[SSSD] [sssd PR#295][opened] MAN: Document that the secrets provider can only be specified in a per-client section

Thu, 01 Jun 2017 01:06:41 -0700 

   URL: https://github.com/SSSD/sssd/pull/295
Author: jhrozek
 Title: #295: MAN: Document that the secrets provider can only be specified in 
a per-client section
Action: opened

PR body:
"""
Resolves:
    https://pagure.io/SSSD/sssd/issue/3417
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/295/head:pr295
git checkout pr295

From a75fc206d9d064f68b6773a3cb5bf5f04aa1e32f Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Thu, 1 Jun 2017 09:51:31 +0200
Subject: [PATCH 1/2] KRB5: Fix access_provider=krb5

Resolves:
    https://pagure.io/SSSD/sssd/issue/3418

The domain type (posix or not) was being sent to the krb5_child always,
but the buffer only had enough space in case of authentication, not
authorization.

This patch makes the buffer one uint32_t unit larger.

To reproduce, just set up sssd.conf with:
    access_provider = krb5

Without the patch, you would see messages like:
    ==14111== Invalid write of size 2
    ==14111==    at 0x4C3041B: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1018)
    ==14111==    by 0xE0EE275: safealign_memcpy (util_safealign.h:51)
    ==14111==    by 0xE0EECB3: create_send_buffer (krb5_child_handler.c:239)
    ==14111==    by 0xE0EFDDE: handle_child_send (krb5_child_handler.c:529)
    ==14111==    by 0xE0EDEDD: krb5_access_send (krb5_access.c:149)
    ==14111==    by 0xE0ED32F: krb5_pam_handler_send (krb5_auth.c:1250)
    ==14111==    by 0x418868: file_dp_request (dp_request.c:254)
    ==14111==    by 0x418976: dp_req_send (dp_request.c:300)
    ==14111==    by 0x41C25F: dp_pam_handler (dp_target_auth.c:219)
    ==14111==    by 0x52B3456: sbus_request_invoke_or_finish (sssd_dbus_request.c:71)
    ==14111==    by 0x52B0F37: sbus_message_handler_got_caller_id (sssd_dbus_interface.c:1048)
    ==14111==    by 0x923C923: tevent_common_loop_immediate (tevent_immediate.c:135)
    ==14111==  Address 0x126ab506 is 150 bytes inside a block of size 151 alloc'd
    ==14111==    at 0x4C2BBAD: malloc (vg_replace_malloc.c:299)
    ==14111==    by 0x944D7F4: __talloc_with_prefix (talloc.c:698)
    ==14111==    by 0x944D7F4: __talloc (talloc.c:739)
    ==14111==    by 0x944D7F4: _talloc_named_const (talloc.c:896)
    ==14111==    by 0x944D7F4: talloc_named_const (talloc.c:1675)
    ==14111==    by 0xE0EE7B6: create_send_buffer (krb5_child_handler.c:185)
    ==14111==    by 0xE0EFDDE: handle_child_send (krb5_child_handler.c:529)
    ==14111==    by 0xE0EDEDD: krb5_access_send (krb5_access.c:149)
    ==14111==    by 0xE0ED32F: krb5_pam_handler_send (krb5_auth.c:1250)
    ==14111==    by 0x418868: file_dp_request (dp_request.c:254)
    ==14111==    by 0x418976: dp_req_send (dp_request.c:300)
    ==14111==    by 0x41C25F: dp_pam_handler (dp_target_auth.c:219)
    ==14111==    by 0x52B3456: sbus_request_invoke_or_finish (sssd_dbus_request.c:71)
    ==14111==    by 0x52B0F37: sbus_message_handler_got_caller_id (sssd_dbus_interface.c:1048)
    ==14111==    by 0x923C923: tevent_common_loop_immediate (tevent_immediate.c:135)
---
 src/providers/krb5/krb5_child_handler.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index 87e79a06e..11ac867e6 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -156,14 +156,14 @@ static errno_t create_send_buffer(struct krb5child_req *kr,
         return ENOMEM;
     }
 
-    buf->size = 8*sizeof(uint32_t) + strlen(kr->upn);
+    buf->size = 9*sizeof(uint32_t) + strlen(kr->upn);
 
     if (kr->pd->cmd == SSS_PAM_AUTHENTICATE ||
         kr->pd->cmd == SSS_PAM_PREAUTH ||
         kr->pd->cmd == SSS_CMD_RENEW ||
         kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM ||
         kr->pd->cmd == SSS_PAM_CHAUTHTOK) {
-        buf->size += 5*sizeof(uint32_t) + strlen(kr->ccname) + strlen(keytab) +
+        buf->size += 4*sizeof(uint32_t) + strlen(kr->ccname) + strlen(keytab) +
                      sss_authtok_get_size(kr->pd->authtok);
 
         buf->size += sizeof(uint32_t);

From ca4b5e2ca23090799514578d1c729f04bf997422 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Thu, 1 Jun 2017 10:04:21 +0200
Subject: [PATCH 2/2] MAN: Document that the secrets provider can only be
 specified in a per-client section

Resolves:
    https://pagure.io/SSSD/sssd/issue/3417
---
 src/man/sssd-secrets.5.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/man/sssd-secrets.5.xml b/src/man/sssd-secrets.5.xml
index 44a86c3fb..d833174b5 100644
--- a/src/man/sssd-secrets.5.xml
+++ b/src/man/sssd-secrets.5.xml
@@ -112,9 +112,9 @@ systemctl enable sssd-secrets.service
                     per-user subsections that define which provider store
                     the secrets for this particular user. The per-user
                     subsections should contain all options for that user's
-                    provider. If a per-user section does not exist, the
-                    global settings from the secret responder's section
-                    are used.  The following providers are supported:
+                    provider. Please note that currently the global provider
+                    is always local, the proxy provider can only be specified
+                    in a per-user section. The following providers are supported:
                     <variablelist>
                         <varlistentry>
                             <term>local</term>

_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

Reply via email to