret = system(command);
+ ret = fork();
if (ret == -1) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command);
ERROR("Error while executing external command\n");
return EFAULT;
- } else if (WEXITSTATUS(ret) != 0) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n",
- command, WEXITSTATUS(ret));
+ }
+
+ if (ret == 0) {
+ /* cast is safe - see
+ https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
+ "The statement about argv[] and envp[] being constants ... "
+ */
+ execvp(argv[0], discard_const_p(char * const, argv));
ERROR("Error while executing external command\n");
- return EIO;
+ _exit(1);
+ } else {
+ if (waitpid(ret, &wstatus, 0) == -1) {
+ ERROR("Error while executing external command '%s'\n", argv[0]);
+ return EFAULT;
+ } else if (WEXITSTATUS(wstatus) != 0) {
+ ERROR("Command '%s' failed with [%d]\n",
+ argv[0], WEXITSTATUS(wstatus));
+ return EIO;
+ }
}
return EOK;
@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action)
#elif defined(HAVE_SERVICE)
switch (action) {
case SSSCTL_SVC_START:
- return sssctl_run_command(SERVICE_PATH" sssd start");
+ return sssctl_run_command(
+ (const char *[]){SERVICE_PATH, "sssd", "start", NULL});
case SSSCTL_SVC_STOP:
- return sssctl_run_command(SERVICE_PATH" sssd stop");
+ return sssctl_run_command(
+ (const char *[]){SERVICE_PATH, "sssd", "stop", NULL});
case SSSCTL_SVC_RESTART:
- return sssctl_run_command(SERVICE_PATH" sssd restart");
+ return sssctl_run_command(
+ (const char *[]){SERVICE_PATH, "sssd", "restart", NULL});
}
#endif
diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h
index 0115b2457..599ef6519 100644
--- a/src/tools/sssctl/sssctl.h
+++ b/src/tools/sssctl/sssctl.h
@@ -47,7 +47,7 @@ enum sssctl_prompt_result
sssctl_prompt(const char *message,
enum sssctl_prompt_result defval);
-errno_t sssctl_run_command(const char *command);
+errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */
bool sssctl_start_sssd(bool force);
bool sssctl_stop_sssd(bool force);
bool sssctl_restart_sssd(bool force);
diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
index 8d79b977f..bf2291341 100644
--- a/src/tools/sssctl/sssctl_data.c
+++ b/src/tools/sssctl/sssctl_data.c
@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force)
}
}
- ret = sssctl_run_command("sss_override user-export "
- SSS_BACKUP_USER_OVERRIDES);
+ ret = sssctl_run_command((const char *[]){"sss_override", "user-export",
+ SSS_BACKUP_USER_OVERRIDES, NULL});
if (ret != EOK) {
ERROR("Unable to export user overrides\n");
return ret;
}
- ret = sssctl_run_command("sss_override group-export "
- SSS_BACKUP_GROUP_OVERRIDES);
+ ret = sssctl_run_command((const char *[]){"sss_override", "group-export",
+ SSS_BACKUP_GROUP_OVERRIDES, NULL});
if (ret != EOK) {
ERROR("Unable to export group overrides\n");
return ret;
@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
}
if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
- ret = sssctl_run_command("sss_override user-import "
- SSS_BACKUP_USER_OVERRIDES);
+ ret = sssctl_run_command((const char *[]){"sss_override", "user-import",
+ SSS_BACKUP_USER_OVERRIDES, NULL});
if (ret != EOK) {
ERROR("Unable to import user overrides\n");
return ret;
@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
}
if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
- ret = sssctl_run_command("sss_override group-import "
- SSS_BACKUP_GROUP_OVERRIDES);
+ ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
+ SSS_BACKUP_GROUP_OVERRIDES, NULL});
if (ret != EOK) {
ERROR("Unable to import group overrides\n");
return ret;
@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline,
void *pvt)
{
errno_t ret;
- char *cmd_args = NULL;
- const char *cachecmd = SSS_CACHE;
- char *cmd = NULL;
- int i;
-
- if (cmdline->argc == 0) {
- ret = sssctl_run_command(cachecmd);
- goto done;
- }
- cmd_args = talloc_strdup(tool_ctx, "");
- if (cmd_args == NULL) {
- ret = ENOMEM;
- goto done;
+ const char **args = talloc_array_size(tool_ctx,
+ sizeof(char *),
+ cmdline->argc + 2);
+ if (!args) {
+ return ENOMEM;
}
+ memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc);
+ args[0] = SSS_CACHE;
+ args[cmdline->argc + 1] = NULL;
- for (i = 0; i < cmdline->argc; i++) {
- cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]);
- if (i != cmdline->argc - 1) {
- cmd_args = talloc_strdup_append(cmd_args, " ");
- }
- }
-
- cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args);
- if (cmd == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- ret = sssctl_run_command(cmd);
-
-done:
- talloc_free(cmd_args);
- talloc_free(cmd);
+ ret = sssctl_run_command(args);
+ talloc_free(args);
return ret;
}
diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
index 9ff2be05b..ebb2c4571 100644
--- a/src/tools/sssctl/sssctl_logs.c
+++ b/src/tools/sssctl/sssctl_logs.c
@@ -31,6 +31,7 @@
#include <ldb.h>
#include <popt.h>
#include <stdio.h>
+#include <glob.h>
#include "util/util.h"
#include "tools/common/sss_process.h"
@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
{
struct sssctl_logs_opts opts = {0};
errno_t ret;
+ glob_t globbuf;
/* Parse command line. */
struct poptOption options[] = {
@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
sss_signal(SIGHUP);
} else {
+ globbuf.gl_offs = 4;
+ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
+ return ret;
+ }
+ globbuf.gl_pathv[0] = discard_const_p(char, "truncate");
+ globbuf.gl_pathv[1] = discard_const_p(char, "--no-create");
+ globbuf.gl_pathv[2] = discard_const_p(char, "--size");
+ globbuf.gl_pathv[3] = discard_const_p(char, "0");
+
PRINT("Truncating log files...\n");
- ret = sssctl_run_command("truncate --no-create --size 0 " LOG_FILES);
+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
+ globfree(&globbuf);
if (ret != EOK) {
ERROR("Unable to truncate log files\n");
return ret;
@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
void *pvt)
{
const char *file;
- const char *cmd;
errno_t ret;
+ glob_t globbuf;
/* Parse command line. */
ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL,
@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
return ret;
}
- cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES);
- if (cmd == NULL) {
- ERROR("Out of memory!");
+ globbuf.gl_offs = 3;
+ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
+ return ret;
}
+ globbuf.gl_pathv[0] = discard_const_p(char, "tar");
+ globbuf.gl_pathv[1] = discard_const_p(char, "-czf");
+ globbuf.gl_pathv[2] = discard_const_p(char, file);
PRINT("Archiving log files into %s...\n", file);
- ret = sssctl_run_command(cmd);
+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
+ globfree(&globbuf);
if (ret != EOK) {
ERROR("Unable to archive log files\n");
return ret;
--
2.26.3


@ -0,0 +1,33 @@
From 5a2e0ebe83913e317f66478daeff35987c278e27 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 4 Jan 2022 10:11:49 +0100
Subject: [PATCH] ipa: fix reply socket of selinux_child
Commit c92d39a30fa0162d4efdfbe5883c8ea9911a2249 accidentally switched
the reply socket of selinux_child from stdout to stderr while switching
from exec_child to exec_child_ex. This patch returns the original
behavior.
Resolves: https://github.com/SSSD/sssd/issues/5939
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/providers/ipa/ipa_selinux.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index 6f885c0fd..2e0593dd7 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -714,7 +714,7 @@ static errno_t selinux_fork_child(struct selinux_child_state *state)
if (pid == 0) { /* child */
exec_child_ex(state, pipefd_to_child, pipefd_from_child,
SELINUX_CHILD, SELINUX_CHILD_LOG_FILE, extra_args,
- false, STDIN_FILENO, STDERR_FILENO);
+ false, STDIN_FILENO, STDOUT_FILENO);
DEBUG(SSSDBG_CRIT_FAILURE, "Could not exec selinux_child: [%d][%s].\n",
ret, sss_strerror(ret));
return ret;
--
2.26.3
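Review bot: The child's in/out descriptors are passed to exec_child_ex as bare positional constants at the tail of a nine-argument call, and the commit message shows that is exactly how the stdout/stderr swap slipped through unnoticed; the corrected call deserves a comment that pins the contract, e.g. `/* selinux_child reads its request on stdin and sends the reply on stdout; the parent reads it via pipefd_from_child (SSSD issue 5939) */` above the exec_child_ex line. Without it a reader cannot tell from the call site which of STDIN_FILENO/STDOUT_FILENO is the reply channel the parent waits on. selinux_fork_child begins before the hunk and the assignment of the `ret` printed after the exec is not visible here, so I have not checked that path.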



@ -1,187 +0,0 @@
From 4c48c4a7792961cf8a228c76975ac370d32904e1 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 6 Oct 2021 13:03:27 +0200
Subject: [PATCH] ad: filter trusted domains
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The fix for https://github.com/SSSD/sssd/issues/5528 might discover
domains which are not trusted (one-way trust) or are from a different
forest (direct trust). Both should be ignored because they are not
trusted or can currently not be handled properly. This patch filters out
those domains.
Resolves: https://github.com/SSSD/sssd/issues/5819
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ad/ad_subdomains.c | 104 +++++++++++++++++++++++++++++--
1 file changed, 99 insertions(+), 5 deletions(-)
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 3eb49c93f..ac463026f 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -46,6 +46,7 @@
#define AD_AT_TRUST_PARTNER "trustPartner"
#define AD_AT_TRUST_ATTRS "trustAttributes"
#define AD_AT_DOMAIN_NAME "cn"
+#define AD_AT_TRUST_DIRECTION "trustDirection"
/* trustType=2 denotes uplevel (NT5 and later) trusted domains. See
* http://msdn.microsoft.com/en-us/library/windows/desktop/ms680342%28v=vs.85%29.aspx
@@ -69,6 +70,12 @@
/* do not refresh more often than every 5 seconds for now */
#define AD_SUBDOMAIN_REFRESH_LIMIT 5
+/* Flags of trustAttributes attribute, see MS-ADTS 6.1.6.7.9 for details */
+#define TRUST_ATTRIBUTE_WITHIN_FOREST 0x00000020
+
+/* Flags for trustDirection attribute, see MS-ADTS 6.1.6.7.12 for details */
+#define TRUST_DIRECTION_OUTBOUND 0x00000002
+
static void
ad_disable_gc(struct ad_options *ad_options)
{
@@ -646,6 +653,85 @@ done:
return ret;
}
+/* When reading trusted domains from the local DC we are basically interested
+ * in domains from the local forest we are trusting, i.e. users from this
+ * domain can connect to us. To not unnecessarily bloat the list of domains
+ * and make multi-domain searches slow we filter domains from other forest and
+ * domains we do not trust.
+ * In future we might add config options to broaden the scope and allow more
+ * domains.
+ * If ad_filter_domains() returns successfully with EOK in input array is not
+ * valid anymore and should be freed by the caller. */
+static errno_t ad_filter_domains(TALLOC_CTX *mem_ctx,
+ struct sysdb_attrs **subdomains,
+ size_t num_subdomains,
+ struct sysdb_attrs ***_sd_out,
+ size_t *_num_sd_out)
+{
+ int ret;
+ size_t c;
+ uint32_t tmp_uint32_t;
+ const char *value;
+ struct sysdb_attrs **sd_out;
+ size_t num_sd_out = 0;
+
+ sd_out = talloc_zero_array(mem_ctx, struct sysdb_attrs *,
+ num_subdomains + 1);
+ if (sd_out == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to allocate memory for sub-domain list.\n");
+ return ENOMEM;
+ }
+
+ for (c = 0; c < num_subdomains; c++) {
+ ret = sysdb_attrs_get_string(subdomains[c], AD_AT_TRUST_PARTNER,
+ &value);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n");
+ talloc_free(sd_out);
+ return ret;
+ }
+
+ /* Ignore direct trusts to domains from other forests
+ * (TRUST_ATTRIBUTE_WITHIN_FOREST is not set) or domains we do not
+ * trust (TRUST_DIRECTION_OUTBOUND is not set) */
+
+ tmp_uint32_t = 0;
+ ret = sysdb_attrs_get_uint32_t(subdomains[c], AD_AT_TRUST_ATTRS,
+ &tmp_uint32_t);
+ if (ret != EOK
+ || (tmp_uint32_t & TRUST_ATTRIBUTE_WITHIN_FOREST) == 0) {
+ DEBUG(SSSDBG_FUNC_DATA,
+ "TRUST_ATTRIBUTE_WITHIN_FOREST not set for [%s].\n",
+ value);
+ continue;
+ }
+
+ tmp_uint32_t = 0;
+ ret = sysdb_attrs_get_uint32_t(subdomains[c], AD_AT_TRUST_DIRECTION,
+ &tmp_uint32_t);
+ if (ret != EOK
+ || (tmp_uint32_t & TRUST_DIRECTION_OUTBOUND) == 0) {
+ DEBUG(SSSDBG_FUNC_DATA,
+ "TRUST_DIRECTION_OUTBOUND not set for [%s].\n",
+ value);
+ continue;
+ }
+
+ sd_out[num_sd_out] = subdomains[c];
+ num_sd_out++;
+ }
+
+ for (c = 0; c < num_sd_out; c++) {
+ sd_out[c] = talloc_steal(sd_out, sd_out[c]);
+ }
+
+ *_sd_out = sd_out;
+ *_num_sd_out = num_sd_out;
+
+ return EOK;
+}
+
/* How many times we keep a domain not found during searches before it will be
* removed. */
#define MAX_NOT_FOUND 6
@@ -1125,7 +1211,7 @@ static void ad_get_slave_domain_connect_done(struct tevent_req *subreq)
errno_t ret;
const char *attrs[] = { AD_AT_FLATNAME, AD_AT_TRUST_PARTNER,
AD_AT_SID, AD_AT_TRUST_TYPE,
- AD_AT_TRUST_ATTRS, NULL };
+ AD_AT_TRUST_ATTRS, AD_AT_TRUST_DIRECTION, NULL };
req = tevent_req_callback_data(subreq, struct tevent_req);
state = tevent_req_data(req, struct ad_get_slave_domain_state);
@@ -1333,7 +1419,7 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
struct sdap_options *opts;
errno_t ret;
const char *attrs[] = { AD_AT_FLATNAME, AD_AT_TRUST_PARTNER,
- AD_AT_SID, AD_AT_TRUST_TYPE,
+ AD_AT_SID, AD_AT_TRUST_TYPE, AD_AT_TRUST_DIRECTION,
AD_AT_TRUST_ATTRS, AD_AT_DOMAIN_NAME, NULL };
req = tevent_req_create(mem_ctx, &state, struct ad_get_root_domain_state);
@@ -1411,13 +1497,15 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
struct ad_get_root_domain_state *state;
errno_t ret;
bool has_changes = false;
+ struct sysdb_attrs **unfiltered_reply;
+ size_t unfiltered_reply_count;
req = tevent_req_callback_data(subreq, struct tevent_req);
state = tevent_req_data(req, struct ad_get_root_domain_state);
ret = sdap_search_bases_return_first_recv(subreq, state,
- &state->reply_count,
- &state->reply);
+ &unfiltered_reply_count,
+ &unfiltered_reply);
talloc_zfree(subreq);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Unable to lookup forest root information "
@@ -1425,7 +1513,13 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
goto done;
}
- find_domain(state->reply_count, state->reply, state->forest);
+ ret = ad_filter_domains(state, unfiltered_reply, unfiltered_reply_count,
+ &state->reply, &state->reply_count);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to filter list of returned domains.\n");
+ goto done;
+ }
if (state->reply_count == 0
|| find_domain(state->reply_count, state->reply,
--
2.26.3


@ -0,0 +1,140 @@
From ca8cef0fc2f6066811105f4c201070cda38c4064 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Thu, 13 Jan 2022 11:28:30 +0100
Subject: [PATCH] krb5: AD and IPA don't change Kerberos port
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
AD and IPA providers use a common fo_server object for LDAP and
Kerberos, which is created with the LDAP data. This means that due to
the changes introduced in
https://github.com/SSSD/sssd/commit/1e747fad4539ffb402010e73f78469fe57af408f
the port in use for the Kerberos requests would be the one specified for
LDAP, usually the default one (389).
In order to avoid that, AD and IPA providers shouldn't change the
Kerberos port with the one provided for LDAP.
:fixes: A critical regression that prevented authentication of users via
AD and IPA providers was fixed. LDAP port was reused for Kerberos
communication and this provider would send incomprehensible information
to this port.
Resolves: https://github.com/SSSD/sssd/issues/5947
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/providers/ad/ad_common.c | 1 +
src/providers/ipa/ipa_common.c | 1 +
src/providers/krb5/krb5_common.c | 34 +++++++++++++++++++-------------
src/providers/krb5/krb5_common.h | 1 +
4 files changed, 23 insertions(+), 14 deletions(-)
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
index e263444c5..1ca5f8e3a 100644
--- a/src/providers/ad/ad_common.c
+++ b/src/providers/ad/ad_common.c
@@ -1087,6 +1087,7 @@ ad_resolve_callback(void *private_data, struct fo_server *server)
if (service->krb5_service->write_kdcinfo) {
ret = write_krb5info_file_from_fo_server(service->krb5_service,
server,
+ true,
SSS_KRB5KDC_FO_SRV,
ad_krb5info_file_filter);
if (ret != EOK) {
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
index 1509cb1ce..e6c1f9aa4 100644
--- a/src/providers/ipa/ipa_common.c
+++ b/src/providers/ipa/ipa_common.c
@@ -925,6 +925,7 @@ static void ipa_resolve_callback(void *private_data, struct fo_server *server)
if (service->krb5_service->write_kdcinfo) {
ret = write_krb5info_file_from_fo_server(service->krb5_service,
server,
+ true,
SSS_KRB5KDC_FO_SRV,
NULL);
if (ret != EOK) {
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index 719ce6a12..5ffa20809 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -690,6 +690,7 @@ static const char* fo_server_address_or_name(TALLOC_CTX *tmp_ctx, struct fo_serv
errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
struct fo_server *server,
+ bool force_default_port,
const char *service,
bool (*filter)(struct fo_server *))
{
@@ -731,13 +732,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
if (filter == NULL || filter(server) == false) {
address = fo_server_address_or_name(tmp_ctx, server);
if (address) {
- port = fo_get_server_port(server);
- if (port != 0) {
- address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
- if (address == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
- talloc_free(tmp_ctx);
- return ENOMEM;
+ if (!force_default_port) {
+ port = fo_get_server_port(server);
+ if (port != 0) {
+ address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
+ if (address == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+ talloc_free(tmp_ctx);
+ return ENOMEM;
+ }
}
}
@@ -775,13 +778,15 @@ errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
continue;
}
- port = fo_get_server_port(item);
- if (port != 0) {
- address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
- if (address == NULL) {
- DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
- talloc_free(tmp_ctx);
- return ENOMEM;
+ if (!force_default_port) {
+ port = fo_get_server_port(item);
+ if (port != 0) {
+ address = talloc_asprintf(tmp_ctx, "%s:%d", address, port);
+ if (address == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+ talloc_free(tmp_ctx);
+ return ENOMEM;
+ }
}
}
@@ -821,6 +826,7 @@ static void krb5_resolve_callback(void *private_data, struct fo_server *server)
if (krb5_service->write_kdcinfo) {
ret = write_krb5info_file_from_fo_server(krb5_service,
server,
+ false,
krb5_service->name,
NULL);
if (ret != EOK) {
diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h
index 151f446d1..2fd39a751 100644
--- a/src/providers/krb5/krb5_common.h
+++ b/src/providers/krb5/krb5_common.h
@@ -174,6 +174,7 @@ errno_t write_krb5info_file(struct krb5_service *krb5_service,
errno_t write_krb5info_file_from_fo_server(struct krb5_service *krb5_service,
struct fo_server *server,
+ bool force_default_port,
const char *service,
bool (*filter)(struct fo_server *));
--
2.26.3
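Review bot: The new `force_default_port` parameter is added to the prototype in krb5_common.h without any comment, and its effect (the `:port` suffix taken from the fo_server is skipped, so the address is written bare) is only discoverable by reading the .c hunks; a one-line comment above the declaration would help, e.g. `/* force_default_port: ignore the fo_server port and write the address without a ":port" suffix; AD/IPA share one fo_server with LDAP */`. The three call sites in ad_common.c, ipa_common.c and krb5_common.c pass bare `true`/`false` literals between two other positional arguments, so an inline `/* force_default_port */` tag at each call would make the intent visible where the value is chosen. The two port-suffix blocks in write_krb5info_file_from_fo_server are now identical copies wrapped in the same `if (!force_default_port)`; hoisting them into one static helper would keep any future change in one place. write_krb5info_file_from_fo_server starts and ends outside the hunks shown.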


@ -1,62 +0,0 @@
From bb94a18f0f0cba1e9fb5abf78b995d69e5f3c559 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 18 Oct 2021 12:29:06 +0200
Subject: [PATCH] cache_req: return success for autofs when ENOENT is returned
from provider
The receive function should return true if data provider lookup was
successfull and false if there was an error. "Not found" result is
considered a successful lookup, only failure to perform a search
should result in false return code.
Resolves: https://github.com/SSSD/sssd/issues/5832
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
---
.../common/cache_req/plugins/cache_req_autofs_entry_by_name.c | 2 +-
.../common/cache_req/plugins/cache_req_autofs_map_by_name.c | 2 +-
.../common/cache_req/plugins/cache_req_autofs_map_entries.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
index 0dc6a585a..788b6708c 100644
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
@@ -97,7 +97,7 @@ cache_req_autofs_entry_by_name_dp_recv(struct tevent_req *subreq,
ret = sbus_call_dp_autofs_GetEntry_recv(subreq);
- if (ret == ERR_MISSING_DP_TARGET) {
+ if (ret == ERR_MISSING_DP_TARGET || ret == ENOENT) {
ret = EOK;
}
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
index 6a665c58e..5d82641cc 100644
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
@@ -93,7 +93,7 @@ cache_req_autofs_map_by_name_dp_recv(struct tevent_req *subreq,
ret = sbus_call_dp_autofs_GetMap_recv(subreq);
- if (ret == ERR_MISSING_DP_TARGET) {
+ if (ret == ERR_MISSING_DP_TARGET || ret == ENOENT) {
ret = EOK;
}
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
index 46776b980..29f289723 100644
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
@@ -125,7 +125,7 @@ cache_req_autofs_map_entries_dp_recv(struct tevent_req *subreq,
ret = sbus_call_dp_autofs_Enumerate_recv(subreq);
- if (ret == ERR_MISSING_DP_TARGET) {
+ if (ret == ERR_MISSING_DP_TARGET || ret == ENOENT) {
ret = EOK;
}
--
2.26.3



@ -1,81 +0,0 @@
From 01ff8155baea989c42664985ea939cb93beb31e7 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 1 Oct 2021 18:01:21 +0200
Subject: [PATCH] MONITOR: reduce logs severity around signalling and
termination of services to avoid useless in those cases backtraces
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/monitor/monitor.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 42def7451..b5fee7e7a 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -655,7 +655,7 @@ static int service_signal(struct mt_svc *svc,
* order a service to reload that hasn't started
* yet.
*/
- DEBUG(SSSDBG_CRIT_FAILURE,
+ DEBUG(SSSDBG_IMPORTANT_INFO,
"Could not signal service [%s].\n", svc->name);
return EIO;
}
@@ -684,8 +684,8 @@ static void service_signal_done(struct tevent_req *req)
return;
}
- DEBUG(SSSDBG_FATAL_FAILURE, "Unable to signal service [%d]: %s\n",
- ret, sss_strerror(ret));
+ DEBUG(ret == ENOENT ? SSSDBG_MINOR_FAILURE : SSSDBG_OP_FAILURE,
+ "Unable to signal service [%d]: %s\n", ret, sss_strerror(ret));
}
static int service_signal_dns_reload(struct mt_svc *svc)
@@ -1363,14 +1363,14 @@ static void monitor_quit(struct mt_ctx *mt_ctx, int ret)
}
killed = false;
- DEBUG(SSSDBG_CRIT_FAILURE,
+ DEBUG(SSSDBG_IMPORTANT_INFO,
"Terminating [%s][%d]\n", svc->name, svc->pid);
do {
errno = 0;
kret = kill(-svc->pid, SIGTERM);
if (kret < 0) {
error = errno;
- DEBUG(SSSDBG_CRIT_FAILURE, "Couldn't kill [%s][%d]: [%s]\n",
+ DEBUG(SSSDBG_MINOR_FAILURE, "Couldn't terminate [%s][%d]: [%s]\n",
svc->name, svc->pid, strerror(error));
}
@@ -1384,7 +1384,7 @@ static void monitor_quit(struct mt_ctx *mt_ctx, int ret)
if (error == ECHILD) {
killed = true;
} else if (error != EINTR) {
- DEBUG(SSSDBG_FATAL_FAILURE,
+ DEBUG(SSSDBG_IMPORTANT_INFO,
"[%d][%s] while waiting for [%s]\n",
error, strerror(error), svc->name);
/* Forcibly kill this child */
@@ -1394,13 +1394,13 @@ static void monitor_quit(struct mt_ctx *mt_ctx, int ret)
} else if (pid != 0) {
error = 0;
if (WIFEXITED(status)) {
- DEBUG(SSSDBG_CRIT_FAILURE,
+ DEBUG(SSSDBG_IMPORTANT_INFO,
"Child [%s] exited gracefully\n", svc->name);
} else if (WIFSIGNALED(status)) {
- DEBUG(SSSDBG_CRIT_FAILURE,
+ DEBUG(SSSDBG_IMPORTANT_INFO,
"Child [%s] terminated with a signal\n", svc->name);
} else {
- DEBUG(SSSDBG_CRIT_FAILURE,
+ DEBUG(SSSDBG_IMPORTANT_INFO,
"Child [%s] did not exit cleanly\n", svc->name);
/* Forcibly kill this child */
kill(-svc->pid, SIGKILL);
--
2.26.3


@ -1,145 +0,0 @@
From bb8da4303851642318b626aad507ab7c39f6a80d Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 1 Nov 2021 20:09:02 +0100
Subject: [PATCH] DEBUG: avoid backtrace dups.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In case the same error(s) is repeated again and again repeating the same
backtrace doesn't add much value. In this case let's add just a note.
Reviewed-by: Tomáš Halman <thalman@redhat.com>
---
src/util/debug.c | 4 +--
src/util/debug_backtrace.c | 51 +++++++++++++++++++++++++++++++++++---
2 files changed, 50 insertions(+), 5 deletions(-)
diff --git a/src/util/debug.c b/src/util/debug.c
index 7c03fb7df..953123718 100644
--- a/src/util/debug.c
+++ b/src/util/debug.c
@@ -42,7 +42,7 @@
void sss_debug_backtrace_init(void);
void sss_debug_backtrace_vprintf(int level, const char *format, va_list ap);
void sss_debug_backtrace_printf(int level, const char *format, ...);
-void sss_debug_backtrace_endmsg(int level);
+void sss_debug_backtrace_endmsg(const char *file, long line, int level);
const char *debug_prg_name = "sssd";
@@ -359,7 +359,7 @@ void sss_vdebug_fn(const char *file,
if (flags & APPEND_LINE_FEED) {
sss_debug_backtrace_printf(level, "\n");
}
- sss_debug_backtrace_endmsg(level);
+ sss_debug_backtrace_endmsg(file, line, level);
}
void sss_debug_fn(const char *file,
diff --git a/src/util/debug_backtrace.c b/src/util/debug_backtrace.c
index d99325ab6..e376f815b 100644
--- a/src/util/debug_backtrace.c
+++ b/src/util/debug_backtrace.c
@@ -30,6 +30,9 @@ extern FILE *_sss_debug_file;
static const unsigned SSS_DEBUG_BACKTRACE_DEFAULT_SIZE = 100*1024; /* bytes */
static const unsigned SSS_DEBUG_BACKTRACE_LEVEL = SSSDBG_BE_FO;
+/* Size of locations history to keep to avoid duplicating backtraces */
+#define SSS_DEBUG_BACKTRACE_LOCATIONS 5
+
/* -->
* ring buffer = [*******t...\n............e000]
@@ -46,12 +49,21 @@ static struct {
char *buffer; /* buffer start */
char *end; /* end data border */
char *tail; /* tail of "current" message */
+
+ /* locations where last backtraces happened */
+ struct {
+ const char *file;
+ long line;
+ } locations[SSS_DEBUG_BACKTRACE_LOCATIONS];
+ unsigned last_location_idx;
} _bt;
static inline bool _all_levels_enabled(void);
static inline bool _backtrace_is_enabled(int level);
static inline bool _is_trigger_level(int level);
+static void _store_location(const char *file, long line);
+static bool _is_recent_location(const char *file, long line);
static void _backtrace_vprintf(const char *format, va_list ap);
static void _backtrace_printf(const char *format, ...);
static void _backtrace_dump(void);
@@ -75,6 +87,8 @@ void sss_debug_backtrace_init(void)
_bt.enabled = true;
_bt.initialized = true;
+ /* locations[] & last_location_idx are zero-initialized */
+
_backtrace_printf(" * ");
}
@@ -116,7 +130,7 @@ void sss_debug_backtrace_printf(int level, const char *format, ...)
}
-void sss_debug_backtrace_endmsg(int level)
+void sss_debug_backtrace_endmsg(const char *file, long line, int level)
{
if (DEBUG_IS_SET(level)) {
_debug_fflush();
@@ -124,7 +138,16 @@ void sss_debug_backtrace_endmsg(int level)
if (_backtrace_is_enabled(level)) {
if (_is_trigger_level(level)) {
- _backtrace_dump();
+ if (!_is_recent_location(file, line)) {
+ _backtrace_dump();
+ _store_location(file, line);
+ } else {
+ fprintf(_sss_debug_file ? _sss_debug_file : stderr,
+ " * ... skipping repetitive backtrace ...\n");
+ /* and reset */
+ _bt.end = _bt.buffer;
+ _bt.tail = _bt.buffer;
+ }
}
_backtrace_printf(" * ");
}
@@ -191,7 +214,29 @@ static inline bool _backtrace_is_enabled(int level)
}
- /* prints to buffer */
+static void _store_location(const char *file, long line)
+{
+ _bt.last_location_idx = (_bt.last_location_idx + 1) % SSS_DEBUG_BACKTRACE_LOCATIONS;
+ /* __FILE__ is a character string literal with static storage duration. */
+ _bt.locations[_bt.last_location_idx].file = file;
+ _bt.locations[_bt.last_location_idx].line = line;
+}
+
+
+static bool _is_recent_location(const char *file, long line)
+{
+ for (unsigned idx = 0; idx < SSS_DEBUG_BACKTRACE_LOCATIONS; ++idx) {
+ if ((line == _bt.locations[idx].line) &&
+ (_bt.locations[idx].file != NULL) &&
+ (strcmp(file, _bt.locations[idx].file) == 0)) {
+ return true;
+ }
+ }
+ return false;
+}
+
+
+/* prints to buffer */
static void _backtrace_vprintf(const char *format, va_list ap)
{
int buff_tail_size = _bt.size - (_bt.tail - _bt.buffer);
--
2.26.3


@ -1,131 +0,0 @@
From 26654d3e5f5882dd1681116cb49228d108351d48 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 12 Aug 2021 09:27:57 +0200
Subject: [PATCH] cache_req: cache_first fix for fully-qualified names
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
With commit b572871236a7f9059d375a5ab1bff8cbfd519956 "cache_req:
introduce cache_behavior enumeration" the processing of cache and
backend lookups was refactored. Unfortunately this introduce an issue
when looking up users or groups with a fully-qualified name and the
'cache_first = True' option is set.
In the old code the case when a domain name is available was handle
before the cache_first first option was evaluated and cache_req was
instructed to first look in the cache and then call the backend if the
object is not available or expired, i.e. the default behavior. Since
only a single domain is involved this is in agreement with 'cache_first
= True' and only a single iteration is needed.
In the new code the cache_first option is evaluated before the presence
of a domain name is checked and as a result even for single domain
searches the first cache_req iteration is only looking at the cache and
will not call the backend. This means the now for searches with a
fully-qualified name a second iteration is needed if the object was not
found in the cache.
Unfortunately the old exit condition that if a domain name is present
only a single iteration is needed is still present in the new code which
effectively makes requests with fully-qualified named only search the
cache and never call the backends. This patch removes the exit condition
and does a second iteration for fully-qualified names as well if
'cache_first = True' is set.
Resolves: https://github.com/SSSD/sssd/issues/5744
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/responder/common/cache_req/cache_req.c | 3 +-
src/tests/cmocka/test_responder_cache_req.c | 53 +++++++++++++++++++++
2 files changed, 54 insertions(+), 2 deletions(-)
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
index 750d655c1..56ec077f3 100644
--- a/src/responder/common/cache_req/cache_req.c
+++ b/src/responder/common/cache_req/cache_req.c
@@ -1331,8 +1331,7 @@ static errno_t cache_req_select_domains(struct tevent_req *req,
state = tevent_req_data(req, struct cache_req_state);
- if ((state->cr->cache_behavior != CACHE_REQ_CACHE_FIRST)
- || (domain_name != NULL)) {
+ if (state->cr->cache_behavior != CACHE_REQ_CACHE_FIRST) {
if (!state->first_iteration) {
/* We're done here. */
diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c
index 5cf7660e7..27a525f6e 100644
--- a/src/tests/cmocka/test_responder_cache_req.c
+++ b/src/tests/cmocka/test_responder_cache_req.c
@@ -992,6 +992,56 @@ void test_user_by_name_missing_notfound(void **state)
assert_true(test_ctx->dp_called);
}
+void test_user_by_name_missing_notfound_cache_first(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ test_ctx->rctx->cache_first = true;
+
+ /* Mock values. */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+ mock_parse_inp(users[0].short_name, NULL, ERR_OK);
+
+ /* Test. */
+ run_user_by_name(test_ctx, test_ctx->tctx->dom, 0, ENOENT);
+ assert_true(test_ctx->dp_called);
+}
+
+void test_user_by_name_missing_notfound_full_name(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Mock values. */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+ mock_parse_inp(users[0].short_name, TEST_DOM_NAME, ERR_OK);
+
+ /* Test. */
+ run_user_by_name(test_ctx, test_ctx->tctx->dom, 0, ENOENT);
+ assert_true(test_ctx->dp_called);
+}
+
+void test_user_by_name_missing_notfound_cache_first_full_name(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ test_ctx->rctx->cache_first = true;
+
+ /* Mock values. */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+ mock_parse_inp(users[0].short_name, TEST_DOM_NAME, ERR_OK);
+
+ /* Test. */
+ run_user_by_name(test_ctx, test_ctx->tctx->dom, 0, ENOENT);
+ assert_true(test_ctx->dp_called);
+}
+
void test_user_by_name_multiple_domains_requested_domains_found(void **state)
{
struct cache_req_test_ctx *test_ctx = NULL;
@@ -4255,6 +4305,9 @@ int main(int argc, const char *argv[])
new_single_domain_test(user_by_name_ncache),
new_single_domain_test(user_by_name_missing_found),
new_single_domain_test(user_by_name_missing_notfound),
+ new_single_domain_test(user_by_name_missing_notfound_cache_first),
+ new_single_domain_test(user_by_name_missing_notfound_full_name),
+ new_single_domain_test(user_by_name_missing_notfound_cache_first_full_name),
new_multi_domain_test(user_by_name_multiple_domains_found),
new_multi_domain_test(user_by_name_multiple_domains_notfound),
new_multi_domain_test(user_by_name_multiple_domains_parse),
--
2.26.3

@ -1,111 +0,0 @@
From a56b8d1aaf030fea196b65545dfe207ea10bdf50 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Fri, 3 Dec 2021 13:38:44 +0100
Subject: [PATCH] utils: ignore systemd and sd-pam process in
get_active_uid_linux()
We iterate processes in /proc to get the list of active users (users
that has any process running). However, recent change in systemd makes
systemd and sd-pam process ligner for few more seconds when the user has
logged out which breaks the no-session functionality in pam responder.
If user is logged in, another process then systemd and sd-pam must be
running. Therefore we can just ignore these from the list.
```
admin 351997 0.4 0.0 22648 14636 ? Ss 13:25 0:00 /usr/lib/systemd/systemd --user
admin 351999 0.0 0.0 201464 7756 ? S 13:25 0:00 (sd-pam)
```
Resolves: https://github.com/SSSD/sssd/issues/5900
:fixes: Quick log out and log in did not correctly refresh
user's initgroups in `no_session` PAM schema due to lingering
systemd processes.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/util/find_uid.c | 31 +++++++++++++++++++++++++++++--
1 file changed, 29 insertions(+), 2 deletions(-)
diff --git a/src/util/find_uid.c b/src/util/find_uid.c
index 38e8f6164..1b506dfc3 100644
--- a/src/util/find_uid.c
+++ b/src/util/find_uid.c
@@ -58,7 +58,7 @@ static void hash_talloc_free(void *ptr, void *pvt)
talloc_free(ptr);
}
-static errno_t get_uid_from_pid(const pid_t pid, uid_t *uid)
+static errno_t get_uid_from_pid(const pid_t pid, uid_t *uid, bool *is_systemd)
{
int ret;
char path[PATHLEN];
@@ -138,6 +138,7 @@ static errno_t get_uid_from_pid(const pid_t pid, uid_t *uid)
"close failed [%d][%s].\n", error, strerror(error));
}
+ /* Get uid */
p = strstr(buf, "\nUid:\t");
if (p != NULL) {
p += 6;
@@ -165,6 +166,24 @@ static errno_t get_uid_from_pid(const pid_t pid, uid_t *uid)
return EINVAL;
}
+ /* Get process name. */
+ p = strstr(buf, "Name:\t");
+ if (p == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "format error\n");
+ return EINVAL;
+ }
+ p += 6;
+ e = strchr(p,'\n');
+ if (e == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "format error\n");
+ return EINVAL;
+ }
+ if (strncmp(p, "systemd", e-p) == 0 || strncmp(p, "(sd-pam)", e-p) == 0) {
+ *is_systemd = true;
+ } else {
+ *is_systemd = false;
+ }
+
*uid = num;
return EOK;
@@ -215,6 +234,7 @@ static errno_t get_active_uid_linux(hash_table_t *table, uid_t search_uid)
struct dirent *dirent;
int ret, err;
pid_t pid = -1;
+ bool is_systemd;
uid_t uid;
hash_key_t key;
@@ -238,7 +258,7 @@ static errno_t get_active_uid_linux(hash_table_t *table, uid_t search_uid)
goto done;
}
- ret = get_uid_from_pid(pid, &uid);
+ ret = get_uid_from_pid(pid, &uid, &is_systemd);
if (ret != EOK) {
/* Most probably this /proc entry disappeared.
Anyway, just skip it.
@@ -248,6 +268,13 @@ static errno_t get_active_uid_linux(hash_table_t *table, uid_t search_uid)
continue;
}
+ if (is_systemd) {
+ /* Systemd process may linger for a while even when user.
+ * is logged out. Lets ignore it and focus only
+ * on non-systemd processes. */
+ continue;
+ }
+
if (table != NULL) {
key.type = HASH_KEY_ULONG;
key.ul = (unsigned long) uid;
--
2.26.3

@ -18,8 +18,8 @@
%global enable_systemtap_opt --enable-systemtap %global enable_systemtap_opt --enable-systemtap
Name: sssd Name: sssd
Version: 2.5.2 Version: 2.6.2
Release: 2%{?dist}.4 Release: 3%{?dist}
Group: Applications/System Group: Applications/System
Summary: System Security Services Daemon Summary: System Security Services Daemon
License: GPLv3+ License: GPLv3+
@ -27,15 +27,10 @@ URL: https://github.com/SSSD/sssd
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
### Patches ### ### Patches ###
Patch0001: 0001-TOOLS-replace-system-with-execvp.patch Patch0001: 0001-ipa-fix-reply-socket-of-selinux_child.patch
Patch0002: 0002-po-update-translations.patch Patch0002: 0002-ad-add-required-cn-attribute-to-subdomain-object.patch
Patch0003: 0003-ad-filter-trusted-domains.patch Patch0003: 0003-krb5-AD-and-IPA-don-t-change-Kerberos-port.patch
Patch0004: 0004-cache_req-return-success-for-autofs-when-ENOENT-is-r.patch Patch0004: 0004-po-update-translations.patch
Patch0005: 0005-MONITOR-reduce-logs-severity-around-signalling-and-t.patch
Patch0006: 0006-DEBUG-avoid-backtrace-dups.patch
Patch0007: 0007-cache_req-cache_first-fix-for-fully-qualified-names.patch
Patch0008: 0008-utils-ignore-systemd-and-sd-pam-process-in-get_activ.patch
Patch0009: 0009-ad-add-required-cn-attribute-to-subdomain-object.patch
### Downstream Patches ### ### Downstream Patches ###
@ -83,7 +78,7 @@ BuildRequires: openldap-devel
BuildRequires: pam-devel BuildRequires: pam-devel
BuildRequires: nss-devel BuildRequires: nss-devel
BuildRequires: nspr-devel BuildRequires: nspr-devel
BuildRequires: pcre-devel BuildRequires: pcre2-devel
BuildRequires: libxslt BuildRequires: libxslt
BuildRequires: libxml2 BuildRequires: libxml2
BuildRequires: docbook-style-xsl BuildRequires: docbook-style-xsl
@ -101,7 +96,6 @@ BuildRequires: gettext-devel
BuildRequires: pkgconfig BuildRequires: pkgconfig
BuildRequires: diffstat BuildRequires: diffstat
BuildRequires: findutils BuildRequires: findutils
BuildRequires: glib2-devel
BuildRequires: selinux-policy-targeted BuildRequires: selinux-policy-targeted
BuildRequires: libcmocka-devel >= 1.0.0 BuildRequires: libcmocka-devel >= 1.0.0
BuildRequires: uid_wrapper BuildRequires: uid_wrapper
@ -123,8 +117,10 @@ BuildRequires: libsmbclient-devel
BuildRequires: samba-winbind BuildRequires: samba-winbind
BuildRequires: systemtap-sdt-devel BuildRequires: systemtap-sdt-devel
BuildRequires: libuuid-devel BuildRequires: libuuid-devel
BuildRequires: jansson-devel
BuildRequires: gdm-pam-extensions-devel BuildRequires: gdm-pam-extensions-devel
BuildRequires: libunistring-devel
BuildRequires: shadow-utils-subid-devel
BuildRequires: po4a
%description %description
Provides a set of daemons to manage access to remote directories and Provides a set of daemons to manage access to remote directories and
@ -219,13 +215,12 @@ Requires: libsss_simpleifp = %{version}-%{release}
Requires: python3-sss = %{version}-%{release} Requires: python3-sss = %{version}-%{release}
Requires: python3-sssdconfig = %{version}-%{release} Requires: python3-sssdconfig = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release} Requires: libsss_certmap = %{version}-%{release}
# for logger=journald support with sss_analyze
Requires: python3-systemd
Recommends: sssd-dbus Recommends: sssd-dbus
%description tools %description tools
Provides userspace tools for manipulating users, groups, and nested groups in Provides several administrative tools:
SSSD when using id_provider = local in /etc/sssd/sssd.conf.
Also provides several other administrative tools:
* sss_debuglevel to change the debug level on the fly * sss_debuglevel to change the debug level on the fly
* sss_seed which pre-creates a user entry for use in kickstarts * sss_seed which pre-creates a user entry for use in kickstarts
* sss_obfuscate for generating an obfuscated LDAP password * sss_obfuscate for generating an obfuscated LDAP password
@ -249,11 +244,8 @@ Requires: sssd-common = %{version}-%{release}
%{?python_provide:%python_provide python3-sss} %{?python_provide:%python_provide python3-sss}
%description -n python3-sss %description -n python3-sss
Provides python3 module for manipulating users, groups, and nested groups in Provides python3 bindings:
SSSD when using id_provider = local in /etc/sssd/sssd.conf. * function for retrieving list of groups user belongs to
Also provides several other useful python3 bindings:
* function for retrieving list of groups user belongs to.
* class for obfuscation of passwords * class for obfuscation of passwords
%package -n python3-sss-murmur %package -n python3-sss-murmur
@ -587,6 +579,7 @@ autoreconf -ivf
--disable-rpath \ --disable-rpath \
--with-initscript=systemd \ --with-initscript=systemd \
--with-syslog=journald \ --with-syslog=journald \
--with-subid \
--enable-sss-default-nss-plugin \ --enable-sss-default-nss-plugin \
--enable-files-domain \ --enable-files-domain \
--without-python2-bindings \ --without-python2-bindings \
@ -607,6 +600,7 @@ unset CK_TIMEOUT_MULTIPLIER
%install %install
%py3_shebang_fix src/tools/analyzer/sss_analyze
sed -i -e 's:/usr/bin/python:%{__python3}:' src/tools/sss_obfuscate sed -i -e 's:/usr/bin/python:%{__python3}:' src/tools/sss_obfuscate
make install DESTDIR=$RPM_BUILD_ROOT make install DESTDIR=$RPM_BUILD_ROOT
@ -627,6 +621,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d
cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \ cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/kcm_default_ccache
# krb5 configuration snippet
cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \
$RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
# Create directory for cifs-idmap alternative # Create directory for cifs-idmap alternative
# Otherwise this directory could not be owned by sssd-client # Otherwise this directory could not be owned by sssd-client
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/cifs-utils mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/cifs-utils
@ -858,6 +856,9 @@ done
%license COPYING %license COPYING
%{_libdir}/%{name}/libsss_krb5.so %{_libdir}/%{name}/libsss_krb5.so
%{_mandir}/man5/sssd-krb5.5* %{_mandir}/man5/sssd-krb5.5*
%config(noreplace) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
%dir %{_datadir}/sssd/krb5-snippets
%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir
%files common-pac %files common-pac
%defattr(-,root,root,-) %defattr(-,root,root,-)
@ -911,6 +912,7 @@ done
%defattr(-,root,root,-) %defattr(-,root,root,-)
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER %license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/libnss_sss.so.2 %{_libdir}/libnss_sss.so.2
%{_libdir}/libsubid_sss.so
%{_libdir}/security/pam_sss.so %{_libdir}/security/pam_sss.so
%{_libdir}/security/pam_sss_gss.so %{_libdir}/security/pam_sss_gss.so
%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so %{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
@ -945,6 +947,8 @@ done
%{_sbindir}/sss_debuglevel %{_sbindir}/sss_debuglevel
%{_sbindir}/sss_seed %{_sbindir}/sss_seed
%{_sbindir}/sssctl %{_sbindir}/sssctl
%{_libexecdir}/%{servicename}/sss_analyze
%{python3_sitelib}/sssd/
%{_mandir}/man8/sss_obfuscate.8* %{_mandir}/man8/sss_obfuscate.8*
%{_mandir}/man8/sss_override.8* %{_mandir}/man8/sss_override.8*
%{_mandir}/man8/sss_debuglevel.8* %{_mandir}/man8/sss_debuglevel.8*
@ -1043,7 +1047,6 @@ done
%{_unitdir}/sssd-kcm.socket %{_unitdir}/sssd-kcm.socket
%{_unitdir}/sssd-kcm.service %{_unitdir}/sssd-kcm.service
%{_mandir}/man8/sssd-kcm.8* %{_mandir}/man8/sssd-kcm.8*
%{_libdir}/%{name}/libsss_secrets.so
%pre ipa %pre ipa
getent group sssd >/dev/null || groupadd -r sssd getent group sssd >/dev/null || groupadd -r sssd
@ -1154,21 +1157,50 @@ fi
%systemd_postun_with_restart sssd.service %systemd_postun_with_restart sssd.service
%changelog %changelog
* Mon Jan 17 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-2.4 * Mon Jan 17 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-3
- Resolves: rhbz#2030651 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries [rhel-8.5.0.z] - Resolves: rhbz#2039892 - 2.6.2 regression: Daemon crashes when resolving AD user names
- Resolves: rhbz#2035285 - AD Domain in the AD Forest Missing after sssd latest update [rhel-8.5.0.z] - Resolves: rhbz#1859315 - sssd does not use kerberos port that is set.
- Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries
- Resolves: rhbz#2035245 - AD Domain in the AD Forest Missing after sssd latest update
- Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization
* Tue Dec 07 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-2.3 * Tue Jan 04 2022 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-2
- Resolves: rhbz#2028828 - pam responder does not call initgroups to refresh the user entry [rhel-8.5.0.z] - Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files (additional patch)
* Mon Nov 29 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-2.2 * Mon Dec 27 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.6.2-1
- Resolves: rhbz#2018440 - 2.5.x based SSSD adds more AD domains than it should based on the configuration file (not trusted and from a different forest) [rhel-8.5.0.z] - Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6
- Resolves: rhbz#2016923 - autofs lookups for unknown mounts are delayed for 50s [rhel-8.5.0.z] - Resolves: rhbz#2013260 - [RHEL8] Add ability to parse child log files
- Resolves: rhbz#2021499 - Make backtrace less "chatty" (avoid duplicate backtraces) [rhel-8.5.0.z] - Resolves: rhbz#2030386 - sssd-kcm has requirement on krb5 symbol "krb5_unmarshal_credentials" only available in latest RHEL8.5 krb5 libraries
- Resolves: rhbz#2013379 - Lookup with fully-qualified name does not work with 'cache_first = True' [rhel-8.5.0.z] - Resolves: rhbz#1859315 - sssd does not use kerberos port that is set.
- Resolves: rhbz#1961182 - Passwordless (GSSAPI) SSH not working due to missing "includedir /var/lib/sss/pubconf/krb5.include.d" directive in /etc/krb5.conf
- Resolves: rhbz#2008829 - sssd_be segfault due to empty forest root name
- Resolves: rhbz#2012263 - pam responder does not call initgroups to refresh the user entry
- Resolves: rhbz#2012308 - Add client certificate validation D-Bus API
- Resolves: rhbz#2012327 - Groups are missing while performing id lookup as SSSD switching to offline mode due to the wrong domain name in the ldap-pings(netlogon).
- Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs
- Resolves: rhbz#2013259 - [RHEL8] Add tevent chain ID logic into responders
- Resolves: rhbz#2017301 - [sssd] RHEL 8.6 Tier 0 Localization
* Mon Oct 18 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-2.1 * Fri Nov 26 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.6.1-2
- Resolves: rhbz#2014460 - tps tests fail with cross dependency on sssd debuginfo package: removal of 'sssd-libwbclient-debuginfo' is missing [rhel-8.5.0.z] - Rebuild due to rhbz#2013596 - Rebase Samba to the the latest 4.15.x release
* Mon Nov 15 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.6.1-1
- Resolves: rhbz#2011216 - Rebase SSSD for RHEL 8.6
- Resolves: rhbz#1968340 - 'exclude_groups' option provided in SSSD for session recording (tlog) doesn't work as expected
- Resolves: rhbz#1952569 - SSSD should use "hidden" temporary file in its krb locator
- Resolves: rhbz#1917970 - proxy provider: secondary group is showing in sssd cache after group is removed
- Resolves: rhbz#1636002 - socket-activated services start as the sssd user and then are unable to read the confdb
- Resolves: rhbz#2021196 - Make backtrace less "chatty" (avoid duplicate backtraces)
- Resolves: rhbz#2018432 - 2.5.x based SSSD adds more AD domains than it should based on the configuration file (not trusted and from a different forest)
- Resolves: rhbz#2015070 - Consistency in defaults between OpenSSH and SSSD
- Resolves: rhbz#2013297 - disabled root ad domain causes subdomains to be marked offline
- Resolves: rhbz#2013294 - Lookup with fully-qualified name does not work with 'cache_first = True'
- Resolves: rhbz#2013218 - autofs lookups for unknown mounts are delayed for 50s
- Resolves: rhbz#2013028 - [RFE] Health and Support Analyzer: Add sssctl sub-command to select and display a single request from the logs
- Resolves: rhbz#2013024 - Add support for CKM_RSA_PKCS in smart card authentication.
- Resolves: rhbz#2013006 - [RFE] support subid ranges managed by FreeIPA
- Resolves: rhbz#2012308 - Add client certificate validation D-Bus API
- Resolves: rhbz#2012122 - tps tests fail with cross dependency on sssd debuginfo package: removal of 'sssd-libwbclient-debuginfo' is missing
* Mon Aug 02 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-2 * Mon Aug 02 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-2
- Resolves: rhbz#1975169 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-8] - Resolves: rhbz#1975169 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-8]
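Review bot: The rebased patch list at `Patch0001:` drops `0001-TOOLS-replace-system-with-execvp.patch`, the downstream fix for CVE-2021-3621 (shell command injection in sssctl, still referenced by the 2.5.2-2 changelog entry kept below), and none of the new 2.6.2-* changelog entries records that the fix is now carried by the upstream tarball. Presumably 2.6.2 already ships the execvp()-based sssctl_run_command(), but that is inferred from the version bump rather than shown in this section; a rebase that silently removes a CVE patch is exactly where a fix can regress, so I would confirm the built sssctl no longer calls system() for logs-fetch/cache-expire and add a changelog line such as `- CVE-2021-3621 (sssctl shell command injection) fix is included in upstream 2.6.2; downstream patch dropped`. Separately, installing the krb5 snippet as `%config(noreplace) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir` means a future change to the shipped snippet lands as .rpmnew instead of updating the active krb5 include directive, which is worth a one-line comment next to the `cp` in %install stating that this is intended.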