diff --git a/.cvsignore b/.cvsignore index a7f9aa5..4ba448b 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -sssd-0.4.1.tar.gz +sssd-0.5.0.tar.gz diff --git a/sources b/sources index ddd3579..76326f4 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -b1c6c3532e5bcc22de4849e52f9bad0a sssd-0.4.1.tar.gz +7566dcac75e7248ca99b4dd0bb49c1ee sssd-0.5.0.tar.gz diff --git a/sssd-0.4.1-conf_check.patch b/sssd-0.4.1-conf_check.patch deleted file mode 100644 index a25564e..0000000 --- a/sssd-0.4.1-conf_check.patch +++ /dev/null @@ -1,19 +0,0 @@ -From da891b9cd5a17c65299f84db507181fd74a7a6bf Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Thu, 11 Jun 2009 08:46:43 -0400 -Subject: [PATCH] Add missing configure check for getpgrp - ---- - server/util/signal.m4 | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - -diff --git a/server/util/signal.m4 b/server/util/signal.m4 -index c6d7f72..a778020 100644 ---- a/server/util/signal.m4 -+++ b/server/util/signal.m4 -@@ -1 +1 @@ --AC_CHECK_FUNCS(sigprocmask sigblock sigaction) -+AC_CHECK_FUNCS(sigprocmask sigblock sigaction getpgrp) --- -1.6.2.2 - diff --git a/sssd-0.4.1-cve-2009-2410.patch b/sssd-0.4.1-cve-2009-2410.patch deleted file mode 100644 index a716f31..0000000 --- a/sssd-0.4.1-cve-2009-2410.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From 52ef221f3f5fc65c96d35ecaa7eb8a7a67ce6e4b Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Tue, 28 Jul 2009 09:43:57 -0400 -Subject: [PATCH] Address CVE-2009-2410 - -Fix incorrect error code return in local_handler_callback ---- - server/responder/pam/pam_LOCAL_domain.c | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - -diff --git a/server/responder/pam/pam_LOCAL_domain.c b/server/responder/pam/pam_LOCAL_domain.c -index 010bd8d..48a4a81 100644 ---- a/server/responder/pam/pam_LOCAL_domain.c -+++ b/server/responder/pam/pam_LOCAL_domain.c -@@ -327,7 +327,7 @@ static void local_handler_callback(void *pvt, int ldb_status, - - password = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_PWD, NULL); - NULL_CHECK_OR_JUMP(password, ("No password stored.\n"), -- lreq->error, ret, done); -+ lreq->error, LDB_ERR_NO_SUCH_ATTRIBUTE, done); - DEBUG(4, ("user: [%s], password hash: [%s]\n", username, password)); - - ret = s3crypt_sha512(lreq, authtok, password, &new_hash); --- -1.6.2.5 - diff --git a/sssd-0.4.1-debug_fn.patch b/sssd-0.4.1-debug_fn.patch deleted file mode 100644 index 5f3e3ac..0000000 --- a/sssd-0.4.1-debug_fn.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From 832ef83184b1d67b7006becf149f1f8fce580ec3 Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Thu, 4 Jun 2009 13:37:10 -0400 -Subject: [PATCH] Fix invalid pointer error in ldb_debug_messages - ---- - server/util/debug.c | 21 +++++++++++++++++++-- - 1 files changed, 19 insertions(+), 2 deletions(-) - -diff --git a/server/util/debug.c b/server/util/debug.c -index f7f89f5..d6a98e2 100644 ---- a/server/util/debug.c -+++ b/server/util/debug.c -@@ -12,9 +12,16 @@ void debug_fn(const char *format, ...) - { - va_list ap; - char *s = NULL; -+ int ret; - - va_start(ap, format); -- vasprintf(&s, format, ap); -+ -+ ret = vasprintf(&s, format, ap); -+ if (ret < 0) { -+ /* ENOMEM */ -+ return; -+ } -+ - va_end(ap); - - /*write(state.fd, s, strlen(s));*/ -@@ -26,6 +33,9 @@ void ldb_debug_messages(void *context, enum ldb_debug_level level, - const char *fmt, va_list ap) - { - int loglevel = -1; -+ int ret; -+ char * message = NULL; -+ - switch(level) { - case LDB_DEBUG_FATAL: - loglevel = 0; -@@ -41,5 +51,12 @@ void ldb_debug_messages(void *context, enum ldb_debug_level level, - break; - } - -- DEBUG(loglevel, (fmt, ap)); -+ ret = vasprintf(&message, fmt, ap); -+ if (ret < 0) { -+ /* ENOMEM */ -+ return; -+ } -+ -+ DEBUG(loglevel, (message)); -+ free(message); - } --- -1.6.2.2 - diff --git a/sssd-0.4.1-reload_conf.patch b/sssd-0.4.1-reload_conf.patch deleted file mode 100644 index 6bfa9e2..0000000 --- a/sssd-0.4.1-reload_conf.patch +++ /dev/null 
@@ -1,113 +0,0 @@ -From 673c2ce9b3371241de872b2bd206f732485888cb Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Fri, 19 Jun 2009 11:09:33 -0400 -Subject: [PATCH] Fix segfault in update_monitor_config - -We were stealing the memory context of only the first value in -the linked-list of domains (and also services). This patch adds a -memory context to hold the lists so that can be stolen along with -all of the entries. ---- - server/confdb/confdb.c | 4 ++++ - server/monitor/monitor.c | 34 ++++++++++++++++++++++++++-------- - 2 files changed, 30 insertions(+), 8 deletions(-) - -diff --git a/server/confdb/confdb.c b/server/confdb/confdb.c -index 8eefcfb..8b8dc74 100644 ---- a/server/confdb/confdb.c -+++ b/server/confdb/confdb.c -@@ -709,6 +709,10 @@ int confdb_get_domain(struct confdb_ctx *cdb, - } - - domain = talloc_zero(mem_ctx, struct sss_domain_info); -+ if (!domain) { -+ ret = ENOMEM; -+ goto done; -+ } - - tmp = ldb_msg_find_attr_as_string(res->msgs[0], "cn", NULL); - if (!tmp) { -diff --git a/server/monitor/monitor.c b/server/monitor/monitor.c -index 906d157..e4fca25 100644 ---- a/server/monitor/monitor.c -+++ b/server/monitor/monitor.c -@@ -84,7 +84,9 @@ struct mt_svc { - struct mt_ctx { - struct tevent_context *ev; - struct confdb_ctx *cdb; -+ TALLOC_CTX *domain_ctx; /* Memory context for domain list */ - struct sss_domain_info *domains; -+ TALLOC_CTX *service_ctx; /* Memory context for services */ - char **services; - struct mt_svc *svc_list; - struct sbus_srv_ctx *sbus_srv; -@@ -619,8 +621,13 @@ int get_monitor_config(struct mt_ctx *ctx) - return ret; - } - -- ret = confdb_get_string_as_list(ctx->cdb, ctx, SERVICE_CONF_ENTRY, -- "activeServices", &ctx->services); -+ ctx->service_ctx = talloc_new(ctx); -+ if(!ctx->service_ctx) { -+ return ENOMEM; -+ } -+ ret = confdb_get_string_as_list(ctx->cdb, ctx->service_ctx, -+ SERVICE_CONF_ENTRY, "activeServices", -+ &ctx->services); - if (ret != EOK) { - DEBUG(0, ("No services configured!\n")); - return 
EINVAL; -@@ -631,7 +638,11 @@ int get_monitor_config(struct mt_ctx *ctx) - return ret; - } - -- ret = confdb_get_domains(ctx->cdb, ctx, &ctx->domains); -+ ctx->domain_ctx = talloc_new(ctx); -+ if(!ctx->domain_ctx) { -+ return ENOMEM; -+ } -+ ret = confdb_get_domains(ctx->cdb, ctx->domain_ctx, &ctx->domains); - if (ret != EOK) { - DEBUG(2, ("No domains configured. LOCAL should always exist!\n")); - return ret; -@@ -861,7 +872,12 @@ static int update_monitor_config(struct mt_ctx *ctx) - struct mt_svc *cur_svc; - struct mt_svc *new_svc; - struct sss_domain_info *dom, *new_dom; -- struct mt_ctx *new_config = talloc_zero(NULL, struct mt_ctx); -+ struct mt_ctx *new_config; -+ -+ new_config = talloc_zero(NULL, struct mt_ctx); -+ if(!new_config) { -+ return ENOMEM; -+ } - - new_config->ev = ctx->ev; - new_config->cdb = ctx->cdb; -@@ -953,8 +969,9 @@ static int update_monitor_config(struct mt_ctx *ctx) - } - - /* Replace the old service list with the new one */ -- talloc_free(ctx->services); -- ctx->services = talloc_steal(ctx, new_config->services); -+ talloc_free(ctx->service_ctx); -+ ctx->service_ctx = talloc_steal(ctx, new_config->service_ctx); -+ ctx->services = new_config->services; - - /* Compare data providers */ - /* Have any providers been disabled? */ -@@ -1040,8 +1057,9 @@ static int update_monitor_config(struct mt_ctx *ctx) - } - - /* Replace the old domain list with the new one */ -- talloc_free(ctx->domains); -- ctx->domains = talloc_steal(ctx, new_config->domains); -+ talloc_free(ctx->domain_ctx); -+ ctx->domain_ctx = talloc_steal(ctx, new_config->domain_ctx); -+ ctx->domains = new_config->domains; - - /* Signal all services to reload their configuration */ - for(cur_svc = ctx->svc_list; cur_svc; cur_svc = cur_svc->next) { --- -1.6.2.2 - diff --git a/sssd-0.4.1-reload_conf_2.patch b/sssd-0.4.1-reload_conf_2.patch deleted file mode 100644 index 136e2a9..0000000 --- a/sssd-0.4.1-reload_conf_2.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From 12cbba5545aefa59e27f683e17e05b8e80063718 Mon Sep 17 00:00:00 2001 -From: Stephen Gallagher -Date: Fri, 19 Jun 2009 11:28:49 -0400 -Subject: [PATCH] Protect against segfault in service_signal_reload - -There is a potential race condition where the monitor may attempt -to signal a reload of a child process before the communication -sbus channel is available. If this happens, we will just exit this -function and let the monitor kill and restart the child process. ---- - server/monitor/monitor.c | 9 +++++++++ - 1 files changed, 9 insertions(+), 0 deletions(-) - -diff --git a/server/monitor/monitor.c b/server/monitor/monitor.c -index e4fca25..5cc73c8 100644 ---- a/server/monitor/monitor.c -+++ b/server/monitor/monitor.c -@@ -525,6 +525,15 @@ static int service_signal_reload(struct mt_svc *svc) - return EOK; - } - -+ if (!svc->mt_conn) { -+ /* Avoid a race condition where we are trying to -+ * order a service to reload that hasn't started -+ * yet. -+ */ -+ DEBUG(1,("Could not reload service [%s].\n", svc->name)); -+ return EIO; -+ } -+ - conn = sbus_get_connection(svc->mt_conn->conn_ctx); - msg = dbus_message_new_method_call(NULL, - SERVICE_PATH, --- -1.6.2.2 - diff --git a/sssd.spec b/sssd.spec index 77afa7c..dac287b 100644 --- a/sssd.spec +++ b/sssd.spec @@ -1,6 +1,6 @@ Name: sssd -Version: 0.4.1 -Release: 4%{?dist} +Version: 0.5.0 +Release: 0%{?dist} Group: Applications/System Summary: System Security Services Daemon 
@@ -12,20 +12,19 @@ Source1: sssd.conf.default BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) ### Patches ### -Patch010: sssd-0.4.1-debug_fn.patch -Patch011: sssd-0.4.1-conf_check.patch -Patch012: sssd-0.4.1-reload_conf.patch -Patch013: sssd-0.4.1-reload_conf_2.patch -Patch014: sssd-0.4.1-cve-2009-2410.patch ### Dependencies ### Requires: libldb >= 0.9.3 +Requires: libtdb >= 1.1.3 Requires(preun): initscripts chkconfig Requires(postun): /sbin/service %define servicename sssd +%define sssdstatedir %{_localstatedir}/lib/sss +%define dbpath %{sssdstatedir}/db +%define pipepath %{sssdstatedir}/pipes ### Build Dependencies ### @@ -48,6 +47,8 @@ BuildRequires: pcre-devel BuildRequires: libxslt BuildRequires: libxml2 BuildRequires: docbook-style-xsl +BuildRequires: krb5-devel +BuildRequires: c-ares-devel %description Provides a set of daemons to manage access to remote directories and @@ -59,17 +60,11 @@ services for projects like FreeIPA. %prep %setup -q -%patch010 -p1 -b .debug_fn -%patch011 -p1 -b .conf_check -%patch012 -p1 -b .reload_conf -%patch013 -p1 -b .reload_conf_2 -%patch014 -p1 -b .cve-2009-2410 - %build %configure \ --without-tests \ - --without-policykit \ - --without-infopipe \ + --with-db-path=%{dbpath} \ + --with-pipe-path=%{pipepath} \ --with-init-dir=%{_initrddir} \ --enable-nsslibdir=/%{_lib} @@ -86,7 +81,9 @@ rm -f \ $RPM_BUILD_ROOT/%{_lib}/security/pam_sss.la \ $RPM_BUILD_ROOT/%{_libdir}/ldb/memberof.la \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ldap.la \ - $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_proxy.la + $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_proxy.la \ + $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_krb5.la \ + $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.la mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sssd install -m600 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.conf 
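Review bot: Dropping `%patch014 -p1 -b .cve-2009-2410` from %prep is only safe if the 0.5.0 tarball already carries the local_handler_callback fix (the deleted patch is upstream commit 52ef221f of 28 Jul 2009, which makes the missing-password case return LDB_ERR_NO_SUCH_ATTRIBUTE instead of the stale `ret`); nothing in the spec records that, so a later audit of CVE-2009-2410 would have to re-derive it. I would verify against the unpacked tarball that server/responder/pam/pam_LOCAL_domain.c contains that change before building, and state it in the 0.5.0-0 changelog entry, e.g. `- All 0.4.1 patches merged upstream, including the fix for CVE-2009-2410`. The same hunk also removes `--without-policykit` and `--without-infopipe` from %configure without adding corresponding %files entries; if 0.5.0 still recognises those options, leaving them out may build components that the `%{_libexecdir}/%{servicename}/` directory glob would ship unreviewed, so confirm they were removed upstream rather than merely defaulted on.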
@@ -108,10 +105,11 @@ rm -rf $RPM_BUILD_ROOT %{_libexecdir}/%{servicename}/ %{_libdir}/%{name}/ %{_libdir}/ldb/memberof.so -%dir /var/lib/sss/ -%attr(700,root,root) %dir /var/lib/sss/db -%dir /var/lib/sss/pipes -%attr(700,root,root) %dir /var/lib/sss/pipes/private +%{_libdir}/krb5/plugins/libkrb5/* +%dir %{sssdstatedir} +%attr(700,root,root) %dir %{dbpath} +%attr(755,root,root) %dir %{pipepath} +%attr(700,root,root) %dir %{pipepath}/private %dir %{_sysconfdir}/sssd %config(noreplace) %{_sysconfdir}/sssd/sssd.conf /%{_lib}/libnss_sss.so.2 @@ -119,6 +117,7 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man5/* %{_mandir}/man8/* %{_datadir}/locale/*/LC_MESSAGES/sss_client.mo +%{_datadir}/locale/*/LC_MESSAGES/sss_daemon.mo %post /sbin/ldconfig @@ -137,6 +136,9 @@ if [ $1 -ge 1 ] ; then fi %changelog +* Mon Aug 24 2009 Simo Sorce - 0.5.0-0 +- New upstream release 0.5.0 + * Wed Jul 29 2009 Jakub Hrozek - 0.4.1-4 - Fix for CVE-2009-2410 - Native SSSD users with no password set could log in without a password. (Patch by Stephen Gallagher)
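Review bot: The new `%{_libdir}/krb5/plugins/libkrb5/*` entry in %files globs a directory that libkrb5 presumably scans for plugins in every Kerberos-using process, so anything the build happens to install there becomes part of the package without anyone listing it; %install already names the single artefact (it deletes `sssd_krb5_locator_plugin.la`), so I would list the shared object explicitly, presumably `%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so`, and let rpmbuild's unpackaged-files check catch anything else. In the same hunk `%{pipepath}` gains an explicit `%attr(755,root,root)` while the parent `%dir %{sssdstatedir}` is left to whatever `make install` produced; since `%{dbpath}` and `%{pipepath}/private` are pinned to 700 because they hold cached credentials and the private sockets, I would pin the parent too with `%attr(755,root,root) %dir %{sssdstatedir}` so the whole state tree's permissions come from the spec rather than from the build.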