[SSSD] [sssd PR#5881][-Waiting for review] SDAP: Do not fail ASQ search when parsing a referenced entry fails

2021-11-19 Thread elkoniu
  URL: https://github.com/SSSD/sssd/pull/5881
Title: #5881: SDAP: Do not fail ASQ search when parsing a referenced entry fails

Label: -Waiting for review
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[SSSD] [sssd PR#5881][+Changes requested] SDAP: Do not fail ASQ search when parsing a referenced entry fails

2021-11-19 Thread elkoniu
  URL: https://github.com/SSSD/sssd/pull/5881
Title: #5881: SDAP: Do not fail ASQ search when parsing a referenced entry fails

Label: +Changes requested


[SSSD] [sssd PR#5867][+Changes requested] usertools: force local user for sssd process user

2021-11-19 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5867
Title: #5867: usertools: force local user for sssd process user

Label: +Changes requested


[SSSD] [sssd PR#5867][-Waiting for review] usertools: force local user for sssd process user

2021-11-19 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5867
Title: #5867: usertools: force local user for sssd process user

Label: -Waiting for review


[SSSD] [sssd PR#5867][comment] usertools: force local user for sssd process user

2021-11-19 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5867
Title: #5867: usertools: force local user for sssd process user

alexey-tikhonov commented:
"""
Hi @ikerexxe,

Probably, https://github.com/SSSD/sssd/pull/5867#discussion_r753554361 should 
be answered first.

Imo, number of changes can be reduced significantly (and thus some other 
comments will not require addressing).
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5867#issuecomment-974500428


[SSSD] [sssd PR#5863][comment] Responder and Child process tevent chain id improvements

2021-11-19 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5863
Title: #5863: Responder and Child process tevent chain id improvements

sumit-bose commented:
"""
Hi,

I'm fine with the patches and tests are working locally for me. I restarted the 
CI task to hopefully get some CI results as well.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5863#issuecomment-974286264


[SSSD] [sssd PR#5872][+Accepted] p11_child: Fixes for authentication

2021-11-19 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5872
Title: #5872: p11_child: Fixes for authentication

Label: +Accepted


[SSSD] [sssd PR#5872][comment] p11_child: Fixes for authentication

2021-11-19 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5872
Title: #5872: p11_child: Fixes for authentication

sumit-bose commented:
"""
Hi,

thanks a lot for the patches. I agree with all the changes and have no further 
comments. I was thinking about how to add tests for the `--wait_for_card` 
option but this is clearly out of scope here. ACK.

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5872#issuecomment-974261642


[SSSD] [sssd PR#5881][comment] SDAP: Do not fail ASQ search when parsing a referenced entry fails

2021-11-19 Thread scabrero
  URL: https://github.com/SSSD/sssd/pull/5881
Title: #5881: SDAP: Do not fail ASQ search when parsing a referenced entry fails

scabrero commented:
"""
> Hi,
> 
> thanks for the patch. I think an option is needed to control this behavior 
> because SSSD does not know if the denied LDAP access was intentional or not. 
> If it is intentional then just ignoring the object which cannot be accessed 
> is ok.
> 
> But if it is not intentional and the unreadable object is a group used in 
> `simple_deny_groups` or in a `Deny*LogonRight` GPO in AD the user will be 
> permitted to access the system although it was expected that access is denied 
> by adding the user to this group.
> 
> What do you think about it?

Hi @sumit-bose, I agree there is no way to know if the denied access was 
intentional or not, so adding a new configuration option seems appropriate. 
What do you think about "ldap_asq_ignore_unreadable_references"?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5881#issuecomment-974067095


[SSSD] [sssd PR#5881][comment] SDAP: Do not fail ASQ search when parsing a referenced entry fails

2021-11-19 Thread sumit-bose
  URL: https://github.com/SSSD/sssd/pull/5881
Title: #5881: SDAP: Do not fail ASQ search when parsing a referenced entry fails

sumit-bose commented:
"""
Hi,

thanks for the patch. I think an option is needed to control this behavior 
because SSSD does not know if the denied LDAP access was intentional or not. If 
it is intentional then just ignoring the object which cannot be accessed is ok.

But if it is not intentional and the unreadable object is a group used in 
`simple_deny_groups` or in a `Deny*LogonRight` GPO in AD the user will be 
permitted to access the system although it was expected that access is denied 
by adding the user to this group.

What do you think about it?

bye,
Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5881#issuecomment-974022679
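
The concern raised in this comment (and quoted in the reply to it), as an added example that is not SSSD code and not part of the thread: a small model of group evaluation in which an unreadable referenced entry is either skipped or fails the lookup. The struct, the function names, the group names and the choice to treat a failed lookup as denial are all assumptions of this sketch; `ignore_unreadable` stands in for the option proposed in the reply.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: one entry referenced from the user's membership list. */
struct ref_entry {
    const char *group;  /* group name carried by the referenced entry */
    bool readable;      /* false: the directory denied read access to it */
};

enum access { ACCESS_DENIED = 0, ACCESS_GRANTED = 1 };

/* Hypothetical evaluator. With ignore_unreadable set, an unreadable entry is
 * dropped from the result; without it the whole lookup fails, which this
 * model treats as denial (fail closed). */
enum access check_access(const struct ref_entry *refs, size_t n,
                         const char *deny_group, bool ignore_unreadable)
{
    for (size_t i = 0; i < n; i++) {
        if (!refs[i].readable) {
            if (ignore_unreadable) {
                continue;           /* membership silently lost */
            }
            return ACCESS_DENIED;   /* lookup error */
        }
        if (strcmp(refs[i].group, deny_group) == 0) {
            return ACCESS_DENIED;   /* visible member of the deny group */
        }
    }
    return ACCESS_GRANTED;
}

/* Constructed samples: the user is in "staff" and "blocked". */
static const struct ref_entry hidden_deny[]  = { { "staff", true }, { "blocked", false } };
static const struct ref_entry visible_deny[] = { { "staff", true }, { "blocked", true } };

enum access sample_strict(void)  { return check_access(hidden_deny, 2, "blocked", false); }
enum access sample_ignore(void)  { return check_access(hidden_deny, 2, "blocked", true); }
enum access sample_visible(void) { return check_access(visible_deny, 2, "blocked", true); }

int main(void)
{
    printf("deny group unreadable, strict: %s\n",
           sample_strict() == ACCESS_GRANTED ? "granted" : "denied");
    printf("deny group unreadable, ignore: %s\n",
           sample_ignore() == ACCESS_GRANTED ? "granted" : "denied");
    printf("deny group readable,   ignore: %s\n",
           sample_visible() == ACCESS_GRANTED ? "granted" : "denied");
    return 0;
}
```

The second case is the one the comment describes: the deny rule exists and the user is a member, but the membership never reaches the evaluator.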


[SSSD] [sssd PR#5883][+Waiting for review] Various fixes related forest and site name discovery

2021-11-19 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5883
Title: #5883: Various fixes related forest and site name discovery

Label: +Waiting for review


[SSSD] [sssd PR#5883][+Bugzilla] Various fixes related forest and site name discovery

2021-11-19 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5883
Title: #5883: Various fixes related forest and site name discovery

Label: +Bugzilla


[SSSD] [sssd PR#5863][-Changes requested] Responder and Child process tevent chain id improvements

2021-11-19 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5863
Title: #5863: Responder and Child process tevent chain id improvements

Label: -Changes requested


[SSSD] [sssd PR#5863][+Waiting for review] Responder and Child process tevent chain id improvements

2021-11-19 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5863
Title: #5863: Responder and Child process tevent chain id improvements

Label: +Waiting for review


[SSSD] [sssd PR#5882][-Changes requested] CONFDB: check the return values

2021-11-19 Thread thalman
  URL: https://github.com/SSSD/sssd/pull/5882
Title: #5882: CONFDB: check the return values

Label: -Changes requested


[SSSD] [sssd PR#5882][+Waiting for review] CONFDB: check the return values

2021-11-19 Thread thalman
  URL: https://github.com/SSSD/sssd/pull/5882
Title: #5882: CONFDB: check the return values

Label: +Waiting for review


[SSSD] [sssd PR#5882][synchronized] CONFDB: check the return values

2021-11-19 Thread thalman
   URL: https://github.com/SSSD/sssd/pull/5882
Author: thalman
 Title: #5882: CONFDB: check the return values
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5882/head:pr5882
git checkout pr5882
From 0db7c401ee40a1351da7d915a7e3d6a5539522dc Mon Sep 17 00:00:00 2001
From: Tomas Halman 
Date: Thu, 18 Nov 2021 17:43:19 +0100
Subject: [PATCH] CONFDB: check the return values

Covscan pointed out that return value of chown and sete[ug]id is
not checked in some cases. There is not much we can do
in case of failure so only minor failure is logged.

Resolves: https://github.com/SSSD/sssd/issues/5876
---
 src/confdb/confdb.c  |  6 +-
 src/util/usertools.c | 25 +
 2 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
index 6a6fac916e..e557b469cb 100644
--- a/src/confdb/confdb.c
+++ b/src/confdb/confdb.c
@@ -685,7 +685,11 @@ int confdb_init(TALLOC_CTX *mem_ctx,
 old_umask = umask(SSS_DFL_UMASK);
 /* file may exists and could be owned by root from previous version */
 sss_sssd_user_uid_and_gid(_uid, _gid);
-chown(confdb_location, sssd_uid, sssd_gid);
+ret = chown(confdb_location, sssd_uid, sssd_gid);
+if (ret != EOK && errno != ENOENT) {
+DEBUG(SSSDBG_MINOR_FAILURE, "Unable to chown config database [%s]: %s\n",
+  confdb_location, sss_strerror(errno));
+}
 sss_set_sssd_user_eid();
 
 ret = ldb_connect(cdb->ldb, confdb_location, 0, NULL);
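
Review bot: the new check `ret != EOK` on the `chown()` result compares a libc 0/-1 return against an SSSD error code; it works only because `EOK` is 0, and `ret == -1` (or `ret != 0`) would say what is meant. The failure is also logged only at `SSSDBG_MINOR_FAILURE` while execution continues into `sss_set_sssd_user_eid()` and `ldb_connect()`; the comment above the call says the file may still be owned by root, so if the chown fails for any reason other than `ENOENT` the later connect may fail with the real cause recorded only at a low debug level. Consider a higher level for the non-`ENOENT` case, and copy `errno` into a local before calling `DEBUG` so the logged value cannot be disturbed.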
diff --git a/src/util/usertools.c b/src/util/usertools.c
index 370a98b417..72dec6 100644
--- a/src/util/usertools.c
+++ b/src/util/usertools.c
@@ -863,17 +863,34 @@ void sss_set_sssd_user_eid(void)
 uid_t uid;
 gid_t gid;
 
+
 if (geteuid() == 0) {
 sss_sssd_user_uid_and_gid(, );
-seteuid(uid);
-setegid(gid);
+if (seteuid(uid) != EOK) {
+DEBUG(SSSDBG_MINOR_FAILURE,
+  "Failed to set euid to %"SPRIuid": %s\n",
+  uid, sss_strerror(errno));
+}
+if (setegid(gid) != EOK) {
+DEBUG(SSSDBG_MINOR_FAILURE,
+  "Failed to set egid to %"SPRIgid": %s\n",
+  gid, sss_strerror(errno));
+}
 }
 }
 
 void sss_restore_sssd_user_eid(void)
 {
 if (getuid() == 0) {
-seteuid(getuid());
-setegid(getgid());
+if (seteuid(getuid()) != EOK) {
+DEBUG(SSSDBG_MINOR_FAILURE,
+  "Failed to restore euid: %s\n",
+  sss_strerror(errno));
+}
+if (setegid(getgid()) != EOK) {
+DEBUG(SSSDBG_MINOR_FAILURE,
+  "Failed to restore egid: %s\n",
+  sss_strerror(errno));
+}
 }
 }
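
Review bot: in `sss_set_sssd_user_eid()` the `setegid(gid)` call still comes after `seteuid(uid)`, so when `uid` is a non-root user the effective uid is already dropped by the time the group change is attempted and it will normally be refused with `EPERM`; with this patch that is now logged instead of silently ignored, but the fix is to call `setegid(gid)` first. Both functions stay `void` and log at `SSSDBG_MINOR_FAILURE`, so a caller cannot tell that the privilege drop or the restore did not happen and carries on with whatever ids are in effect; returning an error code, or at least logging at a higher level, would make that visible. As in the other file, `!= EOK` is being applied to a libc 0/-1 return. The blank line added after `gid_t gid;` is unrelated and can be dropped.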


[SSSD] [sssd PR#5882][comment] CONFDB: check the return values

2021-11-19 Thread thalman
  URL: https://github.com/SSSD/sssd/pull/5882
Title: #5882: CONFDB: check the return values

thalman commented:
"""
> In the commit message you mention fixing `setuid()` and `setegid()` but you 
> are also fixing `chown()` in this PR.

Fixing chown return value is also claimed in the commit message 


"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5882#issuecomment-973860781