[SSSD] [sssd PR#496][edited] sysdb: sanitize search filter input - backport sssd-1-13
URL: https://github.com/SSSD/sssd/pull/496 Author: sumit-bose Title: #496: sysdb: sanitize search filter input - backport sssd-1-13 Action: edited Changed field: title Original value: """ sysdb: sanitize search filter input """ ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#497][edited] sysdb: sanitize search filter input - backport sssd-1-14
URL: https://github.com/SSSD/sssd/pull/497 Author: sumit-bose Title: #497: sysdb: sanitize search filter input - backport sssd-1-14 Action: edited Changed field: title Original value: """ sysdb: sanitize search filter input """ ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#497][comment] sysdb: sanitize search filter input
URL: https://github.com/SSSD/sssd/pull/497 Title: #497: sysdb: sanitize search filter input sumit-bose commented: """ @fidencio, the number of templates in SYSDB_PWUPN_FILTER changed and because of that that patch cannot be cherry-picked to sssd-1-13 without a change. """ See the full comment at https://github.com/SSSD/sssd/pull/497#issuecomment-359564404 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#483][comment] Password change with two factor authentication
URL: https://github.com/SSSD/sssd/pull/483 Title: #483: Password change with two factor authentication jhrozek commented: """ Code-wise looks good. I've started some tests to make sure nothing is broken and I'll add the accepted label when they come back green. """ See the full comment at https://github.com/SSSD/sssd/pull/483#issuecomment-359550296 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#497][comment] sysdb: sanitize search filter input
URL: https://github.com/SSSD/sssd/pull/497 Title: #497: sysdb: sanitize search filter input fidencio commented: """ @sumit-bose, seems that this PR is exactly the same as #496. If that's the case, would you mind closing one of them? """ See the full comment at https://github.com/SSSD/sssd/pull/497#issuecomment-359548113 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#464][comment] SYSDB: Properly handle name/gid override when using domain resolution order
URL: https://github.com/SSSD/sssd/pull/464 Title: #464: SYSDB: Properly handle name/gid override when using domain resolution order fidencio commented: """ @jhrozek, sorry, no. I'd strongly prefer if someone else could take it over from now. """ See the full comment at https://github.com/SSSD/sssd/pull/464#issuecomment-359545724 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#464][comment] SYSDB: Properly handle name/gid override when using domain resolution order
URL: https://github.com/SSSD/sssd/pull/464 Title: #464: SYSDB: Properly handle name/gid override when using domain resolution order jhrozek commented: """ Hi @fidencio given that there is a downstream BZ where the support person mentioned they might need the fix in downstream I was wondering if you had time to add the test so we can push this patch upstream? """ See the full comment at https://github.com/SSSD/sssd/pull/464#issuecomment-359545119 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#472][+Accepted] Remove the 'sshPublicKey' attribute from the cache when it's removed from IPA
URL: https://github.com/SSSD/sssd/pull/472 Title: #472: Remove the 'sshPublicKey' attribute from the cache when it's removed from IPA Label: +Accepted ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#472][comment] Remove the 'sshPublicKey' attribute from the cache when it's removed from IPA
URL: https://github.com/SSSD/sssd/pull/472 Title: #472: Remove the 'sshPublicKey' attribute from the cache when it's removed from IPA jhrozek commented: """ Since the code will be (in absence of proper upstream infrastructure) tested by our downstream QE, I'm adding the Accepted label back. """ See the full comment at https://github.com/SSSD/sssd/pull/472#issuecomment-359544612 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#475][comment] AD: Use the right sdap_domain for the forest root
URL: https://github.com/SSSD/sssd/pull/475 Title: #475: AD: Use the right sdap_domain for the forest root jhrozek commented: """ Hi @lslebodn I would like to merge this code also to downstream during this week, I wonder if you already had some time to run tests with the latest patch? """ See the full comment at https://github.com/SSSD/sssd/pull/475#issuecomment-359537401 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#499][comment] dyndns_tests: Fix unit test with missing features in nsupdate
URL: https://github.com/SSSD/sssd/pull/499 Title: #499: dyndns_tests: Fix unit test with missing features in nsupdate lslebodn commented: """ You can easily that that on fedora rawhide i686 atm; due to crash in nsupdate Or you can modify ifdef in `nsupdate_msg_add_realm_cmd` to simulate such behaviour on other distros Or fake configure time detection of supported features by nsupdate ... """ See the full comment at https://github.com/SSSD/sssd/pull/499#issuecomment-359481691 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#499][comment] dyndns_tests: Fix unit test with missing features in nsupdate
URL: https://github.com/SSSD/sssd/pull/499 Title: #499: dyndns_tests: Fix unit test with missing features in nsupdate lslebodn commented: """ You can easily that that on fedora rawhide i686 atm; due to crash in nsupdate Or you can modify ifdef in `nsupdate_msg_add_realm_cmd` to simulate such behaviour on other distros """ See the full comment at https://github.com/SSSD/sssd/pull/499#issuecomment-359481691 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#499][opened] dyndns_tests: Fix unit test with missing features in nsupdate
URL: https://github.com/SSSD/sssd/pull/499 Author: lslebodn Title: #499: dyndns_tests: Fix unit test with missing features in nsupdate Action: opened PR body: """ We return different string in the function nsupdate_msg_add_realm_cmd if realm command is not supported by nsupdate. However cmocka based unit test did not expect such string and failed. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/499/head:pr499 git checkout pr499 From 8bf5237eea4f1afea3656a3385aa4fcdc2f28ffd Mon Sep 17 00:00:00 2001 From: Lukas SlebodnikDate: Mon, 22 Jan 2018 17:23:32 +0100 Subject: [PATCH] dyndns_tests: Fix unit test with missing features in nsupdate We return different string in the function nsupdate_msg_add_realm_cmd if realm command is not supported by nsupdate. However cmocka based unit test did not expect such string and failed. --- src/tests/cmocka/test_dyndns.c | 8 1 file changed, 8 insertions(+) diff --git a/src/tests/cmocka/test_dyndns.c b/src/tests/cmocka/test_dyndns.c index fafd4d8a5..a105dd6e6 100644 --- a/src/tests/cmocka/test_dyndns.c +++ b/src/tests/cmocka/test_dyndns.c @@ -406,7 +406,11 @@ void dyndns_test_create_fwd_msg(void **state) assert_string_equal(msg, "server Winterfell\n" +#ifdef HAVE_NSUPDATE_REALM "realm North\n" +#else +"\n" +#endif "update delete bran_stark. in A\n" "update add bran_stark. 1234 in A 192.168.0.2\n" "send\n" @@ -423,7 +427,11 @@ void dyndns_test_create_fwd_msg(void **state) assert_int_equal(ret, EOK); assert_string_equal(msg, +#ifdef HAVE_NSUPDATE_REALM "realm North\n" +#else +"\n" +#endif "update delete bran_stark. in A\n" "update add bran_stark. 1234 in A 192.168.0.2\n" "send\n" ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#410][comment] IPA: sanitize name in override search filter - Backport to SSSD-1.13
URL: https://github.com/SSSD/sssd/pull/410 Title: #410: IPA: sanitize name in override search filter - Backport to SSSD-1.13 sumit-bose commented: """ Hi Lukas, I think you backported the changes to the wrong function. In 1.13 in ipa_get_ad_override_connect_done() be_acct_req_to_override_filter() is called to create the filter for the override search and not get_be_acct_req_for_xyz(). be_acct_req_to_override_filter() was renamed to dp_id_data_to_override_filter() by 3d29430867cf92b2d71afa95abb679711231117c that's why the patch for master (c2dec0dc740ba426f26563563c0aea3a38f3c3c1) adds the sanitation to this function. HTH bye, Sumit """ See the full comment at https://github.com/SSSD/sssd/pull/410#issuecomment-359458111 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] Re: Fleet Commander: design changes due to the drop of DAC_OVERRIDE capability
On Mon, 2018-01-22 at 15:10 +0100, Fabiano Fidêncio wrote: > People, > > Let's start with the context of this email: > https://bugzilla.redhat.com/show_bug.cgi?id=1536854 > So, seems that even without knowing that, I've relied on CAP_DAC_OVERRIDE > in order to have the Fleet Commander integration working as expected and in > the implementation details of this feature. > > The desktop profiles are stored in a dir like: > /var/lib/sss/deskprofile/$domain/$user/$profile. > > Currently, the way I've been creating those are: > $domain = 755 (root:root) > $user = 600 ($user:$user_group) > $profile = 600 ($user:$user_group) > > Now, as mentioned in the bugzilla linked in this email, the current code > fails with an EACCES. > > With all this background, I'd like to discuss what's the best approach to > take. I've opened a PR (https://github.com/SSSD/sssd/pull/498) which makes > everything work again, but does the following changes: > > $domain = 755 (root:root) -- NO changes here > $user = 770 ($user:root) --> changed from 600 ($user:$user_group) > $profile = 660 ($user:root) --> changed from 600 ($user:$user_group) > > This is one way to solve the issue suggested at > https://bugzilla.redhat.com/show_bug.cgi?id=1536854#c5. > > Another suggestion, also mentioned in the bugzilla, would be to only > fchown()/fchmod() the files/dirs *after* all the operations we do are over. > > Is there any other suggestion? Whatever comes out of this discussion will > be used to update the feature's design page accordingly. Change euid to that of the user during operations, leave the permissions strict ? Simo. -- Simo Sorce Sr. Principal Software Engineer Red Hat, Inc ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] Fleet Commander: design changes due to the drop of DAC_OVERRIDE capability
People, Let's start with the context of this email: https://bugzilla.redhat.com/show_bug.cgi?id=1536854 So, seems that even without knowing that, I've relied on CAP_DAC_OVERRIDE in order to have the Fleet Commander integration working as expected and in the implementation details of this feature. The desktop profiles are stored in a dir like: /var/lib/sss/deskprofile/$domain/$user/$profile. Currently, the way I've been creating those are: $domain = 755 (root:root) $user = 600 ($user:$user_group) $profile = 600 ($user:$user_group) Now, as mentioned in the bugzilla linked in this email, the current code fails with an EACCES. With all this background, I'd like to discuss what's the best approach to take. I've opened a PR (https://github.com/SSSD/sssd/pull/498) which makes everything work again, but does the following changes: $domain = 755 (root:root) -- NO changes here $user = 770 ($user:root) --> changed from 600 ($user:$user_group) $profile = 660 ($user:root) --> changed from 600 ($user:$user_group) This is one way to solve the issue suggested at https://bugzilla.redhat.com/show_bug.cgi?id=1536854#c5. Another suggestion, also mentioned in the bugzilla, would be to only fchown()/fchmod() the files/dirs *after* all the operations we do are over. Is there any other suggestion? Whatever comes out of this discussion will be used to update the feature's design page accordingly. Best Regards, -- Fabiano Fidêncio ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#498][+Changes requested] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498 Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE Label: +Changes requested ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498 Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE lslebodn commented: """ Would you be so kind and could you firstly update design page. ATM it is unclear who should have which access to the related directory. Therefore it is difficult to say whether we can use this approach or need to use a different solution. BTW linked ticket already contains such suggestion: ``` it woudl be good to elaborate there more and specify who should have which access to files (rw, ro, ...) ``` """ See the full comment at https://github.com/SSSD/sssd/pull/498#issuecomment-359419594 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#498][synchronized] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498 Author: fidencio Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/498/head:pr498 git checkout pr498 From 3e3c9d2ac6ec43194ae0a5c8713fabfa29216ef4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=Date: Sat, 20 Jan 2018 15:06:37 +0100 Subject: [PATCH 1/3] DESKPROFILE: Soften the umask for the hostname's dir MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The default umask (0177) is way too strict, not allowing us to create the domain's dir, which has to have its mode set as 755. In order to solve this, let's soften the umask to 0022. This issue was exposed due to CAP_DAC_OVERRIDE being removed from Fedora package. Resolves: https://pagure.io/SSSD/sssd/issue/3621 Signed-off-by: Fabiano Fidêncio --- src/providers/ipa/ipa_deskprofile_rules_util.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c index 53c433145..f9a867daf 100644 --- a/src/providers/ipa/ipa_deskprofile_rules_util.c +++ b/src/providers/ipa/ipa_deskprofile_rules_util.c @@ -229,6 +229,7 @@ ipa_deskprofile_rules_create_user_dir( char *domain; char *domain_dir; errno_t ret; +mode_t old_umask; tmp_ctx = talloc_new(NULL); if (tmp_ctx == NULL) { @@ -243,8 +244,10 @@ ipa_deskprofile_rules_create_user_dir( goto done; } +old_umask = umask(0022); ret = sss_create_dir(IPA_DESKPROFILE_RULES_USER_DIR, domain, 0755, getuid(), getgid()); +umask(old_umask); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create the directory \"%s/%s\" that would be used to " From 370d70304cec89e6894fbbc048b8c87f6e73275a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Sat, 20 Jan 2018 23:58:14 +0100 Subject: [PATCH 2/3] DESKPROFILE: Fix the permissions and soften the umask for user's dir MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The user dir has to be part of "root" group, otherwise we won't have access to write any file there. More than that, the perms for the dir, which currently are set 0600, have to set to 0770 due to the same issue. As the perms have to be 0770, softening the default umask from (0177) t o (0007) is also needed. This issue was exposed due to CAP_DAC_OVERRIDE being removed from Fedora package. Resolves: https://pagure.io/SSSD/sssd/issue/3621 Signed-off-by: Fabiano Fidêncio --- src/providers/ipa/ipa_deskprofile_rules_util.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c index f9a867daf..c56075ef6 100644 --- a/src/providers/ipa/ipa_deskprofile_rules_util.c +++ b/src/providers/ipa/ipa_deskprofile_rules_util.c @@ -264,7 +264,9 @@ ipa_deskprofile_rules_create_user_dir( goto done; } -ret = sss_create_dir(domain_dir, shortname, 0600, uid, gid); +old_umask = umask(0007); +ret = sss_create_dir(domain_dir, shortname, 0770, uid, getgid()); +umask(old_umask); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create the directory \"%s/%s/%s\" that would be used " From 5adcd4b168cff27d0faaedcae804543dfe0723b7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 22 Jan 2018 11:49:23 +0100 Subject: [PATCH 3/3] DESKPROFILE: Change the group (and its perm) of the profile MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In order to allow the sssd_be process to delete the deskprofile files, let's change the file permission and group perms to 0660 being owned by the "root" group. This issue was exposed due to CAP_DAC_OVERRIDE being removed from Fedora package. Resolves: https://pagure.io/SSSD/sssd/issue/3621 Signed-off-by: Fabiano Fidêncio --- src/providers/ipa/ipa_deskprofile_rules_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c index c56075ef6..00a69313a 100644 --- a/src/providers/ipa/ipa_deskprofile_rules_util.c +++ b/src/providers/ipa/ipa_deskprofile_rules_util.c @@ -809,7 +809,7 @@ ipa_deskprofile_rules_save_rule_to_disk( goto done; } -fd = open(filename_path, O_WRONLY | O_CREAT | O_TRUNC, 0600); +fd = open(filename_path, O_WRONLY | O_CREAT | O_TRUNC, 0660); if (fd == -1) { ret = errno; DEBUG(SSSDBG_CRIT_FAILURE, @@ -829,7 +829,7 @@ ipa_deskprofile_rules_save_rule_to_disk(
[SSSD] [sssd PR#498][opened] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498 Author: fidencio Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE Action: opened PR body: """ See the attached patches. Step-by-step on how to test this will be added later on. """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/498/head:pr498 git checkout pr498 From 3e3c9d2ac6ec43194ae0a5c8713fabfa29216ef4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=Date: Sat, 20 Jan 2018 15:06:37 +0100 Subject: [PATCH 1/3] DESKPROFILE: Soften the umask for the hostname's dir MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The default umask (0177) is way too strict, not allowing us to create the domain's dir, which has to have its mode set as 755. In order to solve this, let's soften the umask to 0022. This issue was exposed due to CAP_DAC_OVERRIDE being removed from Fedora package. Resolves: https://pagure.io/SSSD/sssd/issue/3621 Signed-off-by: Fabiano Fidêncio --- src/providers/ipa/ipa_deskprofile_rules_util.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c index 53c433145..f9a867daf 100644 --- a/src/providers/ipa/ipa_deskprofile_rules_util.c +++ b/src/providers/ipa/ipa_deskprofile_rules_util.c @@ -229,6 +229,7 @@ ipa_deskprofile_rules_create_user_dir( char *domain; char *domain_dir; errno_t ret; +mode_t old_umask; tmp_ctx = talloc_new(NULL); if (tmp_ctx == NULL) { @@ -243,8 +244,10 @@ ipa_deskprofile_rules_create_user_dir( goto done; } +old_umask = umask(0022); ret = sss_create_dir(IPA_DESKPROFILE_RULES_USER_DIR, domain, 0755, getuid(), getgid()); +umask(old_umask); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create the directory \"%s/%s\" that would be used to " From 370d70304cec89e6894fbbc048b8c87f6e73275a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Sat, 20 Jan 2018 23:58:14 +0100 Subject: [PATCH 2/3] DESKPROFILE: Fix the permissions and soften the umask for user's dir MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The user dir has to be part of "root" group, otherwise we won't have access to write any file there. More than that, the perms for the dir, which currently are set 0600, have to set to 0770 due to the same issue. As the perms have to be 0770, softening the default umask from (0177) t o (0007) is also needed. This issue was exposed due to CAP_DAC_OVERRIDE being removed from Fedora package. Resolves: https://pagure.io/SSSD/sssd/issue/3621 Signed-off-by: Fabiano Fidêncio --- src/providers/ipa/ipa_deskprofile_rules_util.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c index f9a867daf..c56075ef6 100644 --- a/src/providers/ipa/ipa_deskprofile_rules_util.c +++ b/src/providers/ipa/ipa_deskprofile_rules_util.c @@ -264,7 +264,9 @@ ipa_deskprofile_rules_create_user_dir( goto done; } -ret = sss_create_dir(domain_dir, shortname, 0600, uid, gid); +old_umask = umask(0007); +ret = sss_create_dir(domain_dir, shortname, 0770, uid, getgid()); +umask(old_umask); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create the directory \"%s/%s/%s\" that would be used " From 0636cef71d870c0821f51249f3a3cc3b9f211296 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 22 Jan 2018 11:49:23 +0100 Subject: [PATCH 3/3] DESKPROFILE: Change the group of the profile MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In order to allow the sssd_be process to delete the deskprofile files, let's change the file permission and group perms to 0600 being owned by the "root" group. This issue was exposed due to CAP_DAC_OVERRIDE being removed from Fedora package. Resolves: https://pagure.io/SSSD/sssd/issue/3621 Signed-off-by: Fabiano Fidêncio --- src/providers/ipa/ipa_deskprofile_rules_util.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c index c56075ef6..00a69313a 100644 --- a/src/providers/ipa/ipa_deskprofile_rules_util.c +++ b/src/providers/ipa/ipa_deskprofile_rules_util.c @@ -809,7 +809,7 @@ ipa_deskprofile_rules_save_rule_to_disk( goto done; } -fd = open(filename_path, O_WRONLY | O_CREAT | O_TRUNC, 0600); +fd = open(filename_path, O_WRONLY | O_CREAT | O_TRUNC, 0660); if (fd == -1) { ret = errno;
[SSSD] [sssd PR#497][opened] sysdb: sanitize search filter input
URL: https://github.com/SSSD/sssd/pull/497 Author: sumit-bose Title: #497: sysdb: sanitize search filter input Action: opened PR body: """ Backport of commit 1f2662c8f97c9c0fa250055d4b6750abfc6d0835 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/497/head:pr497 git checkout pr497 From 7e361e3a8a125808a493a7a536aff2224ac0f5e1 Mon Sep 17 00:00:00 2001 From: Sumit BoseDate: Mon, 22 Jan 2018 11:02:09 +0100 Subject: [PATCH] sysdb: sanitize search filter input Backport of commit 1f2662c8f97c9c0fa250055d4b6750abfc6d0835 --- src/db/sysdb_ops.c | 55 +++-- src/tests/sysdb-tests.c | 7 +++ 2 files changed, 51 insertions(+), 11 deletions(-) diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c index 5d4546867..8b13c83c0 100644 --- a/src/db/sysdb_ops.c +++ b/src/db/sysdb_ops.c @@ -598,6 +598,7 @@ int sysdb_search_user_by_upn_res(TALLOC_CTX *mem_ctx, int ret; const char *def_attrs[] = { SYSDB_NAME, SYSDB_UPN, SYSDB_CANONICAL_UPN, SYSDB_USER_EMAIL, NULL }; +char *sanitized; tmp_ctx = talloc_new(NULL); if (tmp_ctx == NULL) { @@ -605,6 +606,12 @@ int sysdb_search_user_by_upn_res(TALLOC_CTX *mem_ctx, goto done; } +ret = sss_filter_sanitize(tmp_ctx, upn, ); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, "sss_filter_sanitize failed.\n"); +goto done; +} + base_dn = sysdb_base_dn(domain->sysdb, tmp_ctx); if (base_dn == NULL) { ret = ENOMEM; @@ -613,7 +620,7 @@ int sysdb_search_user_by_upn_res(TALLOC_CTX *mem_ctx, ret = ldb_search(domain->sysdb->ldb, tmp_ctx, , base_dn, LDB_SCOPE_SUBTREE, attrs ? attrs : def_attrs, - SYSDB_PWUPN_FILTER, upn, upn, upn); + SYSDB_PWUPN_FILTER, sanitized, sanitized, sanitized); if (ret != EOK) { ret = sysdb_error_to_errno(ret); goto done; @@ -4625,12 +4632,13 @@ errno_t sysdb_remove_attrs(struct sss_domain_info *domain, return ret; } -static errno_t sysdb_search_object_by_str_attr(TALLOC_CTX *mem_ctx, - struct sss_domain_info *domain, - const char *filter_tmpl, - const char *str, - const char **attrs, - struct ldb_result **_res) +static errno_t sysdb_search_object_by_str_attr_ex(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *filter_tmpl, + const char *str, + const char **attrs, + bool sanitize_input, + struct ldb_result **_res) { TALLOC_CTX *tmp_ctx; const char *def_attrs[] = { SYSDB_NAME, SYSDB_UIDNUM, SYSDB_GIDNUM, @@ -4640,12 +4648,25 @@ static errno_t sysdb_search_object_by_str_attr(TALLOC_CTX *mem_ctx, struct ldb_dn *basedn; int ret; struct ldb_result *res = NULL; +char *sanitized = NULL; + +if (str == NULL) { +return EINVAL; +} tmp_ctx = talloc_new(NULL); if (!tmp_ctx) { return ENOMEM; } +if (sanitize_input) { +ret = sss_filter_sanitize(tmp_ctx, str, ); +if (ret != EOK) { +DEBUG(SSSDBG_OP_FAILURE, "sss_filter_sanitize failed.\n"); +goto done; +} +} + basedn = ldb_dn_new_fmt(tmp_ctx, domain->sysdb->ldb, SYSDB_DOM_BASE, domain->name); if (basedn == NULL) { @@ -4656,7 +4677,7 @@ static errno_t sysdb_search_object_by_str_attr(TALLOC_CTX *mem_ctx, ret = ldb_search(domain->sysdb->ldb, tmp_ctx, , basedn, LDB_SCOPE_SUBTREE, attrs?attrs:def_attrs, - filter_tmpl, str); + filter_tmpl, sanitized == NULL ? str : sanitized); if (ret != EOK) { ret = sysdb_error_to_errno(ret); DEBUG(SSSDBG_OP_FAILURE, "ldb_search failed.\n"); @@ -4694,6 +4715,17 @@ static errno_t sysdb_search_object_by_str_attr(TALLOC_CTX *mem_ctx, return ret; } +static errno_t sysdb_search_object_by_str_attr(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *filter_tmpl, + const char *str, + const char **attrs, + struct ldb_result **_res) +{ +return sysdb_search_object_by_str_attr_ex(mem_ctx, domain, filter_tmpl, str, + attrs, true, _res); +} + errno_t sysdb_search_object_by_sid(TALLOC_CTX *mem_ctx,
[SSSD] [sssd PR#495][comment] DESKPROFILE: Add checks for user and host category
URL: https://github.com/SSSD/sssd/pull/495 Title: #495: DESKPROFILE: Add checks for user and host category fidencio commented: """ Steps to reproduce the issue: 1. git clone https://github.com/fidencio/fleet-commander-vagans 2. In the project's folder do: cd fleet-commander; vagrant up 3. Once the VMs are provisioned, access cockpit: https://master.ipa.example:9090/ 4. Click in the "FleetCommander" tab 5. Close the windows that will open 6. Click in "Add Profile" 7. Add a profile without filling out Hosts and Hostgroups 8. From the fleet-commander folder, do: vagrant ssh ipaclient 8.1: ssh to the machine using admin's user: ssh -l admin localhost 8.2: Close the admin session 8.3 A root, take a look at journalctl -xe and a message about a crash will be seen. With the patch, 8.3 won't happen and your profile will be downloaded to /var/lib/deskprofile/ipa.example/admin/ NOTE: If your way to test it is through a fedpkg build, be aware of: https://bugzilla.redhat.com/show_bug.cgi?id=1536854 """ See the full comment at https://github.com/SSSD/sssd/pull/495#issuecomment-359338285 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org