From 72c2cb49be17ca29cad1de4aa8b0d0c5d96515ef Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Fri, 4 Oct 2013 09:51:35 +0200
Subject: [PATCH] Remove the ability to create public ccachedir (#1015089)
---
 ...ability-to-create-public-directories.patch | 284 ++++++++++++
 0002-krb5-Fix-unit-tests.patch | 432 ++++++++++++++++++
 sssd.spec | 7 +-
 3 files changed, 722 insertions(+), 1 deletion(-)
 create mode 100644 0001-krb5-Remove-ability-to-create-public-directories.patch
 create mode 100644 0002-krb5-Fix-unit-tests.patch
diff --git a/0001-krb5-Remove-ability-to-create-public-directories.patch b/0001-krb5-Remove-ability-to-create-public-directories.patch
new file mode 100644
index 0000000..367e26c
--- /dev/null
+++ b/0001-krb5-Remove-ability-to-create-public-directories.patch
@@ -0,0 +1,284 @@
+From 121baf75c457c2642a2408173c5240027734a3fd Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Tue, 3 Sep 2013 22:48:02 -0400
+Subject: [PATCH 1/2] krb5: Remove ability to create public directories
+
+Setting up public directories is the job of the admin, and
+current sssd syntax can't express the actual intention of the admin with
+regrads to which parts of the path should be public or private.
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/2071
+---
+ src/providers/krb5/krb5_auth.c | 7 ++-
+ src/providers/krb5/krb5_utils.c | 96 ++++++++++++++---------------------------
+ src/providers/krb5/krb5_utils.h | 6 +--
+ 3 files changed, 38 insertions(+), 71 deletions(-)
+
+diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
+index 51c0d739247b7d40a17b6ee367c502df140a7383..a16b5395d21c40e53a5e69519141cbd3c47d7907 100644
+--- a/src/providers/krb5/krb5_auth.c
++++ b/src/providers/krb5/krb5_auth.c
+@@ -292,7 +292,7 @@ static errno_t krb5_auth_prepare_ccache_name(struct krb5child_req *kr,
+ struct be_ctx *be_ctx)
+ {
+ const char *ccname_template;
+- bool private_path = false;
++ const char *realm;
+ errno_t ret;
+
+ if (!kr->is_offline) {
+@@ -317,8 +317,7 @@ static errno_t krb5_auth_prepare_ccache_name(struct krb5child_req *kr,
+ ccname_template = dp_opt_get_cstring(kr->krb5_ctx->opts,
+ KRB5_CCNAME_TMPL);
+ kr->ccname = expand_ccname_template(kr, kr, ccname_template, true,
+- be_ctx->domain->case_sensitive,
+- &private_path);
++ be_ctx->domain->case_sensitive);
+ if (kr->ccname == NULL) {
+ DEBUG(1, ("expand_ccname_template failed.\n"));
+ return ENOMEM;
+@@ -326,7 +325,7 @@ static errno_t krb5_auth_prepare_ccache_name(struct krb5child_req *kr,
+
+ ret = sss_krb5_precreate_ccache(kr->ccname,
+ kr->krb5_ctx->illegal_path_re,
+- kr->uid, kr->gid, private_path);
++ kr->uid, kr->gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("ccache creation failed.\n"));
+ return ret;
+diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c
+index e6860482d9d330cbf12ad42d04e2e3af894cee89..cf6d72ad2e67f0d09ce423738003aa719cc43456 100644
+--- a/src/providers/krb5/krb5_utils.c
++++ b/src/providers/krb5/krb5_utils.c
+@@ -203,7 +203,7 @@ done:
+
+ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
+ const char *template, bool file_mode,
+- bool case_sensitive, bool *private_path)
++ bool case_sensitive)
+ {
+ char *copy;
+ char *p;
+@@ -217,8 +217,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
+ char action;
+ bool rerun;
+
+- *private_path = false;
+-
+ if (template == NULL) {
+ DEBUG(1, ("Missing template.\n"));
+ return NULL;
+@@ -269,7 +267,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
+
+ result = talloc_asprintf_append(result, "%s%s", p,
+ name);
+- if (!file_mode) *private_path = true;
+ break;
+ case 'U':
+ if (kr->uid <= 0) {
+@@ -279,7 +276,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
+ }
+ result = talloc_asprintf_append(result, "%s%"SPRIuid, p,
+ kr->uid);
+- if (!file_mode) *private_path = true;
+ break;
+ case 'p':
+ if (kr->upn == NULL) {
+@@ -288,7 +284,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
+ goto done;
+ }
+ result = talloc_asprintf_append(result, "%s%s", p, kr->upn);
+- if (!file_mode) *private_path = true;
+ break;
+ case '%':
+ result = talloc_asprintf_append(result, "%s%%", p);
+@@ -308,7 +303,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
+ goto done;
+ }
+ result = talloc_asprintf_append(result, "%s%s", p, kr->homedir);
+- if (!file_mode) *private_path = true;
+ break;
+ case 'd':
+ if (file_mode) {
+@@ -320,8 +314,7 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
+ }
+
+ dummy = expand_ccname_template(tmp_ctx, kr, cache_dir_tmpl,
+- false, case_sensitive,
+- private_path);
++ false, case_sensitive);
+ if (dummy == NULL) {
+ DEBUG(1, ("Expanding credential cache directory "
+ "template failed.\n"));
+@@ -414,41 +407,30 @@ done:
+ return res;
+ }
+
+-static errno_t check_parent_stat(bool private_path, struct stat *parent_stat,
++static errno_t check_parent_stat(struct stat *parent_stat,
+ uid_t uid, gid_t gid)
+ {
+- if (private_path) {
+- if (!((parent_stat->st_uid == 0 && parent_stat->st_gid == 0) ||
+- parent_stat->st_uid == uid)) {
+- DEBUG(1, ("Private directory can only be created below a "
+- "directory belonging to root or to "
+- "[%"SPRIuid"][%"SPRIgid"].\n", uid, gid));
+- return EINVAL;
+- }
++ if (!((parent_stat->st_uid == 0 && parent_stat->st_gid == 0) ||
++ parent_stat->st_uid == uid)) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ ("Private directory can only be created below a directory "
++ "belonging to root or to [%"SPRIuid"][%"SPRIgid"].\n",
++ uid, gid));
++ return EINVAL;
++ }
+
+- if (parent_stat->st_uid == uid) {
+- if (!(parent_stat->st_mode & S_IXUSR)) {
+- DEBUG(1, ("Parent directory does have the search bit set for "
+- "the owner.\n"));
+- return EINVAL;
+- }
+- } else {
+- if (!(parent_stat->st_mode & S_IXOTH)) {
+- DEBUG(1, ("Parent directory does have the search bit set for "
+- "others.\n"));
+- return EINVAL;
+- }
++ if (parent_stat->st_uid == uid) {
++ if (!(parent_stat->st_mode & S_IXUSR)) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ ("Parent directory does not have the search bit set for "
++ "the owner.\n"));
++ return EINVAL;
+ }
+ } else {
+- if (parent_stat->st_uid != 0 || parent_stat->st_gid != 0) {
+- DEBUG(1, ("Public directory cannot be created below a user "
+- "directory.\n"));
+- return EINVAL;
+- }
+-
+ if (!(parent_stat->st_mode & S_IXOTH)) {
+- DEBUG(1, ("Parent directory does have the search bit set for "
+- "others.\n"));
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ ("Parent directory does not have the search bit set for "
++ "others.\n"));
+ return EINVAL;
+ }
+ }
+@@ -559,7 +541,7 @@ check_ccache_re(const char *filename, pcre *illegal_re)
+
+ errno_t
+ create_ccache_dir(const char *ccdirname, pcre *illegal_re,
+- uid_t uid, gid_t gid, bool private_path)
++ uid_t uid, gid_t gid)
+ {
+ int ret = EFAULT;
+ struct stat parent_stat;
+@@ -598,27 +580,17 @@ create_ccache_dir(const char *ccdirname, pcre *illegal_re,
+ goto done;
+ }
+
+- ret = check_parent_stat(private_path, &parent_stat, uid, gid);
++ ret = check_parent_stat(&parent_stat, uid, gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+- ("check_parent_stat failed for %s directory [%s].\n",
+- private_path ? "private" : "public", ccdirname));
++ ("check_parent_stat failed for directory [%s].\n", ccdirname));
+ goto done;
+ }
+
+ DLIST_FOR_EACH(li, missing_parents) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ ("Creating directory [%s].\n", li->s));
+- if (li->next == NULL) {
+- new_dir_mode = private_path ? 0700 : 01777;
+- } else {
+- if (private_path &&
+- parent_stat.st_uid == uid && parent_stat.st_gid == gid) {
+- new_dir_mode = 0700;
+- } else {
+- new_dir_mode = 0755;
+- }
+- }
++ new_dir_mode = 0700;
+
+ old_umask = umask(0000);
+ ret = mkdir(li->s, new_dir_mode);
+@@ -630,16 +602,12 @@ create_ccache_dir(const char *ccdirname, pcre *illegal_re,
+ strerror(ret)));
+ goto done;
+ }
+- if (private_path &&
+- ((parent_stat.st_uid == uid && parent_stat.st_gid == gid) ||
+- li->next == NULL)) {
+- ret = chown(li->s, uid, gid);
+- if (ret != EOK) {
+- ret = errno;
+- DEBUG(SSSDBG_MINOR_FAILURE,
+- ("chown failed [%d][%s].\n", ret, strerror(ret)));
+- goto done;
+- }
++ ret = chown(li->s, uid, gid);
++ if (ret != EOK) {
++ ret = errno;
++ DEBUG(SSSDBG_MINOR_FAILURE,
++ ("chown failed [%d][%s].\n", ret, strerror(ret)));
++ goto done;
+ }
+ }
+
+@@ -758,7 +726,7 @@ done:
+ }
+
+ errno_t sss_krb5_precreate_ccache(const char *ccname, pcre *illegal_re,
+- uid_t uid, gid_t gid, bool private_path)
++ uid_t uid, gid_t gid)
+ {
+ TALLOC_CTX *tmp_ctx = NULL;
+ const char *filename;
+@@ -802,7 +770,7 @@ errno_t sss_krb5_precreate_ccache(const char *ccname, pcre *illegal_re,
+ *end = '\0';
+ } while (*(end+1) == '\0');
+
+- ret = create_ccache_dir(ccdirname, illegal_re, uid, gid, private_path);
++ ret = create_ccache_dir(ccdirname, illegal_re, uid, gid);
+ done:
+ talloc_free(tmp_ctx);
+ return ret;
+diff --git a/src/providers/krb5/krb5_utils.h b/src/providers/krb5/krb5_utils.h
+index 33cc6112b02af6991ef4aa4f1988dcbe08ed9266..4b1ebb0bb7a9e13d68ee62820f6408d029a2f072 100644
+--- a/src/providers/krb5/krb5_utils.h
++++ b/src/providers/krb5/krb5_utils.h
+@@ -43,11 +43,11 @@ errno_t check_if_cached_upn_needs_update(struct sysdb_ctx *sysdb,
+ const char *upn);
+
+ errno_t create_ccache_dir(const char *dirname, pcre *illegal_re,
+- uid_t uid, gid_t gid, bool private_path);
++ uid_t uid, gid_t gid);
+
+ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
+ const char *template, bool file_mode,
+- bool case_sensitive, bool *private_path);
++ bool case_sensitive);
+
+ errno_t become_user(uid_t uid, gid_t gid);
+ struct sss_creds;
+@@ -58,7 +58,7 @@ errno_t switch_creds(TALLOC_CTX *mem_ctx,
+ errno_t restore_creds(struct sss_creds *saved_creds);
+
+ errno_t sss_krb5_precreate_ccache(const char *ccname, pcre *illegal_re,
+- uid_t uid, gid_t gid, bool private_path);
++ uid_t uid, gid_t gid);
+ errno_t sss_krb5_cc_destroy(const char *ccname, uid_t uid, gid_t gid);
+ errno_t sss_krb5_check_ccache_princ(uid_t uid, gid_t gid,
+ const char *ccname, const char *principal);
+--
+1.8.3.1
+
diff --git a/0002-krb5-Fix-unit-tests.patch b/0002-krb5-Fix-unit-tests.patch
new file mode 100644
index 0000000..369c1f3
--- /dev/null
+++ b/0002-krb5-Fix-unit-tests.patch
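Review bot: `const char *realm;` now takes the place of `bool private_path = false;` at the top of krb5_auth_prepare_ccache_name (krb5_auth.c, hunk at 292), yet none of the three hunks touching that function reads or writes `realm`; unless the part of the function outside the hunks uses it, this is a dead declaration that `-Wunused-variable` will flag and the line should simply be dropped. In create_ccache_dir, `new_dir_mode = 0700;` is re-assigned on every DLIST_FOR_EACH iteration although nothing in the loop varies it any more; hoisting it above the loop, or passing the literal straight to mkdir, states the now-uniform policy more plainly. Because each missing component is created by mkdir in the calling process and only afterwards chowned to uid:gid, a one-line comment such as `/* 0700 from creation, then handed to uid:gid - never group/world accessible */` would record why the moment between mkdir and chown needs no extra handling. Both krb5_auth_prepare_ccache_name and create_ccache_dir continue outside the hunks.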
@@ -0,0 +1,432 @@
+From adf0fd14ea54a3b015efe8a6d67532b87a064cdd Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Fri, 4 Oct 2013 09:40:34 +0200
+Subject: [PATCH 2/2] krb5: Fix unit tests
+
+---
+ src/tests/krb5_child-test.c | 5 +-
+ src/tests/krb5_utils-tests.c | 126 +++++++++++++++----------------------------
+ 2 files changed, 46 insertions(+), 85 deletions(-)
+
+diff --git a/src/tests/krb5_child-test.c b/src/tests/krb5_child-test.c
+index 959b1bd698284d0db16634357e39fcd076b9fa00..0c6b68b82c648b8e83f5d11b613dd57be89482a0 100644
+--- a/src/tests/krb5_child-test.c
++++ b/src/tests/krb5_child-test.c
+@@ -198,7 +198,6 @@ create_dummy_req(TALLOC_CTX *mem_ctx, const char *user,
+ {
+ struct krb5child_req *kr;
+ struct passwd *pwd;
+- bool private = false;
+ errno_t ret;
+
+ /* The top level child request */
+@@ -246,7 +245,7 @@ create_dummy_req(TALLOC_CTX *mem_ctx, const char *user,
+ kr->ccname = expand_ccname_template(kr, kr,
+ dp_opt_get_cstring(kr->krb5_ctx->opts,
+ KRB5_CCNAME_TMPL),
+- true, true, &private);
++ true, true);
+ if (!kr->ccname) goto fail;
+
+ DEBUG(SSSDBG_FUNC_DATA, ("ccname [%s] uid [%llu] gid [%llu]\n",
+@@ -262,7 +261,7 @@ create_dummy_req(TALLOC_CTX *mem_ctx, const char *user,
+
+ ret = sss_krb5_precreate_ccache(kr->ccname,
+ kr->krb5_ctx->illegal_path_re,
+- kr->uid, kr->gid, private);
++ kr->uid, kr->gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("create_ccache_dir failed.\n"));
+ goto fail;
+diff --git a/src/tests/krb5_utils-tests.c b/src/tests/krb5_utils-tests.c
+index ea0292569135e0fc22a44251cfc4e8719a15837f..3e0c607a58b9ff0840a93867c1ad61cc5a2ae665 100644
+--- a/src/tests/krb5_utils-tests.c
++++ b/src/tests/krb5_utils-tests.c
+@@ -117,13 +117,13 @@ START_TEST(test_pub_ccache_dir)
+
+ ret = chmod(testpath, 0754);
+ fail_unless(ret == EOK, "chmod failed.");
+- ret = sss_krb5_precreate_ccache(filename, NULL, 12345, 12345, false);
++ ret = sss_krb5_precreate_ccache(filename, NULL, 12345, 12345);
+ fail_unless(ret == EINVAL, "sss_krb5_precreate_ccache does not return EINVAL "
+ "while x-bit is missing.");
+
+ ret = chmod(testpath, 0755);
+ fail_unless(ret == EOK, "chmod failed.");
+- ret = sss_krb5_precreate_ccache(filename, NULL, 12345, 12345, false);
++ ret = sss_krb5_precreate_ccache(filename, NULL, 12345, 12345);
+ fail_unless(ret == EOK, "sss_krb5_precreate_ccache failed.");
+
+ check_dir(subdirname, 0, 0, 01777);
+@@ -158,7 +158,7 @@ START_TEST(test_pub_ccache_dir_in_user_dir)
+ filename = talloc_asprintf(tmp_ctx, "%s/ccfile", subdirname);
+ fail_unless(filename != NULL, "talloc_asprintf failed.");
+
+- ret = sss_krb5_precreate_ccache(filename, NULL, 12345, 12345, false);
++ ret = sss_krb5_precreate_ccache(filename, NULL, 12345, 12345);
+ fail_unless(ret == EINVAL, "Creating public ccache dir in user dir "
+ "does not failed with EINVAL.");
+
+@@ -193,13 +193,13 @@ START_TEST(test_priv_ccache_dir)
+
+ ret = chmod(testpath, 0754);
+ fail_unless(ret == EOK, "chmod failed.");
+- ret = sss_krb5_precreate_ccache(filename, NULL, uid, gid, true);
++ ret = sss_krb5_precreate_ccache(filename, NULL, uid, gid);
+ fail_unless(ret == EINVAL, "sss_krb5_precreate_ccache does not return EINVAL "
+ "while x-bit is missing.");
+
+ ret = chmod(testpath, 0755);
+ fail_unless(ret == EOK, "chmod failed.");
+- ret = sss_krb5_precreate_ccache(filename, NULL, uid, gid, true);
++ ret = sss_krb5_precreate_ccache(filename, NULL, uid, gid);
+ fail_unless(ret == EOK, "sss_krb5_precreate_ccache failed.");
+
+ check_dir(subdir, uid, gid, 0700);
+@@ -248,13 +248,13 @@ START_TEST(test_private_ccache_dir_in_user_dir)
+
+ ret = chmod(user_dir, 0600);
+ fail_unless(ret == EOK, "chmod failed.");
+- ret = sss_krb5_precreate_ccache(filename, NULL, uid, gid, true);
++ ret = sss_krb5_precreate_ccache(filename, NULL, uid, gid);
+ fail_unless(ret == EINVAL, "sss_krb5_precreate_ccache does not return EINVAL "
+ "while x-bit is missing.");
+
+ ret = chmod(user_dir, 0700);
+ fail_unless(ret == EOK, "chmod failed.");
+- ret = sss_krb5_precreate_ccache(filename, NULL, uid, gid, true);
++ ret = sss_krb5_precreate_ccache(filename, NULL, uid, gid);
+ fail_unless(ret == EOK, "sss_krb5_precreate_ccache failed.");
+
+ check_dir(dn3, uid, gid, 0700);
+@@ -292,7 +292,7 @@ START_TEST(test_private_ccache_dir_in_wrong_user_dir)
+ filename = talloc_asprintf(tmp_ctx, "%s/ccfile", subdirname);
+ fail_unless(filename != NULL, "talloc_asprintf failed.");
+
+- ret = sss_krb5_precreate_ccache(filename, NULL, 12345, 12345, true);
++ ret = sss_krb5_precreate_ccache(filename, NULL, 12345, 12345);
+ fail_unless(ret == EINVAL, "Creating private ccache dir in wrong user "
+ "dir does not failed with EINVAL.");
+
+@@ -329,27 +329,27 @@ START_TEST(test_illegal_patterns)
+
+ filename = talloc_asprintf(tmp_ctx, "abc/./ccfile");
+ fail_unless(filename != NULL, "talloc_asprintf failed.");
+- ret = create_ccache_dir(filename, illegal_re, uid, gid, true);
++ ret = create_ccache_dir(filename, illegal_re, uid, gid);
+ fail_unless(ret == EINVAL, "create_ccache_dir allowed relative path [%s].",
+ filename);
+
+ filename = talloc_asprintf(tmp_ctx, "%s/abc/./ccfile", dirname);
+ fail_unless(filename != NULL, "talloc_asprintf failed.");
+- ret = create_ccache_dir(filename, illegal_re, uid, gid, true);
++ ret = create_ccache_dir(filename, illegal_re, uid, gid);
+ fail_unless(ret == EINVAL, "create_ccache_dir allowed "
+ "illegal pattern '/./' in filename [%s].",
+ filename);
+
+ filename = talloc_asprintf(tmp_ctx, "%s/abc/../ccfile", dirname);
+ fail_unless(filename != NULL, "talloc_asprintf failed.");
+- ret = create_ccache_dir(filename, illegal_re, uid, gid, true);
++ ret = create_ccache_dir(filename, illegal_re, uid, gid);
+ fail_unless(ret == EINVAL, "create_ccache_dir allowed "
+ "illegal pattern '/../' in filename [%s].",
+ filename);
+
+ filename = talloc_asprintf(tmp_ctx, "%s/abc//ccfile", dirname);
+ fail_unless(filename != NULL, "talloc_asprintf failed.");
+- ret = create_ccache_dir(filename, illegal_re, uid, gid, true);
++ ret = create_ccache_dir(filename, illegal_re, uid, gid);
+ fail_unless(ret == EINVAL, "create_ccache_dir allowed "
+ "illegal pattern '//' in filename [%s].",
+ filename);
+@@ -385,7 +385,7 @@ START_TEST(test_cc_dir_create)
+ residual = talloc_asprintf(tmp_ctx, "DIR:%s/%s", dirname, "ccdir");
+ fail_unless(residual != NULL, "talloc_asprintf failed.");
+
+- ret = sss_krb5_precreate_ccache(residual, illegal_re, uid, gid, true);
++ ret = sss_krb5_precreate_ccache(residual, illegal_re, uid, gid);
+ fail_unless(ret == EOK, "sss_krb5_precreate_ccache failed\n");
+ ret = rmdir(dirname);
+ if (ret < 0) ret = errno;
+@@ -398,7 +398,7 @@ START_TEST(test_cc_dir_create)
+ residual = talloc_asprintf(tmp_ctx, "DIR:%s/%s", dirname, "ccdir/");
+ fail_unless(residual != NULL, "talloc_asprintf failed.");
+
+- ret = sss_krb5_precreate_ccache(residual, illegal_re, uid, gid, true);
++ ret = sss_krb5_precreate_ccache(residual, illegal_re, uid, gid);
+ fail_unless(ret == EOK, "sss_krb5_precreate_ccache failed\n");
+ ret = rmdir(dirname);
+ if (ret < 0) ret = errno;
+@@ -463,40 +463,34 @@ void free_talloc_context(void)
+ }
+
+ static void do_test(const char *file_template, const char *dir_template,
+- const char *expected, const bool expected_private_path)
++ const char *expected)
+ {
+ char *result;
+ int ret;
+- bool private_path = false;
+
+ ret = dp_opt_set_string(kr->krb5_ctx->opts, KRB5_CCACHEDIR, dir_template);
+ fail_unless(ret == EOK, "Failed to set Ccache dir");
+
+- result = expand_ccname_template(tmp_ctx, kr, file_template, true,
+- true, &private_path);
++ result = expand_ccname_template(tmp_ctx, kr, file_template, true, true);
+
+ fail_unless(result != NULL, "Cannot expand template [%s].", file_template);
+ fail_unless(strcmp(result, expected) == 0,
+ "Expansion failed, result [%s], expected [%s].",
+ result, expected);
+- fail_unless(private_path == expected_private_path,
+- "Unexpected private path, get [%s], expected [%s].",
+- private_path ? "true" : "false",
+- expected_private_path ? "true" : "false");
+ }
+
+ START_TEST(test_multiple_substitutions)
+ {
+- do_test(BASE"_%u_%U_%u", CCACHE_DIR, BASE"_"USERNAME"_"UID"_"USERNAME, false);
++ do_test(BASE"_%u_%U_%u", CCACHE_DIR, BASE"_"USERNAME"_"UID"_"USERNAME);
+ do_test("%d/"FILENAME, BASE"_%u_%U_%u",
+- BASE"_"USERNAME"_"UID"_"USERNAME"/"FILENAME, true);
++ BASE"_"USERNAME"_"UID"_"USERNAME"/"FILENAME);
+ }
+ END_TEST
+
+ START_TEST(test_username)
+ {
+- do_test(BASE"_%u", CCACHE_DIR, BASE"_"USERNAME, false);
+- do_test("%d/"FILENAME, BASE"_%u", BASE"_"USERNAME"/"FILENAME, true);
++ do_test(BASE"_%u", CCACHE_DIR, BASE"_"USERNAME);
++ do_test("%d/"FILENAME, BASE"_%u", BASE"_"USERNAME"/"FILENAME);
+ }
+ END_TEST
+
+@@ -504,7 +498,6 @@ START_TEST(test_case_sensitive)
+ {
+ char *result;
+ int ret;
+- bool private_path = false;
+ const char *file_template = BASE"_%u";
+ const char *expected_cs = BASE"_TestUser";
+ const char *expected_ci = BASE"_testuser";
+@@ -513,16 +506,14 @@ START_TEST(test_case_sensitive)
+ ret = dp_opt_set_string(kr->krb5_ctx->opts, KRB5_CCACHEDIR, CCACHE_DIR);
+ fail_unless(ret == EOK, "Failed to set Ccache dir");
+
+- result = expand_ccname_template(tmp_ctx, kr, file_template, true,
+- true, &private_path);
++ result = expand_ccname_template(tmp_ctx, kr, file_template, true, true);
+
+ fail_unless(result != NULL, "Cannot expand template [%s].", file_template);
+ fail_unless(strcmp(result, expected_cs) == 0,
+ "Expansion failed, result [%s], expected [%s].",
+ result, expected_cs);
+
+- result = expand_ccname_template(tmp_ctx, kr, file_template, true,
+- false, &private_path);
++ result = expand_ccname_template(tmp_ctx, kr, file_template, true, false);
+
+ fail_unless(result != NULL, "Cannot expand template [%s].", file_template);
+ fail_unless(strcmp(result, expected_ci) == 0,
+@@ -533,29 +524,29 @@ END_TEST
+
+ START_TEST(test_uid)
+ {
+- do_test(BASE"_%U", CCACHE_DIR, BASE"_"UID, false);
+- do_test("%d/"FILENAME, BASE"_%U", BASE"_"UID"/"FILENAME, true);
++ do_test(BASE"_%U", CCACHE_DIR, BASE"_"UID);
++ do_test("%d/"FILENAME, BASE"_%U", BASE"_"UID"/"FILENAME);
+ }
+ END_TEST
+
+ START_TEST(test_upn)
+ {
+- do_test(BASE"_%p", CCACHE_DIR, BASE"_"PRINCIPAL_NAME, false);
+- do_test("%d/"FILENAME, BASE"_%p", BASE"_"PRINCIPAL_NAME"/"FILENAME, true);
++ do_test(BASE"_%p", CCACHE_DIR, BASE"_"PRINCIPAL_NAME);
++ do_test("%d/"FILENAME, BASE"_%p", BASE"_"PRINCIPAL_NAME"/"FILENAME);
+ }
+ END_TEST
+
+ START_TEST(test_realm)
+ {
+- do_test(BASE"_%r", CCACHE_DIR, BASE"_"REALM, false);
+- do_test("%d/"FILENAME, BASE"_%r", BASE"_"REALM"/"FILENAME, false);
++ do_test(BASE"_%r", CCACHE_DIR, BASE"_"REALM);
++ do_test("%d/"FILENAME, BASE"_%r", BASE"_"REALM"/"FILENAME);
+ }
+ END_TEST
+
+ START_TEST(test_home)
+ {
+- do_test(BASE"_%h", CCACHE_DIR, BASE"_"HOME_DIRECTORY, false);
+- do_test("%d/"FILENAME, BASE"_%h", BASE"_"HOME_DIRECTORY"/"FILENAME, true);
++ do_test(BASE"_%h", CCACHE_DIR, BASE"_"HOME_DIRECTORY);
++ do_test("%d/"FILENAME, BASE"_%h", BASE"_"HOME_DIRECTORY"/"FILENAME);
+ }
+ END_TEST
+
+@@ -563,20 +554,15 @@ START_TEST(test_ccache_dir)
+ {
+ char *result;
+ int ret;
+- bool private_path = false;
+
+- do_test(BASE"_%d", CCACHE_DIR, BASE"_"CCACHE_DIR, false);
++ do_test(BASE"_%d", CCACHE_DIR, BASE"_"CCACHE_DIR);
+
+ ret = dp_opt_set_string(kr->krb5_ctx->opts, KRB5_CCACHEDIR, BASE"_%d");
+ fail_unless(ret == EOK, "Failed to set Ccache dir");
+
+- result = expand_ccname_template(tmp_ctx, kr, "%d/"FILENAME, true,
+- true, &private_path);
++ result = expand_ccname_template(tmp_ctx, kr, "%d/"FILENAME, true, true);
+
+ fail_unless(result == NULL, "Using %%d in ccache dir should fail.");
+- fail_unless(private_path == false,
+- "Unexpected private path, get [%s], expected [%s].",
+- private_path ? "true" : "false", "false");
+ }
+ END_TEST
+
+@@ -584,39 +570,32 @@ START_TEST(test_pid)
+ {
+ char *result;
+ int ret;
+- bool private_path = false;
+
+- do_test(BASE"_%P", CCACHE_DIR, BASE"_"PID, false);
++ do_test(BASE"_%P", CCACHE_DIR, BASE"_"PID);
+
+ ret = dp_opt_set_string(kr->krb5_ctx->opts, KRB5_CCACHEDIR, BASE"_%P");
+ fail_unless(ret == EOK, "Failed to set Ccache dir");
+
+- result = expand_ccname_template(tmp_ctx, kr, "%d/"FILENAME, true,
+- true, &private_path);
++ result = expand_ccname_template(tmp_ctx, kr, "%d/"FILENAME, true, true);
+
+ fail_unless(result == NULL, "Using %%P in ccache dir should fail.");
+- fail_unless(private_path == false,
+- "Unexpected private path, get [%s], expected [%s].",
+- private_path ? "true" : "false", "false");
+ }
+ END_TEST
+
+ START_TEST(test_percent)
+ {
+- do_test(BASE"_%%", CCACHE_DIR, BASE"_%", false);
+- do_test("%d/"FILENAME, BASE"_%%", BASE"_%/"FILENAME, false);
++ do_test(BASE"_%%", CCACHE_DIR, BASE"_%");
++ do_test("%d/"FILENAME, BASE"_%%", BASE"_%/"FILENAME);
+ }
+ END_TEST
+
+-START_TEST(test_unknow_template)
++START_TEST(test_unknown_template)
+ {
+ const char *test_template = BASE"_%X";
+ char *result;
+ int ret;
+- bool private_path = false;
+
+- result = expand_ccname_template(tmp_ctx, kr, test_template, true,
+- true, &private_path);
++ result = expand_ccname_template(tmp_ctx, kr, test_template, true, true);
+
+ fail_unless(result == NULL, "Unknown template [%s] should fail.",
+ test_template);
+@@ -624,14 +603,10 @@ START_TEST(test_unknow_template)
+ ret = dp_opt_set_string(kr->krb5_ctx->opts, KRB5_CCACHEDIR, BASE"_%X");
+ fail_unless(ret == EOK, "Failed to set Ccache dir");
+ test_template = "%d/"FILENAME;
+- result = expand_ccname_template(tmp_ctx, kr, test_template, true,
+- true, &private_path);
++ result = expand_ccname_template(tmp_ctx, kr, test_template, true, true);
+
+ fail_unless(result == NULL, "Unknown template [%s] should fail.",
+ test_template);
+- fail_unless(private_path == false,
+- "Unexpected private path, get [%s], expected [%s].",
+- private_path ? "true" : "false", "false");
+ }
+ END_TEST
+
+@@ -639,16 +614,11 @@ START_TEST(test_NULL)
+ {
+ char *test_template = NULL;
+ char *result;
+- bool private_path = false;
+
+- result = expand_ccname_template(tmp_ctx, kr, test_template, true,
+- true, &private_path);
++ result = expand_ccname_template(tmp_ctx, kr, test_template, true, true);
+
+ fail_unless(result == NULL, "Expected NULL as a result for an empty input.",
+ test_template);
+- fail_unless(private_path == false,
+- "Unexpected private path, get [%s], expected [%s].",
+- private_path ? "true" : "false", "false");
+ }
+ END_TEST
+
+@@ -656,32 +626,25 @@ START_TEST(test_no_substitution)
+ {
+ const char *test_template = BASE;
+ char *result;
+- bool private_path = false;
+
+- result = expand_ccname_template(tmp_ctx, kr, test_template, true,
+- true, &private_path);
++ result = expand_ccname_template(tmp_ctx, kr, test_template, true, true);
+
+ fail_unless(result != NULL, "Cannot expand template [%s].", test_template);
+ fail_unless(strcmp(result, test_template) == 0,
+ "Expansion failed, result [%s], expected [%s].",
+ result, test_template);
+- fail_unless(private_path == false,
+- "Unexpected private path, get [%s], expected [%s].",
+- private_path ? "true" : "false", "false");
+ }
+ END_TEST
+
+ START_TEST(test_krb5_style_expansion)
+ {
+ char *result;
+- bool private_path = false;
+ const char *file_template;
+ const char *expected;
+
+ file_template = BASE"/%{uid}/%{USERID}/%{euid}/%{username}";
+ expected = BASE"/"UID"/"UID"/"UID"/"USERNAME;
+- result = expand_ccname_template(tmp_ctx, kr, file_template, true,
+- true, &private_path);
++ result = expand_ccname_template(tmp_ctx, kr, file_template, true, true);
+
+ fail_unless(result != NULL, "Cannot expand template [%s].", file_template);
+ fail_unless(strcmp(result, expected) == 0,
+@@ -690,8 +653,7 @@ START_TEST(test_krb5_style_expansion)
+
+ file_template = BASE"/%{unknown}";
+ expected = BASE"/%{unknown}";
+- result = expand_ccname_template(tmp_ctx, kr, file_template, true,
+- false, &private_path);
++ result = expand_ccname_template(tmp_ctx, kr, file_template, true, false);
+
+ fail_unless(result != NULL, "Cannot expand template [%s].", file_template);
+ fail_unless(strcmp(result, expected) == 0,
+@@ -754,7 +716,7 @@ Suite *krb5_utils_suite (void)
+ free_talloc_context);
+ tcase_add_test (tc_ccname_template, test_no_substitution);
+ tcase_add_test (tc_ccname_template, test_NULL);
+- tcase_add_test (tc_ccname_template, test_unknow_template);
++ tcase_add_test (tc_ccname_template, test_unknown_template);
+ tcase_add_test (tc_ccname_template, test_username);
+ tcase_add_test (tc_ccname_template, test_case_sensitive);
+ tcase_add_test (tc_ccname_template, test_uid);
+--
+1.8.3.1
+
diff --git a/sssd.spec b/sssd.spec
index c91b076..e432266 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -8,7 +8,7 @@
 Name: sssd
 Version: 1.11.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
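Review bot: test_pub_ccache_dir in krb5_utils-tests.c only loses the trailing argument, but its context line `check_dir(subdirname, 0, 0, 01777);` still expects the root-owned, sticky, world-writable directory that patch 0001 no longer creates — create_ccache_dir now makes every missing component 0700 and chowns it to the uid/gid passed in, so with 12345/12345 this assertion should fail once the test runs. test_pub_ccache_dir_in_user_dir likewise keeps an EINVAL expectation that encoded the removed "no public directory under a user directory" rule; whether it still fails now depends on who owns the user directory in the fixture, which is outside the hunk. Either drop the two "pub" tests or align them with test_priv_ccache_dir, e.g. `check_dir(subdirname, 12345, 12345, 0700);`. The bodies of both tests continue outside the hunks.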
@@ -17,6 +17,8 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 ### Patches ###
+Patch0001: 0001-krb5-Remove-ability-to-create-public-directories.patch
+Patch0002: 0002-krb5-Fix-unit-tests.patch
 ### Dependencies ###
 Requires: sssd-common = %{version}-%{release}
@@ -704,6 +706,9 @@ fi
 %postun -n libsss_idmap -p /sbin/ldconfig
 %changelog
+* Fri Oct 04 2013 Jakub Hrozek - 1.11.1-1
+- Remove the ability to create public ccachedir (#1015089)
+
 * Fri Sep 27 2013 Jakub Hrozek - 1.11.1-1
 - New upstream release 1.11.1
 - https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1
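Review bot: The new %changelog entry is stamped `1.11.1-1` although this same commit bumps `Release` from `1%{?dist}` to `2%{?dist}`; the header should read `* Fri Oct 04 2013 Jakub Hrozek - 1.11.1-2` so the entry matches the built NVR and rpmlint's incoherent-version-in-changelog check passes. Patch0001 and Patch0002 are declared in the hunk at 17, but no %prep change is part of this diff; if the spec applies patches with explicit %patch lines rather than a loop over %patches, the application step is still missing and the two patches would be silently ignored at build time.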