[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE

2018-02-13 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

fidencio commented:
"""
Thanks for the review, @simo5. I'll add the accepted label (per your review) as 
soon as I hear back from Oliver (from FleetCommander) that his tests passed as 
well.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/498#issuecomment-365449789
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org


[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE

2018-02-13 Thread simo5
  URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

simo5 commented:
"""
I cannot set labels, but ACK
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/498#issuecomment-365428458


[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE

2018-02-13 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

fidencio commented:
"""
@simo5, updated the patches according to your suggestion and did a local test 
here and it works like a charm.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/498#issuecomment-365423441


[SSSD] [sssd PR#498][synchronized] DESKPROFILE: Do not require CAP_DAC_OVERRIDE

2018-02-13 Thread fidencio
   URL: https://github.com/SSSD/sssd/pull/498
Author: fidencio
 Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/498/head:pr498
git checkout pr498
From 0a2b0848a4491394f9acabdcc18d34b209f57765 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= 
Date: Tue, 13 Feb 2018 22:02:45 +0100
Subject: [PATCH 1/6] DESKPROFILE: Harden the permission of deskprofilepath
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

After discussing the permissions with Simo, we have agreed on
having the deskprofile dir with the minimal set of permissions
needed.

Related:
https://pagure.io/SSSD/sssd/issue/3621

Signed-off-by: Fabiano Fidêncio
---
 contrib/sssd.spec.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index f4430b424..37efcbff5 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -968,7 +968,7 @@ done
 %if (0%{?with_secrets} == 1)
 %attr(700,root,root) %dir %{secdbpath}
 %endif
-%attr(755,sssd,sssd) %dir %{deskprofilepath}
+%attr(751,sssd,sssd) %dir %{deskprofilepath}
 %ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/passwd
 %ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/group
 %ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/initgroups
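
Review bot: the new %attr(751,sssd,sssd) on %{deskprofilepath} keeps the search bit for others, but the commit message only says "the minimal set of permissions needed" and never names who depends on that remaining o+x. Suggest stating the accessor in the commit message or in a spec comment next to this line, so the mode is not later widened back to 755 or narrowed to 750 by someone who cannot tell which bit matters. Minor style point: the neighbouring %ghost entries use the four-digit form (0644), so 0751 would be consistent with them.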

From 050cb8fc5785bee9ad392d320d0eaa994b6bb708 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= 
Date: Sat, 20 Jan 2018 15:06:37 +0100
Subject: [PATCH 2/6] DESKPROFILE: Soften umask for the domain's dir
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The default umask (0177) is way too strict, not allowing us to create
the domain's dir, which has to have its mode set as 751.

In order to solve this, let's soften the umask to 0026.

This issue was exposed due to CAP_DAC_OVERRIDE being removed from Fedora
package.

Resolves:
https://pagure.io/SSSD/sssd/issue/3621

Signed-off-by: Fabiano Fidêncio
---
 src/providers/ipa/ipa_deskprofile_rules_util.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c
index 01b7d0527..989f3aadd 100644
--- a/src/providers/ipa/ipa_deskprofile_rules_util.c
+++ b/src/providers/ipa/ipa_deskprofile_rules_util.c
@@ -229,6 +229,7 @@ ipa_deskprofile_rules_create_user_dir(
 char *domain;
 char *domain_dir;
 errno_t ret;
+mode_t old_umask;
 
 tmp_ctx = talloc_new(NULL);
 if (tmp_ctx == NULL) {
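
Review bot: old_umask is declared as mode_t and is used with umask() later in this function, yet none of the four insertions in this patch is an #include. Please confirm the file already pulls in <sys/types.h> and <sys/stat.h> directly rather than through a transitive include.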
@@ -243,8 +244,10 @@ ipa_deskprofile_rules_create_user_dir(
 goto done;
 }
 
-ret = sss_create_dir(IPA_DESKPROFILE_RULES_USER_DIR, domain, 0755,
+old_umask = umask(0026);
+ret = sss_create_dir(IPA_DESKPROFILE_RULES_USER_DIR, domain, 0751,
  getuid(), getgid());
+umask(old_umask);
 if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE,
   "Failed to create the directory \"%s/%s\" that would be used to "
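
Review bot: the umask(0026) call in front of sss_create_dir() carries no comment, so the reader has to work out that 0026 is exactly the mask that lets 0751 through unchanged (0751 & ~0026 = 0751). Suggest a one-line comment as patch 3/6 does, or deriving the mask from the mode so the two constants cannot drift apart. umask() is also process-wide state: the save and restore pair is only safe while nothing else creates files between the two calls, and the hunk does not show what sss_create_dir() does when the directory already exists with the mode an older version left behind.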

From 2f40a0b24cf25e9e76f3fecee8358d1c0ccfc9c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= 
Date: Sat, 20 Jan 2018 23:58:14 +0100
Subject: [PATCH 3/6] DESKPROFILE: Fix the permissions and soften the umask for
 user's dir
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The user dir has been created as 0600 and owned by the user. It doesn't
work anymore as CAP_DAC_OVERRIDE has been dropped from our systemd
service upstream.

In order to have it working again, let's change it to 0700 (as the
executable bit is needed for creating a file inside a folder) and soften
the default umask from (0177) to (0077) to be able to create this dir.

This issue was exposed due to CAP_DAC_OVERRIDE being removed from Fedora
package.

Resolves:
https://pagure.io/SSSD/sssd/issue/3621

Signed-off-by: Fabiano Fidêncio
---
 src/providers/ipa/ipa_deskprofile_rules_util.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c
index 989f3aadd..0846b16f6 100644
--- a/src/providers/ipa/ipa_deskprofile_rules_util.c
+++ b/src/providers/ipa/ipa_deskprofile_rules_util.c
@@ -264,7 +264,11 @@ ipa_deskprofile_rules_create_user_dir(
 goto done;
 }
 
-ret = sss_create_dir(domain_dir, shortname, 0600, uid, gid);
+/* In order to read, create and traverse the directory, we need to have its
+ * permissions set as 'rwx--' (700). */
+old_umask = umask(0077);
+ret = sss_create_dir(domain_dir, shortname, 0700, uid, gid);
+umask(old_umask);
 if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE,
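
Review bot: the added comment spells the mode as 'rwx--', which is not a valid nine-character permission string; for 0700 it should read 'rwx------'. The reason given in the commit message (the executable bit is needed to create a file inside the directory) would serve the reader better in that comment than the restated mode. The save umask, create, restore sequence is now repeated from the domain-dir call earlier in the same function; a small helper taking the mode would keep the two call sites in step.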
  

[SSSD] [sssd PR#496][comment] sysdb: sanitize search filter input - backport sssd-1-13

2018-02-13 Thread jhrozek
  URL: https://github.com/SSSD/sssd/pull/496
Title: #496: sysdb: sanitize search filter input - backport sssd-1-13

jhrozek commented:
"""
I put it on my todo list, but only after some authselect reviews, so if anyone 
beats me to the review, I won't be mad.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/496#issuecomment-365387240


[SSSD] [sssd PR#496][comment] sysdb: sanitize search filter input - backport sssd-1-13

2018-02-13 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/496
Title: #496: sysdb: sanitize search filter input - backport sssd-1-13

fidencio commented:
"""
@jhrozek, @pbrezina, @mzidek-rh ... may I ask you guys for a review of this 
patch?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/496#issuecomment-365302148


[SSSD] [sssd PR#475][+Pushed] AD: Use the right sdap_domain for the forest root

2018-02-13 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/475
Title: #475: AD: Use the right sdap_domain for the forest root

Label: +Pushed


[SSSD] [sssd PR#475][comment] AD: Use the right sdap_domain for the forest root

2018-02-13 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/475
Title: #475: AD: Use the right sdap_domain for the forest root

lslebodn commented:
"""
master:
* 9ac071272ce0152eb293d3181a5c12b395655521
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/475#issuecomment-365294269


[SSSD] [sssd PR#475][closed] AD: Use the right sdap_domain for the forest root

2018-02-13 Thread lslebodn
   URL: https://github.com/SSSD/sssd/pull/475
Author: jhrozek
 Title: #475: AD: Use the right sdap_domain for the forest root
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/475/head:pr475
git checkout pr475


[SSSD] [sssd PR#475][+Accepted] AD: Use the right sdap_domain for the forest root

2018-02-13 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/475
Title: #475: AD: Use the right sdap_domain for the forest root

Label: +Accepted


[SSSD] [sssd PR#475][comment] AD: Use the right sdap_domain for the forest root

2018-02-13 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/475
Title: #475: AD: Use the right sdap_domain for the forest root

lslebodn commented:
"""
I ran tests twice in clean environment and it is fixed.
I had to mix something up yesterday.

ACK

Thank you very much for fixing this regression and sorry for long interval 
between reviews.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/475#issuecomment-365293899


[SSSD] [sssd PR#508][comment] Fix/suppress few gcc8 warnings

2018-02-13 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/508
Title: #508: Fix/suppress few gcc8 warnings

lslebodn commented:
"""
master:
* bd5f48540b25dae81c43feb1d6aba4175da52098
* fcf6a9f34c475b9bbae54311703e87acd5fb8d1a
* c53997720b231ad61af435a3124c7ecd731fc99b
* 2951a9a84bd85f384213a3e071ffc167907df2d7
* 187f68360de1e452afce699706a4253f3fc71a1f
* 35eb23755657e76ac600bae512846a4e485997e5
* 1b6965fd09e4e6a6b5ba76b8221ca3980bcc56b4
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/508#issuecomment-365287426


[SSSD] [sssd PR#508][+Pushed] Fix/suppress few gcc8 warnings

2018-02-13 Thread lslebodn
  URL: https://github.com/SSSD/sssd/pull/508
Title: #508: Fix/suppress few gcc8 warnings

Label: +Pushed


[SSSD] [sssd PR#508][closed] Fix/suppress few gcc8 warnings

2018-02-13 Thread lslebodn
   URL: https://github.com/SSSD/sssd/pull/508
Author: lslebodn
 Title: #508: Fix/suppress few gcc8 warnings
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/508/head:pr508
git checkout pr508


[SSSD] [sssd PR#508][+Accepted] Fix/suppress few gcc8 warnings

2018-02-13 Thread pbrezina
  URL: https://github.com/SSSD/sssd/pull/508
Title: #508: Fix/suppress few gcc8 warnings

Label: +Accepted


[SSSD] [sssd PR#496][comment] sysdb: sanitize search filter input - backport sssd-1-13

2018-02-13 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/496
Title: #496: sysdb: sanitize search filter input - backport sssd-1-13

fidencio commented:
"""
ping!
I either need a second reviewer here or a word saying that just my review is 
enough!
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/496#issuecomment-365192298


[SSSD] [sssd PR#508][comment] Fix/suppress few gcc8 warnings

2018-02-13 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/508
Title: #508: Fix/suppress few gcc8 warnings

fidencio commented:
"""
Btw, I am from the mobile now a days I didn't find a way to add the Accepted 
label. If someone else can do that for me, that would be appreciated.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/508#issuecomment-365191589


[SSSD] [sssd PR#508][comment] Fix/suppress few gcc8 warnings

2018-02-13 Thread fidencio
  URL: https://github.com/SSSD/sssd/pull/508
Title: #508: Fix/suppress few gcc8 warnings

fidencio commented:
"""
CI: http://vm-031.${abc}/logs/job/83/77/summary.html

There's a failure on rawhide, but it's been happening for a while and is not 
related to this patch.

I am sorry it took so long to ack it and I guess my message on #sssd was missed.

Ack!
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/508#issuecomment-365191230