import sssd-2.5.2-2.el8_5.2
This commit is contained in:
parent
d0ab9d6745
commit
d963a6f456
187
SOURCES/0003-ad-filter-trusted-domains.patch
Normal file
187
SOURCES/0003-ad-filter-trusted-domains.patch
Normal file
@ -0,0 +1,187 @@
|
|||||||
|
From 4c48c4a7792961cf8a228c76975ac370d32904e1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Wed, 6 Oct 2021 13:03:27 +0200
|
||||||
|
Subject: [PATCH] ad: filter trusted domains
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
The fix for https://github.com/SSSD/sssd/issues/5528 might discover
|
||||||
|
domains which are not trusted (one-way trust) or are from a different
|
||||||
|
forest (direct trust). Both should be ignored because they are not
|
||||||
|
trusted or can currently not be handled properly. This patch filters out
|
||||||
|
those domains.
|
||||||
|
|
||||||
|
Resolves: https://github.com/SSSD/sssd/issues/5819
|
||||||
|
|
||||||
|
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
||||||
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||||
|
---
|
||||||
|
src/providers/ad/ad_subdomains.c | 104 +++++++++++++++++++++++++++++--
|
||||||
|
1 file changed, 99 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
|
||||||
|
index 3eb49c93f..ac463026f 100644
|
||||||
|
--- a/src/providers/ad/ad_subdomains.c
|
||||||
|
+++ b/src/providers/ad/ad_subdomains.c
|
||||||
|
@@ -46,6 +46,7 @@
|
||||||
|
#define AD_AT_TRUST_PARTNER "trustPartner"
|
||||||
|
#define AD_AT_TRUST_ATTRS "trustAttributes"
|
||||||
|
#define AD_AT_DOMAIN_NAME "cn"
|
||||||
|
+#define AD_AT_TRUST_DIRECTION "trustDirection"
|
||||||
|
|
||||||
|
/* trustType=2 denotes uplevel (NT5 and later) trusted domains. See
|
||||||
|
* http://msdn.microsoft.com/en-us/library/windows/desktop/ms680342%28v=vs.85%29.aspx
|
||||||
|
@@ -69,6 +70,12 @@
|
||||||
|
/* do not refresh more often than every 5 seconds for now */
|
||||||
|
#define AD_SUBDOMAIN_REFRESH_LIMIT 5
|
||||||
|
|
||||||
|
+/* Flags of trustAttributes attribute, see MS-ADTS 6.1.6.7.9 for details */
|
||||||
|
+#define TRUST_ATTRIBUTE_WITHIN_FOREST 0x00000020
|
||||||
|
+
|
||||||
|
+/* Flags for trustDirection attribute, see MS-ADTS 6.1.6.7.12 for details */
|
||||||
|
+#define TRUST_DIRECTION_OUTBOUND 0x00000002
|
||||||
|
+
|
||||||
|
static void
|
||||||
|
ad_disable_gc(struct ad_options *ad_options)
|
||||||
|
{
|
||||||
|
@@ -646,6 +653,85 @@ done:
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* When reading trusted domains from the local DC we are basically interested
|
||||||
|
+ * in domains from the local forest we are trusting, i.e. users from this
|
||||||
|
+ * domain can connect to us. To not unnecessarily bloat the list of domains
|
||||||
|
+ * and make multi-domain searches slow we filter domains from other forest and
|
||||||
|
+ * domains we do not trust.
|
||||||
|
+ * In future we might add config options to broaden the scope and allow more
|
||||||
|
+ * domains.
|
||||||
|
+ * If ad_filter_domains() returns successfully with EOK in input array is not
|
||||||
|
+ * valid anymore and should be freed by the caller. */
|
||||||
|
+static errno_t ad_filter_domains(TALLOC_CTX *mem_ctx,
|
||||||
|
+ struct sysdb_attrs **subdomains,
|
||||||
|
+ size_t num_subdomains,
|
||||||
|
+ struct sysdb_attrs ***_sd_out,
|
||||||
|
+ size_t *_num_sd_out)
|
||||||
|
+{
|
||||||
|
+ int ret;
|
||||||
|
+ size_t c;
|
||||||
|
+ uint32_t tmp_uint32_t;
|
||||||
|
+ const char *value;
|
||||||
|
+ struct sysdb_attrs **sd_out;
|
||||||
|
+ size_t num_sd_out = 0;
|
||||||
|
+
|
||||||
|
+ sd_out = talloc_zero_array(mem_ctx, struct sysdb_attrs *,
|
||||||
|
+ num_subdomains + 1);
|
||||||
|
+ if (sd_out == NULL) {
|
||||||
|
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||||
|
+ "Failed to allocate memory for sub-domain list.\n");
|
||||||
|
+ return ENOMEM;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ for (c = 0; c < num_subdomains; c++) {
|
||||||
|
+ ret = sysdb_attrs_get_string(subdomains[c], AD_AT_TRUST_PARTNER,
|
||||||
|
+ &value);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n");
|
||||||
|
+ talloc_free(sd_out);
|
||||||
|
+ return ret;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Ignore direct trusts to domains from other forests
|
||||||
|
+ * (TRUST_ATTRIBUTE_WITHIN_FOREST is not set) or domains we do not
|
||||||
|
+ * trust (TRUST_DIRECTION_OUTBOUND is not set) */
|
||||||
|
+
|
||||||
|
+ tmp_uint32_t = 0;
|
||||||
|
+ ret = sysdb_attrs_get_uint32_t(subdomains[c], AD_AT_TRUST_ATTRS,
|
||||||
|
+ &tmp_uint32_t);
|
||||||
|
+ if (ret != EOK
|
||||||
|
+ || (tmp_uint32_t & TRUST_ATTRIBUTE_WITHIN_FOREST) == 0) {
|
||||||
|
+ DEBUG(SSSDBG_FUNC_DATA,
|
||||||
|
+ "TRUST_ATTRIBUTE_WITHIN_FOREST not set for [%s].\n",
|
||||||
|
+ value);
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ tmp_uint32_t = 0;
|
||||||
|
+ ret = sysdb_attrs_get_uint32_t(subdomains[c], AD_AT_TRUST_DIRECTION,
|
||||||
|
+ &tmp_uint32_t);
|
||||||
|
+ if (ret != EOK
|
||||||
|
+ || (tmp_uint32_t & TRUST_DIRECTION_OUTBOUND) == 0) {
|
||||||
|
+ DEBUG(SSSDBG_FUNC_DATA,
|
||||||
|
+ "TRUST_DIRECTION_OUTBOUND not set for [%s].\n",
|
||||||
|
+ value);
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ sd_out[num_sd_out] = subdomains[c];
|
||||||
|
+ num_sd_out++;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ for (c = 0; c < num_sd_out; c++) {
|
||||||
|
+ sd_out[c] = talloc_steal(sd_out, sd_out[c]);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ *_sd_out = sd_out;
|
||||||
|
+ *_num_sd_out = num_sd_out;
|
||||||
|
+
|
||||||
|
+ return EOK;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/* How many times we keep a domain not found during searches before it will be
|
||||||
|
* removed. */
|
||||||
|
#define MAX_NOT_FOUND 6
|
||||||
|
@@ -1125,7 +1211,7 @@ static void ad_get_slave_domain_connect_done(struct tevent_req *subreq)
|
||||||
|
errno_t ret;
|
||||||
|
const char *attrs[] = { AD_AT_FLATNAME, AD_AT_TRUST_PARTNER,
|
||||||
|
AD_AT_SID, AD_AT_TRUST_TYPE,
|
||||||
|
- AD_AT_TRUST_ATTRS, NULL };
|
||||||
|
+ AD_AT_TRUST_ATTRS, AD_AT_TRUST_DIRECTION, NULL };
|
||||||
|
|
||||||
|
req = tevent_req_callback_data(subreq, struct tevent_req);
|
||||||
|
state = tevent_req_data(req, struct ad_get_slave_domain_state);
|
||||||
|
@@ -1333,7 +1419,7 @@ ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
|
||||||
|
struct sdap_options *opts;
|
||||||
|
errno_t ret;
|
||||||
|
const char *attrs[] = { AD_AT_FLATNAME, AD_AT_TRUST_PARTNER,
|
||||||
|
- AD_AT_SID, AD_AT_TRUST_TYPE,
|
||||||
|
+ AD_AT_SID, AD_AT_TRUST_TYPE, AD_AT_TRUST_DIRECTION,
|
||||||
|
AD_AT_TRUST_ATTRS, AD_AT_DOMAIN_NAME, NULL };
|
||||||
|
|
||||||
|
req = tevent_req_create(mem_ctx, &state, struct ad_get_root_domain_state);
|
||||||
|
@@ -1411,13 +1497,15 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
|
||||||
|
struct ad_get_root_domain_state *state;
|
||||||
|
errno_t ret;
|
||||||
|
bool has_changes = false;
|
||||||
|
+ struct sysdb_attrs **unfiltered_reply;
|
||||||
|
+ size_t unfiltered_reply_count;
|
||||||
|
|
||||||
|
req = tevent_req_callback_data(subreq, struct tevent_req);
|
||||||
|
state = tevent_req_data(req, struct ad_get_root_domain_state);
|
||||||
|
|
||||||
|
ret = sdap_search_bases_return_first_recv(subreq, state,
|
||||||
|
- &state->reply_count,
|
||||||
|
- &state->reply);
|
||||||
|
+ &unfiltered_reply_count,
|
||||||
|
+ &unfiltered_reply);
|
||||||
|
talloc_zfree(subreq);
|
||||||
|
if (ret != EOK) {
|
||||||
|
DEBUG(SSSDBG_OP_FAILURE, "Unable to lookup forest root information "
|
||||||
|
@@ -1425,7 +1513,13 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
- find_domain(state->reply_count, state->reply, state->forest);
|
||||||
|
+ ret = ad_filter_domains(state, unfiltered_reply, unfiltered_reply_count,
|
||||||
|
+ &state->reply, &state->reply_count);
|
||||||
|
+ if (ret != EOK) {
|
||||||
|
+ DEBUG(SSSDBG_OP_FAILURE,
|
||||||
|
+ "Failed to filter list of returned domains.\n");
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (state->reply_count == 0
|
||||||
|
|| find_domain(state->reply_count, state->reply,
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
@ -0,0 +1,62 @@
|
|||||||
|
From bb94a18f0f0cba1e9fb5abf78b995d69e5f3c559 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||||
|
Date: Mon, 18 Oct 2021 12:29:06 +0200
|
||||||
|
Subject: [PATCH] cache_req: return success for autofs when ENOENT is returned
|
||||||
|
from provider
|
||||||
|
|
||||||
|
The receive function should return true if data provider lookup was
|
||||||
|
successfull and false if there was an error. "Not found" result is
|
||||||
|
considered a successful lookup, only failure to perform a search
|
||||||
|
should result in false return code.
|
||||||
|
|
||||||
|
Resolves: https://github.com/SSSD/sssd/issues/5832
|
||||||
|
|
||||||
|
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
|
||||||
|
---
|
||||||
|
.../common/cache_req/plugins/cache_req_autofs_entry_by_name.c | 2 +-
|
||||||
|
.../common/cache_req/plugins/cache_req_autofs_map_by_name.c | 2 +-
|
||||||
|
.../common/cache_req/plugins/cache_req_autofs_map_entries.c | 2 +-
|
||||||
|
3 files changed, 3 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
|
||||||
|
index 0dc6a585a..788b6708c 100644
|
||||||
|
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
|
||||||
|
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c
|
||||||
|
@@ -97,7 +97,7 @@ cache_req_autofs_entry_by_name_dp_recv(struct tevent_req *subreq,
|
||||||
|
|
||||||
|
ret = sbus_call_dp_autofs_GetEntry_recv(subreq);
|
||||||
|
|
||||||
|
- if (ret == ERR_MISSING_DP_TARGET) {
|
||||||
|
+ if (ret == ERR_MISSING_DP_TARGET || ret == ENOENT) {
|
||||||
|
ret = EOK;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
|
||||||
|
index 6a665c58e..5d82641cc 100644
|
||||||
|
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
|
||||||
|
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c
|
||||||
|
@@ -93,7 +93,7 @@ cache_req_autofs_map_by_name_dp_recv(struct tevent_req *subreq,
|
||||||
|
|
||||||
|
ret = sbus_call_dp_autofs_GetMap_recv(subreq);
|
||||||
|
|
||||||
|
- if (ret == ERR_MISSING_DP_TARGET) {
|
||||||
|
+ if (ret == ERR_MISSING_DP_TARGET || ret == ENOENT) {
|
||||||
|
ret = EOK;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
|
||||||
|
index 46776b980..29f289723 100644
|
||||||
|
--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
|
||||||
|
+++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c
|
||||||
|
@@ -125,7 +125,7 @@ cache_req_autofs_map_entries_dp_recv(struct tevent_req *subreq,
|
||||||
|
|
||||||
|
ret = sbus_call_dp_autofs_Enumerate_recv(subreq);
|
||||||
|
|
||||||
|
- if (ret == ERR_MISSING_DP_TARGET) {
|
||||||
|
+ if (ret == ERR_MISSING_DP_TARGET || ret == ENOENT) {
|
||||||
|
ret = EOK;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
@ -0,0 +1,81 @@
|
|||||||
|
From 01ff8155baea989c42664985ea939cb93beb31e7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||||
|
Date: Fri, 1 Oct 2021 18:01:21 +0200
|
||||||
|
Subject: [PATCH] MONITOR: reduce logs severity around signalling and
|
||||||
|
termination of services to avoid useless in those cases backtraces
|
||||||
|
|
||||||
|
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||||
|
---
|
||||||
|
src/monitor/monitor.c | 18 +++++++++---------
|
||||||
|
1 file changed, 9 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
|
||||||
|
index 42def7451..b5fee7e7a 100644
|
||||||
|
--- a/src/monitor/monitor.c
|
||||||
|
+++ b/src/monitor/monitor.c
|
||||||
|
@@ -655,7 +655,7 @@ static int service_signal(struct mt_svc *svc,
|
||||||
|
* order a service to reload that hasn't started
|
||||||
|
* yet.
|
||||||
|
*/
|
||||||
|
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||||
|
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||||
|
"Could not signal service [%s].\n", svc->name);
|
||||||
|
return EIO;
|
||||||
|
}
|
||||||
|
@@ -684,8 +684,8 @@ static void service_signal_done(struct tevent_req *req)
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
- DEBUG(SSSDBG_FATAL_FAILURE, "Unable to signal service [%d]: %s\n",
|
||||||
|
- ret, sss_strerror(ret));
|
||||||
|
+ DEBUG(ret == ENOENT ? SSSDBG_MINOR_FAILURE : SSSDBG_OP_FAILURE,
|
||||||
|
+ "Unable to signal service [%d]: %s\n", ret, sss_strerror(ret));
|
||||||
|
}
|
||||||
|
|
||||||
|
static int service_signal_dns_reload(struct mt_svc *svc)
|
||||||
|
@@ -1363,14 +1363,14 @@ static void monitor_quit(struct mt_ctx *mt_ctx, int ret)
|
||||||
|
}
|
||||||
|
|
||||||
|
killed = false;
|
||||||
|
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||||
|
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||||
|
"Terminating [%s][%d]\n", svc->name, svc->pid);
|
||||||
|
do {
|
||||||
|
errno = 0;
|
||||||
|
kret = kill(-svc->pid, SIGTERM);
|
||||||
|
if (kret < 0) {
|
||||||
|
error = errno;
|
||||||
|
- DEBUG(SSSDBG_CRIT_FAILURE, "Couldn't kill [%s][%d]: [%s]\n",
|
||||||
|
+ DEBUG(SSSDBG_MINOR_FAILURE, "Couldn't terminate [%s][%d]: [%s]\n",
|
||||||
|
svc->name, svc->pid, strerror(error));
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1384,7 +1384,7 @@ static void monitor_quit(struct mt_ctx *mt_ctx, int ret)
|
||||||
|
if (error == ECHILD) {
|
||||||
|
killed = true;
|
||||||
|
} else if (error != EINTR) {
|
||||||
|
- DEBUG(SSSDBG_FATAL_FAILURE,
|
||||||
|
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||||
|
"[%d][%s] while waiting for [%s]\n",
|
||||||
|
error, strerror(error), svc->name);
|
||||||
|
/* Forcibly kill this child */
|
||||||
|
@@ -1394,13 +1394,13 @@ static void monitor_quit(struct mt_ctx *mt_ctx, int ret)
|
||||||
|
} else if (pid != 0) {
|
||||||
|
error = 0;
|
||||||
|
if (WIFEXITED(status)) {
|
||||||
|
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||||
|
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||||
|
"Child [%s] exited gracefully\n", svc->name);
|
||||||
|
} else if (WIFSIGNALED(status)) {
|
||||||
|
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||||
|
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||||
|
"Child [%s] terminated with a signal\n", svc->name);
|
||||||
|
} else {
|
||||||
|
- DEBUG(SSSDBG_CRIT_FAILURE,
|
||||||
|
+ DEBUG(SSSDBG_IMPORTANT_INFO,
|
||||||
|
"Child [%s] did not exit cleanly\n", svc->name);
|
||||||
|
/* Forcibly kill this child */
|
||||||
|
kill(-svc->pid, SIGKILL);
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
145
SOURCES/0006-DEBUG-avoid-backtrace-dups.patch
Normal file
145
SOURCES/0006-DEBUG-avoid-backtrace-dups.patch
Normal file
@ -0,0 +1,145 @@
|
|||||||
|
From bb8da4303851642318b626aad507ab7c39f6a80d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||||
|
Date: Mon, 1 Nov 2021 20:09:02 +0100
|
||||||
|
Subject: [PATCH] DEBUG: avoid backtrace dups.
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
In case the same error(s) is repeated again and again repeating the same
|
||||||
|
backtrace doesn't add much value. In this case let's add just a note.
|
||||||
|
|
||||||
|
Reviewed-by: Tomáš Halman <thalman@redhat.com>
|
||||||
|
---
|
||||||
|
src/util/debug.c | 4 +--
|
||||||
|
src/util/debug_backtrace.c | 51 +++++++++++++++++++++++++++++++++++---
|
||||||
|
2 files changed, 50 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/util/debug.c b/src/util/debug.c
|
||||||
|
index 7c03fb7df..953123718 100644
|
||||||
|
--- a/src/util/debug.c
|
||||||
|
+++ b/src/util/debug.c
|
||||||
|
@@ -42,7 +42,7 @@
|
||||||
|
void sss_debug_backtrace_init(void);
|
||||||
|
void sss_debug_backtrace_vprintf(int level, const char *format, va_list ap);
|
||||||
|
void sss_debug_backtrace_printf(int level, const char *format, ...);
|
||||||
|
-void sss_debug_backtrace_endmsg(int level);
|
||||||
|
+void sss_debug_backtrace_endmsg(const char *file, long line, int level);
|
||||||
|
|
||||||
|
const char *debug_prg_name = "sssd";
|
||||||
|
|
||||||
|
@@ -359,7 +359,7 @@ void sss_vdebug_fn(const char *file,
|
||||||
|
if (flags & APPEND_LINE_FEED) {
|
||||||
|
sss_debug_backtrace_printf(level, "\n");
|
||||||
|
}
|
||||||
|
- sss_debug_backtrace_endmsg(level);
|
||||||
|
+ sss_debug_backtrace_endmsg(file, line, level);
|
||||||
|
}
|
||||||
|
|
||||||
|
void sss_debug_fn(const char *file,
|
||||||
|
diff --git a/src/util/debug_backtrace.c b/src/util/debug_backtrace.c
|
||||||
|
index d99325ab6..e376f815b 100644
|
||||||
|
--- a/src/util/debug_backtrace.c
|
||||||
|
+++ b/src/util/debug_backtrace.c
|
||||||
|
@@ -30,6 +30,9 @@ extern FILE *_sss_debug_file;
|
||||||
|
static const unsigned SSS_DEBUG_BACKTRACE_DEFAULT_SIZE = 100*1024; /* bytes */
|
||||||
|
static const unsigned SSS_DEBUG_BACKTRACE_LEVEL = SSSDBG_BE_FO;
|
||||||
|
|
||||||
|
+/* Size of locations history to keep to avoid duplicating backtraces */
|
||||||
|
+#define SSS_DEBUG_BACKTRACE_LOCATIONS 5
|
||||||
|
+
|
||||||
|
|
||||||
|
/* -->
|
||||||
|
* ring buffer = [*******t...\n............e000]
|
||||||
|
@@ -46,12 +49,21 @@ static struct {
|
||||||
|
char *buffer; /* buffer start */
|
||||||
|
char *end; /* end data border */
|
||||||
|
char *tail; /* tail of "current" message */
|
||||||
|
+
|
||||||
|
+ /* locations where last backtraces happened */
|
||||||
|
+ struct {
|
||||||
|
+ const char *file;
|
||||||
|
+ long line;
|
||||||
|
+ } locations[SSS_DEBUG_BACKTRACE_LOCATIONS];
|
||||||
|
+ unsigned last_location_idx;
|
||||||
|
} _bt;
|
||||||
|
|
||||||
|
|
||||||
|
static inline bool _all_levels_enabled(void);
|
||||||
|
static inline bool _backtrace_is_enabled(int level);
|
||||||
|
static inline bool _is_trigger_level(int level);
|
||||||
|
+static void _store_location(const char *file, long line);
|
||||||
|
+static bool _is_recent_location(const char *file, long line);
|
||||||
|
static void _backtrace_vprintf(const char *format, va_list ap);
|
||||||
|
static void _backtrace_printf(const char *format, ...);
|
||||||
|
static void _backtrace_dump(void);
|
||||||
|
@@ -75,6 +87,8 @@ void sss_debug_backtrace_init(void)
|
||||||
|
_bt.enabled = true;
|
||||||
|
_bt.initialized = true;
|
||||||
|
|
||||||
|
+ /* locations[] & last_location_idx are zero-initialized */
|
||||||
|
+
|
||||||
|
_backtrace_printf(" * ");
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -116,7 +130,7 @@ void sss_debug_backtrace_printf(int level, const char *format, ...)
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
-void sss_debug_backtrace_endmsg(int level)
|
||||||
|
+void sss_debug_backtrace_endmsg(const char *file, long line, int level)
|
||||||
|
{
|
||||||
|
if (DEBUG_IS_SET(level)) {
|
||||||
|
_debug_fflush();
|
||||||
|
@@ -124,7 +138,16 @@ void sss_debug_backtrace_endmsg(int level)
|
||||||
|
|
||||||
|
if (_backtrace_is_enabled(level)) {
|
||||||
|
if (_is_trigger_level(level)) {
|
||||||
|
- _backtrace_dump();
|
||||||
|
+ if (!_is_recent_location(file, line)) {
|
||||||
|
+ _backtrace_dump();
|
||||||
|
+ _store_location(file, line);
|
||||||
|
+ } else {
|
||||||
|
+ fprintf(_sss_debug_file ? _sss_debug_file : stderr,
|
||||||
|
+ " * ... skipping repetitive backtrace ...\n");
|
||||||
|
+ /* and reset */
|
||||||
|
+ _bt.end = _bt.buffer;
|
||||||
|
+ _bt.tail = _bt.buffer;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
_backtrace_printf(" * ");
|
||||||
|
}
|
||||||
|
@@ -191,7 +214,29 @@ static inline bool _backtrace_is_enabled(int level)
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
- /* prints to buffer */
|
||||||
|
+static void _store_location(const char *file, long line)
|
||||||
|
+{
|
||||||
|
+ _bt.last_location_idx = (_bt.last_location_idx + 1) % SSS_DEBUG_BACKTRACE_LOCATIONS;
|
||||||
|
+ /* __FILE__ is a character string literal with static storage duration. */
|
||||||
|
+ _bt.locations[_bt.last_location_idx].file = file;
|
||||||
|
+ _bt.locations[_bt.last_location_idx].line = line;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+static bool _is_recent_location(const char *file, long line)
|
||||||
|
+{
|
||||||
|
+ for (unsigned idx = 0; idx < SSS_DEBUG_BACKTRACE_LOCATIONS; ++idx) {
|
||||||
|
+ if ((line == _bt.locations[idx].line) &&
|
||||||
|
+ (_bt.locations[idx].file != NULL) &&
|
||||||
|
+ (strcmp(file, _bt.locations[idx].file) == 0)) {
|
||||||
|
+ return true;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ return false;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+/* prints to buffer */
|
||||||
|
static void _backtrace_vprintf(const char *format, va_list ap)
|
||||||
|
{
|
||||||
|
int buff_tail_size = _bt.size - (_bt.tail - _bt.buffer);
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
@ -0,0 +1,131 @@
|
|||||||
|
From 26654d3e5f5882dd1681116cb49228d108351d48 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Thu, 12 Aug 2021 09:27:57 +0200
|
||||||
|
Subject: [PATCH] cache_req: cache_first fix for fully-qualified names
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
With commit b572871236a7f9059d375a5ab1bff8cbfd519956 "cache_req:
|
||||||
|
introduce cache_behavior enumeration" the processing of cache and
|
||||||
|
backend lookups was refactored. Unfortunately this introduce an issue
|
||||||
|
when looking up users or groups with a fully-qualified name and the
|
||||||
|
'cache_first = True' option is set.
|
||||||
|
|
||||||
|
In the old code the case when a domain name is available was handle
|
||||||
|
before the cache_first first option was evaluated and cache_req was
|
||||||
|
instructed to first look in the cache and then call the backend if the
|
||||||
|
object is not available or expired, i.e. the default behavior. Since
|
||||||
|
only a single domain is involved this is in agreement with 'cache_first
|
||||||
|
= True' and only a single iteration is needed.
|
||||||
|
|
||||||
|
In the new code the cache_first option is evaluated before the presence
|
||||||
|
of a domain name is checked and as a result even for single domain
|
||||||
|
searches the first cache_req iteration is only looking at the cache and
|
||||||
|
will not call the backend. This means the now for searches with a
|
||||||
|
fully-qualified name a second iteration is needed if the object was not
|
||||||
|
found in the cache.
|
||||||
|
|
||||||
|
Unfortunately the old exit condition that if a domain name is present
|
||||||
|
only a single iteration is needed is still present in the new code which
|
||||||
|
effectively makes requests with fully-qualified named only search the
|
||||||
|
cache and never call the backends. This patch removes the exit condition
|
||||||
|
and does a second iteration for fully-qualified names as well if
|
||||||
|
'cache_first = True' is set.
|
||||||
|
|
||||||
|
Resolves: https://github.com/SSSD/sssd/issues/5744
|
||||||
|
|
||||||
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||||
|
---
|
||||||
|
src/responder/common/cache_req/cache_req.c | 3 +-
|
||||||
|
src/tests/cmocka/test_responder_cache_req.c | 53 +++++++++++++++++++++
|
||||||
|
2 files changed, 54 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
|
||||||
|
index 750d655c1..56ec077f3 100644
|
||||||
|
--- a/src/responder/common/cache_req/cache_req.c
|
||||||
|
+++ b/src/responder/common/cache_req/cache_req.c
|
||||||
|
@@ -1331,8 +1331,7 @@ static errno_t cache_req_select_domains(struct tevent_req *req,
|
||||||
|
|
||||||
|
state = tevent_req_data(req, struct cache_req_state);
|
||||||
|
|
||||||
|
- if ((state->cr->cache_behavior != CACHE_REQ_CACHE_FIRST)
|
||||||
|
- || (domain_name != NULL)) {
|
||||||
|
+ if (state->cr->cache_behavior != CACHE_REQ_CACHE_FIRST) {
|
||||||
|
|
||||||
|
if (!state->first_iteration) {
|
||||||
|
/* We're done here. */
|
||||||
|
diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c
|
||||||
|
index 5cf7660e7..27a525f6e 100644
|
||||||
|
--- a/src/tests/cmocka/test_responder_cache_req.c
|
||||||
|
+++ b/src/tests/cmocka/test_responder_cache_req.c
|
||||||
|
@@ -992,6 +992,56 @@ void test_user_by_name_missing_notfound(void **state)
|
||||||
|
assert_true(test_ctx->dp_called);
|
||||||
|
}
|
||||||
|
|
||||||
|
+void test_user_by_name_missing_notfound_cache_first(void **state)
|
||||||
|
+{
|
||||||
|
+ struct cache_req_test_ctx *test_ctx = NULL;
|
||||||
|
+
|
||||||
|
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
|
||||||
|
+ test_ctx->rctx->cache_first = true;
|
||||||
|
+
|
||||||
|
+ /* Mock values. */
|
||||||
|
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
|
||||||
|
+ mock_account_recv_simple();
|
||||||
|
+ mock_parse_inp(users[0].short_name, NULL, ERR_OK);
|
||||||
|
+
|
||||||
|
+ /* Test. */
|
||||||
|
+ run_user_by_name(test_ctx, test_ctx->tctx->dom, 0, ENOENT);
|
||||||
|
+ assert_true(test_ctx->dp_called);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+void test_user_by_name_missing_notfound_full_name(void **state)
|
||||||
|
+{
|
||||||
|
+ struct cache_req_test_ctx *test_ctx = NULL;
|
||||||
|
+
|
||||||
|
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
|
||||||
|
+
|
||||||
|
+ /* Mock values. */
|
||||||
|
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
|
||||||
|
+ mock_account_recv_simple();
|
||||||
|
+ mock_parse_inp(users[0].short_name, TEST_DOM_NAME, ERR_OK);
|
||||||
|
+
|
||||||
|
+ /* Test. */
|
||||||
|
+ run_user_by_name(test_ctx, test_ctx->tctx->dom, 0, ENOENT);
|
||||||
|
+ assert_true(test_ctx->dp_called);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+void test_user_by_name_missing_notfound_cache_first_full_name(void **state)
|
||||||
|
+{
|
||||||
|
+ struct cache_req_test_ctx *test_ctx = NULL;
|
||||||
|
+
|
||||||
|
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
|
||||||
|
+ test_ctx->rctx->cache_first = true;
|
||||||
|
+
|
||||||
|
+ /* Mock values. */
|
||||||
|
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
|
||||||
|
+ mock_account_recv_simple();
|
||||||
|
+ mock_parse_inp(users[0].short_name, TEST_DOM_NAME, ERR_OK);
|
||||||
|
+
|
||||||
|
+ /* Test. */
|
||||||
|
+ run_user_by_name(test_ctx, test_ctx->tctx->dom, 0, ENOENT);
|
||||||
|
+ assert_true(test_ctx->dp_called);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
void test_user_by_name_multiple_domains_requested_domains_found(void **state)
|
||||||
|
{
|
||||||
|
struct cache_req_test_ctx *test_ctx = NULL;
|
||||||
|
@@ -4255,6 +4305,9 @@ int main(int argc, const char *argv[])
|
||||||
|
new_single_domain_test(user_by_name_ncache),
|
||||||
|
new_single_domain_test(user_by_name_missing_found),
|
||||||
|
new_single_domain_test(user_by_name_missing_notfound),
|
||||||
|
+ new_single_domain_test(user_by_name_missing_notfound_cache_first),
|
||||||
|
+ new_single_domain_test(user_by_name_missing_notfound_full_name),
|
||||||
|
+ new_single_domain_test(user_by_name_missing_notfound_cache_first_full_name),
|
||||||
|
new_multi_domain_test(user_by_name_multiple_domains_found),
|
||||||
|
new_multi_domain_test(user_by_name_multiple_domains_notfound),
|
||||||
|
new_multi_domain_test(user_by_name_multiple_domains_parse),
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
@ -19,7 +19,7 @@
|
|||||||
|
|
||||||
Name: sssd
|
Name: sssd
|
||||||
Version: 2.5.2
|
Version: 2.5.2
|
||||||
Release: 2%{?dist}
|
Release: 2%{?dist}.2
|
||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
Summary: System Security Services Daemon
|
Summary: System Security Services Daemon
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
@ -29,6 +29,11 @@ Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{versio
|
|||||||
### Patches ###
|
### Patches ###
|
||||||
Patch0001: 0001-TOOLS-replace-system-with-execvp.patch
|
Patch0001: 0001-TOOLS-replace-system-with-execvp.patch
|
||||||
Patch0002: 0002-po-update-translations.patch
|
Patch0002: 0002-po-update-translations.patch
|
||||||
|
Patch0003: 0003-ad-filter-trusted-domains.patch
|
||||||
|
Patch0004: 0004-cache_req-return-success-for-autofs-when-ENOENT-is-r.patch
|
||||||
|
Patch0005: 0005-MONITOR-reduce-logs-severity-around-signalling-and-t.patch
|
||||||
|
Patch0006: 0006-DEBUG-avoid-backtrace-dups.patch
|
||||||
|
Patch0007: 0007-cache_req-cache_first-fix-for-fully-qualified-names.patch
|
||||||
|
|
||||||
### Downstream Patches ###
|
### Downstream Patches ###
|
||||||
|
|
||||||
@ -137,6 +142,7 @@ Conflicts: selinux-policy < 3.10.0-46
|
|||||||
Conflicts: sssd < 1.10.0-8%{?dist}.beta2
|
Conflicts: sssd < 1.10.0-8%{?dist}.beta2
|
||||||
# sssd-libwbclient is removed from RHEL8 starting 8.5 that is based on sssd-2.5
|
# sssd-libwbclient is removed from RHEL8 starting 8.5 that is based on sssd-2.5
|
||||||
Obsoletes: sssd-libwbclient < 2.5.0
|
Obsoletes: sssd-libwbclient < 2.5.0
|
||||||
|
Obsoletes: sssd-libwbclient-debuginfo < 2.5.0
|
||||||
# Requires
|
# Requires
|
||||||
# Explicitly require RHEL-8.0 versions of the Samba libraries
|
# Explicitly require RHEL-8.0 versions of the Samba libraries
|
||||||
# in order to prevent untested combinations of a new SSSD and
|
# in order to prevent untested combinations of a new SSSD and
|
||||||
@ -1144,6 +1150,15 @@ fi
|
|||||||
%systemd_postun_with_restart sssd.service
|
%systemd_postun_with_restart sssd.service
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Nov 29 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-2.2
|
||||||
|
- Resolves: rhbz#2018440 - 2.5.x based SSSD adds more AD domains than it should based on the configuration file (not trusted and from a different forest) [rhel-8.5.0.z]
|
||||||
|
- Resolves: rhbz#2016923 - autofs lookups for unknown mounts are delayed for 50s [rhel-8.5.0.z]
|
||||||
|
- Resolves: rhbz#2021499 - Make backtrace less "chatty" (avoid duplicate backtraces) [rhel-8.5.0.z]
|
||||||
|
- Resolves: rhbz#2013379 - Lookup with fully-qualified name does not work with 'cache_first = True' [rhel-8.5.0.z]
|
||||||
|
|
||||||
|
* Mon Oct 18 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-2.1
|
||||||
|
- Resolves: rhbz#2014460 - tps tests fail with cross dependency on sssd debuginfo package: removal of 'sssd-libwbclient-debuginfo' is missing [rhel-8.5.0.z]
|
||||||
|
|
||||||
* Mon Aug 02 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-2
|
* Mon Aug 02 2021 Alexey Tikhonov <atikhono@redhat.com> - 2.5.2-2
|
||||||
- Resolves: rhbz#1975169 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-8]
|
- Resolves: rhbz#1975169 - EMBARGOED CVE-2021-3621 sssd: shell command injection in sssctl [rhel-8]
|
||||||
- Resolves: rhbz#1962042 - [sssd] RHEL 8.5 Tier 0 Localization
|
- Resolves: rhbz#1962042 - [sssd] RHEL 8.5 Tier 0 Localization
|
||||||
|
Loading…
Reference in New Issue
Block a user