From b725e7de609db6a56700a4a73eb7747d3d198f68 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 26 2015 12:01:47 +0000 Subject: import sssd-1.12.2-58.el7_1.6 --- diff --git a/SOURCES/0189-LDAP-unlink-ccname_file_dummy-if-there-is-an-error.patch b/SOURCES/0189-LDAP-unlink-ccname_file_dummy-if-there-is-an-error.patch new file mode 100644 index 0000000..41b000b --- /dev/null +++ b/SOURCES/0189-LDAP-unlink-ccname_file_dummy-if-there-is-an-error.patch 
@@ -0,0 +1,53 @@ +From 8d6ecbc445e5b08b1a03c7fab6ea4e4a24e033d8 Mon Sep 17 00:00:00 2001 +From: Daniel Hjorth +Date: Wed, 25 Feb 2015 13:07:35 -0700 +Subject: [PATCH 189/190] LDAP: unlink ccname_file_dummy if there is an error + +https://fedorahosted.org/sssd/ticket/2592 + +If there is an error after ccname_file_dummy is created but before it is +renamed then the file isn't removed. This can cause a lot of files to be +created and take up inodes in a filesystem. + +Reviewed-by: Jakub Hrozek +Reviewed-by: Sumit Bose +(cherry picked from commit 2b20ff2e33ad3993a9cad910c4b4b828513613df) +--- + src/providers/ldap/ldap_child.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c +index f7f8d1d2eab3f66fe4f7d09e50458b495739c1d2..bb61a61858abba90530150ba771053fb8abff14a 100644 +--- a/src/providers/ldap/ldap_child.c ++++ b/src/providers/ldap/ldap_child.c +@@ -491,16 +491,26 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, + "rename failed [%d][%s].\n", ret, strerror(ret)); + goto done; + } ++ ccname_file_dummy = NULL; + + krberr = 0; + *ccname_out = talloc_steal(memctx, ccname); + *expire_time_out = my_creds.times.endtime - kdc_time_offset; + + done: +- talloc_free(tmp_ctx); + if (krberr != 0) KRB5_SYSLOG(krberr); + if (keytab) krb5_kt_close(context, keytab); + if (context) krb5_free_context(context); ++ if (ccname_file_dummy) { ++ DEBUG(SSSDBG_TRACE_INTERNAL, "Unlinking [%s]\n", ccname_file_dummy); ++ ret = unlink(ccname_file_dummy); ++ if (ret == -1) { ++ ret = errno; ++ DEBUG(SSSDBG_MINOR_FAILURE, ++ "Unlink failed [%d][%s].\n", ret, strerror(ret)); ++ } ++ } ++ talloc_free(tmp_ctx); + return krberr; + } + +-- +2.1.0 + diff --git a/SOURCES/0190-selinux-Delete-existing-user-mapping-on-empty-defaul.patch b/SOURCES/0190-selinux-Delete-existing-user-mapping-on-empty-defaul.patch new file mode 100644 index 0000000..9101930 --- /dev/null 
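Review bot: The relocation of `talloc_free(tmp_ctx)` to after the new unlink block in `done:` is left unexplained, and a reader will assume it is a stray reorder; presumably `ccname_file_dummy` is allocated on `tmp_ctx`, so the order matters. Add a one-line comment above the unlink, `/* ccname_file_dummy lives on tmp_ctx; unlink it before the context is freed */`, and confirm that assumption against the allocation site, which is outside this hunk. The block also reads `ccname_file_dummy` on every path into `done:`, including early failures before it is assigned; its declaration is outside the hunk, and patch 0191 in this same import initializes it to NULL, so the two patches should not be applied separately. `ldap_child_get_tgt_sync` starts outside the hunk.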
+++ b/SOURCES/0190-selinux-Delete-existing-user-mapping-on-empty-defaul.patch 
@@ -0,0 +1,82 @@ +From 0f1b17391dce51ce149cafecf5dfe7acc1dc32cb Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Fri, 13 Feb 2015 17:57:35 +0100 +Subject: [PATCH 190/190] selinux: Delete existing user mapping on empty + default +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +https://fedorahosted.org/sssd/ticket/2587 + +The case of SELinux default user mapping being an empty string is valid, +it should translate into "pick the default context on the target +machine". + +In case the context is empty, we need to delete the per-user mapping from +the SELinux database to make sure the default is used. + +Reviewed-by: Michal Židek +Reviewed-by: Pavel Reichl +(cherry picked from commit 01f78f755fde63997ccfded71fb8395569b11430) +--- + src/providers/ipa/ipa_selinux.c | 14 ++++++++------ + src/providers/ipa/selinux_child.c | 10 +++++++++- + 2 files changed, 17 insertions(+), 7 deletions(-) + +diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c +index 133b679b6d518704ebb2bd901c64ac48170c9a0b..1172424cb3f6df06e6ecaa8914427f8f945a7251 100644 +--- a/src/providers/ipa/ipa_selinux.c ++++ b/src/providers/ipa/ipa_selinux.c +@@ -749,7 +749,7 @@ static errno_t choose_best_seuser(TALLOC_CTX *mem_ctx, + + /* If no maps match, we'll use the default SELinux user from the + * config */ +- seuser_mls_str = talloc_strdup(tmp_ctx, default_user); ++ seuser_mls_str = talloc_strdup(tmp_ctx, default_user ? 
default_user : ""); + if (seuser_mls_str == NULL) { + ret = ENOMEM; + goto done; +@@ -1373,11 +1373,13 @@ ipa_get_selinux_maps_offline(struct tevent_req *req) + return ENOMEM; + } + +- ret = sysdb_attrs_add_string(state->defaults, +- IPA_CONFIG_SELINUX_DEFAULT_USER_CTX, +- default_user); +- if (ret != EOK) { +- return ret; ++ if (default_user) { ++ ret = sysdb_attrs_add_string(state->defaults, ++ IPA_CONFIG_SELINUX_DEFAULT_USER_CTX, ++ default_user); ++ if (ret != EOK) { ++ return ret; ++ } + } + + ret = sysdb_attrs_add_string(state->defaults, +diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c +index d4670389667607972dd6f072b5ddfda5973e082b..2f79dea109752de09af1105495e1ca8db1e80680 100644 +--- a/src/providers/ipa/selinux_child.c ++++ b/src/providers/ipa/selinux_child.c +@@ -146,7 +146,15 @@ static int sc_set_seuser(const char *login_name, const char *seuser_name, + * the directories are created with the expected permissions + */ + old_mask = umask(0); +- ret = set_seuser(login_name, seuser_name, mls); ++ if (strcmp(seuser_name, "") == 0) { ++ /* An empty SELinux user should cause SSSD to use the system ++ * default. We need to remove the SELinux user from the DB ++ * in that case ++ */ ++ ret = del_seuser(login_name); ++ } else { ++ ret = set_seuser(login_name, seuser_name, mls); ++ } + umask(old_mask); + return ret; + } +-- +2.1.0 + diff --git a/SOURCES/0191-ldap_child-initialized-ccname_file_dummy.patch b/SOURCES/0191-ldap_child-initialized-ccname_file_dummy.patch new file mode 100644 index 0000000..da25e03 --- /dev/null +++ b/SOURCES/0191-ldap_child-initialized-ccname_file_dummy.patch 
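Review bot: In `sc_set_seuser` the new `del_seuser(login_name)` branch runs whenever the client sends an empty SELinux user, but nothing here shows what `del_seuser` returns when no per-user mapping exists yet; if it reports that as an error, the first login of a user with an empty default would fail rather than fall through to the system default. Confirm the return contract and, if needed, treat a missing mapping as success in this branch, e.g. a comment such as `/* no existing mapping is not an error: the system default already applies */` next to the handling. As a point of style, `strcmp(seuser_name, "") == 0` can be written `seuser_name[0] == '\0'`, which also makes the NULL-pointer hazard visible: `unpack_buffer` in this version still rejects a zero-length seuser, so the branch is only reachable once patch 0193 is applied. `sc_set_seuser` starts outside the hunk.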
@@ -0,0 +1,33 @@
+From 77e789f65ab6a5007945edc2a9650a7209358b9c Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Fri, 6 Mar 2015 11:27:36 +0100
+Subject: [PATCH 191/191] ldap_child: initialized ccname_file_dummy
+
+ccname_file_dummy is used in the done-block which is called before
+ccname_file_dummy is set to a value. This patch initializes
+ccname_file_dummy to NULL.
+
+Related to https://fedorahosted.org/sssd/ticket/2592
+
+Reviewed-by: Jakub Hrozek
+(cherry picked from commit cc0f9a541c5ecdad750a86b2de9baa1f07403e9e)
+---
+ src/providers/ldap/ldap_child.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
+index bb61a61858abba90530150ba771053fb8abff14a..822eb22b9c841f5c1b863cad087d65d7e63ae4ae 100644
+--- a/src/providers/ldap/ldap_child.c
++++ b/src/providers/ldap/ldap_child.c
+@@ -274,7 +274,7 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
+ int kdc_time_offset_usec;
+ int ret;
+ TALLOC_CTX *tmp_ctx;
+- char *ccname_file_dummy;
++ char *ccname_file_dummy = NULL;
+ char *ccname_file;
+ mode_t old_umask;
+ 
+-- 
+2.1.0
+
diff --git a/SOURCES/0192-ipa_selinux-Fix-warning-may-be-used-uninitialized.patch b/SOURCES/0192-ipa_selinux-Fix-warning-may-be-used-uninitialized.patch
new file mode 100644
index 0000000..4ad7eff
--- /dev/null
+++ b/SOURCES/0192-ipa_selinux-Fix-warning-may-be-used-uninitialized.patch
@@ -0,0 +1,36 @@
+From 448d1e38c9e97ba67041692dc03724e14bd3421a Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik
+Date: Fri, 13 Mar 2015 12:38:29 +0100
+Subject: [PATCH 192/193] ipa_selinux: Fix warning may be used uninitialized
+
+src/providers/ipa/ipa_selinux.c: In function 'ipa_selinux_handler_done':
+src/providers/ipa/ipa_selinux.c:927:16: error: 'sci' may be used uninitialized in this function [-Werror=maybe-uninitialized]
+ state->sci = sci;
+ ^
+src/providers/ipa/ipa_selinux.c:333:33: note: 'sci' was declared here
+ struct selinux_child_input *sci;
+ ^
+cc1: all warnings being treated as errors
+
+Reviewed-by: Jakub Hrozek
+(cherry picked from commit befd8f4639ecef8185e82092beae801d68fa7eae)
+---
+ src/providers/ipa/ipa_selinux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
+index 1172424cb3f6df06e6ecaa8914427f8f945a7251..0716536cdb3b34d386ed1a31e6a239a09173b25b 100644
+--- a/src/providers/ipa/ipa_selinux.c
++++ b/src/providers/ipa/ipa_selinux.c
+@@ -330,7 +330,7 @@ static void ipa_selinux_handler_done(struct tevent_req *req)
+ struct sysdb_attrs **hbac_rules = 0;
+ struct sysdb_attrs **best_match_maps;
+ struct map_order_ctx *map_order_ctx;
+- struct selinux_child_input *sci;
++ struct selinux_child_input *sci = NULL;
+ struct tevent_req *child_req;
+ 
+ ret = ipa_get_selinux_recv(req, breq, &map_count, &maps,
+-- 
+2.1.0
+
diff --git a/SOURCES/0193-selinux-Handle-setup-with-empty-default-and-no-confi.patch b/SOURCES/0193-selinux-Handle-setup-with-empty-default-and-no-confi.patch
new file mode 100644
index 0000000..4bbf745
--- /dev/null
+++ b/SOURCES/0193-selinux-Handle-setup-with-empty-default-and-no-confi.patch
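Review bot: Initializing `sci = NULL` silences the compiler, but the warning it quotes means there is a path on which `state->sci = sci;` executes without `sci` having been assigned; after this change that path stores NULL into `state->sci` instead of garbage, which only converts an uninitialized read into a possible NULL dereference further down unless every consumer checks it. The function body that assigns and consumes `sci` is outside this hunk, so confirm that either the flagged path is genuinely unreachable or the consumer of `state->sci` tolerates NULL, and record the answer next to the declaration, e.g. `struct selinux_child_input *sci = NULL; /* stays NULL when no mapping applies; consumer must check */`. `ipa_selinux_handler_done` starts outside the hunk.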
@@ -0,0 +1,83 @@ +From 1a04637d4c07762c44889963eb25a405d24397cf Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Thu, 12 Mar 2015 16:31:13 +0100 +Subject: [PATCH 193/193] selinux: Handle setup with empty default and no + configured rules +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +SSSD also needs to handle the setup where no rules match the machine and +the default has no MLS component. + +Related to: +https://fedorahosted.org/sssd/ticket/2587 + +Reviewed-by: Michal Židek +(cherry picked from commit 3e6dac8e14f8a3da6d359ee013453dbd8a38dd99) +(cherry picked from commit 4b6ee69fb1f713aae125b0fc2d345846e7a0d642) +--- + src/providers/ipa/ipa_selinux.c | 4 ++-- + src/providers/ipa/selinux_child.c | 10 ++++++++-- + 2 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c +index 0716536cdb3b34d386ed1a31e6a239a09173b25b..899dd07105a98faac9430211404499911434f6d6 100644 +--- a/src/providers/ipa/ipa_selinux.c ++++ b/src/providers/ipa/ipa_selinux.c +@@ -808,7 +808,7 @@ selinux_child_setup(TALLOC_CTX *mem_ctx, + { + errno_t ret; + char *seuser; +- char *mls_range; ++ const char *mls_range; + char *ptr; + char *username; + char *username_final; +@@ -834,7 +834,7 @@ selinux_child_setup(TALLOC_CTX *mem_ctx, + } + if (*ptr == '\0') { + /* No mls_range specified */ +- mls_range = NULL; ++ mls_range = ""; + } else { + *ptr = '\0'; /* split */ + mls_range = ptr + 1; +diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c +index 2f79dea109752de09af1105495e1ca8db1e80680..abcb93b1a76783fd048ddebc976830ac42e1f757 100644 +--- a/src/providers/ipa/selinux_child.c ++++ b/src/providers/ipa/selinux_child.c +@@ -49,7 +49,9 @@ static errno_t unpack_buffer(uint8_t *buf, + SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p); + DEBUG(SSSDBG_TRACE_INTERNAL, "seuser length: %d\n", len); + if (len == 0) { +- return EINVAL; ++ ibuf->seuser = ""; 
++ DEBUG(SSSDBG_TRACE_INTERNAL, ++ "Empty SELinux user, will delete the mapping\n"); + } else { + if ((p + len ) > size) return EINVAL; + ibuf->seuser = talloc_strndup(ibuf, (char *)(buf + p), len); +@@ -62,7 +64,10 @@ static errno_t unpack_buffer(uint8_t *buf, + SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p); + DEBUG(SSSDBG_TRACE_INTERNAL, "mls_range length: %d\n", len); + if (len == 0) { +- return EINVAL; ++ if (strcmp(ibuf->seuser, "") != 0) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "No MLS mapping!\n"); ++ return EINVAL; ++ } + } else { + if ((p + len ) > size) return EINVAL; + ibuf->mls_range = talloc_strndup(ibuf, (char *)(buf + p), len); +@@ -75,6 +80,7 @@ static errno_t unpack_buffer(uint8_t *buf, + SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p); + DEBUG(SSSDBG_TRACE_INTERNAL, "username length: %d\n", len); + if (len == 0) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "No username set!\n"); + return EINVAL; + } else { + if ((p + len ) > size) return EINVAL; +-- +2.1.0 + diff --git a/SOURCES/0194-IPA-idviews-check-if-view-name-is-set.patch b/SOURCES/0194-IPA-idviews-check-if-view-name-is-set.patch new file mode 100644 index 0000000..0aa0958 --- /dev/null +++ b/SOURCES/0194-IPA-idviews-check-if-view-name-is-set.patch 
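Review bot: In the first `unpack_buffer` hunk the new `ibuf->seuser = "";` stores a string-literal pointer into a field whose other branch receives a `talloc_strndup(ibuf, ...)` result, so the field now has two different ownership regimes; if anything later frees, reparents or writes through `ibuf->seuser`, the literal case is undefined behaviour, and the field's declared type (outside the hunk) may not even be `const`. Use `ibuf->seuser = talloc_strdup(ibuf, "");` with the same NULL check the else branch presumably has, so ownership stays uniform. In the second hunk, when the seuser is empty and the mls length is zero, `ibuf->mls_range` is never assigned, which is only safe if `ibuf` was zero-allocated; that allocation is outside the hunk, so confirm it or assign `ibuf->mls_range = NULL;` explicitly in that branch. The same pattern applies to `mls_range = "";` in `selinux_child_setup`, where the change to `const char *` at least makes the literal assignment type-correct. `unpack_buffer` starts outside the hunk.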
@@ -0,0 +1,50 @@ +From 4127df0800a5d4be30fa28ee01df6e68aedc5aa4 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 17 Mar 2015 11:08:05 +0100 +Subject: [PATCH 194/194] IPA idviews: check if view name is set + +When working with older FreeIPA releases the view name might not always +been set. This patch add checks to might sure it is only dereferenced +when set. + +Resolves https://fedorahosted.org/sssd/ticket/2604 + +Reviewed-by: Jakub Hrozek +(cherry picked from commit 8be0cf3eea892e13410c13abb030322599ca1b4f) +--- + src/providers/ipa/ipa_s2n_exop.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c +index 18f2a867df3ad705008537843ea94e38dab0006e..f546067fae4ff45f976885f3b650866b292a3b8a 100644 +--- a/src/providers/ipa/ipa_s2n_exop.c ++++ b/src/providers/ipa/ipa_s2n_exop.c +@@ -1027,7 +1027,8 @@ static void ipa_s2n_get_fqlist_next(struct tevent_req *subreq) + goto fail; + } + +- if (strcmp(state->ipa_ctx->view_name, SYSDB_DEFAULT_VIEW_NAME) == 0) { ++ if (state->ipa_ctx->view_name == NULL || ++ strcmp(state->ipa_ctx->view_name, SYSDB_DEFAULT_VIEW_NAME) == 0) { + ret = ipa_s2n_get_fqlist_save_step(req); + if (ret == EOK) { + tevent_req_done(req); +@@ -1602,6 +1603,7 @@ static void ipa_s2n_get_user_done(struct tevent_req *subreq) + } + + if (ret == ENOENT ++ || state->ipa_ctx->view_name == NULL + || strcmp(state->ipa_ctx->view_name, + SYSDB_DEFAULT_VIEW_NAME) == 0) { + ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs, +@@ -2211,6 +2213,7 @@ static void ipa_s2n_get_fqlist_done(struct tevent_req *subreq) + } + + if (state->override_attrs == NULL ++ && state->ipa_ctx->view_name != NULL + && strcmp(state->ipa_ctx->view_name, + SYSDB_DEFAULT_VIEW_NAME) != 0) { + subreq = ipa_get_ad_override_send(state, state->ev, +-- +2.1.0 + 
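Review bot: The same NULL-or-default test on `state->ipa_ctx->view_name` is now spelled out in three places (`ipa_s2n_get_fqlist_next`, `ipa_s2n_get_user_done`, `ipa_s2n_get_fqlist_done`), once in positive and twice in negated form, which is the kind of duplication that lets a fourth call site dereference the pointer unchecked later. A small file-local predicate would carry the rule in one place and make the three conditions read the same way; the sites would then become `if (is_default_view(state->ipa_ctx->view_name)) {` and `&& !is_default_view(state->ipa_ctx->view_name)` respectively. All three enclosing functions start and end outside the hunk, so the helper needs a declaration before the first use.

```c
/* A missing view name (older FreeIPA servers) is treated as the default view. */
static bool is_default_view(const char *view_name)
{
    return view_name == NULL
           || strcmp(view_name, SYSDB_DEFAULT_VIEW_NAME) == 0;
}

/* … unchanged: ipa_s2n_get_fqlist_next, ipa_s2n_get_user_done, ipa_s2n_get_fqlist_done bodies, with the three conditions replaced by is_default_view() calls … */
```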
diff --git a/SOURCES/0195-IPA-make-sure-output-variable-is-set.patch b/SOURCES/0195-IPA-make-sure-output-variable-is-set.patch
new file mode 100644
index 0000000..d5bba63
--- /dev/null
+++ b/SOURCES/0195-IPA-make-sure-output-variable-is-set.patch
@@ -0,0 +1,29 @@
+From 9a12e4166ff96b659bd6bfd606ba7de87a9e95d3 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Thu, 19 Mar 2015 14:26:26 +0100
+Subject: [PATCH 195/196] IPA: make sure output variable is set
+
+Reviewed-by: Pavel Reichl
+(cherry picked from commit abb093b4ae10f2a5748bf9f194bf76794002eba0)
+---
+ src/providers/ipa/ipa_s2n_exop.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
+index f546067fae4ff45f976885f3b650866b292a3b8a..7e2b70b953075d33df10ea614c55ce5d25f49b9b 100644
+--- a/src/providers/ipa/ipa_s2n_exop.c
++++ b/src/providers/ipa/ipa_s2n_exop.c
+@@ -1244,7 +1244,9 @@ static errno_t process_members(struct sss_domain_info *domain,
+ 
+ if (members == NULL) {
+ DEBUG(SSSDBG_TRACE_INTERNAL, "No members\n");
+- *_missing_members = NULL;
++ if (_missing_members != NULL) {
++ *_missing_members = NULL;
++ }
+ return EOK;
+ }
+ 
+-- 
+2.1.0
+
diff --git a/SOURCES/0196-IPA-set-EINVAL-if-dn-can-t-be-linearized.patch b/SOURCES/0196-IPA-set-EINVAL-if-dn-can-t-be-linearized.patch
new file mode 100644
index 0000000..c040fef
--- /dev/null
+++ b/SOURCES/0196-IPA-set-EINVAL-if-dn-can-t-be-linearized.patch
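Review bot: Guarding `*_missing_members = NULL` with `if (_missing_members != NULL)` only on this early-return path leaves it unclear whether a NULL out-parameter is part of `process_members`'s contract or a one-off; the function's other writes to `*_missing_members`, which are outside the hunk, would need the same guard or the caller that passes NULL will still crash on the path that actually finds members. Either make every write go through the same check or state the contract at the top of the function, e.g. `/* _missing_members may be NULL when the caller does not need the list */`, and confirm that the remaining writes honour it. `process_members` starts and ends outside the hunk.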
@@ -0,0 +1,26 @@ +From 424f26892d1b2587a806694820babf5754b8db66 Mon Sep 17 00:00:00 2001 +From: Pavel Reichl +Date: Thu, 19 Mar 2015 10:21:21 -0400 +Subject: [PATCH 196/196] IPA: set EINVAL if dn can't be linearized + +Reviewed-by: Sumit Bose +(cherry picked from commit 131da4d9f40e0e407d7bcae18ff16507976bc6c7) +--- + src/providers/ipa/ipa_s2n_exop.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c +index 7e2b70b953075d33df10ea614c55ce5d25f49b9b..292f174257fbf6f6ebc8db6d1eb38cb4b5349b81 100644 +--- a/src/providers/ipa/ipa_s2n_exop.c ++++ b/src/providers/ipa/ipa_s2n_exop.c +@@ -1284,6 +1284,7 @@ static errno_t process_members(struct sss_domain_info *domain, + dn_str = ldb_dn_get_linearized(msg->dn); + if (dn_str == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_get_linearized failed.\n"); ++ ret = EINVAL; + goto done; + } + +-- +2.1.0 + diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index 72599fc..854a9be 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -23,7 +23,7 @@ Name: sssd Version: 1.12.2 -Release: 58%{?dist} +Release: 58%{?dist}.6 Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ 
@@ -220,6 +220,14 @@ Patch0185: 0185-IPA-Resolve-IPA-user-groups-overrideDN-in-non-defaul.patch Patch0186: 0186-ipa_s2n_save_objects-properly-handle-fully-qualified.patch Patch0187: 0187-AD-use-GC-for-SID-requests-as-well.patch Patch0188: 0188-fill_id-fix-LE-BE-issue-with-wrong-data-type.patch +Patch0189: 0189-LDAP-unlink-ccname_file_dummy-if-there-is-an-error.patch +Patch0190: 0190-selinux-Delete-existing-user-mapping-on-empty-defaul.patch +Patch0191: 0191-ldap_child-initialized-ccname_file_dummy.patch +Patch0192: 0192-ipa_selinux-Fix-warning-may-be-used-uninitialized.patch +Patch0193: 0193-selinux-Handle-setup-with-empty-default-and-no-confi.patch +Patch0194: 0194-IPA-idviews-check-if-view-name-is-set.patch +Patch0195: 0195-IPA-make-sure-output-variable-is-set.patch +Patch0196: 0196-IPA-set-EINVAL-if-dn-can-t-be-linearized.patch ### Dependencies ### 
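Review bot: The eight new `PatchNNNN:` declarations are only effective if the `%prep` section applies every declared patch (a `%patches` loop or `%autopatch`); if the spec instead lists explicit `%patchNNNN -p1` lines, the sources would build without these fixes and the changelog entries below would be wrong. `%prep` is not in this diff, so confirm which mechanism it uses, and if it is the explicit form, add the matching `%patch0189 -p1` through `%patch0196 -p1` lines in the same change. The numbering continues the existing 0185–0188 sequence, which matches the filenames added under SOURCES/.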
@@ -1085,6 +1093,33 @@ fi /usr/bin/rm -f /var/tmp/sssd.upgrade || : %changelog +* Thu Mar 19 2015 Jakub Hrozek - 1.12.2-58.6 +- Initialize variable in the views code in one success and one failure path +- Resolves: rhbz#1203365 - sssd_be segfault on IPA(when auth with AD + trusted domain) client at + src/providers/ipa/ipa_s2n_exop.c:1605 + +* Tue Mar 17 2015 Jakub Hrozek - 1.12.2-58.5 +- Resolves: rhbz#1203365 - sssd_be segfault on IPA(when auth with AD + trusted domain) client at + src/providers/ipa/ipa_s2n_exop.c:1605 + +* Tue Mar 17 2015 Jakub Hrozek - 1.12.2-58.4 +- Handle case where there is no default and no rules +- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security + context on client is staff_u + +* Thu Mar 5 2015 Jakub Hrozek - 1.12.2-58.3 +- Set a pointer in ldap_child to NULL to avoid warnings +- Related: rhbz#1198759 - ccname_file_dummy is not unlinked on error + +* Thu Mar 5 2015 Jakub Hrozek - 1.12.2-58.2 +- Resolves: rhbz#1199143 - With empty ipaselinuxusermapdefault security + context on client is staff_u + +* Thu Mar 5 2015 Jakub Hrozek - 1.12.2-58.1 +- Resolves: rhbz#1198759 - ccname_file_dummy is not unlinked on error + * Tue Feb 3 2015 Jakub Hrozek - 1.12.2-57 - Run the restart in sssd-common posttrans - Explicitly require libwbclient