[SSSD] [sssd PR#62][opened] PAM: add pam_response_filter option

2016-10-21 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/62
Author: sumit-bose
 Title: #62: PAM: add pam_response_filter option
Action: opened

PR body:
"""
Currently the main use-case for this new option is to not set the
KRB5CCNAME environment variable for services like 'sudo-i'.

Resolves https://fedorahosted.org/sssd/ticket/2296
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/62/head:pr62
git checkout pr62
From 93d93fd200d72d8e61502360408088adbb97d418 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Thu, 20 Oct 2016 11:48:22 +0200
Subject: [PATCH 1/2] PAM: add a test for filter_responses()

---
 src/responder/pam/pamsrv.h  |  3 +++
 src/responder/pam/pamsrv_cmd.c  |  4 ++--
 src/tests/cmocka/test_pam_srv.c | 43 +
 3 files changed, 48 insertions(+), 2 deletions(-)

diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
index e686d03..8437d08 100644
--- a/src/responder/pam/pamsrv.h
+++ b/src/responder/pam/pamsrv.h
@@ -99,4 +99,7 @@ errno_t
 pam_set_last_online_auth_with_curr_token(struct sss_domain_info *domain,
  const char *username,
  uint64_t value);
+
+errno_t filter_responses(struct confdb_ctx *cdb,
+ struct response_data *resp_list);
 #endif /* __PAMSRV_H__ */
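Review bot: The new `filter_responses()` declaration in pamsrv.h turns a file-private helper into a module-level symbol without any documentation of its contract; the companion hunk in pamsrv_cmd.c only drops `static`. Since callers outside pamsrv_cmd.c (here the cmocka test) can now reach it, the declaration should carry a short Doxygen block stating that it walks `resp_list` and marks entries with `do_not_send_to_client` according to the confdb PAM settings, returning EOK on success, and that the function is exported for testing rather than as a general API. The body of `filter_responses()` lies outside the visible hunks, so the exact filtering rules should be confirmed against the implementation before wording the comment.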
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index de3b4ca..d2ac2f7 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -470,8 +470,8 @@ static errno_t set_last_login(struct pam_auth_req *preq)
 return ret;
 }
 
-static errno_t filter_responses(struct confdb_ctx *cdb,
-struct response_data *resp_list)
+errno_t filter_responses(struct confdb_ctx *cdb,
+ struct response_data *resp_list)
 {
 int ret;
 struct response_data *resp;
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
index 4b2dea4..01b76fc 100644
--- a/src/tests/cmocka/test_pam_srv.c
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -31,6 +31,7 @@
 #include "responder/pam/pam_helpers.h"
 #include "sss_client/pam_message.h"
 #include "sss_client/sss_cli.h"
+#include "confdb/confdb.h"
 
 #include "util/crypto/sss_crypto.h"
 #ifdef HAVE_NSS
@@ -1759,6 +1760,45 @@ void test_pam_cert_auth(void **state)
 assert_int_equal(ret, EOK);
 }
 
+void test_filter_response(void **state)
+{
+int ret;
+struct pam_data *pd;
+uint8_t offline_auth_data[(sizeof(uint32_t) + sizeof(int64_t))];
+uint32_t info_type;
+
+struct sss_test_conf_param pam_params[] = {
+{ CONFDB_PAM_VERBOSITY, "1" },
+{ NULL, NULL }, /* Sentinel */
+};
+
+ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+assert_int_equal(ret, EOK);
+
+pd = talloc_zero(pam_test_ctx, struct pam_data);
+assert_non_null(pd);
+
+info_type = SSS_PAM_USER_INFO_OFFLINE_AUTH;
+memset(offline_auth_data, sizeof(offline_auth_data), 0);
+memcpy(offline_auth_data, &resp_type, sizeof(uint32_t));
+ret = pam_add_response(pd, SSS_PAM_USER_INFO,
+   sizeof(offline_auth_data), offline_auth_data);
+assert_int_equal(ret, EOK);
+
+ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list);
+assert_int_equal(ret, EOK);
+assert_false(pd->resp_list->do_not_send_to_client);
+
+pam_params[0].value = "0";
+ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+assert_int_equal(ret, EOK);
+
+ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list);
+assert_int_equal(ret, EOK);
+assert_true(pd->resp_list->do_not_send_to_client);
+
+}
+
 int main(int argc, const char *argv[])
 {
 int rv;
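Review bot: The `memset` call in `test_filter_response` has its value and length arguments swapped — `memset(offline_auth_data, sizeof(offline_auth_data), 0)` writes zero bytes, so the trailing `int64_t` portion of the stack buffer is passed to `pam_add_response` uninitialised; it should read `memset(offline_auth_data, 0, sizeof(offline_auth_data));`. The following `memcpy` copies from `resp_type`, which is not declared anywhere in the hunk, while `info_type` is assigned and never read; unless `resp_type` is a file-scope variable this will not compile, and in either case the intended line appears to be `memcpy(offline_auth_data, &info_type, sizeof(uint32_t));`. The blank line before the closing brace is a minor style nit.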
@@ -1870,6 +1910,9 @@ int main(int argc, const char *argv[])
 pam_test_setup_no_verification,
 pam_test_teardown),
 #endif /* HAVE_NSS */
+
+cmocka_unit_test_setup_teardown(test_filter_response,
+pam_test_setup, pam_test_teardown),
 };
 
 /* Set debug level to invalid value so we can deside if -d 0 was used. */

From 95bb77b3df59ec524647b962ca212b26d3ab015e Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Thu, 20 Oct 2016 18:40:01 +0200
Subject: [PATCH 2/2] PAM: add pam_response_filter option

Currently the main use-case for this new option is to not set the
KRB5CCNAME environment variable for services like 'sudo-i'.

Resolves https://fedorahosted.org/sssd/ticket/2296
---
 src/confdb/confdb.h  |   1 +
 src/config/SSSDConfig/__init__.py.in |   1 +
 src/config/cfg_rules.ini |   1 +
 src/config/etc/sssd.api.conf |   1 +
 src/man/sssd.conf.5.xml  |  45 +++
 src/responder/pam/pamsrv.h   |   3 +-
 src/responder/pam/pamsrv_cmd.c   | 111 +--
 src/tests/c

[SSSD] [sssd PR#58][+Pushed] Fix bug in libcrypto version of sss_decrypt

2016-10-21 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/58
Title: #58: Fix bug in libcrypto version of sss_decrypt

Label: +Pushed


[SSSD] [sssd PR#58][closed] Fix bug in libcrypto version of sss_decrypt

2016-10-21 Thread lslebodn
   URL: https://github.com/SSSD/sssd/pull/58
Author: lslebodn
 Title: #58: Fix bug in libcrypto version of sss_decrypt
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/58/head:pr58
git checkout pr58


[SSSD] [sssd PR#61][+Pushed] BUILD: Fix build without samba

2016-10-21 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/61
Title: #61: BUILD: Fix build without samba

Label: +Pushed


[SSSD] [sssd PR#61][closed] BUILD: Fix build without samba

2016-10-21 Thread lslebodn
   URL: https://github.com/SSSD/sssd/pull/61
Author: lslebodn
 Title: #61: BUILD: Fix build without samba
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/61/head:pr61
git checkout pr61


[SSSD] [sssd PR#61][comment] BUILD: Fix build without samba

2016-10-21 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/61
Title: #61: BUILD: Fix build without samba

fidencio commented:
"""
Please, fix the typos in the commit message before pushing.

shoudl bw -> should be
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/61#issuecomment-255363658


[SSSD] [sssd PR#61][+Accepted] BUILD: Fix build without samba

2016-10-21 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/61
Title: #61: BUILD: Fix build without samba

Label: +Accepted


[SSSD] [sssd PR#61][comment] BUILD: Fix build without samba

2016-10-21 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/61
Title: #61: BUILD: Fix build without samba

sumit-bose commented:
"""
Patch makes sense.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/61#issuecomment-255357228


[SSSD] [sssd PR#61][opened] BUILD: Fix build without samba

2016-10-21 Thread lslebodn
   URL: https://github.com/SSSD/sssd/pull/61
Author: lslebodn
 Title: #61: BUILD: Fix build without samba
Action: opened

PR body:
"""
The test test_ad_subdom shoudl bw compiled only if samba build is enabled.

In file included from src/tests/cmocka/test_ad_subdomains.c:39:0:
./src/providers/ad/ad_subdomains.c:35:17: fatal error: ndr.h: No such file or 
directory
 #include 
 ^
compilation terminated.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/61/head:pr61
git checkout pr61
From 927bcd34b01ba41c31feb0b90e8adffed2caf230 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik 
Date: Fri, 21 Oct 2016 13:02:28 +0200
Subject: [PATCH] BUILD: Fix build without samba

The test test_ad_subdom shoudl bw compiled only if samba build is enabled.

In file included from src/tests/cmocka/test_ad_subdomains.c:39:0:
./src/providers/ad/ad_subdomains.c:35:17: fatal error: ndr.h: No such file or directory
 #include 
 ^
compilation terminated.
---
 Makefile.am | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile.am b/Makefile.am
index b5f300a..7952fc3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -257,7 +257,6 @@ if HAVE_CMOCKA
 test_sbus_opath \
 test_fo_srv \
 pam-srv-tests \
-test_ad_subdom \
 test_ipa_subdom_util \
 test_tools_colondb \
 test_krb5_wait_queue \
@@ -284,6 +283,7 @@ non_interactive_cmocka_based_tests += \
 ad_access_filter_tests \
 ad_gpo_tests \
 ad_common_tests \
+test_ad_subdom \
 test_ipa_subdom_server \
 $(NULL)
 endif
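Review bot: The second hunk moves `test_ad_subdom` into a `non_interactive_cmocka_based_tests +=` block whose opening conditional is not part of the visible context, so the hunk alone does not demonstrate that the block is the samba-only one the commit message describes; the visible `endif` is consistent with that but does not prove it. Extending the hunk context upward, or mentioning the guard name in the commit message, would let a reviewer verify the move without checking out the branch.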


[SSSD] [sssd PR#57][synchronized] LDAP/AD: resolve domain local groups for remote users

2016-10-21 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/57
Author: sumit-bose
 Title: #57: LDAP/AD: resolve domain local groups for remote users
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/57/head:pr57
git checkout pr57
From 123f42ade0102e7c37eeab4e4511ccd55f545a1d Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Tue, 18 Oct 2016 14:59:19 +0200
Subject: [PATCH 1/4] sysdb: add parent_dom to sysdb_get_direct_parents()

Currently sysdb_get_direct_parents() only returns direct parents from the
same domain as the child object. In setups with sub-domains this might
not be sufficient. A new option parent_dom is added which allows
specifying a domain the direct parents should be looked up in. If it is
NULL the whole cache is searched.
---
 src/db/sysdb.h | 21 +
 src/db/sysdb_search.c  |  7 ++-
 src/providers/ldap/sdap_async_initgroups.c | 11 +++
 3 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 7de3acd..f5d3ddb 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -1137,8 +1137,29 @@ errno_t sysdb_remove_attrs(struct sss_domain_info *domain,
enum sysdb_member_type type,
char **remove_attrs);
 
+/**
+ * @brief Return direct parents of an object in the cache
+ *
+ * @param[in]  mem_ctx Memory context the result should be allocated
+ * on
+ * @param[in]  dom domain the object is in
+ * @param[in]  parent_dom  domain which should be searched for direct
+ * parents if NULL all domains in the given cache
+ * are searched
+ * @param[in]  mtype   Type of the object, SYSDB_MEMBER_USER or
+ * SYSDB_MEMBER_GROUP
+ * @param[in]  nameName of the object
+ * @param[out] _direct_parents List of names of the direct parent groups
+ *
+ *
+ * @return
+ *  - EOK:success
+ *  - EINVAL: wrong mtype
+ *  - ENOMEM: Memory allocation failed
+ */
 errno_t sysdb_get_direct_parents(TALLOC_CTX *mem_ctx,
  struct sss_domain_info *dom,
+ struct sss_domain_info *parent_dom,
  enum sysdb_member_type mtype,
  const char *name,
  char ***_direct_parents);
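Review bot: The new docblock does not say what relationship `parent_dom` must have to `dom`; the sysdb_search.c hunk in this patch uses `dom->sysdb` for the NULL case and `sysdb_group_base_dn(tmp_ctx, parent_dom)` otherwise, which presumably only makes sense when both domains live in the same cache. A sentence on the `parent_dom` parameter such as `must share the sysdb cache with dom; NULL searches the whole cache` would make that contract explicit. The `@return` list also omits the error codes the search itself can produce, which may be worth a generic `other errno values from the underlying search` entry.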
diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c
index cfee578..4d63c38 100644
--- a/src/db/sysdb_search.c
+++ b/src/db/sysdb_search.c
@@ -1981,6 +1981,7 @@ int sysdb_get_netgroup_attr(TALLOC_CTX *mem_ctx,
 
 errno_t sysdb_get_direct_parents(TALLOC_CTX *mem_ctx,
  struct sss_domain_info *dom,
+ struct sss_domain_info *parent_dom,
  enum sysdb_member_type mtype,
  const char *name,
  char ***_direct_parents)
@@ -2029,7 +2030,11 @@ errno_t sysdb_get_direct_parents(TALLOC_CTX *mem_ctx,
 goto done;
 }
 
-basedn = sysdb_group_base_dn(tmp_ctx, dom);
+if (parent_dom == NULL) {
+basedn = sysdb_base_dn(dom->sysdb, tmp_ctx);
+} else {
+basedn = sysdb_group_base_dn(tmp_ctx, parent_dom);
+}
 if (!basedn) {
 ret = ENOMEM;
 goto done;
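Review bot: With `parent_dom == NULL` the search base becomes the root of the cache rather than the group container, so every entry whose member attribute matches — not only group objects — becomes a candidate result. The filter is built outside this hunk, so it cannot be checked here; it should restrict on the group object class, otherwise the direct-parents list used for membership computation could pick up non-group entries. A comment on the NULL branch would make that dependency visible to the next maintainer, e.g. `/* whole-cache search: the filter below must select group objects only */`. The rest of `sysdb_get_direct_parents()` lies outside the hunk.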
diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index df39de3..7a2eef4 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -1301,7 +1301,8 @@ sdap_initgr_store_user_memberships(struct sdap_initgr_nested_state *state)
 }
 }
 
-ret = sysdb_get_direct_parents(tmp_ctx, state->dom, SYSDB_MEMBER_USER,
+ret = sysdb_get_direct_parents(tmp_ctx, state->dom, state->dom,
+   SYSDB_MEMBER_USER,
state->username, &sysdb_parent_name_list);
 if (ret) {
 DEBUG(SSSDBG_CRIT_FAILURE,
@@ -1388,7 +1389,7 @@ sdap_initgr_nested_get_membership_diff(TALLOC_CTX *mem_ctx,
 goto done;
 }
 
-ret = sysdb_get_direct_parents(tmp_ctx, dom, SYSDB_MEMBER_GROUP,
+ret = sysdb_get_direct_parents(tmp_ctx, dom, dom, SYSDB_MEMBER_GROUP,
group_name, &sysdb_parents_names_list);
 if (ret) {
 DEBUG(SSSDBG_CRIT_FAILURE,
@@ -2070,7 +2071,8 @@ rfc2307bis_group_memberships_build(hash_entry_t *item, void *user_data)
 goto done;
 }
 
-ret = sysdb_get_direct_parents(tmp_ctx, mstate->dom, SYSDB_MEMBER_GROUP,
+ret = sysdb_get_direct_parents(tmp_ctx, mstate->dom, mstate->dom,
+   SYSDB_MEMBER_GROUP,
group_name, &sysdb_parents_names_list);
 if (ret) {
 DEBUG(SSSDBG_CRIT_FAILUR

[SSSD] [sssd PR#58][comment] Fix bug in libcrypto version of sss_decrypt

2016-10-21 Thread tiran
  URL: https://github.com/SSSD/sssd/pull/58
Title: #58: Fix bug in libcrypto version of sss_decrypt

tiran commented:
"""
ACK

Let's investigate the LTO/PGO issue in a different ticket. I'm not even sure 
that the problem actually exists.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/58#issuecomment-255341765


[SSSD] [sssd PR#58][comment] Fix bug in libcrypto version of sss_decrypt

2016-10-21 Thread tiran
  URL: https://github.com/SSSD/sssd/pull/58
Title: #58: Fix bug in libcrypto version of sss_decrypt

tiran commented:
"""
I cannot recall that I reviewed the code. In fact I didn't even know that 
OpenSSL had a constant timing comparison operator called ```CRYPTO_memcmp```. 
@lslebodn fix looks right.

While I was searching for documentation of ```CRYPTO_memcmp```, one posting 
suggested that optimizers such as PGO or LTO might replace ```CRYPTO_memcmp``` 
with inline assembler for ```memcmp```. The author suggested to make one of the 
arguments ```volatile```.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/58#issuecomment-255329314


[SSSD] Re: [sssd PR#57][comment] LDAP/AD: resolve domain local groups for remote users

2016-10-21 Thread Lukas Slebodnik
On (21/10/16 10:22), jhrozek wrote:
>  URL: https://github.com/SSSD/sssd/pull/57
>Title: #57: LDAP/AD: resolve domain local groups for remote users
>
>jhrozek commented:
>"""
>Hmm, looks like github ate my mail, so let's paste the comment again (and 
>sorry if it arrives twice). Coverity detected some warnings:
It has nothing to do with coverity. These warnings are reported by gcc

covscan != coverity

LS


[SSSD] [sssd PR#57][comment] LDAP/AD: resolve domain local groups for remote users

2016-10-21 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/57
Title: #57: LDAP/AD: resolve domain local groups for remote users

jhrozek commented:
"""
Hmm, looks like github ate my mail, so let's paste the comment again (and sorry 
if it arrives twice). Coverity detected some warnings:
```
Error: COMPILER_WARNING:
sssd-1.14.90/src/providers/ldap/sdap_async_initgroups_ad.c:1554:12: warning: 
unused variable 'd' [-Wunused-variable]
# size_t d;
#^
# 1552|   int ret;
# 1553|   size_t c;
# 1554|-> size_t d;
# 1555|   char **groupnamelist = NULL;
# 1556|   struct sysdb_attrs *groups[1];

Error: COMPILER_WARNING:
sssd-1.14.90/src/providers/ldap/sdap_async_initgroups_ad.c:1562:25: warning: 
unused variable 'msg' [-Wunused-variable]
# struct ldb_message *msg;
# ^
# 1560|   const char *class;
# 1561|   struct sss_domain_info *obj_dom;
# 1562|-> struct ldb_message *msg;
# 1563|   struct ldb_message_element *el;
# 1564|   const char *obj_attrs[] = {SYSDB_NAME, SYSDB_MEMBEROF, NULL};

Error: COMPILER_WARNING:
sssd-1.14.90/src/providers/ldap/sdap_async_initgroups_ad.c:1563:33: warning: 
unused variable 'el' [-Wunused-variable]
# struct ldb_message_element *el;
# ^
# 1561|   struct sss_domain_info *obj_dom;
# 1562|   struct ldb_message *msg;
# 1563|-> struct ldb_message_element *el;
# 1564|   const char *obj_attrs[] = {SYSDB_NAME, SYSDB_MEMBEROF, NULL};
# 1565|   char *local_groups_base_dn;

Error: COMPILER_WARNING:
sssd-1.14.90/src/providers/ldap/sdap_async_initgroups_ad.c:1564:17: warning: 
unused variable 'obj_attrs' [-Wunused-variable]
# const char *obj_attrs[] = {SYSDB_NAME, SYSDB_MEMBEROF, NULL};
# ^
# 1562|   struct ldb_message *msg;
# 1563|   struct ldb_message_element *el;
# 1564|-> const char *obj_attrs[] = {SYSDB_NAME, SYSDB_MEMBEROF, NULL};
# 1565|   char *local_groups_base_dn;
# 1566|   uint8_t *obj_base_dn;

Error: COMPILER_WARNING:
sssd-1.14.90/src/providers/ldap/sdap_async_initgroups_ad.c:1566:14: warning: 
unused variable 'obj_base_dn' [-Wunused-variable]
# uint8_t *obj_base_dn;
#  ^
# 1564|   const char *obj_attrs[] = {SYSDB_NAME, SYSDB_MEMBEROF, NULL};
# 1565|   char *local_groups_base_dn;
# 1566|-> uint8_t *obj_base_dn;
# 1567|   char **cached_local_parents = NULL;
# 1568|   uint8_t *name_start;

Error: COMPILER_WARNING:
sssd-1.14.90/src/providers/ldap/sdap_async_initgroups_ad.c: scope_hint: In 
function 'sdap_ad_get_domain_local_groups_parse_parents'
sssd-1.14.90/src/providers/ldap/sdap_async_initgroups_ad.c:1568:14: warning: 
unused variable 'name_start' [-Wunused-variable]
# uint8_t *name_start;
#  ^
# 1566|   uint8_t *obj_base_dn;
# 1567|   char **cached_local_parents = NULL;
# 1568|-> uint8_t *name_start;
# 1569|   char **add_list = NULL;
# 1570|   char **del_list = NULL;
```
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/57#issuecomment-255322943