Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9
Resolves: rhbz#2101489 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed) Resolves: rhbz#2143925 - kinit switches KCM away from the newly issued ticket Resolves: rhbz#2151403 - AD user is not found on IPA client after upgrading to RHEL8.7 Resolves: rhbz#2164805 - man page entry should make clear that a nested group needs a name Resolves: rhbz#2170484 - Unable to lookup AD user from child domain (or "make filtering of the domains more configurable") Resolves: rhbz#2180981 - sss allows extraneous @ characters prefixed to username #
This commit is contained in:
parent
5cc012ea39
commit
a994a882f1
1
.gitignore
vendored
1
.gitignore
vendored
@ -4,3 +4,4 @@
|
||||
/sssd-2.7.3.tar.gz
|
||||
/sssd-2.8.1.tar.gz
|
||||
/sssd-2.8.2.tar.gz
|
||||
/sssd-2.9.0.tar.gz
|
||||
|
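--- a/0001-FILE-WATCH-Callback-not-executed-on-link-or-relative.patch
+++ b/0001-FILE-WATCH-Callback-not-executed-on-link-or-relative.patch
@@ -0,0 +1,248 @@
+From eb43c2400a34a4ab77be4f75ba7536baecda3bef Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= <allopez@redhat.com>
+Date: Wed, 10 May 2023 17:29:07 +0200
+Subject: [PATCH] FILE WATCH: Callback not executed on link or relative path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When the watched file was a symbolic link or was a relative path,
+the calback was not executed because the filename comparison
+was wrongly considering the files to be different.
+
+The solution is to normalize the filenames before comparing them.
+This cannot be easily done at setup because the file could not
+exist at that moment.
+
+The test was adapted to check this situation.
+
+Resolves: https://github.com/SSSD/sssd/issues/6718
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+(cherry picked from commit b2a4ff2aa67707c226c5835c1fcac042fce1cae3)
+---
+src/tests/file_watch-tests.c | 83 ++++++++++++++++++++++++++----------
+src/util/file_watch.c | 26 +++++++++--
+2 files changed, 83 insertions(+), 26 deletions(-)
+
+diff --git a/src/tests/file_watch-tests.c b/src/tests/file_watch-tests.c
+index 3ca5b44f9..3e1aea6ce 100644
+--- a/src/tests/file_watch-tests.c
++++ b/src/tests/file_watch-tests.c
+@@ -36,11 +36,19 @@
+#include "util/file_watch.h"
+#include "tests/common.h"
+
+-#define FW_DIR TEST_DIR "/file-watch"
+-#define WATCHED_FILE_INOTIFY FW_DIR "/watched_file_inotify"
+-#define WATCHED_FILE_POLL FW_DIR "/watched_file_poll"
+-#define WATCHED_EXISTING_FILE_INOTIFY FW_DIR "/watched_file_inotify.exists"
+-#define WATCHED_EXISTING_FILE_POLL FW_DIR "/watched_file_poll.exists"
++#define FW_NAME "/file-watch-test-dir"
++#define FILE_INOTIFY_NAME "watched_file_inotify"
++#define FILE_POLL_NAME "watched_file_poll"
++#define FW_DIR TEST_DIR FW_NAME
++#define EXISTING_FILE_INOTIFY_NAME FILE_INOTIFY_NAME ".exists"
++#define EXISTING_FILE_POLL_NAME FILE_POLL_NAME ".exists"
++#define WATCHED_FILE_INOTIFY FW_DIR "/.." FW_NAME "/" FILE_INOTIFY_NAME
++#define WATCHED_FILE_POLL FW_DIR "/.." FW_NAME "/" FILE_POLL_NAME
++#define WATCHED_EXISTING_FILE_INOTIFY FW_DIR "/.." FW_NAME "/" EXISTING_FILE_INOTIFY_NAME
++#define WATCHED_EXISTING_FILE_POLL FW_DIR "/.." FW_NAME "/" EXISTING_FILE_POLL_NAME
++#define WATCHED_EXISTING_LINK_INOTIFY FW_DIR "/" EXISTING_FILE_INOTIFY_NAME ".link"
++#define WATCHED_EXISTING_LINK_POLL FW_DIR "/" EXISTING_FILE_POLL_NAME ".link"
++#define UNWATCHED_FILE FW_DIR "/unwatched_file"
+
+
+static TALLOC_CTX *test_mem_ctx;
+@@ -50,34 +58,51 @@ struct fn_arg {
+int counter;
+};
+
+-static void setup_file_watch(void)
++static void remove_files(void)
+{
+- test_mem_ctx = talloc_new(NULL);
+- mkdir(FW_DIR, 0700);
+unlink(WATCHED_FILE_INOTIFY);
+unlink(WATCHED_FILE_POLL);
++ unlink(WATCHED_EXISTING_LINK_INOTIFY);
++ unlink(WATCHED_EXISTING_LINK_POLL);
+unlink(WATCHED_EXISTING_FILE_INOTIFY);
+unlink(WATCHED_EXISTING_FILE_POLL);
++ unlink(UNWATCHED_FILE);
+}
+
++static void setup_file_watch(void)
++{
++ DEBUG(SSSDBG_TRACE_ALL, "==========================================\n");
++ test_mem_ctx = talloc_new(NULL);
++ mkdir(FW_DIR, 0700);
++ remove_files();
++}
+
+static void teardown_file_watch(void)
+{
+- unlink(WATCHED_FILE_INOTIFY);
+- unlink(WATCHED_FILE_POLL);
+- unlink(WATCHED_EXISTING_FILE_INOTIFY);
+- unlink(WATCHED_EXISTING_FILE_POLL);
+talloc_free(test_mem_ctx);
++ remove_files();
++ rmdir(FW_DIR);
+}
+
+
+static void callback(const char *filename, void *arg)
+{
+- DEBUG(SSSDBG_TRACE_FUNC, "Callback invoked\n");
++ static char received[PATH_MAX + 1];
++ static char expected[PATH_MAX + 1];
++ char *res;
+struct fn_arg *data = (struct fn_arg *) arg;
+
++ DEBUG(SSSDBG_TRACE_FUNC, "Callback invoked\n");
++
+ck_assert_msg(data != NULL, "Callback received NULL argument");
+- ck_assert_msg(strcmp(filename, data->filename) == 0,
++
++ res = realpath(data->filename, expected);
++ ck_assert_msg(res != NULL, "Failed to normalize the expected filename");
++
++ res = realpath(filename, received);
++ ck_assert_msg(res != NULL, "Failed to normalize the received filename");
++
++ ck_assert_msg(strcmp(expected, received) == 0,
+"Wrong filename in the callback.");
+data->counter++;
+}
+@@ -88,7 +113,7 @@ static void modify_file(const char *filename)
+int fd;
+int res;
+
+- DEBUG(SSSDBG_TRACE_FUNC, "File modified\n");
++ DEBUG(SSSDBG_TRACE_FUNC, "Modifying file %s\n", filename);
+fd = open(filename, O_WRONLY | O_CREAT | O_APPEND, S_IRUSR | S_IWUSR);
+ck_assert_msg(fd != -1, "Failed to open the file.");
+
+@@ -119,11 +144,14 @@ static void test_file_watch_no_file(bool use_inotify)
+arg.filename = filename;
+arg.counter = 0;
+
++ DEBUG(SSSDBG_TRACE_ALL, "Watching file %s\n", filename);
+ctx = fw_watch_file(test_mem_ctx, ev, filename, use_inotify, callback, &arg);
+ck_assert_msg(ctx != NULL, "Failed to watch a file.");
+ck_assert_msg(arg.counter == 0, "Unexpected callback invocation.");
+
+- // At this point the file doesn't exist, we will create it.
++ // At this point the file doesn't exist. We create the watched and an
++ // unwatched file
++ modify_file(UNWATCHED_FILE);
+modify_file(filename);
+if (use_inotify) {
+res = tevent_loop_once(ev);
+@@ -152,26 +180,35 @@ static void test_file_watch_with_file(bool use_inotify)
+{
+struct file_watch_ctx *ctx;
+struct tevent_context *ev;
++ const char *filepath;
+const char *filename;
++ const char *linkpath;
+struct fn_arg arg;
+int res;
+
+if (use_inotify) {
+- filename = WATCHED_EXISTING_FILE_INOTIFY;
++ filename = EXISTING_FILE_INOTIFY_NAME;
++ filepath = WATCHED_EXISTING_FILE_INOTIFY;
++ linkpath = WATCHED_EXISTING_LINK_INOTIFY;
+} else {
+- filename = WATCHED_EXISTING_FILE_POLL;
++ filename = EXISTING_FILE_POLL_NAME;
++ filepath = WATCHED_EXISTING_FILE_POLL;
++ linkpath = WATCHED_EXISTING_LINK_POLL;
+}
+- modify_file(filename);
++ modify_file(filepath);
++ res = symlink(filename, linkpath);
++ ck_assert_msg(res == 0, "Failed create the symbolic link");
+
+ev = tevent_context_init(test_mem_ctx);
+ck_assert_msg(ev != NULL, "Failed to create the tevent context.");
+
+- arg.filename = filename;
++ arg.filename = linkpath;
+arg.counter = 0;
+
+// File already exists
+- ctx = fw_watch_file(test_mem_ctx, ev, filename, use_inotify, callback, &arg);
+- ck_assert_msg(ctx != NULL, "Failed to watch a file.");
++ DEBUG(SSSDBG_TRACE_ALL, "Watching link %s\n", linkpath);
++ ctx = fw_watch_file(test_mem_ctx, ev, linkpath, use_inotify, callback, &arg);
++ ck_assert_msg(ctx != NULL, "Failed to watch a link.");
+ck_assert_msg(arg.counter >= 1, "Callback not invoked at start up.");
+ck_assert_msg(arg.counter <= 1, "Callback invoked too many times at start up.");
+
+@@ -179,7 +216,7 @@ static void test_file_watch_with_file(bool use_inotify)
+if (!use_inotify) {
+sleep(2); // Detection by polling is based on the file's modification time.
+}
+- modify_file(filename);
++ modify_file(filepath);
+if (use_inotify) {
+res = tevent_loop_once(ev);
+ck_assert_msg(res == 0, "tevent_loop_once() failed.");
+diff --git a/src/util/file_watch.c b/src/util/file_watch.c
+index b994e4116..d19fdccd6 100644
+--- a/src/util/file_watch.c
++++ b/src/util/file_watch.c
+@@ -121,7 +121,10 @@ static int watched_file_inotify_cb(const char *filename,
+uint32_t flags,
+void *pvt)
+{
++ static char received[PATH_MAX + 1];
++ static char expected[PATH_MAX + 1];
+struct file_watch_ctx *fw_ctx;
++ char *res;
+
+DEBUG(SSSDBG_TRACE_LIBS,
+"Received inotify notification for %s\n", filename);
+@@ -131,15 +134,32 @@ static int watched_file_inotify_cb(const char *filename,
+return EINVAL;
+}
+
+- if (strcmp(fw_ctx->filename, filename) == 0) {
+- if (access(fw_ctx->filename, F_OK) == 0) {
+- fw_ctx->cb(fw_ctx->filename, fw_ctx->cb_arg);
++ res = realpath(fw_ctx->filename, expected);
++ if (res == NULL) {
++ DEBUG(SSSDBG_TRACE_LIBS,
++ "Normalization failed for expected %s. Skipping the callback.\n",
++ fw_ctx->filename);
++ goto done;
++ }
++
++ res = realpath(filename, received);
++ if (res == NULL) {
++ DEBUG(SSSDBG_TRACE_LIBS,
++ "Normalization failed for received %s. Skipping the callback.\n",
++ filename);
++ goto done;
++ }
++
++ if (strcmp(expected, received) == 0) {
++ if (access(received, F_OK) == 0) {
++ fw_ctx->cb(received, fw_ctx->cb_arg);
+} else {
+DEBUG(SSSDBG_TRACE_LIBS,
+"File %s is missing. Skipping the callback.\n", filename);
+}
+}
+
++done:
+return EOK;
+}
+
+--
+2.38.1
+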
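Review bot: In the `watched_file_inotify_cb` hunk of src/util/file_watch.c the callback is now invoked as `fw_ctx->cb(received, fw_ctx->cb_arg)`, so a consumer receives a pointer into a function-static `PATH_MAX + 1` buffer that the next notification overwrites, and it receives the resolved path instead of the configured `fw_ctx->filename` it asked to watch. The normalization is only needed for the comparison; keeping `fw_ctx->cb(fw_ctx->filename, fw_ctx->cb_arg);` preserves the previous callback contract and stops handing out the static buffer. The `access(received, F_OK)` check that follows is largely redundant once `realpath()` has succeeded, and the test message `"Failed create the symbolic link"` is missing a word. The polling side of the watcher is outside this patch, so whether it passes the same spelling of the filename to the callback cannot be confirmed from here.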
@ -1,158 +0,0 @@
|
||||
From d7da2966f5931bac3b17f42e251adbbb7e793619 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Thu, 8 Dec 2022 15:14:05 +0100
|
||||
Subject: [PATCH] ldap: update shadow last change in sysdb as well
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Otherwise pam can use the changed information whe id chaching is
|
||||
enabled, so next authentication that fits into the id timeout
|
||||
(5 seconds by default) will still sees the password as expired.
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/6477
|
||||
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||
(cherry picked from commit 7e8b97c14b8ef218d6ea23214be28d25dba13886)
|
||||
---
|
||||
src/db/sysdb.h | 4 ++++
|
||||
src/db/sysdb_ops.c | 32 ++++++++++++++++++++++++++++++++
|
||||
src/providers/ldap/ldap_auth.c | 21 ++++++++++++++++-----
|
||||
3 files changed, 52 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
|
||||
index 7c666f5c4..06b44f5ba 100644
|
||||
--- a/src/db/sysdb.h
|
||||
+++ b/src/db/sysdb.h
|
||||
@@ -1061,6 +1061,10 @@ int sysdb_set_user_attr(struct sss_domain_info *domain,
|
||||
struct sysdb_attrs *attrs,
|
||||
int mod_op);
|
||||
|
||||
+errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
|
||||
+ const char *name,
|
||||
+ const char *attrname);
|
||||
+
|
||||
/* Replace group attrs */
|
||||
int sysdb_set_group_attr(struct sss_domain_info *domain,
|
||||
const char *name,
|
||||
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
|
||||
index 0d6f2d5cd..ed0df9872 100644
|
||||
--- a/src/db/sysdb_ops.c
|
||||
+++ b/src/db/sysdb_ops.c
|
||||
@@ -1485,6 +1485,38 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain,
|
||||
+ const char *name,
|
||||
+ const char *attrname)
|
||||
+{
|
||||
+ struct sysdb_attrs *attrs;
|
||||
+ char *value;
|
||||
+ errno_t ret;
|
||||
+
|
||||
+ attrs = sysdb_new_attrs(NULL);
|
||||
+ if (attrs == NULL) {
|
||||
+ return ENOMEM;
|
||||
+ }
|
||||
+
|
||||
+ /* The attribute contains number of days since the epoch */
|
||||
+ value = talloc_asprintf(attrs, "%ld", (long)time(NULL)/86400);
|
||||
+ if (value == NULL) {
|
||||
+ ret = ENOMEM;
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = sysdb_attrs_add_string(attrs, attrname, value);
|
||||
+ if (ret != EOK) {
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ ret = sysdb_set_user_attr(domain, name, attrs, SYSDB_MOD_REP);
|
||||
+
|
||||
+done:
|
||||
+ talloc_free(attrs);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
/* =Replace-Attributes-On-Group=========================================== */
|
||||
|
||||
int sysdb_set_group_attr(struct sss_domain_info *domain,
|
||||
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
|
||||
index 6404a9d3a..96b9d6df4 100644
|
||||
--- a/src/providers/ldap/ldap_auth.c
|
||||
+++ b/src/providers/ldap/ldap_auth.c
|
||||
@@ -1240,6 +1240,7 @@ struct sdap_pam_chpass_handler_state {
|
||||
struct pam_data *pd;
|
||||
struct sdap_handle *sh;
|
||||
char *dn;
|
||||
+ enum pwexpire pw_expire_type;
|
||||
};
|
||||
|
||||
static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq);
|
||||
@@ -1339,7 +1340,6 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
|
||||
{
|
||||
struct sdap_pam_chpass_handler_state *state;
|
||||
struct tevent_req *req;
|
||||
- enum pwexpire pw_expire_type;
|
||||
void *pw_expire_data;
|
||||
size_t msg_len;
|
||||
uint8_t *msg;
|
||||
@@ -1349,7 +1349,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
|
||||
state = tevent_req_data(req, struct sdap_pam_chpass_handler_state);
|
||||
|
||||
ret = auth_recv(subreq, state, &state->sh, &state->dn,
|
||||
- &pw_expire_type, &pw_expire_data);
|
||||
+ &state->pw_expire_type, &pw_expire_data);
|
||||
talloc_free(subreq);
|
||||
|
||||
if ((ret == EOK || ret == ERR_PASSWORD_EXPIRED) &&
|
||||
@@ -1361,7 +1361,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
|
||||
}
|
||||
|
||||
if (ret == EOK) {
|
||||
- switch (pw_expire_type) {
|
||||
+ switch (state->pw_expire_type) {
|
||||
case PWEXPIRE_SHADOW:
|
||||
ret = check_pwexpire_shadow(pw_expire_data, time(NULL), NULL);
|
||||
break;
|
||||
@@ -1381,7 +1381,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
|
||||
break;
|
||||
default:
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
- "Unknown password expiration type %d.\n", pw_expire_type);
|
||||
+ "Unknown password expiration type %d.\n",
|
||||
+ state->pw_expire_type);
|
||||
state->pd->pam_status = PAM_SYSTEM_ERR;
|
||||
goto done;
|
||||
}
|
||||
@@ -1392,7 +1393,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
|
||||
case ERR_PASSWORD_EXPIRED:
|
||||
DEBUG(SSSDBG_TRACE_LIBS,
|
||||
"user [%s] successfully authenticated.\n", state->dn);
|
||||
- ret = sdap_pam_chpass_handler_change_step(state, req, pw_expire_type);
|
||||
+ ret = sdap_pam_chpass_handler_change_step(state, req,
|
||||
+ state->pw_expire_type);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE,
|
||||
"sdap_pam_chpass_handler_change_step() failed.\n");
|
||||
@@ -1506,6 +1508,15 @@ static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq)
|
||||
|
||||
switch (ret) {
|
||||
case EOK:
|
||||
+ if (state->pw_expire_type == PWEXPIRE_SHADOW) {
|
||||
+ ret = sysdb_update_user_shadow_last_change(state->be_ctx->domain,
|
||||
+ state->pd->user, SYSDB_SHADOWPW_LASTCHANGE);
|
||||
+ if (ret != EOK) {
|
||||
+ state->pd->pam_status = PAM_SYSTEM_ERR;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
state->pd->pam_status = PAM_SUCCESS;
|
||||
break;
|
||||
case ERR_CHPASS_DENIED:
|
||||
--
|
||||
2.37.3
|
||||
|
@ -1,58 +0,0 @@
|
||||
From f3333b9dbeda33a9344b458accaa4ff372adb660 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Fri, 3 Feb 2023 11:35:42 +0100
|
||||
Subject: [PATCH 2/4] SSS_CLIENT: fix error codes returned by common
|
||||
read/write/check helpers.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
It's kind of expected that in case `(POLLERR | POLLHUP | POLLNVAL)`
|
||||
error condition is detected, regular `POLLIN/POLLOUT` won't be set.
|
||||
Error code set by error condition should have a priority. This enables
|
||||
users of this helper to retry attempt (as designed).
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
(cherry picked from commit 0b8638d8de435384562f17d041655887b73523cd)
|
||||
---
|
||||
src/sss_client/common.c | 9 +++------
|
||||
1 file changed, 3 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
|
||||
index 2c888faa9..27e09f6f3 100644
|
||||
--- a/src/sss_client/common.c
|
||||
+++ b/src/sss_client/common.c
|
||||
@@ -161,8 +161,7 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd,
|
||||
case 1:
|
||||
if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
|
||||
*errnop = EPIPE;
|
||||
- }
|
||||
- if (!(pfd.revents & POLLOUT)) {
|
||||
+ } else if (!(pfd.revents & POLLOUT)) {
|
||||
*errnop = EBUSY;
|
||||
}
|
||||
break;
|
||||
@@ -273,8 +272,7 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd,
|
||||
}
|
||||
if (pfd.revents & (POLLERR | POLLNVAL)) {
|
||||
*errnop = EPIPE;
|
||||
- }
|
||||
- if (!(pfd.revents & POLLIN)) {
|
||||
+ } else if (!(pfd.revents & POLLIN)) {
|
||||
*errnop = EBUSY;
|
||||
}
|
||||
break;
|
||||
@@ -725,8 +723,7 @@ static enum sss_status sss_cli_check_socket(int *errnop,
|
||||
case 1:
|
||||
if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
|
||||
*errnop = EPIPE;
|
||||
- }
|
||||
- if (!(pfd.revents & (POLLIN | POLLOUT))) {
|
||||
+ } else if (!(pfd.revents & (POLLIN | POLLOUT))) {
|
||||
*errnop = EBUSY;
|
||||
}
|
||||
break;
|
||||
--
|
||||
2.37.3
|
||||
|
@ -1,63 +0,0 @@
|
||||
From a40b25a3af29706c058ce5a02dd0ba294dbb6874 Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Wed, 8 Feb 2023 17:48:52 +0100
|
||||
Subject: [PATCH 3/4] SSS_CLIENT: if poll() returns POLLNVAL then socket is
|
||||
alredy closed (or wasn't open) so it shouldn't be closed again. Otherwise
|
||||
there is a risk to close "foreign" socket opened in another thread.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
(cherry picked from commit ef93284b5a1f196425d9a61e8e24de8972240eb3)
|
||||
---
|
||||
src/sss_client/common.c | 18 +++++++++++++++---
|
||||
1 file changed, 15 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
|
||||
index 27e09f6f3..c8ade645b 100644
|
||||
--- a/src/sss_client/common.c
|
||||
+++ b/src/sss_client/common.c
|
||||
@@ -159,7 +159,11 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd,
|
||||
*errnop = ETIME;
|
||||
break;
|
||||
case 1:
|
||||
- if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
|
||||
+ if (pfd.revents & (POLLERR | POLLHUP)) {
|
||||
+ *errnop = EPIPE;
|
||||
+ } else if (pfd.revents & POLLNVAL) {
|
||||
+ /* Invalid request: fd is not opened */
|
||||
+ sss_cli_sd = -1;
|
||||
*errnop = EPIPE;
|
||||
} else if (!(pfd.revents & POLLOUT)) {
|
||||
*errnop = EBUSY;
|
||||
@@ -270,7 +274,11 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd,
|
||||
if (pfd.revents & (POLLHUP)) {
|
||||
pollhup = true;
|
||||
}
|
||||
- if (pfd.revents & (POLLERR | POLLNVAL)) {
|
||||
+ if (pfd.revents & POLLERR) {
|
||||
+ *errnop = EPIPE;
|
||||
+ } else if (pfd.revents & POLLNVAL) {
|
||||
+ /* Invalid request: fd is not opened */
|
||||
+ sss_cli_sd = -1;
|
||||
*errnop = EPIPE;
|
||||
} else if (!(pfd.revents & POLLIN)) {
|
||||
*errnop = EBUSY;
|
||||
@@ -721,7 +729,11 @@ static enum sss_status sss_cli_check_socket(int *errnop,
|
||||
*errnop = ETIME;
|
||||
break;
|
||||
case 1:
|
||||
- if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) {
|
||||
+ if (pfd.revents & (POLLERR | POLLHUP)) {
|
||||
+ *errnop = EPIPE;
|
||||
+ } else if (pfd.revents & POLLNVAL) {
|
||||
+ /* Invalid request: fd is not opened */
|
||||
+ sss_cli_sd = -1;
|
||||
*errnop = EPIPE;
|
||||
} else if (!(pfd.revents & (POLLIN | POLLOUT))) {
|
||||
*errnop = EBUSY;
|
||||
--
|
||||
2.37.3
|
||||
|
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (sssd-2.8.2.tar.gz) = 10b7a641823aefb43e30bff9e5f309a1f48446ffff421a06f86496db24ba1fbd384733b5690864507ef9b2f04c91e563fe9820536031f83f1bd6e93edfedee55
|
||||
SHA512 (sssd-2.9.0.tar.gz) = cf65572cfa6468c4b3edc3a33a48ab6d58979917901662eb8b2d8fc5931494be81da13295246500a3a315b71d0395594c9a565014e5875f3cdde50da096f253d
|
||||
|
23
sssd.spec
23
sssd.spec
@ -18,8 +18,8 @@
|
||||
%global enable_systemtap_opt --enable-systemtap
|
||||
|
||||
Name: sssd
|
||||
Version: 2.8.2
|
||||
Release: 2%{?dist}
|
||||
Version: 2.9.0
|
||||
Release: 1%{?dist}
|
||||
Group: Applications/System
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
@ -27,10 +27,7 @@ URL: https://github.com/SSSD/sssd
|
||||
Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz
|
||||
|
||||
### Patches ###
|
||||
Patch0001: 0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch
|
||||
Patch0002: 0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch
|
||||
Patch0003: 0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch
|
||||
Patch0004: 0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch
|
||||
Patch0001: 0001-FILE-WATCH-Callback-not-executed-on-link-or-relative.patch
|
||||
|
||||
### Downstream Patches ###
|
||||
|
||||
@ -214,7 +211,6 @@ Summary: Userspace tools for use with the SSSD
|
||||
Group: Applications/System
|
||||
License: GPLv3+
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
Requires: libsss_simpleifp = %{version}-%{release}
|
||||
# required by sss_obfuscate
|
||||
Requires: python3-sss = %{version}-%{release}
|
||||
Requires: python3-sssdconfig = %{version}-%{release}
|
||||
@ -594,6 +590,8 @@ autoreconf -ivf
|
||||
--with-initscript=systemd \
|
||||
--with-syslog=journald \
|
||||
--with-subid \
|
||||
--with-files-provider \
|
||||
--with-libsifp \
|
||||
--enable-sss-default-nss-plugin \
|
||||
--without-python2-bindings \
|
||||
--with-sssd-user=sssd \
|
||||
@ -910,7 +908,7 @@ done
|
||||
%{_mandir}/man5/sssd-ifp.5*
|
||||
%{_unitdir}/sssd-ifp.service
|
||||
# InfoPipe DBus plumbing
|
||||
%{_sysconfdir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
|
||||
%{_datadir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
|
||||
%{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service
|
||||
|
||||
%files -n libsss_simpleifp
|
||||
@ -1213,6 +1211,15 @@ fi
|
||||
%systemd_postun_with_restart sssd.service
|
||||
|
||||
%changelog
|
||||
* Mon May 15 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.9.0-1
|
||||
- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9
|
||||
- Resolves: rhbz#2101489 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed)
|
||||
- Resolves: rhbz#2143925 - kinit switches KCM away from the newly issued ticket
|
||||
- Resolves: rhbz#2151403 - AD user is not found on IPA client after upgrading to RHEL8.7
|
||||
- Resolves: rhbz#2164805 - man page entry should make clear that a nested group needs a name
|
||||
- Resolves: rhbz#2170484 - Unable to lookup AD user from child domain (or "make filtering of the domains more configurable")
|
||||
- Resolves: rhbz#2180981 - sss allows extraneous @ characters prefixed to username #
|
||||
|
||||
* Mon Feb 13 2023 Alexey Tikhonov <atikhono@redhat.com> - 2.8.2-2
|
||||
- Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy"
|
||||
|
||||
|
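Review bot: The Patches hunk drops `Patch0001`–`Patch0004` from the 2.8.2-2 build, including the SSS_CLIENT poll()/POLLNVAL fix that stopped a socket belonging to another thread from being closed, yet the 2.9.0-1 changelog entry does not state that these fixes are carried by the 2.9.0 tarball; this chunk shows the deletion of three of the patch files but not of `0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch`. A changelog line such as `- Drop patches merged upstream in 2.9.0` would record why they are safe to remove. The `@ -214,7 +211,6 @@` and `@ -594,6 +590,8 @@` hunks change a sssd-tools Requires line and add two configure options (presumably `--with-files-provider` and `--with-libsifp`, which the 2.8.2 build did not pass) without a changelog mention either.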