URL: https://github.com/SSSD/sssd/pull/361 Author: fidencio Title: #361: Add root (user, group, uid and gid) to the negative cache (backport to sssd-1-14) Action: opened
PR body: """ Some patches have been dropped from the original series as those touched files/functions that are not present in sssd-1-14. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/361/head:pr361 git checkout pr361
From 466efb7b1f6a5fd55658d2cb0c0bf2f2af74a98c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com> Date: Mon, 14 Aug 2017 15:28:41 +0200 Subject: [PATCH 1/6] NEGCACHE: Add some comments about each step of sss_ncache_prepopulate() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The comments help to understand which part of the code is dealing with users or groups of specific or non-specific domain filters. Related: https://pagure.io/SSSD/sssd/issue/3460 Signed-off-by: Fabiano Fidêncio <fiden...@redhat.com> Reviewed-by: Jakub Hrozek <jhro...@redhat.com> (cherry picked from commit b54d79cf3c8017e186b5ea7cdc383746233db39b) --- src/responder/common/negcache.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c index 5b7ad69f4..0f95e53c3 100644 --- a/src/responder/common/negcache.c +++ b/src/responder/common/negcache.c @@ -694,7 +694,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, return ENOMEM; } - /* Populate domain-specific negative cache entries */ + /* Populate domain-specific negative cache user entries */ for (dom = domain_list; dom; dom = get_next_domain(dom, 0)) { conf_path = talloc_asprintf(tmpctx, CONFDB_DOMAIN_PATH_TMPL, dom->name); @@ -752,6 +752,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, } } + /* Populate non domain-specific negative cache user entries */ ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY, CONFDB_NSS_FILTER_USERS, &filter_list); if (ret == ENOENT) { @@ -828,6 +829,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, } } + /* Populate domain-specific negative cache group entries */ filter_set = false; for (dom = domain_list; dom; dom = get_next_domain(dom, 0)) { conf_path = talloc_asprintf(tmpctx, CONFDB_DOMAIN_PATH_TMPL, dom->name); 
@@ -878,6 +880,7 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, } } + /* Populate non domain-specific negative cache group entries */ ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY, CONFDB_NSS_FILTER_GROUPS, &filter_list); if (ret == ENOENT) { From efcefe856ba6a829c60495a1619e58719f770a3a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com> Date: Mon, 14 Aug 2017 15:46:10 +0200 Subject: [PATCH 2/6] NEGCACHE: Always add "root" to the negative cache MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The current code only adds "root" to the negative cache in case there's any other user or group set up in to be added. As SSSD doesn't handle "root", it should *always* be added to the negative cache. Related: https://pagure.io/SSSD/sssd/issue/3460 Signed-off-by: Fabiano Fidêncio <fiden...@redhat.com> Reviewed-by: Jakub Hrozek <jhro...@redhat.com> (cherry picked from commit 1e7b7da3aa56060c26f8ba1c08318cdee77753ea) --- src/responder/common/negcache.c | 88 +++++++++++++++++++++++++---------------- 1 file changed, 54 insertions(+), 34 deletions(-) diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c index 0f95e53c3..be3b6222e 100644 --- a/src/responder/common/negcache.c +++ b/src/responder/common/negcache.c @@ -679,8 +679,8 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, struct resp_ctx *rctx) { errno_t ret; - bool filter_set = false; char **filter_list = NULL; + char **default_list = NULL; char *name = NULL; struct sss_domain_info *dom = NULL; struct sss_domain_info *domain_list = rctx->domains; @@ -709,7 +709,6 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, &filter_list); if (ret == ENOENT) continue; if (ret != EOK) goto done; - filter_set = true; for (i = 0; (filter_list && filter_list[i]); i++) { ret = sss_parse_name_for_domains(tmpctx, domain_list, 
@@ -755,22 +754,9 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, /* Populate non domain-specific negative cache user entries */ ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY, CONFDB_NSS_FILTER_USERS, &filter_list); - if (ret == ENOENT) { - if (!filter_set) { - filter_list = talloc_array(tmpctx, char *, 2); - if (!filter_list) { - ret = ENOMEM; - goto done; - } - filter_list[0] = talloc_strdup(tmpctx, "root"); - if (!filter_list[0]) { - ret = ENOMEM; - goto done; - } - filter_list[1] = NULL; - } + if (ret != EOK && ret != ENOENT) { + goto done; } - else if (ret != EOK) goto done; for (i = 0; (filter_list && filter_list[i]); i++) { ret = sss_parse_name_for_domains(tmpctx, domain_list, @@ -830,7 +816,6 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, } /* Populate domain-specific negative cache group entries */ - filter_set = false; for (dom = domain_list; dom; dom = get_next_domain(dom, 0)) { conf_path = talloc_asprintf(tmpctx, CONFDB_DOMAIN_PATH_TMPL, dom->name); if (!conf_path) { @@ -843,7 +828,6 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, CONFDB_NSS_FILTER_GROUPS, &filter_list); if (ret == ENOENT) continue; if (ret != EOK) goto done; - filter_set = true; for (i = 0; (filter_list && filter_list[i]); i++) { ret = sss_parse_name(tmpctx, dom->names, filter_list[i], 
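Review bot: With the new `if (ret != EOK && ret != ENOENT) { goto done; }`, an ENOENT result now always falls through to `for (i = 0; (filter_list && filter_list[i]); i++)`, and at that point `filter_list` still carries whatever the preceding per-domain loop last stored in it unless confdb_get_string_as_list() resets its out-pointer on ENOENT, which is not visible in this hunk. If it does not, the last domain's filter_users entries are re-processed here as non-domain-specific names; adding `filter_list = NULL;` immediately before the confdb_get_string_as_list() call makes the intent explicit either way. The removed code had the same fall-through whenever filter_set was true, so this is not a regression introduced by the patch, but the rewrite is the natural place to close it, and the group counterpart further down has the same shape. sss_ncache_prepopulate() begins and ends outside this hunk.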
@@ -883,22 +867,9 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, /* Populate non domain-specific negative cache group entries */ ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY, CONFDB_NSS_FILTER_GROUPS, &filter_list); - if (ret == ENOENT) { - if (!filter_set) { - filter_list = talloc_array(tmpctx, char *, 2); - if (!filter_list) { - ret = ENOMEM; - goto done; - } - filter_list[0] = talloc_strdup(tmpctx, "root"); - if (!filter_list[0]) { - ret = ENOMEM; - goto done; - } - filter_list[1] = NULL; - } + if (ret != EOK && ret != ENOENT) { + goto done; } - else if (ret != EOK) goto done; for (i = 0; (filter_list && filter_list[i]); i++) { ret = sss_parse_name_for_domains(tmpctx, domain_list, 
@@ -957,6 +928,55 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, } } + /* SSSD doesn't handle "root", thus it'll be added to the negative cache + * nonetheless what's already added there. */ + default_list = talloc_array(tmpctx, char *, 2); + if (default_list == NULL) { + ret= ENOMEM; + goto done; + } + default_list[0] = talloc_strdup(tmpctx, "root"); + if (default_list[0] == NULL) { + ret = ENOMEM; + goto done; + } + default_list[1] = NULL; + + /* Populate negative cache users and groups entries for the + * "default_list" */ + for (i = 0; (default_list != NULL && default_list[i] != NULL); i++) { + for (dom = domain_list; + dom != NULL; + dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) { + fqname = sss_create_internal_fqname(tmpctx, + default_list[i], + dom->name); + if (fqname == NULL) { + continue; + } + + ret = sss_ncache_set_user(ncache, true, dom, fqname); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to store permanent user filter for" + " [%s:%s] (%d [%s])\n", + dom->name, default_list[i], + ret, strerror(ret)); + continue; + } + + ret = sss_ncache_set_group(ncache, true, dom, fqname); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to store permanent group filter for" + " [%s:%s] (%d [%s])\n", + dom->name, default_list[i], + ret, strerror(ret)); + continue; + } + } + } + ret = EOK; done: From 1fa4bd69d5c939daf30ec54bdd29c2576e82d790 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com> Date: Wed, 16 Aug 2017 10:45:19 +0200 Subject: [PATCH 3/6] TEST_NEGCACHE: Test that "root" is always added to ncache MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Simply modify test_sss_ncache_prepopulate() in order to ensure that "root" user and group are always added to the negative cache, no matter whether they're set as part of the filter_users or filter_groups options. Related: https://pagure.io/SSSD/sssd/issue/3460 
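Review bot: In the new default_list loop, a failed sss_ncache_set_user() is followed by `continue`, which also skips the sss_ncache_set_group() call for that same domain even though the two entries are independent; dropping that `continue` (the DEBUG message is still emitted) would leave the group filter in place when only the user filter failed. Both failures are logged at SSSDBG_MINOR_FAILURE and `ret = EOK` follows unconditionally, so a missing permanent "root" entry is silently accepted at startup although the stated rationale is that SSSD must never resolve "root", which argues for at least SSSDBG_CRIT_FAILURE. The `default_list != NULL` test in the loop condition is redundant after the NULL check just above, and `ret= ENOMEM` is missing a space before the operator. I would also reword the comment to `/* SSSD doesn't handle "root", so it is always added to the negative cache, regardless of what the filter_users/filter_groups options already added. */`. sss_ncache_prepopulate() continues past this hunk (the `done:` label is outside it).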
Signed-off-by: Fabiano Fidêncio <fiden...@redhat.com> Reviewed-by: Jakub Hrozek <jhro...@redhat.com> (cherry picked from commit e54764d62bfcc48770d9b2578132979aa58636e5) --- src/tests/cmocka/test_negcache.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c index 2e3575771..80248b488 100644 --- a/src/tests/cmocka/test_negcache.c +++ b/src/tests/cmocka/test_negcache.c @@ -631,6 +631,12 @@ static void test_sss_ncache_prepopulate(void **state) ret = check_group_in_ncache(ncache, dom, "testgroup3@somedomain"); assert_int_equal(ret, ENOENT); + + ret = check_user_in_ncache(ncache, dom, "root"); + assert_int_equal(ret, EEXIST); + + ret = check_group_in_ncache(ncache, dom, "root"); + assert_int_equal(ret, EEXIST); } static void test_sss_ncache_default_domain_suffix(void **state) From cbcea173a205b5ed43e4e884f3ec3457e11e85eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com> Date: Mon, 14 Aug 2017 12:15:42 +0200 Subject: [PATCH 4/6] NEGCACHE: Descend to all subdomains when adding user/groups MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When a user or group is added to the negative cache, we should descend to all subdomains as well. Related: https://pagure.io/SSSD/sssd/issue/3460 Signed-off-by: Fabiano Fidêncio <fiden...@redhat.com> Reviewed-by: Jakub Hrozek <jhro...@redhat.com> (cherry picked from commit 9908bdc9755e744c3e2c7c746a4edf95f9083ef5) --- src/responder/common/negcache.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c index be3b6222e..061e009ad 100644 --- a/src/responder/common/negcache.c +++ b/src/responder/common/negcache.c 
@@ -795,7 +795,9 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, continue; } } else { - for (dom = domain_list; dom; dom = get_next_domain(dom, 0)) { + for (dom = domain_list; + dom != NULL; + dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) { fqname = sss_create_internal_fqname(tmpctx, name, dom->name); if (fqname == NULL) { continue; @@ -908,7 +910,9 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, continue; } } else { - for (dom = domain_list; dom; dom = get_next_domain(dom, 0)) { + for (dom = domain_list; + dom != NULL; + dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) { fqname = sss_create_internal_fqname(tmpctx, name, dom->name); if (fqname == NULL) { continue; From c7c2a7ca8e92523dfd86fed630e4a64f2ed4948b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com> Date: Mon, 14 Aug 2017 13:31:45 +0200 Subject: [PATCH 5/6] NEGCACHE: Add root's uid/gid to ncache MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As "root" is not handled by SSSD, let's add its uid and gid to the negative cache as well. The reason it's added without specifying a domain is to follow how the negative cache is used by cache req's code when searching something by id. As the negative cache check for uid/gid, in the cache req code, is done after resolving the name, we can save one LDAP call to the data provider. Related: https://pagure.io/SSSD/sssd/issue/3460 Signed-off-by: Fabiano Fidêncio <fiden...@redhat.com> Reviewed-by: Jakub Hrozek <jhro...@redhat.com> (cherry picked from commit 3ad33ca77044f9a9d18f7def271b0beb180e567b) --- src/responder/common/negcache.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c index 061e009ad..21c7c9e70 100644 --- a/src/responder/common/negcache.c +++ b/src/responder/common/negcache.c 
@@ -981,6 +981,23 @@ errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, } } + /* Also add "root" uid and gid to the negative cache */ + ret = sss_ncache_set_uid(ncache, true, NULL, 0); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to store permanent uid filter for root (0) " + "(%d [%s])\n", + ret, strerror(ret)); + } + + ret = sss_ncache_set_gid(ncache, true, NULL, 0); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to store permanent gid filter for root (0) " + "(%d [%s])\n", + ret, strerror(ret)); + } + ret = EOK; done: From 6e6283ec1874d92343ef11e6d8200c77624a7e6d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com> Date: Wed, 16 Aug 2017 10:51:47 +0200 Subject: [PATCH 6/6] TEST_NEGCACHE: Ensure root's uid and gid are always added to ncache MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In order to do so two new functions have been introduced and test_sss_ncache_prepopulate() has been modified in order to ensure that root's uid and gid are always added to the negative cache. Related: https://pagure.io/SSSD/sssd/issue/3460 Signed-off-by: Fabiano Fidêncio <fiden...@redhat.com> Reviewed-by: Jakub Hrozek <jhro...@redhat.com> (cherry picked from commit b4b3d0642120ca05f63959fe2f317a6b93031929) --- src/tests/cmocka/test_negcache.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c index 80248b488..bbfd7e6eb 100644 --- a/src/tests/cmocka/test_negcache.c +++ b/src/tests/cmocka/test_negcache.c 
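Review bot: Both new calls, `sss_ncache_set_uid(ncache, true, NULL, 0)` and `sss_ncache_set_gid(ncache, true, NULL, 0)`, only log at SSSDBG_MINOR_FAILURE when they fail and the function then sets `ret = EOK`, so it reports success even when the uid 0 / gid 0 filters were not installed; since the purpose of these entries is to keep id lookups for root from ever reaching the data provider, a failure here is arguably worth SSSDBG_CRIT_FAILURE or propagating the error. The reason for passing a NULL domain is given only in the commit message; I would carry it into the code comment, e.g. `/* Also add "root" uid and gid to the negative cache. No domain is given so the entry matches the domain-less uid/gid check the cache_req code performs for id lookups. */`, hedged against the actual cache_req call which is not visible here. sss_ncache_prepopulate() continues outside this hunk.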
@@ -565,6 +565,24 @@ static int check_group_in_ncache(struct sss_nc_ctx *ctx,
     return ret;
 }
 
+static int check_uid_in_ncache(struct sss_nc_ctx *ctx,
+                               uid_t uid)
+{
+    int ret;
+
+    ret = sss_ncache_check_uid(ctx, NULL, uid);
+    return ret;
+}
+
+static int check_gid_in_ncache(struct sss_nc_ctx *ctx,
+                               gid_t gid)
+{
+    int ret;
+
+    ret = sss_ncache_check_gid(ctx, NULL, gid);
+    return ret;
+}
+
 static void test_sss_ncache_prepopulate(void **state)
 {
     int ret;
@@ -637,6 +655,12 @@ static void test_sss_ncache_prepopulate(void **state)
 
     ret = check_group_in_ncache(ncache, dom, "root");
     assert_int_equal(ret, EEXIST);
+
+    ret = check_uid_in_ncache(ncache, 0);
+    assert_int_equal(ret, EEXIST);
+
+    ret = check_gid_in_ncache(ncache, 0);
+    assert_int_equal(ret, EEXIST);
 }
 
 static void test_sss_ncache_default_domain_suffix(void **state)
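Review bot: The two new helpers wrap a single call in `int ret; ret = ...; return ret;`, which is more ceremony than the call needs; `return sss_ncache_check_uid(ctx, NULL, uid);` (and the gid twin) says the same in one line and matches the one-call shape of the wrapper. The second hunk only establishes that uid 0 and gid 0 are present; a companion negative assertion such as `ret = check_uid_in_ncache(ncache, 1000); assert_int_equal(ret, ENOENT);` would show that prepopulation did not blanket-negate ids and that the helper actually discriminates, assuming the fixture does not filter that id. The body of test_sss_ncache_prepopulate() lies mostly outside this hunk.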