diff --git a/SOURCES/0122-AD-Do-not-remove-non-root-domains-when-looking-up-ro.patch b/SOURCES/0122-AD-Do-not-remove-non-root-domains-when-looking-up-ro.patch new file mode 100644 index 0000000..9247fdd --- /dev/null +++ b/SOURCES/0122-AD-Do-not-remove-non-root-domains-when-looking-up-ro.patch @@ -0,0 +1,89 @@ +From a3877f8eb322be17f7d08d74ad3cf655b96219b5 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Tue, 13 May 2014 15:18:07 +0200 +Subject: [PATCH 122/124] AD: Do not remove non-root domains when looking up + root domain + +https://fedorahosted.org/sssd/ticket/2322 + +When the AD subdomains code looked up the root domain subsequently +(after the domain list was already populated), the non-root domains +might have been removed along with their respective tasks, because the +root domain lookup only ever matched a single root domain. + +This could cause havoc especially during login when different lookups +for different domains might be going on during user group refresh. +--- + src/providers/ad/ad_subdomains.c | 25 ++++++++++++++++++++++--- + 1 file changed, 22 insertions(+), 3 deletions(-) + +diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c +index 3c841788d5d88069d79a9438b72f57c8c2e0ffda..ee04cbbe048e55666db22c48cf22c4c0241a0e3c 100644 +--- a/src/providers/ad/ad_subdomains.c ++++ b/src/providers/ad/ad_subdomains.c +@@ -325,13 +325,15 @@ done: + } + + static errno_t ad_subdomains_refresh(struct ad_subdomains_ctx *ctx, +- int count, struct sysdb_attrs **reply, ++ int count, bool root_domain, ++ struct sysdb_attrs **reply, + bool *changes) + { + struct sdap_domain *sdom; + struct sss_domain_info *domain, *dom; + bool handled[count]; + const char *value; ++ const char *root_name = NULL; + int c, h; + int ret; + bool enumerate; +@@ -340,10 +342,27 @@ static errno_t ad_subdomains_refresh(struct ad_subdomains_ctx *ctx, + memset(handled, 0, sizeof(bool) * count); + h = 0; + ++ if (root_domain) { ++ ret = sysdb_attrs_get_string(reply[0], AD_AT_TRUST_PARTNER, ++ &root_name); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_OP_FAILURE, ("sysdb_attrs_get_string failed.\n")); ++ goto done; ++ } ++ } ++ + /* check existing subdomains */ + for (dom = get_next_domain(domain, true); + dom && IS_SUBDOMAIN(dom); /* if we get back to a parent, stop */ + dom = get_next_domain(dom, false)) { ++ ++ /* If we are handling root domain, skip all the other domains. We don't ++ * want to accidentally remove non-root domains ++ */ ++ if (root_name && strcmp(root_name, dom->name) != 0) { ++ continue; ++ } ++ + for (c = 0; c < count; c++) { + if (handled[c]) { + continue; +@@ -719,7 +738,7 @@ static void ad_subdomains_get_root_domain_done(struct tevent_req *req) + goto fail; + } + +- ret = ad_subdomains_refresh(ctx->sd_ctx, 1, reply, &has_changes); ++ ret = ad_subdomains_refresh(ctx->sd_ctx, 1, true, reply, &has_changes); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, ("ad_subdomains_refresh failed.\n")); + goto fail; +@@ -1013,7 +1032,7 @@ static void ad_subdomains_get_slave_domain_done(struct tevent_req *req) + } + + /* Got all the subdomains, let's process them */ +- ret = ad_subdomains_refresh(ctx->sd_ctx, nsubdoms, subdoms, ++ ret = ad_subdomains_refresh(ctx->sd_ctx, nsubdoms, false, subdoms, + &refresh_has_changes); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, ("Failed to refresh subdomains.\n")); +-- +1.9.0 + diff --git a/SOURCES/0123-AD-Provider-bug-fix-uninitialized-variable.patch b/SOURCES/0123-AD-Provider-bug-fix-uninitialized-variable.patch new file mode 100644 index 0000000..0649862 --- /dev/null +++ b/SOURCES/0123-AD-Provider-bug-fix-uninitialized-variable.patch @@ -0,0 +1,37 @@ +From 400c06ebd99bfa447d0f88228320224291c862e0 Mon Sep 17 00:00:00 2001 +From: Pavel Reichl +Date: Fri, 25 Apr 2014 13:26:19 +0100 +Subject: [PATCH 123/124] AD Provider: bug-fix uninitialized variable + +ad_subdomains_refresh() always set value to output parameter 'changes' if EOK is returned. + +Reviewed-by: Sumit Bose +(cherry picked from commit cef2384a3a6fc1a1637c6a55e2bced93d28e8fca) +--- + src/providers/ad/ad_subdomains.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c +index ee04cbbe048e55666db22c48cf22c4c0241a0e3c..ef3bb50e83fc8e39b91922d6fc9646dfe6da58a3 100644 +--- a/src/providers/ad/ad_subdomains.c ++++ b/src/providers/ad/ad_subdomains.c +@@ -423,6 +423,7 @@ static errno_t ad_subdomains_refresh(struct ad_subdomains_ctx *ctx, + if (count == h) { + /* all domains were already accounted for and have been updated */ + ret = EOK; ++ *changes = false; + goto done; + } + +@@ -682,7 +683,7 @@ static void ad_subdomains_get_root_domain_done(struct tevent_req *req) + struct sysdb_attrs **reply = NULL; + struct ad_subdomains_req_ctx *ctx; + int dp_error = DP_ERR_FATAL; +- bool has_changes; ++ bool has_changes = false; + + ctx = tevent_req_callback_data(req, struct ad_subdomains_req_ctx); + +-- +1.9.0 + diff --git a/SOURCES/0124-AD-Provider-bugfix-use-after-free.patch b/SOURCES/0124-AD-Provider-bugfix-use-after-free.patch new file mode 100644 index 0000000..e10c4b9 --- /dev/null +++ b/SOURCES/0124-AD-Provider-bugfix-use-after-free.patch @@ -0,0 +1,48 @@ +From 25193cfe110b328b428cde9641400f7dc999416e Mon Sep 17 00:00:00 2001 +From: Pavel Reichl +Date: Fri, 25 Apr 2014 14:42:39 +0100 +Subject: [PATCH 124/124] AD Provider: bugfix use-after-free + +Resolves: +https://fedorahosted.org/sssd/ticket/2322 + +Reviewed-by: Sumit Bose +(cherry picked from commit ed61bfc5184d9c7a46d17681a22a1abb64423708) +--- + src/providers/data_provider_be.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c +index 37b687f25810447c08c6e0c6e8da4f64c99a5f5f..f85c63065252b24d4eeec0d2671ab0a1a16d4b9a 100644 +--- a/src/providers/data_provider_be.c ++++ b/src/providers/data_provider_be.c +@@ -210,7 +210,8 @@ void be_req_terminate(struct be_req *be_req, + void be_terminate_domain_requests(struct be_ctx *be_ctx, + const char *domain) + { +- struct be_req *be_req = NULL; ++ struct be_req *be_req; ++ struct be_req *next_be_req; + + DEBUG(SSSDBG_TRACE_FUNC, ("Terminating requests for domain [%s]\n", + domain)); +@@ -220,11 +221,15 @@ void be_terminate_domain_requests(struct be_ctx *be_ctx, + return; + } + +- DLIST_FOR_EACH(be_req, be_ctx->active_requests) { ++ be_req = be_ctx->active_requests; ++ while (be_req) { ++ /* save pointer to next request in case be_req will be freed */ ++ next_be_req = be_req->next; + if (strcmp(domain, be_req->domain->name) == 0) { + be_req_terminate(be_req, DP_ERR_FATAL, ERR_DOMAIN_NOT_FOUND, + sss_strerror(ERR_DOMAIN_NOT_FOUND)); + } ++ be_req = next_be_req; + } + } + +-- +1.9.0 + diff --git a/SOURCES/0125-ipa-subdomains-provider-make-sure-search-by-SID-work.patch b/SOURCES/0125-ipa-subdomains-provider-make-sure-search-by-SID-work.patch new file mode 100644 index 0000000..80cd52c --- /dev/null +++ b/SOURCES/0125-ipa-subdomains-provider-make-sure-search-by-SID-work.patch @@ -0,0 +1,73 @@ +From 503e1ebb9c36ecb978a28a5cefd94d24945ee39b Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 13 May 2014 11:22:29 +0300 +Subject: [PATCH 125/126] ipa subdomains provider: make sure search by SID + works for homedir + +Reviewed-by: Jakub Hrozek +--- + src/providers/ipa/ipa_subdomains_id.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c +index 978ccc261d7525662e835b867044b6a5238a29df..d8922a461fc1cbbec4bb65b8cd6e6cf25f2dc605 100644 +--- a/src/providers/ipa/ipa_subdomains_id.c ++++ b/src/providers/ipa/ipa_subdomains_id.c +@@ -484,7 +484,11 @@ apply_subdomain_homedir(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom, + uint32_t uid; + const char *fqname; + const char *homedir = NULL; +- struct ldb_result *res; ++ struct ldb_result *res = NULL; ++ struct ldb_message *msg = NULL; ++ const char *attrs[] = { SYSDB_NAME, ++ SYSDB_UIDNUM, ++ NULL }; + + if (filter_type == BE_FILTER_NAME) { + ret = sysdb_getpwnam(mem_ctx, dom->sysdb, dom, filter_value, &res); +@@ -496,6 +500,9 @@ apply_subdomain_homedir(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom, + goto done; + } + ret = sysdb_getpwuid(mem_ctx, dom->sysdb, dom, uid, &res); ++ } else if (filter_type == BE_FILTER_SECID) { ++ ret = sysdb_search_user_by_sid_str(mem_ctx, dom->sysdb, dom, ++ filter_value, attrs, &msg); + } else { + DEBUG(SSSDBG_OP_FAILURE, + ("Unsupported filter type: [%d].\n", filter_type)); +@@ -503,24 +510,27 @@ apply_subdomain_homedir(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom, + goto done; + } + +- if (ret != EOK) { ++ if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, + ("Failed to make request to our cache: [%d]: [%s]\n", + ret, sss_strerror(ret))); + goto done; + } + +- if (res->count == 0) { ++ if ((res && res->count == 0) || (msg && msg->num_elements == 0)) { + ret = ENOENT; + goto done; + } + ++ if (res != NULL) { ++ msg = res->msgs[0]; ++ } + /* + * Homedir is always overriden by subdomain_homedir even if it was + * explicitly set by user. + */ +- fqname = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, NULL); +- uid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_UIDNUM, 0); ++ fqname = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); ++ uid = ldb_msg_find_attr_as_uint64(msg, SYSDB_UIDNUM, 0); + if (uid == 0) { + DEBUG(SSSDBG_OP_FAILURE, ("UID for user [%s] is not known.\n", + filter_value)); +-- +1.9.0 + diff --git a/SOURCES/0126-tests-Remove-tests-that-check-creating-public-direct.patch b/SOURCES/0126-tests-Remove-tests-that-check-creating-public-direct.patch new file mode 100644 index 0000000..e75778e --- /dev/null +++ b/SOURCES/0126-tests-Remove-tests-that-check-creating-public-direct.patch @@ -0,0 +1,155 @@ +From 43dc5617a037f60e4560cb33c050815e03ccdff0 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Tue, 7 Jan 2014 10:43:55 +0100 +Subject: [PATCH 126/126] tests: Remove tests that check creating public + directories + +The functionality was removed, but we forgot to remove the corresponding +tests, mostly because these tests were only ever ran as root. +--- + src/tests/krb5_utils-tests.c | 121 ------------------------------------------- + 1 file changed, 121 deletions(-) + +diff --git a/src/tests/krb5_utils-tests.c b/src/tests/krb5_utils-tests.c +index 3e0c607a58b9ff0840a93867c1ad61cc5a2ae665..11fe1d749dccb5d367e3840ebc0a396b992bce2a 100644 +--- a/src/tests/krb5_utils-tests.c ++++ b/src/tests/krb5_utils-tests.c +@@ -91,124 +91,6 @@ static void check_dir(const char *dirname, uid_t uid, gid_t gid, mode_t mode) + mode, (stat_buf.st_mode & ~S_IFMT)); + } + +-START_TEST(test_pub_ccache_dir) +-{ +- int ret; +- char *cwd; +- char *testpath; +- char *dirname; +- char *subdirname; +- char *filename; +- +- fail_unless(getuid() == 0, "This test must be run as root."); +- +- cwd = getcwd(NULL, 0); +- fail_unless(cwd != NULL, "getcwd failed."); +- +- testpath = talloc_asprintf(tmp_ctx, "%s/%s", cwd, TESTS_PATH); +- free(cwd); +- fail_unless(testpath != NULL, "talloc_asprintf failed."); +- dirname = talloc_asprintf(tmp_ctx, "%s/pub_ccdir", testpath); +- fail_unless(dirname != NULL, "talloc_asprintf failed."); +- subdirname = talloc_asprintf(tmp_ctx, "%s/subdir", dirname); +- fail_unless(subdirname != NULL, "talloc_asprintf failed."); +- filename = talloc_asprintf(tmp_ctx, "%s/ccfile", subdirname); +- fail_unless(filename != NULL, "talloc_asprintf failed."); +- +- ret = chmod(testpath, 0754); +- fail_unless(ret == EOK, "chmod failed."); +- ret = sss_krb5_precreate_ccache(filename, NULL, 12345, 12345); +- fail_unless(ret == EINVAL, "sss_krb5_precreate_ccache does not return EINVAL " +- "while x-bit is missing."); +- +- ret = chmod(testpath, 0755); +- fail_unless(ret == EOK, "chmod failed."); +- ret = sss_krb5_precreate_ccache(filename, NULL, 12345, 12345); +- fail_unless(ret == EOK, "sss_krb5_precreate_ccache failed."); +- +- check_dir(subdirname, 0, 0, 01777); +- RMDIR(subdirname); +- check_dir(dirname, 0, 0, 0755); +- RMDIR(dirname); +-} +-END_TEST +- +-START_TEST(test_pub_ccache_dir_in_user_dir) +-{ +- int ret; +- char *cwd; +- char *dirname; +- char *subdirname; +- char *filename; +- +- fail_unless(getuid() == 0, "This test must be run as root."); +- +- cwd = getcwd(NULL, 0); +- fail_unless(cwd != NULL, "getcwd failed."); +- +- dirname = talloc_asprintf(tmp_ctx, "%s/%s/pub_ccdir", cwd, TESTS_PATH); +- free(cwd); +- fail_unless(dirname != NULL, "talloc_asprintf failed."); +- ret = mkdir(dirname, 0700); +- fail_unless(ret == EOK, "mkdir failed.\n"); +- ret = chown(dirname, 12345, 12345); +- fail_unless(ret == EOK, "chown failed.\n"); +- subdirname = talloc_asprintf(tmp_ctx, "%s/subdir", dirname); +- fail_unless(subdirname != NULL, "talloc_asprintf failed."); +- filename = talloc_asprintf(tmp_ctx, "%s/ccfile", subdirname); +- fail_unless(filename != NULL, "talloc_asprintf failed."); +- +- ret = sss_krb5_precreate_ccache(filename, NULL, 12345, 12345); +- fail_unless(ret == EINVAL, "Creating public ccache dir in user dir " +- "does not failed with EINVAL."); +- +- RMDIR(dirname); +-} +-END_TEST +- +-START_TEST(test_priv_ccache_dir) +-{ +- int ret; +- char *cwd; +- char *testpath; +- char *dirname; +- char *subdir; +- char *filename; +- uid_t uid = 12345; +- gid_t gid = 12345; +- +- fail_unless(getuid() == 0, "This test must be run as root."); +- +- cwd = getcwd(NULL, 0); +- fail_unless(cwd != NULL, "getcwd failed."); +- +- testpath = talloc_asprintf(tmp_ctx, "%s/%s", cwd, TESTS_PATH); +- free(cwd); +- fail_unless(testpath != NULL, "talloc_asprintf failed."); +- dirname = talloc_asprintf(tmp_ctx, "%s/base", testpath); +- subdir = talloc_asprintf(tmp_ctx, "%s/priv_ccdir", dirname); +- fail_unless(subdir != NULL, "talloc_asprintf failed."); +- filename = talloc_asprintf(tmp_ctx, "%s/ccfile", subdir); +- fail_unless(filename != NULL, "talloc_asprintf failed."); +- +- ret = chmod(testpath, 0754); +- fail_unless(ret == EOK, "chmod failed."); +- ret = sss_krb5_precreate_ccache(filename, NULL, uid, gid); +- fail_unless(ret == EINVAL, "sss_krb5_precreate_ccache does not return EINVAL " +- "while x-bit is missing."); +- +- ret = chmod(testpath, 0755); +- fail_unless(ret == EOK, "chmod failed."); +- ret = sss_krb5_precreate_ccache(filename, NULL, uid, gid); +- fail_unless(ret == EOK, "sss_krb5_precreate_ccache failed."); +- +- check_dir(subdir, uid, gid, 0700); +- RMDIR(subdir); +- check_dir(dirname, 0, 0, 0755); +- RMDIR(dirname); +-} +-END_TEST +- + START_TEST(test_private_ccache_dir_in_user_dir) + { + int ret; +@@ -736,10 +618,7 @@ Suite *krb5_utils_suite (void) + tcase_add_test (tc_create_dir, test_illegal_patterns); + tcase_add_test (tc_create_dir, test_cc_dir_create); + if (getuid() == 0) { +- tcase_add_test (tc_create_dir, test_priv_ccache_dir); + tcase_add_test (tc_create_dir, test_private_ccache_dir_in_user_dir); +- tcase_add_test (tc_create_dir, test_pub_ccache_dir); +- tcase_add_test (tc_create_dir, test_pub_ccache_dir_in_user_dir); + tcase_add_test (tc_create_dir, test_private_ccache_dir_in_wrong_user_dir); + } else { + printf("Run as root to enable more tests.\n"); +-- +1.9.0 + diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index c35d49c..b268d74 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -8,7 +8,7 @@ Name: sssd Version: 1.11.2 -Release: 65%{?dist} +Release: 68%{?dist}.5 Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -138,6 +138,11 @@ Patch0118: 0118-KRB5-Do-not-attempt-to-get-a-TGT-after-a-password-ch.patch Patch0119: 0119-IPA-Use-function-sysdb_attrs_get_el-in-safe-way.patch Patch0120: 0120-AD-connect-to-forest-root-when-downloading-the-list-.patch Patch0121: 0121-IPA-Fix-SELinux-mapping-order-memory-hierarchy.patch +Patch0122: 0122-AD-Do-not-remove-non-root-domains-when-looking-up-ro.patch +Patch0123: 0123-AD-Provider-bug-fix-uninitialized-variable.patch +Patch0124: 0124-AD-Provider-bugfix-use-after-free.patch +Patch0125: 0125-ipa-subdomains-provider-make-sure-search-by-SID-work.patch +Patch0126: 0126-tests-Remove-tests-that-check-creating-public-direct.patch ### Dependencies ### @@ -821,6 +826,40 @@ fi %postun -n libsss_idmap -p /sbin/ldconfig %changelog +* Wed May 21 2014 Jakub Hrozek - 1.11.2-68.5 +- Rebuild for a proper dist tag, yet again, now using the correct build + options +- Related: rhbz#1098608 - Expanding home directory fails when the request + comes from the PAC responder + +* Wed May 21 2014 Jakub Hrozek - 1.11.2-68.4 +- Rebuild for a proper dist tag +- Related: rhbz#1098608 - Expanding home directory fails when the request + comes from the PAC responder + +* Wed May 21 2014 Jakub Hrozek - 1.11.2-68.3 +- Squash in upstream review comments about the PAC patch +- Related: rhbz#1098608 - Expanding home directory fails when the request + comes from the PAC responder + +* Tue May 13 2014 Jakub Hrozek - 1.11.2-68.2 +- Backport a patch to allow krb5-utils-test to run as root +- Related: rhbz#1098608 - Expanding home directory fails when the request + comes from the PAC responder + +* Tue May 13 2014 Jakub Hrozek - 1.11.2-68.1 +- Resolves: rhbz#1098608 - Expanding home directory fails when the request + comes from the PAC responder + +* Tue May 13 2014 Jakub Hrozek - 1.11.2-67 +- Fix a DEBUG message, backport two related fixes +- Related: rhbz#1097323 - segfault in sssd_be when second domain tree + users are queried while joined to child domain + +* Tue May 13 2014 Jakub Hrozek - 1.11.2-66 +- Resolves: rhbz#1097323 - segfault in sssd_be when second domain tree + users are queried while joined to child domain + * Wed Apr 02 2014 Jakub Hrozek - 1.11.2-65 - Resolves: rhbz#1082191 - RHEL7 IPA selinuxusermap hbac rule not always matching