[SSSD] [sssd PR#62][opened] PAM: add pam_response_filter option
URL: https://github.com/SSSD/sssd/pull/62 Author: sumit-bose Title: #62: PAM: add pam_response_filter option Action: opened PR body: """ Currently the main use-case for this new option is to not set the KRB5CCNAME environment varible for services like 'sudo-i'. Resolves https://fedorahosted.org/sssd/ticket/2296 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/62/head:pr62 git checkout pr62 From 93d93fd200d72d8e61502360408088adbb97d418 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Thu, 20 Oct 2016 11:48:22 +0200 Subject: [PATCH 1/2] PAM: add a test for filter_responses() --- src/responder/pam/pamsrv.h | 3 +++ src/responder/pam/pamsrv_cmd.c | 4 ++-- src/tests/cmocka/test_pam_srv.c | 43 + 3 files changed, 48 insertions(+), 2 deletions(-) diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h index e686d03..8437d08 100644 --- a/src/responder/pam/pamsrv.h +++ b/src/responder/pam/pamsrv.h @@ -99,4 +99,7 @@ errno_t pam_set_last_online_auth_with_curr_token(struct sss_domain_info *domain, const char *username, uint64_t value); + +errno_t filter_responses(struct confdb_ctx *cdb, + struct response_data *resp_list); #endif /* __PAMSRV_H__ */ diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c index de3b4ca..d2ac2f7 100644 --- a/src/responder/pam/pamsrv_cmd.c +++ b/src/responder/pam/pamsrv_cmd.c @@ -470,8 +470,8 @@ static errno_t set_last_login(struct pam_auth_req *preq) return ret; } -static errno_t filter_responses(struct confdb_ctx *cdb, -struct response_data *resp_list) +errno_t filter_responses(struct confdb_ctx *cdb, + struct response_data *resp_list) { int ret; struct response_data *resp; diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c index 4b2dea4..01b76fc 100644 --- a/src/tests/cmocka/test_pam_srv.c +++ b/src/tests/cmocka/test_pam_srv.c 
@@ -31,6 +31,7 @@ #include "responder/pam/pam_helpers.h" #include "sss_client/pam_message.h" #include "sss_client/sss_cli.h" +#include "confdb/confdb.h" #include "util/crypto/sss_crypto.h" #ifdef HAVE_NSS @@ -1759,6 +1760,45 @@ void test_pam_cert_auth(void **state) assert_int_equal(ret, EOK); } +void test_filter_response(void **state) +{ +int ret; +struct pam_data *pd; +uint8_t offline_auth_data[(sizeof(uint32_t) + sizeof(int64_t))]; +uint32_t info_type; + +struct sss_test_conf_param pam_params[] = { +{ CONFDB_PAM_VERBOSITY, "1" }, +{ NULL, NULL }, /* Sentinel */ +}; + +ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb); +assert_int_equal(ret, EOK); + +pd = talloc_zero(pam_test_ctx, struct pam_data); +assert_non_null(pd); + +info_type = SSS_PAM_USER_INFO_OFFLINE_AUTH; +memset(offline_auth_data, sizeof(offline_auth_data), 0); +memcpy(offline_auth_data, &resp_type, sizeof(uint32_t)); +ret = pam_add_response(pd, SSS_PAM_USER_INFO, + sizeof(offline_auth_data), offline_auth_data); +assert_int_equal(ret, EOK); + +ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list); +assert_int_equal(ret, EOK); +assert_false(pd->resp_list->do_not_send_to_client); + +pam_params[0].value = "0"; +ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb); +assert_int_equal(ret, EOK); + +ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list); +assert_int_equal(ret, EOK); +assert_true(pd->resp_list->do_not_send_to_client); + +} + int main(int argc, const char *argv[]) { int rv; @@ -1870,6 +1910,9 @@ int main(int argc, const char *argv[]) pam_test_setup_no_verification, pam_test_teardown), #endif /* HAVE_NSS */ + +cmocka_unit_test_setup_teardown(test_filter_response, +pam_test_setup, pam_test_teardown), }; /* Set debug level to invalid value so we can deside if -d 0 was used. */ From 95bb77b3df59ec524647b962ca212b26d3ab015e Mon Sep 17 00:00:00 2001 
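Review bot: In test_filter_response the memset arguments are in the wrong order — `memset(offline_auth_data, sizeof(offline_auth_data), 0)` passes the size as the fill byte and 0 as the length, so the buffer is never cleared and the int64 half of it stays uninitialised. The memcpy on the next line copies `resp_type`, which is not declared in this function, while the `info_type` that was just assigned is never read; unless `resp_type` is a file-scope variable this will not compile, and either way the type word written into the buffer does not come from `info_type`. Suggested lines: `memset(offline_auth_data, 0, sizeof(offline_auth_data));` and `memcpy(offline_auth_data, &info_type, sizeof(uint32_t));`. The assertions then read `pd->resp_list` directly, which holds only while the test adds exactly one response; if further responses are added later the test should find the offline-auth entry by its type rather than rely on list position.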
From: Sumit Bose Date: Thu, 20 Oct 2016 18:40:01 +0200 Subject: [PATCH 2/2] PAM: add pam_response_filter option Currently the main use-case for this new option is to not set the KRB5CCNAME environment variable for services like 'sudo-i'. Resolves https://fedorahosted.org/sssd/ticket/2296 --- src/confdb/confdb.h | 1 + src/config/SSSDConfig/__init__.py.in | 1 + src/config/cfg_rules.ini | 1 + src/config/etc/sssd.api.conf | 1 + src/man/sssd.conf.5.xml | 45 +++ src/responder/pam/pamsrv.h | 3 +- src/responder/pam/pamsrv_cmd.c | 111 +-- src/tests/c
[SSSD] [sssd PR#58][+Pushed] Fix bug in libcrypto version of sss_decrypt
URL: https://github.com/SSSD/sssd/pull/58 Title: #58: Fix bug in libcrypto version of sss_decrypt Label: +Pushed ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#58][closed] Fix bug in libcrypto version of sss_decrypt
URL: https://github.com/SSSD/sssd/pull/58 Author: lslebodn Title: #58: Fix bug in libcrypto version of sss_decrypt Action: closed To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/58/head:pr58 git checkout pr58 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#61][+Pushed] BUILD: Fix build without samba
URL: https://github.com/SSSD/sssd/pull/61 Title: #61: BUILD: Fix build without samba Label: +Pushed ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#61][closed] BUILD: Fix build without samba
URL: https://github.com/SSSD/sssd/pull/61 Author: lslebodn Title: #61: BUILD: Fix build without samba Action: closed To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/61/head:pr61 git checkout pr61 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#61][comment] BUILD: Fix build without samba
URL: https://github.com/SSSD/sssd/pull/61 Title: #61: BUILD: Fix build without samba fidencio commented: """ Please, fix the typos in the commit message before pushing. shoudl bw -> should be """ See the full comment at https://github.com/SSSD/sssd/pull/61#issuecomment-255363658 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#61][+Accepted] BUILD: Fix build without samba
URL: https://github.com/SSSD/sssd/pull/61 Title: #61: BUILD: Fix build without samba Label: +Accepted ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#61][comment] BUILD: Fix build without samba
URL: https://github.com/SSSD/sssd/pull/61 Title: #61: BUILD: Fix build without samba sumit-bose commented: """ Patch makes sense. """ See the full comment at https://github.com/SSSD/sssd/pull/61#issuecomment-255357228 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#61][opened] BUILD: Fix build without samba
URL: https://github.com/SSSD/sssd/pull/61 Author: lslebodn Title: #61: BUILD: Fix build without samba Action: opened PR body: """ The test test_ad_subdom shoudl bw compiled only if samba build is enabled. In file included from src/tests/cmocka/test_ad_subdomains.c:39:0: ./src/providers/ad/ad_subdomains.c:35:17: fatal error: ndr.h: No such file or directory #include ^ compilation terminated. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/61/head:pr61 git checkout pr61 From 927bcd34b01ba41c31feb0b90e8adffed2caf230 Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik Date: Fri, 21 Oct 2016 13:02:28 +0200 Subject: [PATCH] BUILD: Fix build without samba The test test_ad_subdom shoudl bw compiled only if samba build is enabled. In file included from src/tests/cmocka/test_ad_subdomains.c:39:0: ./src/providers/ad/ad_subdomains.c:35:17: fatal error: ndr.h: No such file or directory #include ^ compilation terminated. --- Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.am b/Makefile.am index b5f300a..7952fc3 100644 --- a/Makefile.am +++ b/Makefile.am @@ -257,7 +257,6 @@ if HAVE_CMOCKA test_sbus_opath \ test_fo_srv \ pam-srv-tests \ -test_ad_subdom \ test_ipa_subdom_util \ test_tools_colondb \ test_krb5_wait_queue \ @@ -284,6 +283,7 @@ non_interactive_cmocka_based_tests += \ ad_access_filter_tests \ ad_gpo_tests \ ad_common_tests \ +test_ad_subdom \ test_ipa_subdom_server \ $(NULL) endif ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#57][synchronized] LDAP/AD: resolve domain local groups for remote users
URL: https://github.com/SSSD/sssd/pull/57 Author: sumit-bose Title: #57: LDAP/AD: resolve domain local groups for remote users Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/57/head:pr57 git checkout pr57 From 123f42ade0102e7c37eeab4e4511ccd55f545a1d Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Tue, 18 Oct 2016 14:59:19 +0200 Subject: [PATCH 1/4] sysdb: add parent_dom to sysdb_get_direct_parents() Currently sysdb_get_direct_parents() only return direct parents from the same domain as the child object. In setups with sub-domains this might not be sufficient. A new option parent_dom is added which allows to specify a domain the direct parents should be lookup up in. If it is NULL the whole cache is searched. --- src/db/sysdb.h | 21 + src/db/sysdb_search.c | 7 ++- src/providers/ldap/sdap_async_initgroups.c | 11 +++ 3 files changed, 34 insertions(+), 5 deletions(-) diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 7de3acd..f5d3ddb 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h 
@@ -1137,8 +1137,29 @@ errno_t sysdb_remove_attrs(struct sss_domain_info *domain, enum sysdb_member_type type, char **remove_attrs); +/** + * @brief Return direct parents of an object in the cache + * + * @param[in] mem_ctx Memory context the result should be allocated + * on + * @param[in] dom domain the object is in + * @param[in] parent_dom domain which should be searched for direct + * parents if NULL all domains in the given cache + * are searched + * @param[in] mtype Type of the object, SYSDB_MEMBER_USER or + * SYSDB_MEMBER_GROUP + * @param[in] nameName of the object + * @param[out] _direct_parents List of names of the direct parent groups + * + * + * @return + * - EOK:success + * - EINVAL: wrong mtype + * - ENOMEM: Memory allocation failed + */ errno_t sysdb_get_direct_parents(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom, + struct sss_domain_info *parent_dom, enum sysdb_member_type mtype, const char *name, char ***_direct_parents); diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c index cfee578..4d63c38 100644 --- a/src/db/sysdb_search.c +++ b/src/db/sysdb_search.c @@ -1981,6 +1981,7 @@ int sysdb_get_netgroup_attr(TALLOC_CTX *mem_ctx, errno_t sysdb_get_direct_parents(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom, + struct sss_domain_info *parent_dom, enum sysdb_member_type mtype, const char *name, char ***_direct_parents) @@ -2029,7 +2030,11 @@ errno_t sysdb_get_direct_parents(TALLOC_CTX *mem_ctx, goto done; } -basedn = sysdb_group_base_dn(tmp_ctx, dom); +if (parent_dom == NULL) { +basedn = sysdb_base_dn(dom->sysdb, tmp_ctx); +} else { +basedn = sysdb_group_base_dn(tmp_ctx, parent_dom); +} if (!basedn) { ret = ENOMEM; goto done; diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c index df39de3..7a2eef4 100644 --- a/src/providers/ldap/sdap_async_initgroups.c +++ b/src/providers/ldap/sdap_async_initgroups.c 
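Review bot: When parent_dom is NULL the search base in sysdb_get_direct_parents becomes `sysdb_base_dn(dom->sysdb, tmp_ctx)`, the root of the cache rather than the group container, so correctness now depends on the search filter restricting matches to group objects; that filter is built outside this hunk and should be checked, otherwise any cached entry carrying a member attribute could be reported as a direct parent. The new header comment describes the NULL case as searching "all domains in the given cache", which only holds if subdomains share `dom->sysdb`; that assumption is worth recording next to the new branch, e.g. `/* NULL parent_dom: search the whole cache behind dom->sysdb; subdomains are expected to share it */`. The remainder of sysdb_get_direct_parents, including the filter construction, lies outside the hunk.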
@@ -1301,7 +1301,8 @@ sdap_initgr_store_user_memberships(struct sdap_initgr_nested_state *state) } } -ret = sysdb_get_direct_parents(tmp_ctx, state->dom, SYSDB_MEMBER_USER, +ret = sysdb_get_direct_parents(tmp_ctx, state->dom, state->dom, + SYSDB_MEMBER_USER, state->username, &sysdb_parent_name_list); if (ret) { DEBUG(SSSDBG_CRIT_FAILURE, @@ -1388,7 +1389,7 @@ sdap_initgr_nested_get_membership_diff(TALLOC_CTX *mem_ctx, goto done; } -ret = sysdb_get_direct_parents(tmp_ctx, dom, SYSDB_MEMBER_GROUP, +ret = sysdb_get_direct_parents(tmp_ctx, dom, dom, SYSDB_MEMBER_GROUP, group_name, &sysdb_parents_names_list); if (ret) { DEBUG(SSSDBG_CRIT_FAILURE, @@ -2070,7 +2071,8 @@ rfc2307bis_group_memberships_build(hash_entry_t *item, void *user_data) goto done; } -ret = sysdb_get_direct_parents(tmp_ctx, mstate->dom, SYSDB_MEMBER_GROUP, +ret = sysdb_get_direct_parents(tmp_ctx, mstate->dom, mstate->dom, + SYSDB_MEMBER_GROUP, group_name, &sysdb_parents_names_list); if (ret) { DEBUG(SSSDBG_CRIT_FAILUR
[SSSD] [sssd PR#58][comment] Fix bug in libcrypto version of sss_decrypt
URL: https://github.com/SSSD/sssd/pull/58 Title: #58: Fix bug in libcrypto version of sss_decrypt tiran commented: """ ACK Let's investigate the LTO/PGO issue in a different ticket. I'm not even sure that the problem actually exists. """ See the full comment at https://github.com/SSSD/sssd/pull/58#issuecomment-255341765 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#58][comment] Fix bug in libcrypto version of sss_decrypt
URL: https://github.com/SSSD/sssd/pull/58 Title: #58: Fix bug in libcrypto version of sss_decrypt tiran commented: """ I cannot recall that I reviewed the code. In fact I didn't even know that OpenSSL had a constant timing comparison operator called ```CRYPTO_memcmp```. @lslebodn fix looks right. While I was searching for documentation of ```CRYPTO_memcmp```, one posting suggested that optimizers such as PGO or LTO might replace ```CRYPTO_memcmp``` with inline assembler for ```memcmp```. The author suggested to make one of the arguments ```volatile```. """ See the full comment at https://github.com/SSSD/sssd/pull/58#issuecomment-255329314 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] Re: [sssd PR#57][comment] LDAP/AD: resolve domain local groups for remote users
On (21/10/16 10:22), jhrozek wrote: > URL: https://github.com/SSSD/sssd/pull/57 >Title: #57: LDAP/AD: resolve domain local groups for remote users > >jhrozek commented: >""" >Hmm, looks like github ate my mail, so let's paste the comment again (and >sorry if it arrives twice). Coverity detected some warnings: It has nothing to do with coverity. These warnings are reported by gcc; covscan != coverity. LS ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#57][comment] LDAP/AD: resolve domain local groups for remote users
URL: https://github.com/SSSD/sssd/pull/57 Title: #57: LDAP/AD: resolve domain local groups for remote users jhrozek commented: """ Hmm, looks like github ate my mail, so let's paste the comment again (and sorry if it arrives twice). Coverity detected some warnings: ``` Error: COMPILER_WARNING: sssd-1.14.90/src/providers/ldap/sdap_async_initgroups_ad.c:1554:12: warning: unused variable 'd' [-Wunused-variable] # size_t d; #^ # 1552| int ret; # 1553| size_t c; # 1554|-> size_t d; # 1555| char **groupnamelist = NULL; # 1556| struct sysdb_attrs *groups[1]; Error: COMPILER_WARNING: sssd-1.14.90/src/providers/ldap/sdap_async_initgroups_ad.c:1562:25: warning: unused variable 'msg' [-Wunused-variable] # struct ldb_message *msg; # ^ # 1560| const char *class; # 1561| struct sss_domain_info *obj_dom; # 1562|-> struct ldb_message *msg; # 1563| struct ldb_message_element *el; # 1564| const char *obj_attrs[] = {SYSDB_NAME, SYSDB_MEMBEROF, NULL}; Error: COMPILER_WARNING: sssd-1.14.90/src/providers/ldap/sdap_async_initgroups_ad.c:1563:33: warning: unused variable 'el' [-Wunused-variable] # struct ldb_message_element *el; # ^ # 1561| struct sss_domain_info *obj_dom; # 1562| struct ldb_message *msg; # 1563|-> struct ldb_message_element *el; # 1564| const char *obj_attrs[] = {SYSDB_NAME, SYSDB_MEMBEROF, NULL}; # 1565| char *local_groups_base_dn; Error: COMPILER_WARNING: sssd-1.14.90/src/providers/ldap/sdap_async_initgroups_ad.c:1564:17: warning: unused variable 'obj_attrs' [-Wunused-variable] # const char *obj_attrs[] = {SYSDB_NAME, SYSDB_MEMBEROF, NULL}; # ^ # 1562| struct ldb_message *msg; # 1563| struct ldb_message_element *el; # 1564|-> const char *obj_attrs[] = {SYSDB_NAME, SYSDB_MEMBEROF, NULL}; # 1565| char *local_groups_base_dn; # 1566| uint8_t *obj_base_dn; Error: COMPILER_WARNING: sssd-1.14.90/src/providers/ldap/sdap_async_initgroups_ad.c:1566:14: warning: unused variable 'obj_base_dn' [-Wunused-variable] # uint8_t *obj_base_dn; # ^ # 1564| const char *obj_attrs[] = 
{SYSDB_NAME, SYSDB_MEMBEROF, NULL}; # 1565| char *local_groups_base_dn; # 1566|-> uint8_t *obj_base_dn; # 1567| char **cached_local_parents = NULL; # 1568| uint8_t *name_start; Error: COMPILER_WARNING: sssd-1.14.90/src/providers/ldap/sdap_async_initgroups_ad.c: scope_hint: In function 'sdap_ad_get_domain_local_groups_parse_parents' sssd-1.14.90/src/providers/ldap/sdap_async_initgroups_ad.c:1568:14: warning: unused variable 'name_start' [-Wunused-variable] # uint8_t *name_start; # ^ # 1566| uint8_t *obj_base_dn; # 1567| char **cached_local_parents = NULL; # 1568|-> uint8_t *name_start; # 1569| char **add_list = NULL; # 1570| char **del_list = NULL; ``` """ See the full comment at https://github.com/SSSD/sssd/pull/57#issuecomment-255322943 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org