Resolves: upstream#4159 - p11_child should have an option to skip C_WaitForSlotEvent if the PKCS#11 module does not implement it properly

0025-p11_child-check-if-card-is-present-in-wait_for_card.patch

@@ -0,0 +1,86 @@
+From 7b647338a40d701c6a5bb51c48c10a31a6b72699 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 30 Jan 2020 13:14:14 +0100
+Subject: [PATCH 25/26] p11_child: check if card is present in wait_for_card()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some implementations of C_WaitForSlotEvent() might return even if no
+card was inserted. So it has to be checked if a card is really present.
+
+Resolves: https://pagure.io/SSSD/sssd/issue/4159
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/p11_child/p11_child_openssl.c | 47 ++++++++++++++++---------------
+ 1 file changed, 25 insertions(+), 22 deletions(-)
+
+diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
+index 56601b117..295715612 100644
+--- a/src/p11_child/p11_child_openssl.c
++++ b/src/p11_child/p11_child_openssl.c
+@@ -1546,35 +1546,38 @@ static errno_t wait_for_card(CK_FUNCTION_LIST *module, CK_SLOT_ID *slot_id)
+     CK_RV rv;
+     CK_SLOT_INFO info;
+ 
+-    rv = module->C_WaitForSlotEvent(wait_flags, slot_id, NULL);
+-    if (rv != CKR_OK) {
+-        if (rv != CKR_FUNCTION_NOT_SUPPORTED) {
++    do {
++        rv = module->C_WaitForSlotEvent(wait_flags, slot_id, NULL);
++        if (rv != CKR_OK && rv != CKR_FUNCTION_NOT_SUPPORTED) {
+             DEBUG(SSSDBG_OP_FAILURE,
+                   "C_WaitForSlotEvent failed [%lu][%s].\n",
+                   rv, p11_kit_strerror(rv));
+             return EIO;
+         }
+ 
+-        /* Poor man's wait */
+-        do {
++        if (rv == CKR_FUNCTION_NOT_SUPPORTED) {
++            /* Poor man's wait */
+             sleep(10);
+-            rv = module->C_GetSlotInfo(*slot_id, &info);
+-            if (rv != CKR_OK) {
+-                DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotInfo failed\n");
+-                return EIO;
+-            }
+-            DEBUG(SSSDBG_TRACE_ALL,
+-                  "Description [%s] Manufacturer [%s] flags [%lu] "
+-                  "removable [%s] token present [%s].\n",
+-                  info.slotDescription, info.manufacturerID, info.flags,
+-                  (info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false",
+-                  (info.flags & CKF_TOKEN_PRESENT) ? "true": "false");
+-            if ((info.flags & CKF_REMOVABLE_DEVICE)
+-                    && (info.flags & CKF_TOKEN_PRESENT)) {
+-                break;
+-            }
+-        } while (true);
+-    }
++        }
++
++        rv = module->C_GetSlotInfo(*slot_id, &info);
++        if (rv != CKR_OK) {
++            DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotInfo failed\n");
++            return EIO;
++        }
++        DEBUG(SSSDBG_TRACE_ALL,
++              "Description [%s] Manufacturer [%s] flags [%lu] "
++              "removable [%s] token present [%s].\n",
++              info.slotDescription, info.manufacturerID, info.flags,
++              (info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false",
++              (info.flags & CKF_TOKEN_PRESENT) ? "true": "false");
++
++        /* Check if really a token is present */
++        if ((info.flags & CKF_REMOVABLE_DEVICE)
++                && (info.flags & CKF_TOKEN_PRESENT)) {
++            break;
++        }
++    } while (true);
+ 
+     return EOK;
+ }
+-- 
+2.20.1
+

0026-PAM-client-only-require-UID-0-for-private-socket.patch

@@ -0,0 +1,37 @@
+From 37780b895199bab991edae6b1eeb91b7b3966bcf Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 6 Feb 2020 14:50:23 +0100
+Subject: [PATCH 26/26] PAM client: only require UID 0 for private socket
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some privileged services like e.g. gdm might only call with UID 0 but
+with a different GID. This patch removes the GID 0 requirement to access
+to private PAM socket so that e.g. gdm can use the wait-for-card option.
+
+Resolves: https://pagure.io/SSSD/sssd/issue/4159
+
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/sss_client/common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/sss_client/common.c b/src/sss_client/common.c
+index 270ca8b54..902438c86 100644
+--- a/src/sss_client/common.c
++++ b/src/sss_client/common.c
+@@ -910,8 +910,8 @@ int sss_pam_make_request(enum sss_cli_command cmd,
+         goto out;
+     }
+ 
+-    /* only root shall use the privileged pipe */
+-    if (getuid() == 0 && getgid() == 0) {
++    /* only UID 0 shall use the privileged pipe */
++    if (getuid() == 0) {
+         socket_name = SSS_PAM_PRIV_SOCKET_NAME;
+         errno = 0;
+         statret = stat(socket_name, &stat_buf);
+-- 
+2.20.1
+

sssd.spec

@@ -36,7 +36,7 @@
 
 Name: sssd
 Version: 2.2.3
-Release: 12%{?dist}
+Release: 13%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://pagure.io/SSSD/sssd/
@@ -67,6 +67,8 @@ Patch0021: 0021-sss_ptr_hash-removed-redundant-check.patch
 Patch0022: 0022-sss_ptr_hash-fixed-memory-leak.patch
 Patch0023: 0023-sss_ptr_hash-internal-refactoring.patch
 Patch0024: 0024-TESTS-added-sss_ptr_hash-unit-test.patch
+Patch0025: 0025-p11_child-check-if-card-is-present-in-wait_for_card.patch
+Patch0026: 0026-PAM-client-only-require-UID-0-for-private-socket.patch
 
 ### Downstream only patches ###
 Patch0502: 0502-SYSTEMD-Use-capabilities.patch
@@ -1096,6 +1098,11 @@ fi
                                 %{_libdir}/%{name}/modules/libwbclient.so
 
 %changelog
+* Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-13
+- Resolves: upstream#4159 - p11_child should have an option to skip
+                            C_WaitForSlotEvent if the PKCS#11 module does not
+                            implement it properly
+
 * Wed Feb 26 2020 Michal Židek <mzidek@redhat.com> - 2.2.3-12
 - Resolves: upstream#4135 - util/sss_ptr_hash.c: potential double free in
                             `sss_ptr_hash_delete_cb()`