[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

fidencio commented:
"""
Thanks for the review, @simo5. I'll add the accepted label (per your review) as soon as I hear back from Oliver (from FleetCommander) that his tests passed as well.
"""

See the full comment at https://github.com/SSSD/sssd/pull/498#issuecomment-365449789
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

simo5 commented:
"""
I cannot set labels, but ACK
"""

See the full comment at https://github.com/SSSD/sssd/pull/498#issuecomment-365428458
[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

fidencio commented:
"""
@simo5, updated the patches according to your suggestion and did a local test here and it works like a charm.
"""

See the full comment at https://github.com/SSSD/sssd/pull/498#issuecomment-365423441
[SSSD] [sssd PR#498][synchronized] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498 Author: fidencio Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/498/head:pr498 git checkout pr498 From 0a2b0848a4491394f9acabdcc18d34b209f57765 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=Date: Tue, 13 Feb 2018 22:02:45 +0100 Subject: [PATCH 1/6] DESKPROFILE: Harden the permission of deskprofilepath MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit After discussing the permissions with Simo, we have agreed on having the deskprofile dir with the minimal set of permissions needed Related: https://pagure.io/SSSD/sssd/issue/3621 Signed-off-by: Fabiano FidĂȘncio --- contrib/sssd.spec.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in index f4430b424..37efcbff5 100644 --- a/contrib/sssd.spec.in +++ b/contrib/sssd.spec.in @@ -968,7 +968,7 @@ done %if (0%{?with_secrets} == 1) %attr(700,root,root) %dir %{secdbpath} %endif -%attr(755,sssd,sssd) %dir %{deskprofilepath} +%attr(751,sssd,sssd) %dir %{deskprofilepath} %ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/passwd %ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/group %ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/initgroups From 050cb8fc5785bee9ad392d320d0eaa994b6bb708 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Sat, 20 Jan 2018 15:06:37 +0100 Subject: [PATCH 2/6] DESKPROFILE: Soften umask for the domain's dir MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The default umask (0177) is way too strict, not allowing us to create the domain's dir, which has to have its mode set as 751. In order to solve this, let's soften the umask to 0026. This issue was exposed due to CAP_DAC_OVERRIDE being removed from Fedora package. Resolves: https://pagure.io/SSSD/sssd/issue/3621 Signed-off-by: Fabiano FidĂȘncio --- src/providers/ipa/ipa_deskprofile_rules_util.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c index 01b7d0527..989f3aadd 100644 --- a/src/providers/ipa/ipa_deskprofile_rules_util.c +++ b/src/providers/ipa/ipa_deskprofile_rules_util.c @@ -229,6 +229,7 @@ ipa_deskprofile_rules_create_user_dir( char *domain; char *domain_dir; errno_t ret; +mode_t old_umask; tmp_ctx = talloc_new(NULL); if (tmp_ctx == NULL) { @@ -243,8 +244,10 @@ ipa_deskprofile_rules_create_user_dir( goto done; } -ret = sss_create_dir(IPA_DESKPROFILE_RULES_USER_DIR, domain, 0755, +old_umask = umask(0026); +ret = sss_create_dir(IPA_DESKPROFILE_RULES_USER_DIR, domain, 0751, getuid(), getgid()); +umask(old_umask); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create the directory \"%s/%s\" that would be used to " From 2f40a0b24cf25e9e76f3fecee8358d1c0ccfc9c6 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Sat, 20 Jan 2018 23:58:14 +0100 Subject: [PATCH 3/6] DESKPROFILE: Fix the permissions and soften the umask for user's dir MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The user dir has been created as 0600 and owned by the user. It doesn't work anymore as CAP_DAC_OVERRIDE has been dropped from our systemd service upstream. In order to have it working again, let's change it to 0700 (as the executable bit is needed for creating a file inside a folder) and soften the default umask from (0177) to (0077) to be able to create this dir. This issue was exposed due to CAP_DAC_OVERRIDE being removed from Fedora package. Resolves: https://pagure.io/SSSD/sssd/issue/3621 Signed-off-by: Fabiano FidĂȘncio --- src/providers/ipa/ipa_deskprofile_rules_util.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c index 989f3aadd..0846b16f6 100644 --- a/src/providers/ipa/ipa_deskprofile_rules_util.c +++ b/src/providers/ipa/ipa_deskprofile_rules_util.c @@ -264,7 +264,11 @@ ipa_deskprofile_rules_create_user_dir( goto done; } -ret = sss_create_dir(domain_dir, shortname, 0600, uid, gid); +/* In order to read, create and traverse the directory, we need to have its + * permissions set as 'rwx--' (700). */ +old_umask = umask(0077); +ret = sss_create_dir(domain_dir, shortname, 0700, uid, gid); +umask(old_umask); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE,
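Review bot: In the contrib/sssd.spec.in hunk of patch 1/6, the switch to `%attr(751,sssd,sssd) %dir %{deskprofilepath}` has no comment saying why others keep the execute bit but lose read, and the commit message only says "the minimal set of permissions needed". If the intent is that users can still traverse to their own profile directory but can no longer list the parent, a one-line spec comment stating that would make the choice auditable. The same value is hardcoded again as `0751` for the domain directory in patch 2/6, so the two have to be kept in sync by hand; note that next to one of them.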
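Review bot: In the second hunk of patch 2/6 (@@ -243,8 +244,10), `umask(0026)` is an unexplained magic number: it is the exact complement of the requested 0751, so the mode argument and the mask have to change together, but nothing in the code says so. Add a comment like the one patch 3/6 adds for the user directory, or compute the mask from the mode. Since umask() is process-wide, restoring the old value right after sss_create_dir() and before the `ret != EOK` check is the right order; keep it that way so that no error path leaves with the softened mask. The visible hunks add no include, so confirm that the header declaring umask() and mode_t is already pulled into ipa_deskprofile_rules_util.c.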
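Review bot: The comment added in patch 3/6 (@@ -264,7 +264,11) gives the mode as 'rwx--', which is not a complete permission string; for 0700 it should read 'rwx------'. The save, `umask(0077)`, restore sequence is also the second copy of the same pattern in ipa_deskprofile_rules_create_user_dir(), so a small helper that takes the mode and derives the mask would remove the duplicated magic numbers. The hunk is cut off after `DEBUG(SSSDBG_CRIT_FAILURE,` on this page, so the error path after the call cannot be checked from here.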
[SSSD] [sssd PR#496][comment] sysdb: sanitize search filter input - backport sssd-1-13
URL: https://github.com/SSSD/sssd/pull/496
Title: #496: sysdb: sanitize search filter input - backport sssd-1-13

jhrozek commented:
"""
I put it on my todo list, but only after some authselect reviews, so if anyone beats me to the review, I won't be mad.
"""

See the full comment at https://github.com/SSSD/sssd/pull/496#issuecomment-365387240
[SSSD] [sssd PR#496][comment] sysdb: sanitize search filter input - backport sssd-1-13
URL: https://github.com/SSSD/sssd/pull/496
Title: #496: sysdb: sanitize search filter input - backport sssd-1-13

fidencio commented:
"""
@jhrozek, @pbrezina, @mzidek-rh ... may I ask you guys for a review of this patch?
"""

See the full comment at https://github.com/SSSD/sssd/pull/496#issuecomment-365302148
[SSSD] [sssd PR#475][+Pushed] AD: Use the right sdap_domain for the forest root
URL: https://github.com/SSSD/sssd/pull/475
Title: #475: AD: Use the right sdap_domain for the forest root

Label: +Pushed
[SSSD] [sssd PR#475][comment] AD: Use the right sdap_domain for the forest root
URL: https://github.com/SSSD/sssd/pull/475
Title: #475: AD: Use the right sdap_domain for the forest root

lslebodn commented:
"""
master:
* 9ac071272ce0152eb293d3181a5c12b395655521
"""

See the full comment at https://github.com/SSSD/sssd/pull/475#issuecomment-365294269
[SSSD] [sssd PR#475][closed] AD: Use the right sdap_domain for the forest root
URL: https://github.com/SSSD/sssd/pull/475
Author: jhrozek
Title: #475: AD: Use the right sdap_domain for the forest root
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/475/head:pr475
git checkout pr475
[SSSD] [sssd PR#475][+Accepted] AD: Use the right sdap_domain for the forest root
URL: https://github.com/SSSD/sssd/pull/475
Title: #475: AD: Use the right sdap_domain for the forest root

Label: +Accepted
[SSSD] [sssd PR#475][comment] AD: Use the right sdap_domain for the forest root
URL: https://github.com/SSSD/sssd/pull/475
Title: #475: AD: Use the right sdap_domain for the forest root

lslebodn commented:
"""
I ran tests twice in clean environment and it is fixed. I had to mix something up yesterday.

ACK

Thank you very much for fixing this regression and sorry for long interval between reviews.
"""

See the full comment at https://github.com/SSSD/sssd/pull/475#issuecomment-365293899
[SSSD] [sssd PR#508][comment] Fix/suppress few gcc8 warnings
URL: https://github.com/SSSD/sssd/pull/508
Title: #508: Fix/suppress few gcc8 warnings

lslebodn commented:
"""
master:
* bd5f48540b25dae81c43feb1d6aba4175da52098
* fcf6a9f34c475b9bbae54311703e87acd5fb8d1a
* c53997720b231ad61af435a3124c7ecd731fc99b
* 2951a9a84bd85f384213a3e071ffc167907df2d7
* 187f68360de1e452afce699706a4253f3fc71a1f
* 35eb23755657e76ac600bae512846a4e485997e5
* 1b6965fd09e4e6a6b5ba76b8221ca3980bcc56b4
"""

See the full comment at https://github.com/SSSD/sssd/pull/508#issuecomment-365287426
[SSSD] [sssd PR#508][+Pushed] Fix/suppress few gcc8 warnings
URL: https://github.com/SSSD/sssd/pull/508
Title: #508: Fix/suppress few gcc8 warnings

Label: +Pushed
[SSSD] [sssd PR#508][closed] Fix/suppress few gcc8 warnings
URL: https://github.com/SSSD/sssd/pull/508
Author: lslebodn
Title: #508: Fix/suppress few gcc8 warnings
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/508/head:pr508
git checkout pr508
[SSSD] [sssd PR#508][+Accepted] Fix/suppress few gcc8 warnings
URL: https://github.com/SSSD/sssd/pull/508
Title: #508: Fix/suppress few gcc8 warnings

Label: +Accepted
[SSSD] [sssd PR#496][comment] sysdb: sanitize search filter input - backport sssd-1-13
URL: https://github.com/SSSD/sssd/pull/496
Title: #496: sysdb: sanitize search filter input - backport sssd-1-13

fidencio commented:
"""
ping! I either need a second reviewer here or a word saying that just my review is enough!
"""

See the full comment at https://github.com/SSSD/sssd/pull/496#issuecomment-365192298
[SSSD] [sssd PR#508][comment] Fix/suppress few gcc8 warnings
URL: https://github.com/SSSD/sssd/pull/508
Title: #508: Fix/suppress few gcc8 warnings

fidencio commented:
"""
Btw, I am from the mobile nowadays and I didn't find a way to add the Accepted label. If someone else can do that for me, that would be appreciated.
"""

See the full comment at https://github.com/SSSD/sssd/pull/508#issuecomment-365191589
[SSSD] [sssd PR#508][comment] Fix/suppress few gcc8 warnings
URL: https://github.com/SSSD/sssd/pull/508
Title: #508: Fix/suppress few gcc8 warnings

fidencio commented:
"""
CI: http://vm-031.${abc}/logs/job/83/77/summary.html

There's a failure on rawhide, but it's been happening for a while and is not related to this patch.

I am sorry it took so long to ack it and I guess my message on #sssd was missed.

Ack!
"""

See the full comment at https://github.com/SSSD/sssd/pull/508#issuecomment-365191230