[SSSD] [sssd PR#5881][-Waiting for review] SDAP: Do not fail ASQ search when parsing a referenced entry fails
URL: https://github.com/SSSD/sssd/pull/5881 Title: #5881: SDAP: Do not fail ASQ search when parsing a referenced entry fails Label: -Waiting for review ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[SSSD] [sssd PR#5881][+Changes requested] SDAP: Do not fail ASQ search when parsing a referenced entry fails
URL: https://github.com/SSSD/sssd/pull/5881 Title: #5881: SDAP: Do not fail ASQ search when parsing a referenced entry fails Label: +Changes requested
[SSSD] [sssd PR#5867][+Changes requested] usertools: force local user for sssd process user
URL: https://github.com/SSSD/sssd/pull/5867 Title: #5867: usertools: force local user for sssd process user Label: +Changes requested
[SSSD] [sssd PR#5867][-Waiting for review] usertools: force local user for sssd process user
URL: https://github.com/SSSD/sssd/pull/5867 Title: #5867: usertools: force local user for sssd process user Label: -Waiting for review
[SSSD] [sssd PR#5867][comment] usertools: force local user for sssd process user
URL: https://github.com/SSSD/sssd/pull/5867 Title: #5867: usertools: force local user for sssd process user alexey-tikhonov commented: """ Hi @ikerexxe, Probably, https://github.com/SSSD/sssd/pull/5867#discussion_r753554361 should be answered first. Imo, number of changes can be reduced significantly (and thus some other comments will not require addressing). """ See the full comment at https://github.com/SSSD/sssd/pull/5867#issuecomment-974500428
[SSSD] [sssd PR#5863][comment] Responder and Child process tevent chain id improvements
URL: https://github.com/SSSD/sssd/pull/5863 Title: #5863: Responder and Child process tevent chain id improvements sumit-bose commented: """ Hi, I'm fine with the patches and tests are working locally for me. I restarted the CI task to hopefully get some CI results as well. bye, Sumit """ See the full comment at https://github.com/SSSD/sssd/pull/5863#issuecomment-974286264
[SSSD] [sssd PR#5872][+Accepted] p11_child: Fixes for authentication
URL: https://github.com/SSSD/sssd/pull/5872 Title: #5872: p11_child: Fixes for authentication Label: +Accepted
[SSSD] [sssd PR#5872][comment] p11_child: Fixes for authentication
URL: https://github.com/SSSD/sssd/pull/5872 Title: #5872: p11_child: Fixes for authentication sumit-bose commented: """ Hi, thanks a lot for the patches. I agree with all the changes and have no further comments. I was thinking about how to add tests for the `--wait_for_card` option but this is clearly out of scope here. ACK. bye, Sumit """ See the full comment at https://github.com/SSSD/sssd/pull/5872#issuecomment-974261642
[SSSD] [sssd PR#5881][comment] SDAP: Do not fail ASQ search when parsing a referenced entry fails
URL: https://github.com/SSSD/sssd/pull/5881 Title: #5881: SDAP: Do not fail ASQ search when parsing a referenced entry fails scabrero commented:
"""
> Hi,
>
> thanks for the patch. I think an option is needed to control this behavior
> because SSSD does not know if the denied LDAP access was intentional or not.
> If it is intentional then just ignoring the object which cannot be accessed
> is ok.
>
> But if it is not intentional and the unreadable object is a group used in
> `simple_deny_groups` or in a `Deny*LogonRight` GPO in AD the user will be
> permitted to access the system although it was expected that access is denied
> by adding the user to this group.
>
> What do you think about it?

Hi @sumit-bose,

I agree there is no way to know if the denied access was intentional or not, so adding a new configuration option seems appropriate. What do you think about "ldap_asq_ignore_unreadable_references"?
"""
See the full comment at https://github.com/SSSD/sssd/pull/5881#issuecomment-974067095
[SSSD] [sssd PR#5881][comment] SDAP: Do not fail ASQ search when parsing a referenced entry fails
URL: https://github.com/SSSD/sssd/pull/5881 Title: #5881: SDAP: Do not fail ASQ search when parsing a referenced entry fails sumit-bose commented:
"""
Hi,

thanks for the patch. I think an option is needed to control this behavior because SSSD does not know if the denied LDAP access was intentional or not. If it is intentional then just ignoring the object which cannot be accessed is ok.

But if it is not intentional and the unreadable object is a group used in `simple_deny_groups` or in a `Deny*LogonRight` GPO in AD the user will be permitted to access the system although it was expected that access is denied by adding the user to this group.

What do you think about it?

bye,
Sumit
"""
See the full comment at https://github.com/SSSD/sssd/pull/5881#issuecomment-974022679
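A simplified model of the concern discussed in this thread, added here as an example (it is not SSSD code and not part of the PR): when an unreadable referenced group is skipped, a deny-list check no longer sees it and grants access, while a strict lookup reports an error the caller can treat as a denial. All names (`ref_entry`, `resolve_groups`, `check_access`, the `ignore_unreadable` flag standing in for the proposed option, and the group names) are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one group entry referenced by a user's membership. */
struct ref_entry {
    const char *name;
    bool readable;   /* false: the directory denied read access to it */
};

enum access_rc { ACCESS_GRANTED, ACCESS_DENIED, ACCESS_ERROR };

/* Constructed sample: the user is in two groups, one of them unreadable. */
static const struct ref_entry SAMPLE[] = {
    { "staff", true },
    { "blocked-logins", false },
};

/* Collect readable names; false means the membership list is incomplete. */
static bool resolve_groups(const struct ref_entry *refs, size_t n,
                           bool ignore_unreadable, const char **out, size_t *out_n)
{
    *out_n = 0;
    for (size_t i = 0; i < n; i++) {
        if (!refs[i].readable) {
            if (ignore_unreadable) continue;   /* entry silently dropped */
            return false;                      /* strict: fail the lookup */
        }
        out[(*out_n)++] = refs[i].name;
    }
    return true;
}

/* Deny-list decision in the style of simple_deny_groups (hypothetical). */
enum access_rc check_access(const struct ref_entry *refs, size_t n,
                            const char *deny_group, bool ignore_unreadable)
{
    const char *groups[16];
    size_t count;
    if (n > sizeof(groups) / sizeof(groups[0]) ||
        !resolve_groups(refs, n, ignore_unreadable, groups, &count))
        return ACCESS_ERROR;   /* membership unknown: caller must not grant */
    for (size_t i = 0; i < count; i++)
        if (strcmp(groups[i], deny_group) == 0) return ACCESS_DENIED;
    return ACCESS_GRANTED;
}

int main(void)
{
    printf("ignore: %d, strict: %d\n",
           check_access(SAMPLE, 2, "blocked-logins", true),
           check_access(SAMPLE, 2, "blocked-logins", false));
    return 0;
}
```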
[SSSD] [sssd PR#5883][+Waiting for review] Various fixes related forest and site name discovery
URL: https://github.com/SSSD/sssd/pull/5883 Title: #5883: Various fixes related forest and site name discovery Label: +Waiting for review
[SSSD] [sssd PR#5883][+Bugzilla] Various fixes related forest and site name discovery
URL: https://github.com/SSSD/sssd/pull/5883 Title: #5883: Various fixes related forest and site name discovery Label: +Bugzilla
[SSSD] [sssd PR#5863][-Changes requested] Responder and Child process tevent chain id improvements
URL: https://github.com/SSSD/sssd/pull/5863 Title: #5863: Responder and Child process tevent chain id improvements Label: -Changes requested
[SSSD] [sssd PR#5863][+Waiting for review] Responder and Child process tevent chain id improvements
URL: https://github.com/SSSD/sssd/pull/5863 Title: #5863: Responder and Child process tevent chain id improvements Label: +Waiting for review
[SSSD] [sssd PR#5882][-Changes requested] CONFDB: check the return values
URL: https://github.com/SSSD/sssd/pull/5882 Title: #5882: CONFDB: check the return values Label: -Changes requested
[SSSD] [sssd PR#5882][+Waiting for review] CONFDB: check the return values
URL: https://github.com/SSSD/sssd/pull/5882 Title: #5882: CONFDB: check the return values Label: +Waiting for review
[SSSD] [sssd PR#5882][synchronized] CONFDB: check the return values
URL: https://github.com/SSSD/sssd/pull/5882 Author: thalman Title: #5882: CONFDB: check the return values Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5882/head:pr5882 git checkout pr5882 From 0db7c401ee40a1351da7d915a7e3d6a5539522dc Mon Sep 17 00:00:00 2001 From: Tomas Halman Date: Thu, 18 Nov 2021 17:43:19 +0100 Subject: [PATCH] CONFDB: check the return values Covscan pointed out that return value of chown and sete[ug]id is not checked in some cases. There is not much we can do in case of failure so only minor failure is logged. Resolves: https://github.com/SSSD/sssd/issues/5876 --- src/confdb/confdb.c | 6 +- src/util/usertools.c | 25 + 2 files changed, 26 insertions(+), 5 deletions(-) diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index 6a6fac916e..e557b469cb 100644 --- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c @@ -685,7 +685,11 @@ int confdb_init(TALLOC_CTX *mem_ctx, old_umask = umask(SSS_DFL_UMASK); /* file may exists and could be owned by root from previous version */ sss_sssd_user_uid_and_gid(_uid, _gid); -chown(confdb_location, sssd_uid, sssd_gid); +ret = chown(confdb_location, sssd_uid, sssd_gid); +if (ret != EOK && errno != ENOENT) { +DEBUG(SSSDBG_MINOR_FAILURE, "Unable to chown config database [%s]: %s\n", + confdb_location, sss_strerror(errno)); +} sss_set_sssd_user_eid(); ret = ldb_connect(cdb->ldb, confdb_location, 0, NULL); diff --git a/src/util/usertools.c b/src/util/usertools.c index 370a98b417..72dec6 100644 --- a/src/util/usertools.c +++ b/src/util/usertools.c 
@@ -863,17 +863,34 @@ void sss_set_sssd_user_eid(void) uid_t uid; gid_t gid; + if (geteuid() == 0) { sss_sssd_user_uid_and_gid(, ); -seteuid(uid); -setegid(gid); +if (seteuid(uid) != EOK) { +DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to set euid to %"SPRIuid": %s\n", + uid, sss_strerror(errno)); +} +if (setegid(gid) != EOK) { +DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to set egid to %"SPRIgid": %s\n", + gid, sss_strerror(errno)); +} } } void sss_restore_sssd_user_eid(void) { if (getuid() == 0) { -seteuid(getuid()); -setegid(getgid()); +if (seteuid(getuid()) != EOK) { +DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to restore euid: %s\n", + sss_strerror(errno)); +} +if (setegid(getgid()) != EOK) { +DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to restore egid: %s\n", + sss_strerror(errno)); +} } } ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
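Review bot: In the src/confdb/confdb.c hunk, a `chown()` failure other than ENOENT is only logged at `SSSDBG_MINOR_FAILURE` and execution continues into `sss_set_sssd_user_eid()` and `ldb_connect()`. The comment just above says the file could still be owned by root from a previous version, so if the ownership change fails the later `ldb_connect()` under the dropped effective IDs may fail with a permission error that no longer points at the cause; a more visible debug level would make that easier to diagnose. Two smaller points: `chown()` returns -1 rather than an SSSD error code, so `ret != 0` reads more clearly than `ret != EOK`, and copying `errno` into a local right after the call avoids depending on nothing changing it before `sss_strerror(errno)` is evaluated.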
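Review bot: In the `sss_set_sssd_user_eid()` part of the src/util/usertools.c hunk, `seteuid(uid)` still runs before `setegid(gid)`. Once the effective UID is no longer 0 the process normally cannot switch its effective GID to a group that is not already its real or saved GID, so `setegid(gid)` can fail with EPERM, and with this change that shows up as "Failed to set egid" in the log while the process keeps its previous effective GID. Suggest calling `setegid(gid)` first and `seteuid(uid)` second; the order in `sss_restore_sssd_user_eid()` (effective UID back first, then GID) is already the right one for regaining privileges. Separately, both functions stay `void` and report a failed switch only at `SSSDBG_MINOR_FAILURE`, so callers carry on with whatever effective IDs are in place; consider a higher debug level or a return value so that callers can react to a failed privilege drop.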
[SSSD] [sssd PR#5882][comment] CONFDB: check the return values
URL: https://github.com/SSSD/sssd/pull/5882 Title: #5882: CONFDB: check the return values thalman commented:
"""
> In the commit message you mention fixing `setuid()` and `setegid()` but you
> are also fixing `chown()` in this PR.

Fixing chown return value is also claimed in the commit message
"""
See the full comment at https://github.com/SSSD/sssd/pull/5882#issuecomment-973860781