diff --git a/SOURCES/0187-RESPONDERS-Fix-terminating-idle-connections.patch b/SOURCES/0187-RESPONDERS-Fix-terminating-idle-connections.patch new file mode 100644 index 0000000..724b886 --- /dev/null +++ b/SOURCES/0187-RESPONDERS-Fix-terminating-idle-connections.patch @@ -0,0 +1,84 @@ +From d6c7d35fdb4d416360a855a37b8c2164f053b470 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Tue, 11 Jul 2017 18:26:01 +0200 +Subject: [PATCH 187/190] RESPONDERS: Fix terminating idle connections +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The client_idle_handler() function tried to schedule another tevent +timer to check for idle client connections in case the current +connection was still valid, but in doing so, it also stored the current +time into the last_request_time field of the client context. + +This kept the connection always alive, because the last_request_time +could then never be older than the timeout. + +This patch changes the setup_client_idle_timer() function to only do +what the synopsis says and set the idle timer. The caller (usually the +function that accepts the connection) is supposed to store the request +time itself. + +Resolves: +https://pagure.io/SSSD/sssd/issue/3448 + +Reviewed-by: Lukáš Slebodník +Reviewed-by: Fabiano Fidêncio +--- + src/responder/common/responder_common.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c +index 9d4889be652c6d6fb974b59001a9ac77b496e9ab..9d706f9799ef1b31122d8380fbf9c53ba0cc9e68 100644 +--- a/src/responder/common/responder_common.c ++++ b/src/responder/common/responder_common.c +@@ -607,7 +607,15 @@ static void accept_fd_handler(struct tevent_context *ev, + cctx->ev = ev; + cctx->rctx = rctx; + +- /* Set up the idle timer */ ++ /* Record the new time and set up the idle timer */ ++ ret = reset_client_idle_timer(cctx); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_MINOR_FAILURE, ++ "Could not create idle timer for client. " ++ "This connection may not auto-terminate\n"); ++ /* Non-fatal, continue */ ++ } ++ + ret = setup_client_idle_timer(cctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, +@@ -634,7 +642,7 @@ static void client_idle_handler(struct tevent_context *ev, + if (cctx->last_request_time > now) { + DEBUG(SSSDBG_IMPORTANT_INFO, + "Time shift detected, re-scheduling the client timeout\n"); +- goto end; ++ goto done; + } + + if ((now - cctx->last_request_time) > cctx->rctx->client_idle_timeout) { +@@ -648,7 +656,7 @@ static void client_idle_handler(struct tevent_context *ev, + return; + } + +-end: ++done: + setup_client_idle_timer(cctx); + } + +@@ -661,11 +669,9 @@ errno_t reset_client_idle_timer(struct cli_ctx *cctx) + + static errno_t setup_client_idle_timer(struct cli_ctx *cctx) + { +- time_t now = time(NULL); + struct timeval tv = + tevent_timeval_current_ofs(cctx->rctx->client_idle_timeout/2, 0); + +- cctx->last_request_time = now; + talloc_zfree(cctx->idle); + + cctx->idle = tevent_add_timer(cctx->ev, cctx, tv, client_idle_handler, cctx); +-- +2.9.4 + diff --git a/SOURCES/0188-TESTS-Integration-test-for-idle-timeout.patch b/SOURCES/0188-TESTS-Integration-test-for-idle-timeout.patch new file mode 100644 index 0000000..c587a0f --- /dev/null +++ b/SOURCES/0188-TESTS-Integration-test-for-idle-timeout.patch @@ -0,0 +1,135 @@ +From fd008eddbf069014d8f17944d018ad3d85d5679f Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Wed, 19 Jul 2017 14:22:17 +0200 +Subject: [PATCH 188/190] TESTS: Integration test for idle timeout +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The secrets responder test was chosen even though the bug was in the generic +responder code b/c it runs a single responder process, so it's trivial to +read the PID of the responder under test. + +Changes subprocess.call() for os.execv() so that the setup function can +return the secret responder PID right away. + +The client timeout in the test has to be at least 10 seconds because +internally, the responders don't allow a shorter timeout. + +Regression test for https://pagure.io/SSSD/sssd/issue/3448 + +Reviewed-by: Lukáš Slebodník +Reviewed-by: Fabiano Fidêncio +--- + src/tests/intg/test_secrets.py | 75 ++++++++++++++++++++++++++++++++++-------- + 1 file changed, 62 insertions(+), 13 deletions(-) + +diff --git a/src/tests/intg/test_secrets.py b/src/tests/intg/test_secrets.py +index 202f43e61cb0e4986394ad2b32da5abdcb0be3e9..1be31318b194de1550bc84af16260bf1503567dc 100644 +--- a/src/tests/intg/test_secrets.py ++++ b/src/tests/intg/test_secrets.py +@@ -55,9 +55,9 @@ def create_sssd_secrets_fixture(request): + assert secpid >= 0 + + if secpid == 0: +- if subprocess.call([resp_path, "--uid=0", "--gid=0"]) != 0: +- print("sssd_secrets failed to start") +- sys.exit(99) ++ os.execv(resp_path, ("--uid=0", "--gid=0")) ++ print("sssd_secrets failed to start") ++ sys.exit(99) + else: + sock_path = os.path.join(config.RUNSTATEDIR, "secrets.socket") + sck = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) +@@ -83,13 +83,8 @@ def create_sssd_secrets_fixture(request): + return secpid + + +-@pytest.fixture +-def setup_for_secrets(request): +- """ +- Just set up the local provider for tests and enable the secrets +- responder +- """ +- conf = unindent("""\ ++def generate_sec_config(): ++ return unindent("""\ + [sssd] + domains = local + services = nss +@@ -100,11 +95,19 @@ def setup_for_secrets(request): + [secrets] + max_secrets = 10 + max_payload_size = 2 +- """).format(**locals()) ++ """) ++ ++ ++@pytest.fixture ++def setup_for_secrets(request): ++ """ ++ Just set up the local provider for tests and enable the secrets ++ responder ++ """ ++ conf = generate_sec_config() + + create_conf_fixture(request, conf) +- create_sssd_secrets_fixture(request) +- return None ++ return create_sssd_secrets_fixture(request) + + + def get_secrets_socket(): +@@ -386,3 +389,49 @@ def test_containers(setup_for_secrets, secrets_cli): + with pytest.raises(HTTPError) as err406: + cli.create_container(container) + assert str(err406.value).startswith("406") ++ ++ ++def get_num_fds(pid): ++ procpath = os.path.join("/proc/", str(pid), "fd") ++ return len([fdname for fdname in os.listdir(procpath)]) ++ ++ ++@pytest.fixture ++def setup_for_cli_timeout_test(request): ++ """ ++ Same as the generic setup, except a short client_idle_timeout so that ++ the test_idle_timeout() test closes the fd towards the client. ++ """ ++ conf = generate_sec_config() + \ ++ unindent(""" ++ client_idle_timeout = 10 ++ """).format() ++ ++ create_conf_fixture(request, conf) ++ return create_sssd_secrets_fixture(request) ++ ++ ++def test_idle_timeout(setup_for_cli_timeout_test): ++ """ ++ Test that idle file descriptors are reaped after the idle timeout ++ passes ++ """ ++ secpid = setup_for_cli_timeout_test ++ sock_path = get_secrets_socket() ++ ++ nfds_pre = get_num_fds(secpid) ++ ++ sock = socket.socket(family=socket.AF_UNIX) ++ sock.connect(sock_path) ++ time.sleep(1) ++ nfds_conn = get_num_fds(secpid) ++ assert nfds_pre + 1 == nfds_conn ++ # With the idle timeout set to 10 seconds, we need to sleep at least 15, ++ # because the internal timer ticks every timeout/2 seconds, so it would ++ # tick at 5, 10 and 15 seconds and the client timeout check uses a ++ # greater-than comparison, so the 10-seconds tick wouldn't yet trigger ++ # disconnect ++ time.sleep(15) ++ ++ nfds_post = get_num_fds(secpid) ++ assert nfds_pre == nfds_post +-- +2.9.4 + diff --git a/SOURCES/0189-MAN-Document-that-client_idle_timeout-can-t-be-short.patch b/SOURCES/0189-MAN-Document-that-client_idle_timeout-can-t-be-short.patch new file mode 100644 index 0000000..e353c96 --- /dev/null +++ b/SOURCES/0189-MAN-Document-that-client_idle_timeout-can-t-be-short.patch @@ -0,0 +1,36 @@ +From 0442102b2e5c6f1bc331ca2078baff8a7b4a50cb Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Thu, 20 Jul 2017 10:10:58 +0200 +Subject: [PATCH 189/190] MAN: Document that client_idle_timeout can't be + shorter than 10 seconds +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +To ensure the client timeout is not too low and clients do not reconnect +too often, the client_idle_timeout is forced to be 10 seconds minimum. + +Reviewed-by: Lukáš Slebodník +Reviewed-by: Fabiano Fidêncio +--- + src/man/sssd.conf.5.xml | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml +index a35f2807eac8bb89d6cb1dd0a48f738d71a7578f..89729575c724622af817f1c05a94d4ae8f1ece2d 100644 +--- a/src/man/sssd.conf.5.xml ++++ b/src/man/sssd.conf.5.xml +@@ -621,7 +621,9 @@ + a client of an SSSD process can hold onto a file + descriptor without communicating on it. This value + is limited in order to avoid resource exhaustion +- on the system. ++ on the system. The timeout can't be shorter than ++ 10 seconds. If a lower value is configured, it ++ will be adjusted to 10 seconds. + + + Default: 60 +-- +2.9.4 + diff --git a/SOURCES/0190-ad_account_can_shortcut-shortcut-if-ID-is-unknown.patch b/SOURCES/0190-ad_account_can_shortcut-shortcut-if-ID-is-unknown.patch new file mode 100644 index 0000000..c652a4d --- /dev/null +++ b/SOURCES/0190-ad_account_can_shortcut-shortcut-if-ID-is-unknown.patch @@ -0,0 +1,38 @@ +From 55e8b436443cfae1c3b2155be7325d53760f7271 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Thu, 20 Jul 2017 20:01:14 +0200 +Subject: [PATCH 190/190] ad_account_can_shortcut: shortcut if ID is unknown +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If sss_idmap_unix_to_sid() returns an error we can assume that the given +POSIX ID is not from the current domain and can be skipped. This is e.g. +the case in the IPA provider if a POSIX ID used in the IPA domain is +checked in a trusted id-mapped AD domain before the IPA domain is +checked. + +Resolves https://pagure.io/SSSD/sssd/issue/3452 + +Reviewed-by: Lukáš Slebodník +Reviewed-by: Jakub Hrozek +--- + src/providers/ad/ad_id.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c +index d1f6c444f5ddbcbbac6ff7f41fb6c8bf9ca976cb..e14ada386f16851a65097952c85e57b7acda14aa 100644 +--- a/src/providers/ad/ad_id.c ++++ b/src/providers/ad/ad_id.c +@@ -86,6 +86,8 @@ static bool ad_account_can_shortcut(struct sdap_idmap_ctx *idmap_ctx, + if (err != IDMAP_SUCCESS) { + DEBUG(SSSDBG_MINOR_FAILURE, "Mapping ID [%s] to SID failed: " + "[%s]\n", filter_value, idmap_error_string(err)); ++ /* assume id is from a different domain */ ++ shortcut = true; + goto done; + } + /* fall through */ +-- +2.9.4 + diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index 533bdf8..8dfde90 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -40,7 +40,7 @@ Name: sssd Version: 1.15.2 -Release: 50%{?dist} +Release: 50%{?dist}.2 Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -235,6 +235,10 @@ Patch0183: 0183-RESPONDER-Use-fqnames-as-output-when-needed.patch Patch0184: 0184-DOMAIN-Add-sss_domain_info_-get-set-_output_fqnames.patch Patch0185: 0185-GPO-Fix-typo-in-DEBUG-message.patch Patch0186: 0186-SDAP-Update-parent-sdap_list.patch +Patch0187: 0187-RESPONDERS-Fix-terminating-idle-connections.patch +Patch0188: 0188-TESTS-Integration-test-for-idle-timeout.patch +Patch0189: 0189-MAN-Document-that-client_idle_timeout-can-t-be-short.patch +Patch0190: 0190-ad_account_can_shortcut-shortcut-if-ID-is-unknown.patch #This patch should not be removed in RHEL-7 Patch999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec @@ -1371,6 +1375,14 @@ fi } %changelog +* Sun Aug 6 2017 Jakub Hrozek - 1.15.2-50.2 +- Resolves: rhbz#1478252 - Querying the AD domain for external domain's + ID can mark the AD domain offline [rhel-7.4.z] + +* Sun Aug 6 2017 Jakub Hrozek - 1.15.2-50.1 +- Resolves: rhbz#1478250 - Idle nss file descriptors should be closed + [rhel-7.4.z] + * Wed Jun 21 2017 Jakub Hrozek - 1.15.2-50 - Resolves: rhbz#1457926 - Wrong search base used when SSSD is directly connected to AD child domain