- New upstream release 0.5.0
This commit is contained in:
parent
2cae3a8b19
commit
8b935a1efc
@ -1 +1 @@
|
|||||||
sssd-0.4.1.tar.gz
|
sssd-0.5.0.tar.gz
|
||||||
|
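--- a/sources
+++ b/sources
@@ -1 +1 @@
-b1c6c3532e5bcc22de4849e52f9bad0a sssd-0.4.1.tar.gz
+7566dcac75e7248ca99b4dd0bb49c1ee sssd-0.5.0.tar.gz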
@ -1,19 +0,0 @@
|
|||||||
From da891b9cd5a17c65299f84db507181fd74a7a6bf Mon Sep 17 00:00:00 2001
|
|
||||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
|
||||||
Date: Thu, 11 Jun 2009 08:46:43 -0400
|
|
||||||
Subject: [PATCH] Add missing configure check for getpgrp
|
|
||||||
|
|
||||||
---
|
|
||||||
server/util/signal.m4 | 2 +-
|
|
||||||
1 files changed, 1 insertions(+), 1 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/server/util/signal.m4 b/server/util/signal.m4
|
|
||||||
index c6d7f72..a778020 100644
|
|
||||||
--- a/server/util/signal.m4
|
|
||||||
+++ b/server/util/signal.m4
|
|
||||||
@@ -1 +1 @@
|
|
||||||
-AC_CHECK_FUNCS(sigprocmask sigblock sigaction)
|
|
||||||
+AC_CHECK_FUNCS(sigprocmask sigblock sigaction getpgrp)
|
|
||||||
--
|
|
||||||
1.6.2.2
|
|
||||||
|
|
@ -1,26 +0,0 @@
|
|||||||
From 52ef221f3f5fc65c96d35ecaa7eb8a7a67ce6e4b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
|
||||||
Date: Tue, 28 Jul 2009 09:43:57 -0400
|
|
||||||
Subject: [PATCH] Address CVE-2009-2410
|
|
||||||
|
|
||||||
Fix incorrect error code return in local_handler_callback
|
|
||||||
---
|
|
||||||
server/responder/pam/pam_LOCAL_domain.c | 2 +-
|
|
||||||
1 files changed, 1 insertions(+), 1 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/server/responder/pam/pam_LOCAL_domain.c b/server/responder/pam/pam_LOCAL_domain.c
|
|
||||||
index 010bd8d..48a4a81 100644
|
|
||||||
--- a/server/responder/pam/pam_LOCAL_domain.c
|
|
||||||
+++ b/server/responder/pam/pam_LOCAL_domain.c
|
|
||||||
@@ -327,7 +327,7 @@ static void local_handler_callback(void *pvt, int ldb_status,
|
|
||||||
|
|
||||||
password = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_PWD, NULL);
|
|
||||||
NULL_CHECK_OR_JUMP(password, ("No password stored.\n"),
|
|
||||||
- lreq->error, ret, done);
|
|
||||||
+ lreq->error, LDB_ERR_NO_SUCH_ATTRIBUTE, done);
|
|
||||||
DEBUG(4, ("user: [%s], password hash: [%s]\n", username, password));
|
|
||||||
|
|
||||||
ret = s3crypt_sha512(lreq, authtok, password, &new_hash);
|
|
||||||
--
|
|
||||||
1.6.2.5
|
|
||||||
|
|
@ -1,58 +0,0 @@
|
|||||||
From 832ef83184b1d67b7006becf149f1f8fce580ec3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
|
||||||
Date: Thu, 4 Jun 2009 13:37:10 -0400
|
|
||||||
Subject: [PATCH] Fix invalid pointer error in ldb_debug_messages
|
|
||||||
|
|
||||||
---
|
|
||||||
server/util/debug.c | 21 +++++++++++++++++++--
|
|
||||||
1 files changed, 19 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/server/util/debug.c b/server/util/debug.c
|
|
||||||
index f7f89f5..d6a98e2 100644
|
|
||||||
--- a/server/util/debug.c
|
|
||||||
+++ b/server/util/debug.c
|
|
||||||
@@ -12,9 +12,16 @@ void debug_fn(const char *format, ...)
|
|
||||||
{
|
|
||||||
va_list ap;
|
|
||||||
char *s = NULL;
|
|
||||||
+ int ret;
|
|
||||||
|
|
||||||
va_start(ap, format);
|
|
||||||
- vasprintf(&s, format, ap);
|
|
||||||
+
|
|
||||||
+ ret = vasprintf(&s, format, ap);
|
|
||||||
+ if (ret < 0) {
|
|
||||||
+ /* ENOMEM */
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
va_end(ap);
|
|
||||||
|
|
||||||
/*write(state.fd, s, strlen(s));*/
|
|
||||||
@@ -26,6 +33,9 @@ void ldb_debug_messages(void *context, enum ldb_debug_level level,
|
|
||||||
const char *fmt, va_list ap)
|
|
||||||
{
|
|
||||||
int loglevel = -1;
|
|
||||||
+ int ret;
|
|
||||||
+ char * message = NULL;
|
|
||||||
+
|
|
||||||
switch(level) {
|
|
||||||
case LDB_DEBUG_FATAL:
|
|
||||||
loglevel = 0;
|
|
||||||
@@ -41,5 +51,12 @@ void ldb_debug_messages(void *context, enum ldb_debug_level level,
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
- DEBUG(loglevel, (fmt, ap));
|
|
||||||
+ ret = vasprintf(&message, fmt, ap);
|
|
||||||
+ if (ret < 0) {
|
|
||||||
+ /* ENOMEM */
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ DEBUG(loglevel, (message));
|
|
||||||
+ free(message);
|
|
||||||
}
|
|
||||||
--
|
|
||||||
1.6.2.2
|
|
||||||
|
|
@ -1,113 +0,0 @@
|
|||||||
From 673c2ce9b3371241de872b2bd206f732485888cb Mon Sep 17 00:00:00 2001
|
|
||||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
|
||||||
Date: Fri, 19 Jun 2009 11:09:33 -0400
|
|
||||||
Subject: [PATCH] Fix segfault in update_monitor_config
|
|
||||||
|
|
||||||
We were stealing the memory context of only the first value in
|
|
||||||
the linked-list of domains (and also services). This patch adds a
|
|
||||||
memory context to hold the lists so that can be stolen along with
|
|
||||||
all of the entries.
|
|
||||||
---
|
|
||||||
server/confdb/confdb.c | 4 ++++
|
|
||||||
server/monitor/monitor.c | 34 ++++++++++++++++++++++++++--------
|
|
||||||
2 files changed, 30 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/server/confdb/confdb.c b/server/confdb/confdb.c
|
|
||||||
index 8eefcfb..8b8dc74 100644
|
|
||||||
--- a/server/confdb/confdb.c
|
|
||||||
+++ b/server/confdb/confdb.c
|
|
||||||
@@ -709,6 +709,10 @@ int confdb_get_domain(struct confdb_ctx *cdb,
|
|
||||||
}
|
|
||||||
|
|
||||||
domain = talloc_zero(mem_ctx, struct sss_domain_info);
|
|
||||||
+ if (!domain) {
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
tmp = ldb_msg_find_attr_as_string(res->msgs[0], "cn", NULL);
|
|
||||||
if (!tmp) {
|
|
||||||
diff --git a/server/monitor/monitor.c b/server/monitor/monitor.c
|
|
||||||
index 906d157..e4fca25 100644
|
|
||||||
--- a/server/monitor/monitor.c
|
|
||||||
+++ b/server/monitor/monitor.c
|
|
||||||
@@ -84,7 +84,9 @@ struct mt_svc {
|
|
||||||
struct mt_ctx {
|
|
||||||
struct tevent_context *ev;
|
|
||||||
struct confdb_ctx *cdb;
|
|
||||||
+ TALLOC_CTX *domain_ctx; /* Memory context for domain list */
|
|
||||||
struct sss_domain_info *domains;
|
|
||||||
+ TALLOC_CTX *service_ctx; /* Memory context for services */
|
|
||||||
char **services;
|
|
||||||
struct mt_svc *svc_list;
|
|
||||||
struct sbus_srv_ctx *sbus_srv;
|
|
||||||
@@ -619,8 +621,13 @@ int get_monitor_config(struct mt_ctx *ctx)
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = confdb_get_string_as_list(ctx->cdb, ctx, SERVICE_CONF_ENTRY,
|
|
||||||
- "activeServices", &ctx->services);
|
|
||||||
+ ctx->service_ctx = talloc_new(ctx);
|
|
||||||
+ if(!ctx->service_ctx) {
|
|
||||||
+ return ENOMEM;
|
|
||||||
+ }
|
|
||||||
+ ret = confdb_get_string_as_list(ctx->cdb, ctx->service_ctx,
|
|
||||||
+ SERVICE_CONF_ENTRY, "activeServices",
|
|
||||||
+ &ctx->services);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(0, ("No services configured!\n"));
|
|
||||||
return EINVAL;
|
|
||||||
@@ -631,7 +638,11 @@ int get_monitor_config(struct mt_ctx *ctx)
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = confdb_get_domains(ctx->cdb, ctx, &ctx->domains);
|
|
||||||
+ ctx->domain_ctx = talloc_new(ctx);
|
|
||||||
+ if(!ctx->domain_ctx) {
|
|
||||||
+ return ENOMEM;
|
|
||||||
+ }
|
|
||||||
+ ret = confdb_get_domains(ctx->cdb, ctx->domain_ctx, &ctx->domains);
|
|
||||||
if (ret != EOK) {
|
|
||||||
DEBUG(2, ("No domains configured. LOCAL should always exist!\n"));
|
|
||||||
return ret;
|
|
||||||
@@ -861,7 +872,12 @@ static int update_monitor_config(struct mt_ctx *ctx)
|
|
||||||
struct mt_svc *cur_svc;
|
|
||||||
struct mt_svc *new_svc;
|
|
||||||
struct sss_domain_info *dom, *new_dom;
|
|
||||||
- struct mt_ctx *new_config = talloc_zero(NULL, struct mt_ctx);
|
|
||||||
+ struct mt_ctx *new_config;
|
|
||||||
+
|
|
||||||
+ new_config = talloc_zero(NULL, struct mt_ctx);
|
|
||||||
+ if(!new_config) {
|
|
||||||
+ return ENOMEM;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
new_config->ev = ctx->ev;
|
|
||||||
new_config->cdb = ctx->cdb;
|
|
||||||
@@ -953,8 +969,9 @@ static int update_monitor_config(struct mt_ctx *ctx)
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Replace the old service list with the new one */
|
|
||||||
- talloc_free(ctx->services);
|
|
||||||
- ctx->services = talloc_steal(ctx, new_config->services);
|
|
||||||
+ talloc_free(ctx->service_ctx);
|
|
||||||
+ ctx->service_ctx = talloc_steal(ctx, new_config->service_ctx);
|
|
||||||
+ ctx->services = new_config->services;
|
|
||||||
|
|
||||||
/* Compare data providers */
|
|
||||||
/* Have any providers been disabled? */
|
|
||||||
@@ -1040,8 +1057,9 @@ static int update_monitor_config(struct mt_ctx *ctx)
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Replace the old domain list with the new one */
|
|
||||||
- talloc_free(ctx->domains);
|
|
||||||
- ctx->domains = talloc_steal(ctx, new_config->domains);
|
|
||||||
+ talloc_free(ctx->domain_ctx);
|
|
||||||
+ ctx->domain_ctx = talloc_steal(ctx, new_config->domain_ctx);
|
|
||||||
+ ctx->domains = new_config->domains;
|
|
||||||
|
|
||||||
/* Signal all services to reload their configuration */
|
|
||||||
for(cur_svc = ctx->svc_list; cur_svc; cur_svc = cur_svc->next) {
|
|
||||||
--
|
|
||||||
1.6.2.2
|
|
||||||
|
|
@ -1,36 +0,0 @@
|
|||||||
From 12cbba5545aefa59e27f683e17e05b8e80063718 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Stephen Gallagher <sgallagh@redhat.com>
|
|
||||||
Date: Fri, 19 Jun 2009 11:28:49 -0400
|
|
||||||
Subject: [PATCH] Protect against segfault in service_signal_reload
|
|
||||||
|
|
||||||
There is a potential race condition where the monitor may attempt
|
|
||||||
to signal a reload of a child process before the communication
|
|
||||||
sbus channel is available. If this happens, we will just exit this
|
|
||||||
function and let the monitor kill and restart the child process.
|
|
||||||
---
|
|
||||||
server/monitor/monitor.c | 9 +++++++++
|
|
||||||
1 files changed, 9 insertions(+), 0 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/server/monitor/monitor.c b/server/monitor/monitor.c
|
|
||||||
index e4fca25..5cc73c8 100644
|
|
||||||
--- a/server/monitor/monitor.c
|
|
||||||
+++ b/server/monitor/monitor.c
|
|
||||||
@@ -525,6 +525,15 @@ static int service_signal_reload(struct mt_svc *svc)
|
|
||||||
return EOK;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (!svc->mt_conn) {
|
|
||||||
+ /* Avoid a race condition where we are trying to
|
|
||||||
+ * order a service to reload that hasn't started
|
|
||||||
+ * yet.
|
|
||||||
+ */
|
|
||||||
+ DEBUG(1,("Could not reload service [%s].\n", svc->name));
|
|
||||||
+ return EIO;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
conn = sbus_get_connection(svc->mt_conn->conn_ctx);
|
|
||||||
msg = dbus_message_new_method_call(NULL,
|
|
||||||
SERVICE_PATH,
|
|
||||||
--
|
|
||||||
1.6.2.2
|
|
||||||
|
|
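--- a/sssd.spec
+++ b/sssd.spec
@@ -1,6 +1,6 @@
 Name: sssd
-Version: 0.4.1
-Release: 4%{?dist}
+Version: 0.5.0
+Release: 0%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 
@@ -12,20 +12,19 @@ Source1: sssd.conf.default
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
 ### Patches ###
-Patch010: sssd-0.4.1-debug_fn.patch
-Patch011: sssd-0.4.1-conf_check.patch
-Patch012: sssd-0.4.1-reload_conf.patch
-Patch013: sssd-0.4.1-reload_conf_2.patch
-Patch014: sssd-0.4.1-cve-2009-2410.patch
 
 ### Dependencies ###
 
 Requires: libldb >= 0.9.3
+Requires: libtdb >= 1.1.3
 
 Requires(preun): initscripts chkconfig
 Requires(postun): /sbin/service
 
 %define servicename sssd
+%define sssdstatedir %{_localstatedir}/lib/sss
+%define dbpath %{sssdstatedir}/db
+%define pipepath %{sssdstatedir}/pipes
 
 ### Build Dependencies ###
 
@@ -48,6 +47,8 @@ BuildRequires: pcre-devel
 BuildRequires: libxslt
 BuildRequires: libxml2
 BuildRequires: docbook-style-xsl
+BuildRequires: krb5-devel
+BuildRequires: c-ares-devel
 
 %description
 Provides a set of daemons to manage access to remote directories and
@@ -59,17 +60,11 @@ services for projects like FreeIPA.
 %prep
 %setup -q
 
-%patch010 -p1 -b .debug_fn
-%patch011 -p1 -b .conf_check
-%patch012 -p1 -b .reload_conf
-%patch013 -p1 -b .reload_conf_2
-%patch014 -p1 -b .cve-2009-2410
-
 %build
 %configure \
 --without-tests \
---without-policykit \
---without-infopipe \
+--with-db-path=%{dbpath} \
+--with-pipe-path=%{pipepath} \
 --with-init-dir=%{_initrddir} \
 --enable-nsslibdir=/%{_lib}
 
@@ -86,7 +81,9 @@ rm -f \
 $RPM_BUILD_ROOT/%{_lib}/security/pam_sss.la \
 $RPM_BUILD_ROOT/%{_libdir}/ldb/memberof.la \
 $RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_ldap.la \
-$RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_proxy.la
+$RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_proxy.la \
+$RPM_BUILD_ROOT/%{_libdir}/sssd/libsss_krb5.la \
+$RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.la
 
 mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sssd
 install -m600 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.conf
@@ -108,10 +105,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_libexecdir}/%{servicename}/
 %{_libdir}/%{name}/
 %{_libdir}/ldb/memberof.so
-%dir /var/lib/sss/
-%attr(700,root,root) %dir /var/lib/sss/db
-%dir /var/lib/sss/pipes
-%attr(700,root,root) %dir /var/lib/sss/pipes/private
+%{_libdir}/krb5/plugins/libkrb5/*
+%dir %{sssdstatedir}
+%attr(700,root,root) %dir %{dbpath}
+%attr(755,root,root) %dir %{pipepath}
+%attr(700,root,root) %dir %{pipepath}/private
 %dir %{_sysconfdir}/sssd
 %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
 /%{_lib}/libnss_sss.so.2
@@ -119,6 +117,7 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man5/*
 %{_mandir}/man8/*
 %{_datadir}/locale/*/LC_MESSAGES/sss_client.mo
+%{_datadir}/locale/*/LC_MESSAGES/sss_daemon.mo
 
 %post
 /sbin/ldconfig
@@ -137,6 +136,9 @@ if [ $1 -ge 1 ] ; then
 fi
 
 %changelog
+* Mon Aug 24 2009 Simo Sorce <ssorce@redhat.com> - 0.5.0-0
+- New upstream release 0.5.0
+
 * Wed Jul 29 2009 Jakub Hrozek <jhrozek@redhat.com> - 0.4.1-4
 - Fix for CVE-2009-2410 - Native SSSD users with no password set could log in
 without a password. (Patch by Stephen Gallagher)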
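Review bot: The new spec drops Patch014 (sssd-0.4.1-cve-2009-2410.patch) and its %patch014 line together with the four other 0.4.1 backports, yet the only changelog line added is `- New upstream release 0.5.0`, so the spec's own history no longer records whether the CVE-2009-2410 fix described in the 0.4.1-4 entry is carried by upstream 0.5.0. I would extend the 0.5.0-0 changelog entry with a line such as `- Drop 0.4.1 patches (debug_fn, conf_check, reload_conf, CVE-2009-2410 fix), now included upstream` once that has been verified against the 0.5.0 tarball, whose checksum also changes in this commit. Separately, `Release: 0%{?dist}` is unusual for a final upstream release; Fedora convention starts post-release builds at 1 and reserves 0.N for pre-releases, so confirm the 0 is intended.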