[SSSD] [sssd PR#496][edited] sysdb: sanitize search filter input - backport sssd-1-13

2018-01-22 Thread fidencio
   URL: https://github.com/SSSD/sssd/pull/496
Author: sumit-bose
 Title: #496: sysdb: sanitize search filter input - backport sssd-1-13
Action: edited

 Changed field: title
Original value:
"""
sysdb: sanitize search filter input
"""

___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#497][edited] sysdb: sanitize search filter input - backport sssd-1-14

2018-01-22 Thread fidencio
   URL: https://github.com/SSSD/sssd/pull/497
Author: sumit-bose
 Title: #497: sysdb: sanitize search filter input - backport sssd-1-14
Action: edited

 Changed field: title
Original value:
"""
sysdb: sanitize search filter input
"""



[SSSD] [sssd PR#497][comment] sysdb: sanitize search filter input

2018-01-22 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/497
Title: #497: sysdb: sanitize search filter input

sumit-bose commented:
"""
@fidencio, the number of templates in SYSDB_PWUPN_FILTER changed and because of 
that that patch cannot be cherry-picked to sssd-1-13 without a change.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/497#issuecomment-359564404


[SSSD] [sssd PR#483][comment] Password change with two factor authentication

2018-01-22 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/483
Title: #483: Password change with two factor authentication

jhrozek commented:
"""
Code-wise looks good. I've started some tests to make sure nothing is broken 
and I'll add the accepted label when they come back green.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/483#issuecomment-359550296


[SSSD] [sssd PR#497][comment] sysdb: sanitize search filter input

2018-01-22 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/497
Title: #497: sysdb: sanitize search filter input

fidencio commented:
"""
@sumit-bose, seems that this PR is exactly the same as #496. If that's the 
case, would you mind closing one of them?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/497#issuecomment-359548113


[SSSD] [sssd PR#464][comment] SYSDB: Properly handle name/gid override when using domain resolution order

2018-01-22 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/464
Title: #464: SYSDB: Properly handle name/gid override when using domain 
resolution order

fidencio commented:
"""
@jhrozek, sorry, no.

I'd strongly prefer if someone else could take it over from now.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/464#issuecomment-359545724


[SSSD] [sssd PR#464][comment] SYSDB: Properly handle name/gid override when using domain resolution order

2018-01-22 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/464
Title: #464: SYSDB: Properly handle name/gid override when using domain 
resolution order

jhrozek commented:
"""
Hi @fidencio given that there is a downstream BZ where the support person 
mentioned they might need the fix in downstream I was wondering if you had time 
to add the test so we can push this patch upstream?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/464#issuecomment-359545119


[SSSD] [sssd PR#472][+Accepted] Remove the 'sshPublicKey' attribute from the cache when it's removed from IPA

2018-01-22 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/472
Title: #472: Remove the 'sshPublicKey' attribute from the cache when it's 
removed from IPA

Label: +Accepted


[SSSD] [sssd PR#472][comment] Remove the 'sshPublicKey' attribute from the cache when it's removed from IPA

2018-01-22 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/472
Title: #472: Remove the 'sshPublicKey' attribute from the cache when it's 
removed from IPA

jhrozek commented:
"""
Since the code will be (in absence of proper upstream infrastructure) tested by 
our downstream QE, I'm adding the Accepted label back.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/472#issuecomment-359544612


[SSSD] [sssd PR#475][comment] AD: Use the right sdap_domain for the forest root

2018-01-22 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/475
Title: #475: AD: Use the right sdap_domain for the forest root

jhrozek commented:
"""
Hi @lslebodn I would like to merge this code also to downstream during this 
week, I wonder if you already had some time to run tests with the latest patch?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/475#issuecomment-359537401


[SSSD] [sssd PR#499][comment] dyndns_tests: Fix unit test with missing features in nsupdate

2018-01-22 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/499
Title: #499: dyndns_tests: Fix unit test with missing features in nsupdate

lslebodn commented:
"""
You can easily test that on fedora rawhide i686 atm; due to crash in nsupdate
Or you can modify ifdef in `nsupdate_msg_add_realm_cmd`  to simulate such 
behaviour on other distros
Or fake configure time detection of supported features by nsupdate ...
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/499#issuecomment-359481691


[SSSD] [sssd PR#499][comment] dyndns_tests: Fix unit test with missing features in nsupdate

2018-01-22 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/499
Title: #499: dyndns_tests: Fix unit test with missing features in nsupdate

lslebodn commented:
"""
You can easily test that on fedora rawhide i686 atm; due to crash in nsupdate
Or you can modify ifdef in `nsupdate_msg_add_realm_cmd`  to simulate such 
behaviour on other distros
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/499#issuecomment-359481691


[SSSD] [sssd PR#499][opened] dyndns_tests: Fix unit test with missing features in nsupdate

2018-01-22 Thread lslebodn
   URL: https://github.com/SSSD/sssd/pull/499
Author: lslebodn
 Title: #499: dyndns_tests: Fix unit test with missing features in nsupdate
Action: opened

PR body:
"""
We return different string in the function nsupdate_msg_add_realm_cmd
if realm command is not supported by nsupdate.
However cmocka based unit test did not expect such string and failed.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/499/head:pr499
git checkout pr499
From 8bf5237eea4f1afea3656a3385aa4fcdc2f28ffd Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik 
Date: Mon, 22 Jan 2018 17:23:32 +0100
Subject: [PATCH] dyndns_tests: Fix unit test with missing features in nsupdate

We return different string in the function nsupdate_msg_add_realm_cmd
if realm command is not supported by nsupdate.
However cmocka based unit test did not expect such string and failed.
---
 src/tests/cmocka/test_dyndns.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/src/tests/cmocka/test_dyndns.c b/src/tests/cmocka/test_dyndns.c
index fafd4d8a5..a105dd6e6 100644
--- a/src/tests/cmocka/test_dyndns.c
+++ b/src/tests/cmocka/test_dyndns.c
@@ -406,7 +406,11 @@ void dyndns_test_create_fwd_msg(void **state)
 
 assert_string_equal(msg,
 "server Winterfell\n"
+#ifdef HAVE_NSUPDATE_REALM
 "realm North\n"
+#else
+"\n"
+#endif
 "update delete bran_stark. in A\n"
 "update add bran_stark. 1234 in A 192.168.0.2\n"
 "send\n"
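Review bot: the `#else` branch of this assertion hardcodes "\n" as what `nsupdate_msg_add_realm_cmd` emits without realm support, and the same four-line `#ifdef HAVE_NSUPDATE_REALM` block is repeated in the next hunk. Define the expected realm line once near the top of the test (for example a macro that expands to "realm North\n" or "\n") and use it in both `assert_string_equal` calls, with a short comment saying that the fallback mirrors the string the function returns when the realm command is unsupported.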
@@ -423,7 +427,11 @@ void dyndns_test_create_fwd_msg(void **state)
 assert_int_equal(ret, EOK);
 
 assert_string_equal(msg,
+#ifdef HAVE_NSUPDATE_REALM
 "realm North\n"
+#else
+"\n"
+#endif
 "update delete bran_stark. in A\n"
 "update add bran_stark. 1234 in A 192.168.0.2\n"
 "send\n"


[SSSD] [sssd PR#410][comment] IPA: sanitize name in override search filter - Backport to SSSD-1.13

2018-01-22 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/410
Title: #410: IPA: sanitize name in override search filter - Backport to 
SSSD-1.13

sumit-bose commented:
"""
Hi Lukas,

I think you backported the changes to the wrong function. In 1.13 in 
ipa_get_ad_override_connect_done() be_acct_req_to_override_filter() is called 
to create the filter for the override search and not get_be_acct_req_for_xyz().

be_acct_req_to_override_filter() was renamed to dp_id_data_to_override_filter() 
by 3d29430867cf92b2d71afa95abb679711231117c that's why the patch for master 
(c2dec0dc740ba426f26563563c0aea3a38f3c3c1) adds the sanitation to this function.

HTH

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/410#issuecomment-359458111


[SSSD] Re: Fleet Commander: design changes due to the drop of DAC_OVERRIDE capability

2018-01-22 Thread Simo Sorce
On Mon, 2018-01-22 at 15:10 +0100, Fabiano Fidêncio wrote:
> People,
> 
> Let's start with the context of this email:
> https://bugzilla.redhat.com/show_bug.cgi?id=1536854
> So, seems that even without knowing that, I've relied on CAP_DAC_OVERRIDE
> in order to have the Fleet Commander integration working as expected and in
> the implementation details of this feature.
> 
> The desktop profiles are stored in a dir like:
> /var/lib/sss/deskprofile/$domain/$user/$profile.
> 
> Currently, the way I've been creating those are:
> $domain = 755 (root:root)
> $user = 600 ($user:$user_group)
> $profile = 600 ($user:$user_group)
> 
> Now, as mentioned in the bugzilla linked in this email, the current code
> fails with an EACCES.
> 
> With all this background, I'd like to discuss what's the best approach to
> take. I've opened a PR (https://github.com/SSSD/sssd/pull/498) which makes
> everything work again, but does the following changes:
> 
> $domain = 755 (root:root) -- NO changes here
> $user = 770 ($user:root) --> changed from 600 ($user:$user_group)
> $profile = 660 ($user:root) --> changed from 600 ($user:$user_group)
> 
> This is one way to solve the issue suggested at
> https://bugzilla.redhat.com/show_bug.cgi?id=1536854#c5.
> 
> Another suggestion, also mentioned in the bugzilla, would be to only
> fchown()/fchmod() the files/dirs *after* all the operations we do are over.
> 
> Is there any other suggestion? Whatever comes out of this discussion will
> be used to update the feature's design page accordingly.

Change euid to that of the user during operations, leave the
permissions strict ?

Simo.

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc


[SSSD] Fleet Commander: design changes due to the drop of DAC_OVERRIDE capability

2018-01-22 Thread Fabiano Fidêncio
People,

Let's start with the context of this email:
https://bugzilla.redhat.com/show_bug.cgi?id=1536854
So, seems that even without knowing that, I've relied on CAP_DAC_OVERRIDE
in order to have the Fleet Commander integration working as expected and in
the implementation details of this feature.

The desktop profiles are stored in a dir like:
/var/lib/sss/deskprofile/$domain/$user/$profile.

Currently, the way I've been creating those are:
$domain = 755 (root:root)
$user = 600 ($user:$user_group)
$profile = 600 ($user:$user_group)

Now, as mentioned in the bugzilla linked in this email, the current code
fails with an EACCES.

With all this background, I'd like to discuss what's the best approach to
take. I've opened a PR (https://github.com/SSSD/sssd/pull/498) which makes
everything work again, but does the following changes:

$domain = 755 (root:root) -- NO changes here
$user = 770 ($user:root) --> changed from 600 ($user:$user_group)
$profile = 660 ($user:root) --> changed from 600 ($user:$user_group)

This is one way to solve the issue suggested at
https://bugzilla.redhat.com/show_bug.cgi?id=1536854#c5.

Another suggestion, also mentioned in the bugzilla, would be to only
fchown()/fchmod() the files/dirs *after* all the operations we do are over.

Is there any other suggestion? Whatever comes out of this discussion will
be used to update the feature's design page accordingly.

Best Regards,
-- 
Fabiano Fidêncio
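
The "only fchown()/fchmod() after all the operations are over" option from the message above, as an added example that is not SSSD code and not part of the original email. It assumes Linux, a first-time creation of the user's directory, a daemon that is allowed to fchown() to the user, and final modes of 0700/0600; `save_profile` and `open_subdir` are hypothetical names.

```c
/* Added example, not SSSD code: do all filesystem work while the daemon still
 * owns the objects, then hand them to the user as the very last step. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed final modes; the thread leaves the exact values to the design page. */
#define DOMAIN_DIR_MODE 0755
#define USER_DIR_MODE   0700
#define PROFILE_MODE    0600

/* Create (or reuse) a directory and return an fd to it. The mode given to
 * mkdirat() is filtered by the umask; fchmod() on the fd is not, so the
 * process-wide umask never has to be changed. */
static int open_subdir(int parent_fd, const char *name, mode_t mode)
{
    int fd;

    if (mkdirat(parent_fd, name, 0700) == -1 && errno != EEXIST) {
        return -1;
    }
    fd = openat(parent_fd, name,
                O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd != -1 && fchmod(fd, mode) == -1) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Returns 0 or an errno value; uid/gid are the profile's final owner. */
int save_profile(const char *base, const char *domain, const char *user,
                 const char *profile, const char *data, size_t len,
                 uid_t uid, gid_t gid)
{
    int base_fd, dom_fd = -1, usr_fd = -1, fd = -1, ret = 0;

    base_fd = open(base, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (base_fd == -1) { ret = errno; goto done; }
    dom_fd = open_subdir(base_fd, domain, DOMAIN_DIR_MODE);
    if (dom_fd == -1) { ret = errno; goto done; }
    /* Working mode: the daemon is still the owner, owner bits are enough. */
    usr_fd = open_subdir(dom_fd, user, 0700);
    if (usr_fd == -1) { ret = errno; goto done; }

    /* O_NOFOLLOW: fail with ELOOP if the profile name is a symlink. */
    fd = openat(usr_fd, profile,
                O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd == -1) { ret = errno; goto done; }
    while (len > 0) {
        ssize_t n = write(fd, data, len);
        if (n == -1 && errno == EINTR) continue;
        if (n == -1) { ret = errno; goto done; }
        data += n;
        len -= (size_t)n;
    }

    /* Hand-over. fchmod() goes before fchown(): after the owner changes,
     * the daemon may no longer be allowed to set the mode. */
    if (fchmod(fd, PROFILE_MODE) == -1 || fchown(fd, uid, gid) == -1 ||
        fchmod(usr_fd, USER_DIR_MODE) == -1 || fchown(usr_fd, uid, gid) == -1) {
        ret = errno;
    }

done:
    if (fd != -1) close(fd);
    if (usr_fd != -1) close(usr_fd);
    if (dom_fd != -1) close(dom_fd);
    if (base_fd != -1) close(base_fd);
    return ret;
}

int main(void)
{
    char base[] = "/tmp/deskprofileXXXXXX";   /* constructed scratch dir */
    if (mkdtemp(base) == NULL) return 1;
    umask(0177);                              /* the umask named in the thread */
    return save_profile(base, "ipa.example", "admin", "profile.json",
                        "{}", 2, getuid(), getgid());
}
```

Once the directory belongs to the user, a later update or removal by the daemon needs the ownership handed back first, which is the part the design page would still have to settle.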


[SSSD] [sssd PR#498][+Changes requested] DESKPROFILE: Do not require CAP_DAC_OVERRIDE

2018-01-22 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

Label: +Changes requested


[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE

2018-01-22 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

lslebodn commented:
"""
Would you be so kind and could you firstly update design page.
ATM it is unclear who should have which access to the related directory.
Therefore it is difficult to say whether we can use this approach or need to 
use a different solution.

BTW linked ticket already contains such suggestion:
```
it would be good to elaborate there more and specify who should have which 
access to files (rw, ro, ...)
```

"""

See the full comment at 
https://github.com/SSSD/sssd/pull/498#issuecomment-359419594


[SSSD] [sssd PR#498][synchronized] DESKPROFILE: Do not require CAP_DAC_OVERRIDE

2018-01-22 Thread fidencio
   URL: https://github.com/SSSD/sssd/pull/498
Author: fidencio
 Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/498/head:pr498
git checkout pr498
From 3e3c9d2ac6ec43194ae0a5c8713fabfa29216ef4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= 
Date: Sat, 20 Jan 2018 15:06:37 +0100
Subject: [PATCH 1/3] DESKPROFILE: Soften the umask for the hostname's dir
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The default umask (0177) is way too strict, not allowing us to create
the domain's dir, which has to have its mode set as 755.

In order to solve this, let's soften the umask to 0022.

This issue was exposed due to CAP_DAC_OVERRIDE being removed from Fedora
package.

Resolves:
https://pagure.io/SSSD/sssd/issue/3621

Signed-off-by: Fabiano Fidêncio 
---
 src/providers/ipa/ipa_deskprofile_rules_util.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c
index 53c433145..f9a867daf 100644
--- a/src/providers/ipa/ipa_deskprofile_rules_util.c
+++ b/src/providers/ipa/ipa_deskprofile_rules_util.c
@@ -229,6 +229,7 @@ ipa_deskprofile_rules_create_user_dir(
 char *domain;
 char *domain_dir;
 errno_t ret;
+mode_t old_umask;
 
 tmp_ctx = talloc_new(NULL);
 if (tmp_ctx == NULL) {
@@ -243,8 +244,10 @@ ipa_deskprofile_rules_create_user_dir(
 goto done;
 }
 
+old_umask = umask(0022);
 ret = sss_create_dir(IPA_DESKPROFILE_RULES_USER_DIR, domain, 0755,
  getuid(), getgid());
+umask(old_umask);
 if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE,
   "Failed to create the directory \"%s/%s\" that would be used to "

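Review bot: `umask(0022)` around `sss_create_dir()` changes process-wide state to get one directory right, and the same save/restore pattern appears again in patch 2/3 with a different mask. Consider setting the mode explicitly on the created directory (inside `sss_create_dir()` or with a chmod on the result) so that the 0755 passed here does not depend on the caller's umask, and add a comment next to `old_umask = umask(0022);` explaining why the default mask is not sufficient.
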
From 370d70304cec89e6894fbbc048b8c87f6e73275a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= 
Date: Sat, 20 Jan 2018 23:58:14 +0100
Subject: [PATCH 2/3] DESKPROFILE: Fix the permissions and soften the umask for
 user's dir
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The user dir has to be part of "root" group, otherwise we won't have
access to write any file there. More than that, the perms for the dir,
which currently are set 0600, have to set to 0770 due to the same issue.

As the perms have to be 0770, softening the default umask from (0177) to
(0007) is also needed.

This issue was exposed due to CAP_DAC_OVERRIDE being removed from Fedora
package.

Resolves:
https://pagure.io/SSSD/sssd/issue/3621

Signed-off-by: Fabiano Fidêncio 
---
 src/providers/ipa/ipa_deskprofile_rules_util.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c
index f9a867daf..c56075ef6 100644
--- a/src/providers/ipa/ipa_deskprofile_rules_util.c
+++ b/src/providers/ipa/ipa_deskprofile_rules_util.c
@@ -264,7 +264,9 @@ ipa_deskprofile_rules_create_user_dir(
 goto done;
 }
 
-ret = sss_create_dir(domain_dir, shortname, 0600, uid, gid);
+old_umask = umask(0007);
+ret = sss_create_dir(domain_dir, shortname, 0770, uid, getgid());
+umask(old_umask);
 if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE,
"Failed to create the directory \"%s/%s/%s\" that would be used "

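Review bot: the new `sss_create_dir()` call passes `getgid()` as the group, while the commit message says the directory has to belong to the "root" group; the two agree only while the process runs with gid 0. Either pass the intended group explicitly or say in the message that the daemon's own gid is meant. With owner `uid` and mode 0770 the user also has write and search permission on a directory the daemon creates files in, so the design page should state that this is intended.
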
From 5adcd4b168cff27d0faaedcae804543dfe0723b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= 
Date: Mon, 22 Jan 2018 11:49:23 +0100
Subject: [PATCH 3/3] DESKPROFILE: Change the group (and its perm) of the
 profile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In order to allow the sssd_be process to delete the deskprofile files,
let's change the file permission and group perms to 0660 being owned by
the "root" group.

This issue was exposed due to CAP_DAC_OVERRIDE being removed from Fedora
package.

Resolves:
https://pagure.io/SSSD/sssd/issue/3621

Signed-off-by: Fabiano Fidêncio 
---
 src/providers/ipa/ipa_deskprofile_rules_util.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c
index c56075ef6..00a69313a 100644
--- a/src/providers/ipa/ipa_deskprofile_rules_util.c
+++ b/src/providers/ipa/ipa_deskprofile_rules_util.c
@@ -809,7 +809,7 @@ ipa_deskprofile_rules_save_rule_to_disk(
 goto done;
 }
 
-fd = open(filename_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+fd = open(filename_path, O_WRONLY | O_CREAT | O_TRUNC, 0660);
 if (fd == -1) {
 ret = errno;
 DEBUG(SSSDBG_CRIT_FAILURE,
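Review bot: the 0660 passed to `open()` is still filtered by the process umask, and this call is not wrapped in the umask save/restore that patches 1/3 and 2/3 add around `sss_create_dir()`. With the default mask of 0177 named in patch 1/3 the file is created as 0600 and the group bits requested here are lost, so set the mode on the descriptor with `fchmod(fd, 0660)` if the code does not already do so. Since patch 2/3 makes the parent directory writable by the user, adding `O_NOFOLLOW` to the flags would also keep this `O_CREAT | O_TRUNC` open from following a symlink at `filename_path`.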
@@ -829,7 +829,7 @@ ipa_deskprofile_rules_save_rule_to_disk(
  

[SSSD] [sssd PR#498][opened] DESKPROFILE: Do not require CAP_DAC_OVERRIDE

2018-01-22 Thread fidencio
   URL: https://github.com/SSSD/sssd/pull/498
Author: fidencio
 Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE
Action: opened

PR body:
"""
See the attached patches.

Step-by-step on how to test this will be added later on.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/498/head:pr498
git checkout pr498
From 3e3c9d2ac6ec43194ae0a5c8713fabfa29216ef4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= 
Date: Sat, 20 Jan 2018 15:06:37 +0100
Subject: [PATCH 1/3] DESKPROFILE: Soften the umask for the hostname's dir
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The default umask (0177) is way too strict, not allowing us to create
the domain's dir, which has to have its mode set as 755.

In order to solve this, let's soften the umask to 0022.

This issue was exposed due to CAP_DAC_OVERRIDE being removed from Fedora
package.

Resolves:
https://pagure.io/SSSD/sssd/issue/3621

Signed-off-by: Fabiano Fidêncio 
---
 src/providers/ipa/ipa_deskprofile_rules_util.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c
index 53c433145..f9a867daf 100644
--- a/src/providers/ipa/ipa_deskprofile_rules_util.c
+++ b/src/providers/ipa/ipa_deskprofile_rules_util.c
@@ -229,6 +229,7 @@ ipa_deskprofile_rules_create_user_dir(
 char *domain;
 char *domain_dir;
 errno_t ret;
+mode_t old_umask;
 
 tmp_ctx = talloc_new(NULL);
 if (tmp_ctx == NULL) {
@@ -243,8 +244,10 @@ ipa_deskprofile_rules_create_user_dir(
 goto done;
 }
 
+old_umask = umask(0022);
 ret = sss_create_dir(IPA_DESKPROFILE_RULES_USER_DIR, domain, 0755,
  getuid(), getgid());
+umask(old_umask);
 if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE,
   "Failed to create the directory \"%s/%s\" that would be used to "

From 370d70304cec89e6894fbbc048b8c87f6e73275a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= 
Date: Sat, 20 Jan 2018 23:58:14 +0100
Subject: [PATCH 2/3] DESKPROFILE: Fix the permissions and soften the umask for
 user's dir
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The user dir has to be part of "root" group, otherwise we won't have
access to write any file there. More than that, the perms for the dir,
which currently are set 0600, have to set to 0770 due to the same issue.

As the perms have to be 0770, softening the default umask from (0177) to
(0007) is also needed.

This issue was exposed due to CAP_DAC_OVERRIDE being removed from Fedora
package.

Resolves:
https://pagure.io/SSSD/sssd/issue/3621

Signed-off-by: Fabiano Fidêncio 
---
 src/providers/ipa/ipa_deskprofile_rules_util.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c
index f9a867daf..c56075ef6 100644
--- a/src/providers/ipa/ipa_deskprofile_rules_util.c
+++ b/src/providers/ipa/ipa_deskprofile_rules_util.c
@@ -264,7 +264,9 @@ ipa_deskprofile_rules_create_user_dir(
 goto done;
 }
 
-ret = sss_create_dir(domain_dir, shortname, 0600, uid, gid);
+old_umask = umask(0007);
+ret = sss_create_dir(domain_dir, shortname, 0770, uid, getgid());
+umask(old_umask);
 if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE,
"Failed to create the directory \"%s/%s/%s\" that would be used "

From 0636cef71d870c0821f51249f3a3cc3b9f211296 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= 
Date: Mon, 22 Jan 2018 11:49:23 +0100
Subject: [PATCH 3/3] DESKPROFILE: Change the group of the profile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In order to allow the sssd_be process to delete the deskprofile files,
let's change the file permission and group perms to 0600 being owned by
the "root" group.

This issue was exposed due to CAP_DAC_OVERRIDE being removed from Fedora
package.

Resolves:
https://pagure.io/SSSD/sssd/issue/3621

Signed-off-by: Fabiano Fidêncio 
---
 src/providers/ipa/ipa_deskprofile_rules_util.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c
index c56075ef6..00a69313a 100644
--- a/src/providers/ipa/ipa_deskprofile_rules_util.c
+++ b/src/providers/ipa/ipa_deskprofile_rules_util.c
@@ -809,7 +809,7 @@ ipa_deskprofile_rules_save_rule_to_disk(
 goto done;
 }
 
-fd = open(filename_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
+fd = open(filename_path, O_WRONLY | O_CREAT | O_TRUNC, 0660);
 if (fd == -1) {
 ret = errno;
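Review bot: the commit message of this patch says the permissions are changed "to 0600", but the hunk changes the `open()` mode from 0600 to 0660, and the subject mentions only the group. Update the message to state 0660 so that the log matches the code.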
 

[SSSD] [sssd PR#497][opened] sysdb: sanitize search filter input

2018-01-22 Thread sumit-bose
   URL: https://github.com/SSSD/sssd/pull/497
Author: sumit-bose
 Title: #497: sysdb: sanitize search filter input
Action: opened

PR body:
"""
Backport of commit 1f2662c8f97c9c0fa250055d4b6750abfc6d0835
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/497/head:pr497
git checkout pr497
From 7e361e3a8a125808a493a7a536aff2224ac0f5e1 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Mon, 22 Jan 2018 11:02:09 +0100
Subject: [PATCH] sysdb: sanitize search filter input

Backport of commit 1f2662c8f97c9c0fa250055d4b6750abfc6d0835
---
 src/db/sysdb_ops.c  | 55 +++--
 src/tests/sysdb-tests.c |  7 +++
 2 files changed, 51 insertions(+), 11 deletions(-)

diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
index 5d4546867..8b13c83c0 100644
--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
@@ -598,6 +598,7 @@ int sysdb_search_user_by_upn_res(TALLOC_CTX *mem_ctx,
 int ret;
 const char *def_attrs[] = { SYSDB_NAME, SYSDB_UPN, SYSDB_CANONICAL_UPN,
 SYSDB_USER_EMAIL, NULL };
+char *sanitized;
 
 tmp_ctx = talloc_new(NULL);
 if (tmp_ctx == NULL) {
@@ -605,6 +606,12 @@ int sysdb_search_user_by_upn_res(TALLOC_CTX *mem_ctx,
 goto done;
 }
 
+ret = sss_filter_sanitize(tmp_ctx, upn, );
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "sss_filter_sanitize failed.\n");
+goto done;
+}
+
 base_dn = sysdb_base_dn(domain->sysdb, tmp_ctx);
 if (base_dn == NULL) {
 ret = ENOMEM;
@@ -613,7 +620,7 @@ int sysdb_search_user_by_upn_res(TALLOC_CTX *mem_ctx,
 
 ret = ldb_search(domain->sysdb->ldb, tmp_ctx, ,
  base_dn, LDB_SCOPE_SUBTREE, attrs ? attrs : def_attrs,
- SYSDB_PWUPN_FILTER, upn, upn, upn);
+ SYSDB_PWUPN_FILTER, sanitized, sanitized, sanitized);
 if (ret != EOK) {
 ret = sysdb_error_to_errno(ret);
 goto done;
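Review bot: the three `sanitized` arguments in the `ldb_search()` call have to match the number of `%s` templates in `SYSDB_PWUPN_FILTER` on the branch this lands on, and the PR discussion notes that the number of templates changed, so the patch cannot go to sssd-1-13 unchanged. Please confirm the count against the macro definition on the target branch; a mismatch in a varargs call would not show up as a patch conflict.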
@@ -4625,12 +4632,13 @@ errno_t sysdb_remove_attrs(struct sss_domain_info *domain,
 return ret;
 }
 
-static errno_t sysdb_search_object_by_str_attr(TALLOC_CTX *mem_ctx,
-   struct sss_domain_info *domain,
-   const char *filter_tmpl,
-   const char *str,
-   const char **attrs,
-   struct ldb_result **_res)
+static errno_t sysdb_search_object_by_str_attr_ex(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ const char *filter_tmpl,
+ const char *str,
+ const char **attrs,
+ bool sanitize_input,
+ struct ldb_result **_res)
 {
 TALLOC_CTX *tmp_ctx;
 const char *def_attrs[] = { SYSDB_NAME, SYSDB_UIDNUM, SYSDB_GIDNUM,
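Review bot: the new `bool sanitize_input` parameter of `sysdb_search_object_by_str_attr_ex()` has no comment saying when a caller may pass false. Document above the function that false is acceptable only when `str` is already escaped or cannot contain filter metacharacters, so that later callers do not skip sanitization by accident.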
@@ -4640,12 +4648,25 @@ static errno_t sysdb_search_object_by_str_attr(TALLOC_CTX *mem_ctx,
 struct ldb_dn *basedn;
 int ret;
 struct ldb_result *res = NULL;
+char *sanitized = NULL;
+
+if (str == NULL) {
+return EINVAL;
+}
 
 tmp_ctx = talloc_new(NULL);
 if (!tmp_ctx) {
 return ENOMEM;
 }
 
+if (sanitize_input) {
+ret = sss_filter_sanitize(tmp_ctx, str, );
+if (ret != EOK) {
+DEBUG(SSSDBG_OP_FAILURE, "sss_filter_sanitize failed.\n");
+goto done;
+}
+}
+
 basedn = ldb_dn_new_fmt(tmp_ctx, domain->sysdb->ldb, SYSDB_DOM_BASE,
 domain->name);
 if (basedn == NULL) {
@@ -4656,7 +4677,7 @@ static errno_t sysdb_search_object_by_str_attr(TALLOC_CTX *mem_ctx,
 
 ret = ldb_search(domain->sysdb->ldb, tmp_ctx, ,
  basedn, LDB_SCOPE_SUBTREE, attrs?attrs:def_attrs,
- filter_tmpl, str);
+ filter_tmpl, sanitized == NULL ? str : sanitized);
 if (ret != EOK) {
 ret = sysdb_error_to_errno(ret);
 DEBUG(SSSDBG_OP_FAILURE, "ldb_search failed.\n");
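Review bot: the filter argument is chosen with `sanitized == NULL ? str : sanitized`, which ties the choice to the pointer's value instead of to `sanitize_input`. Selecting on the flag (`sanitize_input ? sanitized : str`) makes it explicit that the raw string reaches the filter only when the caller asked for that.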
@@ -4694,6 +4715,17 @@ static errno_t sysdb_search_object_by_str_attr(TALLOC_CTX *mem_ctx,
 return ret;
 }
 
+static errno_t sysdb_search_object_by_str_attr(TALLOC_CTX *mem_ctx,
+   struct sss_domain_info *domain,
+   const char *filter_tmpl,
+   const char *str,
+   const char **attrs,
+   struct ldb_result **_res)
+{
+return sysdb_search_object_by_str_attr_ex(mem_ctx, domain, filter_tmpl, str,
+  attrs, true, _res);
+}
+
 errno_t sysdb_search_object_by_sid(TALLOC_CTX *mem_ctx,
   

[SSSD] [sssd PR#495][comment] DESKPROFILE: Add checks for user and host category

2018-01-22 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/495
Title: #495: DESKPROFILE: Add checks for user and host category

fidencio commented:
"""
Steps to reproduce the issue:
1. git clone https://github.com/fidencio/fleet-commander-vagans 
2. In the project's folder do: cd fleet-commander; vagrant up
3. Once the VMs are provisioned, access cockpit: 
https://master.ipa.example:9090/
4. Click in the "FleetCommander" tab
5. Close the windows that will open
6. Click in "Add Profile"
7. Add a profile without filling out Hosts and Hostgroups
8. From the fleet-commander folder, do: vagrant ssh ipaclient
8.1: ssh to the machine using admin's user: ssh -l admin localhost
8.2: Close the admin session
8.3 As root, take a look at journalctl -xe and a message about a crash will 
be seen.

With the patch, 8.3 won't happen and your profile will be downloaded to 
/var/lib/deskprofile/ipa.example/admin/

NOTE: If your way to test it is through a fedpkg build, be aware of: 
https://bugzilla.redhat.com/show_bug.cgi?id=1536854
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/495#issuecomment-359338285