sssd-2.5.0-2: Fix KCM regression on long upgrade path
Resolves: rhbz#1962006
This commit is contained in:
parent
0f12c3fbb3
commit
f224e547f4
@ -0,0 +1,49 @@
|
||||
From 9b017dbc80cf09b3a2d7e09f771faf70d4538b4f Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
||||
Date: Thu, 13 May 2021 12:18:24 +0200
|
||||
Subject: [PATCH 1/5] KCM: return KRB5_FCC_INTERNAL for unknown or not
|
||||
implemented operation
|
||||
|
||||
sssd-kcm should follow Heimdal's return codes. Heimdal returns `KRB5_FCC_INTERNAL`
|
||||
for cases where operation code is not known or not implemented. See:
|
||||
|
||||
* https://github.com/heimdal/heimdal/blob/master/kcm/protocol.c#L1785
|
||||
* https://github.com/heimdal/heimdal/blob/master/kcm/protocol.c#L1792
|
||||
|
||||
We returned different codes before this patch which makes Kerberos to differentiate
|
||||
between Heimdal and sssd implementation. This leads to errors like:
|
||||
|
||||
* https://github.com/krb5/krb5/pull/1178#issuecomment-838289703
|
||||
|
||||
Resolves: https://github.com/SSSD/sssd/issues/5628
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
---
|
||||
src/responder/kcm/kcmsrv_cmd.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c
|
||||
index 6b11b184124c7cb17be2c7858afda3d56a4dcea6..3ad17ef431bb3d42b39f56d04c97acfc25f06d2f 100644
|
||||
--- a/src/responder/kcm/kcmsrv_cmd.c
|
||||
+++ b/src/responder/kcm/kcmsrv_cmd.c
|
||||
@@ -197,7 +197,7 @@ static errno_t kcm_input_parse(struct kcm_reqbuf *reqbuf,
|
||||
if (op_io->op == NULL) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"Did not find a KCM operation handler for the requested opcode\n");
|
||||
- return ERR_KCM_MALFORMED_IN_PKT;
|
||||
+ return ERR_KCM_OP_NOT_IMPLEMENTED;
|
||||
}
|
||||
|
||||
/* The operation only receives the payload, not the opcode or the protocol info */
|
||||
@@ -643,7 +643,7 @@ krb5_error_code sss2krb5_error(errno_t err)
|
||||
case EACCES:
|
||||
return KRB5_FCC_PERM;
|
||||
case ERR_KCM_OP_NOT_IMPLEMENTED:
|
||||
- return KRB5_CC_NOSUPP;
|
||||
+ return KRB5_FCC_INTERNAL;
|
||||
case ERR_WRONG_NAME_FORMAT:
|
||||
return KRB5_CC_BADNAME;
|
||||
case ERR_NO_MATCHING_CREDS:
|
||||
--
|
||||
2.30.2
|
||||
|
104
0002-SECRETS-Resolve-mkey-path-correctly.patch
Normal file
104
0002-SECRETS-Resolve-mkey-path-correctly.patch
Normal file
@ -0,0 +1,104 @@
|
||||
From dbde4e692e34d3ff8233ac17a5eae5a062637e48 Mon Sep 17 00:00:00 2001
|
||||
From: Justin Stephenson <jstephen@redhat.com>
|
||||
Date: Wed, 19 May 2021 10:54:52 -0400
|
||||
Subject: [PATCH 2/5] SECRETS: Resolve mkey path correctly
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Use the correct master key path for the secrets database,
|
||||
fixing an issue on upgrade.
|
||||
|
||||
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
|
||||
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
||||
---
|
||||
src/tests/cmocka/test_kcm_renewals.c | 3 ++-
|
||||
src/util/secrets/secrets.c | 10 ++++++----
|
||||
src/util/secrets/secrets.h | 1 +
|
||||
3 files changed, 9 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/tests/cmocka/test_kcm_renewals.c b/src/tests/cmocka/test_kcm_renewals.c
|
||||
index f508bab005ff916a8f2a453670c137a56ac9ba46..53ce558be22cffb486d593bbc8c021b91e8fb2fa 100644
|
||||
--- a/src/tests/cmocka/test_kcm_renewals.c
|
||||
+++ b/src/tests/cmocka/test_kcm_renewals.c
|
||||
@@ -37,6 +37,7 @@
|
||||
#define TESTS_PATH "tp_" BASE_FILE_STEM
|
||||
#define TEST_CONF_DB "test_kcm_renewals_conf.ldb"
|
||||
#define TEST_DB_FULL_PATH TESTS_PATH "/secrets.ldb"
|
||||
+#define TEST_MKEY_FULL_PATH TESTS_PATH "/.secrets.mkey"
|
||||
|
||||
errno_t kcm_renew_all_tgts(TALLOC_CTX *mem_ctx,
|
||||
struct kcm_renew_tgt_ctx *renew_tgt_ctx,
|
||||
@@ -199,7 +200,7 @@ static void test_kcm_renewals_tgt(void **state)
|
||||
open(TEST_DB_FULL_PATH, O_CREAT|O_EXCL|O_WRONLY, 0600);
|
||||
|
||||
ret = sss_sec_init_with_path(test_ctx->ccdb, NULL, TEST_DB_FULL_PATH,
|
||||
- &secdb->sctx);
|
||||
+ TEST_MKEY_FULL_PATH, &secdb->sctx);
|
||||
|
||||
/* Create renew ctx */
|
||||
renew_tgt_ctx = talloc_zero(test_ctx, struct kcm_renew_tgt_ctx);
|
||||
diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c
|
||||
index 42df14aa9c6265cbd723f826ce47f35529c4be10..2801eb24263ef8116a7afc294ee91a863295f5be 100644
|
||||
--- a/src/util/secrets/secrets.c
|
||||
+++ b/src/util/secrets/secrets.c
|
||||
@@ -634,13 +634,13 @@ static int generate_master_key(const char *filename, size_t size)
|
||||
}
|
||||
|
||||
static errno_t lcl_read_mkey(TALLOC_CTX *mem_ctx,
|
||||
- const char *dbpath,
|
||||
+ const char *mkeypath,
|
||||
struct sss_sec_data *master_key)
|
||||
{
|
||||
int mfd;
|
||||
ssize_t size;
|
||||
errno_t ret;
|
||||
- const char *mkey = dbpath;
|
||||
+ const char *mkey = mkeypath;
|
||||
|
||||
master_key->data = talloc_size(mem_ctx, MKEY_SIZE);
|
||||
if (master_key->data == NULL) {
|
||||
@@ -703,6 +703,7 @@ static int set_quotas(struct sss_sec_ctx *sec_ctx,
|
||||
errno_t sss_sec_init_with_path(TALLOC_CTX *mem_ctx,
|
||||
struct sss_sec_hive_config **config_list,
|
||||
const char *dbpath,
|
||||
+ const char *mkeypath,
|
||||
struct sss_sec_ctx **_sec_ctx)
|
||||
{
|
||||
struct sss_sec_ctx *sec_ctx;
|
||||
@@ -746,7 +747,7 @@ errno_t sss_sec_init_with_path(TALLOC_CTX *mem_ctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- ret = lcl_read_mkey(sec_ctx, dbpath, &sec_ctx->master_key);
|
||||
+ ret = lcl_read_mkey(sec_ctx, mkeypath, &sec_ctx->master_key);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_OP_FAILURE, "Cannot get the master key\n");
|
||||
goto done;
|
||||
@@ -764,9 +765,10 @@ errno_t sss_sec_init(TALLOC_CTX *mem_ctx,
|
||||
struct sss_sec_ctx **_sec_ctx)
|
||||
{
|
||||
const char *dbpath = SECRETS_DB_PATH"/secrets.ldb";
|
||||
+ const char *mkeypath = SECRETS_DB_PATH"/.secrets.mkey";
|
||||
errno_t ret;
|
||||
|
||||
- ret = sss_sec_init_with_path(mem_ctx, config_list, dbpath, _sec_ctx);
|
||||
+ ret = sss_sec_init_with_path(mem_ctx, config_list, dbpath, mkeypath, _sec_ctx);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to initialize secdb [%d]: %s\n",
|
||||
ret, sss_strerror(ret));
|
||||
diff --git a/src/util/secrets/secrets.h b/src/util/secrets/secrets.h
|
||||
index a15b99ffec6d1810e0c0cf815ed48d118ba2a08c..958f0824b5c89d8cafc249c7ac123ed999931347 100644
|
||||
--- a/src/util/secrets/secrets.h
|
||||
+++ b/src/util/secrets/secrets.h
|
||||
@@ -83,6 +83,7 @@ errno_t sss_sec_init(TALLOC_CTX *mem_ctx,
|
||||
errno_t sss_sec_init_with_path(TALLOC_CTX *mem_ctx,
|
||||
struct sss_sec_hive_config **config_list,
|
||||
const char *dbpath,
|
||||
+ const char *mkeypath,
|
||||
struct sss_sec_ctx **_sec_ctx);
|
||||
|
||||
errno_t sss_sec_new_req(TALLOC_CTX *mem_ctx,
|
||||
--
|
||||
2.30.2
|
||||
|
51
0003-UTIL-SECRETS-mistype-fix.patch
Normal file
51
0003-UTIL-SECRETS-mistype-fix.patch
Normal file
@ -0,0 +1,51 @@
|
||||
From 9777427facccbbe45c855b0319258335dffb986a Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Tue, 18 May 2021 12:04:01 +0200
|
||||
Subject: [PATCH 3/5] UTIL/SECRETS: mistype fix
|
||||
|
||||
Wrong variable was tested after mem allocation.
|
||||
|
||||
Also fixes following covscan issues:
|
||||
```
|
||||
Error: DEADCODE (CWE-561):
|
||||
sssd-2.5.0/src/util/secrets/secrets.c:1004: cond_notnull: Condition "uuid_list == NULL", taking false branch. Now the value of "uuid_list" is not "NULL".
|
||||
sssd-2.5.0/src/util/secrets/secrets.c:1010: notnull: At condition "uuid_list == NULL", the value of "uuid_list" cannot be "NULL".
|
||||
sssd-2.5.0/src/util/secrets/secrets.c:1010: dead_error_condition: The condition "uuid_list == NULL" cannot be true.
|
||||
sssd-2.5.0/src/util/secrets/secrets.c:1011: dead_error_begin: Execution cannot reach this statement: "ret = 12;".
|
||||
# 1009| uid_list = talloc_zero_array(tmp_ctx, const char *, res->count);
|
||||
# 1010| if (uuid_list == NULL) {
|
||||
# 1011|-> ret = ENOMEM;
|
||||
# 1012| goto done;
|
||||
# 1013| }
|
||||
```
|
||||
|
||||
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
|
||||
---
|
||||
src/util/secrets/secrets.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/util/secrets/secrets.c b/src/util/secrets/secrets.c
|
||||
index 2801eb24263ef8116a7afc294ee91a863295f5be..6e99e291dd355cc69b0d872f53624ca3446e18ad 100644
|
||||
--- a/src/util/secrets/secrets.c
|
||||
+++ b/src/util/secrets/secrets.c
|
||||
@@ -1002,14 +1002,14 @@ errno_t sss_sec_list_cc_uuids(TALLOC_CTX *mem_ctx,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- uuid_list = talloc_zero_array(tmp_ctx, const char *, res->count);
|
||||
+ uuid_list = talloc_zero_array(tmp_ctx, const char *, res->count);
|
||||
if (uuid_list == NULL) {
|
||||
ret = ENOMEM;
|
||||
goto done;
|
||||
}
|
||||
|
||||
- uid_list = talloc_zero_array(tmp_ctx, const char *, res->count);
|
||||
- if (uuid_list == NULL) {
|
||||
+ uid_list = talloc_zero_array(tmp_ctx, const char *, res->count);
|
||||
+ if (uid_list == NULL) {
|
||||
ret = ENOMEM;
|
||||
goto done;
|
||||
}
|
||||
--
|
||||
2.30.2
|
||||
|
10
sssd.spec
10
sssd.spec
@ -27,7 +27,7 @@
|
||||
|
||||
Name: sssd
|
||||
Version: 2.5.0
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
URL: https://github.com/SSSD/sssd/
|
||||
@ -35,6 +35,10 @@ Source0: https://github.com/SSSD/sssd/releases/download/2.5.0/sssd-2.5.0.tar.gz
|
||||
|
||||
### Patches ###
|
||||
|
||||
Patch0001: 0001-KCM-return-KRB5_FCC_INTERNAL-for-unknown-or-not-impl.patch
|
||||
Patch0002: 0002-SECRETS-Resolve-mkey-path-correctly.patch
|
||||
Patch0003: 0003-UTIL-SECRETS-mistype-fix.patch
|
||||
|
||||
### Dependencies ###
|
||||
|
||||
Requires: sssd-ad = %{version}-%{release}
|
||||
@ -998,6 +1002,10 @@ fi
|
||||
%systemd_postun_with_restart sssd.service
|
||||
|
||||
%changelog
|
||||
* Wed May 19 2021 Pavel Březina <pbrezina@redhat.com> - 2.5.0-2
|
||||
- Fix regression in sssd-kcm when upgrading from 2.4.0 directly to 2.5.0
|
||||
- Return correct error code for unknown/unsupported operations in sssd-kcm
|
||||
|
||||
* Mon May 10 2021 Pavel Březina <pbrezina@redhat.com> - 2.5.0-1
|
||||
- Rebase to SSSD 2.5.0
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user