packages/sssd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

backport upstream patches

Browse Source 
Signed-off-by: xuraoqing <xuraoqing@huawei.com>
(cherry picked from commit c154fee26edd16d9df9f3125c987f760b80fcbd6)
This commit is contained in:
xuraoqing 2023-08-02 07:38:52 +08:00 committed by openeuler-sync-bot
parent c008433194
commit fb85764afc
7 changed files with 356 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
backport-AD-Do-not-use-the-shortcut-when-filter_groups-is-set.patch Normal file
View File

@ -0,0 +1,68 @@
From c3d6cc9a374bd2d31af9ee35fda8c054fcab7c86 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= <allopez@redhat.com>
Date: Wed, 8 Mar 2023 14:28:54 +0100
Subject: [PATCH] AD: Do not use the shortcut when filter_groups is set.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When using 'id <user>', a shortcut avoids creating the proper group
object but, instead, one where the SID is the group name is created.
This prevents a proper filtering of groups which requires the actual
group name.
Not using the shortcut will retrieve the group names and the filtering
will work.
Resolves: https://github.com/SSSD/sssd/issues/6617
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference:https://github.com/SSSD/sssd/commit/c3d6cc9a374bd2d31af9ee35fda8c054fcab7c86
Conflict:NA
---
src/providers/ldap/sdap_async_initgroups_ad.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
index d76b7c8b8..f5c88e2fb 100644
--- a/src/providers/ldap/sdap_async_initgroups_ad.c
+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
@@ -1591,6 +1591,8 @@ sdap_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx,
struct tevent_req *req = NULL;
struct tevent_req *subreq = NULL;
errno_t ret;
+ bool use_shortcut;
+ char **param = NULL;
req = tevent_req_create(mem_ctx, &state,
struct sdap_ad_tokengroups_initgroups_state);
@@ -1611,9 +1613,22 @@ sdap_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx,
* to avoid having to transfer and retain members when the fake
* tokengroups object without name is replaced by the full group object
*/
+ use_shortcut = false;
if (state->use_id_mapping
&& !IS_SUBDOMAIN(state->domain)
- && state->domain->ignore_group_members == false) {
+ && !state->domain->ignore_group_members) {
+ ret = confdb_get_param(id_ctx->be->cdb, mem_ctx, id_ctx->be->conf_path,
+ CONFDB_NSS_FILTER_GROUPS, &param);
+ if (ret == EOK) {
+ use_shortcut = (param == NULL || param[0] == NULL);
+ talloc_free(param);
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Failed to access %s: %i (%s)\n",
+ CONFDB_NSS_FILTER_GROUPS, ret, sss_strerror(ret));
+ /* Continue without using the shortcut. Safest option. */
+ }
+ }
+ if (use_shortcut) {
subreq = sdap_ad_tokengroups_initgr_mapping_send(state, ev, opts,
sysdb, domain, sh,
name, orig_dn,
--
2.33.0

59
backport-Fixed-pid-wrapping-in-sss_cli_check_socket.patch Normal file
View File

@ -0,0 +1,59 @@
From 0e25f0d19986d47c86c2e75ceaa3b66499a85ec9 Mon Sep 17 00:00:00 2001
From: answer9030 <jiangjixiang@kylinos.cn>
Date: Thu, 9 Mar 2023 14:47:37 +0800
Subject: [PATCH] Fixed pid wrapping in sss_cli_check_socket
Resolves: https://github.com/SSSD/sssd/issues/6592
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reference:https://github.com/SSSD/sssd/commit/0e25f0d19986d47c86c2e75ceaa3b66499a85ec9
Conflict:NA
---
src/sss_client/common.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
index c8ade645b..39b107527 100644
--- a/src/sss_client/common.c
+++ b/src/sss_client/common.c
@@ -684,21 +684,28 @@ static enum sss_status sss_cli_check_socket(int *errnop,
int timeout)
{
static pid_t mypid;
- struct stat mysb;
+ static struct stat selfsb;
+ struct stat mypid_sb, myself_sb;
int mysd;
int ret;
- if (getpid() != mypid) {
- ret = fstat(sss_cli_sd, &mysb);
+ ret = lstat("/proc/self/", &myself_sb);
+
+ if (getpid() != mypid || (ret == 0 && myself_sb.st_ino != selfsb.st_ino)) {
+ ret = fstat(sss_cli_sd, &mypid_sb);
if (ret == 0) {
- if (S_ISSOCK(mysb.st_mode) &&
- mysb.st_dev == sss_cli_sb.st_dev &&
- mysb.st_ino == sss_cli_sb.st_ino) {
+ if (S_ISSOCK(mypid_sb.st_mode) &&
+ mypid_sb.st_dev == sss_cli_sb.st_dev &&
+ mypid_sb.st_ino == sss_cli_sb.st_ino) {
sss_cli_close_socket();
}
}
sss_cli_sd = -1;
mypid = getpid();
+ ret = lstat("/proc/self/", &selfsb);
+ if (ret) {
+ memset(&selfsb, 0, sizeof(selfsb));
+ }
}
/* check if the socket has been closed on the other side */
--
2.33.0

60
backport-Fixed-the-problem-of-calling-getpid-and-lstat-twice-.patch Normal file
View File

@ -0,0 +1,60 @@
From 5c363bfbfb6aee507e4d966df4f45b39e5f00b91 Mon Sep 17 00:00:00 2001
From: answer9030 <jiangjixiang@kylinos.cn>
Date: Thu, 16 Mar 2023 14:49:51 +0800
Subject: [PATCH] Fixed the problem of calling getpid() and lstat() twice in
sss_cli_check_socket()
the second call to getpid() and lstat() is redundant.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reference:https://github.com/SSSD/sssd/commit/5c363bfbfb6aee507e4d966df4f45b39e5f00b91
Conflict:NA
---
src/sss_client/common.c | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
index 39b107527..53ff6e8e9 100644
--- a/src/sss_client/common.c
+++ b/src/sss_client/common.c
@@ -683,15 +683,16 @@ static enum sss_status sss_cli_check_socket(int *errnop,
const char *socket_name,
int timeout)
{
- static pid_t mypid;
- static struct stat selfsb;
+ static pid_t mypid_s;
+ static ino_t myself_ino;
struct stat mypid_sb, myself_sb;
+ pid_t mypid_d;
int mysd;
int ret;
ret = lstat("/proc/self/", &myself_sb);
-
- if (getpid() != mypid || (ret == 0 && myself_sb.st_ino != selfsb.st_ino)) {
+ mypid_d = getpid();
+ if (mypid_d != mypid_s || (ret == 0 && myself_sb.st_ino != myself_ino)) {
ret = fstat(sss_cli_sd, &mypid_sb);
if (ret == 0) {
if (S_ISSOCK(mypid_sb.st_mode) &&
@@ -701,11 +702,8 @@ static enum sss_status sss_cli_check_socket(int *errnop,
}
}
sss_cli_sd = -1;
- mypid = getpid();
- ret = lstat("/proc/self/", &selfsb);
- if (ret) {
- memset(&selfsb, 0, sizeof(selfsb));
- }
+ mypid_s = mypid_d;
+ myself_ino = myself_sb.st_ino;
}
/* check if the socket has been closed on the other side */
--
2.33.0

41
backport-KCM-Switch-default-caches-only-when-there-is-no-curr.patch Normal file
View File

@ -0,0 +1,41 @@
From 55e27a423d4065aa419e1bd80db1826eb8264c4a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= <allopez@redhat.com>
Date: Mon, 20 Mar 2023 15:24:03 +0100
Subject: [PATCH] KCM: Switch default caches only when there is no current
default.
Only when there was a current default cache
(uuid_is_null(old_dfl_uuid) == false), the default cache was switched.
This condition should be negated so that the cache is switched when
there is no current default.
Resolves: https://github.com/SSSD/sssd/issues/6357
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reference:https://github.com/SSSD/sssd/commit/55e27a423d4065aa419e1bd80db1826eb8264c4a
Conflict:NA
---
src/responder/kcm/kcmsrv_ops.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c
index f7f80d850..33d7cd506 100644
--- a/src/responder/kcm/kcmsrv_ops.c
+++ b/src/responder/kcm/kcmsrv_ops.c
@@ -668,8 +668,8 @@ static void kcm_op_initialize_got_default(struct tevent_req *subreq)
return;
}
- if (uuid_is_null(old_dfl_uuid) == false) {
- /* If there was a previous default ccache, switch to the initialized
+ if (uuid_is_null(old_dfl_uuid)) {
+ /* If there was no previous default ccache, switch to the initialized
* one by default
*/
/* `dfl_uuid` is output arg and isn't read in kcm_cc_get_uuid() but
--
2.33.0

31
backport-SUDO-fix-mistype.patch Normal file
View File

@ -0,0 +1,31 @@
From e2106c946c933759f0769e5179bb9f743abc0574 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Tue, 21 Mar 2023 17:19:18 +0100
Subject: [PATCH] SUDO: fix mistype
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reference:https://github.com/SSSD/sssd/commit/e2106c946c933759f0769e5179bb9f743abc0574
Conflict:NA
---
src/responder/sudo/sudosrv_query.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/responder/sudo/sudosrv_query.c b/src/responder/sudo/sudosrv_query.c
index 5b0edb644..a868ebeed 100644
--- a/src/responder/sudo/sudosrv_query.c
+++ b/src/responder/sudo/sudosrv_query.c
@@ -235,7 +235,7 @@ errno_t sudosrv_build_response(TALLOC_CTX *mem_ctx,
if (ret != EOK) {
goto fail;
}
- DEBUG(SSSDBG_TRACE_INTERNAL, "rules_num: [%"PRIu32"]\n", error);
+ DEBUG(SSSDBG_TRACE_INTERNAL, "rules_num: [%"PRIu32"]\n", rules_num);
/* rules */
for (i = 0; i < rules_num; i++) {
--
2.33.0

87
backport-ad-skip-filtering-if-ad_enabled_domains-is-set.patch Normal file
View File

@ -0,0 +1,87 @@
From 9358a74d3a56c738890353aaf6bc956bfe72df99 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 19 Dec 2022 11:21:23 +0100
Subject: [PATCH] ad: skip filtering if ad_enabled_domains is set
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The domain filtering based on LDAP attributes might be too strict in
forests which have a long and complex history where not all attributes
might be updated to reflect the current state, e.g. membership to the
local forest. To skip the filtering the ad_enabled_domains attribute can
be set to the list of expected domains.
Resolves: https://github.com/SSSD/sssd/issues/6626
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reference:https://github.com/SSSD/sssd/commit/9358a74d3a56c738890353aaf6bc956bfe72df99
Conflict:NA
---
src/man/sssd-ad.5.xml | 16 ++++++++++++----
src/providers/ad/ad_subdomains.c | 19 +++++++++++++------
2 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 6f8e5990f..65778124b 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -158,10 +158,18 @@ ldap_id_mapping = False
<term>ad_enabled_domains (string)</term>
<listitem>
<para>
- A comma-separated list of enabled Active Directory domains.
- If provided, SSSD will ignore any domains not listed in this
- option. If left unset, all domains from the AD forest will
- be available.
+ A comma-separated list of enabled Active Directory
+ domains. If provided, SSSD will ignore any domains
+ not listed in this option. If left unset, all
+ discovered domains from the AD forest will be
+ available.
+ </para>
+ <para>
+ During the discovery of the domains SSSD will
+ filter out some domains where flags or attributes
+ indicate that they do not belong to the local
+ forest or are not trusted. If ad_enabled_domains is
+ set, SSSD will try to enable all listed domains.
</para>
<para>
For proper operation, this option must be specified in all
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 09c5a892d..db7f1c3c7 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -1524,12 +1524,19 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
goto done;
}
- ret = ad_filter_domains(state, unfiltered_reply, unfiltered_reply_count,
- &state->reply, &state->reply_count);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE,
- "Failed to filter list of returned domains.\n");
- goto done;
+ if (state->sd_ctx->ad_enabled_domains == NULL) {
+ ret = ad_filter_domains(state, unfiltered_reply, unfiltered_reply_count,
+ &state->reply, &state->reply_count);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to filter list of returned domains.\n");
+ goto done;
+ }
+ } else {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "ad_enabled_domains is set, skipping domain filtering.\n");
+ state->reply_count = unfiltered_reply_count;
+ state->reply = unfiltered_reply;
}
if (state->reply_count == 0
--
2.33.0

11
sssd.spec
View File

@ -1,6 +1,6 @@
Name: sssd
Version: 2.6.1
Release: 9
Release: 10
Summary: System Security Services Daemon
License: GPLv3+ and LGPLv3+
URL: https://pagure.io/SSSD/sssd/
@ -14,6 +14,12 @@ Patch6004: PAM-P11-fixed-minor-mem-leak.patch
Patch6005: SSS_CLIENT-mem-cache-fixed-missing-error-code.patch
Patch6006: fix-coredump-during-ifp-reconnect.patch
Patch6007: backport-MONITOR-fix-socket_activated-flag-initialization.patch
Patch6008: backport-SUDO-fix-mistype.patch
Patch6009: backport-KCM-Switch-default-caches-only-when-there-is-no-curr.patch
Patch6010: backport-Fixed-pid-wrapping-in-sss_cli_check_socket.patch
Patch6011: backport-Fixed-the-problem-of-calling-getpid-and-lstat-twice-.patch
Patch6012: backport-AD-Do-not-use-the-shortcut-when-filter_groups-is-set.patch
Patch6013: backport-ad-skip-filtering-if-ad_enabled_domains-is-set.patch
Requires: python3-sssd = %{version}-%{release}
Requires: libldb
@ -521,6 +527,9 @@ fi
%systemd_postun_with_restart sssd.service
%changelog
* Wed Aug 2 2023 xuraoqing<xuraoqing@huawei.com> - 2.6.1-10
- backport upstream patch
* Thu Mar 23 2023 yixiangzhike<yixiangzhike007@163.com> - 2.6.1-9
- backport upstream patch