New upstream release
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1 - Support for the service map in NSS - Support for setting default SELinux user context from FreeIPA - Support for retrieving SSH user and host keys from LDAP (Experimental) - Support for caching autofs LDAP requests (Experimental) - Support for caching SUDO rules (Experimental)
parent
e8905f5363
commit
881479933b
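--- a/.gitignore
+++ b/.gitignore
@@ -21,3 +21,4 @@ sssd-1.2.91.tar.gz
 /sssd-1.6.3.tar.gz
 /sssd-1.6.4.tar.gz
 /sssd-1.7.0.tar.gz
+/sssd-1.8.0beta1.tar.gz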
@ -1,254 +0,0 @@
|
|||||||
From cd59e5d02ec97ea309fd51d4d6a6a4421617cd12 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
|
||||||
Date: Wed, 1 Feb 2012 14:03:36 -0500
|
|
||||||
Subject: [PATCH] LDAP: Do not fail if RootDSE check cannot determine search
|
|
||||||
bases
|
|
||||||
|
|
||||||
https://fedorahosted.org/sssd/ticket/1152
|
|
||||||
|
|
||||||
Conflicts:
|
|
||||||
|
|
||||||
src/providers/ldap/sdap_async_services.c
|
|
||||||
---
|
|
||||||
src/providers/ipa/ipa_netgroups.c | 7 +++++
|
|
||||||
src/providers/ldap/ldap_common.c | 5 +--
|
|
||||||
src/providers/ldap/sdap.c | 7 ++++-
|
|
||||||
src/providers/ldap/sdap_async_groups.c | 9 +++++++
|
|
||||||
src/providers/ldap/sdap_async_initgroups.c | 35 +++++++++++++++++++++++++++-
|
|
||||||
src/providers/ldap/sdap_async_netgroups.c | 10 ++++++++
|
|
||||||
src/providers/ldap/sdap_async_users.c | 9 +++++++
|
|
||||||
src/providers/ldap/sdap_sudo.c | 9 +++++++
|
|
||||||
8 files changed, 86 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c
|
|
||||||
index 78bcee1b44fec3c8d04fc5ba13b46db26396d1b1..7da1147c7d6fd1dec8872209e442ae99ee810aa1 100644
|
|
||||||
--- a/src/providers/ipa/ipa_netgroups.c
|
|
||||||
+++ b/src/providers/ipa/ipa_netgroups.c
|
|
||||||
@@ -209,6 +209,13 @@ struct tevent_req *ipa_get_netgroups_send(TALLOC_CTX *memctx,
|
|
||||||
state->base_filter = filter;
|
|
||||||
state->netgr_base_iter = 0;
|
|
||||||
|
|
||||||
+ if (!ipa_options->id->netgroup_search_bases) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ ("Netgroup lookup request without a search base\n"));
|
|
||||||
+ ret = EINVAL;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ret = sss_hash_create(state, 32, &state->new_netgroups);
|
|
||||||
if (ret != EOK) goto done;
|
|
||||||
ret = sss_hash_create(state, 32, &state->new_users);
|
|
||||||
diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c
|
|
||||||
index 71921963a768a9975eca6432025704e06f28a2b8..c287b345217befeb872b25521d80d601fc27f0c7 100644
|
|
||||||
--- a/src/providers/ldap/ldap_common.c
|
|
||||||
+++ b/src/providers/ldap/ldap_common.c
|
|
||||||
@@ -538,9 +538,8 @@ int ldap_get_sudo_options(TALLOC_CTX *memctx,
|
|
||||||
dp_opt_get_string(opts->basic, SDAP_SUDO_SEARCH_BASE)));
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
- /* FIXME: try to discover it later */
|
|
||||||
- DEBUG(SSSDBG_OP_FAILURE, ("Error: no SUDO search base set\n"));
|
|
||||||
- return ENOENT;
|
|
||||||
+ DEBUG(SSSDBG_TRACE_FUNC, ("Search base not set, trying to discover it later "
|
|
||||||
+ "connecting to the LDAP server.\n"));
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = sdap_parse_search_base(opts, opts->basic,
|
|
||||||
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
|
|
||||||
index 3ca2e286146e1e88b1fd7abef341fa8c3aa699ad..2b29116949b2f8efae269a994a0f3da64a0ee612 100644
|
|
||||||
--- a/src/providers/ldap/sdap.c
|
|
||||||
+++ b/src/providers/ldap/sdap.c
|
|
||||||
@@ -748,7 +748,12 @@ errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
|
|
||||||
naming_context = get_naming_context(opts->basic, rootdse);
|
|
||||||
if (naming_context == NULL) {
|
|
||||||
DEBUG(1, ("get_naming_context failed.\n"));
|
|
||||||
- ret = EINVAL;
|
|
||||||
+
|
|
||||||
+ /* This has to be non-fatal, since some servers offer
|
|
||||||
+ * multiple namingContexts entries. We will just
|
|
||||||
+ * add NULL checks for the search bases in the lookups.
|
|
||||||
+ */
|
|
||||||
+ ret = EOK;
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
|
|
||||||
index e59640997d78db525a98a63cd230d2bc1a74d1a1..fe5dbd49a159c0ca4f57d60b7f69a8792e9a42c9 100644
|
|
||||||
--- a/src/providers/ldap/sdap_async_groups.c
|
|
||||||
+++ b/src/providers/ldap/sdap_async_groups.c
|
|
||||||
@@ -1217,7 +1217,16 @@ struct tevent_req *sdap_get_groups_send(TALLOC_CTX *memctx,
|
|
||||||
state->base_iter = 0;
|
|
||||||
state->search_bases = search_bases;
|
|
||||||
|
|
||||||
+ if (!search_bases) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ ("Group lookup request without a search base\n"));
|
|
||||||
+ ret = EINVAL;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ret = sdap_get_groups_next_base(req);
|
|
||||||
+
|
|
||||||
+done:
|
|
||||||
if (ret != EOK) {
|
|
||||||
tevent_req_error(req, ret);
|
|
||||||
tevent_req_post(req, ev);
|
|
||||||
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
|
|
||||||
index 73ab25ea79cd66ff5fe7131ee7606cf71aa382e5..a769b100557b2d685cb022f09bea0d70ccfe3bb3 100644
|
|
||||||
--- a/src/providers/ldap/sdap_async_initgroups.c
|
|
||||||
+++ b/src/providers/ldap/sdap_async_initgroups.c
|
|
||||||
@@ -303,6 +303,13 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx,
|
|
||||||
state->base_iter = 0;
|
|
||||||
state->search_bases = opts->group_search_bases;
|
|
||||||
|
|
||||||
+ if (!state->search_bases) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ ("Initgroups lookup request without a group search base\n"));
|
|
||||||
+ ret = EINVAL;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
state->name = talloc_strdup(state, name);
|
|
||||||
if (!state->name) {
|
|
||||||
talloc_zfree(req);
|
|
||||||
@@ -337,6 +344,8 @@ struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx,
|
|
||||||
talloc_zfree(clean_name);
|
|
||||||
|
|
||||||
ret = sdap_initgr_rfc2307_next_base(req);
|
|
||||||
+
|
|
||||||
+done:
|
|
||||||
if (ret != EOK) {
|
|
||||||
tevent_req_error(req, ret);
|
|
||||||
tevent_req_post(req, ev);
|
|
||||||
@@ -1432,6 +1441,13 @@ static struct tevent_req *sdap_initgr_rfc2307bis_send(
|
|
||||||
state->base_iter = 0;
|
|
||||||
state->search_bases = opts->group_search_bases;
|
|
||||||
|
|
||||||
+ if (!state->search_bases) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ ("Initgroups lookup request without a group search base\n"));
|
|
||||||
+ ret = EINVAL;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ret = sss_hash_create(state, 32, &state->group_hash);
|
|
||||||
if (ret != EOK) {
|
|
||||||
talloc_free(req);
|
|
||||||
@@ -2006,9 +2022,17 @@ struct tevent_req *rfc2307bis_nested_groups_send(
|
|
||||||
SDAP_SEARCH_TIMEOUT);
|
|
||||||
state->base_iter = 0;
|
|
||||||
state->search_bases = opts->group_search_bases;
|
|
||||||
-
|
|
||||||
+ if (!state->search_bases) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ ("Initgroups nested lookup request "
|
|
||||||
+ "without a group search base\n"));
|
|
||||||
+ ret = EINVAL;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
ret = rfc2307bis_nested_groups_step(req);
|
|
||||||
+
|
|
||||||
+done:
|
|
||||||
if (ret == EOK) {
|
|
||||||
/* All parent groups were already processed */
|
|
||||||
tevent_req_done(req);
|
|
||||||
@@ -2378,9 +2402,16 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
|
||||||
state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
|
|
||||||
state->user_base_iter = 0;
|
|
||||||
state->user_search_bases = id_ctx->opts->user_search_bases;
|
|
||||||
+ if (!state->user_search_bases) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ ("Initgroups lookup request without a user search base\n"));
|
|
||||||
+ ret = EINVAL;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
ret = sss_filter_sanitize(state, name, &clean_name);
|
|
||||||
if (ret != EOK) {
|
|
||||||
+ talloc_zfree(req);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -2402,6 +2433,8 @@ struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = sdap_get_initgr_next_base(req);
|
|
||||||
+
|
|
||||||
+done:
|
|
||||||
if (ret != EOK) {
|
|
||||||
tevent_req_error(req, ret);
|
|
||||||
tevent_req_post(req, ev);
|
|
||||||
diff --git a/src/providers/ldap/sdap_async_netgroups.c b/src/providers/ldap/sdap_async_netgroups.c
|
|
||||||
index 0888c7e2fcf03d0b133bcf93ad017086aedffe16..f3a378f6488cfd46001c22b3a5abf29724f2fd0d 100644
|
|
||||||
--- a/src/providers/ldap/sdap_async_netgroups.c
|
|
||||||
+++ b/src/providers/ldap/sdap_async_netgroups.c
|
|
||||||
@@ -579,7 +579,17 @@ struct tevent_req *sdap_get_netgroups_send(TALLOC_CTX *memctx,
|
|
||||||
state->base_iter = 0;
|
|
||||||
state->search_bases = search_bases;
|
|
||||||
|
|
||||||
+ if (!state->search_bases) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ ("Netgroup lookup request without a netgroup search base\n"));
|
|
||||||
+ ret = EINVAL;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+
|
|
||||||
ret = sdap_get_netgroups_next_base(req);
|
|
||||||
+
|
|
||||||
+done:
|
|
||||||
if (ret != EOK) {
|
|
||||||
tevent_req_error(req, ret);
|
|
||||||
tevent_req_post(req, state->ev);
|
|
||||||
diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c
|
|
||||||
index ac856a64208cb87994f676ab50fdba6d82dbcb50..01168321951fa9d14f4b58d891cb922c6c44d2c2 100644
|
|
||||||
--- a/src/providers/ldap/sdap_async_users.c
|
|
||||||
+++ b/src/providers/ldap/sdap_async_users.c
|
|
||||||
@@ -434,7 +434,16 @@ struct tevent_req *sdap_get_users_send(TALLOC_CTX *memctx,
|
|
||||||
state->search_bases = search_bases;
|
|
||||||
state->enumeration = enumeration;
|
|
||||||
|
|
||||||
+ if (!state->search_bases) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ ("User lookup request without a search base\n"));
|
|
||||||
+ ret = EINVAL;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
ret = sdap_get_users_next_base(req);
|
|
||||||
+
|
|
||||||
+done:
|
|
||||||
if (ret != EOK) {
|
|
||||||
tevent_req_error(req, ret);
|
|
||||||
tevent_req_post(req, state->ev);
|
|
||||||
diff --git a/src/providers/ldap/sdap_sudo.c b/src/providers/ldap/sdap_sudo.c
|
|
||||||
index 68cb47cd38952594d34ccc81913b7308caf9af10..aeae22eccf2a9adf3fb2fde831a3b492a6c4afb7 100644
|
|
||||||
--- a/src/providers/ldap/sdap_sudo.c
|
|
||||||
+++ b/src/providers/ldap/sdap_sudo.c
|
|
||||||
@@ -237,6 +237,13 @@ struct tevent_req * sdap_sudo_load_sudoers_send(TALLOC_CTX *mem_ctx,
|
|
||||||
state->ldap_rules = NULL;
|
|
||||||
state->ldap_rules_count = 0;
|
|
||||||
|
|
||||||
+ if (!state->search_bases) {
|
|
||||||
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
+ ("SUDOERS lookup request without a search base\n"));
|
|
||||||
+ ret = EINVAL;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* create filter */
|
|
||||||
state->filter = sdap_sudo_build_filter(state,
|
|
||||||
state->opts->sudorule_map,
|
|
||||||
@@ -256,6 +263,8 @@ struct tevent_req * sdap_sudo_load_sudoers_send(TALLOC_CTX *mem_ctx,
|
|
||||||
|
|
||||||
/* begin search */
|
|
||||||
ret = sdap_sudo_load_sudoers_next_base(req);
|
|
||||||
+
|
|
||||||
+done:
|
|
||||||
if (ret != EOK) {
|
|
||||||
tevent_req_error(req, ret);
|
|
||||||
tevent_req_post(req, sudo_ctx->be_ctx->ev);
|
|
||||||
--
|
|
||||||
1.7.7.6
|
|
||||||
|
|
@ -1,265 +0,0 @@
|
|||||||
From 707b20e80a5c5b86944dc55bbc652b392a4c6454 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
|
||||||
Date: Sat, 21 Jan 2012 12:11:23 -0500
|
|
||||||
Subject: [PATCH 5/5] DP: Fix bugs in sss_dp_get_account_int
|
|
||||||
|
|
||||||
The conversion to the tevent_req style introduced numerous bugs
|
|
||||||
related to memory management of the various client requests. In
|
|
||||||
some circumstances, this could cause memory corruption and
|
|
||||||
segmentation faults in the NSS responder. This patch makes the
|
|
||||||
following changes:
|
|
||||||
|
|
||||||
1) Rename the internal lookup from subreq to sidereq, to indicate
|
|
||||||
that it is not a sub-request of the current lookup (and therefore
|
|
||||||
is not cancelled if the current request is).
|
|
||||||
|
|
||||||
2) Change the handling of the callback loops since they call
|
|
||||||
tevent_req_[done|error], which results in them being freed (and
|
|
||||||
therefore removed from the cb_list. This was the source of the
|
|
||||||
memory corruption that would occasionally result in dereferencing
|
|
||||||
an unreadable request.
|
|
||||||
|
|
||||||
3) Remove the unnecessary sss_dp_get_account_int_recv() function
|
|
||||||
and change sss_dp_get_account_done() so that it only frees the
|
|
||||||
sidereq. All of the waiting processes have already been signaled
|
|
||||||
with the final results from sss_dp_get_account_int_done()
|
|
||||||
---
|
|
||||||
src/responder/common/responder_dp.c | 110 +++++++++++-----------------
|
|
||||||
src/responder/nss/nsssrv_cmd.c | 1 +
|
|
||||||
src/responder/pam/pamsrv_cmd.c | 1 +
|
|
||||||
src/responder/sudo/sudosrv_get_sudorules.c | 1 +
|
|
||||||
4 files changed, 47 insertions(+), 66 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
|
|
||||||
index f51e2496a165cc2b776af776f2e9d1ea75b8e62c..9219037cc6055899e675eef846af54238d5c61e1 100644
|
|
||||||
--- a/src/responder/common/responder_dp.c
|
|
||||||
+++ b/src/responder/common/responder_dp.c
|
|
||||||
@@ -92,11 +92,28 @@ static int sss_dp_req_destructor(void *ptr)
|
|
||||||
/* If there are callbacks that haven't been invoked, return
|
|
||||||
* an error now.
|
|
||||||
*/
|
|
||||||
- DLIST_FOR_EACH(cb, sdp_req->cb_list) {
|
|
||||||
+ while((cb = sdp_req->cb_list) != NULL) {
|
|
||||||
state = tevent_req_data(cb->req, struct dp_get_account_state);
|
|
||||||
state->err_maj = DP_ERR_FATAL;
|
|
||||||
state->err_min = EIO;
|
|
||||||
+
|
|
||||||
+ /* tevent_req_done/error will free cb */
|
|
||||||
tevent_req_error(cb->req, EIO);
|
|
||||||
+
|
|
||||||
+ /* Freeing the cb removes it from the cb_list.
|
|
||||||
+ * Therefore, the cb_list should now be pointing
|
|
||||||
+ * at a new callback. If it's not, it means the
|
|
||||||
+ * callback handler didn't free cb and may leak
|
|
||||||
+ * memory. Be paranoid and protect against this
|
|
||||||
+ * situation.
|
|
||||||
+ */
|
|
||||||
+ if (cb == sdp_req->cb_list) {
|
|
||||||
+ DEBUG(SSSDBG_FATAL_FAILURE,
|
|
||||||
+ ("BUG: a callback did not free its request. "
|
|
||||||
+ "May leak memory\n"));
|
|
||||||
+ /* Skip to the next since a memory leak is non-fatal */
|
|
||||||
+ sdp_req->cb_list = sdp_req->cb_list->next;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Destroy the hash entry */
|
|
||||||
@@ -225,14 +242,6 @@ sss_dp_get_account_int_send(struct resp_ctx *rctx,
|
|
||||||
static void
|
|
||||||
sss_dp_get_account_done(struct tevent_req *subreq);
|
|
||||||
|
|
||||||
-static errno_t
|
|
||||||
-sss_dp_get_account_int_recv(TALLOC_CTX *mem_ctx,
|
|
||||||
- struct tevent_req *req,
|
|
||||||
- dbus_uint16_t *err_maj,
|
|
||||||
- dbus_uint32_t *err_min,
|
|
||||||
- char **err_msg);
|
|
||||||
-
|
|
||||||
-
|
|
||||||
/* Send a request to the data provider
|
|
||||||
* Once this function is called, the communication
|
|
||||||
* with the data provider will always run to
|
|
||||||
@@ -252,7 +261,7 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx,
|
|
||||||
errno_t ret;
|
|
||||||
int hret;
|
|
||||||
struct tevent_req *req;
|
|
||||||
- struct tevent_req *subreq;
|
|
||||||
+ struct tevent_req *sidereq;
|
|
||||||
struct dp_get_account_state *state;
|
|
||||||
struct sss_dp_req *sdp_req;
|
|
||||||
struct sss_dp_callback *cb;
|
|
||||||
@@ -343,19 +352,19 @@ sss_dp_get_account_send(TALLOC_CTX *mem_ctx,
|
|
||||||
*/
|
|
||||||
|
|
||||||
value.type = HASH_VALUE_PTR;
|
|
||||||
- subreq = sss_dp_get_account_int_send(rctx, state->key, dom,
|
|
||||||
+ sidereq = sss_dp_get_account_int_send(rctx, state->key, dom,
|
|
||||||
be_type, filter);
|
|
||||||
- if (!subreq) {
|
|
||||||
+ if (!sidereq) {
|
|
||||||
ret = ENOMEM;
|
|
||||||
goto error;
|
|
||||||
}
|
|
||||||
- tevent_req_set_callback(subreq, sss_dp_get_account_done, NULL);
|
|
||||||
+ tevent_req_set_callback(sidereq, sss_dp_get_account_done, NULL);
|
|
||||||
|
|
||||||
/* We should now be able to find the sdp_req in the hash table */
|
|
||||||
hret = hash_lookup(rctx->dp_request_table, state->key, &value);
|
|
||||||
if (hret != HASH_SUCCESS) {
|
|
||||||
/* Something must have gone wrong with creating the request */
|
|
||||||
- talloc_zfree(subreq);
|
|
||||||
+ talloc_zfree(sidereq);
|
|
||||||
ret = EIO;
|
|
||||||
goto error;
|
|
||||||
}
|
|
||||||
@@ -402,23 +411,10 @@ error:
|
|
||||||
}
|
|
||||||
|
|
||||||
static void
|
|
||||||
-sss_dp_get_account_done(struct tevent_req *subreq)
|
|
||||||
+sss_dp_get_account_done(struct tevent_req *sidereq)
|
|
||||||
{
|
|
||||||
- errno_t ret;
|
|
||||||
- struct tevent_req *req = tevent_req_callback_data(subreq,
|
|
||||||
- struct tevent_req);
|
|
||||||
- struct dp_get_account_state *state =
|
|
||||||
- tevent_req_data(req, struct dp_get_account_state);
|
|
||||||
-
|
|
||||||
- ret = sss_dp_get_account_int_recv(state, req,
|
|
||||||
- &state->err_maj,
|
|
||||||
- &state->err_min,
|
|
||||||
- &state->err_msg);
|
|
||||||
- if (ret != EOK) {
|
|
||||||
- tevent_req_done(req);
|
|
||||||
- } else {
|
|
||||||
- tevent_req_error(req, ret);
|
|
||||||
- }
|
|
||||||
+ /* Nothing to do here. The callbacks have already been invoked */
|
|
||||||
+ talloc_zfree(sidereq);
|
|
||||||
}
|
|
||||||
|
|
||||||
errno_t
|
|
||||||
@@ -599,7 +595,7 @@ static void sss_dp_get_account_int_done(DBusPendingCall *pending, void *ptr)
|
|
||||||
int ret;
|
|
||||||
struct tevent_req *req;
|
|
||||||
struct sss_dp_req *sdp_req;
|
|
||||||
- struct sss_dp_callback *cb, *prevcb = NULL;
|
|
||||||
+ struct sss_dp_callback *cb;
|
|
||||||
struct dp_get_account_int_state *state;
|
|
||||||
struct dp_get_account_state *cb_state;
|
|
||||||
|
|
||||||
@@ -630,58 +626,40 @@ static void sss_dp_get_account_int_done(DBusPendingCall *pending, void *ptr)
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Check whether we need to issue any callbacks */
|
|
||||||
- DLIST_FOR_EACH(cb, sdp_req->cb_list) {
|
|
||||||
+ while ((cb = sdp_req->cb_list) != NULL) {
|
|
||||||
cb_state = tevent_req_data(cb->req, struct dp_get_account_state);
|
|
||||||
cb_state->err_maj = sdp_req->err_maj;
|
|
||||||
cb_state->err_min = sdp_req->err_min;
|
|
||||||
cb_state->err_msg = talloc_strdup(cb_state, sdp_req->err_msg);
|
|
||||||
/* Don't bother checking for NULL. If it fails due to ENOMEM,
|
|
||||||
- * we can't really handle it annyway.
|
|
||||||
+ * we can't really handle it anyway.
|
|
||||||
*/
|
|
||||||
|
|
||||||
+ /* tevent_req_done/error will free cb */
|
|
||||||
if (ret == EOK) {
|
|
||||||
tevent_req_done(cb->req);
|
|
||||||
} else {
|
|
||||||
tevent_req_error(cb->req, ret);
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* Freeing the request removes it from the list */
|
|
||||||
- if (prevcb) talloc_free(prevcb);
|
|
||||||
- prevcb = cb;
|
|
||||||
+ /* Freeing the cb removes it from the cb_list.
|
|
||||||
+ * Therefore, the cb_list should now be pointing
|
|
||||||
+ * at a new callback. If it's not, it means the
|
|
||||||
+ * callback handler didn't free cb and may leak
|
|
||||||
+ * memory. Be paranoid and protect against this
|
|
||||||
+ * situation.
|
|
||||||
+ */
|
|
||||||
+ if (cb == sdp_req->cb_list) {
|
|
||||||
+ DEBUG(SSSDBG_FATAL_FAILURE,
|
|
||||||
+ ("BUG: a callback did not free its request. "
|
|
||||||
+ "May leak memory\n"));
|
|
||||||
+ /* Skip to the next since a memory leak is non-fatal */
|
|
||||||
+ sdp_req->cb_list = sdp_req->cb_list->next;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
- talloc_free(prevcb);
|
|
||||||
|
|
||||||
/* We're done with this request. Free the sdp_req
|
|
||||||
* This will clean up the hash table entry as well
|
|
||||||
*/
|
|
||||||
talloc_zfree(sdp_req);
|
|
||||||
}
|
|
||||||
-
|
|
||||||
-static errno_t
|
|
||||||
-sss_dp_get_account_int_recv(TALLOC_CTX *mem_ctx,
|
|
||||||
- struct tevent_req *req,
|
|
||||||
- dbus_uint16_t *err_maj,
|
|
||||||
- dbus_uint32_t *err_min,
|
|
||||||
- char **err_msg)
|
|
||||||
-{
|
|
||||||
- struct dp_get_account_int_state *state =
|
|
||||||
- tevent_req_data(req, struct dp_get_account_int_state);
|
|
||||||
-
|
|
||||||
- enum tevent_req_state TRROEstate;
|
|
||||||
- uint64_t TRROEerr;
|
|
||||||
-
|
|
||||||
- *err_maj = state->sdp_req->err_maj;
|
|
||||||
- *err_min = state->sdp_req->err_min;
|
|
||||||
- *err_msg = talloc_steal(mem_ctx, state->sdp_req->err_msg);
|
|
||||||
-
|
|
||||||
- if (tevent_req_is_error(req, &TRROEstate, &TRROEerr)) {
|
|
||||||
- if (TRROEstate == TEVENT_REQ_USER_ERROR) {
|
|
||||||
- *err_maj = DP_ERR_FATAL;
|
|
||||||
- *err_min = TRROEerr;
|
|
||||||
- } else {
|
|
||||||
- return EIO;
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- return EOK;
|
|
||||||
-}
|
|
||||||
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
|
|
||||||
index 3bc30ab8641b1787ded15165890e61836e46e802..fc2dca8d7a9e9dc1e5d68c98f95a5d3d67231f4a 100644
|
|
||||||
--- a/src/responder/nss/nsssrv_cmd.c
|
|
||||||
+++ b/src/responder/nss/nsssrv_cmd.c
|
|
||||||
@@ -700,6 +700,7 @@ static void nsssrv_dp_send_acct_req_done(struct tevent_req *req)
|
|
||||||
ret = sss_dp_get_account_recv(cb_ctx->mem_ctx, req,
|
|
||||||
&err_maj, &err_min,
|
|
||||||
&err_msg);
|
|
||||||
+ talloc_zfree(req);
|
|
||||||
if (ret != EOK) {
|
|
||||||
NSS_CMD_FATAL_ERROR(cb_ctx->cctx);
|
|
||||||
}
|
|
||||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
|
||||||
index 3b2d509e237b12516e1234a34a8542ae09752c43..2e544cd5aa5a566e5557f2d9280b57b24f39befd 100644
|
|
||||||
--- a/src/responder/pam/pamsrv_cmd.c
|
|
||||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
|
||||||
@@ -994,6 +994,7 @@ static void pam_dp_send_acct_req_done(struct tevent_req *req)
|
|
||||||
ret = sss_dp_get_account_recv(cb_ctx->mem_ctx, req,
|
|
||||||
&err_maj, &err_min,
|
|
||||||
&err_msg);
|
|
||||||
+ talloc_zfree(req);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
("Fatal error, killing connection!\n"));
|
|
||||||
diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c
|
|
||||||
index 5d54f95ab78bc43338dd55205e85dbba7bd5f437..1723fd42c8222e72e46498a3b83e427099243369 100644
|
|
||||||
--- a/src/responder/sudo/sudosrv_get_sudorules.c
|
|
||||||
+++ b/src/responder/sudo/sudosrv_get_sudorules.c
|
|
||||||
@@ -181,6 +181,7 @@ static void sudosrv_dp_send_acct_req_done(struct tevent_req *req)
|
|
||||||
ret = sss_dp_get_account_recv(cb_ctx->mem_ctx, req,
|
|
||||||
&err_maj, &err_min,
|
|
||||||
&err_msg);
|
|
||||||
+ talloc_zfree(req);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
|
||||||
("Fatal error, killing connection!\n"));
|
|
||||||
--
|
|
||||||
1.7.4.1
|
|
||||||
|
|
2
sources
2
sources
@ -1 +1 @@
|
|||||||
1fbc9c99df8f2883513cb4b767d4b7d4 sssd-1.7.0.tar.gz
|
e6fddc180edbf69fddcb4151701b2d5c sssd-1.8.0beta1.tar.gz
|
||||||
|
85
sssd.spec
85
sssd.spec
@ -18,28 +18,27 @@
|
|||||||
%global ldb_version 1.1.4
|
%global ldb_version 1.1.4
|
||||||
|
|
||||||
Name: sssd
|
Name: sssd
|
||||||
Version: 1.7.0
|
Version: 1.8.0
|
||||||
Release: 5%{?dist}
|
Release: 1%{?dist}.beta1
|
||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
Summary: System Security Services Daemon
|
Summary: System Security Services Daemon
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
URL: http://fedorahosted.org/sssd/
|
URL: http://fedorahosted.org/sssd/
|
||||||
Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
|
Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}beta1.tar.gz
|
||||||
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
|
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
|
||||||
|
|
||||||
### Patches ###
|
### Patches ###
|
||||||
|
|
||||||
Patch0001: 0001-LDAP-Do-not-fail-if-RootDSE-check-cannot-determine-s.patch
|
|
||||||
Patch0002: 0002-DP-Fix-bugs-in-sss_dp_get_account_int.patch
|
|
||||||
|
|
||||||
### Dependencies ###
|
### Dependencies ###
|
||||||
|
|
||||||
Conflicts: selinux-policy < 3.10.0-46
|
Conflicts: selinux-policy < 3.10.0-46
|
||||||
Requires: libldb = %{ldb_version}
|
Requires: libldb = %{ldb_version}
|
||||||
Requires: libtdb >= 1.1.3
|
Requires: libtdb >= 1.1.3
|
||||||
Requires: sssd-client%{?_isa} = %{version}-%{release}
|
Requires: sssd-client%{?_isa} = %{version}-%{release}
|
||||||
Requires: cyrus-sasl-gssapi
|
Requires: cyrus-sasl-gssapi%{?_isa}
|
||||||
|
Requires: libipa_hbac%{?_isa} = %{version}-%{release}
|
||||||
Requires: krb5-libs >= 1.9
|
Requires: krb5-libs >= 1.9
|
||||||
|
Requires: keyutils-libs
|
||||||
Requires(post): systemd-units initscripts chkconfig /sbin/ldconfig
|
Requires(post): systemd-units initscripts chkconfig /sbin/ldconfig
|
||||||
Requires(preun): systemd-units initscripts chkconfig
|
Requires(preun): systemd-units initscripts chkconfig
|
||||||
Requires(postun): systemd-units initscripts chkconfig /sbin/ldconfig
|
Requires(postun): systemd-units initscripts chkconfig /sbin/ldconfig
|
||||||
@ -92,6 +91,7 @@ BuildRequires: keyutils-libs-devel
|
|||||||
BuildRequires: libnl-devel
|
BuildRequires: libnl-devel
|
||||||
BuildRequires: nscd
|
BuildRequires: nscd
|
||||||
BuildRequires: gettext-devel
|
BuildRequires: gettext-devel
|
||||||
|
BuildRequires: pkgconfig
|
||||||
BuildRequires: libunistring-devel
|
BuildRequires: libunistring-devel
|
||||||
BuildRequires: findutils
|
BuildRequires: findutils
|
||||||
|
|
||||||
@ -151,6 +151,22 @@ Requires: libipa_hbac = %{version}-%{release}
|
|||||||
The libipa_hbac-python contains the bindings so that libipa_hbac can be
|
The libipa_hbac-python contains the bindings so that libipa_hbac can be
|
||||||
used by Python applications.
|
used by Python applications.
|
||||||
|
|
||||||
|
%package -n libsss_sudo
|
||||||
|
Summary: A library to allow communication between SUDO and SSSD
|
||||||
|
Group: Development/Libraries
|
||||||
|
License: LGPLv3+
|
||||||
|
|
||||||
|
%description -n libsss_sudo
|
||||||
|
A utility library to allow communication between SUDO and SSSD
|
||||||
|
|
||||||
|
%package -n libsss_sudo-devel
|
||||||
|
Summary: A library to allow communication between SUDO and SSSD
|
||||||
|
Group: Development/Libraries
|
||||||
|
License: LGPLv3+
|
||||||
|
Requires: libsss_sudo = %{version}-%{release}
|
||||||
|
|
||||||
|
%description -n libsss_sudo-devel
|
||||||
|
A utility library to allow communication between SUDO and SSSD
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
# Update timestamps on the files touched by a patch, to avoid non-equal
|
# Update timestamps on the files touched by a patch, to avoid non-equal
|
||||||
@ -168,7 +184,7 @@ UpdateTimestamps() {
|
|||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
%setup -q
|
%setup -q -n %{name}-1.7.91
|
||||||
|
|
||||||
for p in %patches ; do
|
for p in %patches ; do
|
||||||
%__patch -p1 -i $p
|
%__patch -p1 -i $p
|
||||||
@ -187,7 +203,8 @@ autoreconf -ivf
|
|||||||
--enable-pammoddir=/%{_lib}/security \
|
--enable-pammoddir=/%{_lib}/security \
|
||||||
--disable-static \
|
--disable-static \
|
||||||
--disable-rpath \
|
--disable-rpath \
|
||||||
--with-test-dir=/dev/shm
|
--with-test-dir=/dev/shm \
|
||||||
|
--enable-all-experimental-features
|
||||||
|
|
||||||
make %{?_smp_mflags} all docs
|
make %{?_smp_mflags} all docs
|
||||||
|
|
||||||
@ -204,11 +221,9 @@ make install DESTDIR=$RPM_BUILD_ROOT
|
|||||||
# Prepare language files
|
# Prepare language files
|
||||||
/usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sssd
|
/usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sssd
|
||||||
|
|
||||||
# Copy SSSDConfig API files
|
# Prepare empty config file
|
||||||
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sssd
|
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sssd
|
||||||
touch $RPM_BUILD_ROOT/%{_sysconfdir}/sssd/sssd.conf
|
touch $RPM_BUILD_ROOT/%{_sysconfdir}/sssd/sssd.conf
|
||||||
install -m400 src/config/etc/sssd.api.conf $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.api.conf
|
|
||||||
install -m400 src/config/etc/sssd.api.d/* $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.api.d/
|
|
||||||
|
|
||||||
# Copy default logrotate file
|
# Copy default logrotate file
|
||||||
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d
|
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d
|
||||||
@ -273,9 +288,8 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
%ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
|
%ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
|
||||||
%config(noreplace) %{_sysconfdir}/logrotate.d/sssd
|
%config(noreplace) %{_sysconfdir}/logrotate.d/sssd
|
||||||
%config(noreplace) %{_sysconfdir}/rwtab.d/sssd
|
%config(noreplace) %{_sysconfdir}/rwtab.d/sssd
|
||||||
%config %{_sysconfdir}/sssd/sssd.api.conf
|
%{_datadir}/sssd/sssd.api.conf
|
||||||
%attr(700,root,root) %dir %{_sysconfdir}/sssd/sssd.api.d
|
%{_datadir}/sssd/sssd.api.d
|
||||||
%config %{_sysconfdir}/sssd/sssd.api.d/*
|
|
||||||
%{_mandir}/man5/sssd.conf.5*
|
%{_mandir}/man5/sssd.conf.5*
|
||||||
%{_mandir}/man5/sssd-ipa.5*
|
%{_mandir}/man5/sssd-ipa.5*
|
||||||
%{_mandir}/man5/sssd-krb5.5*
|
%{_mandir}/man5/sssd-krb5.5*
|
||||||
@ -285,16 +299,20 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
%{python_sitearch}/pysss.so
|
%{python_sitearch}/pysss.so
|
||||||
%{python_sitelib}/*.py*
|
%{python_sitelib}/*.py*
|
||||||
|
|
||||||
%files client -f sssd_tools.lang
|
%files client
|
||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root,-)
|
||||||
%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
|
%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
|
||||||
/%{_lib}/libnss_sss.so.2
|
/%{_lib}/libnss_sss.so.2
|
||||||
/%{_lib}/security/pam_sss.so
|
/%{_lib}/security/pam_sss.so
|
||||||
%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
|
%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
|
||||||
|
%{_bindir}/sss_ssh_authorizedkeys
|
||||||
|
%{_bindir}/sss_ssh_knownhostsproxy
|
||||||
|
%{_mandir}/man1/sss_ssh_authorizedkeys.1*
|
||||||
|
%{_mandir}/man1/sss_ssh_knownhostsproxy.1*
|
||||||
%{_mandir}/man8/pam_sss.8*
|
%{_mandir}/man8/pam_sss.8*
|
||||||
%{_mandir}/man8/sssd_krb5_locator_plugin.8*
|
%{_mandir}/man8/sssd_krb5_locator_plugin.8*
|
||||||
|
|
||||||
%files tools
|
%files tools -f sssd_tools.lang
|
||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root,-)
|
||||||
%doc COPYING
|
%doc COPYING
|
||||||
%{_sbindir}/sss_useradd
|
%{_sbindir}/sss_useradd
|
||||||
@ -334,6 +352,30 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root,-)
|
||||||
%{python_sitearch}/pyhbac.so
|
%{python_sitearch}/pyhbac.so
|
||||||
|
|
||||||
|
%package -n libsss_autofs
|
||||||
|
Summary: A library to allow communication between Autofs and SSSD
|
||||||
|
Group: Development/Libraries
|
||||||
|
License: LGPLv3+
|
||||||
|
|
||||||
|
%description -n libsss_autofs
|
||||||
|
A utility library to allow communication between Autofs and SSSD
|
||||||
|
|
||||||
|
%files -n libsss_sudo
|
||||||
|
%defattr(-,root,root,-)
|
||||||
|
%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
|
||||||
|
%{_libdir}/libsss_sudo.so.*
|
||||||
|
|
||||||
|
%files -n libsss_sudo-devel
|
||||||
|
%doc libsss_sudo_doc/html
|
||||||
|
%{_includedir}/sss_sudo.h
|
||||||
|
%{_libdir}/libsss_sudo.so
|
||||||
|
%{_libdir}/pkgconfig/libsss_sudo.pc
|
||||||
|
|
||||||
|
%files -n libsss_autofs
|
||||||
|
%defattr(-,root,root,-)
|
||||||
|
%doc src/sss_client/COPYING src/sss_client/COPYING.LESSER
|
||||||
|
%{_libdir}/sssd/modules/libsss_autofs.so*
|
||||||
|
|
||||||
%post
|
%post
|
||||||
/sbin/ldconfig
|
/sbin/ldconfig
|
||||||
|
|
||||||
@ -380,6 +422,15 @@ fi
|
|||||||
%postun -n libipa_hbac -p /sbin/ldconfig
|
%postun -n libipa_hbac -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Feb 06 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.8.0-1.beta1
|
||||||
|
- New upstream release
|
||||||
|
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.8.0beta1
|
||||||
|
- Support for the service map in NSS
|
||||||
|
- Support for setting default SELinux user context from FreeIPA
|
||||||
|
- Support for retrieving SSH user and host keys from LDAP (Experimental)
|
||||||
|
- Support for caching autofs LDAP requests (Experimental)
|
||||||
|
- Support for caching SUDO rules (Experimental)
|
||||||
|
|
||||||
* Wed Feb 01 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.7.0-5
|
* Wed Feb 01 2012 Stephen Gallagher <sgallagh@redhat.com> - 1.7.0-5
|
||||||
- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for
|
- Resolves: rhbz#773706 - SSSD fails during autodetection of search bases for
|
||||||
new LDAP features - fix netgroups and sudo as well
|
new LDAP features - fix netgroups and sudo as well
|
||||||
|
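Review bot: In the configure hunk, `--enable-all-experimental-features` switches on every experimental upstream feature at once, and the `%files client` hunk then ships `sss_ssh_authorizedkeys` and `sss_ssh_knownhostsproxy` in the base client package, so code the release notes themselves label experimental lands on every host that installs sssd-client. Going by the commit description these helpers supply SSH user and host keys from LDAP, which presumably puts them on the authentication path; I would prefer enabling only the features this package intends to support (if upstream's configure offers per-feature switches) and moving the SSH helpers into their own opt-in subpackage, as is already done for `libsss_sudo` and `libsss_autofs`. Separately, `%setup -q -n %{name}-1.7.91` hard-codes the unpack directory with no explanation; a comment such as `# the 1.8.0beta1 tarball unpacks into sssd-1.7.91` above it would tell the next rebase why the name differs from the Version tag. The new `libsss_sudo` package installs `%{_libdir}/libsss_sudo.so.*`, but no `/sbin/ldconfig` scriptlets for it are visible in these hunks, so that is worth checking as well.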