From 306f2f008c4d564a6f5943758ec0b8f0db45340a Mon Sep 17 00:00:00 2001 From: Pavel Březina Date: Nov 01 2021 18:10:28 +0000 Subject: sssd-2.6.0-2: pull latest upstream code --- diff --git a/0001-DEBUG-fix-missing-va_end.patch b/0001-DEBUG-fix-missing-va_end.patch new file mode 100644 index 0000000..e7c99ef --- /dev/null +++ b/0001-DEBUG-fix-missing-va_end.patch @@ -0,0 +1,43 @@ +From 625274738b5f68418608be99b68d35c43079e2a1 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Thu, 14 Oct 2021 18:48:09 +0200 +Subject: [PATCH 01/17] DEBUG: fix missing "va_end" + +Fixes following warning: +``` +Error: VARARGS (CWE-237): +sssd-2.6.0/src/util/debug.c:294: va_init: Initializing va_list "ap_fallback". +sssd-2.6.0/src/util/debug.c:305: missing_va_end: "va_end" was not called for "ap_fallback". + # 303| debug_chain_id, format); + # 304| if (ret < 0) { + # 305|-> return; + # 306| } + # 307| result_fmt = chain_id_fmt_dyn; +``` + +Reviewed-by: Sumit Bose +--- + src/util/debug.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/util/debug.c b/src/util/debug.c +index 51fb42d3cf454ab8a83aa82329725bd250ce271c..7c03fb7dfff1bd6b9510ecd3c2e0948a83e7622e 100644 +--- a/src/util/debug.c ++++ b/src/util/debug.c +@@ -297,11 +297,13 @@ void sss_vdebug_fn(const char *file, + ret = snprintf(chain_id_fmt_fixed, sizeof(chain_id_fmt_fixed), + DEBUG_CHAIN_ID_FMT"%s", debug_chain_id, format); + if (ret < 0) { ++ va_end(ap_fallback); + return; + } else if (ret >= sizeof(chain_id_fmt_fixed)) { + ret = asprintf(&chain_id_fmt_dyn, DEBUG_CHAIN_ID_FMT"%s", + debug_chain_id, format); + if (ret < 0) { ++ va_end(ap_fallback); + return; + } + result_fmt = chain_id_fmt_dyn; +-- +2.31.1 + diff --git a/0002-CONFDB-Change-ownership-of-config.ldb.patch b/0002-CONFDB-Change-ownership-of-config.ldb.patch new file mode 100644 index 0000000..c33a4a5 --- /dev/null +++ b/0002-CONFDB-Change-ownership-of-config.ldb.patch @@ -0,0 +1,143 @@ +From 92e1679943fd2a2a50c9e0e176a10a875cb3ac56 Mon Sep 17 00:00:00 2001 +From: Tomas Halman +Date: Fri, 15 Oct 2021 11:03:19 +0200 +Subject: [PATCH 03/17] CONFDB: Change ownership of config.ldb + +Config database is owned by root. This prevents our socket +activated services to start because they are started under +the sssd user. Changing the ownership to sssd fixes the issue. + +Resolves: https://github.com/SSSD/sssd/issues/5781 + +Reviewed-by: Iker Pedrosa +--- + src/confdb/confdb.c | 3 +++ + src/monitor/monitor.c | 5 ++++- + src/tests/cwrap/group | 1 + + src/tests/cwrap/passwd | 1 + + src/util/usertools.c | 42 ++++++++++++++++++++++++++++++++++++++++++ + src/util/util.h | 3 +++ + 6 files changed, 54 insertions(+), 1 deletion(-) + +diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c +index b7a73d97b34bfa60aa59855c1eec2a17ed0a4ec0..7a718cc628343570d484135da639250ad83e8b01 100644 +--- a/src/confdb/confdb.c ++++ b/src/confdb/confdb.c +@@ -673,8 +673,11 @@ int confdb_init(TALLOC_CTX *mem_ctx, + } + + old_umask = umask(SSS_DFL_UMASK); ++ sss_set_sssd_user_eid(); + + ret = ldb_connect(cdb->ldb, confdb_location, 0, NULL); ++ ++ sss_restore_sssd_user_eid(); + umask(old_umask); + if (ret != LDB_SUCCESS) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to open config database [%s]\n", +diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c +index b5fee7e7a78cb75ee267279f5a97725d8dedca52..c7610cb69b77899103d99bf44bb3b9f426482e65 100644 +--- a/src/monitor/monitor.c ++++ b/src/monitor/monitor.c +@@ -1551,6 +1551,8 @@ errno_t load_configuration(TALLOC_CTX *mem_ctx, + errno_t ret; + struct mt_ctx *ctx; + char *cdb_file = NULL; ++ uid_t sssd_uid; ++ gid_t sssd_gid; + + ctx = talloc_zero(mem_ctx, struct mt_ctx); + if(!ctx) { +@@ -1591,7 +1593,8 @@ errno_t load_configuration(TALLOC_CTX *mem_ctx, + + /* Allow configuration database to be accessible + * when SSSD runs as nonroot */ +- ret = chown(cdb_file, ctx->uid, ctx->gid); ++ sss_sssd_user_uid_and_gid(&sssd_uid, &sssd_gid); ++ ret = chown(cdb_file, sssd_uid, sssd_gid); + if (ret != 0) { + ret = errno; + DEBUG(SSSDBG_FATAL_FAILURE, +diff --git a/src/tests/cwrap/group b/src/tests/cwrap/group +index d0cea659ea030d14a293f5d941f473f8f3786886..1a3766e6307274b2935737d5060e3d8531d0bed2 100644 +--- a/src/tests/cwrap/group ++++ b/src/tests/cwrap/group +@@ -1,2 +1,3 @@ ++root:x:0: + sssd:x:123: + foogroup:x:10001: +diff --git a/src/tests/cwrap/passwd b/src/tests/cwrap/passwd +index 862ccfe03e40d43c60c56b0c50f328f494d7e6b9..0511a91bcb2ee3e12d582c98ca0bc6bb358816d3 100644 +--- a/src/tests/cwrap/passwd ++++ b/src/tests/cwrap/passwd +@@ -1,2 +1,3 @@ ++root:x:0:0:root:/root:/bin/bash + sssd:x:123:456:sssd unprivileged user:/:/sbin/nologin + foobar:x:10001:10001:User for SSSD testing:/home/foobar:/bin/bash +diff --git a/src/util/usertools.c b/src/util/usertools.c +index 8c2ed4e2de764edcb0549eac02a524e7e9975c4f..6f93a4cef288a245a95c2e510a62233f904034fb 100644 +--- a/src/util/usertools.c ++++ b/src/util/usertools.c +@@ -835,3 +835,45 @@ done: + talloc_zfree(tmp_ctx); + return ret; + } ++ ++void sss_sssd_user_uid_and_gid(uid_t *_uid, gid_t *_gid) ++{ ++ uid_t sssd_uid; ++ gid_t sssd_gid; ++ errno_t ret; ++ ++ ret = sss_user_by_name_or_uid(SSSD_USER, &sssd_uid, &sssd_gid); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "failed to get sssd user (" SSSD_USER ") uid/gid, using root\n"); ++ sssd_uid = 0; ++ sssd_gid = 0; ++ } ++ ++ if (_uid != NULL) { ++ *_uid = sssd_uid; ++ } ++ ++ if (_gid != NULL) { ++ *_gid = sssd_gid; ++ } ++} ++ ++void sss_set_sssd_user_eid(void) ++{ ++ uid_t uid; ++ gid_t gid; ++ ++ if (geteuid() == 0) { ++ sss_sssd_user_uid_and_gid(&uid, &gid); ++ seteuid(uid); ++ setegid(gid); ++ } ++} ++ ++void sss_restore_sssd_user_eid(void) ++{ ++ if (getuid() == 0) { ++ seteuid(getuid()); ++ setegid(getgid()); ++ } ++} +diff --git a/src/util/util.h b/src/util/util.h +index e85cd12022c4ef39c8dd6859bc9adf28e0314129..6dfd2540cc209a728f385273082221b65d05249f 100644 +--- a/src/util/util.h ++++ b/src/util/util.h +@@ -383,6 +383,9 @@ errno_t sss_canonicalize_ip_address(TALLOC_CTX *mem_ctx, + const char * const * get_known_services(void); + + errno_t sss_user_by_name_or_uid(const char *input, uid_t *_uid, gid_t *_gid); ++void sss_sssd_user_uid_and_gid(uid_t *_uid, gid_t *_gid); ++void sss_set_sssd_user_eid(void); ++void sss_restore_sssd_user_eid(void); + + int split_on_separator(TALLOC_CTX *mem_ctx, const char *str, + const char sep, bool trim, bool skip_empty, +-- +2.31.1 + diff --git a/0003-CONFDB-Change-ownership-before-dropping-privileges.patch b/0003-CONFDB-Change-ownership-before-dropping-privileges.patch new file mode 100644 index 0000000..339228b --- /dev/null +++ b/0003-CONFDB-Change-ownership-before-dropping-privileges.patch @@ -0,0 +1,44 @@ +From 7db6cfd0674d45a4e769b0beeb551c89cc89f92f Mon Sep 17 00:00:00 2001 +From: Tomas Halman +Date: Fri, 15 Oct 2021 11:04:05 +0200 +Subject: [PATCH 04/17] CONFDB: Change ownership before dropping privileges + +From previous SSSD version, config file can exist and can be +owned by root. To allow smooth transition we can change +the ownership. + +This commit can be reverted later. + +Resolves: https://github.com/SSSD/sssd/issues/5781 + +Reviewed-by: Iker Pedrosa +--- + src/confdb/confdb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c +index 7a718cc628343570d484135da639250ad83e8b01..80203c0f640975471df31c522ca91f94099cbcf9 100644 +--- a/src/confdb/confdb.c ++++ b/src/confdb/confdb.c +@@ -641,6 +641,8 @@ int confdb_init(TALLOC_CTX *mem_ctx, + struct confdb_ctx *cdb; + int ret = EOK; + mode_t old_umask; ++ uid_t sssd_uid; ++ gid_t sssd_gid; + + cdb = talloc_zero(mem_ctx, struct confdb_ctx); + if (!cdb) +@@ -673,6 +675,9 @@ int confdb_init(TALLOC_CTX *mem_ctx, + } + + old_umask = umask(SSS_DFL_UMASK); ++ /* file may exists and could be owned by root from previous version */ ++ sss_sssd_user_uid_and_gid(&sssd_uid, &sssd_gid); ++ chown(confdb_location, sssd_uid, sssd_gid); + sss_set_sssd_user_eid(); + + ret = ldb_connect(cdb->ldb, confdb_location, 0, NULL); +-- +2.31.1 + diff --git a/0004-GPO-fixed-compilation-warning.patch b/0004-GPO-fixed-compilation-warning.patch new file mode 100644 index 0000000..a2a091f --- /dev/null +++ b/0004-GPO-fixed-compilation-warning.patch @@ -0,0 +1,53 @@ +From 766fe6235083d38bc25ae5562cd67113262af015 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Mon, 18 Oct 2021 22:25:31 +0200 +Subject: [PATCH 05/17] GPO: fixed compilation warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes following compilation warning: +``` +../src/providers/ad/ad_gpo.c: In function ‘ad_gpo_access_send’: +../src/util/debug.h:138:5: warning: ‘%s’ directive argument is null [-Wformat-overflow=] + 138 | sss_debug_fn(__FILE__, __LINE__, __FUNCTION__, \ + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 139 | level, \ + | ~~~~~~~~ + 140 | format, ##__VA_ARGS__); \ + | ~~~~~~~~~~~~~~~~~~~~~~ +../src/providers/ad/ad_gpo.c:1847:5: note: in expansion of macro ‘DEBUG’ + 1847 | DEBUG(SSSDBG_TRACE_FUNC, "service %s maps to %s\n", service, + | ^~~~~ +``` + +Reviewed-by: Pavel Březina +--- + src/providers/ad/ad_gpo.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c +index 219f3984912086a61bf79525e6740ed4c9bc247b..f3452176af1275ea393957a8e8c667c1376bf314 100644 +--- a/src/providers/ad/ad_gpo.c ++++ b/src/providers/ad/ad_gpo.c +@@ -250,7 +250,7 @@ struct gpo_map_option_entry gpo_map_option_entries[] = { + {GPO_MAP_DENY, AD_GPO_MAP_DENY, gpo_map_deny_defaults, NULL, NULL}, + }; + +-const char* gpo_map_type_string(int gpo_map_type) ++static const char* gpo_map_type_string(int gpo_map_type) + { + switch(gpo_map_type) { + case GPO_MAP_INTERACTIVE: return "Interactive"; +@@ -261,7 +261,7 @@ const char* gpo_map_type_string(int gpo_map_type) + case GPO_MAP_PERMIT: return "Permitted"; + case GPO_MAP_DENY: return "Denied"; + } +- return NULL; ++ return "-unknown-"; /* this helper is only used in logs */ + } + + static inline bool +-- +2.31.1 + diff --git a/0005-KCM-fixed-uninitialized-value.patch b/0005-KCM-fixed-uninitialized-value.patch new file mode 100644 index 0000000..480143f --- /dev/null +++ b/0005-KCM-fixed-uninitialized-value.patch @@ -0,0 +1,56 @@ +From 84a4230b195f578c43d6e221b4a04f546fd998f9 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Mon, 18 Oct 2021 22:35:13 +0200 +Subject: [PATCH 06/17] KCM: fixed uninitialized value +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes following warnings: +``` +Error: UNINIT (CWE-457): +sssd-2.6.0/src/responder/kcm/kcmsrv_ccache.c:285: var_decl: Declaring variable "ret" without initializer. +sssd-2.6.0/src/responder/kcm/kcmsrv_ccache.c:323: uninit_use: Using uninitialized value "ret". + # 321| krb5_free_context(kctx); + # 322| + # 323|-> return ret; + # 324| #else + # 325| return EOK; + +Error: CLANG_WARNING: +sssd-2.6.0/src/responder/kcm/kcmsrv_ccache.c:323:5: warning[core.uninitialized.UndefReturn]: Undefined or garbage value returned to caller + # 321| krb5_free_context(kctx); + # 322| + # 323|-> return ret; + # 324| #else + # 325| return EOK; +``` + +Reviewed-by: Pavel Březina +--- + src/responder/kcm/kcmsrv_ccache.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c +index ef174e0a090c54b72d488f6d68041d2ac117990d..b63fc70afa35d52e79771d7a5c9f679bdead9f39 100644 +--- a/src/responder/kcm/kcmsrv_ccache.c ++++ b/src/responder/kcm/kcmsrv_ccache.c +@@ -294,6 +294,7 @@ kcm_cc_remove_duplicates(struct kcm_ccache *cc, + kcrd = kcm_cred_to_krb5(kctx, kcm_crd); + if (kcrd == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to convert kcm cred to krb5\n"); ++ ret = ERR_INTERNAL; + goto done; + } + +@@ -301,6 +302,7 @@ kcm_cc_remove_duplicates(struct kcm_ccache *cc, + kcrd_cc = kcm_cred_to_krb5(kctx, p); + if (kcrd_cc == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to convert kcm cred to krb5\n"); ++ ret = ERR_INTERNAL; + goto done; + } + +-- +2.31.1 + diff --git a/0006-cache_req-return-success-for-autofs-when-ENOENT-is-r.patch b/0006-cache_req-return-success-for-autofs-when-ENOENT-is-r.patch new file mode 100644 index 0000000..ab8eba2 --- /dev/null +++ b/0006-cache_req-return-success-for-autofs-when-ENOENT-is-r.patch @@ -0,0 +1,62 @@ +From bb94a18f0f0cba1e9fb5abf78b995d69e5f3c559 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Mon, 18 Oct 2021 12:29:06 +0200 +Subject: [PATCH 07/17] cache_req: return success for autofs when ENOENT is + returned from provider + +The receive function should return true if data provider lookup was +successfull and false if there was an error. "Not found" result is +considered a successful lookup, only failure to perform a search +should result in false return code. + +Resolves: https://github.com/SSSD/sssd/issues/5832 + +Reviewed-by: Pawel Polawski +--- + .../common/cache_req/plugins/cache_req_autofs_entry_by_name.c | 2 +- + .../common/cache_req/plugins/cache_req_autofs_map_by_name.c | 2 +- + .../common/cache_req/plugins/cache_req_autofs_map_entries.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c +index 0dc6a585ab8b90ebf8bc43a061172a6d8e3bc3ad..788b6708ce343f7acdf4a9a8388c4eb8732129f8 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c ++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_entry_by_name.c +@@ -97,7 +97,7 @@ cache_req_autofs_entry_by_name_dp_recv(struct tevent_req *subreq, + + ret = sbus_call_dp_autofs_GetEntry_recv(subreq); + +- if (ret == ERR_MISSING_DP_TARGET) { ++ if (ret == ERR_MISSING_DP_TARGET || ret == ENOENT) { + ret = EOK; + } + +diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c +index 6a665c58ec83eb2471d8be823eef9e61ab6d443a..5d82641ccab1f42e4596102d95f64ed166857d56 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c ++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_by_name.c +@@ -93,7 +93,7 @@ cache_req_autofs_map_by_name_dp_recv(struct tevent_req *subreq, + + ret = sbus_call_dp_autofs_GetMap_recv(subreq); + +- if (ret == ERR_MISSING_DP_TARGET) { ++ if (ret == ERR_MISSING_DP_TARGET || ret == ENOENT) { + ret = EOK; + } + +diff --git a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c +index 46776b980804ace3188f14375256d205b2610037..29f289723f233c1b357eefcb6d1fd75c493b950e 100644 +--- a/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c ++++ b/src/responder/common/cache_req/plugins/cache_req_autofs_map_entries.c +@@ -125,7 +125,7 @@ cache_req_autofs_map_entries_dp_recv(struct tevent_req *subreq, + + ret = sbus_call_dp_autofs_Enumerate_recv(subreq); + +- if (ret == ERR_MISSING_DP_TARGET) { ++ if (ret == ERR_MISSING_DP_TARGET || ret == ENOENT) { + ret = EOK; + } + +-- +2.31.1 + diff --git a/0007-sbus-maintain-correct-refcount-before-sending-a-repl.patch b/0007-sbus-maintain-correct-refcount-before-sending-a-repl.patch new file mode 100644 index 0000000..a8cb5a5 --- /dev/null +++ b/0007-sbus-maintain-correct-refcount-before-sending-a-repl.patch @@ -0,0 +1,48 @@ +From 8db2485cd28e0af74bd008251ba49b6d6e3a73a6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Wed, 29 Sep 2021 12:11:08 +0200 +Subject: [PATCH 08/17] sbus: maintain correct refcount before sending a reply + +sbus_reply decreases the refcount of @reply. This usuall means that +refcount drops to zero and the message is freed. However, under +special circumstances the refcount is increased inside libdbus, +the refcount will be 1 when we leave the function and we drop it +to zero in talloc_free(state) later in this function. This will +leave an invalid message to be send inside dbus connection and +eventually crash. + +Increasing the refcount here makes sure that the refcount is always +correct. + +Resolves: https://github.com/SSSD/sssd/issues/5672 + +Reviewed-by: Pawel Polawski +--- + src/sbus/router/sbus_router_handler.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/src/sbus/router/sbus_router_handler.c b/src/sbus/router/sbus_router_handler.c +index d9a374b41411d7e4451c2d84d3ab1589e256a29a..7b6c2441f16af20b6d4fa27ae17225756a9d387a 100644 +--- a/src/sbus/router/sbus_router_handler.c ++++ b/src/sbus/router/sbus_router_handler.c +@@ -160,6 +160,17 @@ static void sbus_issue_request_done(struct tevent_req *subreq) + } + + if (ret == EOK) { ++ /* sbus_reply decreases the refcount of @reply. This usuall means that ++ * refcount drops to zero and the message is freed. However, under ++ * special circumstances the refcount is increased inside libdbus, ++ * the refcount will be 1 when we leave the function and we drop it ++ * to zero in talloc_free(state) later in this function. This will ++ * leave an invalid message to be send inside dbus connection and ++ * eventually crash. ++ * ++ * Increasing the refcount here makes sure that the refcount is always ++ * correct. */ ++ dbus_message_ref(reply); + sbus_reply(state->conn, reply); + } else { + sbus_errno_to_error(state, ret, &error_name, &error_msg); +-- +2.31.1 + diff --git a/0008-Removed-excessive-includes-around-strtonum.patch b/0008-Removed-excessive-includes-around-strtonum.patch new file mode 100644 index 0000000..a2895ed --- /dev/null +++ b/0008-Removed-excessive-includes-around-strtonum.patch @@ -0,0 +1,101 @@ +From de6eba31eaf19e7d8c87cc84aee140e29438336f Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Fri, 15 Oct 2021 18:23:55 +0200 +Subject: [PATCH 09/17] Removed excessive includes around 'strtonum' + +Reviewed-by: Pawel Polawski +--- + src/providers/ad/ad_gpo.c | 1 + + src/util/strtonum.c | 6 ------ + src/util/strtonum.h | 2 -- + src/util/usertools.c | 1 + + src/util/well_known_sids.c | 1 + + 5 files changed, 3 insertions(+), 8 deletions(-) + +diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c +index f3452176af1275ea393957a8e8c667c1376bf314..8f2fe277e14fe4f430184c03d9913fbbaa3428e9 100644 +--- a/src/providers/ad/ad_gpo.c ++++ b/src/providers/ad/ad_gpo.c +@@ -31,6 +31,7 @@ + * ad_gpo_process_cse_send/recv: retrieve policy file data + */ + ++#include + #include + #include + #include +diff --git a/src/util/strtonum.c b/src/util/strtonum.c +index 22e682b4b22d1de056c578a05a5f81dfdd17df24..8eda8ea25e8896358e13fef7ed4aeeef0df6cdfe 100644 +--- a/src/util/strtonum.c ++++ b/src/util/strtonum.c +@@ -19,14 +19,10 @@ + along with this program. If not, see . + */ + +-#include + #include + #include +-#include "config.h" +-#include "util/util.h" + #include "util/strtonum.h" + +-/* strtoint32 */ + int32_t strtoint32(const char *nptr, char **endptr, int base) + { + long long ret = 0; +@@ -48,7 +44,6 @@ int32_t strtoint32(const char *nptr, char **endptr, int base) + } + + +-/* strtouint32 */ + uint32_t strtouint32(const char *nptr, char **endptr, int base) + { + unsigned long long ret = 0; +@@ -65,7 +60,6 @@ uint32_t strtouint32(const char *nptr, char **endptr, int base) + } + + +-/* strtouint16 */ + uint16_t strtouint16(const char *nptr, char **endptr, int base) + { + unsigned long long ret = 0; +diff --git a/src/util/strtonum.h b/src/util/strtonum.h +index d9c31e9cde87c3af06ab08fbbcadadaf57b593e5..ae493b5f512e31459372bd806e2accccdd827af1 100644 +--- a/src/util/strtonum.h ++++ b/src/util/strtonum.h +@@ -22,8 +22,6 @@ + #ifndef _STRTONUM_H_ + #define _STRTONUM_H_ + +-#include +-#include + #include + + int32_t strtoint32(const char *nptr, char **endptr, int base); +diff --git a/src/util/usertools.c b/src/util/usertools.c +index 6f93a4cef288a245a95c2e510a62233f904034fb..1fbde2eb43b1cc4c6dead346a1dafc632a6ec78b 100644 +--- a/src/util/usertools.c ++++ b/src/util/usertools.c +@@ -21,6 +21,7 @@ + + #include + #include ++#include + #include + #include + +diff --git a/src/util/well_known_sids.c b/src/util/well_known_sids.c +index 38fe2646faa884f3e14d2b0379b9d9eb7641772c..1f9a7beea8086c6aa34a132e4df85edbf37aca55 100644 +--- a/src/util/well_known_sids.c ++++ b/src/util/well_known_sids.c +@@ -20,6 +20,7 @@ + along with this program. If not, see . + */ + ++#include + #include "util/util.h" + #include "util/strtonum.h" + +-- +2.31.1 + diff --git a/0009-strtonum-helpers-usage-sanitization.patch b/0009-strtonum-helpers-usage-sanitization.patch new file mode 100644 index 0000000..91f1f54 --- /dev/null +++ b/0009-strtonum-helpers-usage-sanitization.patch @@ -0,0 +1,403 @@ +From a2cc7daef2a1378aa12a21cd37a6369946e27bfc Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Fri, 15 Oct 2021 21:12:32 +0200 +Subject: [PATCH 10/17] 'strtonum' helpers: usage sanitization + +To properly check for an error during string to number conversion +one needs to: + - check `errno` + - check that something was really converted (i.e. start != end) + - (if this is expected) check that entire string was consumed + +Some of those error conditions weren't checked in various locations +over the code. + +Reviewed-by: Pawel Polawski +--- + src/db/sysdb.c | 3 --- + src/providers/ad/ad_id.c | 8 ++++---- + src/providers/ad/ad_machine_pw_renewal.c | 2 -- + src/providers/ipa/ipa_s2n_exop.c | 1 - + src/providers/ipa/ipa_subdomains_id.c | 8 ++++---- + src/providers/ipa/ipa_views.c | 1 - + src/providers/ldap/ldap_id.c | 4 ++-- + src/providers/ldap/ldap_id_services.c | 7 ++++--- + src/providers/ldap/sdap_access.c | 8 ++++---- + src/providers/ldap/sdap_range.c | 2 +- + src/providers/proxy/proxy_services.c | 1 - + src/responder/common/responder_common.c | 3 +-- + src/responder/ifp/ifp_groups.c | 9 +++++---- + src/responder/ifp/ifp_users.c | 7 ++++--- + src/responder/ifp/ifpsrv.c | 7 ++++--- + src/tools/common/sss_colondb.c | 7 ++++--- + src/util/usertools.c | 3 +-- + src/util/well_known_sids.c | 1 - + 18 files changed, 38 insertions(+), 44 deletions(-) + +diff --git a/src/db/sysdb.c b/src/db/sysdb.c +index 3fe0ebf6c21a408228b572b2268d159eed6cfafc..3ba79ab3603d802c71dad24e994779019a0ced2f 100644 +--- a/src/db/sysdb.c ++++ b/src/db/sysdb.c +@@ -359,7 +359,6 @@ int sysdb_attrs_get_int32_t(struct sysdb_attrs *attrs, const char *name, + return ERANGE; + } + +- errno = 0; + val = strtoint32((const char *) el->values[0].data, &endptr, 10); + if (errno != 0) return errno; + if (*endptr) return EINVAL; +@@ -385,7 +384,6 @@ int sysdb_attrs_get_uint32_t(struct sysdb_attrs *attrs, const char *name, + return ERANGE; + } + +- errno = 0; + val = strtouint32((const char *) el->values[0].data, &endptr, 10); + if (errno != 0) return errno; + if (*endptr) return EINVAL; +@@ -411,7 +409,6 @@ int sysdb_attrs_get_uint16_t(struct sysdb_attrs *attrs, const char *name, + return ERANGE; + } + +- errno = 0; + val = strtouint16((const char *) el->values[0].data, &endptr, 10); + if (errno != 0) return errno; + if (*endptr) return EINVAL; +diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c +index 8e4a0a50946296bf8281b5d80913a3a9fd7855d7..3d12472432708de8df0a872decbcea3dea6cbd99 100644 +--- a/src/providers/ad/ad_id.c ++++ b/src/providers/ad/ad_id.c +@@ -42,6 +42,7 @@ static bool ad_account_can_shortcut(struct sdap_idmap_ctx *idmap_ctx, + uint32_t id; + bool shortcut = false; + errno_t ret; ++ char *endptr; + + if (!sdap_idmap_domain_has_algorithmic_mapping(idmap_ctx, domain->name, + domain->domain_id)) { +@@ -51,10 +52,9 @@ static bool ad_account_can_shortcut(struct sdap_idmap_ctx *idmap_ctx, + switch (filter_type) { + case BE_FILTER_IDNUM: + /* convert value to ID */ +- errno = 0; +- id = strtouint32(filter_value, NULL, 10); +- if (errno != 0) { +- ret = errno; ++ id = strtouint32(filter_value, &endptr, 10); ++ if ((errno != 0) || *endptr || (filter_value == endptr)) { ++ ret = errno ? errno : EINVAL; + DEBUG(SSSDBG_MINOR_FAILURE, "Unable to convert filter value to " + "number [%d]: %s\n", ret, strerror(ret)); + goto done; +diff --git a/src/providers/ad/ad_machine_pw_renewal.c b/src/providers/ad/ad_machine_pw_renewal.c +index 6e7137a86a2edcebdc2d1f105cabdf9410a42db7..b5c6cfec9454ad4472f79ed8918b2d4d85640fb7 100644 +--- a/src/providers/ad/ad_machine_pw_renewal.c ++++ b/src/providers/ad/ad_machine_pw_renewal.c +@@ -360,7 +360,6 @@ errno_t ad_machine_account_password_renewal_init(struct be_ctx *be_ctx, + goto done; + } + +- errno = 0; + period = strtouint32(opt_list[0], &endptr, 10); + if (errno != 0 || *endptr != '\0' || opt_list[0] == endptr) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse first renewal option.\n"); +@@ -368,7 +367,6 @@ errno_t ad_machine_account_password_renewal_init(struct be_ctx *be_ctx, + goto done; + } + +- errno = 0; + initial_delay = strtouint32(opt_list[1], &endptr, 10); + if (errno != 0 || *endptr != '\0' || opt_list[0] == endptr) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse second renewal option.\n"); +diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c +index b0baf0e67ce5499aab8a2d87964d7ab1d45d3a55..56105ac2bdad22f20e8885dbc881d43e568530a9 100644 +--- a/src/providers/ipa/ipa_s2n_exop.c ++++ b/src/providers/ipa/ipa_s2n_exop.c +@@ -1340,7 +1340,6 @@ static errno_t ipa_s2n_get_list_step(struct tevent_req *req) + + break; + case REQ_INP_ID: +- errno = 0; + id = strtouint32(state->list[state->list_idx], &endptr, 10); + if (errno != 0 || *endptr != '\0' + || (state->list[state->list_idx] == endptr)) { +diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c +index 46d4962585caca7d30df41d1dcf728360ca0a176..445b9ba2ff2ee2116409316a97f9783700af505b 100644 +--- a/src/providers/ipa/ipa_subdomains_id.c ++++ b/src/providers/ipa/ipa_subdomains_id.c +@@ -1125,6 +1125,7 @@ errno_t get_object_from_cache(TALLOC_CTX *mem_ctx, + uint32_t id; + struct ldb_message *msg = NULL; + struct ldb_result *res = NULL; ++ char *endptr; + const char *attrs[] = { SYSDB_NAME, + SYSDB_UIDNUM, + SYSDB_SID_STR, +@@ -1183,10 +1184,9 @@ errno_t get_object_from_cache(TALLOC_CTX *mem_ctx, + ret = EOK; + goto done; + } else if (ar->filter_type == BE_FILTER_IDNUM) { +- errno = 0; +- id = strtouint32(ar->filter_value, NULL, 10); +- if (errno != 0) { +- ret = errno; ++ id = strtouint32(ar->filter_value, &endptr, 10); ++ if ((errno != 0) || *endptr || (ar->filter_value == endptr)) { ++ ret = errno ? errno : EINVAL; + DEBUG(SSSDBG_OP_FAILURE, "strtouint32 failed.\n"); + goto done; + } +diff --git a/src/providers/ipa/ipa_views.c b/src/providers/ipa/ipa_views.c +index e1090d03b32747ded0cfafa64571646db83103b1..50243098ae591f55e98c70cd7aa9248b973d6477 100644 +--- a/src/providers/ipa/ipa_views.c ++++ b/src/providers/ipa/ipa_views.c +@@ -90,7 +90,6 @@ static errno_t dp_id_data_to_override_filter(TALLOC_CTX *mem_ctx, + break; + + case BE_FILTER_IDNUM: +- errno = 0; + id = strtouint32(ar->filter_value, &endptr, 10); + if (errno != 0|| *endptr != '\0' || (ar->filter_value == endptr)) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid id value [%s].\n", +diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c +index 9b67773a8d2dd96e084eca8e091e36eba56bfa2f..51cebc8c9b176d37d08908ad3d53b22b373f55d6 100644 +--- a/src/providers/ldap/ldap_id.c ++++ b/src/providers/ldap/ldap_id.c +@@ -264,7 +264,7 @@ struct tevent_req *users_get_send(TALLOC_CTX *memctx, + * in the search filter. + */ + uid = strtouint32(filter_value, &endptr, 10); +- if (errno != EOK) { ++ if ((errno != EOK) || *endptr || (filter_value == endptr)) { + ret = EINVAL; + goto done; + } +@@ -742,7 +742,7 @@ struct tevent_req *groups_get_send(TALLOC_CTX *memctx, + * in the search filter. + */ + gid = strtouint32(filter_value, &endptr, 10); +- if (errno != EOK) { ++ if ((errno != EOK) || *endptr || (filter_value == endptr)) { + ret = EINVAL; + goto done; + } +diff --git a/src/providers/ldap/ldap_id_services.c b/src/providers/ldap/ldap_id_services.c +index 638cb619b39f135307090dcf0f2c6ab2cc4119d0..52a15631842cb4f93c2d73cf6b72aca9c097a26b 100644 +--- a/src/providers/ldap/ldap_id_services.c ++++ b/src/providers/ldap/ldap_id_services.c +@@ -217,6 +217,7 @@ services_get_done(struct tevent_req *subreq) + { + errno_t ret; + uint16_t port; ++ char *endptr; + struct tevent_req *req = + tevent_req_callback_data(subreq, struct tevent_req); + struct sdap_services_get_state *state = +@@ -263,9 +264,9 @@ services_get_done(struct tevent_req *subreq) + break; + + case BE_FILTER_IDNUM: +- port = strtouint16(state->name, NULL, 10); +- if (errno) { +- tevent_req_error(req, errno); ++ port = strtouint16(state->name, &endptr, 10); ++ if (errno || *endptr || (state->name == endptr)) { ++ tevent_req_error(req, (errno ? errno : EINVAL)); + return; + } + +diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c +index 8add97ba88c09f16e833aa145c57d9fbbff54f95..1b898d24488fb1d7decdf5c2488009a02116b0fd 100644 +--- a/src/providers/ldap/sdap_access.c ++++ b/src/providers/ldap/sdap_access.c +@@ -1812,6 +1812,7 @@ is_account_locked(const char *pwdAccountLockedTime, + time_t duration; + time_t now; + bool locked; ++ char *endptr; + + /* Default action is to consider account to be locked. */ + locked = true; +@@ -1855,10 +1856,9 @@ is_account_locked(const char *pwdAccountLockedTime, + if (difftime(lock_time, now) > 0.0) { + locked = false; + } else if (pwdAccountLockedDurationTime != NULL) { +- errno = 0; +- duration = strtouint32(pwdAccountLockedDurationTime, NULL, 0); +- if (errno) { +- ret = errno; ++ duration = strtouint32(pwdAccountLockedDurationTime, &endptr, 0); ++ if (errno || *endptr) { ++ ret = errno ? errno : EINVAL; + goto done; + } + /* Lockout has expired */ +diff --git a/src/providers/ldap/sdap_range.c b/src/providers/ldap/sdap_range.c +index d88def6fa91789fb023909535c3f81e32adf6144..44c3350db1e19f6bcaece3e91652c2d0dd6e843e 100644 +--- a/src/providers/ldap/sdap_range.c ++++ b/src/providers/ldap/sdap_range.c +@@ -120,7 +120,7 @@ errno_t sdap_parse_range(TALLOC_CTX *mem_ctx, + } + + *range_offset = strtouint32(end_range, &endptr, 10); +- if (*endptr != '\0') { ++ if ((errno != 0) || (*endptr != '\0') || (end_range == endptr)) { + *range_offset = 0; + ret = errno; + DEBUG(SSSDBG_MINOR_FAILURE, +diff --git a/src/providers/proxy/proxy_services.c b/src/providers/proxy/proxy_services.c +index 2f7bbeb06d8f063466db55121c7005b04116d4f7..856da09be970741b015ebfabf06cff3f15ab5ce4 100644 +--- a/src/providers/proxy/proxy_services.c ++++ b/src/providers/proxy/proxy_services.c +@@ -171,7 +171,6 @@ get_serv_byport(struct proxy_id_ctx *ctx, + goto done; + } + +- errno = 0; + port = htons(strtouint16(be_filter, NULL, 0)); + if (errno) { + ret = errno; +diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c +index 7e145aa9b26a3298e572484a6998b579f50dd4f2..913dbcd8002e77ba48157c44671218a5042289d8 100644 +--- a/src/responder/common/responder_common.c ++++ b/src/responder/common/responder_common.c +@@ -224,7 +224,6 @@ errno_t csv_string_to_uid_array(TALLOC_CTX *mem_ctx, const char *csv_string, + } + + for (c = 0; c < list_size; c++) { +- errno = 0; + if (*list[c] == '\0') { + DEBUG(SSSDBG_OP_FAILURE, "Empty list item.\n"); + ret = EINVAL; +@@ -232,7 +231,7 @@ errno_t csv_string_to_uid_array(TALLOC_CTX *mem_ctx, const char *csv_string, + } + + uids[c] = strtouint32(list[c], &endptr, 10); +- if (errno != 0 || *endptr != '\0') { ++ if ((errno != 0) || (*endptr != '\0') || (list[c] == endptr)) { + ret = errno; + if (ret == ERANGE) { + DEBUG(SSSDBG_OP_FAILURE, "List item [%s] is out of range.\n", +diff --git a/src/responder/ifp/ifp_groups.c b/src/responder/ifp/ifp_groups.c +index 353f3a79f31517fe6daa1c2158ed463d2d4d9a81..14c58c74c34ff31e792b5c0d85644956e082cd42 100644 +--- a/src/responder/ifp/ifp_groups.c ++++ b/src/responder/ifp/ifp_groups.c +@@ -530,13 +530,14 @@ ifp_groups_get_from_cache(TALLOC_CTX *mem_ctx, + struct ldb_result *group_res = NULL; + errno_t ret; + gid_t gid; ++ char *endptr; + + switch (domain->type) { + case DOM_TYPE_POSIX: +- gid = strtouint32(key, NULL, 10); +- ret = errno; +- if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Invalid UID value\n"); ++ gid = strtouint32(key, &endptr, 10); ++ if ((errno != 0) || *endptr || (key == endptr)) { ++ ret = errno ? errno : EINVAL; ++ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid GID value\n"); + return ret; + } + +diff --git a/src/responder/ifp/ifp_users.c b/src/responder/ifp/ifp_users.c +index ac9330858f0247ce0236d029b5d8678921c9061b..714f7ef78d4e3215b5dd80becaecb063caed860c 100644 +--- a/src/responder/ifp/ifp_users.c ++++ b/src/responder/ifp/ifp_users.c +@@ -1038,12 +1038,13 @@ ifp_users_get_from_cache(TALLOC_CTX *mem_ctx, + struct ldb_result *user_res = NULL; + errno_t ret; + uid_t uid; ++ char *endptr; + + switch (domain->type) { + case DOM_TYPE_POSIX: +- uid = strtouint32(key, NULL, 10); +- ret = errno; +- if (ret != EOK) { ++ uid = strtouint32(key, &endptr, 10); ++ if ((errno != 0) || *endptr || (key == endptr)) { ++ ret = errno ? errno : EINVAL; + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid UID value\n"); + goto done; + } +diff --git a/src/responder/ifp/ifpsrv.c b/src/responder/ifp/ifpsrv.c +index 6de2e00a0194a3d62807a7754d6b7a55ae491acf..d27c2dfccde04401501fa4b37f22a3c96e6f6578 100644 +--- a/src/responder/ifp/ifpsrv.c ++++ b/src/responder/ifp/ifpsrv.c +@@ -166,6 +166,7 @@ int ifp_process_init(TALLOC_CTX *mem_ctx, + char *uid_str; + char *attr_list_str; + char *wildcard_limit_str; ++ char *endptr; + + ifp_cmds = get_ifp_cmds(); + ret = sss_process_init(mem_ctx, ev, cdb, +@@ -245,9 +246,9 @@ int ifp_process_init(TALLOC_CTX *mem_ctx, + } + + if (wildcard_limit_str) { +- ifp_ctx->wildcard_limit = strtouint32(wildcard_limit_str, NULL, 10); +- ret = errno; +- if (ret != EOK) { ++ ifp_ctx->wildcard_limit = strtouint32(wildcard_limit_str, &endptr, 10); ++ if ((errno != 0) || *endptr || (wildcard_limit_str == endptr)) { ++ ret = errno ? errno : EINVAL; + goto fail; + } + } +diff --git a/src/tools/common/sss_colondb.c b/src/tools/common/sss_colondb.c +index e8aeb315c9ed0efde15553e2d741d04c5d895b1a..41e6c3a51d0ff84ca9322d443eeccad1aa764ac0 100644 +--- a/src/tools/common/sss_colondb.c ++++ b/src/tools/common/sss_colondb.c +@@ -78,6 +78,7 @@ static char *read_field_as_uint32(char *line, + const char *str; + char *rest; + errno_t ret; ++ char *endptr; + + rest = read_field_as_string(line, &str); + if (str == NULL) { +@@ -85,9 +86,9 @@ static char *read_field_as_uint32(char *line, + return rest; + } + +- *_value = strtouint32(str, NULL, 10); +- if (errno != 0) { +- ret = errno; ++ *_value = strtouint32(str, &endptr, 10); ++ if ((errno != 0) || *endptr || (str == endptr)) { ++ ret = errno ? errno : EINVAL; + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse number [%d]: %s\n", + ret, sss_strerror(ret)); + +diff --git a/src/util/usertools.c b/src/util/usertools.c +index 1fbde2eb43b1cc4c6dead346a1dafc632a6ec78b..370a98b41740bb5494a10f93752daa40c6e445ff 100644 +--- a/src/util/usertools.c ++++ b/src/util/usertools.c +@@ -578,9 +578,8 @@ errno_t sss_user_by_name_or_uid(const char *input, uid_t *_uid, gid_t *_gid) + struct passwd *pwd; + + /* Try if it's an ID first */ +- errno = 0; + uid = strtouint32(input, &endptr, 10); +- if (errno != 0 || *endptr != '\0') { ++ if ((errno != 0) || (*endptr != '\0') || (input == endptr)) { + ret = errno; + if (ret == ERANGE) { + DEBUG(SSSDBG_OP_FAILURE, +diff --git a/src/util/well_known_sids.c b/src/util/well_known_sids.c +index 1f9a7beea8086c6aa34a132e4df85edbf37aca55..0b51667a2a62702105c44ab2ba7594c7dbb18c91 100644 +--- a/src/util/well_known_sids.c ++++ b/src/util/well_known_sids.c +@@ -189,7 +189,6 @@ static errno_t handle_rid_to_name_map(const char *sid, size_t prefix_len, + char *endptr; + size_t c; + +- errno = 0; + rid = (uint32_t) strtouint32(sid + prefix_len, &endptr, 10); + if (errno != 0 || *endptr != '\0') { + return EINVAL; +-- +2.31.1 + diff --git a/0010-strto-usage-sanitization.patch b/0010-strto-usage-sanitization.patch new file mode 100644 index 0000000..68b1a21 --- /dev/null +++ b/0010-strto-usage-sanitization.patch @@ -0,0 +1,200 @@ +From 3c17a57e7cb30263b73e7b9456b896503be6bd45 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Fri, 15 Oct 2021 22:29:12 +0200 +Subject: [PATCH 11/17] 'strto*()': usage sanitization + +To properly check for an error during string to number conversion +one needs to: + - check `errno` + - check that something was really converted (i.e. start != end) + - (if this is expected) check that entire string was consumed + +Some of those error conditions weren't checked in various locations +over the code. + +Reviewed-by: Pawel Polawski +--- + src/confdb/confdb.c | 16 ++++++++++++---- + src/providers/ldap/sdap.c | 6 ++++-- + src/providers/ldap/sdap_async_enum.c | 7 ++++--- + src/providers/ldap/sdap_async_iphost.c | 4 ++-- + src/providers/ldap/sdap_async_ipnetwork.c | 4 ++-- + src/providers/ldap/sdap_async_services.c | 4 ++-- + src/util/crypto/libcrypto/crypto_sha512crypt.c | 3 ++- + 7 files changed, 28 insertions(+), 16 deletions(-) + +diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c +index 80203c0f640975471df31c522ca91f94099cbcf9..6a6fac916e5f45b64c7402da3f35bb46e2bf4906 100644 +--- a/src/confdb/confdb.c ++++ b/src/confdb/confdb.c +@@ -439,6 +439,7 @@ int confdb_get_int(struct confdb_ctx *cdb, + char **values = NULL; + long val; + int ret; ++ char *endptr; + TALLOC_CTX *tmp_ctx; + + tmp_ctx = talloc_new(NULL); +@@ -460,12 +461,15 @@ int confdb_get_int(struct confdb_ctx *cdb, + } + + errno = 0; +- val = strtol(values[0], NULL, 0); ++ val = strtol(values[0], &endptr, 0); + ret = errno; + if (ret != 0) { + goto failed; + } +- ++ if (*endptr || (values[0] == endptr)) { ++ ret = EINVAL; ++ goto failed; ++ } + if (val < INT_MIN || val > INT_MAX) { + ret = ERANGE; + goto failed; +@@ -495,6 +499,7 @@ long confdb_get_long(struct confdb_ctx *cdb, + char **values = NULL; + long val; + int ret; ++ char *endptr; + TALLOC_CTX *tmp_ctx; + + tmp_ctx = talloc_new(NULL); +@@ -516,12 +521,15 @@ long confdb_get_long(struct confdb_ctx *cdb, + } + + errno = 0; +- val = strtol(values[0], NULL, 0); ++ val = strtol(values[0], &endptr, 0); + ret = errno; + if (ret != 0) { + goto failed; + } +- ++ if (*endptr || (values[0] == endptr)) { ++ ret = EINVAL; ++ goto failed; ++ } + } else { + val = defval; + } +diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c +index 32c0144b929b702a2a3ba70b6f477d80a59eb083..72d6a7281291581341f9df878729a38ff3da04fa 100644 +--- a/src/providers/ldap/sdap.c ++++ b/src/providers/ldap/sdap.c +@@ -1418,8 +1418,9 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx, + opts->gen_map[SDAP_AT_ENTRY_USN].opt_name); + } else { + so->supports_usn = true; ++ errno = 0; + so->last_usn = strtoul(last_usn_value, &endptr, 10); +- if (endptr != NULL && (*endptr != '\0' || endptr == last_usn_value)) { ++ if (errno || !endptr || *endptr || (endptr == last_usn_value)) { + DEBUG(SSSDBG_MINOR_FAILURE, + "USN is not valid (value: %s)\n", last_usn_value); + so->last_usn = 0; +@@ -1442,8 +1443,9 @@ int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx, + opts->gen_map[SDAP_AT_ENTRY_USN].name = + talloc_strdup(opts->gen_map, usn_attrs[i].entry_name); + so->supports_usn = true; ++ errno = 0; + so->last_usn = strtoul(last_usn_value, &endptr, 10); +- if (endptr != NULL && (*endptr != '\0' || endptr == last_usn_value)) { ++ if (errno || !endptr || *endptr || (endptr == last_usn_value)) { + DEBUG(SSSDBG_MINOR_FAILURE, + "USN is not valid (value: %s)\n", last_usn_value); + so->last_usn = 0; +diff --git a/src/providers/ldap/sdap_async_enum.c b/src/providers/ldap/sdap_async_enum.c +index 2a12e59b749ded0c486b16fc5af58ef968dbfb2c..44cec84adb7b078696ed8744e050b738c0963eea 100644 +--- a/src/providers/ldap/sdap_async_enum.c ++++ b/src/providers/ldap/sdap_async_enum.c +@@ -571,9 +571,9 @@ static void enum_users_done(struct tevent_req *subreq) + talloc_zfree(state->ctx->srv_opts->max_user_value); + state->ctx->srv_opts->max_user_value = + talloc_steal(state->ctx, usn_value); +- ++ errno = 0; + usn_number = strtoul(usn_value, &endptr, 10); +- if ((endptr == NULL || (*endptr == '\0' && endptr != usn_value)) ++ if (!errno && endptr && (*endptr == '\0') && (endptr != usn_value) + && (usn_number > state->ctx->srv_opts->last_usn)) { + state->ctx->srv_opts->last_usn = usn_number; + } +@@ -751,8 +751,9 @@ static void enum_groups_done(struct tevent_req *subreq) + talloc_zfree(state->ctx->srv_opts->max_group_value); + state->ctx->srv_opts->max_group_value = + talloc_steal(state->ctx, usn_value); ++ errno = 0; + usn_number = strtoul(usn_value, &endptr, 10); +- if ((endptr == NULL || (*endptr == '\0' && endptr != usn_value)) ++ if (!errno && endptr && (*endptr == '\0') && (endptr != usn_value) + && (usn_number > state->ctx->srv_opts->last_usn)) { + state->ctx->srv_opts->last_usn = usn_number; + } +diff --git a/src/providers/ldap/sdap_async_iphost.c b/src/providers/ldap/sdap_async_iphost.c +index e798a32c26ef97c3081d8a33ac9ab74b1b7d0f5d..33b8e21672c81714bfce612a5726e153baba0fd7 100644 +--- a/src/providers/ldap/sdap_async_iphost.c ++++ b/src/providers/ldap/sdap_async_iphost.c +@@ -618,9 +618,9 @@ enum_iphosts_op_done(struct tevent_req *subreq) + talloc_zfree(state->id_ctx->srv_opts->max_iphost_value); + state->id_ctx->srv_opts->max_iphost_value = + talloc_steal(state->id_ctx, usn_value); +- ++ errno = 0; + usn_number = strtoul(usn_value, &endptr, 10); +- if ((endptr == NULL || (*endptr == '\0' && endptr != usn_value)) ++ if (!errno && endptr && (*endptr == '\0') && (endptr != usn_value) + && (usn_number > state->id_ctx->srv_opts->last_usn)) { + state->id_ctx->srv_opts->last_usn = usn_number; + } +diff --git a/src/providers/ldap/sdap_async_ipnetwork.c b/src/providers/ldap/sdap_async_ipnetwork.c +index e34bf58d4a8eb2610f76fd3f6543b5f59538286a..e057566c1609a9277a66992ed5270cf4556f2ef7 100644 +--- a/src/providers/ldap/sdap_async_ipnetwork.c ++++ b/src/providers/ldap/sdap_async_ipnetwork.c +@@ -603,9 +603,9 @@ enum_ipnetworks_op_done(struct tevent_req *subreq) + talloc_zfree(state->id_ctx->srv_opts->max_ipnetwork_value); + state->id_ctx->srv_opts->max_ipnetwork_value = + talloc_steal(state->id_ctx, usn_value); +- ++ errno = 0; + usn_number = strtoul(usn_value, &endptr, 10); +- if ((endptr == NULL || (*endptr == '\0' && endptr != usn_value)) ++ if (!errno && endptr && (*endptr == '\0') && (endptr != usn_value) + && (usn_number > state->id_ctx->srv_opts->last_usn)) { + state->id_ctx->srv_opts->last_usn = usn_number; + } +diff --git a/src/providers/ldap/sdap_async_services.c b/src/providers/ldap/sdap_async_services.c +index eebe23913399bd0c3c451f4009d7ddb3a172838d..cccc4f94c29e83aed767d2afecf80df94d1c2f69 100644 +--- a/src/providers/ldap/sdap_async_services.c ++++ b/src/providers/ldap/sdap_async_services.c +@@ -623,9 +623,9 @@ enum_services_op_done(struct tevent_req *subreq) + talloc_zfree(state->id_ctx->srv_opts->max_service_value); + state->id_ctx->srv_opts->max_service_value = + talloc_steal(state->id_ctx, usn_value); +- ++ errno = 0; + usn_number = strtoul(usn_value, &endptr, 10); +- if ((endptr == NULL || (*endptr == '\0' && endptr != usn_value)) ++ if (!errno && endptr && (*endptr == '\0') && (endptr != usn_value) + && (usn_number > state->id_ctx->srv_opts->last_usn)) { + state->id_ctx->srv_opts->last_usn = usn_number; + } +diff --git a/src/util/crypto/libcrypto/crypto_sha512crypt.c b/src/util/crypto/libcrypto/crypto_sha512crypt.c +index 1e57b04d131b9224fc0ef7947095cfa21e0d4f31..c816d26f184bda62811723c36ba4a009f6473e21 100644 +--- a/src/util/crypto/libcrypto/crypto_sha512crypt.c ++++ b/src/util/crypto/libcrypto/crypto_sha512crypt.c +@@ -101,8 +101,9 @@ static int sha512_crypt_r(const char *key, + char *endp; + + num = salt + ROUNDS_SIZE; ++ errno = 0; + srounds = strtoul(num, &endp, 10); +- if (*endp == '$') { ++ if (!errno && (*endp == '$')) { + salt = endp + 1; + if (srounds < ROUNDS_MIN) srounds = ROUNDS_MIN; + if (srounds > ROUNDS_MAX) srounds = ROUNDS_MAX; +-- +2.31.1 + diff --git a/0011-SUDO-decrease-log-level-in-case-object-wasn-t-found.patch b/0011-SUDO-decrease-log-level-in-case-object-wasn-t-found.patch new file mode 100644 index 0000000..a94e452 --- /dev/null +++ b/0011-SUDO-decrease-log-level-in-case-object-wasn-t-found.patch @@ -0,0 +1,32 @@ +From 86413e5f01339ce54bcece2d1d8b1b88d8823c1e Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Tue, 26 Oct 2021 16:02:43 +0200 +Subject: [PATCH 14/17] SUDO: decrease log level in case object wasn't found + +It is expected sudo responder can be requested to lookup unknown entry. +One of typical examples is lookup for a local user. + +Resolves: https://github.com/SSSD/sssd/issues/5839 + +Reviewed-by: Pawel Polawski +--- + src/responder/sudo/sudosrv_cmd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/responder/sudo/sudosrv_cmd.c b/src/responder/sudo/sudosrv_cmd.c +index 3bed22b6fc8b476686269d68e49def6a5af9383b..63b548fe8d5c76aa2fb6eec7f1b174fa7f47f90b 100644 +--- a/src/responder/sudo/sudosrv_cmd.c ++++ b/src/responder/sudo/sudosrv_cmd.c +@@ -261,7 +261,8 @@ static void sudosrv_cmd_done(struct tevent_req *req) + &cmd_ctx->num_rules); + talloc_zfree(req); + if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to obtain cached rules [%d]: %s\n", ++ DEBUG((ret == ENOENT) ? SSSDBG_MINOR_FAILURE : SSSDBG_OP_FAILURE, ++ "Unable to obtain cached rules [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } +-- +2.31.1 + diff --git a/0012-KCM-delete-malformed-cn-default-entries.patch b/0012-KCM-delete-malformed-cn-default-entries.patch new file mode 100644 index 0000000..0df35dc --- /dev/null +++ b/0012-KCM-delete-malformed-cn-default-entries.patch @@ -0,0 +1,67 @@ +From 7cba8ed6ae965ffcae9c14269cde02ddc24eaa53 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Tue, 26 Oct 2021 22:16:49 +0200 +Subject: [PATCH 16/17] KCM: delete malformed 'cn=default' entries +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This is needed to cleanup outdated entries in old (encrypted) +format that are no longer supported. + +Steps to reproduce: + +With an old SSSD version that still writes encrypted content in secrets db: + - obtain any ticket (even one ticket is enough) + - `kswitch -c ...` to any cache (any successful execution of `kswitch` + will use `SET_DEFAULT_CACHE` KCM op and create + 'cn=default,cn=$uid,cn=persistent,cn=kcm' entry) + +Then update SSSD and try `klist`: + - 2.6.0 version will fail with "[ccdb_secdb_get_default_send] (0x0040): Unexpected UUID size ..." + - 2.6.0 + this patch will remove this entry: +``` +[ccdb_secdb_get_default_send] (0x0040): Unexpected UUID size 152, deleting this entry +[sss_sec_delete] (0x0400): Removing a secret from [persistent/1000/default] +``` +and continue as if default isn't set (since all encrypted entries will be purged, +cache will appear empty) + +Reviewed-by: Pavel Březina +Reviewed-by: Pawel Polawski +--- + src/responder/kcm/kcmsrv_ccache_secdb.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/src/responder/kcm/kcmsrv_ccache_secdb.c b/src/responder/kcm/kcmsrv_ccache_secdb.c +index 05146b1553ad514934f709959036c5335f8c7adc..875eb3c900e5d894591810ff117d1601910e030f 100644 +--- a/src/responder/kcm/kcmsrv_ccache_secdb.c ++++ b/src/responder/kcm/kcmsrv_ccache_secdb.c +@@ -764,8 +764,22 @@ static struct tevent_req *ccdb_secdb_get_default_send(TALLOC_CTX *mem_ctx, + + uuid_size = sss_iobuf_get_size(dfl_iobuf); + if (uuid_size != UUID_STR_SIZE) { +- DEBUG(SSSDBG_OP_FAILURE, "Unexpected UUID size %zu\n", uuid_size); +- ret = EIO; ++ DEBUG(SSSDBG_OP_FAILURE, ++ "Unexpected UUID size %zu, deleting this entry\n", uuid_size); ++ ret = sss_sec_delete(sreq); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Failed to delete entry: [%d]: %s, " ++ "consider manual removal of "SECRETS_DB_PATH"/secrets.ldb\n", ++ ret, sss_strerror(ret)); ++ sss_log(SSS_LOG_CRIT, ++ "Can't delete an entry from "SECRETS_DB_PATH"/secrets.ldb, " ++ "content seems to be corrupted. Consider file removal. " ++ "(Take a note, this will delete all credentials managed " ++ "via sssd_kcm)"); ++ } ++ uuid_clear(state->uuid); ++ ret = EOK; + goto immediate; + } + +-- +2.31.1 + diff --git a/0013-proxy-allow-removing-group-members.patch b/0013-proxy-allow-removing-group-members.patch new file mode 100644 index 0000000..5a39eef --- /dev/null +++ b/0013-proxy-allow-removing-group-members.patch @@ -0,0 +1,231 @@ +From 301659a662a7a7aac11096fd0409f83b45cb41d1 Mon Sep 17 00:00:00 2001 +From: Iker Pedrosa +Date: Tue, 14 Sep 2021 12:35:09 +0200 +Subject: [PATCH 17/17] proxy: allow removing group members +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The proxy provider doesn't allow to remove group members once they have +been added. This patch allows to do it by looping the member list from +the cache and comparing it with the actual membership list. If a member +is missing then it's removed from the cache. + +Resolves: https://github.com/SSSD/sssd/issues/5783 + +Signed-off-by: Iker Pedrosa + +Reviewed-by: Alexey Tikhonov +Reviewed-by: Pavel Březina +--- + src/providers/proxy/proxy_id.c | 159 ++++++++++++++++++++++++++++++++- + 1 file changed, 157 insertions(+), 2 deletions(-) + +diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c +index 25daea585dfc0df2b568ee3175765a6d64be334b..db6bbb2f0f0a02b31aafd63480613ab82b9d6792 100644 +--- a/src/providers/proxy/proxy_id.c ++++ b/src/providers/proxy/proxy_id.c +@@ -908,6 +908,10 @@ handle_getgr_result(enum nss_status status, struct group *grp, + struct sss_domain_info *dom, + bool *delete_group) + { ++ if (delete_group) { ++ *delete_group = false; ++ } ++ + switch (status) { + case NSS_STATUS_TRYAGAIN: + DEBUG(SSSDBG_MINOR_FAILURE, "Buffer too small\n"); +@@ -915,7 +919,9 @@ handle_getgr_result(enum nss_status status, struct group *grp, + + case NSS_STATUS_NOTFOUND: + DEBUG(SSSDBG_MINOR_FAILURE, "Group not found.\n"); +- *delete_group = true; ++ if (delete_group) { ++ *delete_group = true; ++ } + break; + + case NSS_STATUS_SUCCESS: +@@ -927,7 +933,9 @@ handle_getgr_result(enum nss_status status, struct group *grp, + if (OUT_OF_ID_RANGE(grp->gr_gid, dom->id_min, dom->id_max)) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Group filtered out! (id out of range)\n"); +- *delete_group = true; ++ if (delete_group) { ++ *delete_group = true; ++ } + break; + } + break; +@@ -1488,6 +1496,141 @@ fail: + return ret; + } + ++static int remove_group_members(struct proxy_id_ctx *ctx, ++ struct sss_domain_info *dom, ++ const struct passwd *pwd, ++ long int num_gids, ++ const gid_t *gids, ++ long int num_cached_gids, ++ const gid_t *cached_gids) ++{ ++ TALLOC_CTX *tmp_ctx = NULL; ++ int i = 0, j = 0; ++ int ret = EOK; ++ const char *groupname = NULL; ++ const char *username = NULL; ++ bool group_found = false; ++ struct ldb_result *res = NULL; ++ ++ tmp_ctx = talloc_new(NULL); ++ if (!tmp_ctx) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); ++ return ENOMEM; ++ } ++ ++ username = sss_create_internal_fqname(tmp_ctx, pwd->pw_name, dom->name); ++ if (username == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "Failed to create fqdn '%s'\n", pwd->pw_name); ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ for (i = 0; i < num_cached_gids; i++) { ++ group_found = false; ++ /* group 0 is the primary group so it can be skipped */ ++ for (j = 1; j < num_gids; j++) { ++ if (cached_gids[i] == gids[j]) { ++ group_found = true; ++ break; ++ } ++ } ++ ++ if (!group_found) { ++ ret = sysdb_getgrgid(tmp_ctx, dom, cached_gids[i], &res); ++ if (ret != EOK || res->count != 1) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "sysdb_getgrgid failed for GID [%d].\n", cached_gids[i]); ++ continue; ++ } ++ ++ groupname = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, NULL); ++ if (groupname == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, ++ "Attribute is missing but this should never happen!\n"); ++ continue; ++ } ++ ++ ret = sysdb_remove_group_member(dom, groupname, ++ username, ++ SYSDB_MEMBER_USER, false); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Could not remove member [%s] from group [%s]\n", ++ username, groupname); ++ continue; ++ } ++ } ++ } ++ ++ ret = EOK; ++ ++done: ++ talloc_free(tmp_ctx); ++ return ret; ++} ++ ++static int get_cached_user_groups(struct sysdb_ctx *sysdb, ++ struct sss_domain_info *dom, ++ const struct passwd *pwd, ++ unsigned int *_num_cached_gids, ++ gid_t **_cached_gids) ++{ ++ TALLOC_CTX *tmp_ctx = NULL; ++ int ret = EOK; ++ int i = 0, j = 0; ++ gid_t gid = 0; ++ gid_t *cached_gids = NULL; ++ const char *username = NULL; ++ struct ldb_result *res = NULL; ++ ++ if (_num_cached_gids == NULL || _cached_gids == NULL) { ++ return EINVAL; ++ } ++ ++ tmp_ctx = talloc_new(NULL); ++ if (!tmp_ctx) { ++ ret = ENOMEM; ++ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); ++ goto done; ++ } ++ ++ username = sss_create_internal_fqname(tmp_ctx, pwd->pw_name, dom->name); ++ if (username == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "Failed to create fqdn '%s'\n", pwd->pw_name); ++ ret = ENOMEM; ++ goto done; ++ } ++ ++ ret = sysdb_initgroups(tmp_ctx, dom, username, &res); ++ /* the first element is the user itself so it can be skipped */ ++ if (ret == EOK && res->count > 1) { ++ cached_gids = talloc_array(tmp_ctx, gid_t, res->count - 1); ++ ++ for (i = 1; i < res->count; i++) { ++ gid = ldb_msg_find_attr_as_uint(res->msgs[i], SYSDB_GIDNUM, 0); ++ if (gid != 0) { ++ cached_gids[j] = gid; ++ j++; ++ } ++ } ++ ++ *_num_cached_gids = j; ++ *_cached_gids = talloc_steal(sysdb, cached_gids); ++ } else if (ret == EOK) { ++ *_num_cached_gids = 0; ++ *_cached_gids = NULL; ++ } else { ++ goto done; ++ } ++ ++ ret = EOK; ++ ++done: ++ talloc_zfree(tmp_ctx); ++ ++ return ret; ++} ++ + static int get_initgr_groups_process(TALLOC_CTX *memctx, + struct proxy_id_ctx *ctx, + struct sysdb_ctx *sysdb, +@@ -1503,6 +1646,8 @@ static int get_initgr_groups_process(TALLOC_CTX *memctx, + int ret; + int i; + time_t now; ++ gid_t *cached_gids = NULL; ++ unsigned int num_cached_gids = 0; + + num_gids = 0; + limit = 4096; +@@ -1553,6 +1698,16 @@ static int get_initgr_groups_process(TALLOC_CTX *memctx, + DEBUG(SSSDBG_CONF_SETTINGS, "User [%s] appears to be member of %lu " + "groups\n", pwd->pw_name, num_gids); + ++ ret = get_cached_user_groups(sysdb, dom, pwd, &num_cached_gids, &cached_gids); ++ if (ret) { ++ return ret; ++ } ++ ret = remove_group_members(ctx, dom, pwd, num_gids, gids, num_cached_gids, cached_gids); ++ talloc_free(cached_gids); ++ if (ret) { ++ return ret; ++ } ++ + now = time(NULL); + for (i = 0; i < num_gids; i++) { + ret = get_gr_gid(memctx, ctx, sysdb, dom, gids[i], now); +-- +2.31.1 + diff --git a/0014-TESTS-fixed-a-bug-in-define-string-conversion.patch b/0014-TESTS-fixed-a-bug-in-define-string-conversion.patch new file mode 100644 index 0000000..d8a873b --- /dev/null +++ b/0014-TESTS-fixed-a-bug-in-define-string-conversion.patch @@ -0,0 +1,30 @@ +From a664e9ce08ca6c0f9eb2e260b25463eea9c7829b Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Fri, 15 Oct 2021 22:30:21 +0200 +Subject: [PATCH] TESTS: fixed a bug in define->string conversion + +Previously result of `AS_STR(OFFLINE_TIMEOUT)` was "OFFLINE_TIMEOUT" +instead of expected integer value. + +Reviewed-by: Pawel Polawski +--- + src/tests/cmocka/test_data_provider_be.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/tests/cmocka/test_data_provider_be.c b/src/tests/cmocka/test_data_provider_be.c +index a6d6ec8802dd0c592c22bec08ac8c6eb154a58e6..49f04ddfb043909559bb8724995c2c8c35e1aac6 100644 +--- a/src/tests/cmocka/test_data_provider_be.c ++++ b/src/tests/cmocka/test_data_provider_be.c +@@ -32,7 +32,8 @@ + #define TEST_ID_PROVIDER "ldap" + + #define OFFLINE_TIMEOUT 2 +-#define AS_STR(param) (#param) ++#define STR_HELPER(x) #x ++#define AS_STR(param) STR_HELPER(param) + + static TALLOC_CTX *global_mock_context = NULL; + static bool global_timer_added; +-- +2.31.1 + diff --git a/sssd.spec b/sssd.spec index a9bf74b..4f7f785 100644 --- a/sssd.spec +++ b/sssd.spec @@ -37,7 +37,7 @@ Name: sssd Version: 2.6.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: System Security Services Daemon License: GPLv3+ URL: https://github.com/SSSD/sssd/ @@ -45,6 +45,21 @@ Source0: https://github.com/SSSD/sssd/releases/download/2.6.0/sssd-2.6.0.tar.gz ### Patches ### +Patch0001: 0001-DEBUG-fix-missing-va_end.patch +Patch0002: 0002-CONFDB-Change-ownership-of-config.ldb.patch +Patch0003: 0003-CONFDB-Change-ownership-before-dropping-privileges.patch +Patch0004: 0004-GPO-fixed-compilation-warning.patch +Patch0005: 0005-KCM-fixed-uninitialized-value.patch +Patch0006: 0006-cache_req-return-success-for-autofs-when-ENOENT-is-r.patch +Patch0007: 0007-sbus-maintain-correct-refcount-before-sending-a-repl.patch +Patch0008: 0008-Removed-excessive-includes-around-strtonum.patch +Patch0009: 0009-strtonum-helpers-usage-sanitization.patch +Patch0010: 0010-strto-usage-sanitization.patch +Patch0011: 0011-SUDO-decrease-log-level-in-case-object-wasn-t-found.patch +Patch0012: 0012-KCM-delete-malformed-cn-default-entries.patch +Patch0013: 0013-proxy-allow-removing-group-members.patch +Patch0014: 0014-TESTS-fixed-a-bug-in-define-string-conversion.patch + ### Dependencies ### Requires: sssd-ad = %{version}-%{release} @@ -124,6 +139,7 @@ BuildRequires: samba-devel # required for idmap_sss.so BuildRequires: samba-winbind BuildRequires: selinux-policy-targeted +BuildRequires: shadow-utils-subid-devel # required for p11_child smartcard tests BuildRequires: softhsm >= 2.1.0 BuildRequires: systemd-devel @@ -514,6 +530,7 @@ autoreconf -ivf --with-sssd-user=%{sssd_user} \ --with-syslog=journald \ --with-test-dir=/dev/shm \ + --with-subid \ %if 0%{?fedora} --disable-polkit-rules-path \ %endif @@ -820,6 +837,7 @@ done %files client -f sssd_client.lang %license src/sss_client/COPYING src/sss_client/COPYING.LESSER %{_libdir}/libnss_sss.so.2 +%{_libdir}/libsubid_sss.so %{_libdir}/security/pam_sss.so %{_libdir}/security/pam_sss_gss.so %{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so @@ -1012,6 +1030,11 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Mon Nov 01 2021 Pavel Březina - 2.6.0-2 +- Add additional patches on top of 2.6.0 +- Fix KCM upgrade from older releases +- Enable subid ranges + * Thu Oct 14 2021 Pavel Březina - 2.6.0-1 - Rebase to SSSD 2.6.0