

10 Commits

Author SHA1 Message Date
openeuler-ci-bot
6cbbc5e32f
!145 [sync] PR-143: backport upstream patches
From: @openeuler-sync-bot 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
2024-06-19 04:10:15 +00:00
wangjiang
e57b20122e backport upstream patches
(cherry picked from commit 01d514387f372a0471720762657d1c3644d1f555)
2024-06-19 09:12:07 +08:00
openeuler-ci-bot
6398277f1b
!120 fix CVE-2023-3758
From: @Venland 
Reviewed-by: @qsw333, @hzero1996, @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
2024-04-24 01:32:21 +00:00
liweigang
f084778ce3 fix CVE-2023-3758
Signed-off-by: liweigang <liweiganga@uniontech.com>
2024-04-22 15:00:38 +08:00
openeuler-ci-bot
c5c5933c3d
!116 [sync] PR-113: backport some upstream patches
From: @openeuler-sync-bot 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
2024-02-24 08:42:39 +00:00
hzero1996
a407e82f2b backport some patches
(cherry picked from commit 3c6d35a9978a56037caf7b6cd9d1aca6993cb0c1)
2024-02-23 09:21:32 +08:00
openeuler-ci-bot
6a544f7700
!104 backport some upstream patches
From: @hzero1996 
Reviewed-by: @huangzq6, @HuaxinLuGitee 
Signed-off-by: @huangzq6, @HuaxinLuGitee
2023-11-29 06:16:46 +00:00
hzero1996
08424ac466 backport some patches 2023-11-28 15:55:49 +08:00
openeuler-ci-bot
0e94db44d3
!100 [sync] PR-97: backport upstream patches
From: @openeuler-sync-bot 
Reviewed-by: @huangzq6, @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
2023-10-07 01:09:53 +00:00
fly_fzc
bcf7f22f07 backport upstream patches
(cherry picked from commit dfd154fc1eab69ccf7205c936abb022bbd1fb80a)
2023-09-22 17:05:18 +08:00
33 changed files with 3123 additions and 1 deletions


@ -0,0 +1,83 @@
From 54dd529d2777edc625e25c5ebd259b396360337c Mon Sep 17 00:00:00 2001
From: Tomas Halman <thalman@redhat.com>
Date: Thu, 18 Nov 2021 17:43:19 +0100
Subject: [PATCH] CONFDB: check the return values
Covscan pointed out that return value of chown and sete[ug]id is
not checked in some cases. There is not much we can do
in case of failure so only minor failure is logged.
Resolves: https://github.com/SSSD/sssd/issues/5876
Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/54dd529d2777edc625e25c5ebd259b396360337c
Conflict: NA
---
src/confdb/confdb.c | 6 +++++-
src/util/usertools.c | 25 +++++++++++++++++++++----
2 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 6a6fac916..e557b469c 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -685,7 +685,11 @@ int confdb_init(TALLOC_CTX *mem_ctx,
old_umask = umask(SSS_DFL_UMASK);
/* file may exists and could be owned by root from previous version */
sss_sssd_user_uid_and_gid(&sssd_uid, &sssd_gid);
- chown(confdb_location, sssd_uid, sssd_gid);
+ ret = chown(confdb_location, sssd_uid, sssd_gid);
+ if (ret != EOK && errno != ENOENT) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Unable to chown config database [%s]: %s\n",
+ confdb_location, sss_strerror(errno));
+ }
sss_set_sssd_user_eid();
ret = ldb_connect(cdb->ldb, confdb_location, 0, NULL);
diff --git a/src/util/usertools.c b/src/util/usertools.c
index 370a98b41..72deceeee 100644
--- a/src/util/usertools.c
+++ b/src/util/usertools.c
@@ -863,17 +863,34 @@ void sss_set_sssd_user_eid(void)
uid_t uid;
gid_t gid;
+
if (geteuid() == 0) {
sss_sssd_user_uid_and_gid(&uid, &gid);
- seteuid(uid);
- setegid(gid);
+ if (seteuid(uid) != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to set euid to %"SPRIuid": %s\n",
+ uid, sss_strerror(errno));
+ }
+ if (setegid(gid) != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to set egid to %"SPRIgid": %s\n",
+ gid, sss_strerror(errno));
+ }
}
}
void sss_restore_sssd_user_eid(void)
{
if (getuid() == 0) {
- seteuid(getuid());
- setegid(getgid());
+ if (seteuid(getuid()) != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to restore euid: %s\n",
+ sss_strerror(errno));
+ }
+ if (setegid(getgid()) != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to restore egid: %s\n",
+ sss_strerror(errno));
+ }
}
}
--
2.27.0
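Review bot: In `sss_set_sssd_user_eid` a failed `seteuid`/`setegid` is now logged at MINOR_FAILURE and execution simply continues, so when the privilege drop fails the process stays root and `confdb_init` goes on to open the config database as root, which is exactly what this call exists to prevent; since the function remains `void`, callers cannot react, so either raise the level or give the function a return value the caller can check. The order of the two calls also deserves a second look: on Linux, lowering the effective uid from 0 to non-zero clears the effective capability set, so the following `setegid(gid)` may itself be refused with EPERM unless `gid` already equals the real or saved gid; dropping the group first (`setegid(gid);` then `seteuid(uid);`) avoids that, and the restore path already does the reverse correctly by regaining euid 0 before touching the gid. For the `chown` in `confdb_init`, `ret` holds -1 on failure rather than an errno value, so `if (ret == -1 && errno != ENOENT)` reads more honestly than the `!= EOK` comparison, and a one-line comment noting that a path-based chown is racy against a swapped path (acceptable here for a root-owned config directory) would help the next reader. confdb_init continues outside the hunk.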


@ -0,0 +1,218 @@
From f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 8 Nov 2023 14:50:24 +0100
Subject: [PATCH] ad-gpo: use hash to store intermediate results
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently after the evaluation of a single GPO file the intermediate
results are stored in the cache and this cache entry is updated until
all applicable GPO files are evaluated. Finally the data in the cache is
used to make the decision of access is granted or rejected.
If there are two or more access-control request running in parallel one
request might overwrite the cache object with intermediate data while
another request reads the cached data for the access decision and as a
result will do this decision based on intermediate data.
To avoid this the intermediate results are not stored in the cache
anymore but in hash tables which are specific to the request. Only the
final result is written to the cache to have it available for offline
authentication.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit d7db7971682da2dbf7642ac94940d6b0577ec35a)
Referencehttps://github.com/SSSD/sssd/commit/f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726
Conflict: src/providers/ad/ad_gpo.c
---
src/providers/ad/ad_gpo.c | 116 +++++++++++++++++++++++++++++++++-----
1 file changed, 102 insertions(+), 14 deletions(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 4d12ef7806..f272131059 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -1356,6 +1356,33 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
return ret;
}
+static errno_t
+add_result_to_hash(hash_table_t *hash, const char *key, char *value)
+{
+ int hret;
+ hash_key_t k;
+ hash_value_t v;
+
+ if (hash == NULL || key == NULL || value == NULL) {
+ return EINVAL;
+ }
+
+ k.type = HASH_KEY_CONST_STRING;
+ k.c_str = key;
+
+ v.type = HASH_VALUE_PTR;
+ v.ptr = value;
+
+ hret = hash_enter(hash, &k, &v);
+ if (hret != HASH_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to add [%s][%s] to hash: [%s].\n",
+ key, value, hash_error_string(hret));
+ return EIO;
+ }
+
+ return EOK;
+}
+
/*
* This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename,
* and stores the allow_key and deny_key of all of the gpo_map_types present
@@ -1363,6 +1390,7 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
*/
static errno_t
ad_gpo_store_policy_settings(struct sss_domain_info *domain,
+ hash_table_t *allow_maps, hash_table_t *deny_maps,
const char *filename)
{
struct ini_cfgfile *file_ctx = NULL;
@@ -1496,14 +1524,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
goto done;
} else if (ret != ENOENT) {
const char *value = allow_value ? allow_value : empty_val;
- ret = sysdb_gpo_store_gpo_result_setting(domain,
- allow_key,
- value);
+ ret = add_result_to_hash(allow_maps, allow_key,
+ talloc_strdup(allow_maps, value));
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "sysdb_gpo_store_gpo_result_setting failed for key:"
- "'%s' value:'%s' [%d][%s]\n", allow_key, allow_value,
- ret, sss_strerror(ret));
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
+ "value: [%s] to allow maps "
+ "[%d][%s].\n",
+ allow_key, value, ret,
+ sss_strerror(ret));
goto done;
}
}
@@ -1523,14 +1551,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
goto done;
} else if (ret != ENOENT) {
const char *value = deny_value ? deny_value : empty_val;
- ret = sysdb_gpo_store_gpo_result_setting(domain,
- deny_key,
- value);
+ ret = add_result_to_hash(deny_maps, deny_key,
+ talloc_strdup(deny_maps, value));
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "sysdb_gpo_store_gpo_result_setting failed for key:"
- "'%s' value:'%s' [%d][%s]\n", deny_key, deny_value,
- ret, sss_strerror(ret));
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
+ "value: [%s] to deny maps "
+ "[%d][%s].\n",
+ deny_key, value, ret,
+ sss_strerror(ret));
goto done;
}
}
@@ -1825,6 +1853,8 @@ struct ad_gpo_access_state {
int num_cse_filtered_gpos;
int cse_gpo_index;
const char *ad_domain;
+ hash_table_t *allow_maps;
+ hash_table_t *deny_maps;
};
static void ad_gpo_connect_done(struct tevent_req *subreq);
@@ -1946,6 +1976,19 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
goto immediately;
}
+ ret = sss_hash_create(state, 0, &state->allow_maps);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create allow maps "
+ "hash table [%d]: %s\n", ret, sss_strerror(ret));
+ goto immediately;
+ }
+
+ ret = sss_hash_create(state, 0, &state->deny_maps);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create deny maps "
+ "hash table [%d]: %s\n", ret, sss_strerror(ret));
+ goto immediately;
+ }
subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
if (subreq == NULL) {
@@ -2632,6 +2675,43 @@ ad_gpo_cse_step(struct tevent_req *req)
return EAGAIN;
}
+static errno_t
+store_hash_maps_in_cache(struct sss_domain_info *domain,
+ hash_table_t *allow_maps, hash_table_t *deny_maps)
+{
+ int ret;
+ struct hash_iter_context_t *iter;
+ hash_entry_t *entry;
+ size_t c;
+ hash_table_t *hash_list[] = { allow_maps, deny_maps, NULL};
+
+
+ for (c = 0; hash_list[c] != NULL; c++) {
+ iter = new_hash_iter_context(hash_list[c]);
+ if (iter == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to create hash iterator.\n");
+ return EINVAL;
+ }
+
+ while ((entry = iter->next(iter)) != NULL) {
+ ret = sysdb_gpo_store_gpo_result_setting(domain,
+ entry->key.c_str,
+ entry->value.ptr);
+ if (ret != EOK) {
+ free(iter);
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_gpo_store_gpo_result_setting failed for key:"
+ "[%s] value:[%s] [%d][%s]\n", entry->key.c_str,
+ (char *) entry->value.ptr, ret, sss_strerror(ret));
+ return ret;
+ }
+ }
+ talloc_free(iter);
+ }
+
+ return EOK;
+}
+
/*
* This cse-specific function (GP_EXT_GUID_SECURITY) increments the
* cse_gpo_index until the policy settings for all applicable GPOs have been
@@ -2673,6 +2753,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)
* (as part of the GPO Result object in the sysdb cache).
*/
ret = ad_gpo_store_policy_settings(state->host_domain,
+ state->allow_maps, state->deny_maps,
cse_filtered_gpo->policy_filename);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
@@ -2686,6 +2767,13 @@ ad_gpo_cse_done(struct tevent_req *subreq)
if (ret == EOK) {
/* ret is EOK only after all GPO policy files have been downloaded */
+ ret = store_hash_maps_in_cache(state->host_domain,
+ state->allow_maps, state->deny_maps);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to store evaluated GPO maps "
+ "[%d][%s].\n", ret, sss_strerror(ret));
+ goto done;
+ }
ret = ad_gpo_perform_hbac_processing(state,
state->gpo_mode,
state->gpo_map_type,
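Review bot: `store_hash_maps_in_cache` releases the iterator with `free(iter)` on the error path but `talloc_free(iter)` on the success path; only one of these can match how `new_hash_iter_context` allocates it, and if `sss_hash_create` installs talloc-backed allocators for the table (as SSSD's hash wrappers appear to, given the talloc parent passed to it) the libc `free()` is a mismatched free of a talloc chunk. Use the same call on both paths and move the DEBUG before the free rather than after it. Separately, `add_result_to_hash(allow_maps, allow_key, talloc_strdup(allow_maps, value))` folds an out-of-memory `talloc_strdup` into the generic `EINVAL` return, so the CRIT log would report an invalid argument instead of ENOMEM; check the strdup result before the call (same for the deny path). The intent is sound for the race the message describes — with per-request tables a concurrent access-control request can no longer read another request's half-evaluated allow/deny maps, presumably the CVE-2023-3758 fix listed in this range — and ad_gpo_cse_done continues outside the hunk.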


@ -0,0 +1,42 @@
From 96d8b77ae6e7d1dd72b9add553935fc4aa6ab2c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= <allopez@redhat.com>
Date: Mon, 9 Oct 2023 10:56:08 +0200
Subject: [PATCH] KCM: Display in the log the limit as set by the user
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
max_uid_ccaches is unconditionally incremented by 2 in ccdb_secdb_init()
to create space for some internal entries. We cannot just show this
value as it is not what the user configured.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/96d8b77ae6e7d1dd72b9add553935fc4aa6ab2c5
Conflict: NA
---
src/responder/kcm/secrets/secrets.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/responder/kcm/secrets/secrets.c b/src/responder/kcm/secrets/secrets.c
index 4dc748c3b..8f32c63e9 100644
--- a/src/responder/kcm/secrets/secrets.c
+++ b/src/responder/kcm/secrets/secrets.c
@@ -381,11 +381,12 @@ static int local_db_check_peruid_number_of_secrets(TALLOC_CTX *mem_ctx,
ret = local_db_remove_oldest_expired_secret(res, req);
if (ret != EOK) {
if (ret == ERR_NO_MATCHING_CREDS) {
+ /* max_uid_secrets is incremented by 2 for internal entries. */
DEBUG(SSSDBG_OP_FAILURE,
"Cannot store any more secrets for this client (basedn %s) "
"as the maximum allowed limit (%d) has been reached\n",
ldb_dn_get_linearized(cli_basedn),
- req->quota->max_uid_secrets);
+ req->quota->max_uid_secrets - 2);
ret = ERR_SEC_INVALID_TOO_MANY_SECRETS;
}
goto done;
--
2.33.0
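Review bot: The `- 2` in the new log line repeats, as a bare magic number in a second file, the adjustment the commit message says `ccdb_secdb_init()` applies; if the number of internal entries ever changes, the limit check stays correct but the logged value silently goes wrong. Define the adjustment once in a header both files include (e.g. `#define KCM_INTERNAL_SECRET_ENTRIES 2`) and use it in both places, or carry the user-configured value in the quota struct alongside `max_uid_secrets`. The enclosing function continues outside the hunk.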


@ -0,0 +1,44 @@
From cbae6855320b53f3f2bdc0e11c5a9c8eb84daf87 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= <allopez@redhat.com>
Date: Mon, 18 Dec 2023 11:37:29 +0100
Subject: [PATCH] KCM: Fix a memory "leak"
When an operation is processed, a buffer is allocated for the reply
and its parent is the client context (struct cli_ctx). This buffer
is not explicitly freed but it is released when the client context is
freed. With each operation a new buffer is allocated and the
previous one gets "lost."
This is not an actual leak because the lost buffers are released by
talloc once the client context is freed, when the connection is closed.
But on long-lived connections this can consume a large amount of memory
before the connection is closed.
To solve this, the request context (struct kcm_req_ctx) is the new
parent of the buffer. The request is freed as soon as the operation is
completed and no buffer gets lost.
Resolves: https://github.com/SSSD/sssd/issues/7072
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/responder/kcm/kcmsrv_cmd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c
index 1f60d1a14..9c37e3cf0 100644
--- a/src/responder/kcm/kcmsrv_cmd.c
+++ b/src/responder/kcm/kcmsrv_cmd.c
@@ -350,7 +350,7 @@ static void kcm_send_reply(struct kcm_req_ctx *req_ctx)
cctx = req_ctx->cctx;
- ret = kcm_output_construct(cctx, &req_ctx->op_io, &req_ctx->repbuf);
+ ret = kcm_output_construct(req_ctx, &req_ctx->op_io, &req_ctx->repbuf);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"Cannot construct the reply buffer, terminating client\n");
--
2.33.0
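Review bot: Reparenting the reply buffer to `req_ctx` is only safe if nothing uses the buffer after the request context is freed; the pointer lives in `req_ctx->repbuf`, so anything reading that field necessarily still holds `req_ctx`, but the write handler that drains the reply is outside this hunk, so it is worth confirming it reaches the buffer through `req_ctx` and not through a pointer cached on `cctx`. It would also help to record, in the commit message or a comment at the call, that the old parenting let a client holding a long-lived KCM connection grow the daemon's memory by one reply buffer per operation — effectively a local memory-exhaustion vector — since that is the justification for carrying this in a security backport. `kcm_send_reply` continues outside the hunk.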


@ -0,0 +1,35 @@
From 3cba6d1153c102f9596335db28cc017e8338e868 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= <allopez@redhat.com>
Date: Fri, 3 Nov 2023 15:31:46 +0100
Subject: [PATCH] KCM: Fixed a wrong check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The pointer to the newly allocated iobuffer is stored into
state->op_ctx->reply but the check for NULL is done on state->reply,
which we already know is not NULL because it was checked before and
not modified after that.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
---
src/responder/kcm/kcmsrv_ops.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c
index 33d7cd506..dab96b486 100644
--- a/src/responder/kcm/kcmsrv_ops.c
+++ b/src/responder/kcm/kcmsrv_ops.c
@@ -161,7 +161,7 @@ struct tevent_req *kcm_cmd_send(TALLOC_CTX *mem_ctx,
state,
KCM_REPLY_MAX - 2*sizeof(uint32_t),
KCM_REPLY_MAX - 2*sizeof(uint32_t));
- if (state->reply == NULL) {
+ if (state->op_ctx->reply == NULL) {
ret = ENOMEM;
goto immediate;
}
--
2.33.0


@ -0,0 +1,299 @@
From 93ee0159a0f467ced3412d034ec706dd3508901e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= <allopez@redhat.com>
Date: Tue, 3 Oct 2023 12:39:49 +0200
Subject: [PATCH] KCM: Remove the oldest expired credential if no more space.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
:feature: When adding a new credential to KCM and the user has
already reached their limit, the oldest expired credential
will be removed to free some space.
If no expired credential is found to be removed, the operation
will fail as it happened in the previous versions.
Resolves: https://github.com/SSSD/sssd/issues/6667
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/93ee0159a0f467ced3412d034ec706dd3508901e
Conflict: NA
---
src/responder/kcm/secrets/secrets.c | 203 +++++++++++++++++++++++++---
1 file changed, 186 insertions(+), 17 deletions(-)
diff --git a/src/responder/kcm/secrets/secrets.c b/src/responder/kcm/secrets/secrets.c
index 025d1c421..4dc748c3b 100644
--- a/src/responder/kcm/secrets/secrets.c
+++ b/src/responder/kcm/secrets/secrets.c
@@ -18,15 +18,18 @@
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
+#include "config.h"
+#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
-#include <fcntl.h>
+#include <time.h>
#include <uuid/uuid.h>
-#include "config.h"
-
+#include "responder/kcm/kcmsrv_ccache.h"
#include "util/util.h"
+#include "util/util_creds.h"
+#include "util/sss_iobuf.h"
#include "util/strtonum.h"
#include "util/crypto/sss_crypto.h"
#include "sec_pvt.h"
@@ -50,6 +53,10 @@ static struct sss_sec_quota default_kcm_quota = {
.containers_nest_level = DEFAULT_SEC_CONTAINERS_NEST_LEVEL,
};
+static char *local_dn_to_path(TALLOC_CTX *mem_ctx,
+ struct ldb_dn *basedn,
+ struct ldb_dn *dn);
+
static int local_db_check_containers(TALLOC_CTX *mem_ctx,
struct sss_sec_ctx *sec_ctx,
struct ldb_dn *leaf_dn)
@@ -181,11 +188,166 @@ static struct ldb_dn *per_uid_container(TALLOC_CTX *mem_ctx,
return uid_base_dn;
}
+static errno_t get_secret_expiration_time(uint8_t *key, size_t key_length,
+ uint8_t *sec, size_t sec_length,
+ time_t *_expiration)
+{
+ errno_t ret;
+ TALLOC_CTX *tmp_ctx;
+ time_t expiration = 0;
+ struct cli_creds client = {};
+ struct kcm_ccache *cc;
+ struct sss_iobuf *iobuf;
+ krb5_creds **cred_list, **cred;
+ const char *key_str;
+
+ if (_expiration == NULL) {
+ return EINVAL;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ key_str = talloc_strndup(tmp_ctx, (const char *) key, key_length);
+ if (key_str == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ iobuf = sss_iobuf_init_readonly(tmp_ctx, sec, sec_length);
+ if (iobuf == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sec_kv_to_ccache_binary(tmp_ctx, key_str, iobuf, &client, &cc);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ cred_list = kcm_cc_unmarshal(tmp_ctx, NULL, cc);
+ if (cred_list == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (cred = cred_list; *cred != NULL; cred++) {
+ if ((*cred)->times.endtime != 0) {
+ expiration = (time_t) (*cred)->times.endtime;
+ break;
+ }
+ }
+
+ *_expiration = expiration;
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static errno_t local_db_remove_oldest_expired_secret(struct ldb_result *res,
+ struct sss_sec_req *req)
+{
+ struct sss_sec_req *new_req = NULL;
+ const struct ldb_val *val;
+ const struct ldb_val *rdn;
+ struct ldb_message *msg;
+ struct ldb_message_element *elem;
+ struct ldb_dn *basedn;
+ struct ldb_dn *oldest_dn = NULL;
+ time_t oldest_time = time(NULL);
+ time_t expiration;
+ unsigned int i;
+ int ret;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Removing the oldest expired credential\n");
+ /* Between all the messages in result, there is also the key we are
+ * currently treating, but because yet it doesn't have an expiration time,
+ * it will be skipped.
+ */
+ for (i = 0; i < res->count; i++) {
+ msg = res->msgs[i];
+
+ /* Skip cn=default,... or any non cn=... */
+ rdn = ldb_dn_get_rdn_val(msg->dn);
+ if (strcmp(ldb_dn_get_rdn_name(msg->dn), "cn") != 0
+ || strncmp("default", (char *) rdn->data, rdn->length) == 0) {
+ continue;
+ }
+
+ elem = ldb_msg_find_element(msg, SEC_ATTR_SECRET);
+ if (elem != NULL) {
+ if (elem->num_values != 1) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Element %s has %u values. Ignoring it.\n",
+ SEC_ATTR_SECRET, elem->num_values);
+ ret = ERR_MALFORMED_ENTRY;
+ goto done;
+ }
+
+ val = &elem->values[0];
+ ret = get_secret_expiration_time(rdn->data, rdn->length,
+ val->data, val->length,
+ &expiration);
+ if (ret != EOK) {
+ goto done;
+ }
+ if (expiration > 0 && expiration < oldest_time) {
+ oldest_dn = msg->dn;
+ oldest_time = expiration;
+ }
+ }
+ }
+
+ if (oldest_dn == NULL) {
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Found no expired credential to remove\n");
+ ret = ERR_NO_MATCHING_CREDS;
+ goto done;
+ }
+
+ new_req = talloc_zero(NULL, struct sss_sec_req);
+ if (new_req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to allocate the new request\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ basedn = ldb_dn_new(new_req, req->sctx->ldb, req->basedn);
+ if (basedn == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to create a dn: %s\n", req->basedn);
+ ret = EINVAL;
+ goto done;
+ }
+
+ new_req->basedn = req->basedn;
+ new_req->quota = req->quota;
+ new_req->req_dn = oldest_dn;
+ new_req->sctx = req->sctx;
+ new_req->path = local_dn_to_path(new_req, basedn, oldest_dn);
+ if (new_req->path == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to create the path\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ ret = sss_sec_delete(new_req);
+
+done:
+ if (new_req != NULL)
+ talloc_free(new_req);
+
+ return ret;
+}
+
+
static int local_db_check_peruid_number_of_secrets(TALLOC_CTX *mem_ctx,
struct sss_sec_req *req)
{
TALLOC_CTX *tmp_ctx;
- static const char *attrs[] = { NULL };
+ static const char *attrs[] = { SEC_ATTR_SECRET, NULL };
struct ldb_result *res = NULL;
struct ldb_dn *cli_basedn = NULL;
int ret;
@@ -214,13 +376,20 @@ static int local_db_check_peruid_number_of_secrets(TALLOC_CTX *mem_ctx,
}
if (res->count >= req->quota->max_uid_secrets) {
- DEBUG(SSSDBG_OP_FAILURE,
- "Cannot store any more secrets for this client (basedn %s) "
- "as the maximum allowed limit (%d) has been reached\n",
- ldb_dn_get_linearized(cli_basedn),
- req->quota->max_uid_secrets);
- ret = ERR_SEC_INVALID_TOO_MANY_SECRETS;
- goto done;
+ /* We reached the limit. Let's try to removed the
+ * oldest expired credential to free some space. */
+ ret = local_db_remove_oldest_expired_secret(res, req);
+ if (ret != EOK) {
+ if (ret == ERR_NO_MATCHING_CREDS) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot store any more secrets for this client (basedn %s) "
+ "as the maximum allowed limit (%d) has been reached\n",
+ ldb_dn_get_linearized(cli_basedn),
+ req->quota->max_uid_secrets);
+ ret = ERR_SEC_INVALID_TOO_MANY_SECRETS;
+ }
+ goto done;
+ }
}
ret = EOK;
@@ -808,15 +977,15 @@ errno_t sss_sec_put(struct sss_sec_req *req,
goto done;
}
- ret = local_db_check_number_of_secrets(msg, req);
+ ret = local_db_check_peruid_number_of_secrets(msg, req);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
- "local_db_check_number_of_secrets failed [%d]: %s\n",
+ "local_db_check_peruid_number_of_secrets failed [%d]: %s\n",
ret, sss_strerror(ret));
goto done;
}
- ret = local_db_check_peruid_number_of_secrets(msg, req);
+ ret = local_db_check_number_of_secrets(msg, req);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"local_db_check_number_of_secrets failed [%d]: %s\n",
@@ -905,15 +1074,15 @@ errno_t sss_sec_update(struct sss_sec_req *req,
goto done;
}
- ret = local_db_check_number_of_secrets(msg, req);
+ ret = local_db_check_peruid_number_of_secrets(msg, req);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
- "local_db_check_number_of_secrets failed [%d]: %s\n",
+ "local_db_check_peruid_number_of_secrets failed [%d]: %s\n",
ret, sss_strerror(ret));
goto done;
}
- ret = local_db_check_peruid_number_of_secrets(msg, req);
+ ret = local_db_check_number_of_secrets(msg, req);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"local_db_check_number_of_secrets failed [%d]: %s\n",
--
2.33.0
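Review bot: In `local_db_remove_oldest_expired_secret` the `num_values != 1` branch logs "Ignoring it" but then sets `ERR_MALFORMED_ENTRY` and jumps to `done`, which aborts the eviction and with it the whole `sss_sec_put`/`sss_sec_update`, so a single malformed entry under a user's container permanently blocks that user from storing credentials once at the limit; make the code match the message with `continue;` in place of the two lines `ret = ERR_MALFORMED_ENTRY; goto done;`, and consider the same treatment when `get_secret_expiration_time` fails for one entry. The `cn=default` skip uses `strncmp("default", (char *) rdn->data, rdn->length)`, which is a prefix comparison bounded by the RDN length, so a ccache named `d`, `de` or `def` is also never considered for eviction; use `rdn->length == strlen("default") && memcmp(rdn->data, "default", rdn->length) == 0` instead. `get_secret_expiration_time` returns the endtime of the first credential with a non-zero endtime rather than the latest one, so a ccache whose first entry happens to be an expired service ticket can be evicted while it still holds a valid TGT; tracking the maximum endtime across `cred_list` would limit eviction to caches with nothing usable left.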


@ -0,0 +1,33 @@
From 7f308c6fe01408fa6beb48b9f7627068968da771 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 19 Jun 2023 21:46:08 +0200
Subject: [PATCH] KRB5: avoid FORWARD_NULL
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/7f308c6fe01408fa6beb48b9f7627068968da771
Conflict: NA
---
src/providers/krb5/krb5_ccache.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/krb5/krb5_ccache.c b/src/providers/krb5/krb5_ccache.c
index 20d932e53..88f75a8d8 100644
--- a/src/providers/krb5/krb5_ccache.c
+++ b/src/providers/krb5/krb5_ccache.c
@@ -788,7 +788,7 @@ done:
DEBUG(SSSDBG_OP_FAILURE, "krb5_cc_close failed.\n");
}
- if (krb5_cc_close(kctx, mem_ccache) != 0) {
+ if ((mem_ccache != NULL) && (krb5_cc_close(kctx, mem_ccache) != 0)) {
DEBUG(SSSDBG_OP_FAILURE, "krb5_cc_close failed.\n");
}
--
2.27.0


@ -0,0 +1,32 @@
From a83be8fb51172d4e1a282a0a078d81ee93afdcb5 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 19 Jun 2023 22:03:43 +0200
Subject: [PATCH] KRB5: avoid RESOURCE_LEAK
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/a83be8fb51172d4e1a282a0a078d81ee93afdcb5
Conflict: NA
---
src/providers/krb5/krb5_child.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 158831198..a3d83b4c8 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1869,6 +1869,7 @@ static krb5_error_code validate_tgt(struct krb5_req *kr)
&validation_princ);
if (kerr != 0) {
DEBUG(SSSDBG_CRIT_FAILURE, "krb5_copy_principal failed.\n");
+ krb5_kt_end_seq_get(kr->ctx, keytab, &cursor);
goto done;
}
--
2.27.0


@ -0,0 +1,39 @@
From f6bbd591d636e4309ec37659f825b0f9c53d4b6b Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 19 Jun 2023 20:56:14 +0200
Subject: [PATCH] KRB5: avoid another attempt to free 'cc' in 'done:' section
if first attempt failed.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/f6bbd591d636e4309ec37659f825b0f9c53d4b6b
Conflict: NA
---
src/providers/krb5/krb5_ccache.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/krb5/krb5_ccache.c b/src/providers/krb5/krb5_ccache.c
index 5b80fec52..72c3a23de 100644
--- a/src/providers/krb5/krb5_ccache.c
+++ b/src/providers/krb5/krb5_ccache.c
@@ -637,12 +637,12 @@ errno_t get_ccache_file_data(const char *ccache_file, const char *client_name,
krb5_free_cred_contents(ctx, &cred);
kerr = krb5_cc_close(ctx, cc);
+ cc = NULL;
if (kerr != 0) {
KRB5_DEBUG(SSSDBG_OP_FAILURE, ctx, kerr);
DEBUG(SSSDBG_CRIT_FAILURE, "krb5_cc_close failed.\n");
goto done;
}
- cc = NULL;
kerr = 0;
--
2.27.0


@ -0,0 +1,34 @@
From b69ff375a2b185219bae91c48aa7bfb3138b98f2 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 19 Jun 2023 21:53:28 +0200
Subject: [PATCH] KRB5: fix memory leak
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/b69ff375a2b185219bae91c48aa7bfb3138b98f2
Conflict: NA
---
src/providers/krb5/krb5_child.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index f69cd6d54..774b47e3a 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1400,6 +1400,9 @@ done:
/* FIXME: should we krb5_cc_destroy in case of error? */
krb5_cc_close(kctx, kcc);
}
+
+ krb5_free_context(kctx);
+
return kerr;
}
--
2.27.0


@ -0,0 +1,32 @@
From 75822701770179582c344960603cce8bd54a7890 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 19 Jun 2023 21:56:13 +0200
Subject: [PATCH] KRB5: fix memory leak
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/75822701770179582c344960603cce8bd54a7890
Conflict: NA
---
src/providers/krb5/krb5_child.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 774b47e3a..158831198 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1854,6 +1854,7 @@ static krb5_error_code validate_tgt(struct krb5_req *kr)
if (kerr != 0) {
DEBUG(SSSDBG_CRIT_FAILURE, "error reading keytab [%s], " \
"not verifying TGT.\n", kr->keytab);
+ krb5_kt_close(kr->ctx, keytab);
return kerr;
}
--
2.27.0


@ -0,0 +1,34 @@
From 01f0d067f1e4ba8ec3710f515d21631a53c9c9ef Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Tue, 20 Jun 2023 16:48:07 +0200
Subject: [PATCH] KRB5: fixed RESOURCE_LEAK
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/01f0d067f1e4ba8ec3710f515d21631a53c9c9ef
Conflict: NA
---
src/providers/krb5/krb5_keytab.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/providers/krb5/krb5_keytab.c b/src/providers/krb5/krb5_keytab.c
index e70408b9b..db383d411 100644
--- a/src/providers/krb5/krb5_keytab.c
+++ b/src/providers/krb5/krb5_keytab.c
@@ -214,6 +214,9 @@ done:
if (kerr != 0) {
talloc_free(mem_name);
+ if ((mem_keytab != NULL) && krb5_kt_close(kctx, mem_keytab) != 0) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "krb5_kt_close failed.\n");
+ }
}
if (tmp_mem_keytab != NULL && krb5_kt_close(kctx, tmp_mem_keytab) != 0) {
--
2.27.0


@ -0,0 +1,32 @@
From fd7da517ddd0e220f081ad9e7b5d7fcb0cae39b7 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Tue, 20 Jun 2023 17:22:07 +0200
Subject: [PATCH] LDAP: fixed RESOURCE_LEAK
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/fd7da517ddd0e220f081ad9e7b5d7fcb0cae39b7
Conflict: NA
---
src/providers/ldap/ldap_child.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index 4818240d4..6ad2fb63a 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -212,6 +212,7 @@ static int lc_verify_keytab_ex(const char *principal,
DEBUG(SSSDBG_FATAL_FAILURE,
"Could not parse keytab entry\n");
sss_log(SSS_LOG_ERR, "Could not parse keytab entry\n");
+ krb5_kt_end_seq_get(context, keytab, &cursor);
return EIO;
}
--
2.27.0


@ -0,0 +1,52 @@
From eca00ef4719c44c4e68ead3346a16229b6471d13 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Tue, 20 Jun 2023 17:41:36 +0200
Subject: [PATCH] LDAP: fixed leak of `kprinc`
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/eca00ef4719c44c4e68ead3346a16229b6471d13
Conflict: NA
---
src/providers/ldap/ldap_child.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index 6ad2fb63a..6c167d239 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -367,12 +367,6 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
}
DEBUG(SSSDBG_CONF_SETTINGS, "Principal name is: [%s]\n", full_princ);
- krberr = krb5_parse_name(context, full_princ, &kprinc);
- if (krberr != 0) {
- DEBUG(SSSDBG_OP_FAILURE, "krb5_parse_name() failed: %d\n", krberr);
- goto done;
- }
-
if (keytab_name) {
krberr = krb5_kt_resolve(context, keytab_name, &keytab);
} else {
@@ -447,8 +441,14 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
goto done;
}
+ krberr = krb5_parse_name(context, full_princ, &kprinc);
+ if (krberr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "krb5_parse_name() failed: %d\n", krberr);
+ goto done;
+ }
krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc,
keytab, 0, NULL, options);
+ krb5_free_principal(context, kprinc);
if (krberr != 0) {
DEBUG(SSSDBG_OP_FAILURE,
"krb5_get_init_creds_keytab() failed: %d\n", krberr);
--
2.27.0


@ -0,0 +1,42 @@
From 230e7757a7805c7c530d0914936f353882bd504e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= <allopez@redhat.com>
Date: Fri, 10 Nov 2023 14:07:49 +0100
Subject: [PATCH] LOGROTATE: logrotate should also signal sssd_kcm
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
sssd_kcm is not registered with SSSD's monitor, so it is not signaled
when it must restart the log. Adding this command will directly signal
sssd_kcm (in addition to the monitor).
If sssd_kcm is also running in one or more containers, they will also
receive the signal. Because only the log files in the host where rotated,
the instances in the containers will go on using the same log files.
Nothing will happen except for the "Received SIGHUP. Rotating logfiles."
message in the log files. If we want to avoid this, we should implement
a PID file.
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
---
contrib/sssd.spec.in | 1 +
src/examples/logrotate | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/examples/logrotate b/src/examples/logrotate
index ecf0c6102..6e769451c 100644
--- a/src/examples/logrotate
+++ b/src/examples/logrotate
@@ -7,6 +7,7 @@
compress
delaycompress
postrotate
- /bin/kill -HUP `cat /var/run/sssd.pid 2>/dev/null` 2> /dev/null || true
+ /bin/kill -HUP `cat /var/run/sssd.pid 2>/dev/null` 2> /dev/null || true
+ /bin/pkill -HUP sssd_kcm 2> /dev/null || true
endscript
}
--
2.33.0
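Review bot: `/bin/pkill -HUP sssd_kcm` matches the pattern against process names as an extended regular expression, so any process whose name merely contains `sssd_kcm` would receive SIGHUP, not only the KCM responder. `/bin/pkill -x -HUP sssd_kcm 2> /dev/null || true` restricts the match to the exact process name. The description's caveat about containerised instances being signalled as well still applies with `-x`.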


@ -0,0 +1,39 @@
From eebb43def9e93c039203993c67148bfdc72c18ad Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Wed, 23 Aug 2023 15:15:26 -0400
Subject: [PATCH] Proxy: Avoid ldb_modify failed error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves the sysdb errors returned in the proxy provider
logs when proxy_fast_alias is True.
This extraneous memset call would overwrite the previously
returned pwd buffer, therefore an attempt was made to update
the user's SYSDB_PWD with an empty value causing the error.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/eebb43def9e93c039203993c67148bfdc72c18ad
Conflict: NA
---
src/providers/proxy/proxy_id.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c
index db6bbb2f0..9e7722eb0 100644
--- a/src/providers/proxy/proxy_id.c
+++ b/src/providers/proxy/proxy_id.c
@@ -1418,7 +1418,6 @@ static int get_initgr(TALLOC_CTX *mem_ctx,
}
uid = pwd->pw_uid;
- memset(buffer, 0, buflen);
/* Canonicalize the username in case it was actually an alias */
if (ctx->fast_alias == true) {
--
2.33.0


@ -0,0 +1,55 @@
From 18f378921ed95dfd6a5e373c87712f7935247d71 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 26 Apr 2024 14:04:50 +0200
Subject: [PATCH] RESPONDER: use proper context for getDomains()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Request was created on a long term responder context, but a callback
for this request tries to access memory that is allocated on a short
term client context. So if client disconnects before request is
completed, then callback dereferences already freed memory.
Resolves: https://github.com/SSSD/sssd/issues/7319
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reference:https://github.com/SSSD/sssd/commit/dc637c9730d0ba04a0d8aa2645ee537224cd4b19
Conflict:NA
---
src/responder/pac/pacsrv_cmd.c | 2 +-
src/responder/pam/pamsrv_cmd.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/responder/pac/pacsrv_cmd.c b/src/responder/pac/pacsrv_cmd.c
index e3aab88..29d5574 100644
--- a/src/responder/pac/pacsrv_cmd.c
+++ b/src/responder/pac/pacsrv_cmd.c
@@ -140,7 +140,7 @@ static errno_t pac_add_pac_user(struct cli_ctx *cctx)
ret = responder_get_domain_by_id(cctx->rctx, pr_ctx->user_dom_sid_str,
&pr_ctx->dom);
if (ret == EAGAIN || ret == ENOENT) {
- req = sss_dp_get_domains_send(cctx->rctx, cctx->rctx, true,
+ req = sss_dp_get_domains_send(cctx, cctx->rctx, true,
pr_ctx->domain_name);
if (req == NULL) {
ret = ENOMEM;
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 20c332b..1570304 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1510,7 +1510,7 @@ static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
ret = pam_forwarder_parse_data(cctx, pd);
if (ret == EAGAIN) {
- req = sss_dp_get_domains_send(cctx->rctx, cctx->rctx, true, pd->domain);
+ req = sss_dp_get_domains_send(cctx, cctx->rctx, true, pd->domain);
if (req == NULL) {
ret = ENOMEM;
} else {
--
2.33.0
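Review bot: The memory-context choice at `req = sss_dp_get_domains_send(cctx, cctx->rctx, true, ...)` is not explained at either call site, so nothing stops a later change from passing `cctx->rctx` again and reintroducing the use-after-free. A one-line comment such as `/* must be owned by cctx: the callback reads per-client state */` at both calls would record the constraint. Any other caller of sss_dp_get_domains_send() that allocates on `cctx->rctx` while its callback touches client data would have the same lifetime problem; none is visible in these hunks, so that is an inference worth a grep across the remaining responders.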


@ -0,0 +1,50 @@
From 2fd5374fdf78bc7330bd9e6f3b86bec86bdf592b Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Sat, 10 Jun 2023 16:28:23 +0200
Subject: [PATCH] SYSDB: in case (ignore_group_members == true) group is
actually complete
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Example workflow:
- SSSD client is enrolled into AD domain (Token-Groups are enabled)
- `id $user` is executed
- initgroups() is called for this user
- during processing of initgroups() sssd_be obtains a list of group SIDs
user is a member of, and then partially resolves those groups and adds
it to the local cache as "incomplete" (i.e. 'expired')
- as a next step `id` calls getgrnam() for every group in initgroups() list
- since groups are saved into the cache as "incomplete" (technically - "expired")
this again results in LDAP search of this group.
But if `ignore_group_members = true` this search doesn't provide
new information. "Incomplete" groups could be used instead.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/2fd5374fdf78bc7330bd9e6f3b86bec86bdf592b
Conflict: NA
---
src/db/sysdb_ops.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index d11d8d956..7a3c00213 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -2307,8 +2307,10 @@ int sysdb_add_incomplete_group(struct sss_domain_info *domain,
ret = sysdb_attrs_add_time_t(attrs, SYSDB_LAST_UPDATE, now);
if (ret) goto done;
+ /* in case (ignore_group_members == true) group is actually complete */
ret = sysdb_attrs_add_time_t(attrs, SYSDB_CACHE_EXPIRE,
- now-1);
+ domain->ignore_group_members ?
+ (now + domain->group_timeout) : (now-1));
if (ret) goto done;
ret = sysdb_attrs_add_bool(attrs, SYSDB_POSIX, posix);
--
2.27.0
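Review bot: The comment `/* in case (ignore_group_members == true) group is actually complete */` restates the condition rather than the reason. Something like `/* with ignore_group_members an LDAP lookup would add nothing beyond what is stored here, so cache the entry as fresh for group_timeout instead of marking it expired */` tells the next reader why an "incomplete" group may be cached as valid. sysdb_add_incomplete_group starts and ends outside the hunk.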


@ -0,0 +1,57 @@
From d24073823fa7d82726f631628923e9a5378d529d Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 18 Mar 2024 12:15:21 +0100
Subject: [PATCH] UTILS: inotify: avoid potential NULL deref
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes following error:
```
Error: STRING_NULL (CWE-170):
sssd-2.9.1/src/util/inotify.c:298: string_null_source: Function ""read"" does not terminate string ""ev_buf"". [Note: The source code implementation of the function has been overridden by a builtin model.]
sssd-2.9.1/src/util/inotify.c:316: var_assign_var: Assigning: ""ptr"" = ""ev_buf"". Both now point to the same unterminated string.
sssd-2.9.1/src/util/inotify.c:320: var_assign_var: Assigning: ""in_event"" = ""ptr"". Both now point to the same unterminated string.
sssd-2.9.1/src/util/inotify.c:327: string_null: Passing unterminated string ""in_event->name"" to ""process_dir_event"", which expects a null-terminated string.
# 325|
# 326| if (snctx->wctx->dir_wd == in_event->wd) {
# 327|-> ret = process_dir_event(snctx, in_event);
# 328| } else if (snctx->wctx->file_wd == in_event->wd) {
# 329| ret = process_file_event(snctx, in_event);
```
-- it might be unsafe to dereference `in_event->name`
if `in_event->len == 0`
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reference:https://github.com/SSSD/sssd/commit/4085ee07926303aa26e46dfcc6dec87776432c62
Conflict:NA
---
src/util/inotify.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/util/inotify.c b/src/util/inotify.c
index a3c33ed..8192cfd 100644
--- a/src/util/inotify.c
+++ b/src/util/inotify.c
@@ -233,9 +233,13 @@ static errno_t process_dir_event(struct snotify_ctx *snctx,
{
errno_t ret;
+ if (in_event->len == 0) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Not interested in nameless event\n");
+ return EOK;
+ }
+
DEBUG(SSSDBG_TRACE_ALL, "inotify name: %s\n", in_event->name);
- if (in_event->len == 0 \
- || strcmp(in_event->name, snctx->base_name) != 0) {
+ if (strcmp(in_event->name, snctx->base_name) != 0) {
DEBUG(SSSDBG_TRACE_FUNC, "Not interested in %s\n", in_event->name);
return EOK;
}
--
2.33.0
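Review bot: The guard is added only in process_dir_event, but the scan output quoted in the description shows the same `in_event` also reaching process_file_event (line 329), which this patch does not touch; if that function reads `in_event->name` it needs the same `len == 0` check. Per inotify(7) the `name` field is only present when `len` is non-zero, so the early return before the first DEBUG that prints the name is the right place for it. process_dir_event's signature is on the hunk header and its body ends outside the hunk.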


@ -0,0 +1,69 @@
From fcfffb5cf14ddd2ff28873e2274bca226441b40b Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Mon, 7 Aug 2023 18:51:54 +0200
Subject: [PATCH] UTILS: swap order of seteuid()/setegid()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Otherwise it fails with:
```
6906 16:40:32.455571 setresuid(-1, 996, -1) = 0
6906 16:40:32.455590 setresgid(-1, 993, -1) = -1 EPERM (Operation not permitted)
```
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/fcfffb5cf14ddd2ff28873e2274bca226441b40b
Conflict: NA
---
src/util/usertools.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/src/util/usertools.c b/src/util/usertools.c
index 40c141032..8084760a0 100644
--- a/src/util/usertools.c
+++ b/src/util/usertools.c
@@ -860,16 +860,17 @@ void sss_set_sssd_user_eid(void)
if (geteuid() == 0) {
sss_sssd_user_uid_and_gid(&uid, &gid);
- if (seteuid(uid) != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
- "Failed to set euid to %"SPRIuid": %s\n",
- uid, sss_strerror(errno));
- }
+
if (setegid(gid) != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
+ DEBUG(SSSDBG_IMPORTANT_INFO,
"Failed to set egid to %"SPRIgid": %s\n",
gid, sss_strerror(errno));
}
+ if (seteuid(uid) != EOK) {
+ DEBUG(SSSDBG_IMPORTANT_INFO,
+ "Failed to set euid to %"SPRIuid": %s\n",
+ uid, sss_strerror(errno));
+ }
}
}
@@ -877,12 +878,12 @@ void sss_restore_sssd_user_eid(void)
{
if (getuid() == 0) {
if (seteuid(getuid()) != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
+ DEBUG(SSSDBG_IMPORTANT_INFO,
"Failed to restore euid: %s\n",
sss_strerror(errno));
}
if (setegid(getgid()) != EOK) {
- DEBUG(SSSDBG_MINOR_FAILURE,
+ DEBUG(SSSDBG_IMPORTANT_INFO,
"Failed to restore egid: %s\n",
sss_strerror(errno));
}
--
2.27.0
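Review bot: A failed privilege drop in sss_set_sssd_user_eid is only logged and execution continues: if `setegid(gid)` fails the following `seteuid(uid)` still runs, leaving the process with the sssd euid but the root egid, and the void return gives callers no way to notice. The reordering itself is correct (the egid must change while the euid is still 0, and sss_restore_sssd_user_eid restores the euid first for the same reason), so the remaining gap is error propagation; if changing the signature is out of scope, skipping `seteuid()` when `setegid()` failed, or logging at SSSDBG_CRIT_FAILURE, would at least make the mixed state visible. The comparison `!= EOK` also relies on EOK being 0, since sete[ug]id() return -1 rather than an errno value; `== -1` states the contract directly.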


@ -0,0 +1,84 @@
From 4d841bf2060717171fecad628480c8f2bc03760d Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 1 Mar 2024 10:50:07 +0100
Subject: [PATCH] ad: refresh root domain when read directly
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the domain object of the forest root domain cannot be found in the
LDAP tree of the local AD domain SSSD tries to read the request data
from an LDAP server of the forest root domain directly. After reading
this data the information is stored in the cache but currently the
information about the domain store in memory is not updated with the
additional data. As a result e.g. the domain SID is missing in this data
and only becomes available after a restart where it is read from the
cache.
With this patch an unconditional refresh is triggered at the end of the
fallback code path.
Resolves: https://github.com/SSSD/sssd/issues/7250
Reviewed-by: Dan Lavu <dlavu@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference:https://github.com/SSSD/sssd/commit/0de6c33047ac7a2b5316ec5ec936d6b675671c53
Conflict:NA
---
src/providers/ad/ad_subdomains.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
index 5bddf9b..e6745ce 100644
--- a/src/providers/ad/ad_subdomains.c
+++ b/src/providers/ad/ad_subdomains.c
@@ -1389,7 +1389,7 @@ struct ad_get_root_domain_state {
static void ad_get_root_domain_done(struct tevent_req *subreq);
static void ad_check_root_domain_done(struct tevent_req *subreq);
static errno_t
-ad_get_root_domain_refresh(struct ad_get_root_domain_state *state);
+ad_get_root_domain_refresh(struct ad_get_root_domain_state *state, bool refresh);
struct tevent_req *
ad_check_domain_send(TALLOC_CTX *mem_ctx,
@@ -1571,7 +1571,7 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
return;
}
- ret = ad_get_root_domain_refresh(state);
+ ret = ad_get_root_domain_refresh(state, false);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n");
}
@@ -1664,7 +1664,7 @@ static void ad_check_root_domain_done(struct tevent_req *subreq)
state->reply_count = 1;
- ret = ad_get_root_domain_refresh(state);
+ ret = ad_get_root_domain_refresh(state, true);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "ad_get_root_domain_refresh() failed.\n");
}
@@ -1679,7 +1679,7 @@ done:
}
static errno_t
-ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
+ad_get_root_domain_refresh(struct ad_get_root_domain_state *state, bool refresh)
{
struct sss_domain_info *root_domain;
bool has_changes;
@@ -1695,7 +1695,7 @@ ad_get_root_domain_refresh(struct ad_get_root_domain_state *state)
goto done;
}
- if (has_changes) {
+ if (has_changes || refresh) {
ret = ad_subdom_reinit(state->sd_ctx);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "Could not reinitialize subdomains\n");
--
2.33.0
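Review bot: The new `bool refresh` parameter of ad_get_root_domain_refresh is not documented at the prototype or the definition, and the two call sites pass bare `false`/`true` literals, so the asymmetry is only understandable from the commit message. A comment on the definition such as `/* refresh: force ad_subdom_reinit() even when no changes were detected; set after the root domain was read directly from its own server */` would keep that knowledge in the code. The body of ad_get_root_domain_refresh continues past the last hunk.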


@ -0,0 +1,48 @@
From 67c11c2ebae843f7ddd6b857efa2e1f6449986f3 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 7 Jun 2023 10:45:59 +0200
Subject: [PATCH] ad: use sAMAccountName to lookup hosts
To determine which GPOs apply to the host running SSSD the full DN of
the host object in AD is needed. To fine this object we use the NetBIOS
name of the host which is stored in AD in the sAMAccountName attribute.
Using other attributes, e.g. if ldap_user_name is set to a different
attribute, will most probably cause a failure since those attributes are
not managed as expected for host object. As a result sAMAccountName
should be hardcoded here to avoid issues.
Resolves: https://github.com/SSSD/sssd/issues/6766
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/67c11c2ebae843f7ddd6b857efa2e1f6449986f3
Conflict: NA
---
src/providers/ad/ad_gpo.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 4b7bbf182..44e9cbb27 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -59,6 +59,7 @@
#define AD_AT_DN "distinguishedName"
#define AD_AT_UAC "userAccountControl"
+#define AD_AT_SAMACCOUNTNAME "sAMAccountName"
#define AD_AT_CONFIG_NC "configurationNamingContext"
#define AD_AT_GPLINK "gPLink"
#define AD_AT_GPOPTIONS "gpOptions"
@@ -2061,7 +2062,7 @@ ad_gpo_connect_done(struct tevent_req *subreq)
filter = talloc_asprintf(state,
"(&(objectclass=%s)(%s=%s))",
state->opts->user_map[SDAP_OC_USER].name,
- state->opts->user_map[SDAP_AT_USER_NAME].name,
+ AD_AT_SAMACCOUNTNAME,
sam_account_name);
if (filter == NULL) {
ret = ENOMEM;
--
2.27.0
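Review bot: The filter is still assembled with `talloc_asprintf` from `sam_account_name`, and nothing in this hunk shows that value passing through `sss_filter_sanitize()` before it is interpolated into `(%s=%s)`; hardcoding AD_AT_SAMACCOUNTNAME removes one variable part of the filter but not that one. The value comes from the local host's configuration, so exposure is limited, but if it is not sanitised earlier in ad_gpo_connect_done (outside this hunk) a sanitised copy, or a comment stating where it was sanitised, would settle the question. The new define follows the existing AD_AT_* convention.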


@ -0,0 +1,37 @@
From a997ee7bd9d259e7faf654cb94145c0135df02f8 Mon Sep 17 00:00:00 2001
From: licunlong <shenxiaogll@163.com>
Date: Fri, 29 Sep 2023 12:24:45 +0800
Subject: [PATCH] cli: caculate the wait_time in milliseconds
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The timeout we pass in is 300000ms, and we sleep 1s every
time we get a EAGAIN error, so we need to multiply 1000
for sleep_time.
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/a997ee7bd9d259e7faf654cb94145c0135df02f8
Conflict: NA
---
src/sss_client/common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/sss_client/common.c b/src/sss_client/common.c
index 53ff6e8e9..c80c8e74b 100644
--- a/src/sss_client/common.c
+++ b/src/sss_client/common.c
@@ -617,7 +617,7 @@ static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout
socklen_t errnosize;
struct pollfd pfd;
- wait_time += sleep_time;
+ wait_time += sleep_time * 1000;
ret = connect(sd, (struct sockaddr *)&nssaddr,
sizeof(nssaddr));
--
2.33.0


@ -0,0 +1,140 @@
From f0bba9d5178d18e7b08aaa58375916d111dfeb59 Mon Sep 17 00:00:00 2001
From: Tomas Halman <thalman@redhat.com>
Date: Tue, 26 Sep 2023 11:05:13 +0200
Subject: [PATCH] dyndns: PTR record updates separately
DNS server does not allow updates for different zones in one
single step. Those updates must be sent separately.
It is complicated and in some cases impossible to detect that
PTR updates does not fit into one zone because it often depends
on DNS server configuration.
With this patch PTR record updates are always sent separately.
Resolves: https://github.com/SSSD/sssd/issues/6956
Reviewed-by: Dan Lavu <dlavu@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/f0bba9d5178d18e7b08aaa58375916d111dfeb59
Conflict: NA
---
src/man/sssd-ad.5.xml | 5 +++++
src/man/sssd-ipa.5.xml | 5 +++++
src/providers/be_dyndns.c | 18 +++---------------
src/tests/cmocka/test_dyndns.c | 5 +++++
4 files changed, 18 insertions(+), 15 deletions(-)
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
index 65778124b..082e97e52 100644
--- a/src/man/sssd-ad.5.xml
+++ b/src/man/sssd-ad.5.xml
@@ -1262,6 +1262,11 @@ ad_gpo_map_deny = +my_pam_service
updated when updating the client's DNS records.
Applicable only when dyndns_update is true.
</para>
+ <para>
+ Note that <emphasis>dyndns_update_per_family</emphasis>
+ parameter does not apply for PTR record updates.
+ Those updates are always sent separately.
+ </para>
<para>
Default: True
</para>
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index aa6ff2380..4802ce866 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -286,6 +286,11 @@
PTR records automatically when forward records
are changed.
</para>
+ <para>
+ Note that <emphasis>dyndns_update_per_family</emphasis>
+ parameter does not apply for PTR record updates.
+ Those updates are always sent separately.
+ </para>
<para>
Default: False (disabled)
</para>
diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c
index 2de9a13a9..2c655ef1e 100644
--- a/src/providers/be_dyndns.c
+++ b/src/providers/be_dyndns.c
@@ -402,7 +402,7 @@ nsupdate_msg_add_ptr(char *update_msg, struct sss_iface_addr *addresses,
}
updateipv4 = talloc_asprintf_append(updateipv4,
- "update add %s %d in PTR %s.\n",
+ "update add %s %d in PTR %s.\nsend\n",
ptr, ttl, hostname);
break;
case AF_INET6:
@@ -415,7 +415,7 @@ nsupdate_msg_add_ptr(char *update_msg, struct sss_iface_addr *addresses,
}
}
updateipv6 = talloc_asprintf_append(updateipv6,
- "update add %s %d in PTR %s.\n",
+ "update add %s %d in PTR %s.\nsend\n",
ptr, ttl, hostname);
break;
}
@@ -426,21 +426,9 @@ nsupdate_msg_add_ptr(char *update_msg, struct sss_iface_addr *addresses,
}
}
- if (update_per_family && updateipv4[0] && updateipv6[0]) {
- /* update per family and both families present */
- return talloc_asprintf_append(update_msg,
- "%s"
- "send\n"
- "%s"
- "send\n",
- updateipv4,
- updateipv6);
- }
-
return talloc_asprintf_append(update_msg,
"%s"
- "%s"
- "send\n",
+ "%s",
updateipv4,
updateipv6);
}
diff --git a/src/tests/cmocka/test_dyndns.c b/src/tests/cmocka/test_dyndns.c
index 1ef5a9019..7526c16a8 100644
--- a/src/tests/cmocka/test_dyndns.c
+++ b/src/tests/cmocka/test_dyndns.c
@@ -663,11 +663,13 @@ void dyndns_test_create_ptr_msg(void **state)
assert_string_equal(msg,
"\nupdate delete 1.0.168.192.in-addr.arpa. in PTR\n"
"update add 1.0.168.192.in-addr.arpa. 1234 in PTR bran_stark.\n"
+ "send\n"
"update delete 2.0.168.192.in-addr.arpa. in PTR\n"
"update add 2.0.168.192.in-addr.arpa. 1234 in PTR bran_stark.\n"
"send\n"
"update delete 4.4.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.b.d.c.1.0.0.2.ip6.arpa. in PTR\n"
"update add 4.4.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.b.d.c.1.0.0.2.ip6.arpa. 1234 in PTR bran_stark.\n"
+ "send\n"
"update delete 5.5.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.b.d.c.1.0.0.2.ip6.arpa. in PTR\n"
"update add 5.5.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.b.d.c.1.0.0.2.ip6.arpa. 1234 in PTR bran_stark.\n"
"send\n");
@@ -680,10 +682,13 @@ void dyndns_test_create_ptr_msg(void **state)
assert_string_equal(msg,
"\nupdate delete 1.0.168.192.in-addr.arpa. in PTR\n"
"update add 1.0.168.192.in-addr.arpa. 1234 in PTR bran_stark.\n"
+ "send\n"
"update delete 2.0.168.192.in-addr.arpa. in PTR\n"
"update add 2.0.168.192.in-addr.arpa. 1234 in PTR bran_stark.\n"
+ "send\n"
"update delete 4.4.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.b.d.c.1.0.0.2.ip6.arpa. in PTR\n"
"update add 4.4.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.b.d.c.1.0.0.2.ip6.arpa. 1234 in PTR bran_stark.\n"
+ "send\n"
"update delete 5.5.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.b.d.c.1.0.0.2.ip6.arpa. in PTR\n"
"update add 5.5.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.b.d.c.1.0.0.2.ip6.arpa. 1234 in PTR bran_stark.\n"
"send\n");
--
2.33.0
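Review bot: With the per-family branch deleted, the `update_per_family` parameter of nsupdate_msg_add_ptr appears to have no remaining use in the function (its only visible read was in the removed block), which leaves an unused parameter and a signature that suggests behaviour the function no longer has; either drop it from the prototype and its caller or mark it as intentionally ignored. The change itself, a `send` after every PTR `update add`, matches the updated expectations in test_dyndns.c. The function begins before the first hunk, so an earlier use of the parameter cannot be ruled out from here.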


@ -0,0 +1,172 @@
From 8a8869994745429b3f5535a5d0b91f1d0b2fa723 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 29 Mar 2023 12:58:37 +0200
Subject: [PATCH] fail_over: protect against a segmentation fault
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
A missing server name in struct fo_server will cause a segmentation
fault. Currently it is unclear why the server name is missing at this
point. To avoid the segmentation fault it is checked before if the
server name is missing. Additionally the state of some internal
structures is added to the debug logs to help debugging why the server
name is missing.
Resolves: https://github.com/SSSD/sssd/issues/6659
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/8a8869994745429b3f5535a5d0b91f1d0b2fa723
Conflict: data_provider_fo.c
---
src/providers/data_provider_fo.c | 14 +++++++++
src/providers/fail_over.c | 53 ++++++++++++++++++++++++++++++++
src/providers/fail_over.h | 3 ++
3 files changed, 70 insertions(+)
diff --git a/src/external/sizes.m4 b/src/external/sizes.m4
index c4f00d66ff..0b6b630026 100644
--- a/src/external/sizes.m4
+++ b/src/external/sizes.m4
@@ -9,6 +9,7 @@ AC_CHECK_SIZEOF(long long)
AC_CHECK_SIZEOF(uid_t)
AC_CHECK_SIZEOF(gid_t)
AC_CHECK_SIZEOF(id_t)
+AC_CHECK_SIZEOF(time_t)
if test $ac_cv_sizeof_long_long -lt 8 ; then
AC_MSG_ERROR([SSSD requires long long of 64-bits])
diff --git a/src/util/sss_format.h b/src/util/sss_format.h
index 9a30417..a9f3770 100644
--- a/src/util/sss_format.h
+++ b/src/util/sss_format.h
@@ -64,5 +64,12 @@
# error Unexpected sizeof gid_t
#endif /* SIZEOF_GID_T */
+#if SIZEOF_TIME_T == 8
+# define SPRItime PRId64
+#elif SIZEOF_TIME_T == 4
+# define SPRItime PRId32
+#else
+# error Unexpected sizeof time_t
+#endif /*SIZEOF_TIME_T*/
#endif /* __SSS_FORMAT_H__ */
diff --git a/src/providers/data_provider_fo.c b/src/providers/data_provider_fo.c
index eca5f2f8e..b0aed54e9 100644
--- a/src/providers/data_provider_fo.c
+++ b/src/providers/data_provider_fo.c
@@ -594,6 +594,14 @@ fail:
tevent_req_error(req, ret);
}
+static void dump_be_svc_data(const struct be_svc_data *svc)
+{
+ DEBUG(SSSDBG_OP_FAILURE, "be_svc_data: name=[%s] last_good_srv=[%s] "
+ "last_good_port=[%d] last_status_change=[%"SPRItime"]\n",
+ svc->name, svc->last_good_srv, svc->last_good_port,
+ svc->last_status_change);
+}
+
errno_t be_resolve_server_process(struct tevent_req *subreq,
struct be_resolve_server_state *state,
struct tevent_req **new_subreq)
@@ -681,6 +689,12 @@ errno_t be_resolve_server_process(struct tevent_req *subreq,
DEBUG(SSSDBG_FUNC_DATA, "Found address for server %s: [%s] TTL %d\n",
fo_get_server_str_name(state->srv), ipaddr,
srvaddr->addr_list[0]->ttl);
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing server name.\n");
+ dump_be_svc_data(state->svc);
+ dump_fo_server(state->srv);
+ dump_fo_server_list(state->srv);
+ return ENOENT;
}
srv_status_change = fo_get_server_hostname_last_change(state->srv);
diff --git a/src/providers/fail_over.c b/src/providers/fail_over.c
index 9cb26838c..7cb642448 100644
--- a/src/providers/fail_over.c
+++ b/src/providers/fail_over.c
@@ -200,6 +200,59 @@ str_srv_data_status(enum srv_lookup_status status)
return "unknown SRV lookup status";
}
+static void dump_srv_data(const struct srv_data *srv_data)
+{
+ if (srv_data == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "srv_data is NULL\n");
+ return;
+ }
+
+ DEBUG(SSSDBG_OP_FAILURE, "srv_data: dns_domain [%s] discovery_domain [%s] "
+ "sssd_domain [%s] proto [%s] srv [%s] "
+ "srv_lookup_status [%s] ttl [%d] "
+ "last_status_change [%"SPRItime"]\n",
+ srv_data->dns_domain == NULL ? "dns_domain is NULL"
+ : srv_data->dns_domain,
+ srv_data->discovery_domain == NULL ? "discovery_domain is NULL"
+ : srv_data->discovery_domain,
+ srv_data->sssd_domain == NULL ? "sssd_domain is NULL"
+ : srv_data->sssd_domain,
+ srv_data->proto == NULL ? "proto is NULL"
+ : srv_data->proto,
+ srv_data->srv == NULL ? "srv is NULL"
+ : srv_data->srv,
+ str_srv_data_status(srv_data->srv_lookup_status),
+ srv_data->ttl, srv_data->last_status_change.tv_sec);
+}
+
+void dump_fo_server(const struct fo_server *srv)
+{
+ DEBUG(SSSDBG_OP_FAILURE, "fo_server: primary [%s] port [%d] "
+ "port_status [%s] common->name [%s].\n",
+ srv->primary ? "true" : "false", srv->port,
+ str_port_status(srv->port_status),
+ srv->common == NULL ? "common is NULL"
+ : (srv->common->name == NULL
+ ? "common->name is NULL"
+ : srv->common->name));
+ dump_srv_data(srv->srv_data);
+}
+
+void dump_fo_server_list(const struct fo_server *srv)
+{
+ const struct fo_server *s;
+
+ s = srv;
+ while (s->prev != NULL) {
+ s = s->prev;
+ }
+
+ while (s != NULL) {
+ dump_fo_server(s);
+ s = s->next;
+ }
+}
+
static const char *
str_server_status(enum server_status status)
{
diff --git a/src/providers/fail_over.h b/src/providers/fail_over.h
index 92a0456b5..36021ad6f 100644
--- a/src/providers/fail_over.h
+++ b/src/providers/fail_over.h
@@ -88,6 +88,9 @@ struct fo_options {
enum restrict_family family_order;
};
+void dump_fo_server(const struct fo_server *srv);
+void dump_fo_server_list(const struct fo_server *srv);
+
/*
* Create a new fail over context based on options passed in the
* opts parameter
--
2.27.0
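Review bot: The new dump helpers are inconsistent about NULL handling: dump_srv_data guards its argument, but dump_fo_server dereferences `srv` unconditionally, dump_fo_server_list walks `s->prev` without checking `srv`, and dump_be_svc_data passes `svc->name` and `svc->last_good_srv` to `%s` with no NULL fallback, in a branch that exists precisely because the state was found inconsistent. A guard such as `if (srv == NULL) { DEBUG(SSSDBG_OP_FAILURE, "fo_server is NULL\n"); return; }` at the top of both fo_server helpers, plus the same ternary fallbacks dump_srv_data already uses in dump_be_svc_data, would keep the diagnostic from crashing the process it is meant to explain. The diffstat lists three files, but the patch also touches src/external/sizes.m4 and src/util/sss_format.h to introduce SPRItime; since `#if SIZEOF_TIME_T == 8` falls through to `#error` when the macro is undefined, the package build must regenerate configure so that `AC_CHECK_SIZEOF(time_t)` actually runs.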


@ -0,0 +1,250 @@
From b033b0dda972e885f63234aa81dca317c8234c2c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Tue, 23 May 2023 12:21:44 +0200
Subject: [PATCH] ipa: correctly remove missing attributes on netgroup update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When a netgroup is updated, previously it did not remove the missing
attributes. This caused an issue especially when a member was removed.
Resolves: https://github.com/SSSD/sssd/issues/6652
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/b033b0dda972e885f63234aa81dca317c8234c2c
Conflict: NA
---
src/db/sysdb.c | 9 ++
src/db/sysdb.h | 1 +
src/providers/ipa/ipa_netgroups.c | 35 +++++++-
src/tests/system/tests/test_netgroups.py | 108 +++++++++++++++++++++++
4 files changed, 151 insertions(+), 2 deletions(-)
create mode 100644 src/tests/system/tests/test_netgroups.py
diff --git a/src/db/sysdb.c b/src/db/sysdb.c
index 649e79fca..1faa11b16 100644
--- a/src/db/sysdb.c
+++ b/src/db/sysdb.c
@@ -523,6 +523,15 @@ static int sysdb_attrs_add_val_int(struct sysdb_attrs *attrs,
return EOK;
}
+
+int sysdb_attrs_add_empty(struct sysdb_attrs *attrs, const char *name)
+{
+ struct ldb_message_element *el;
+
+ /* Calling this will create the element if it does not exist. */
+ return sysdb_attrs_get_el_ext(attrs, name, true, &el);
+}
+
int sysdb_attrs_add_val(struct sysdb_attrs *attrs,
const char *name, const struct ldb_val *val)
{
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 2f20692cc..887a9630e 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -398,6 +398,7 @@ enum sysdb_obj_type {
extern const char *sysdb_ts_cache_attrs[];
/* values are copied in the structure, allocated on "attrs" */
+int sysdb_attrs_add_empty(struct sysdb_attrs *attrs, const char *name);
int sysdb_attrs_add_val(struct sysdb_attrs *attrs,
const char *name, const struct ldb_val *val);
int sysdb_attrs_add_val_safe(struct sysdb_attrs *attrs,
diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c
index 52d90af4f..57f11a507 100644
--- a/src/providers/ipa/ipa_netgroups.c
+++ b/src/providers/ipa/ipa_netgroups.c
@@ -70,7 +70,10 @@ static errno_t ipa_save_netgroup(TALLOC_CTX *mem_ctx,
struct ldb_message_element *el;
struct sysdb_attrs *netgroup_attrs;
const char *name = NULL;
+ char **missing;
+ int missing_index;
int ret;
+ int i;
size_t c;
ret = sysdb_attrs_get_el(attrs,
@@ -90,6 +93,23 @@ static errno_t ipa_save_netgroup(TALLOC_CTX *mem_ctx,
goto fail;
}
+ missing = talloc_zero_array(netgroup_attrs, char *, attrs->num + 1);
+ if (missing == NULL) {
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ for (i = 0, missing_index = 0; i < attrs->num; i++) {
+ if (attrs->a[i].num_values == 0) {
+ missing[missing_index] = talloc_strdup(missing, attrs->a[i].name);
+ if (missing[missing_index] == NULL) {
+ ret = ENOMEM;
+ goto fail;
+ }
+ missing_index++;
+ }
+ }
+
ret = sysdb_attrs_get_el(attrs, SYSDB_ORIG_DN, &el);
if (ret) {
goto fail;
@@ -138,7 +158,6 @@ static errno_t ipa_save_netgroup(TALLOC_CTX *mem_ctx,
if (el->num_values == 0) {
DEBUG(SSSDBG_TRACE_LIBS,
"No original members for netgroup [%s]\n", name);
-
} else {
DEBUG(SSSDBG_TRACE_LIBS,
"Adding original members to netgroup [%s]\n", name);
@@ -173,7 +192,7 @@ static errno_t ipa_save_netgroup(TALLOC_CTX *mem_ctx,
DEBUG(SSSDBG_TRACE_FUNC, "Storing info for netgroup %s\n", name);
- ret = sysdb_add_netgroup(dom, name, NULL, netgroup_attrs, NULL,
+ ret = sysdb_add_netgroup(dom, name, NULL, netgroup_attrs, missing,
dom->netgroup_timeout, 0);
if (ret) goto fail;
@@ -866,6 +885,18 @@ static int ipa_netgr_process_all(struct ipa_get_netgroups_state *state)
hash_iterate(state->new_netgroups, extract_netgroups, state);
for (i = 0; i < state->netgroups_count; i++) {
+ /* Make sure these attributes always exist, so we can remove them if
+ * there are no members. */
+ ret = sysdb_attrs_add_empty(state->netgroups[i], SYSDB_NETGROUP_MEMBER);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_empty(state->netgroups[i], SYSDB_NETGROUP_TRIPLE);
+ if (ret != EOK) {
+ goto done;
+ }
+
/* load all its member netgroups, translate */
DEBUG(SSSDBG_TRACE_INTERNAL, "Extracting netgroup members of netgroup %d\n", i);
ret = sysdb_attrs_get_string_array(state->netgroups[i],
diff --git a/src/tests/system/tests/test_netgroups.py b/src/tests/system/tests/test_netgroups.py
new file mode 100644
index 000000000..6b6bc8e8b
--- /dev/null
+++ b/src/tests/system/tests/test_netgroups.py
@@ -0,0 +1,108 @@
+"""
+Netgroup tests.
+
+:requirement: netgroup
+"""
+
+from __future__ import annotations
+
+import pytest
+from sssd_test_framework.roles.client import Client
+from sssd_test_framework.roles.generic import GenericProvider
+from sssd_test_framework.topology import KnownTopologyGroup
+
+
+@pytest.mark.tier(1)
+@pytest.mark.ticket(gh=6652, bz=2162552)
+@pytest.mark.topology(KnownTopologyGroup.AnyProvider)
+def test_netgroups__add_remove_netgroup_triple(client: Client, provider: GenericProvider):
+ """
+ :title: Netgroup triple is correctly removed from cached record
+ :setup:
+ 1. Create local user "user-1"
+ 2. Create netgroup "ng-1"
+ 3. Add "(-,user-1,)" triple to the netgroup
+ 4. Start SSSD
+ :steps:
+ 1. Run "getent netgroup ng-1"
+ 2. Remove "(-,user-1,)" triple from "ng-1"
+ 3. Invalidate netgroup in cache "sssctl cache-expire -n ng-1"
+ 4. Run "getent netgroup ng-1"
+ :expectedresults:
+ 1. "(-,user-1,)" is present in the netgroup
+ 2. Triple was removed from the netgroup
+ 3. Cached record was invalidated
+ 4. "(-,user-1,)" is not present in the netgroup
+ :customerscenario: True
+ """
+ user = provider.user("user-1").add()
+ ng = provider.netgroup("ng-1").add().add_member(user=user)
+
+ client.sssd.start()
+
+ result = client.tools.getent.netgroup("ng-1")
+ assert result is not None
+ assert result.name == "ng-1"
+ assert len(result.members) == 1
+ assert "(-, user-1)" in result.members
+
+ ng.remove_member(user=user)
+ client.sssctl.cache_expire(netgroups=True)
+
+ result = client.tools.getent.netgroup("ng-1")
+ assert result is not None
+ assert result.name == "ng-1"
+ assert len(result.members) == 0
+
+
+@pytest.mark.tier(1)
+@pytest.mark.ticket(gh=6652, bz=2162552)
+@pytest.mark.topology(KnownTopologyGroup.AnyProvider)
+def test_netgroups__add_remove_netgroup_member(client: Client, provider: GenericProvider):
+ """
+ :title: Netgroup member is correctly removed from cached record
+ :setup:
+ 1. Create local user "user-1"
+ 2. Create local user "user-2"
+ 3. Create netgroup "ng-1"
+ 4. Create netgroup "ng-2"
+ 5. Add "(-,user-1,)" triple to the netgroup "ng-1"
+ 6. Add "(-,user-2,)" triple to the netgroup "ng-2"
+ 7. Add "ng-1" as a member to "ng-2"
+ 8. Start SSSD
+ :steps:
+ 1. Run "getent netgroup ng-2"
+ 2. Remove "ng-1" from "ng-2"
+ 3. Invalidate netgroup "ng-2" in cache "sssctl cache-expire -n ng-2"
+ 4. Run "getent netgroup ng-2"
+ :expectedresults:
+ 1. "(-,user-1,)", "(-,user-2,)" is present in the netgroup
+ 2. Netgroup member was removed from the netgroup
+ 3. Cached record was invalidated
+ 4. "(-,user-1,)" is not present in the netgroup, only "(-,user-2,)"
+ :customerscenario: True
+ """
+ u1 = provider.user("user-1").add()
+ u2 = provider.user("user-2").add()
+
+ ng1 = provider.netgroup("ng-1").add().add_member(user=u1)
+ ng2 = provider.netgroup("ng-2").add().add_member(user=u2, ng=ng1)
+
+ client.sssd.start()
+
+ result = client.tools.getent.netgroup("ng-2")
+ assert result is not None
+ assert result.name == "ng-2"
+ assert len(result.members) == 2
+ assert "(-, user-1)" in result.members
+ assert "(-, user-2)" in result.members
+
+ ng2.remove_member(ng=ng1)
+ client.sssctl.cache_expire(netgroups=True)
+
+ result = client.tools.getent.netgroup("ng-2")
+ assert result is not None
+ assert result.name == "ng-2"
+ assert len(result.members) == 1
+ assert "(-, user-1)" not in result.members
+ assert "(-, user-2)" in result.members
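Review bot: The docstrings describe the triple as `"(-,user-1,)"` while the assertions at the bottom of both tests compare against `"(-, user-1)"`, the form the framework's getent wrapper evidently returns; the expected-results sections should use the same spelling so they can be checked against the assertions, e.g. `1. "(-, user-1)" is present in the netgroup`. Likewise step 3 documents `sssctl cache-expire -n ng-1`, but the tests call `client.sssctl.cache_expire(netgroups=True)`, which expires every cached netgroup rather than the named one; either the docstring or the call should change so they agree.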
--
2.27.0


@ -0,0 +1,220 @@
From 26047f07c0f7aa61a44543de8674ec7d0904812e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Thu, 10 Aug 2023 13:16:51 +0200
Subject: [PATCH] ipa: do not go offline if group does not have SID
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This happens during applying overrides on cached group
during initgroups of trusted user. If the group does not
have SID (it's GID is outside the sidgen range), SSSD goes
offline.
Only SSSD running in server_mode is affected.
This patch ignores error in single group and rather continues
processing the remaining groups.
Resolves: https://github.com/SSSD/sssd/issues/6942
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/26047f07c0f7aa61a44543de8674ec7d0904812e
Conflict: NA
---
src/providers/ipa/ipa_id.c | 97 +++++++++----------
src/tests/system/tests/test_trust_identity.py | 61 ++++++++++++
2 files changed, 109 insertions(+), 49 deletions(-)
create mode 100644 src/tests/system/tests/test_trust_identity.py
diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c
index 636e07965..fcac56ce2 100644
--- a/src/providers/ipa/ipa_id.c
+++ b/src/providers/ipa/ipa_id.c
@@ -291,66 +291,65 @@ static int ipa_initgr_get_overrides_step(struct tevent_req *req)
int ret;
struct tevent_req *subreq;
const char *ipa_uuid;
+ const char *dn;
struct ipa_initgr_get_overrides_state *state = tevent_req_data(req,
struct ipa_initgr_get_overrides_state);
- DEBUG(SSSDBG_TRACE_LIBS,
- "Processing group %zu/%zu\n", state->group_idx, state->group_count);
+ for (; state->group_idx < state->group_count; state->group_idx++) {
+ dn = ldb_dn_get_linearized(state->groups[state->group_idx]->dn);
- if (state->group_idx >= state->group_count) {
- return EOK;
- }
+ DEBUG(SSSDBG_TRACE_LIBS, "Processing group %s (%zu/%zu)\n",
+ dn, state->group_idx, state->group_count);
- ipa_uuid = ldb_msg_find_attr_as_string(state->groups[state->group_idx],
- state->groups_id_attr, NULL);
- if (ipa_uuid == NULL) {
- /* This should never happen, the search filter used to get the list
- * of groups includes "uuid=*"
- */
- DEBUG(SSSDBG_OP_FAILURE,
- "The group %s has no UUID attribute %s, error!\n",
- ldb_dn_get_linearized(state->groups[state->group_idx]->dn),
- state->groups_id_attr);
- return EINVAL;
- }
+ ipa_uuid = ldb_msg_find_attr_as_string(state->groups[state->group_idx],
+ state->groups_id_attr, NULL);
+ if (ipa_uuid == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "The group %s has no UUID attribute %s, error!\n",
+ dn, state->groups_id_attr);
+ continue;
+ }
- talloc_free(state->ar); /* Avoid spiking memory with many groups */
+ talloc_free(state->ar); /* Avoid spiking memory with many groups */
- if (strcmp(state->groups_id_attr, SYSDB_UUID) == 0) {
- ret = get_dp_id_data_for_uuid(state, ipa_uuid,
- state->user_dom->name, &state->ar);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "get_dp_id_data_for_sid failed.\n");
- return ret;
- }
- } else if (strcmp(state->groups_id_attr, SYSDB_SID_STR) == 0) {
- ret = get_dp_id_data_for_sid(state, ipa_uuid,
- state->user_dom->name, &state->ar);
- if (ret != EOK) {
- DEBUG(SSSDBG_OP_FAILURE, "get_dp_id_data_for_sid failed.\n");
- return ret;
+ if (strcmp(state->groups_id_attr, SYSDB_UUID) == 0) {
+ ret = get_dp_id_data_for_uuid(state, ipa_uuid,
+ state->user_dom->name, &state->ar);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_dp_id_data_for_sid failed.\n");
+ return ret;
+ }
+ } else if (strcmp(state->groups_id_attr, SYSDB_SID_STR) == 0) {
+ ret = get_dp_id_data_for_sid(state, ipa_uuid,
+ state->user_dom->name, &state->ar);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_dp_id_data_for_sid failed.\n");
+ return ret;
+ }
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported groups ID type [%s].\n",
+ state->groups_id_attr);
+ return EINVAL;
}
- } else {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported groups ID type [%s].\n",
- state->groups_id_attr);
- return EINVAL;
- }
- DEBUG(SSSDBG_TRACE_LIBS, "Fetching group %s\n", ipa_uuid);
+ DEBUG(SSSDBG_TRACE_LIBS, "Fetching group %s: %s\n", dn, ipa_uuid);
- subreq = ipa_get_ad_override_send(state, state->ev,
- state->ipa_ctx->sdap_id_ctx,
- state->ipa_ctx->ipa_options,
- state->realm,
- state->ipa_ctx->view_name,
- state->ar);
- if (subreq == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_override_send failed.\n");
- return ENOMEM;
+ subreq = ipa_get_ad_override_send(state, state->ev,
+ state->ipa_ctx->sdap_id_ctx,
+ state->ipa_ctx->ipa_options,
+ state->realm,
+ state->ipa_ctx->view_name,
+ state->ar);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_override_send failed.\n");
+ return ENOMEM;
+ }
+ tevent_req_set_callback(subreq,
+ ipa_initgr_get_overrides_override_done, req);
+ return EAGAIN;
}
- tevent_req_set_callback(subreq,
- ipa_initgr_get_overrides_override_done, req);
- return EAGAIN;
+
+ return EOK;
}
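Review bot: With the missing-UUID case now tolerated by `continue`, the DEBUG line just above it still says `error!` at SSSDBG_OP_FAILURE, so every group outside the SID range will be logged as a failure although the request carries on; the message should say what actually happens, e.g. `"The group %s has no UUID attribute %s, skipping it.\n"`. The skip also happens before `talloc_free(state->ar)`, so the `state->ar` from the previously processed group lingers until the next group that is not skipped, which is harmless but deserves a comment. Correctness of the loop depends on ipa_initgr_get_overrides_override_done advancing `state->group_idx` before re-entering this step, which is outside the hunk.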
static void ipa_initgr_get_overrides_override_done(struct tevent_req *subreq)
diff --git a/src/tests/system/tests/test_trust_identity.py b/src/tests/system/tests/test_trust_identity.py
new file mode 100644
index 000000000..9076b8724
--- /dev/null
+++ b/src/tests/system/tests/test_trust_identity.py
@@ -0,0 +1,61 @@
+"""
+Identity of trusted users and groups.
+
+:requirement: IDM-SSSD-REQ: Testing SSSD in IPA Provider
+"""
+
+from __future__ import annotations
+
+import pytest
+from sssd_test_framework.roles.generic import GenericADProvider
+from sssd_test_framework.roles.ipa import IPA
+from sssd_test_framework.topology import KnownTopologyGroup
+
+
+@pytest.mark.importance("low")
+@pytest.mark.ticket(jira="RHEL-3925", gh=6942)
+@pytest.mark.topology(KnownTopologyGroup.IPATrust)
+def test_trust_identity__group_without_sid(ipa: IPA, trusted: GenericADProvider):
+ """
+ :title: Subdomain goes offline if IPA group is missing SID
+ :setup:
+ 1. Create IPA external group "external-group" and add AD user "Administrator" as a member
+ 2. Create IPA posix group "posix-group" and add "external-group" as a member
+ 3. Clear SSSD cache and logs on IPA server
+ 4. Restart SSSD on IPA server
+ :steps:
+ 1. Resolve user "Administrator@addomain"
+ 2. Expire user "Administrator@addomain"
+ 3. Resolve user "Administrator@addomain"
+ 4. Run "sssctl domain-status addomain"
+ :expectedresults:
+ 1. User is resolved and member of posix-group
+ 2. User is expired in SSSD cache
+ 3. User is resolved and member of posix-group
+ 4. The Active Directory domain is still online
+ :customerscenario: True
+ """
+ username = trusted.fqn("administrator")
+ external = ipa.group("external-group").add(external=True).add_member(username)
+ ipa.group("posix-group").add(gid=5001).add_member(external)
+
+ ipa.sssd.clear(db=True, memcache=True, logs=True)
+ ipa.sssd.restart()
+
+ # Cache trusted user
+ result = ipa.tools.id(username)
+ assert result is not None
+ assert result.user.name == username
+ assert result.memberof("posix-group")
+
+ # Expire the user and resolve it again, this will trigger the affected code path
+ ipa.sssctl.cache_expire(user=username)
+ result = ipa.tools.id(username)
+ assert result is not None
+ assert result.user.name == username
+ assert result.memberof("posix-group")
+
+ # Check that SSSD did not go offline
+ status = ipa.sssctl.domain_status(trusted.domain, online=True)
+ assert "online status: offline" not in status.stdout.lower()
+ assert "online status: online" in status.stdout.lower()
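Review bot: `gid=5001` in the setup is the whole point of the test — presumably a GID chosen to fall outside the sidgen range so the group gets no SID, as the patch description explains — but neither the docstring nor the call says so, and a reader could "fix" it to an in-range value and silently lose the regression coverage; add `# GID outside the ID range so the group gets no SID (gh=6942)` next to the `add(gid=5001)` call and mention it in setup step 2. The `:title:` describes the bug rather than the behaviour being verified; something like `Trusted domain stays online when an IPA group has no SID` matches the expected results listed below it.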
--
2.33.0


@ -0,0 +1,121 @@
From cffe6e09c6b4cd8afa049365bbd432ace5d2a9d9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 26 Oct 2023 14:09:48 +0200
Subject: [PATCH] nssidmap: fix sss_nss_getgrouplist_timeout() with empty
secondary group list
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
sss_nss_getgrouplist_timeout() is intended as a replacement for
getgrouplist() which only gets secondary groups from SSSD. Currently it
returns an ENOENT error if there are no secondary groups returned by
SSSD. However, as with getgrouplist(), there is the second parameter
which expects a single GID which will be added to the result. This means
that sss_nss_getgrouplist_timeout() will always return at least this GID
as a result and an ENOENT error does not make sense.
With this patch sss_nss_getgrouplist_timeout() will not return an error
anymore if there are no secondary groups but just a result with the
single GID from the second parameter.
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
---
src/sss_client/idmap/sss_nss_ex.c | 5 ++--
src/tests/cmocka/sss_nss_idmap-tests.c | 32 ++++++++++++++++++++++++++
2 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/src/sss_client/idmap/sss_nss_ex.c b/src/sss_client/idmap/sss_nss_ex.c
index b5230d6b7..24e2a6be9 100644
--- a/src/sss_client/idmap/sss_nss_ex.c
+++ b/src/sss_client/idmap/sss_nss_ex.c
@@ -241,8 +241,9 @@ static int sss_get_ex(struct nss_input *inp, uint32_t flags,
/* Get number of results from repbuf. */
SAFEALIGN_COPY_UINT32(&num_results, repbuf, NULL);
- /* no results if not found */
- if (num_results == 0) {
+ /* no results if not found, INITGR requests are handled separately */
+ if (num_results == 0 && inp->cmd != SSS_NSS_INITGR
+ && inp->cmd != SSS_NSS_INITGR_EX) {
ret = ENOENT;
goto out;
}
diff --git a/src/tests/cmocka/sss_nss_idmap-tests.c b/src/tests/cmocka/sss_nss_idmap-tests.c
index 880bab0e5..30b24a57e 100644
--- a/src/tests/cmocka/sss_nss_idmap-tests.c
+++ b/src/tests/cmocka/sss_nss_idmap-tests.c
@@ -30,6 +30,7 @@
#include "util/util.h"
#include "util/sss_endian.h"
+#define IPA_389DS_PLUGIN_HELPER_CALLS 1
#include "sss_client/idmap/sss_nss_idmap.h"
#include "tests/cmocka/common_mock.h"
@@ -50,6 +51,8 @@ uint8_t buf3[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x
uint8_t buf4[] = {0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 't', 'e', 's', 't', 'x'};
uint8_t buf_orig1[] = {0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 'k', 'e', 'y', 0x00, 'v', 'a', 'l', 'u', 'e', 0x00};
+
+uint8_t buf_initgr[] = {0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xde, 0x00, 0x00, 0x00};
#elif (__BYTE_ORDER == __BIG_ENDIAN)
uint8_t buf1[] = {0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 't', 'e', 's', 't', 0x00};
uint8_t buf2[] = {0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 't', 'e', 's', 't', 0x00};
@@ -57,10 +60,14 @@ uint8_t buf3[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x
uint8_t buf4[] = {0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 't', 'e', 's', 't', 'x'};
uint8_t buf_orig1[] = {0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 'k', 'e', 'y', 0x00, 'v', 'a', 'l', 'u', 'e', 0x00};
+
+uint8_t buf_initgr[] = {0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xde};
#else
#error "unknow endianess"
#endif
+uint8_t buf_initgr_no_gr[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
+
enum nss_status __wrap_sss_nss_make_request_timeout(enum sss_cli_command cmd,
struct sss_cli_req_data *rd,
int timeout,
@@ -148,12 +155,37 @@ void test_getorigbyname(void **state)
sss_nss_free_kv(kv_list);
}
+void test_sss_nss_getgrouplist_timeout(void **state)
+{
+ int ret;
+ gid_t groups[10];
+ int ngroups = sizeof(groups);
+ struct sss_nss_make_request_test_data d = {buf_initgr, sizeof(buf_initgr), 0, NSS_STATUS_SUCCESS};
+
+ will_return(__wrap_sss_nss_make_request_timeout, &d);
+ ret = sss_nss_getgrouplist_timeout("test", 111, groups, &ngroups, 0, 0);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(ngroups, 2);
+ assert_int_equal(groups[0], 111);
+ assert_int_equal(groups[1], 222);
+
+ d.repbuf = buf_initgr_no_gr;
+ d.replen = sizeof(buf_initgr_no_gr);
+
+ will_return(__wrap_sss_nss_make_request_timeout, &d);
+ ret = sss_nss_getgrouplist_timeout("test", 111, groups, &ngroups, 0, 0);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(ngroups, 1);
+ assert_int_equal(groups[0], 111);
+}
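Review bot: `int ngroups = sizeof(groups);` passes 40 — the byte size of a 10-element `gid_t` array — as its capacity, so a reply carrying more than ten groups would let `sss_nss_getgrouplist_timeout` write past the end of `groups`; the two replies used here carry one and zero groups, so the test only passes by luck. Use the element count, `int ngroups = sizeof(groups) / sizeof(groups[0]);`. `ngroups` is also an in/out parameter (the first call sets it to 2, as the assertion shows) and is not reset before the second call; that works because 2 >= 1, but the second call should reinitialise it explicitly so the test does not depend on the first call's result.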
+
int main(int argc, const char *argv[])
{
const struct CMUnitTest tests[] = {
cmocka_unit_test(test_getsidbyname),
cmocka_unit_test(test_getorigbyname),
+ cmocka_unit_test(test_sss_nss_getgrouplist_timeout),
};
return cmocka_run_group_tests(tests, NULL, NULL);
--
2.33.0


@ -0,0 +1,112 @@
From ae6b9163be0a5a8846e8dbf2e0da2c29221781b9 Mon Sep 17 00:00:00 2001
From: Petr Mikhalicin <pmikhalicin@rutoken.ru>
Date: Fri, 10 Nov 2023 15:24:48 +0600
Subject: [PATCH] pam_sss: fix passthrow of old authtok from another pam
modules at PAM_PRELIM_CHECK
pam_sss ignored old authtoks passed from another pam modules
Resolves: https://github.com/SSSD/sssd/issues/7007
Resolves: https://github.com/SSSD/sssd/issues/5418
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/sss_client/pam_sss.c | 75 ++++++++++++++++++++++++----------------
1 file changed, 45 insertions(+), 30 deletions(-)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index a1c353604..47f3f6bd3 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -2728,42 +2728,57 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
exp_data = NULL;
}
- /* we query for the old password during PAM_PRELIM_CHECK to make
- * pam_sss work e.g. with pam_cracklib */
if (pam_flags & PAM_PRELIM_CHECK) {
- if ( (getuid() != 0 || exp_data ) && !(flags & PAM_CLI_FLAGS_USE_FIRST_PASS)) {
- if (flags & PAM_CLI_FLAGS_USE_2FA
- || (pi->otp_vendor != NULL && pi->otp_token_id != NULL
- && pi->otp_challenge != NULL)) {
- if (pi->password_prompting) {
- ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "),
- _("Second Factor (optional): "));
- } else {
- ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "),
- _("Second Factor: "));
- }
+ if (getuid() == 0 && !exp_data )
+ return PAM_SUCCESS;
+
+ if (flags & PAM_CLI_FLAGS_USE_2FA
+ || (pi->otp_vendor != NULL && pi->otp_token_id != NULL
+ && pi->otp_challenge != NULL)) {
+ if (pi->password_prompting) {
+ ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "),
+ _("Second Factor (optional): "));
} else {
- ret = prompt_password(pamh, pi, _("Current Password: "));
+ ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "),
+ _("Second Factor: "));
}
- if (ret != PAM_SUCCESS) {
- D(("failed to get credentials from user"));
- return ret;
+ } else if ((flags & PAM_CLI_FLAGS_USE_FIRST_PASS)
+ && check_authtok_data(pamh, pi) != 0) {
+ if (pi->pamstack_oldauthtok == NULL) {
+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY;
+ pi->pam_authtok = NULL;
+ pi->pam_authtok_size = 0;
+ } else {
+ pi->pam_authtok = strdup(pi->pamstack_oldauthtok);
+ if (pi->pam_authtok == NULL) {
+ D(("strdup failed"));
+ return PAM_BUF_ERR;
+ }
+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
+ pi->pam_authtok_size = strlen(pi->pam_authtok);
}
+ ret = PAM_SUCCESS;
+ } else {
+ ret = prompt_password(pamh, pi, _("Current Password: "));
+ }
+ if (ret != PAM_SUCCESS) {
+ D(("failed to get credentials from user"));
+ return ret;
+ }
- ret = pam_set_item(pamh, PAM_OLDAUTHTOK, pi->pam_authtok);
- if (ret != PAM_SUCCESS) {
- D(("Failed to set PAM_OLDAUTHTOK [%s], "
- "oldauthtok may not be available",
- pam_strerror(pamh,ret)));
- return ret;
- }
+ ret = pam_set_item(pamh, PAM_OLDAUTHTOK, pi->pam_authtok);
+ if (ret != PAM_SUCCESS) {
+ D(("Failed to set PAM_OLDAUTHTOK [%s], "
+ "oldauthtok may not be available",
+ pam_strerror(pamh,ret)));
+ return ret;
+ }
- if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA) {
- ret = keep_authtok_data(pamh, pi);
- if (ret != 0) {
- D(("Failed to store authtok data to pam handle. Password "
- "change might fail."));
- }
+ if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA) {
+ ret = keep_authtok_data(pamh, pi);
+ if (ret != 0) {
+ D(("Failed to store authtok data to pam handle. Password "
+ "change might fail."));
}
}
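Review bot: The early return `if (getuid() == 0 && !exp_data ) return PAM_SUCCESS;` near the top of the hunk is the only unbraced control statement in this function and sits in a credential-handling branch; project style braces every body, `if (getuid() == 0 && !exp_data) { return PAM_SUCCESS; }`. In the new `PAM_CLI_FLAGS_USE_FIRST_PASS` branch `pi->pam_authtok` becomes a heap copy of the old password taken from the PAM stack and carries the same secret as the prompted path, so it must be wiped and freed on the same cleanup path as a prompted token (presumably the existing pam-items cleanup, outside the hunk) — a short comment at the `strdup` saying so would help. When use_first_pass is set but `check_authtok_data()` returns 0, control now falls through to `prompt_password`, whereas the old code never prompted under use_first_pass; if that is intended it deserves a comment, otherwise the condition needs a third branch. get_authtok_for_password_change starts and ends outside the hunk.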
--
2.33.0


@ -0,0 +1,55 @@
From cca9361d92501e0be34d264d370fe897a0c970af Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 9 Jun 2023 13:01:47 +0200
Subject: [PATCH] sbus: arm watchdog for sbus_connect_init_send()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
There seem to be conditions where the reply in the
sbus_call_DBus_Hello_send() request gets lost and the backend cannot
properly initialize its sbus/DBus server. Since the backend cannot be
connected by the frontends in this state the best way to recover would
be a restart. Since the event-loop is active in this state, e.g. waiting
for the reply, the watchdog will not consider the process as hung and
will not restart the process.
To make the watchdog handle this case arm_watchdog() and
disarm_watchdog() are called before and after the request, respectively.
Resolves: https://github.com/SSSD/sssd/issues/6803
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/cca9361d92501e0be34d264d370fe897a0c970af
Conflict: Makefile.am
---
src/sbus/connection/sbus_connection_connect.c | 4 ++++
1 files changed, 4 insertions(+)
diff --git a/src/sbus/connection/sbus_connection_connect.c b/src/sbus/connection/sbus_connection_connect.c
index 45a0fa491..edc090e15 100644
--- a/src/sbus/connection/sbus_connection_connect.c
+++ b/src/sbus/connection/sbus_connection_connect.c
@@ -67,6 +67,8 @@ sbus_connect_init_send(TALLOC_CTX *mem_ctx,
tevent_req_set_callback(subreq, sbus_connect_init_hello_done, req);
+ arm_watchdog();
+
return req;
}
@@ -111,6 +113,8 @@ static void sbus_connect_init_done(struct tevent_req *subreq)
uint32_t res;
errno_t ret;
+ disarm_watchdog();
+
req = tevent_req_callback_data(subreq, struct tevent_req);
ret = sbus_call_DBus_RequestName_recv(subreq, &res);
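Review bot: `disarm_watchdog()` is only called in sbus_connect_init_done, i.e. after the RequestName reply, while `arm_watchdog()` fires just before `sbus_connect_init_send` returns; if the Hello reply comes back as an error and sbus_connect_init_hello_done (outside the hunk) finishes the request without issuing RequestName, the watchdog appears to stay armed for a request that is already over, so every terminal path of the request should disarm it, or the disarm should move to a single completion point. A comment at the arm site would make the pairing visible: `/* armed until sbus_connect_init_done(): a lost Hello/RequestName reply must restart the backend */`. Both functions continue outside the view.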
--
2.27.0


@ -0,0 +1,407 @@
From 1e5dfc187c7659cca567d2f7d5592e72794ef13c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 4 Sep 2023 14:12:58 +0200
Subject: [PATCH] sss_iface: do not add cli_id to chain key
Otherwise we only chain identical requests from the same client
which effectively renders chaining not functional.
Resolves: https://github.com/SSSD/sssd/issues/6911
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/1e5dfc187c7659cca567d2f7d5592e72794ef13c
Conflict: NA
---
src/sss_iface/sbus_sss_client_async.c | 12 +++----
src/sss_iface/sbus_sss_interface.h | 24 ++++++-------
src/sss_iface/sbus_sss_keygens.c | 50 +++++++++++++--------------
src/sss_iface/sbus_sss_keygens.h | 10 +++---
src/sss_iface/sss_iface.xml | 12 +++----
5 files changed, 54 insertions(+), 54 deletions(-)
diff --git a/src/sss_iface/sbus_sss_client_async.c b/src/sss_iface/sbus_sss_client_async.c
index 042d1b7b3..5ca925283 100644
--- a/src/sss_iface/sbus_sss_client_async.c
+++ b/src/sss_iface/sbus_sss_client_async.c
@@ -1861,7 +1861,7 @@ sbus_call_dp_autofs_Enumerate_send
const char * arg_mapname,
uint32_t arg_cli_id)
{
- return sbus_method_in_usu_out__send(mem_ctx, conn, _sbus_sss_key_usu_0_1_2,
+ return sbus_method_in_usu_out__send(mem_ctx, conn, _sbus_sss_key_usu_0_1,
busname, object_path, "sssd.DataProvider.Autofs", "Enumerate", arg_dp_flags, arg_mapname, arg_cli_id);
}
@@ -1883,7 +1883,7 @@ sbus_call_dp_autofs_GetEntry_send
const char * arg_entryname,
uint32_t arg_cli_id)
{
- return sbus_method_in_ussu_out__send(mem_ctx, conn, _sbus_sss_key_ussu_0_1_2_3,
+ return sbus_method_in_ussu_out__send(mem_ctx, conn, _sbus_sss_key_ussu_0_1_2,
busname, object_path, "sssd.DataProvider.Autofs", "GetEntry", arg_dp_flags, arg_mapname, arg_entryname, arg_cli_id);
}
@@ -1904,7 +1904,7 @@ sbus_call_dp_autofs_GetMap_send
const char * arg_mapname,
uint32_t arg_cli_id)
{
- return sbus_method_in_usu_out__send(mem_ctx, conn, _sbus_sss_key_usu_0_1_2,
+ return sbus_method_in_usu_out__send(mem_ctx, conn, _sbus_sss_key_usu_0_1,
busname, object_path, "sssd.DataProvider.Autofs", "GetMap", arg_dp_flags, arg_mapname, arg_cli_id);
}
@@ -2142,7 +2142,7 @@ sbus_call_dp_dp_getAccountDomain_send
const char * arg_filter,
uint32_t arg_cli_id)
{
- return sbus_method_in_uusu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uusu_0_1_2_3,
+ return sbus_method_in_uusu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uusu_0_1_2,
busname, object_path, "sssd.dataprovider", "getAccountDomain", arg_dp_flags, arg_entry_type, arg_filter, arg_cli_id);
}
@@ -2170,7 +2170,7 @@ sbus_call_dp_dp_getAccountInfo_send
const char * arg_extra,
uint32_t arg_cli_id)
{
- return sbus_method_in_uusssu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uusssu_0_1_2_3_4_5,
+ return sbus_method_in_uusssu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uusssu_0_1_2_3_4,
busname, object_path, "sssd.dataprovider", "getAccountInfo", arg_dp_flags, arg_entry_type, arg_filter, arg_domain, arg_extra, arg_cli_id);
}
@@ -2267,7 +2267,7 @@ sbus_call_dp_dp_resolverHandler_send
const char * arg_filter_value,
uint32_t arg_cli_id)
{
- return sbus_method_in_uuusu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uuusu_0_1_2_3_4,
+ return sbus_method_in_uuusu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uuusu_0_1_2_3,
busname, object_path, "sssd.dataprovider", "resolverHandler", arg_dp_flags, arg_entry_type, arg_filter_type, arg_filter_value, arg_cli_id);
}
diff --git a/src/sss_iface/sbus_sss_interface.h b/src/sss_iface/sbus_sss_interface.h
index fc86c71d9..5b4d1c362 100644
--- a/src/sss_iface/sbus_sss_interface.h
+++ b/src/sss_iface/sbus_sss_interface.h
@@ -166,7 +166,7 @@
&_sbus_sss_args_sssd_DataProvider_Autofs_Enumerate, \
NULL, \
_sbus_sss_invoke_in_usu_out__send, \
- _sbus_sss_key_usu_0_1_2, \
+ _sbus_sss_key_usu_0_1, \
(handler), (data)); \
})
@@ -177,7 +177,7 @@
&_sbus_sss_args_sssd_DataProvider_Autofs_Enumerate, \
NULL, \
_sbus_sss_invoke_in_usu_out__send, \
- _sbus_sss_key_usu_0_1_2, \
+ _sbus_sss_key_usu_0_1, \
(handler_send), (handler_recv), (data)); \
})
@@ -188,7 +188,7 @@
&_sbus_sss_args_sssd_DataProvider_Autofs_GetEntry, \
NULL, \
_sbus_sss_invoke_in_ussu_out__send, \
- _sbus_sss_key_ussu_0_1_2_3, \
+ _sbus_sss_key_ussu_0_1_2, \
(handler), (data)); \
})
@@ -199,7 +199,7 @@
&_sbus_sss_args_sssd_DataProvider_Autofs_GetEntry, \
NULL, \
_sbus_sss_invoke_in_ussu_out__send, \
- _sbus_sss_key_ussu_0_1_2_3, \
+ _sbus_sss_key_ussu_0_1_2, \
(handler_send), (handler_recv), (data)); \
})
@@ -210,7 +210,7 @@
&_sbus_sss_args_sssd_DataProvider_Autofs_GetMap, \
NULL, \
_sbus_sss_invoke_in_usu_out__send, \
- _sbus_sss_key_usu_0_1_2, \
+ _sbus_sss_key_usu_0_1, \
(handler), (data)); \
})
@@ -221,7 +221,7 @@
&_sbus_sss_args_sssd_DataProvider_Autofs_GetMap, \
NULL, \
_sbus_sss_invoke_in_usu_out__send, \
- _sbus_sss_key_usu_0_1_2, \
+ _sbus_sss_key_usu_0_1, \
(handler_send), (handler_recv), (data)); \
})
@@ -522,7 +522,7 @@
&_sbus_sss_args_sssd_dataprovider_getAccountDomain, \
NULL, \
_sbus_sss_invoke_in_uusu_out_qus_send, \
- _sbus_sss_key_uusu_0_1_2_3, \
+ _sbus_sss_key_uusu_0_1_2, \
(handler), (data)); \
})
@@ -533,7 +533,7 @@
&_sbus_sss_args_sssd_dataprovider_getAccountDomain, \
NULL, \
_sbus_sss_invoke_in_uusu_out_qus_send, \
- _sbus_sss_key_uusu_0_1_2_3, \
+ _sbus_sss_key_uusu_0_1_2, \
(handler_send), (handler_recv), (data)); \
})
@@ -544,7 +544,7 @@
&_sbus_sss_args_sssd_dataprovider_getAccountInfo, \
NULL, \
_sbus_sss_invoke_in_uusssu_out_qus_send, \
- _sbus_sss_key_uusssu_0_1_2_3_4_5, \
+ _sbus_sss_key_uusssu_0_1_2_3_4, \
(handler), (data)); \
})
@@ -555,7 +555,7 @@
&_sbus_sss_args_sssd_dataprovider_getAccountInfo, \
NULL, \
_sbus_sss_invoke_in_uusssu_out_qus_send, \
- _sbus_sss_key_uusssu_0_1_2_3_4_5, \
+ _sbus_sss_key_uusssu_0_1_2_3_4, \
(handler_send), (handler_recv), (data)); \
})
@@ -632,7 +632,7 @@
&_sbus_sss_args_sssd_dataprovider_resolverHandler, \
NULL, \
_sbus_sss_invoke_in_uuusu_out_qus_send, \
- _sbus_sss_key_uuusu_0_1_2_3_4, \
+ _sbus_sss_key_uuusu_0_1_2_3, \
(handler), (data)); \
})
@@ -643,7 +643,7 @@
&_sbus_sss_args_sssd_dataprovider_resolverHandler, \
NULL, \
_sbus_sss_invoke_in_uuusu_out_qus_send, \
- _sbus_sss_key_uuusu_0_1_2_3_4, \
+ _sbus_sss_key_uuusu_0_1_2_3, \
(handler_send), (handler_recv), (data)); \
})
diff --git a/src/sss_iface/sbus_sss_keygens.c b/src/sss_iface/sbus_sss_keygens.c
index 1bffc1360..0bded60f8 100644
--- a/src/sss_iface/sbus_sss_keygens.c
+++ b/src/sss_iface/sbus_sss_keygens.c
@@ -90,87 +90,87 @@ _sbus_sss_key_ussu_0_1
}
const char *
-_sbus_sss_key_ussu_0_1_2_3
+_sbus_sss_key_ussu_0_1_2
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_ussu *args)
{
if (sbus_req->sender == NULL) {
- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%s:%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%s:%s",
sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
+ sbus_req->path, args->arg0, args->arg1, args->arg2);
}
- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%s:%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%s:%s",
sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
+ sbus_req->path, args->arg0, args->arg1, args->arg2);
}
const char *
-_sbus_sss_key_usu_0_1_2
+_sbus_sss_key_usu_0_1
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_usu *args)
{
if (sbus_req->sender == NULL) {
- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%s",
sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2);
+ sbus_req->path, args->arg0, args->arg1);
}
- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%s",
sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2);
+ sbus_req->path, args->arg0, args->arg1);
}
const char *
-_sbus_sss_key_uusssu_0_1_2_3_4_5
+_sbus_sss_key_uusssu_0_1_2_3_4
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_uusssu *args)
{
if (sbus_req->sender == NULL) {
- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%s:%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%s:%s",
sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4, args->arg5);
+ sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4);
}
- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%s:%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%s:%s",
sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4, args->arg5);
+ sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4);
}
const char *
-_sbus_sss_key_uusu_0_1_2_3
+_sbus_sss_key_uusu_0_1_2
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_uusu *args)
{
if (sbus_req->sender == NULL) {
- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s",
sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
+ sbus_req->path, args->arg0, args->arg1, args->arg2);
}
- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s",
sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
+ sbus_req->path, args->arg0, args->arg1, args->arg2);
}
const char *
-_sbus_sss_key_uuusu_0_1_2_3_4
+_sbus_sss_key_uuusu_0_1_2_3
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_uuusu *args)
{
if (sbus_req->sender == NULL) {
- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%" PRIu32 ":%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%" PRIu32 ":%s",
sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4);
+ sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
}
- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%" PRIu32 ":%s:%" PRIu32 "",
+ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%" PRIu32 ":%s",
sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member,
- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4);
+ sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3);
}
diff --git a/src/sss_iface/sbus_sss_keygens.h b/src/sss_iface/sbus_sss_keygens.h
index 8f09b46de..7e42c2c53 100644
--- a/src/sss_iface/sbus_sss_keygens.h
+++ b/src/sss_iface/sbus_sss_keygens.h
@@ -49,31 +49,31 @@ _sbus_sss_key_ussu_0_1
struct _sbus_sss_invoker_args_ussu *args);
const char *
-_sbus_sss_key_ussu_0_1_2_3
+_sbus_sss_key_ussu_0_1_2
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_ussu *args);
const char *
-_sbus_sss_key_usu_0_1_2
+_sbus_sss_key_usu_0_1
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_usu *args);
const char *
-_sbus_sss_key_uusssu_0_1_2_3_4_5
+_sbus_sss_key_uusssu_0_1_2_3_4
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_uusssu *args);
const char *
-_sbus_sss_key_uusu_0_1_2_3
+_sbus_sss_key_uusu_0_1_2
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_uusu *args);
const char *
-_sbus_sss_key_uuusu_0_1_2_3_4
+_sbus_sss_key_uuusu_0_1_2_3
(TALLOC_CTX *mem_ctx,
struct sbus_request *sbus_req,
struct _sbus_sss_invoker_args_uuusu *args);
diff --git a/src/sss_iface/sss_iface.xml b/src/sss_iface/sss_iface.xml
index 6709c4e48..82c65aa0b 100644
--- a/src/sss_iface/sss_iface.xml
+++ b/src/sss_iface/sss_iface.xml
@@ -91,18 +91,18 @@
<method name="GetMap">
<arg name="dp_flags" type="u" direction="in" key="1" />
<arg name="mapname" type="s" direction="in" key="2" />
- <arg name="cli_id" type="u" direction="in" key="3" />
+ <arg name="cli_id" type="u" direction="in" />
</method>
<method name="GetEntry">
<arg name="dp_flags" type="u" direction="in" key="1" />
<arg name="mapname" type="s" direction="in" key="2" />
<arg name="entryname" type="s" direction="in" key="3" />
- <arg name="cli_id" type="u" direction="in" key="4" />
+ <arg name="cli_id" type="u" direction="in" />
</method>
<method name="Enumerate">
<arg name="dp_flags" type="u" direction="in" key="1" />
<arg name="mapname" type="s" direction="in" key="2" />
- <arg name="cli_id" type="u" direction="in" key="3" />
+ <arg name="cli_id" type="u" direction="in" />
</method>
</interface>
@@ -133,7 +133,7 @@
<arg name="entry_type" type="u" direction="in" key="2" />
<arg name="filter_type" type="u" direction="in" key="3" />
<arg name="filter_value" type="s" direction="in" key="4" />
- <arg name="cli_id" type="u" direction="in" key="5" />
+ <arg name="cli_id" type="u" direction="in" />
<arg name="dp_error" type="q" direction="out" />
<arg name="error" type="u" direction="out" />
<arg name="error_message" type="s" direction="out" />
@@ -150,7 +150,7 @@
<arg name="filter" type="s" direction="in" key="3" />
<arg name="domain" type="s" direction="in" key="4" />
<arg name="extra" type="s" direction="in" key="5" />
- <arg name="cli_id" type="u" direction="in" key="6" />
+ <arg name="cli_id" type="u" direction="in" />
<arg name="dp_error" type="q" direction="out" />
<arg name="error" type="u" direction="out" />
<arg name="error_message" type="s" direction="out" />
@@ -159,7 +159,7 @@
<arg name="dp_flags" type="u" direction="in" key="1" />
<arg name="entry_type" type="u" direction="in" key="2" />
<arg name="filter" type="s" direction="in" key="3" />
- <arg name="cli_id" type="u" direction="in" key="4" />
+ <arg name="cli_id" type="u" direction="in" />
<arg name="dp_error" type="q" direction="out" />
<arg name="error" type="u" direction="out" />
<arg name="domain_name" type="s" direction="out" />
--
2.33.0


@ -0,0 +1,108 @@
From 75f2b35ad3b9256de905d05c5108400d35688554 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 9 Jun 2023 12:31:39 +0200
Subject: [PATCH] watchdog: add arm_watchdog() and disarm_watchdog() calls
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Those two new calls can be used if there are requests stuck by e.g.
waiting on replies where there is no other way to handle the timeout and
get the system back into a stable state. They should be only used as a
last resort.
Resolves: https://github.com/SSSD/sssd/issues/6803
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reference: https://github.com/SSSD/sssd/commit/75f2b35ad3b9256de905d05c5108400d35688554
Conflict: NA
---
src/util/util.h | 12 ++++++++++++
src/util/util_watchdog.c | 28 ++++++++++++++++++++++++++--
2 files changed, 38 insertions(+), 2 deletions(-)
diff --git a/src/util/util.h b/src/util/util.h
index 11dc40d57..02fd53237 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -791,6 +791,18 @@ int setup_watchdog(struct tevent_context *ev, int interval);
void teardown_watchdog(void);
int get_watchdog_ticks(void);
+/* The arm_watchdog() and disarm_watchdog() calls will disable and re-enable
+ * the watchdog reset, respectively. This means that after arm_watchdog() is
+ * called the watchdog will not be resetted anymore and it will kill the
+ * process if disarm_watchdog() wasn't called before.
+ * Those calls should only be used when there is no other way to handle
+ * waiting request and recover into a stable state.
+ * Those calls cannot be nested, i.e. after calling arm_watchdog() it should
+ * not be called a second time in a different request because then
+ * disarm_watchdog() will disable the watchdog coverage for both. */
+void arm_watchdog(void);
+void disarm_watchdog(void);
+
/* from files.c */
int sss_remove_tree(const char *root);
int sss_remove_subtree(const char *root);
diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c
index b1534e499..abafd94b9 100644
--- a/src/util/util_watchdog.c
+++ b/src/util/util_watchdog.c
@@ -40,6 +40,7 @@ struct watchdog_ctx {
time_t timestamp;
struct tevent_fd *tfd;
int pipefd[2];
+ bool armed; /* if 'true' ticks counter will not be reset */
} watchdog_ctx;
static void watchdog_detect_timeshift(void)
@@ -89,8 +90,13 @@ static void watchdog_event_handler(struct tevent_context *ev,
struct timeval current_time,
void *private_data)
{
- /* first thing reset the watchdog ticks */
- watchdog_reset();
+ if (!watchdog_ctx.armed) {
+ /* first thing reset the watchdog ticks */
+ watchdog_reset();
+ } else {
+ DEBUG(SSSDBG_IMPORTANT_INFO,
+ "Watchdog armed, process might be terminated soon.\n");
+ }
/* then set a new watchodg event */
watchdog_ctx.te = tevent_add_timer(ev, ev,
@@ -197,6 +203,7 @@ int setup_watchdog(struct tevent_context *ev, int interval)
watchdog_ctx.ev = ev;
watchdog_ctx.input_interval = interval;
watchdog_ctx.timestamp = time(NULL);
+ watchdog_ctx.armed = false;
ret = pipe(watchdog_ctx.pipefd);
if (ret == -1) {
@@ -264,3 +271,20 @@ int get_watchdog_ticks(void)
{
return __sync_add_and_fetch(&watchdog_ctx.ticks, 0);
}
+
+void arm_watchdog(void)
+{
+ if (watchdog_ctx.armed) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "arm_watchdog() is called although the watchdog is already armed. "
+ "This indicates a programming error and should be avoided because "
+ "it will most probably not work as expected.\n");
+ }
+
+ watchdog_ctx.armed = true;
+}
+
+void disarm_watchdog(void)
+{
+ watchdog_ctx.armed = false;
+}
--
2.27.0
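Review bot: disarm_watchdog() at the end of the util_watchdog.c hunk clears `armed` unconditionally, so a disarm issued by a request that never armed, or whose partner already disarmed, silently cancels the coverage that the util.h comment says must not overlap, while only the double-arm case gets a diagnostic. A mirrored check before the assignment would make the mismatch visible in the log: `if (!watchdog_ctx.armed) { DEBUG(SSSDBG_CRIT_FAILURE, "disarm_watchdog() called while the watchdog is not armed.\n"); }`. Within this hunk `armed` is only read from the tevent timer callback and written from the two new calls and setup_watchdog(), so a plain `bool` looks sufficient; if the signal-side tick handler (outside the hunk) ever consults it, it would need the same `__sync` access that `ticks` already uses. The util.h comment could also say "will not be reset anymore" rather than "resetted".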


@ -1,6 +1,6 @@
Name: sssd
Version: 2.6.1
Release: 10
Release: 15
Summary: System Security Services Daemon
License: GPLv3+ and LGPLv3+
URL: https://pagure.io/SSSD/sssd/
@ -20,6 +20,38 @@ Patch6010: backport-Fixed-pid-wrapping-in-sss_cli_check_socket.patch
Patch6011: backport-Fixed-the-problem-of-calling-getpid-and-lstat-twice-.patch
Patch6012: backport-AD-Do-not-use-the-shortcut-when-filter_groups-is-set.patch
Patch6013: backport-ad-skip-filtering-if-ad_enabled_domains-is-set.patch
Patch6014: backport-fail_over-protect-against-a-segmentation-fault.patch
Patch6015: backport-ipa-correctly-remove-missing-attributes-on-netgroup-.patch
Patch6016: backport-ad-use-sAMAccountName-to-lookup-hosts.patch
Patch6017: backport-KRB5-avoid-FORWARD_NULL.patch
Patch6018: backport-KRB5-fix-memory-leak-1.patch
Patch6019: backport-KRB5-fix-memory-leak-2.patch
Patch6020: backport-KRB5-avoid-RESOURCE_LEAK.patch
Patch6021: backport-KRB5-fixed-RESOURCE_LEAK.patch
Patch6022: backport-LDAP-fixed-RESOURCE_LEAK.patch
Patch6023: backport-LDAP-fixed-leak-of-kprinc.patch
Patch6024: backport-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch
Patch6025: backport-sbus-arm-watchdog-for-sbus_connect_init_send.patch
Patch6026: backport-SYSDB-in-case-ignore_group_members-true-group-is-act.patch
Patch6027: backport-KRB5-avoid-another-attempt-to-free-cc-in-done-sectio.patch
Patch6028: backport-CONFDB-check-the-return-values.patch
Patch6029: backport-UTILS-swap-order-of-seteuid-setegid.patch
Patch6030: backport-sss_iface-do-not-add-cli_id-to-chain-key.patch
Patch6031: backport-KCM-Remove-the-oldest-expired-credential-if-no-more-.patch
Patch6032: backport-Proxy-Avoid-ldb_modify-failed-error.patch
Patch6033: backport-cli-caculate-the-wait_time-in-milliseconds.patch
Patch6034: backport-dyndns-PTR-record-updates-separately.patch
Patch6035: backport-ipa-do-not-go-offline-if-group-does-not-have-SID.patch
Patch6036: backport-KCM-Display-in-the-log-the-limit-as-set-by-the-user.patch
Patch6037: backport-LOGROTATE-logrotate-should-also-signal-sssd_kcm.patch
Patch6038: backport-KCM-Fixed-a-wrong-check.patch
Patch6039: backport-pam_sss-fix-passthrow-of-old-authtok-from-another-pa.patch
Patch6040: backport-nssidmap-fix-sss_nss_getgrouplist_timeout-with-empty.patch
Patch6041: backport-KCM-Fix-a-memory-leak.patch
Patch6042: backport-CVE-2023-3758.patch
Patch6043: backport-UTILS-inotify-avoid-potential-NULL-deref.patch
Patch6044: backport-ad-refresh-root-domain-when-read-directly.patch
Patch6045: backport-RESPONDER-use-proper-context-for-getDomains.patch
Requires: python3-sssd = %{version}-%{release}
Requires: libldb
@ -527,6 +559,21 @@ fi
%systemd_postun_with_restart sssd.service
%changelog
* Tue Jun 18 2024 wangjiang <wangjiang37@h-partners.com> - 2.6.1-15
- backport upstream patches
* Fri Apr 19 2024 liweigang <liweiganga@uniontech.com> - 2.6.1-14
- fix CVE-2023-3758
* Thu Feb 22 2024 wangcheng <wangcheng156@huawei.com> - 2.6.1-13
- backport upstream patches
* Tue Nov 28 2023 wangcheng <wangcheng156@huawei.com> - 2.6.1-12
- backport upstream patches
* Fri Sep 22 2023 fuanan <fuanan3@h-partners.com> - 2.6.1-11
- backport upstream patches
* Wed Aug 2 2023 xuraoqing<xuraoqing@huawei.com> - 2.6.1-10
- backport upstream patch