[SSSD] [sssd PR#516][comment] DESKPROFILE: Document it doesn't work when run as unprivileged user
URL: https://github.com/SSSD/sssd/pull/516 Title: #516: DESKPROFILE: Document it doesn't work when run as unprivileged user fidencio commented: """ Changes done according to your suggestion. Thanks for the review and I'm removing the "Changes Requested" label. """ See the full comment at https://github.com/SSSD/sssd/pull/516#issuecomment-366889568 ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#516][-Changes requested] DESKPROFILE: Document it doesn't work when run as unprivileged user
URL: https://github.com/SSSD/sssd/pull/516 Title: #516: DESKPROFILE: Document it doesn't work when run as unprivileged user Label: -Changes requested
[SSSD] [sssd PR#516][synchronized] DESKPROFILE: Document it doesn't work when run as unprivileged user
URL: https://github.com/SSSD/sssd/pull/516 Author: fidencio Title: #516: DESKPROFILE: Document it doesn't work when run as unprivileged user Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/516/head:pr516 git checkout pr516 From aa179f6f62231dff4e5a108064cd1e91b7a9008d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=Date: Fri, 16 Feb 2018 13:12:32 +0100 Subject: [PATCH] DESKPROFILE: Document it doesn't work when run as unprivileged user MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Fabiano Fidêncio --- src/man/sssd.conf.5.xml | 5 + 1 file changed, 5 insertions(+) diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 67856d2b3..1701d888a 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -2461,6 +2461,11 @@ pam_account_locked_message = Account locked, please contact help desk. Default: id_provider is used if it is set and can perform session related tasks. + +In order to have this feature working as expected, +SSSD must be running as "root" and not as the +unprivileged user. + ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
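Review bot: the paragraph added to src/man/sssd.conf.5.xml says only that SSSD "must be running as "root" and not as the unprivileged user", without telling the reader what they will observe otherwise or which setting decides the user SSSD runs as. Suggest naming the configuration option that selects the service user and describing the failure in one sentence, so an administrator who deliberately runs SSSD unprivileged can see that this feature is the trade-off. The opening would also read better as "In order for this feature to work as expected".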
[SSSD] [sssd PR#520][+Accepted] DESKPROFILE: Fix 'Improper use of negative value'
URL: https://github.com/SSSD/sssd/pull/520 Title: #520: DESKPROFILE: Fix 'Improper use of negative value' Label: +Accepted
[SSSD] [sssd PR#520][comment] DESKPROFILE: Fix 'Improper use of negative value'
URL: https://github.com/SSSD/sssd/pull/520 Title: #520: DESKPROFILE: Fix 'Improper use of negative value' fidencio commented: """ Ouch, I've missed it in just one place. Thanks for the patch, @sumit-bose! ACK! """ See the full comment at https://github.com/SSSD/sssd/pull/520#issuecomment-366889213
[SSSD] [sssd PR#394][+Rejected] TESTS: Add an integration test for renaming incomplete groups during initgroups
URL: https://github.com/SSSD/sssd/pull/394 Title: #394: TESTS: Add an integration test for renaming incomplete groups during initgroups Label: +Rejected
[SSSD] [sssd PR#128][comment] Fix group renaming issue when "id_provider = ldap" is set
URL: https://github.com/SSSD/sssd/pull/128 Title: #128: Fix group renaming issue when "id_provider = ldap" is set fidencio commented: """ Patch set has been updated. It already includes the tests provided on #394. """ See the full comment at https://github.com/SSSD/sssd/pull/128#issuecomment-366779085
[SSSD] [sssd PR#128][-Changes requested] Fix group renaming issue when "id_provider = ldap" is set
URL: https://github.com/SSSD/sssd/pull/128 Title: #128: Fix group renaming issue when "id_provider = ldap" is set Label: -Changes requested
[SSSD] [sssd PR#128][synchronized] Fix group renaming issue when "id_provider = ldap" is set
URL: https://github.com/SSSD/sssd/pull/128 Author: fidencio Title: #128: Fix group renaming issue when "id_provider = ldap" is set Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/128/head:pr128 git checkout pr128 From 36b52887d4b9028a7315790addf7a4432aa56c1d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=Date: Fri, 16 Feb 2018 13:55:53 +0100 Subject: [PATCH 01/15] NSS: Add InvalidateGroupById handler MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There are some situations where, from the backend, the NSS responder will have to be notified to invalidate a group. In order to achieve this in a clean way, let's add the InvalidateGroupById handler and make use of it later in this very same series. Related: https://pagure.io/SSSD/sssd/issue/2653 Signed-off-by: Fabiano Fidêncio --- src/responder/nss/nss_iface.c | 16 ++ src/responder/nss/nss_iface.xml | 3 +++ src/responder/nss/nss_iface_generated.c | 38 + src/responder/nss/nss_iface_generated.h | 5 + 4 files changed, 62 insertions(+) diff --git a/src/responder/nss/nss_iface.c b/src/responder/nss/nss_iface.c index 415af9550..805e4fcdf 100644 --- a/src/responder/nss/nss_iface.c +++ b/src/responder/nss/nss_iface.c 
@@ -199,12 +199,28 @@ int nss_memorycache_update_initgroups(struct sbus_request *sbus_req, return iface_nss_memorycache_UpdateInitgroups_finish(sbus_req); } +int nss_memorycache_invalidate_group_by_id(struct sbus_request *sbus_req, + void *data, + gid_t gid) +{ +struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx); +struct nss_ctx *nctx = talloc_get_type(rctx->pvt_ctx, struct nss_ctx); + +DEBUG(SSSDBG_TRACE_LIBS, + "Invalidating group %"PRIu32" from memory cache\n", gid); + +sss_mmap_cache_gr_invalidate_gid(nctx->grp_mc_ctx, gid); + +return iface_nss_memorycache_InvalidateGroupById_finish(sbus_req); +} + struct iface_nss_memorycache iface_nss_memorycache = { { _nss_memorycache_meta, 0 }, .UpdateInitgroups = nss_memorycache_update_initgroups, .InvalidateAllUsers = nss_memorycache_invalidate_users, .InvalidateAllGroups = nss_memorycache_invalidate_groups, .InvalidateAllInitgroups = nss_memorycache_invalidate_initgroups, +.InvalidateGroupById = nss_memorycache_invalidate_group_by_id, }; static struct sbus_iface_map iface_map[] = { diff --git a/src/responder/nss/nss_iface.xml b/src/responder/nss/nss_iface.xml index 27aae0197..4d8cf14f9 100644 --- a/src/responder/nss/nss_iface.xml +++ b/src/responder/nss/nss_iface.xml @@ -14,5 +14,8 @@ + + + diff --git a/src/responder/nss/nss_iface_generated.c b/src/responder/nss/nss_iface_generated.c index 4a8b704da..8d5a4584b 100644 --- a/src/responder/nss/nss_iface_generated.c +++ b/src/responder/nss/nss_iface_generated.c @@ -12,6 +12,9 @@ /* invokes a handler with a 'ssau' DBus signature */ static int invoke_ssau_method(struct sbus_request *dbus_req, void *function_ptr); +/* invokes a handler with a 'u' DBus signature */ +static int invoke_u_method(struct sbus_request *dbus_req, void *function_ptr); + /* arguments for org.freedesktop.sssd.nss.MemoryCache.UpdateInitgroups */ const struct sbus_arg_meta iface_nss_memorycache_UpdateInitgroups__in[] = { { "user", "s" }, 
@@ -44,6 +47,18 @@ int iface_nss_memorycache_InvalidateAllInitgroups_finish(struct sbus_request *re DBUS_TYPE_INVALID); } +/* arguments for org.freedesktop.sssd.nss.MemoryCache.InvalidateGroupById */ +const struct sbus_arg_meta iface_nss_memorycache_InvalidateGroupById__in[] = { +{ "gid", "u" }, +{ NULL, } +}; + +int iface_nss_memorycache_InvalidateGroupById_finish(struct sbus_request *req) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_INVALID); +} + /* methods for org.freedesktop.sssd.nss.MemoryCache */ const struct sbus_method_meta iface_nss_memorycache__methods[] = { { @@ -74,6 +89,13 @@ const struct sbus_method_meta iface_nss_memorycache__methods[] = { offsetof(struct iface_nss_memorycache, InvalidateAllInitgroups), NULL, /* no invoker */ }, +{ +"InvalidateGroupById", /* name */ +iface_nss_memorycache_InvalidateGroupById__in, +NULL, /* no out_args */ +offsetof(struct iface_nss_memorycache, InvalidateGroupById), +invoke_u_method, +}, { NULL, } }; @@ -86,6 +108,22 @@ const struct sbus_interface_meta iface_nss_memorycache_meta = { sbus_invoke_get_all, /* GetAll invoker */ }; +/* invokes a handler with a 'u' DBus signature */ +static int invoke_u_method(struct
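Review bot: in nss_memorycache_invalidate_group_by_id() (src/responder/nss/nss_iface.c) the results of both talloc_get_type() calls are dereferenced without a NULL check, first as rctx->pvt_ctx and then as nctx->grp_mc_ctx, so a type mismatch on data would crash the responder instead of failing the request. Either check both pointers and return an error to the caller, or use talloc_get_type_abort() so the assumption is explicit.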
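Review bot: in src/responder/nss/nss_iface_generated.c the new method is declared with the argument { "gid", "u" } and dispatched through invoke_u_method, while the handler in nss_iface.c takes a gid_t and prints it with PRIu32; both rely on gid_t being a 32-bit unsigned type. A short comment at the handler, or a static assertion on sizeof(gid_t), would record that assumption. As the file name says it is generated, please also confirm it was regenerated from nss_iface.xml rather than edited by hand.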
[SSSD] [sssd PR#517][comment] Fix two memory leaks in the AD provider
URL: https://github.com/SSSD/sssd/pull/517 Title: #517: Fix two memory leaks in the AD provider sumit-bose commented: """ Sorry, there were some unrelated changes in the last commit. """ See the full comment at https://github.com/SSSD/sssd/pull/517#issuecomment-366748803
[SSSD] [sssd PR#517][-Changes requested] Fix two memory leaks in the AD provider
URL: https://github.com/SSSD/sssd/pull/517 Title: #517: Fix two memory leaks in the AD provider Label: -Changes requested
[SSSD] [sssd PR#517][comment] Fix two memory leaks in the AD provider
URL: https://github.com/SSSD/sssd/pull/517 Title: #517: Fix two memory leaks in the AD provider sumit-bose commented: """ oopsy, fixed version pushed. """ See the full comment at https://github.com/SSSD/sssd/pull/517#issuecomment-366703772
[SSSD] [sssd PR#517][synchronized] Fix two memory leaks in the AD provider
URL: https://github.com/SSSD/sssd/pull/517 Author: sumit-bose Title: #517: Fix two memory leaks in the AD provider Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/517/head:pr517 git checkout pr517 From 3296630559b3dfd697700cb73f32422c327e6379 Mon Sep 17 00:00:00 2001 From: Sumit BoseDate: Fri, 16 Feb 2018 12:07:28 +0100 Subject: [PATCH 1/2] AD: sdap_get_ad_tokengroups_done() allocate temporary data on state Related to https://pagure.io/SSSD/sssd/issue/3639 --- src/providers/ldap/sdap_async_initgroups_ad.c | 5 + 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c index 9da671a99..30f1d3db2 100644 --- a/src/providers/ldap/sdap_async_initgroups_ad.c +++ b/src/providers/ldap/sdap_async_initgroups_ad.c @@ -372,7 +372,6 @@ sdap_get_ad_tokengroups_send(TALLOC_CTX *mem_ctx, static void sdap_get_ad_tokengroups_done(struct tevent_req *subreq) { -TALLOC_CTX *tmp_ctx = NULL; struct sdap_get_ad_tokengroups_state *state = NULL; struct tevent_req *req = NULL; struct sysdb_attrs **users = NULL; @@ -386,7 +385,7 @@ static void sdap_get_ad_tokengroups_done(struct tevent_req *subreq) req = tevent_req_callback_data(subreq, struct tevent_req); state = tevent_req_data(req, struct sdap_get_ad_tokengroups_state); -ret = sdap_get_generic_recv(subreq, tmp_ctx, _users, ); +ret = sdap_get_generic_recv(subreq, state, _users, ); talloc_zfree(subreq); if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, @@ -449,8 +448,6 @@ static void sdap_get_ad_tokengroups_done(struct tevent_req *subreq) ret = EOK; done: -talloc_free(tmp_ctx); - if (ret != EOK) { tevent_req_error(req, ret); return; From 95f2375a904ae489f51ce6acc4a5318d591b86f1 Mon Sep 17 00:00:00 2001 
From: Sumit Bose Date: Fri, 16 Feb 2018 12:09:01 +0100 Subject: [PATCH 2/2] AD: do not allocate temporary data on long living context Related to https://pagure.io/SSSD/sssd/issue/3639 --- src/providers/ad/ad_common.c | 5 +++-- src/providers/ad/ad_common.h | 3 ++- src/providers/ad/ad_id.c | 2 +- src/providers/ipa/ipa_deskprofile_rules_util.c | 1 + src/sss_client/common.c| 2 +- src/tests/cmocka/test_ad_common.c | 4 ++-- 6 files changed, 10 insertions(+), 7 deletions(-) diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c index 84845e285..2a1647173 100644 --- a/src/providers/ad/ad_common.c +++ b/src/providers/ad/ad_common.c @@ -1402,13 +1402,14 @@ ad_ldap_conn_list(TALLOC_CTX *mem_ctx, } struct sdap_id_conn_ctx ** -ad_user_conn_list(struct ad_id_ctx *ad_ctx, +ad_user_conn_list(TALLOC_CTX *mem_ctx, + struct ad_id_ctx *ad_ctx, struct sss_domain_info *dom) { struct sdap_id_conn_ctx **clist; int cindex = 0; -clist = talloc_zero_array(ad_ctx, struct sdap_id_conn_ctx *, 3); +clist = talloc_zero_array(mem_ctx, struct sdap_id_conn_ctx *, 3); if (clist == NULL) { return NULL; } diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h index ce33b37c7..931aafc6c 100644 --- a/src/providers/ad/ad_common.h +++ b/src/providers/ad/ad_common.h @@ -175,7 +175,8 @@ ad_ldap_conn_list(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom); struct sdap_id_conn_ctx ** -ad_user_conn_list(struct ad_id_ctx *ad_ctx, +ad_user_conn_list(TALLOC_CTX *mem_ctx, + struct ad_id_ctx *ad_ctx, struct sss_domain_info *dom); struct sdap_id_conn_ctx * diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c index 0b8f49819..782d9bc40 100644 --- a/src/providers/ad/ad_id.c +++ b/src/providers/ad/ad_id.c 
@@ -367,7 +367,7 @@ get_conn_list(TALLOC_CTX *mem_ctx, struct ad_id_ctx *ad_ctx, switch (ar->entry_type & BE_REQ_TYPE_MASK) { case BE_REQ_USER: /* user */ -clist = ad_user_conn_list(ad_ctx, dom); +clist = ad_user_conn_list(mem_ctx, ad_ctx, dom); break; case BE_REQ_BY_SECID: /* by SID */ case BE_REQ_USER_AND_GROUP: /* get SID */ diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c index e52587378..8f4d4c90c 100644 --- a/src/providers/ipa/ipa_deskprofile_rules_util.c +++ b/src/providers/ipa/ipa_deskprofile_rules_util.c @@ -1065,6 +1065,7 @@ ipa_deskprofile_rules_remove_user_dir(const char *user_dir, if (getegid() != orig_gid) { ret = setegid(orig_gid); if (ret == -1) { +ret = errno; DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set effective user id (%"PRIu32") of the " "domain's process [%d]: %s\n", diff --git a/src/sss_client/common.c
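Review bot: in sdap_get_ad_tokengroups_done() (patch 1/2) the reply from sdap_get_generic_recv() is now parented to state and the talloc_free() at done: is removed, so the users array stays allocated until the whole request is freed. Judging by the diff, tmp_ctx was declared as NULL and never assigned, which is the actual cause of the leak and worth stating in the commit message. If the array is only needed inside this callback, consider keeping a real temporary context (tmp_ctx = talloc_new(state), freed at done:) or freeing users explicitly.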
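Review bot: the ad_user_conn_list() prototype in src/providers/ad/ad_common.h gains a mem_ctx parameter but no comment saying that the caller now owns the returned list. Please add a one-line comment on the prototype stating that clist is allocated on mem_ctx, and make sure every caller is converted in this same commit, including src/tests/cmocka/test_ad_common.c from the diffstat.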
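Review bot: the ret = errno; added in ipa_deskprofile_rules_remove_user_dir() is unrelated to the AD connection-list change named in the subject, as is the src/sss_client/common.c edit in the diffstat; please move both to their own commit. In the same setegid() failure branch the debug message reads "Unable to set effective user id" and should say group id.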
[SSSD] [sssd PR#517][comment] Fix two memory leaks in the AD provider
URL: https://github.com/SSSD/sssd/pull/517 Title: #517: Fix two memory leaks in the AD provider jhrozek commented: """ I think the patches look good in general, but the tests don't compile at the moment: ``` /home/remote/jhrozek/devel/sssd/src/tests/cmocka/test_ad_common.c: In function ‘test_user_conn_list’: /home/remote/jhrozek/devel/sssd/src/tests/cmocka/test_ad_common.c:775:35: warning: passing argument 2 of ‘ad_user_conn_list’ from incompatible pointer type [-Wincompatible-pointer-types] test_ctx->dom); ^~~~ In file included from /home/remote/jhrozek/devel/sssd/src/tests/cmocka/test_ad_common.c:40:0: /home/remote/jhrozek/devel/sssd/src/providers/ad/ad_common.c:1405:1: note: expected ‘struct ad_id_ctx *’ but argument is of type ‘struct sss_domain_info *’ ad_user_conn_list(TALLOC_CTX *mem_ctx, ^ /home/remote/jhrozek/devel/sssd/src/tests/cmocka/test_ad_common.c:774:17: error: too few arguments to function ‘ad_user_conn_list’ conn_list = ad_user_conn_list(test_ctx->ad_ctx, ^ In file included from /home/remote/jhrozek/devel/sssd/src/tests/cmocka/test_ad_common.c:40:0: /home/remote/jhrozek/devel/sssd/src/providers/ad/ad_common.c:1405:1: note: declared here ad_user_conn_list(TALLOC_CTX *mem_ctx, ^ /home/remote/jhrozek/devel/sssd/src/tests/cmocka/test_ad_common.c:784:35: warning: passing argument 2 of ‘ad_user_conn_list’ from incompatible pointer type [-Wincompatible-pointer-types] test_ctx->subdom); ^~~~ In file included from /home/remote/jhrozek/devel/sssd/src/tests/cmocka/test_ad_common.c:40:0: /home/remote/jhrozek/devel/sssd/src/providers/ad/ad_common.c:1405:1: note: expected ‘struct ad_id_ctx *’ but argument is of type ‘struct sss_domain_info *’ ad_user_conn_list(TALLOC_CTX *mem_ctx, ^
[SSSD] [sssd PR#517][+Changes requested] Fix two memory leaks in the AD provider
URL: https://github.com/SSSD/sssd/pull/517 Title: #517: Fix two memory leaks in the AD provider Label: +Changes requested