- New upstream release 0.5.0

Simo Sorce 2009-08-24 18:56:24 +00:00
parent 2cae3a8b19
commit 8b935a1efc
8 changed files with 24 additions and 274 deletions


@ -1 +1 @@
sssd-0.4.1.tar.gz sssd-0.5.0.tar.gz


@ -1 +1 @@
b1c6c3532e5bcc22de4849e52f9bad0a sssd-0.4.1.tar.gz 7566dcac75e7248ca99b4dd0bb49c1ee sssd-0.5.0.tar.gz


@ -1,19 +0,0 @@
From da891b9cd5a17c65299f84db507181fd74a7a6bf Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Thu, 11 Jun 2009 08:46:43 -0400
Subject: [PATCH] Add missing configure check for getpgrp
---
server/util/signal.m4 | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/server/util/signal.m4 b/server/util/signal.m4
index c6d7f72..a778020 100644
--- a/server/util/signal.m4
+++ b/server/util/signal.m4
@@ -1 +1 @@
-AC_CHECK_FUNCS(sigprocmask sigblock sigaction)
+AC_CHECK_FUNCS(sigprocmask sigblock sigaction getpgrp)
--
1.6.2.2


@ -1,26 +0,0 @@
From 52ef221f3f5fc65c96d35ecaa7eb8a7a67ce6e4b Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 28 Jul 2009 09:43:57 -0400
Subject: [PATCH] Address CVE-2009-2410
Fix incorrect error code return in local_handler_callback
---
server/responder/pam/pam_LOCAL_domain.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/server/responder/pam/pam_LOCAL_domain.c b/server/responder/pam/pam_LOCAL_domain.c
index 010bd8d..48a4a81 100644
--- a/server/responder/pam/pam_LOCAL_domain.c
+++ b/server/responder/pam/pam_LOCAL_domain.c
@@ -327,7 +327,7 @@ static void local_handler_callback(void *pvt, int ldb_status,
password = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_PWD, NULL);
NULL_CHECK_OR_JUMP(password, ("No password stored.\n"),
- lreq->error, ret, done);
+ lreq->error, LDB_ERR_NO_SUCH_ATTRIBUTE, done);
DEBUG(4, ("user: [%s], password hash: [%s]\n", username, password));
ret = s3crypt_sha512(lreq, authtok, password, &new_hash);
--
1.6.2.5


@ -1,58 +0,0 @@
From 832ef83184b1d67b7006becf149f1f8fce580ec3 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Thu, 4 Jun 2009 13:37:10 -0400
Subject: [PATCH] Fix invalid pointer error in ldb_debug_messages
---
server/util/debug.c | 21 +++++++++++++++++++--
1 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/server/util/debug.c b/server/util/debug.c
index f7f89f5..d6a98e2 100644
--- a/server/util/debug.c
+++ b/server/util/debug.c
@@ -12,9 +12,16 @@ void debug_fn(const char *format, ...)
{
va_list ap;
char *s = NULL;
+ int ret;
va_start(ap, format);
- vasprintf(&s, format, ap);
+
+ ret = vasprintf(&s, format, ap);
+ if (ret < 0) {
+ /* ENOMEM */
+ return;
+ }
+
va_end(ap);
/*write(state.fd, s, strlen(s));*/
@@ -26,6 +33,9 @@ void ldb_debug_messages(void *context, enum ldb_debug_level level,
const char *fmt, va_list ap)
{
int loglevel = -1;
+ int ret;
+ char * message = NULL;
+
switch(level) {
case LDB_DEBUG_FATAL:
loglevel = 0;
@@ -41,5 +51,12 @@ void ldb_debug_messages(void *context, enum ldb_debug_level level,
break;
}
- DEBUG(loglevel, (fmt, ap));
+ ret = vasprintf(&message, fmt, ap);
+ if (ret < 0) {
+ /* ENOMEM */
+ return;
+ }
+
+ DEBUG(loglevel, (message));
+ free(message);
}
--
1.6.2.2


@ -1,113 +0,0 @@
From 673c2ce9b3371241de872b2bd206f732485888cb Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Fri, 19 Jun 2009 11:09:33 -0400
Subject: [PATCH] Fix segfault in update_monitor_config
We were stealing the memory context of only the first value in
the linked-list of domains (and also services). This patch adds a
memory context to hold the lists so that can be stolen along with
all of the entries.
---
server/confdb/confdb.c | 4 ++++
server/monitor/monitor.c | 34 ++++++++++++++++++++++++++--------
2 files changed, 30 insertions(+), 8 deletions(-)
diff --git a/server/confdb/confdb.c b/server/confdb/confdb.c
index 8eefcfb..8b8dc74 100644
--- a/server/confdb/confdb.c
+++ b/server/confdb/confdb.c
@@ -709,6 +709,10 @@ int confdb_get_domain(struct confdb_ctx *cdb,
}
domain = talloc_zero(mem_ctx, struct sss_domain_info);
+ if (!domain) {
+ ret = ENOMEM;
+ goto done;
+ }
tmp = ldb_msg_find_attr_as_string(res->msgs[0], "cn", NULL);
if (!tmp) {
diff --git a/server/monitor/monitor.c b/server/monitor/monitor.c
index 906d157..e4fca25 100644
--- a/server/monitor/monitor.c
+++ b/server/monitor/monitor.c
@@ -84,7 +84,9 @@ struct mt_svc {
struct mt_ctx {
struct tevent_context *ev;
struct confdb_ctx *cdb;
+ TALLOC_CTX *domain_ctx; /* Memory context for domain list */
struct sss_domain_info *domains;
+ TALLOC_CTX *service_ctx; /* Memory context for services */
char **services;
struct mt_svc *svc_list;
struct sbus_srv_ctx *sbus_srv;
@@ -619,8 +621,13 @@ int get_monitor_config(struct mt_ctx *ctx)
return ret;
}
- ret = confdb_get_string_as_list(ctx->cdb, ctx, SERVICE_CONF_ENTRY,
- "activeServices", &ctx->services);
+ ctx->service_ctx = talloc_new(ctx);
+ if(!ctx->service_ctx) {
+ return ENOMEM;
+ }
+ ret = confdb_get_string_as_list(ctx->cdb, ctx->service_ctx,
+ SERVICE_CONF_ENTRY, "activeServices",
+ &ctx->services);
if (ret != EOK) {
DEBUG(0, ("No services configured!\n"));
return EINVAL;
@@ -631,7 +638,11 @@ int get_monitor_config(struct mt_ctx *ctx)
return ret;
}
- ret = confdb_get_domains(ctx->cdb, ctx, &ctx->domains);
+ ctx->domain_ctx = talloc_new(ctx);
+ if(!ctx->domain_ctx) {
+ return ENOMEM;
+ }
+ ret = confdb_get_domains(ctx->cdb, ctx->domain_ctx, &ctx->domains);
if (ret != EOK) {
DEBUG(2, ("No domains configured. LOCAL should always exist!\n"));
return ret;
@@ -861,7 +872,12 @@ static int update_monitor_config(struct mt_ctx *ctx)
struct mt_svc *cur_svc;
struct mt_svc *new_svc;
struct sss_domain_info *dom, *new_dom;
- struct mt_ctx *new_config = talloc_zero(NULL, struct mt_ctx);
+ struct mt_ctx *new_config;
+
+ new_config = talloc_zero(NULL, struct mt_ctx);
+ if(!new_config) {
+ return ENOMEM;
+ }
new_config->ev = ctx->ev;
new_config->cdb = ctx->cdb;
@@ -953,8 +969,9 @@ static int update_monitor_config(struct mt_ctx *ctx)
}
/* Replace the old service list with the new one */
- talloc_free(ctx->services);
- ctx->services = talloc_steal(ctx, new_config->services);
+ talloc_free(ctx->service_ctx);
+ ctx->service_ctx = talloc_steal(ctx, new_config->service_ctx);
+ ctx->services = new_config->services;
/* Compare data providers */
/* Have any providers been disabled? */
@@ -1040,8 +1057,9 @@ static int update_monitor_config(struct mt_ctx *ctx)
}
/* Replace the old domain list with the new one */
- talloc_free(ctx->domains);
- ctx->domains = talloc_steal(ctx, new_config->domains);
+ talloc_free(ctx->domain_ctx);
+ ctx->domain_ctx = talloc_steal(ctx, new_config->domain_ctx);
+ ctx->domains = new_config->domains;
/* Signal all services to reload their configuration */
for(cur_svc = ctx->svc_list; cur_svc; cur_svc = cur_svc->next) {
--
1.6.2.2


@ -1,36 +0,0 @@
From 12cbba5545aefa59e27f683e17e05b8e80063718 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Fri, 19 Jun 2009 11:28:49 -0400
Subject: [PATCH] Protect against segfault in service_signal_reload
There is a potential race condition where the monitor may attempt
to signal a reload of a child process before the communication
sbus channel is available. If this happens, we will just exit this
function and let the monitor kill and restart the child process.
---
server/monitor/monitor.c | 9 +++++++++
1 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/server/monitor/monitor.c b/server/monitor/monitor.c
index e4fca25..5cc73c8 100644
--- a/server/monitor/monitor.c
+++ b/server/monitor/monitor.c
@@ -525,6 +525,15 @@ static int service_signal_reload(struct mt_svc *svc)
return EOK;
}
+ if (!svc->mt_conn) {
+ /* Avoid a race condition where we are trying to
+ * order a service to reload that hasn't started
+ * yet.
+ */
+ DEBUG(1,("Could not reload service [%s].\n", svc->name));
+ return EIO;
+ }
+
conn = sbus_get_connection(svc->mt_conn->conn_ctx);
msg = dbus_message_new_method_call(NULL,
SERVICE_PATH,
--
1.6.2.2


@ -1,6 +1,6 @@
Name: sssd Name: sssd
Version: 0.4.1 Version: 0.5.0
Release: 4%{?dist} Release: 0%{?dist}
Group: Applications/System Group: Applications/System
Summary: System Security Services Daemon Summary: System Security Services Daemon
@ -12,20 +12,19 @@ Source1: sssd.conf.default
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ### ### Patches ###
Patch010: sssd-0.4.1-debug_fn.patch
Patch011: sssd-0.4.1-conf_check.patch
Patch012: sssd-0.4.1-reload_conf.patch
Patch013: sssd-0.4.1-reload_conf_2.patch
Patch014: sssd-0.4.1-cve-2009-2410.patch
### Dependencies ### ### Dependencies ###
Requires: libldb >= 0.9.3 Requires: libldb >= 0.9.3
Requires: libtdb >= 1.1.3
Requires(preun): initscripts chkconfig Requires(preun): initscripts chkconfig
Requires(postun): /sbin/service Requires(postun): /sbin/service
%define servicename sssd %define servicename sssd
%define sssdstatedir %{_localstatedir}/lib/sss
%define dbpath %{sssdstatedir}/db
%define pipepath %{sssdstatedir}/pipes
### Build Dependencies ### ### Build Dependencies ###
@ -48,6 +47,8 @@ BuildRequires: pcre-devel
BuildRequires: libxslt BuildRequires: libxslt
BuildRequires: libxml2 BuildRequires: libxml2
BuildRequires: docbook-style-xsl BuildRequires: docbook-style-xsl
BuildRequires: krb5-devel
BuildRequires: c-ares-devel
%description %description
Provides a set of daemons to manage access to remote directories and Provides a set of daemons to manage access to remote directories and
@ -59,17 +60,11 @@ services for projects like FreeIPA.
%prep %prep
%setup -q %setup -q
%patch010 -p1 -b .debug_fn
%patch011 -p1 -b .conf_check
%patch012 -p1 -b .reload_conf
%patch013 -p1 -b .reload_conf_2
%patch014 -p1 -b .cve-2009-2410
%build %build
%configure \ %configure \
--without-tests \ --without-tests \
--without-policykit \ --with-db-path=%{dbpath} \
--without-infopipe \ --with-pipe-path=%{pipepath} \
--with-init-dir=%{_initrddir} \ --with-init-dir=%{_initrddir} \
--enable-nsslibdir=/%{_lib} --enable-nsslibdir=/%{_lib}
@ -86,7 +81,9 @@ rm -f \
$RPM_BUILD_ROOT/%{_lib}/security/pam_sss.la \ $RPM_BUILD_ROOT/%{_lib}/security/pam_sss.la \
$RPM_BUILD_ROOT/%{_libdir}/ldb/memberof.la \ $RPM_BUILD_ROOT/%{_libdir}/ldb/memberof.la \
$RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ldap.la \ $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ldap.la \
$RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_proxy.la $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_proxy.la \
$RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_krb5.la \
$RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.la
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sssd mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sssd
install -m600 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.conf install -m600 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.conf
@ -108,10 +105,11 @@ rm -rf $RPM_BUILD_ROOT
%{_libexecdir}/%{servicename}/ %{_libexecdir}/%{servicename}/
%{_libdir}/%{name}/ %{_libdir}/%{name}/
%{_libdir}/ldb/memberof.so %{_libdir}/ldb/memberof.so
%dir /var/lib/sss/ %{_libdir}/krb5/plugins/libkrb5/*
%attr(700,root,root) %dir /var/lib/sss/db %dir %{sssdstatedir}
%dir /var/lib/sss/pipes %attr(700,root,root) %dir %{dbpath}
%attr(700,root,root) %dir /var/lib/sss/pipes/private %attr(755,root,root) %dir %{pipepath}
%attr(700,root,root) %dir %{pipepath}/private
%dir %{_sysconfdir}/sssd %dir %{_sysconfdir}/sssd
%config(noreplace) %{_sysconfdir}/sssd/sssd.conf %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
/%{_lib}/libnss_sss.so.2 /%{_lib}/libnss_sss.so.2
@ -119,6 +117,7 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man5/* %{_mandir}/man5/*
%{_mandir}/man8/* %{_mandir}/man8/*
%{_datadir}/locale/*/LC_MESSAGES/sss_client.mo %{_datadir}/locale/*/LC_MESSAGES/sss_client.mo
%{_datadir}/locale/*/LC_MESSAGES/sss_daemon.mo
%post %post
/sbin/ldconfig /sbin/ldconfig
@ -137,6 +136,9 @@ if [ $1 -ge 1 ] ; then
fi fi
%changelog %changelog
* Mon Aug 24 2009 Simo Sorce <ssorce@redhat.com> - 0.5.0-0
- New upstream release 0.5.0
* Wed Jul 29 2009 Jakub Hrozek <jhrozek@redhat.com> - 0.4.1-4 * Wed Jul 29 2009 Jakub Hrozek <jhrozek@redhat.com> - 0.4.1-4
- Fix for CVE-2009-2410 - Native SSSD users with no password set could log in - Fix for CVE-2009-2410 - Native SSSD users with no password set could log in
without a password. (Patch by Stephen Gallagher) without a password. (Patch by Stephen Gallagher)
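Review bot: The new changelog entry (`* Mon Aug 24 2009 Simo Sorce ... - 0.5.0-0` / `- New upstream release 0.5.0`) does not record that the five downstream patches are dropped, even though this commit deletes sssd-0.4.1-cve-2009-2410.patch and removes its Patch014/%patch014 lines from the spec. Security tooling and reviewers grep the rpm changelog for CVE ids, so the 0.5.0 entry should state where that fix went, e.g. add `- Drop patches merged upstream, including the fix for CVE-2009-2410` under the new entry. This presumes upstream 0.5.0 actually carries the local_handler_callback fix; that should be confirmed against the 0.5.0 source before the patch is dropped, since the build would otherwise silently reintroduce the passwordless-login bug described in the 0.4.1-4 entry. The same applies to the other four dropped patches (debug_fn, conf_check, reload_conf, reload_conf_2), which the entry could list in one line.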