On 10/23/2015 06:02 PM, Pavel Březina wrote:
On 10/23/2015 05:41 PM, Pavel Reichl wrote:
Thanks for rebase.

I'm having a little trouble testing now; it seems to me that user-show
does not work, but it's Friday evening so the problem might be
between keyboard and chair :-)

$ getent passwd john
john:*:1234:10000:John Doe:/home/john:/bin/bash

sudo sss_override user-add john --name jon
SSSD needs to be restarted for the changes to take effect.

$ sudo systemctl restart sssd


$ sudo sss_override user-find
john@ol:jon:::::

sudo sss_override user-show john


This is what override looks for:
(&(objectClass=userOverride)(overrideAnchorUUID=:LOCAL:name\\5c3Djohn\\5c,cn\\5c3Dusers\\5c,cn\\5c3Dol\\5c,cn\\5c3Dsysd\220)



This is content of cache:
ldbsearch -H cache_ol.ldb '(objectClass=userOverride)' overrideAnchorUUID
asq: Unable to register control with rootdse!
# record 1
dn:
overrideAnchorUUID=:LOCAL:name\3Djohn\,cn\3Dusers\,cn\3Dol\,cn\3Dsysdb,cn=LOCAL,cn=views,cn=sysdb


overrideAnchorUUID::
OkxPQ0FMOm5hbWVcM0Rqb2huXCxjblwzRHVzZXJzXCxjblwzRG9sXCxjb
  lwzRHN5c2Ri

Works for me, we'll debug it on Monday on site.

Ok, we found an access after free. The 7th patch is attached. Fortunately, this is only hit with the new patches and won't show up in the released version.

From 3dfa3b62440c98b0002bb0df3cbf70680d54848a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Mon, 26 Oct 2015 11:28:36 +0100
Subject: [PATCH] sss_override: fix access after free in get_object_dn()

When only str_dn is requested, ldb_dn is freed. This triggers an access
after free, since str_dn is allocated within the ldb_dn talloc context.

Resolves:
https://fedorahosted.org/sssd/ticket/XXXX
---
 src/tools/sss_override.c | 38 +++++++++++++++++++++++++++++---------
 1 file changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c
index ccd9656f24582986e6bfcc34eb4b7116bd7c9c6a..39a66148efe7231bc81ee0d9b426d8ed89cc06bc 100644
--- a/src/tools/sss_override.c
+++ b/src/tools/sss_override.c
@@ -581,35 +581,55 @@ static errno_t get_object_dn(TALLOC_CTX *mem_ctx,
                              struct ldb_dn **_ldb_dn,
                              const char **_str_dn)
 {
+    TALLOC_CTX *tmp_ctx;
     struct ldb_dn *ldb_dn;
+    const char *str_dn;
+    errno_t ret;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
+        return ENOMEM;
+    }
 
     switch (type) {
     case SYSDB_MEMBER_USER:
-       ldb_dn = sysdb_user_dn(mem_ctx, domain, name);
+       ldb_dn = sysdb_user_dn(tmp_ctx, domain, name);
        break;
     case SYSDB_MEMBER_GROUP:
-       ldb_dn = sysdb_group_dn(mem_ctx, domain, name);
+       ldb_dn = sysdb_group_dn(tmp_ctx, domain, name);
        break;
     default:
        DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported member type %d\n", type);
-       return ERR_INTERNAL;
+       ret = ERR_INTERNAL;
+       goto done;
     }
 
     if (ldb_dn == NULL) {
-        return ENOMEM;
+        ret = ENOMEM;
+        goto done;
     }
 
     if (_str_dn != NULL) {
-        *_str_dn = ldb_dn_get_linearized(ldb_dn);
+        str_dn = talloc_strdup(tmp_ctx, ldb_dn_get_linearized(ldb_dn));
+        if (str_dn == NULL) {
+            ret = ENOMEM;
+            goto done;
+        }
+
+        *_str_dn = talloc_steal(mem_ctx, str_dn);
     }
 
     if (_ldb_dn != NULL) {
-        *_ldb_dn = ldb_dn;
-    } else {
-        talloc_free(ldb_dn);
+        *_ldb_dn = talloc_steal(mem_ctx, ldb_dn);
     }
 
-    return EOK;
+    ret = EOK;
+
+done:
+    talloc_free(tmp_ctx);
+
+    return ret;
 }
 
 static errno_t override_object_add(struct sss_domain_info *domain,
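Review bot: The `talloc_strdup()` in the `_str_dn` branch copies whatever `ldb_dn_get_linearized()` returns, and when that is NULL (a DN that cannot be linearized) the copy also comes back NULL, so the failure is reported as ENOMEM rather than as a bad DN. Capturing the linearized string first keeps the two cases apart: `const char *lin = ldb_dn_get_linearized(ldb_dn); if (lin == NULL) { ret = ERR_INTERNAL; goto done; }` ahead of the existing `talloc_strdup()`, which then copies `lin`. Since the two outputs are now independent children of `mem_ctx`, a short comment stating that the caller owns and frees both `*_ldb_dn` and `*_str_dn` would record the contract this fix establishes; the function's signature and any header comment begin above the hunk.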
-- 
2.1.0

From 2c34682b051a9fd62537adac9896d3fe18b55049 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Tue, 20 Oct 2015 12:22:23 +0200
Subject: [PATCH 1/7] sss_tools: always show common and help options

popt doesn't handle merging a NULL option table, so the common and help
options were not displayed when a command doesn't have any options.
---
 src/tools/common/sss_tools.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
index c0b525555bb86941d3245569e13ff8b830d861ba..abb9dbace3c622df84350cfc0b7a6f42c1a5e469 100644
--- a/src/tools/common/sss_tools.c
+++ b/src/tools/common/sss_tools.c
@@ -262,6 +262,19 @@ int sss_tool_route(int argc, const char **argv,
     return sss_tool_usage(argv[0], commands);
 }
 
+static struct poptOption *nonnull_popt_table(struct poptOption *options)
+{
+    static struct poptOption empty[] = {
+        POPT_TABLEEND
+    };
+
+    if (options == NULL) {
+        return empty;
+    }
+
+    return options;
+}
+
 int sss_tool_popt_ex(struct sss_cmdline *cmdline,
                      struct poptOption *options,
                      enum sss_tool_opt require_option,
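Review bot: `nonnull_popt_table()` carries no comment saying why an empty table is substituted, so the reason lives only in the commit message; `/* popt cannot merge a NULL POPT_ARG_INCLUDE_TABLE entry; substitute an empty table so the common and help options still appear for commands without options of their own. */` above the function would keep it with the code. Handing out the static `empty` array through a non-const pointer is fine as long as popt only reads include tables, which is presumably the case, but `static const` plus a cast at the single return would make that expectation explicit.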
@@ -272,7 +285,7 @@ int sss_tool_popt_ex(struct sss_cmdline *cmdline,
                      const char **_fopt)
 {
     struct poptOption opts_table[] = {
-        {NULL, '\0', POPT_ARG_INCLUDE_TABLE, options, \
+        {NULL, '\0', POPT_ARG_INCLUDE_TABLE, nonnull_popt_table(options), \
          0, _("Command options:"), NULL },
         {NULL, '\0', POPT_ARG_INCLUDE_TABLE, sss_tool_common_opts_table(), \
          0, _("Common options:"), NULL },
-- 
2.1.0

From f03c2540224b1c465ea7508b2b1144cff9194735 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Tue, 20 Oct 2015 11:18:31 +0200
Subject: [PATCH 2/7] sss_override: fix exporting multiple domains

There was a mistake in the code which resulted in exporting one
domain several times if multiple domains were configured.
---
 src/tools/sss_override.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c
index 041c2a10617c98bac584b9058fe0050286f71249..d0bf38729519e785aeff8e06e6e7b4e8710e0946 100644
--- a/src/tools/sss_override.c
+++ b/src/tools/sss_override.c
@@ -1249,7 +1249,7 @@ static int override_user_export(struct sss_cmdline *cmdline,
 
     dom = tool_ctx->domains;
     do {
-        objs = list_user_overrides(tool_ctx, tool_ctx->domains);
+        objs = list_user_overrides(tool_ctx, dom);
         if (objs == NULL) {
             DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get override objects\n");
             exit = EXIT_FAILURE;
@@ -1454,7 +1454,7 @@ static int override_group_export(struct sss_cmdline *cmdline,
 
     dom = tool_ctx->domains;
     do {
-        objs = list_group_overrides(tool_ctx, tool_ctx->domains);
+        objs = list_group_overrides(tool_ctx, dom);
         if (objs == NULL) {
             DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get override objects\n");
             exit = EXIT_FAILURE;
-- 
2.1.0

From 1d9f6fd507327e9a10d282cbf84342616b2e6823 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Fri, 23 Oct 2015 13:30:08 +0200
Subject: [PATCH 3/7] sss_override: add user-find

Resolves:
https://fedorahosted.org/sssd/ticket/2736
---
 src/man/sss_override.8.xml |  11 +++
 src/tools/sss_override.c   | 194 ++++++++++++++++++++++++++++++++-------------
 2 files changed, 152 insertions(+), 53 deletions(-)

diff --git a/src/man/sss_override.8.xml b/src/man/sss_override.8.xml
index 24c38936984946b3284d1523a7321a7e7f3d7982..c5cc32e1999a10e610c34ea00d90a90efdd96a30 100644
--- a/src/man/sss_override.8.xml
+++ b/src/man/sss_override.8.xml
@@ -79,6 +79,17 @@
             </varlistentry>
             <varlistentry>
                 <term>
+                    <option>user-find</option>
+                    <optional><option>-d,--domain</option> DOMAIN</optional>
+                </term>
+                <listitem>
+                    <para>
+                        List user overrides.
+                    </para>
+                </listitem>
+            </varlistentry>
+            <varlistentry>
+                <term>
                     <option>user-import</option>
                     <emphasis>FILE</emphasis>
                 </term>
diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c
index d0bf38729519e785aeff8e06e6e7b4e8710e0946..f438f92d6849402818000a33916ab184713b1400 100644
--- a/src/tools/sss_override.c
+++ b/src/tools/sss_override.c
@@ -135,6 +135,43 @@ static int parse_cmdline_group_del(struct sss_cmdline *cmdline,
                          &group->orig_name, &group->domain);
 }
 
+static int parse_cmdline_find(struct sss_cmdline *cmdline,
+                              struct sss_tool_ctx *tool_ctx,
+                              struct sss_domain_info **_dom)
+{
+    struct sss_domain_info *dom;
+    const char *domname = NULL;
+    int ret;
+    struct poptOption options[] = {
+        {"domain", 'd', POPT_ARG_STRING | POPT_ARGFLAG_OPTIONAL,
+            &domname, 0, _("Domain name"), NULL },
+        POPT_TABLEEND
+    };
+
+    ret = sss_tool_popt_ex(cmdline, options, SSS_TOOL_OPT_OPTIONAL,
+                           NULL, NULL, NULL, NULL, NULL);
+    if (ret != EXIT_SUCCESS) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n");
+        return ret;
+    }
+
+    if (domname == NULL) {
+        *_dom = NULL;
+        return EXIT_SUCCESS;
+    }
+
+    dom = find_domain_by_name(tool_ctx->domains, domname, true);
+    if (dom == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to find domain %s\n", domname);
+        fprintf(stderr, _("Unable to find domain %s\n"), domname);
+        return EXIT_FAILURE;
+    }
+
+    *_dom = dom;
+
+    return EXIT_SUCCESS;
+}
+
 static int parse_cmdline_import(struct sss_cmdline *cmdline,
                                 const char **_file)
 {
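Review bot: The `--domain` entry in `options` carries `POPT_ARGFLAG_OPTIONAL`, so `-d` given without a value is accepted, `domname` stays NULL and the command silently falls back to listing every domain instead of reporting the missing argument; the man page added in this patch documents the option as `-d,--domain DOMAIN`, which reads as a required value. If that is the intent, drop the flag: `{"domain", 'd', POPT_ARG_STRING, &domname, 0, _("Domain name"), NULL },`. The `Unable to find domain` branch already goes to both the log and stderr, which is the right shape for a missing value too.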
@@ -1082,6 +1119,73 @@ done:
     return objs;
 }
 
+static errno_t user_export(const char *filename,
+                           struct sss_domain_info *dom,
+                           bool iterate)
+{
+    TALLOC_CTX *tmp_ctx;
+    struct sss_colondb *db;
+    struct override_user *objs;
+    errno_t ret;
+    int i;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
+        return ENOMEM;
+    }
+
+    db = sss_colondb_open(tmp_ctx, SSS_COLONDB_WRITE, filename);
+    if (db == NULL) {
+        fprintf(stderr, _("Unable to open %s.\n"),
+                filename == NULL ? "stdout" : filename);
+        ret = EIO;
+        goto done;
+    }
+
+    do {
+        objs = list_user_overrides(tmp_ctx, dom);
+        if (objs == NULL) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get override objects\n");
+            ret = ENOMEM;
+            goto done;
+        }
+
+        for (i = 0; objs[i].orig_name != NULL; i++) {
+            /**
+             * Format: orig_name:name:uid:gid:gecos:home:shell
+             */
+            struct sss_colondb_write_field table[] = {
+                {SSS_COLONDB_STRING, {.str = objs[i].orig_name}},
+                {SSS_COLONDB_STRING, {.str = objs[i].name}},
+                {SSS_COLONDB_UINT32, {.uint32 = objs[i].uid}},
+                {SSS_COLONDB_UINT32, {.uint32 = objs[i].gid}},
+                {SSS_COLONDB_STRING, {.str = objs[i].gecos}},
+                {SSS_COLONDB_STRING, {.str = objs[i].home}},
+                {SSS_COLONDB_STRING, {.str = objs[i].shell}},
+                {SSS_COLONDB_SENTINEL, {0}}
+            };
+
+            ret = sss_colondb_writeline(db, table);
+            if (ret != EOK) {
+                DEBUG(SSSDBG_CRIT_FAILURE, "Unable to write line to db\n");
+                goto done;
+            }
+        }
+
+        /* All overrides are under the same subtree, so we don't want to
+         * descent into subdomains. */
+        dom = get_next_domain(dom, false);
+    } while (dom != NULL && iterate);
+
+    ret = EOK;
+
+done:
+    talloc_free(tmp_ctx);
+
+    return ret;
+}
+
 static int override_user_add(struct sss_cmdline *cmdline,
                              struct sss_tool_ctx *tool_ctx,
                              void *pvt)
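Review bot: Each pass of the `do`/`while` loop in `user_export()` allocates a fresh `objs` array on `tmp_ctx` and nothing releases it until `done`, so with `iterate` set the working set grows with the number of domains; if `list_user_overrides()` parents the strings it returns under `objs`, a `talloc_free(objs);` after the `for` loop bounds that. The `objs == NULL` branch also maps every failure of `list_user_overrides()` to ENOMEM although the lookup may have failed for other reasons, so the log line is the only hint of the real cause. `group_export()` in patch 4/7 has the same shape and both points apply there too.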
@@ -1135,6 +1239,36 @@ static int override_user_del(struct sss_cmdline *cmdline,
     return EXIT_SUCCESS;
 }
 
+static int override_user_find(struct sss_cmdline *cmdline,
+                              struct sss_tool_ctx *tool_ctx,
+                              void *pvt)
+{
+    struct sss_domain_info *dom;
+    bool iterate;
+    errno_t ret;
+
+    ret = parse_cmdline_find(cmdline, tool_ctx, &dom);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command line.\n");
+        return EXIT_FAILURE;
+    }
+
+    if (dom == NULL) {
+        dom = tool_ctx->domains;
+        iterate = true;
+    } else {
+        iterate = false;
+    }
+
+    ret = user_export(NULL, dom, iterate);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to export users\n");
+        return EXIT_FAILURE;
+    }
+
+    return EXIT_SUCCESS;
+}
+
 static int override_user_import(struct sss_cmdline *cmdline,
                                 struct sss_tool_ctx *tool_ctx,
                                 void *pvt)
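Review bot: `parse_cmdline_find()` returns `EXIT_SUCCESS`/`EXIT_FAILURE` (it tests `sss_tool_popt_ex()` against `EXIT_SUCCESS` and returns `EXIT_FAILURE` itself), yet in `override_user_find()` its result lands in an `errno_t` and is tested with `ret != EOK`; this works only because both zero values coincide and it mixes the exit-code and errno conventions inside one function. Comparing against the value the callee actually promises, `if (ret != EXIT_SUCCESS) {`, keeps the conventions apart. `override_group_find()` in patch 4/7 has the same mismatch.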
@@ -1225,69 +1359,22 @@ static int override_user_export(struct sss_cmdline *cmdline,
                                 struct sss_tool_ctx *tool_ctx,
                                 void *pvt)
 {
-    struct sss_colondb *db;
     const char *filename;
-    struct override_user *objs;
-    struct sss_domain_info *dom;
     errno_t ret;
-    int exit;
-    int i;
 
     ret = parse_cmdline_export(cmdline, &filename);
     if (ret != EOK) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command line.\n");
-        exit = EXIT_FAILURE;
-        goto done;
+        return EXIT_FAILURE;
     }
 
-    db = sss_colondb_open(tool_ctx, SSS_COLONDB_WRITE, filename);
-    if (db == NULL) {
-        fprintf(stderr, _("Unable to open %s.\n"), filename);
-        exit = EXIT_FAILURE;
-        goto done;
+    ret = user_export(filename, tool_ctx->domains, true);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to export users\n");
+        return EXIT_FAILURE;
     }
 
-    dom = tool_ctx->domains;
-    do {
-        objs = list_user_overrides(tool_ctx, dom);
-        if (objs == NULL) {
-            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get override objects\n");
-            exit = EXIT_FAILURE;
-            goto done;
-        }
-
-        for (i = 0; objs[i].orig_name != NULL; i++) {
-            /**
-             * Format: orig_name:name:uid:gid:gecos:home:shell
-             */
-            struct sss_colondb_write_field table[] = {
-                {SSS_COLONDB_STRING, {.str = objs[i].orig_name}},
-                {SSS_COLONDB_STRING, {.str = objs[i].name}},
-                {SSS_COLONDB_UINT32, {.uint32 = objs[i].uid}},
-                {SSS_COLONDB_UINT32, {.uint32 = objs[i].gid}},
-                {SSS_COLONDB_STRING, {.str = objs[i].gecos}},
-                {SSS_COLONDB_STRING, {.str = objs[i].home}},
-                {SSS_COLONDB_STRING, {.str = objs[i].shell}},
-                {SSS_COLONDB_SENTINEL, {0}}
-            };
-
-            ret = sss_colondb_writeline(db, table);
-            if (ret != EOK) {
-                DEBUG(SSSDBG_CRIT_FAILURE, "Unable to write line to db\n");
-                exit = EXIT_FAILURE;
-                goto done;
-            }
-        }
-
-        /* All overrides are under the same subtree, so we don't want to
-         * descent into subdomains. */
-        dom = get_next_domain(dom, 0);
-    } while (dom != NULL);
-
-    exit = EXIT_SUCCESS;
-
-done:
-    return exit;
+    return EXIT_SUCCESS;
 }
 
 static int override_group_add(struct sss_cmdline *cmdline,
@@ -1496,6 +1583,7 @@ int main(int argc, const char **argv)
     struct sss_route_cmd commands[] = {
         {"user-add", override_user_add},
         {"user-del", override_user_del},
+        {"user-find", override_user_find},
         {"user-import", override_user_import},
         {"user-export", override_user_export},
         {"group-add", override_group_add},
-- 
2.1.0

From b2e65be661e10860435996714e3bdf87b17d65cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Fri, 23 Oct 2015 13:33:20 +0200
Subject: [PATCH 4/7] sss_override: add group-find

Resolves:
https://fedorahosted.org/sssd/ticket/2736
---
 src/man/sss_override.8.xml |  11 ++++
 src/tools/sss_override.c   | 150 ++++++++++++++++++++++++++++++---------------
 2 files changed, 112 insertions(+), 49 deletions(-)

diff --git a/src/man/sss_override.8.xml b/src/man/sss_override.8.xml
index c5cc32e1999a10e610c34ea00d90a90efdd96a30..253cb79a3388499cf8ad766d432b8c0ce3d0e3d5 100644
--- a/src/man/sss_override.8.xml
+++ b/src/man/sss_override.8.xml
@@ -160,6 +160,17 @@
             </varlistentry>
             <varlistentry>
                 <term>
+                    <option>group-find</option>
+                    <optional><option>-d,--domain</option> DOMAIN</optional>
+                </term>
+                <listitem>
+                    <para>
+                        List group overrides.
+                    </para>
+                </listitem>
+            </varlistentry>
+            <varlistentry>
+                <term>
                     <option>group-import</option>
                     <emphasis>FILE</emphasis>
                 </term>
diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c
index f438f92d6849402818000a33916ab184713b1400..0f45fbeae849d3e0d55b2d35f09221c501fe7c82 100644
--- a/src/tools/sss_override.c
+++ b/src/tools/sss_override.c
@@ -1186,6 +1186,70 @@ done:
     return ret;
 }
 
+static errno_t group_export(const char *filename,
+                            struct sss_domain_info *dom,
+                            bool iterate)
+{
+    TALLOC_CTX *tmp_ctx;
+    struct sss_colondb *db;
+    struct override_group *objs;
+    errno_t ret;
+    int i;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
+        return ENOMEM;
+    }
+
+
+    db = sss_colondb_open(tmp_ctx, SSS_COLONDB_WRITE, filename);
+    if (db == NULL) {
+        fprintf(stderr, _("Unable to open %s.\n"),
+                filename == NULL ? "stdout" : filename);
+        ret = EIO;
+        goto done;
+    }
+
+    do {
+        objs = list_group_overrides(tmp_ctx, dom);
+        if (objs == NULL) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get override objects\n");
+            ret = ENOMEM;
+            goto done;
+        }
+
+        for (i = 0; objs[i].orig_name != NULL; i++) {
+            /**
+             * Format: orig_name:name:gid
+             */
+            struct sss_colondb_write_field table[] = {
+                {SSS_COLONDB_STRING, {.str = objs[i].orig_name}},
+                {SSS_COLONDB_STRING, {.str = objs[i].name}},
+                {SSS_COLONDB_UINT32, {.uint32 = objs[i].gid}},
+                {SSS_COLONDB_SENTINEL, {0}}
+            };
+
+            ret = sss_colondb_writeline(db, table);
+            if (ret != EOK) {
+                DEBUG(SSSDBG_CRIT_FAILURE, "Unable to write line to db\n");
+                goto done;
+            }
+        }
+
+        /* All overrides are under the same subtree, so we don't want to
+         * descent into subdomains. */
+        dom = get_next_domain(dom, false);
+    } while (dom != NULL && iterate);
+
+    ret = EOK;
+
+done:
+    talloc_free(tmp_ctx);
+
+    return ret;
+}
+
 static int override_user_add(struct sss_cmdline *cmdline,
                              struct sss_tool_ctx *tool_ctx,
                              void *pvt)
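Review bot: There is a stray second blank line in `group_export()` between the `tmp_ctx == NULL` check and the `sss_colondb_open()` call; `user_export()`, which this function mirrors, has a single one, so dropping the extra line keeps the two in step. Apart from the `list_group_overrides()` call and the field table the body duplicates `user_export()` line for line; if further export variants are added, a shared loop taking the lister and a table builder would avoid fixing the same code twice.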
@@ -1431,6 +1495,36 @@ static int override_group_del(struct sss_cmdline *cmdline,
     return EXIT_SUCCESS;
 }
 
+static int override_group_find(struct sss_cmdline *cmdline,
+                               struct sss_tool_ctx *tool_ctx,
+                               void *pvt)
+{
+    struct sss_domain_info *dom;
+    bool iterate;
+    errno_t ret;
+
+    ret = parse_cmdline_find(cmdline, tool_ctx, &dom);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command line.\n");
+        return EXIT_FAILURE;
+    }
+
+    if (dom == NULL) {
+        dom = tool_ctx->domains;
+        iterate = true;
+    } else {
+        iterate = false;
+    }
+
+    ret = group_export(NULL, dom, iterate);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to export groups\n");
+        return EXIT_FAILURE;
+    }
+
+    return EXIT_SUCCESS;
+}
+
 static int override_group_import(struct sss_cmdline *cmdline,
                                  struct sss_tool_ctx *tool_ctx,
                                  void *pvt)
@@ -1517,65 +1611,22 @@ static int override_group_export(struct sss_cmdline *cmdline,
                                  struct sss_tool_ctx *tool_ctx,
                                  void *pvt)
 {
-    struct sss_colondb *db;
     const char *filename;
-    struct override_group *objs;
-    struct sss_domain_info *dom;
     errno_t ret;
-    int exit;
-    int i;
 
     ret = parse_cmdline_export(cmdline, &filename);
     if (ret != EOK) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command line.\n");
-        exit = EXIT_FAILURE;
-        goto done;
+        return EXIT_FAILURE;
     }
 
-    db = sss_colondb_open(tool_ctx, SSS_COLONDB_WRITE, filename);
-    if (db == NULL) {
-        fprintf(stderr, _("Unable to open %s.\n"), filename);
-        exit = EXIT_FAILURE;
-        goto done;
+    ret = group_export(filename, tool_ctx->domains, true);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to export groups\n");
+        return EXIT_FAILURE;
     }
 
-    dom = tool_ctx->domains;
-    do {
-        objs = list_group_overrides(tool_ctx, dom);
-        if (objs == NULL) {
-            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get override objects\n");
-            exit = EXIT_FAILURE;
-            goto done;
-        }
-
-        for (i = 0; objs[i].orig_name != NULL; i++) {
-            /**
-             * Format: orig_name:name:gid
-             */
-            struct sss_colondb_write_field table[] = {
-                {SSS_COLONDB_STRING, {.str = objs[i].orig_name}},
-                {SSS_COLONDB_STRING, {.str = objs[i].name}},
-                {SSS_COLONDB_UINT32, {.uint32 = objs[i].gid}},
-                {SSS_COLONDB_SENTINEL, {0}}
-            };
-
-            ret = sss_colondb_writeline(db, table);
-            if (ret != EOK) {
-                DEBUG(SSSDBG_CRIT_FAILURE, "Unable to write line to db\n");
-                exit = EXIT_FAILURE;
-                goto done;
-            }
-        }
-
-        /* All overrides are under the same subtree, so we don't want to
-         * descent into subdomains. */
-        dom = get_next_domain(dom, 0);
-    } while (dom != NULL);
-
-    exit = EXIT_SUCCESS;
-
-done:
-    return exit;
+    return EXIT_SUCCESS;
 }
 
 int main(int argc, const char **argv)
@@ -1588,6 +1639,7 @@ int main(int argc, const char **argv)
         {"user-export", override_user_export},
         {"group-add", override_group_add},
         {"group-del", override_group_del},
+        {"group-find", override_group_find},
         {"group-import", override_group_import},
         {"group-export", override_group_export},
         {NULL, NULL}
-- 
2.1.0

From 8ccf9b0c49ee4a8e86a4d877e9a9d8000ea015a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Tue, 20 Oct 2015 12:15:41 +0200
Subject: [PATCH 5/7] sss_override: add user-show

Resolves:
https://fedorahosted.org/sssd/ticket/2736
---
 src/man/sss_override.8.xml |  11 +++++
 src/tools/sss_override.c   | 113 +++++++++++++++++++++++++++++++++++++++++----
 2 files changed, 116 insertions(+), 8 deletions(-)

diff --git a/src/man/sss_override.8.xml b/src/man/sss_override.8.xml
index 253cb79a3388499cf8ad766d432b8c0ce3d0e3d5..7a03f8b5bfa9ab0d3007913f9bd48923da35af5f 100644
--- a/src/man/sss_override.8.xml
+++ b/src/man/sss_override.8.xml
@@ -90,6 +90,17 @@
             </varlistentry>
             <varlistentry>
                 <term>
+                    <option>user-show</option>
+                    <emphasis>NAME</emphasis>
+                </term>
+                <listitem>
+                    <para>
+                        Show user overrides.
+                    </para>
+                </listitem>
+            </varlistentry>
+            <varlistentry>
+                <term>
                     <option>user-import</option>
                     <emphasis>FILE</emphasis>
                 </term>
diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c
index 0f45fbeae849d3e0d55b2d35f09221c501fe7c82..071aad97b91d2d16421efb4a90f0758bbd80d871 100644
--- a/src/tools/sss_override.c
+++ b/src/tools/sss_override.c
@@ -113,6 +113,14 @@ static int parse_cmdline_user_del(struct sss_cmdline *cmdline,
                          &user->orig_name, &user->domain);
 }
 
+static int parse_cmdline_user_show(struct sss_cmdline *cmdline,
+                                   struct sss_tool_ctx *tool_ctx,
+                                   struct override_user *user)
+{
+    return parse_cmdline(cmdline, tool_ctx, NULL, &user->input_name,
+                         &user->orig_name, &user->domain);
+}
+
 static int parse_cmdline_group_add(struct sss_cmdline *cmdline,
                                    struct sss_tool_ctx *tool_ctx,
                                    struct override_group *group)
@@ -939,7 +947,8 @@ done:
 }
 
 static errno_t list_overrides(TALLOC_CTX *mem_ctx,
-                              const char *filter,
+                              const char *base_filter,
+                              const char *ext_filter,
                               const char **attrs,
                               struct sss_domain_info *domain,
                               size_t *_count,
@@ -950,6 +959,7 @@ static errno_t list_overrides(TALLOC_CTX *mem_ctx,
     struct ldb_context *ldb = sysdb_ctx_get_ldb(domain->sysdb);
     size_t count;
     struct ldb_message **msgs;
+    const char *filter;
     size_t i;
     int ret;
 
@@ -959,6 +969,16 @@ static errno_t list_overrides(TALLOC_CTX *mem_ctx,
         return ENOMEM;
     }
 
+    filter = base_filter;
+    if (ext_filter != NULL) {
+        filter = talloc_asprintf(tmp_ctx, "(&%s%s)", filter, ext_filter);
+        if (filter == NULL) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf() failed.\n");
+            ret = ENOMEM;
+            goto done;
+        }
+    }
+
     /* Acquire list of override objects. */
     dn = ldb_dn_new_fmt(tmp_ctx, ldb, SYSDB_TMPL_VIEW_SEARCH_BASE, LOCALVIEW);
     if (dn == NULL) {
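Review bot: The `(&%s%s)` composition trusts `ext_filter` to be a complete, already-escaped LDAP filter term, but nothing on the parameter says so; the one caller in this series runs the anchor through `sss_filter_sanitize()` before building it, and a future caller passing a raw user-supplied value here would change the search semantics. A comment on the parameter in the signature, which starts above this hunk, such as `/* ext_filter: optional, complete and already sanitized filter term ANDed with base_filter; never pass unescaped user input */` records the contract. `base_filter` is a literal objectClass term at both call sites, so only `ext_filter` needs the note.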
@@ -998,7 +1018,8 @@ done:
 
 static struct override_user *
 list_user_overrides(TALLOC_CTX *mem_ctx,
-                    struct sss_domain_info *domain)
+                    struct sss_domain_info *domain,
+                    const char *filter)
 {
     TALLOC_CTX *tmp_ctx;
     struct override_user *objs;
@@ -1015,7 +1036,7 @@ list_user_overrides(TALLOC_CTX *mem_ctx,
     }
 
     ret = list_overrides(tmp_ctx, "(objectClass=" SYSDB_OVERRIDE_USER_CLASS ")",
-                         attrs, domain, &count, &msgs);
+                         filter, attrs, domain, &count, &msgs);
     if (ret != EOK) {
         goto done;
     }
@@ -1080,7 +1101,7 @@ list_group_overrides(TALLOC_CTX *mem_ctx,
     }
 
     ret = list_overrides(tmp_ctx, "(objectClass=" SYSDB_OVERRIDE_GROUP_CLASS ")",
-                         attrs, domain, &count, &msgs);
+                         NULL, attrs, domain, &count, &msgs);
     if (ret != EOK) {
         goto done;
     }
@@ -1121,7 +1142,8 @@ done:
 
 static errno_t user_export(const char *filename,
                            struct sss_domain_info *dom,
-                           bool iterate)
+                           bool iterate,
+                           const char *filter)
 {
     TALLOC_CTX *tmp_ctx;
     struct sss_colondb *db;
@@ -1144,7 +1166,7 @@ static errno_t user_export(const char *filename,
     }
 
     do {
-        objs = list_user_overrides(tmp_ctx, dom);
+        objs = list_user_overrides(tmp_ctx, dom, filter);
         if (objs == NULL) {
             DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get override objects\n");
             ret = ENOMEM;
@@ -1324,7 +1346,7 @@ static int override_user_find(struct sss_cmdline *cmdline,
         iterate = false;
     }
 
-    ret = user_export(NULL, dom, iterate);
+    ret = user_export(NULL, dom, iterate, NULL);
     if (ret != EOK) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to export users\n");
         return EXIT_FAILURE;
@@ -1333,6 +1355,80 @@ static int override_user_find(struct sss_cmdline *cmdline,
     return EXIT_SUCCESS;
 }
 
+static int override_user_show(struct sss_cmdline *cmdline,
+                              struct sss_tool_ctx *tool_ctx,
+                              void *pvt)
+{
+    TALLOC_CTX *tmp_ctx;
+    struct override_user input = {NULL};
+    const char *dn;
+    char *anchor;
+    const char *filter;
+    int ret;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed.\n");
+        return EXIT_FAILURE;
+    }
+
+    ret = parse_cmdline_user_show(cmdline, tool_ctx, &input);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command line.\n");
+        goto done;
+    }
+
+    ret = get_user_domain_msg(tool_ctx, &input);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get object domain\n");
+        goto done;
+    }
+
+    ret = get_object_dn(tmp_ctx, input.domain, SYSDB_MEMBER_USER,
+                        input.orig_name, NULL, &dn);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get object dn\n");
+        goto done;
+    }
+
+    anchor = build_anchor(tmp_ctx, dn);
+    if (anchor == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    ret = sss_filter_sanitize(tmp_ctx, anchor, &anchor);
+    if (ret != EOK) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    filter = talloc_asprintf(tmp_ctx, "(%s=%s)",
+                             SYSDB_OVERRIDE_ANCHOR_UUID, anchor);
+    if (filter == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf() failed\n");
+        ret = ENOMEM;
+        goto done;
+    }
+
+    ret = user_export(NULL, input.domain, false, filter);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to export users\n");
+        goto done;
+    }
+
+    ret = EOK;
+
+done:
+    talloc_free(tmp_ctx);
+
+    if (ret != EOK) {
+        return EXIT_FAILURE;
+    }
+
+    return EXIT_SUCCESS;
+}
+
 static int override_user_import(struct sss_cmdline *cmdline,
                                 struct sss_tool_ctx *tool_ctx,
                                 void *pvt)
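Review bot: `sss_filter_sanitize(tmp_ctx, anchor, &anchor)` in `override_user_show()` reuses `anchor` as both input and output slot and then overrides any error with `ret = ENOMEM`; the aliasing is safe only if the function finishes reading `anchor` before it stores the result, which its interface does not promise, and the remap hides the real cause. A separate variable that keeps the returned code is clearer: `char *safe_anchor; ret = sss_filter_sanitize(tmp_ctx, anchor, &safe_anchor); if (ret != EOK) { goto done; }` with `safe_anchor` used in the `talloc_asprintf()`. When no override matches, `user_export()` writes no lines and the command exits `EXIT_SUCCESS`, which is indistinguishable from a successful lookup with empty output; a short message on stderr for the no-match case would make troubleshooting like the one in this thread easier.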
@@ -1432,7 +1528,7 @@ static int override_user_export(struct sss_cmdline *cmdline,
         return EXIT_FAILURE;
     }
 
-    ret = user_export(filename, tool_ctx->domains, true);
+    ret = user_export(filename, tool_ctx->domains, true, NULL);
     if (ret != EOK) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to export users\n");
         return EXIT_FAILURE;
@@ -1635,6 +1731,7 @@ int main(int argc, const char **argv)
         {"user-add", override_user_add},
         {"user-del", override_user_del},
         {"user-find", override_user_find},
+        {"user-show", override_user_show},
         {"user-import", override_user_import},
         {"user-export", override_user_export},
         {"group-add", override_group_add},
-- 
2.1.0

From 097d6685173e56c1fc8e5a5a352f582f377fe450 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Fri, 23 Oct 2015 13:37:28 +0200
Subject: [PATCH 6/7] sss_override: add group-show

Resolves:
https://fedorahosted.org/sssd/ticket/2736
---
 src/man/sss_override.8.xml | 11 ++++++
 src/tools/sss_override.c   | 96 +++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 101 insertions(+), 6 deletions(-)

diff --git a/src/man/sss_override.8.xml b/src/man/sss_override.8.xml
index 7a03f8b5bfa9ab0d3007913f9bd48923da35af5f..1c38de12da4e711d0d10a6e9fefb854004199166 100644
--- a/src/man/sss_override.8.xml
+++ b/src/man/sss_override.8.xml
@@ -182,6 +182,17 @@
             </varlistentry>
             <varlistentry>
                 <term>
+                    <option>group-show</option>
+                    <emphasis>NAME</emphasis>
+                </term>
+                <listitem>
+                    <para>
+                        Show group overrides.
+                    </para>
+                </listitem>
+            </varlistentry>
+            <varlistentry>
+                <term>
                     <option>group-import</option>
                     <emphasis>FILE</emphasis>
                 </term>
diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c
index 071aad97b91d2d16421efb4a90f0758bbd80d871..ccd9656f24582986e6bfcc34eb4b7116bd7c9c6a 100644
--- a/src/tools/sss_override.c
+++ b/src/tools/sss_override.c
@@ -143,6 +143,14 @@ static int parse_cmdline_group_del(struct sss_cmdline *cmdline,
                          &group->orig_name, &group->domain);
 }
 
+static int parse_cmdline_group_show(struct sss_cmdline *cmdline,
+                                    struct sss_tool_ctx *tool_ctx,
+                                    struct override_group *group)
+{
+    return parse_cmdline(cmdline, tool_ctx, NULL, &group->input_name,
+                         &group->orig_name, &group->domain);
+}
+
 static int parse_cmdline_find(struct sss_cmdline *cmdline,
                               struct sss_tool_ctx *tool_ctx,
                               struct sss_domain_info **_dom)
@@ -1084,7 +1092,8 @@ done:
 
 static struct override_group *
 list_group_overrides(TALLOC_CTX *mem_ctx,
-                     struct sss_domain_info *domain)
+                     struct sss_domain_info *domain,
+                     const char *filter)
 {
     TALLOC_CTX *tmp_ctx;
     struct override_group *objs;
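Review bot: The new `filter` parameter of list_group_overrides is passed through to list_overrides unchanged in the next hunk, and nothing at the declaration says whether the string must already be escaped for use inside an LDAP filter; the one caller this patch adds (override_group_show) runs it through sss_filter_sanitize() first, so that contract should be written down where the parameter is introduced, e.g. `/* filter: optional extra LDAP filter expression, already sanitized by the caller; NULL means no restriction */`. The same note applies to the `filter` parameter added to group_export further down, which forwards it without inspection. Both functions start inside their hunks but their bodies continue outside this view.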
@@ -1101,7 +1110,7 @@ list_group_overrides(TALLOC_CTX *mem_ctx,
     }
 
     ret = list_overrides(tmp_ctx, "(objectClass=" SYSDB_OVERRIDE_GROUP_CLASS ")",
-                         NULL, attrs, domain, &count, &msgs);
+                         filter, attrs, domain, &count, &msgs);
     if (ret != EOK) {
         goto done;
     }
@@ -1210,7 +1219,8 @@ done:
 
 static errno_t group_export(const char *filename,
                             struct sss_domain_info *dom,
-                            bool iterate)
+                            bool iterate,
+                            const char *filter)
 {
     TALLOC_CTX *tmp_ctx;
     struct sss_colondb *db;
@@ -1234,7 +1244,7 @@ static errno_t group_export(const char *filename,
     }
 
     do {
-        objs = list_group_overrides(tmp_ctx, dom);
+        objs = list_group_overrides(tmp_ctx, dom, filter);
         if (objs == NULL) {
             DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get override objects\n");
             ret = ENOMEM;
@@ -1612,7 +1622,7 @@ static int override_group_find(struct sss_cmdline *cmdline,
         iterate = false;
     }
 
-    ret = group_export(NULL, dom, iterate);
+    ret = group_export(NULL, dom, iterate, NULL);
     if (ret != EOK) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to export groups\n");
         return EXIT_FAILURE;
@@ -1621,6 +1631,79 @@ static int override_group_find(struct sss_cmdline *cmdline,
     return EXIT_SUCCESS;
 }
 
+static int override_group_show(struct sss_cmdline *cmdline,
+                               struct sss_tool_ctx *tool_ctx,
+                               void *pvt)
+{
+    TALLOC_CTX *tmp_ctx;
+    struct override_group input = {NULL};
+    const char *dn;
+    char *anchor;
+    const char *filter;
+    int ret;
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed.\n");
+        return EXIT_FAILURE;
+    }
+
+    ret = parse_cmdline_group_show(cmdline, tool_ctx, &input);
+   if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command line.\n");
+        goto done;
+    }
+
+    ret = get_group_domain_msg(tool_ctx, &input);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get object domain\n");
+        goto done;
+    }
+
+    ret = get_object_dn(tmp_ctx, input.domain, SYSDB_MEMBER_GROUP,
+                       input.orig_name, NULL, &dn);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get object dn\n");
+        goto done;
+    }
+
+    anchor = build_anchor(tmp_ctx, dn);
+    if (anchor == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    ret = sss_filter_sanitize(tmp_ctx, anchor, &anchor);
+    if (ret != EOK) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    filter = talloc_asprintf(tmp_ctx, "(%s=%s)",
+                             SYSDB_OVERRIDE_ANCHOR_UUID, anchor);
+    if (filter == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf() failed\n");
+        ret = ENOMEM;
+        goto done;
+    }
+
+    ret = group_export(NULL, input.domain, false, filter);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to export groups\n");
+        goto done;
+    }
+
+    ret = EOK;
+
+done:
+    talloc_free(tmp_ctx);
+
+    if (ret != EOK) {
+        return EXIT_FAILURE;
+    }
+
+    return EXIT_SUCCESS;
+}
+
 static int override_group_import(struct sss_cmdline *cmdline,
                                  struct sss_tool_ctx *tool_ctx,
                                  void *pvt)
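Review bot: In override_group_show the failure branch after `ret = sss_filter_sanitize(tmp_ctx, anchor, &anchor);` overwrites the sanitizer's return code with ENOMEM and emits no log line, so a sanitize failure becomes indistinguishable from an allocation failure for whoever debugs it; keep the returned code and log it, `DEBUG(SSSDBG_CRIT_FAILURE, "Unable to sanitize filter [%d]\n", ret);` followed by `goto done;`. That sanitize step is what keeps the group name taken from the command line from being interpreted as filter syntax once it is interpolated into the `(%s=%s)` anchor filter, so it should stay immediately before the talloc_asprintf. Two smaller style points: `if (ret != EOK) {` after the parse_cmdline_group_show call is indented three spaces instead of four, and the declarations block runs straight into `tmp_ctx = talloc_new(NULL);` without the blank line the rest of the file uses.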
@@ -1716,7 +1799,7 @@ static int override_group_export(struct sss_cmdline *cmdline,
         return EXIT_FAILURE;
     }
 
-    ret = group_export(filename, tool_ctx->domains, true);
+    ret = group_export(filename, tool_ctx->domains, true, NULL);
     if (ret != EOK) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Unable to export groups\n");
         return EXIT_FAILURE;
@@ -1737,6 +1820,7 @@ int main(int argc, const char **argv)
         {"group-add", override_group_add},
         {"group-del", override_group_del},
         {"group-find", override_group_find},
+        {"group-show", override_group_show},
         {"group-import", override_group_import},
         {"group-export", override_group_export},
         {NULL, NULL}
-- 
2.1.0

From cfd2f78a6f8b253b2a37396a289f26c675bea93f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Mon, 26 Oct 2015 11:28:36 +0100
Subject: [PATCH 7/7] sss_override: do not free ldb_dn in get_object_dn()

When only str_dn is requested, ldb_dn is freed. This triggers an access
after free, since str_dn is part of the ldb_dn talloc context.
---
 src/tools/sss_override.c | 38 +++++++++++++++++++++++++++++---------
 1 file changed, 29 insertions(+), 9 deletions(-)

diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c
index ccd9656f24582986e6bfcc34eb4b7116bd7c9c6a..39a66148efe7231bc81ee0d9b426d8ed89cc06bc 100644
--- a/src/tools/sss_override.c
+++ b/src/tools/sss_override.c
@@ -581,35 +581,55 @@ static errno_t get_object_dn(TALLOC_CTX *mem_ctx,
                              struct ldb_dn **_ldb_dn,
                              const char **_str_dn)
 {
+    TALLOC_CTX *tmp_ctx;
     struct ldb_dn *ldb_dn;
+    const char *str_dn;
+    errno_t ret;
+
+    tmp_ctx = talloc_new(NULL);
+    if (tmp_ctx == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
+        return ENOMEM;
+    }
 
     switch (type) {
     case SYSDB_MEMBER_USER:
-       ldb_dn = sysdb_user_dn(mem_ctx, domain, name);
+       ldb_dn = sysdb_user_dn(tmp_ctx, domain, name);
        break;
     case SYSDB_MEMBER_GROUP:
-       ldb_dn = sysdb_group_dn(mem_ctx, domain, name);
+       ldb_dn = sysdb_group_dn(tmp_ctx, domain, name);
        break;
     default:
        DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported member type %d\n", type);
-       return ERR_INTERNAL;
+       ret = ERR_INTERNAL;
+       goto done;
     }
 
     if (ldb_dn == NULL) {
-        return ENOMEM;
+        ret = ENOMEM;
+        goto done;
     }
 
     if (_str_dn != NULL) {
-        *_str_dn = ldb_dn_get_linearized(ldb_dn);
+        str_dn = talloc_strdup(tmp_ctx, ldb_dn_get_linearized(ldb_dn));
+        if (str_dn == NULL) {
+            ret = ENOMEM;
+            goto done;
+        }
+
+        *_str_dn = talloc_steal(mem_ctx, str_dn);
     }
 
     if (_ldb_dn != NULL) {
-        *_ldb_dn = ldb_dn;
-    } else {
-        talloc_free(ldb_dn);
+        *_ldb_dn = talloc_steal(mem_ctx, ldb_dn);
     }
 
-    return EOK;
+    ret = EOK;
+
+done:
+    talloc_free(tmp_ctx);
+
+    return ret;
 }
 
 static errno_t override_object_add(struct sss_domain_info *domain,
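Review bot: After this change both outputs of get_object_dn are separately allocated and stolen onto mem_ctx (`*_str_dn = talloc_steal(mem_ctx, str_dn);` and `*_ldb_dn = talloc_steal(mem_ctx, ldb_dn);`), which is exactly the ownership rule the old code violated, but nothing documents it, and the function's signature starts outside this hunk. Add a comment above the signature stating that `_str_dn` is a copy independent of `_ldb_dn`, that both belong to mem_ctx and are freed with it, and that either output pointer may be NULL when not wanted. A minor robustness point: `struct ldb_dn *ldb_dn;` is left uninitialized; the `default:` branch jumps to `done` before any read, so this is not a bug today, but `struct ldb_dn *ldb_dn = NULL;` keeps it safe if a future edit adds a path through `if (ldb_dn == NULL)` and silences maybe-uninitialized warnings.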
-- 
2.1.0
