[SSSD] [sssd PR#5867][opened] usertools: force local user for sssd process user

2021-11-10 Thread ikerexxe
   URL: https://github.com/SSSD/sssd/pull/5867
Author: ikerexxe
 Title: #5867: usertools: force local user for sssd process user
Action: opened

PR body:
"""
Harden the system by forcing the sssd user to be loaded from a local database
(/etc/passwd) instead of from any remote user source. Loading a remote user could
happen under very special conditions and might change the owner of the sssd
databases, resulting in a denial of service.

Moreover, clarify user option in sssd.conf, as it accepts both the user name 
and the id as input. The only constraint is that the user should be present in 
the local database (/etc/passwd).
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5867/head:pr5867
git checkout pr5867
From 58f1abf4a556d3af1208b088f07172ddc88cfa6c Mon Sep 17 00:00:00 2001
From: Iker Pedrosa 
Date: Mon, 23 Aug 2021 12:04:42 +0200
Subject: [PATCH 1/2] usertools: force local user for sssd process user

Harden the system by forcing the sssd user to be loaded from a local
database (/etc/passwd) instead of from any remote user source. Loading a
remote user could happen under very special conditions and might change the
owner of the sssd databases, resulting in a denial of service.

Signed-off-by: Iker Pedrosa 
---
 Makefile.am   |   2 +
 src/monitor/monitor.c |   6 +-
 src/providers/ipa/ipa_common.h|   3 +
 src/providers/ipa/ipa_subdomains_server.c |   3 +-
 src/responder/common/responder.h  |   5 +-
 src/responder/common/responder_common.c   |   6 +-
 src/responder/ifp/ifp_private.h   |   4 +
 src/responder/ifp/ifpsrv.c|   2 +-
 src/responder/nss/nss_private.h   |   4 +
 src/responder/nss/nsssrv.c|   4 +-
 src/responder/pac/pacsrv.c|   2 +-
 src/responder/pac/pacsrv.h|   4 +
 src/responder/pam/pamsrv.c|   2 +-
 src/responder/pam/pamsrv.h|   4 +
 src/tests/cwrap/Makefile.am   |   8 +-
 src/tests/cwrap/common_mock_nss_dl_load.c | 118 ++
 src/tests/cwrap/common_mock_nss_dl_load.h |  30 ++
 src/tests/cwrap/test_responder_common.c   |  21 +++-
 src/tests/cwrap/test_usertools.c  |  43 +++-
 src/tests/responder_socket_access-tests.c |   9 +-
 src/util/usertools.c  |  60 +--
 src/util/usertools_extra.c|  53 ++
 src/util/util.h   |   6 +-
 23 files changed, 367 insertions(+), 32 deletions(-)
 create mode 100644 src/tests/cwrap/common_mock_nss_dl_load.c
 create mode 100644 src/tests/cwrap/common_mock_nss_dl_load.h
 create mode 100644 src/util/usertools_extra.c

diff --git a/Makefile.am b/Makefile.am
index f6bc9414d0..bb1aac2bb3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1237,6 +1237,7 @@ libsss_util_la_SOURCES = \
 src/util/server.c \
 src/util/signal.c \
 src/util/usertools.c \
+src/util/usertools_extra.c \
 src/util/backup_file.c \
 src/util/strtonum.c \
 src/util/check_and_open.c \
@@ -1265,6 +1266,7 @@ libsss_util_la_SOURCES = \
 src/util/selinux.c \
 src/util/sss_regexp.c \
 src/util/sss_chain_id.c \
+src/util/nss_dl_load.c \
 $(NULL)
 libsss_util_la_CFLAGS = \
 $(AM_CFLAGS) \
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 55cb0838aa..86ec612600 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -173,6 +173,9 @@ struct mt_ctx {
 /* For running unprivileged services */
 uid_t uid;
 gid_t gid;
+
+/* Dynamic library load */
+struct sss_nss_ops ops;
 };
 
 static int start_service(struct mt_svc *mt_svc);
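Review bot: The new `ops` member embeds a `struct sss_nss_ops` in `mt_ctx`, but nothing in this patch shows who releases whatever that struct holds; the same embedding is added to `struct ipa_id_ctx` in the ipa_common.h hunk below. If `sss_nss_ops` keeps a `dlopen()` handle, as the "Dynamic library load" comment suggests, that handle outlives the talloc context unless a destructor closes it, and the valgrind failures reported on this PR for usertools-tests and responder_common-tests point in that direction. Consider attaching a talloc destructor to the owning context that closes the handle, or if the library is meant to stay loaded for the whole process, say so in the comment: `/* Dynamic library load; handle is kept open for the lifetime of the monitor */`.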
@@ -882,7 +885,8 @@ static int get_service_user(struct mt_ctx *ctx)
 return ret;
 }
 
-ret = sss_user_by_name_or_uid(user_str, >uid, >gid);
+
+ret = sss_user_by_name_or_uid(>ops, user_str, >uid, >gid);
 talloc_free(user_str);
 if (ret != EOK) {
 DEBUG(SSSDBG_FATAL_FAILURE, "Failed to set allowed UIDs.\n");
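Review bot: The first added line of this hunk is an empty `+` line, which leaves two consecutive blank lines before the `sss_user_by_name_or_uid()` call; drop it so the hunk contains only the signature change. Separately, `ctx->ops` is handed to the lookup with no initialization visible here, which is presumably fine only if `mt_ctx` is allocated zeroed (talloc_zero) so the loader starts from an empty ops table — worth confirming in the allocation site. `get_service_user()` starts outside the hunk, and the same hunk reappears unchanged in the two synchronized revisions of this PR further down the page.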
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index eb0eda8eb1..034af39efc 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -208,6 +208,9 @@ struct ipa_id_ctx {
 char *view_name;
 /* Only used with server mode */
 struct ipa_server_mode_ctx *server_mode;
+
+/* Dynamic library load */
+struct sss_nss_ops ops;
 };
 
 struct ipa_options {
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
index deb2c2ceec..d355ccf25a 100644
--- a/src/providers/ipa/ipa_subdomains_server.c
+++ b/src/providers/ipa/ipa_subdomains_server.c
@@ -1195,7 +1195,8 @@ int ipa_ad_subdom_init(struct be_ctx *be_ctx,
 /* We need to handle keytabs created by IPA oddjob script gracefully
  * even if we're running as root and IPA creates them as the SSSD user
  */
-ret = sss_user_by_name_or_uid(SSSD_USER,
+ret = 

[SSSD] [sssd PR#5869][opened] Translations update from Weblate

2021-11-10 Thread weblate
   URL: https://github.com/SSSD/sssd/pull/5869
Author: weblate
 Title: #5869: Translations update from Weblate
Action: opened

PR body:
"""
Translations update from 
[Weblate](https://translate.fedoraproject.org/projects/sssd/sssd-master/) for 
SSSD/sssd.



Current translation status:

![Weblate translation 
status](https://translate.fedoraproject.org/widgets/sssd/-/sssd-master/horizontal-auto.svg)

"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5869/head:pr5869
git checkout pr5869
From d7a3756dbf7edfe87ab97ebef48caba9a3daeef1 Mon Sep 17 00:00:00 2001
From: Weblate 
Date: Wed, 10 Nov 2021 15:06:11 +0100
Subject: [PATCH] Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/

po: update translations

(Korean) currently translated at 13.0% (341 of 2615 strings)
Translation: SSSD/sssd-manpage
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-manpage-master/ko/

po: update translations

(Korean) currently translated at 30.7% (190 of 617 strings)
Translation: SSSD/sssd
Translate-URL: https://translate.fedoraproject.org/projects/sssd/sssd-master/ko/
---
 po/ko.po |  1 +
 src/man/po/ko.po | 24 +---
 2 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/po/ko.po b/po/ko.po
index 2887344bd6..55e4dcf29d 100644
--- a/po/ko.po
+++ b/po/ko.po
@@ -773,6 +773,7 @@ msgid ""
 "The amount of time in seconds between lookups of the Desktop Profile rules "
 "against the IPA server"
 msgstr ""
+"IPA 서버에 대응하는 데스크탑 프로파일 규칙의 검색 사이에서 초 단위 시간의 양"
 
 #: src/config/SSSDConfig/sssdoptions.py:241
 msgid ""
diff --git a/src/man/po/ko.po b/src/man/po/ko.po
index 422171a822..a3d04d20af 100644
--- a/src/man/po/ko.po
+++ b/src/man/po/ko.po
@@ -8,7 +8,7 @@ msgstr ""
 "Project-Id-Version: sssd-docs 2.5.2\n"
 "Report-Msgid-Bugs-To: sssd-de...@redhat.com\n"
 "POT-Creation-Date: 2021-07-12 20:51+0200\n"
-"PO-Revision-Date: 2021-11-09 05:05+\n"
+"PO-Revision-Date: 2021-11-10 14:05+\n"
 "Last-Translator: simmon \n"
 "Language-Team: Korean \n"
@@ -17,7 +17,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=1; plural=0;\n"
-"X-Generator: Weblate 4.8\n"
+"X-Generator: Weblate 4.8.1\n"
 
 #. type: Content of: 
 #: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5 pam_sss_gss.8.xml:5 sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sss-certmap.5.xml:5 sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5 sss_obfuscate.8.xml:5 sss_override.8.xml:5 sss_useradd.8.xml:5 sssd-krb5.5.xml:5 sss_groupadd.8.xml:5 sss_userdel.8.xml:5 sss_groupdel.8.xml:5 sss_groupshow.8.xml:5 sss_usermod.8.xml:5 sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5 sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5 sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 sssd-ldap-attributes.5.xml:5
@@ -10703,17 +10703,17 @@ msgstr ""
 #. type: Content of: 
 #: sssd-ad.5.xml:792
 msgid "ftp"
-msgstr ""
+msgstr "ftp"
 
 #. type: Content of: 
 #: sssd-ad.5.xml:797
 msgid "samba"
-msgstr ""
+msgstr "삼바"
 
 #. type: Content of: 
 #: sssd-ad.5.xml:806
 msgid "ad_gpo_map_batch (string)"
-msgstr ""
+msgstr "ad_gpo_map_batch (문자열)"
 
 #. type: Content of: 
 #: sssd-ad.5.xml:809
@@ -10744,6 +10744,8 @@ msgid ""
 "ad_gpo_map_batch = +my_pam_service, -crond\n"
 ""
 msgstr ""
+"ad_gpo_map_batch = +my_pam_service, -crond\n"
+""
 
 #. type: Content of: 
 #: sssd-ad.5.xml:832
@@ -10917,7 +10919,7 @@ msgstr "네트워크"
 #. type: Content of: 
 #: sssd-ad.5.xml:1013
 msgid "batch"
-msgstr ""
+msgstr "batch"
 
 #. type: Content of: 
 #: sssd-ad.5.xml:1018
@@ -12319,7 +12321,7 @@ msgstr ""
 #. type: Content of: 
 #: sssd-krb5.5.xml:165 include/override_homedir.xml:11
 msgid "%u"
-msgstr ""
+msgstr "%u"
 
 #. type: Content of: 
 #: sssd-krb5.5.xml:166 include/override_homedir.xml:12
@@ -12329,17 +12331,17 @@ msgstr "로그인 이름"
 #. type: Content of: 
 #: sssd-krb5.5.xml:169 include/override_homedir.xml:15
 msgid "%U"
-msgstr ""
+msgstr "%U"
 
 #. type: Content of: 
 #: sssd-krb5.5.xml:170
 msgid "login UID"
-msgstr ""
+msgstr "로그인 UID"
 
 #. type: Content of: 
 #: sssd-krb5.5.xml:173
 msgid "%p"
-msgstr ""
+msgstr "%p"
 
 #. type: Content of: 
 #: sssd-krb5.5.xml:174
@@ -16858,7 +16860,7 @@ msgstr ""
 #. type: Content of: 
 #: sssd-ldap-attributes.5.xml:714
 msgid "ldap_group_objectsid (string)"
-msgstr ""
+msgstr "ldap_group_objectsid (문자열)"
 
 #. type: Content of: 
 #: sssd-ldap-attributes.5.xml:717

[SSSD] [sssd PR#5829][comment] DP: Resolve intermediate groups prior to SR overlay

2021-11-10 Thread justin-stephenson
  URL: https://github.com/SSSD/sssd/pull/5829
Title: #5829: DP: Resolve intermediate groups prior to SR overlay

justin-stephenson commented:
"""
> I'm gonna do the release, pushing now.

Thank you!
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5829#issuecomment-965328446


[SSSD] [sssd PR#5867][comment] usertools: force local user for sssd process user

2021-11-10 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5867
Title: #5867: usertools: force local user for sssd process user

alexey-tikhonov commented:
"""
There are memory leaks:
```
FAIL: usertools-tests
FAIL: responder_common-tests
```

Did you try to run `make check-valgrind-memcheck` locally?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5867#issuecomment-965394706


[SSSD] [sssd PR#5762][edited] krb5: add support for idp:oauth2 challenge

2021-11-10 Thread pbrezina
   URL: https://github.com/SSSD/sssd/pull/5762
Author: pbrezina
 Title: #5762: krb5: add support for idp:oauth2 challenge
Action: edited

 Changed field: body
Original value:
"""
## How to test

1. Install IPA server
2. On IPA server: install patched ipa:

```console
$ sudo dnf copr enable pbrezina/idp 
$ sudo dnf upgrade freeipa\*
$ kinit admin
$ ipa user-add tuser --user-auth-type=idp --first Test --last User
$ sudo cp /usr/share/sssd/krb5-snippets/sssd_enable_oauth2 /etc/krb5.conf.d
$ sudo systemctl restart krb5kdc
```

Now authenticate as the `tuser`

```
# via kinit
kinit -n @IPA.VM -c armor
kinit -T armor tu...@ipa.vm
Authenticate with PIN 123456 at https://visit.me and press ENTER.: 

# via sssd
su tu...@ipa.vm
Authenticate with PIN 123456 at https://visit.me and press ENTER.
```

The patched IPA does not make contact to any IdP, it just provides mocked 
values and grants access.
"""



[SSSD] [sssd PR#5867][comment] usertools: force local user for sssd process user

2021-11-10 Thread alexey-tikhonov
  URL: https://github.com/SSSD/sssd/pull/5867
Title: #5867: usertools: force local user for sssd process user

alexey-tikhonov commented:
"""
There are memory leaks:
https://s3.eu-central-1.amazonaws.com/sssd-ci/PR-5867/3/debian10/ci-make-check-valgrind.log
```
FAIL: usertools-tests
FAIL: responder_common-tests
```

Did you try to run `make check-valgrind-memcheck` locally?
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5867#issuecomment-965394706


[SSSD] [sssd PR#5867][+Waiting for review] usertools: force local user for sssd process user

2021-11-10 Thread ikerexxe
  URL: https://github.com/SSSD/sssd/pull/5867
Title: #5867: usertools: force local user for sssd process user

Label: +Waiting for review


[SSSD] [sssd PR#5867][synchronized] usertools: force local user for sssd process user

2021-11-10 Thread ikerexxe
   URL: https://github.com/SSSD/sssd/pull/5867
Author: ikerexxe
 Title: #5867: usertools: force local user for sssd process user
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5867/head:pr5867
git checkout pr5867
From e966aa8a212f0f6eaa5087a3ace8cdcd20dd69ec Mon Sep 17 00:00:00 2001
From: Iker Pedrosa 
Date: Mon, 23 Aug 2021 12:04:42 +0200
Subject: [PATCH 1/2] usertools: force local user for sssd process user

System hardening by forcing the sssd user to be loaded from a local
database (/etc/passwd) instead of using any remote user. This could
happen in very special conditions and might change the owner of the sssd
databases and generate a denial of service.

Signed-off-by: Iker Pedrosa 
---
 Makefile.am   |   3 +
 src/monitor/monitor.c |   6 +-
 src/providers/ipa/ipa_common.h|   3 +
 src/providers/ipa/ipa_subdomains_server.c |   3 +-
 src/responder/common/responder.h  |   5 +-
 src/responder/common/responder_common.c   |   6 +-
 src/responder/ifp/ifp_private.h   |   4 +
 src/responder/ifp/ifpsrv.c|   2 +-
 src/responder/nss/nss_private.h   |   4 +
 src/responder/nss/nsssrv.c|   4 +-
 src/responder/pac/pacsrv.c|   2 +-
 src/responder/pac/pacsrv.h|   4 +
 src/responder/pam/pamsrv.c|   2 +-
 src/responder/pam/pamsrv.h|   4 +
 src/tests/cwrap/Makefile.am   |   8 +-
 src/tests/cwrap/common_mock_nss_dl_load.c | 115 ++
 src/tests/cwrap/common_mock_nss_dl_load.h |  30 ++
 src/tests/cwrap/test_responder_common.c   |  22 -
 src/tests/cwrap/test_usertools.c  |  41 +++-
 src/tests/responder_socket_access-tests.c |  10 +-
 src/util/usertools.c  |  60 +--
 src/util/usertools_extra.c|  53 ++
 src/util/util.h   |   6 +-
 23 files changed, 365 insertions(+), 32 deletions(-)
 create mode 100644 src/tests/cwrap/common_mock_nss_dl_load.c
 create mode 100644 src/tests/cwrap/common_mock_nss_dl_load.h
 create mode 100644 src/util/usertools_extra.c

diff --git a/Makefile.am b/Makefile.am
index f6bc9414d0..301f6b5800 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -884,6 +884,7 @@ dist_noinst_HEADERS = \
 src/tests/cmocka/test_expire_common.h \
 src/tests/cmocka/test_sdap_access.h \
 src/tests/cmocka/data_provider/mock_dp.h \
+src/tests/cwrap/common_mock_nss_dl_load.h \
 src/sss_client/pam_message.h \
 src/sss_client/ssh/sss_ssh_client.h \
 src/sss_client/sudo/sss_sudo.h \
@@ -1237,6 +1238,7 @@ libsss_util_la_SOURCES = \
 src/util/server.c \
 src/util/signal.c \
 src/util/usertools.c \
+src/util/usertools_extra.c \
 src/util/backup_file.c \
 src/util/strtonum.c \
 src/util/check_and_open.c \
@@ -1265,6 +1267,7 @@ libsss_util_la_SOURCES = \
 src/util/selinux.c \
 src/util/sss_regexp.c \
 src/util/sss_chain_id.c \
+src/util/nss_dl_load.c \
 $(NULL)
 libsss_util_la_CFLAGS = \
 $(AM_CFLAGS) \
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 55cb0838aa..86ec612600 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -173,6 +173,9 @@ struct mt_ctx {
 /* For running unprivileged services */
 uid_t uid;
 gid_t gid;
+
+/* Dynamic library load */
+struct sss_nss_ops ops;
 };
 
 static int start_service(struct mt_svc *mt_svc);
@@ -882,7 +885,8 @@ static int get_service_user(struct mt_ctx *ctx)
 return ret;
 }
 
-ret = sss_user_by_name_or_uid(user_str, >uid, >gid);
+
+ret = sss_user_by_name_or_uid(>ops, user_str, >uid, >gid);
 talloc_free(user_str);
 if (ret != EOK) {
 DEBUG(SSSDBG_FATAL_FAILURE, "Failed to set allowed UIDs.\n");
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index eb0eda8eb1..034af39efc 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -208,6 +208,9 @@ struct ipa_id_ctx {
 char *view_name;
 /* Only used with server mode */
 struct ipa_server_mode_ctx *server_mode;
+
+/* Dynamic library load */
+struct sss_nss_ops ops;
 };
 
 struct ipa_options {
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
index deb2c2ceec..d355ccf25a 100644
--- a/src/providers/ipa/ipa_subdomains_server.c
+++ b/src/providers/ipa/ipa_subdomains_server.c
@@ -1195,7 +1195,8 @@ int ipa_ad_subdom_init(struct be_ctx *be_ctx,
 /* We need to handle keytabs created by IPA oddjob script gracefully
  * even if we're running as root and IPA creates them as the SSSD user
  */
-ret = sss_user_by_name_or_uid(SSSD_USER,
+ret = sss_user_by_name_or_uid(_ctx->ops,
+  SSSD_USER,
   

[SSSD] [sssd PR#5867][synchronized] usertools: force local user for sssd process user

2021-11-10 Thread ikerexxe
   URL: https://github.com/SSSD/sssd/pull/5867
Author: ikerexxe
 Title: #5867: usertools: force local user for sssd process user
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5867/head:pr5867
git checkout pr5867
From 6ae47cc580fbf644c56ace1fe54e40f6f01632a5 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa 
Date: Mon, 23 Aug 2021 12:04:42 +0200
Subject: [PATCH 1/2] usertools: force local user for sssd process user

System hardening by forcing the sssd user to be loaded from a local
database (/etc/passwd) instead of using any remote user. This could
happen in very special conditions and might change the owner of the sssd
databases and generate a denial of service.

Signed-off-by: Iker Pedrosa 
---
 Makefile.am   |   3 +
 src/monitor/monitor.c |   6 +-
 src/providers/ipa/ipa_common.h|   3 +
 src/providers/ipa/ipa_subdomains_server.c |   3 +-
 src/responder/common/responder.h  |   5 +-
 src/responder/common/responder_common.c   |   6 +-
 src/responder/ifp/ifp_private.h   |   4 +
 src/responder/ifp/ifpsrv.c|   2 +-
 src/responder/nss/nss_private.h   |   4 +
 src/responder/nss/nsssrv.c|   4 +-
 src/responder/pac/pacsrv.c|   2 +-
 src/responder/pac/pacsrv.h|   4 +
 src/responder/pam/pamsrv.c|   2 +-
 src/responder/pam/pamsrv.h|   4 +
 src/tests/cwrap/Makefile.am   |   8 +-
 src/tests/cwrap/common_mock_nss_dl_load.c | 115 ++
 src/tests/cwrap/common_mock_nss_dl_load.h |  30 ++
 src/tests/cwrap/test_responder_common.c   |  22 -
 src/tests/cwrap/test_usertools.c  |  41 +++-
 src/tests/responder_socket_access-tests.c |  11 ++-
 src/util/usertools.c  |  60 +--
 src/util/usertools_extra.c|  53 ++
 src/util/util.h   |   6 +-
 23 files changed, 366 insertions(+), 32 deletions(-)
 create mode 100644 src/tests/cwrap/common_mock_nss_dl_load.c
 create mode 100644 src/tests/cwrap/common_mock_nss_dl_load.h
 create mode 100644 src/util/usertools_extra.c

diff --git a/Makefile.am b/Makefile.am
index f6bc9414d0..301f6b5800 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -884,6 +884,7 @@ dist_noinst_HEADERS = \
 src/tests/cmocka/test_expire_common.h \
 src/tests/cmocka/test_sdap_access.h \
 src/tests/cmocka/data_provider/mock_dp.h \
+src/tests/cwrap/common_mock_nss_dl_load.h \
 src/sss_client/pam_message.h \
 src/sss_client/ssh/sss_ssh_client.h \
 src/sss_client/sudo/sss_sudo.h \
@@ -1237,6 +1238,7 @@ libsss_util_la_SOURCES = \
 src/util/server.c \
 src/util/signal.c \
 src/util/usertools.c \
+src/util/usertools_extra.c \
 src/util/backup_file.c \
 src/util/strtonum.c \
 src/util/check_and_open.c \
@@ -1265,6 +1267,7 @@ libsss_util_la_SOURCES = \
 src/util/selinux.c \
 src/util/sss_regexp.c \
 src/util/sss_chain_id.c \
+src/util/nss_dl_load.c \
 $(NULL)
 libsss_util_la_CFLAGS = \
 $(AM_CFLAGS) \
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 55cb0838aa..86ec612600 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -173,6 +173,9 @@ struct mt_ctx {
 /* For running unprivileged services */
 uid_t uid;
 gid_t gid;
+
+/* Dynamic library load */
+struct sss_nss_ops ops;
 };
 
 static int start_service(struct mt_svc *mt_svc);
@@ -882,7 +885,8 @@ static int get_service_user(struct mt_ctx *ctx)
 return ret;
 }
 
-ret = sss_user_by_name_or_uid(user_str, >uid, >gid);
+
+ret = sss_user_by_name_or_uid(>ops, user_str, >uid, >gid);
 talloc_free(user_str);
 if (ret != EOK) {
 DEBUG(SSSDBG_FATAL_FAILURE, "Failed to set allowed UIDs.\n");
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index eb0eda8eb1..034af39efc 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -208,6 +208,9 @@ struct ipa_id_ctx {
 char *view_name;
 /* Only used with server mode */
 struct ipa_server_mode_ctx *server_mode;
+
+/* Dynamic library load */
+struct sss_nss_ops ops;
 };
 
 struct ipa_options {
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
index deb2c2ceec..d355ccf25a 100644
--- a/src/providers/ipa/ipa_subdomains_server.c
+++ b/src/providers/ipa/ipa_subdomains_server.c
@@ -1195,7 +1195,8 @@ int ipa_ad_subdom_init(struct be_ctx *be_ctx,
 /* We need to handle keytabs created by IPA oddjob script gracefully
  * even if we're running as root and IPA creates them as the SSSD user
  */
-ret = sss_user_by_name_or_uid(SSSD_USER,
+ret = sss_user_by_name_or_uid(_ctx->ops,
+  SSSD_USER,
   

[SSSD] [sssd PR#5863][comment] Responder and Child process tevent chain id improvements

2021-11-10 Thread justin-stephenson
  URL: https://github.com/SSSD/sssd/pull/5863
Title: #5863: Responder and Child process tevent chain id improvements

justin-stephenson commented:
"""
> 
> Hi,
> 
> I tend to the latter. The idea of the tool is to help to find issues. Adding 
> the child logs by default might make this harder especially if the issue is 
> not related to a child process. It might be even worth to be able to switch 
> on only a single child, e.g. `--child=krb5_child`.

Okay agreed, I went ahead and added a `--child` boolean option defaulting to 
false to the `request show` subcommand
> 
> Is there a reason you mostly send the id together with other data via stdin
> and not with a command line option? Personally I would prefer a command line
> option because it makes the child process easier to use manually. E.g.
> currently you can run `p11_child` manually even in auth mode by calling
> 
> ```
> echo -n PIN | /usr/libexec/sssd/p11_child --auth .
> ```
> 
> Now additional 8 bytes are expected, which still would allow to call 
> `p11_child` manually but it would be less obvious. The PIN has to be send via 
> stdin, otherwise it would be visible on the command line and so visible for 
> everyone calling `ps`.

Understood, I went ahead and switched to sending the chain ID as a command line 
argument for each child process. Could you please test the p11 child works as 
expected now?

> 
> bye, Sumit
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5863#issuecomment-965727885


[SSSD] [sssd PR#5863][synchronized] Responder and Child process tevent chain id improvements

2021-11-10 Thread justin-stephenson
   URL: https://github.com/SSSD/sssd/pull/5863
Author: justin-stephenson
 Title: #5863: Responder and Child process tevent chain id improvements
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5863/head:pr5863
git checkout pr5863
From b0a413efc48994c0fd0f01055c8158cdfcb14856 Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Wed, 10 Nov 2021 15:41:23 +
Subject: [PATCH 01/12] util: Split chain ID tevent functions

Commonly used chain ID functions sss_chain_id_get() and
sss_chain_id_set() will be isolated from requiring
tevent when building sources.
---
 Makefile.am  |   2 +
 src/providers/data_provider_be.c |   1 +
 src/util/sss_chain_id.c  | 130 +
 src/util/sss_chain_id.h  |   7 +-
 src/util/sss_chain_id_tevent.c   | 138 +++
 src/util/sss_chain_id_tevent.h   |  29 +++
 6 files changed, 175 insertions(+), 132 deletions(-)
 create mode 100644 src/util/sss_chain_id_tevent.c
 create mode 100644 src/util/sss_chain_id_tevent.h

diff --git a/Makefile.am b/Makefile.am
index f6bc9414d0..5174eba05a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -684,6 +684,7 @@ dist_noinst_HEADERS = \
 src/util/session_recording.h \
 src/util/strtonum.h \
 src/util/sss_cli_cmd.h \
+src/util/sss_chain_id_tevent.h \
 src/util/sss_chain_id.h \
 src/util/sss_ptr_hash.h \
 src/util/sss_ptr_list.h \
@@ -1264,6 +1265,7 @@ libsss_util_la_SOURCES = \
 src/util/files.c \
 src/util/selinux.c \
 src/util/sss_regexp.c \
+src/util/sss_chain_id_tevent.c \
 src/util/sss_chain_id.c \
 $(NULL)
 libsss_util_la_CFLAGS = \
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 9d63b448ea..c632ec9461 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -47,6 +47,7 @@
 #include "util/child_common.h"
 #include "resolv/async_resolv.h"
 #include "sss_iface/sss_iface_async.h"
+#include "util/sss_chain_id_tevent.h"
 #include "util/sss_chain_id.h"
 
 #define ONLINE_CB_RETRY 3
diff --git a/src/util/sss_chain_id.c b/src/util/sss_chain_id.c
index f892e2eb78..db312698ab 100644
--- a/src/util/sss_chain_id.c
+++ b/src/util/sss_chain_id.c
@@ -18,115 +18,8 @@
 along with this program.  If not, see .
 */
 
-#include "config.h"
-
-#include 
-
-#ifdef BUILD_CHAIN_ID
-extern uint64_t debug_chain_id;
-
-static void sss_chain_id_trace_fde(struct tevent_fd *fde,
-   enum tevent_event_trace_point point,
-   void *private_data)
-{
-switch (point) {
-case TEVENT_EVENT_TRACE_ATTACH:
-/* Assign the current chain id when the event is created. */
-tevent_fd_set_tag(fde, debug_chain_id);
-break;
-case TEVENT_EVENT_TRACE_BEFORE_HANDLER:
-/* Set the chain id when a handler is being called. */
-debug_chain_id = tevent_fd_get_tag(fde);
-break;
-default:
-/* Do nothing. */
-break;
-}
-}
-
-static void sss_chain_id_trace_signal(struct tevent_signal *se,
-  enum tevent_event_trace_point point,
-  void *private_data)
-{
-switch (point) {
-case TEVENT_EVENT_TRACE_ATTACH:
-/* Assign the current chain id when the event is created. */
-tevent_signal_set_tag(se, debug_chain_id);
-break;
-case TEVENT_EVENT_TRACE_BEFORE_HANDLER:
-/* Set the chain id when a handler is being called. */
-debug_chain_id = tevent_signal_get_tag(se);
-break;
-default:
-/* Do nothing. */
-break;
-}
-}
-
-static void sss_chain_id_trace_timer(struct tevent_timer *timer,
- enum tevent_event_trace_point point,
- void *private_data)
-{
-switch (point) {
-case TEVENT_EVENT_TRACE_ATTACH:
-/* Assign the current chain id when the event is created. */
-tevent_timer_set_tag(timer, debug_chain_id);
-break;
-case TEVENT_EVENT_TRACE_BEFORE_HANDLER:
-/* Set the chain id when a handler is being called. */
-debug_chain_id = tevent_timer_get_tag(timer);
-break;
-default:
-/* Do nothing. */
-break;
-}
-}
-
-static void sss_chain_id_trace_immediate(struct tevent_immediate *im,
- enum tevent_event_trace_point point,
- void *private_data)
-{
-switch (point) {
-case TEVENT_EVENT_TRACE_ATTACH:
-/* Assign the current chain id when the event is created. */
-tevent_immediate_set_tag(im, debug_chain_id);
-break;
-case TEVENT_EVENT_TRACE_BEFORE_HANDLER:
-/* Set the chain id when a handler is being called. */
-debug_chain_id = 

[SSSD] [sssd PR#5863][synchronized] Responder and Child process tevent chain id improvements

2021-11-10 Thread justin-stephenson
   URL: https://github.com/SSSD/sssd/pull/5863
Author: justin-stephenson
 Title: #5863: Responder and Child process tevent chain id improvements
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5863/head:pr5863
git checkout pr5863
From b0a413efc48994c0fd0f01055c8158cdfcb14856 Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Wed, 10 Nov 2021 15:41:23 +
Subject: [PATCH 01/11] util: Split chain ID tevent functions

Commonly used chain ID functions sss_chain_id_get() and
sss_chain_id_set() will be isolated from requiring
tevent when building sources.
---
 Makefile.am  |   2 +
 src/providers/data_provider_be.c |   1 +
 src/util/sss_chain_id.c  | 130 +
 src/util/sss_chain_id.h  |   7 +-
 src/util/sss_chain_id_tevent.c   | 138 +++
 src/util/sss_chain_id_tevent.h   |  29 +++
 6 files changed, 175 insertions(+), 132 deletions(-)
 create mode 100644 src/util/sss_chain_id_tevent.c
 create mode 100644 src/util/sss_chain_id_tevent.h

diff --git a/Makefile.am b/Makefile.am
index f6bc9414d0..5174eba05a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -684,6 +684,7 @@ dist_noinst_HEADERS = \
 src/util/session_recording.h \
 src/util/strtonum.h \
 src/util/sss_cli_cmd.h \
+src/util/sss_chain_id_tevent.h \
 src/util/sss_chain_id.h \
 src/util/sss_ptr_hash.h \
 src/util/sss_ptr_list.h \
@@ -1264,6 +1265,7 @@ libsss_util_la_SOURCES = \
 src/util/files.c \
 src/util/selinux.c \
 src/util/sss_regexp.c \
+src/util/sss_chain_id_tevent.c \
 src/util/sss_chain_id.c \
 $(NULL)
 libsss_util_la_CFLAGS = \
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 9d63b448ea..c632ec9461 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -47,6 +47,7 @@
 #include "util/child_common.h"
 #include "resolv/async_resolv.h"
 #include "sss_iface/sss_iface_async.h"
+#include "util/sss_chain_id_tevent.h"
 #include "util/sss_chain_id.h"
 
 #define ONLINE_CB_RETRY 3
diff --git a/src/util/sss_chain_id.c b/src/util/sss_chain_id.c
index f892e2eb78..db312698ab 100644
--- a/src/util/sss_chain_id.c
+++ b/src/util/sss_chain_id.c
@@ -18,115 +18,8 @@
 along with this program.  If not, see .
 */
 
-#include "config.h"
-
-#include 
-
-#ifdef BUILD_CHAIN_ID
-extern uint64_t debug_chain_id;
-
-static void sss_chain_id_trace_fde(struct tevent_fd *fde,
-   enum tevent_event_trace_point point,
-   void *private_data)
-{
-switch (point) {
-case TEVENT_EVENT_TRACE_ATTACH:
-/* Assign the current chain id when the event is created. */
-tevent_fd_set_tag(fde, debug_chain_id);
-break;
-case TEVENT_EVENT_TRACE_BEFORE_HANDLER:
-/* Set the chain id when a handler is being called. */
-debug_chain_id = tevent_fd_get_tag(fde);
-break;
-default:
-/* Do nothing. */
-break;
-}
-}
-
-static void sss_chain_id_trace_signal(struct tevent_signal *se,
-  enum tevent_event_trace_point point,
-  void *private_data)
-{
-switch (point) {
-case TEVENT_EVENT_TRACE_ATTACH:
-/* Assign the current chain id when the event is created. */
-tevent_signal_set_tag(se, debug_chain_id);
-break;
-case TEVENT_EVENT_TRACE_BEFORE_HANDLER:
-/* Set the chain id when a handler is being called. */
-debug_chain_id = tevent_signal_get_tag(se);
-break;
-default:
-/* Do nothing. */
-break;
-}
-}
-
-static void sss_chain_id_trace_timer(struct tevent_timer *timer,
- enum tevent_event_trace_point point,
- void *private_data)
-{
-switch (point) {
-case TEVENT_EVENT_TRACE_ATTACH:
-/* Assign the current chain id when the event is created. */
-tevent_timer_set_tag(timer, debug_chain_id);
-break;
-case TEVENT_EVENT_TRACE_BEFORE_HANDLER:
-/* Set the chain id when a handler is being called. */
-debug_chain_id = tevent_timer_get_tag(timer);
-break;
-default:
-/* Do nothing. */
-break;
-}
-}
-
-static void sss_chain_id_trace_immediate(struct tevent_immediate *im,
- enum tevent_event_trace_point point,
- void *private_data)
-{
-switch (point) {
-case TEVENT_EVENT_TRACE_ATTACH:
-/* Assign the current chain id when the event is created. */
-tevent_immediate_set_tag(im, debug_chain_id);
-break;
-case TEVENT_EVENT_TRACE_BEFORE_HANDLER:
-/* Set the chain id when a handler is being called. */
-debug_chain_id = 

[SSSD] [sssd PR#5863][comment] Responder and Child process tevent chain id improvements

2021-11-10 Thread justin-stephenson
  URL: https://github.com/SSSD/sssd/pull/5863
Title: #5863: Responder and Child process tevent chain id improvements

justin-stephenson commented:
"""
> Isn't it required to set `debug_from_responder` in `p11_child`?

Yes, fixed.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5863#issuecomment-965730359


[SSSD] [sssd PR#5863][synchronized] Responder and Child process tevent chain id improvements

2021-11-10 Thread justin-stephenson
   URL: https://github.com/SSSD/sssd/pull/5863
Author: justin-stephenson
 Title: #5863: Responder and Child process tevent chain id improvements
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5863/head:pr5863
git checkout pr5863
From b0a413efc48994c0fd0f01055c8158cdfcb14856 Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Wed, 10 Nov 2021 15:41:23 +
Subject: [PATCH 01/11] util: Split chain ID tevent functions

Commonly used chain ID functions sss_chain_id_get() and
sss_chain_id_set() will be isolated so that they no longer
require tevent when building sources.
---
 Makefile.am  |   2 +
 src/providers/data_provider_be.c |   1 +
 src/util/sss_chain_id.c  | 130 +
 src/util/sss_chain_id.h  |   7 +-
 src/util/sss_chain_id_tevent.c   | 138 +++
 src/util/sss_chain_id_tevent.h   |  29 +++
 6 files changed, 175 insertions(+), 132 deletions(-)
 create mode 100644 src/util/sss_chain_id_tevent.c
 create mode 100644 src/util/sss_chain_id_tevent.h

diff --git a/Makefile.am b/Makefile.am
index f6bc9414d0..5174eba05a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -684,6 +684,7 @@ dist_noinst_HEADERS = \
 src/util/session_recording.h \
 src/util/strtonum.h \
 src/util/sss_cli_cmd.h \
+src/util/sss_chain_id_tevent.h \
 src/util/sss_chain_id.h \
 src/util/sss_ptr_hash.h \
 src/util/sss_ptr_list.h \
@@ -1264,6 +1265,7 @@ libsss_util_la_SOURCES = \
 src/util/files.c \
 src/util/selinux.c \
 src/util/sss_regexp.c \
+src/util/sss_chain_id_tevent.c \
 src/util/sss_chain_id.c \
 $(NULL)
 libsss_util_la_CFLAGS = \
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 9d63b448ea..c632ec9461 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -47,6 +47,7 @@
 #include "util/child_common.h"
 #include "resolv/async_resolv.h"
 #include "sss_iface/sss_iface_async.h"
+#include "util/sss_chain_id_tevent.h"
 #include "util/sss_chain_id.h"
 
 #define ONLINE_CB_RETRY 3
diff --git a/src/util/sss_chain_id.c b/src/util/sss_chain_id.c
index f892e2eb78..db312698ab 100644
--- a/src/util/sss_chain_id.c
+++ b/src/util/sss_chain_id.c
@@ -18,115 +18,8 @@
 along with this program.  If not, see .
 */
 
-#include "config.h"
-
-#include 
-
-#ifdef BUILD_CHAIN_ID
-extern uint64_t debug_chain_id;
-
-static void sss_chain_id_trace_fde(struct tevent_fd *fde,
-   enum tevent_event_trace_point point,
-   void *private_data)
-{
-switch (point) {
-case TEVENT_EVENT_TRACE_ATTACH:
-/* Assign the current chain id when the event is created. */
-tevent_fd_set_tag(fde, debug_chain_id);
-break;
-case TEVENT_EVENT_TRACE_BEFORE_HANDLER:
-/* Set the chain id when a handler is being called. */
-debug_chain_id = tevent_fd_get_tag(fde);
-break;
-default:
-/* Do nothing. */
-break;
-}
-}
-
-static void sss_chain_id_trace_signal(struct tevent_signal *se,
-  enum tevent_event_trace_point point,
-  void *private_data)
-{
-switch (point) {
-case TEVENT_EVENT_TRACE_ATTACH:
-/* Assign the current chain id when the event is created. */
-tevent_signal_set_tag(se, debug_chain_id);
-break;
-case TEVENT_EVENT_TRACE_BEFORE_HANDLER:
-/* Set the chain id when a handler is being called. */
-debug_chain_id = tevent_signal_get_tag(se);
-break;
-default:
-/* Do nothing. */
-break;
-}
-}
-
-static void sss_chain_id_trace_timer(struct tevent_timer *timer,
- enum tevent_event_trace_point point,
- void *private_data)
-{
-switch (point) {
-case TEVENT_EVENT_TRACE_ATTACH:
-/* Assign the current chain id when the event is created. */
-tevent_timer_set_tag(timer, debug_chain_id);
-break;
-case TEVENT_EVENT_TRACE_BEFORE_HANDLER:
-/* Set the chain id when a handler is being called. */
-debug_chain_id = tevent_timer_get_tag(timer);
-break;
-default:
-/* Do nothing. */
-break;
-}
-}
-
-static void sss_chain_id_trace_immediate(struct tevent_immediate *im,
- enum tevent_event_trace_point point,
- void *private_data)
-{
-switch (point) {
-case TEVENT_EVENT_TRACE_ATTACH:
-/* Assign the current chain id when the event is created. */
-tevent_immediate_set_tag(im, debug_chain_id);
-break;
-case TEVENT_EVENT_TRACE_BEFORE_HANDLER:
-/* Set the chain id when a handler is being called. */
-debug_chain_id = 

[SSSD] [sssd PR#5863][synchronized] Responder and Child process tevent chain id improvements

2021-11-10 Thread justin-stephenson
   URL: https://github.com/SSSD/sssd/pull/5863
Author: justin-stephenson
 Title: #5863: Responder and Child process tevent chain id improvements
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5863/head:pr5863
git checkout pr5863
From b0a413efc48994c0fd0f01055c8158cdfcb14856 Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Wed, 10 Nov 2021 15:41:23 +
Subject: [PATCH 01/11] util: Split chain ID tevent functions

Commonly used chain ID functions sss_chain_id_get() and
sss_chain_id_set() will be isolated so that they no longer
require tevent when building sources.
---
 Makefile.am  |   2 +
 src/providers/data_provider_be.c |   1 +
 src/util/sss_chain_id.c  | 130 +
 src/util/sss_chain_id.h  |   7 +-
 src/util/sss_chain_id_tevent.c   | 138 +++
 src/util/sss_chain_id_tevent.h   |  29 +++
 6 files changed, 175 insertions(+), 132 deletions(-)
 create mode 100644 src/util/sss_chain_id_tevent.c
 create mode 100644 src/util/sss_chain_id_tevent.h

diff --git a/Makefile.am b/Makefile.am
index f6bc9414d0..5174eba05a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -684,6 +684,7 @@ dist_noinst_HEADERS = \
 src/util/session_recording.h \
 src/util/strtonum.h \
 src/util/sss_cli_cmd.h \
+src/util/sss_chain_id_tevent.h \
 src/util/sss_chain_id.h \
 src/util/sss_ptr_hash.h \
 src/util/sss_ptr_list.h \
@@ -1264,6 +1265,7 @@ libsss_util_la_SOURCES = \
 src/util/files.c \
 src/util/selinux.c \
 src/util/sss_regexp.c \
+src/util/sss_chain_id_tevent.c \
 src/util/sss_chain_id.c \
 $(NULL)
 libsss_util_la_CFLAGS = \
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 9d63b448ea..c632ec9461 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -47,6 +47,7 @@
 #include "util/child_common.h"
 #include "resolv/async_resolv.h"
 #include "sss_iface/sss_iface_async.h"
+#include "util/sss_chain_id_tevent.h"
 #include "util/sss_chain_id.h"
 
 #define ONLINE_CB_RETRY 3
diff --git a/src/util/sss_chain_id.c b/src/util/sss_chain_id.c
index f892e2eb78..db312698ab 100644
--- a/src/util/sss_chain_id.c
+++ b/src/util/sss_chain_id.c
@@ -18,115 +18,8 @@
 along with this program.  If not, see .
 */
 
-#include "config.h"
-
-#include 
-
-#ifdef BUILD_CHAIN_ID
-extern uint64_t debug_chain_id;
-
-static void sss_chain_id_trace_fde(struct tevent_fd *fde,
-   enum tevent_event_trace_point point,
-   void *private_data)
-{
-switch (point) {
-case TEVENT_EVENT_TRACE_ATTACH:
-/* Assign the current chain id when the event is created. */
-tevent_fd_set_tag(fde, debug_chain_id);
-break;
-case TEVENT_EVENT_TRACE_BEFORE_HANDLER:
-/* Set the chain id when a handler is being called. */
-debug_chain_id = tevent_fd_get_tag(fde);
-break;
-default:
-/* Do nothing. */
-break;
-}
-}
-
-static void sss_chain_id_trace_signal(struct tevent_signal *se,
-  enum tevent_event_trace_point point,
-  void *private_data)
-{
-switch (point) {
-case TEVENT_EVENT_TRACE_ATTACH:
-/* Assign the current chain id when the event is created. */
-tevent_signal_set_tag(se, debug_chain_id);
-break;
-case TEVENT_EVENT_TRACE_BEFORE_HANDLER:
-/* Set the chain id when a handler is being called. */
-debug_chain_id = tevent_signal_get_tag(se);
-break;
-default:
-/* Do nothing. */
-break;
-}
-}
-
-static void sss_chain_id_trace_timer(struct tevent_timer *timer,
- enum tevent_event_trace_point point,
- void *private_data)
-{
-switch (point) {
-case TEVENT_EVENT_TRACE_ATTACH:
-/* Assign the current chain id when the event is created. */
-tevent_timer_set_tag(timer, debug_chain_id);
-break;
-case TEVENT_EVENT_TRACE_BEFORE_HANDLER:
-/* Set the chain id when a handler is being called. */
-debug_chain_id = tevent_timer_get_tag(timer);
-break;
-default:
-/* Do nothing. */
-break;
-}
-}
-
-static void sss_chain_id_trace_immediate(struct tevent_immediate *im,
- enum tevent_event_trace_point point,
- void *private_data)
-{
-switch (point) {
-case TEVENT_EVENT_TRACE_ATTACH:
-/* Assign the current chain id when the event is created. */
-tevent_immediate_set_tag(im, debug_chain_id);
-break;
-case TEVENT_EVENT_TRACE_BEFORE_HANDLER:
-/* Set the chain id when a handler is being called. */
-debug_chain_id = 

[SSSD] [sssd PR#5863][comment] Responder and Child process tevent chain id improvements

2021-11-10 Thread justin-stephenson
  URL: https://github.com/SSSD/sssd/pull/5863
Title: #5863: Responder and Child process tevent chain id improvements

justin-stephenson commented:
"""
Now that the chain ID is logged in responder log files, should the analyzer 
tool always grep responder log files for `CID#` in `request show` output? This 
is simple, but it means removing the `--cachereq` option, as those logs would 
always be included in the output then.

I added a commit for this, `Analyzer: Search all responder log files`, in case 
this is agreed-upon behavior (I will drop it if not). It does produce more output, 
but it would be useful in solving any responder-logged problems.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/5863#issuecomment-965751719


[SSSD] [sssd PR#5863][synchronized] Responder and Child process tevent chain id improvements

2021-11-10 Thread justin-stephenson
   URL: https://github.com/SSSD/sssd/pull/5863
Author: justin-stephenson
 Title: #5863: Responder and Child process tevent chain id improvements
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5863/head:pr5863
git checkout pr5863
From b0a413efc48994c0fd0f01055c8158cdfcb14856 Mon Sep 17 00:00:00 2001
From: Justin Stephenson 
Date: Wed, 10 Nov 2021 15:41:23 +
Subject: [PATCH 01/12] util: Split chain ID tevent functions

Commonly used chain ID functions sss_chain_id_get() and
sss_chain_id_set() will be isolated so that they no longer
require tevent when building sources.
---
 Makefile.am  |   2 +
 src/providers/data_provider_be.c |   1 +
 src/util/sss_chain_id.c  | 130 +
 src/util/sss_chain_id.h  |   7 +-
 src/util/sss_chain_id_tevent.c   | 138 +++
 src/util/sss_chain_id_tevent.h   |  29 +++
 6 files changed, 175 insertions(+), 132 deletions(-)
 create mode 100644 src/util/sss_chain_id_tevent.c
 create mode 100644 src/util/sss_chain_id_tevent.h

diff --git a/Makefile.am b/Makefile.am
index f6bc9414d0..5174eba05a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -684,6 +684,7 @@ dist_noinst_HEADERS = \
 src/util/session_recording.h \
 src/util/strtonum.h \
 src/util/sss_cli_cmd.h \
+src/util/sss_chain_id_tevent.h \
 src/util/sss_chain_id.h \
 src/util/sss_ptr_hash.h \
 src/util/sss_ptr_list.h \
@@ -1264,6 +1265,7 @@ libsss_util_la_SOURCES = \
 src/util/files.c \
 src/util/selinux.c \
 src/util/sss_regexp.c \
+src/util/sss_chain_id_tevent.c \
 src/util/sss_chain_id.c \
 $(NULL)
 libsss_util_la_CFLAGS = \
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index 9d63b448ea..c632ec9461 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -47,6 +47,7 @@
 #include "util/child_common.h"
 #include "resolv/async_resolv.h"
 #include "sss_iface/sss_iface_async.h"
+#include "util/sss_chain_id_tevent.h"
 #include "util/sss_chain_id.h"
 
 #define ONLINE_CB_RETRY 3
diff --git a/src/util/sss_chain_id.c b/src/util/sss_chain_id.c
index f892e2eb78..db312698ab 100644
--- a/src/util/sss_chain_id.c
+++ b/src/util/sss_chain_id.c
@@ -18,115 +18,8 @@
 along with this program.  If not, see .
 */
 
-#include "config.h"
-
-#include 
-
-#ifdef BUILD_CHAIN_ID
-extern uint64_t debug_chain_id;
-
-static void sss_chain_id_trace_fde(struct tevent_fd *fde,
-   enum tevent_event_trace_point point,
-   void *private_data)
-{
-switch (point) {
-case TEVENT_EVENT_TRACE_ATTACH:
-/* Assign the current chain id when the event is created. */
-tevent_fd_set_tag(fde, debug_chain_id);
-break;
-case TEVENT_EVENT_TRACE_BEFORE_HANDLER:
-/* Set the chain id when a handler is being called. */
-debug_chain_id = tevent_fd_get_tag(fde);
-break;
-default:
-/* Do nothing. */
-break;
-}
-}
-
-static void sss_chain_id_trace_signal(struct tevent_signal *se,
-  enum tevent_event_trace_point point,
-  void *private_data)
-{
-switch (point) {
-case TEVENT_EVENT_TRACE_ATTACH:
-/* Assign the current chain id when the event is created. */
-tevent_signal_set_tag(se, debug_chain_id);
-break;
-case TEVENT_EVENT_TRACE_BEFORE_HANDLER:
-/* Set the chain id when a handler is being called. */
-debug_chain_id = tevent_signal_get_tag(se);
-break;
-default:
-/* Do nothing. */
-break;
-}
-}
-
-static void sss_chain_id_trace_timer(struct tevent_timer *timer,
- enum tevent_event_trace_point point,
- void *private_data)
-{
-switch (point) {
-case TEVENT_EVENT_TRACE_ATTACH:
-/* Assign the current chain id when the event is created. */
-tevent_timer_set_tag(timer, debug_chain_id);
-break;
-case TEVENT_EVENT_TRACE_BEFORE_HANDLER:
-/* Set the chain id when a handler is being called. */
-debug_chain_id = tevent_timer_get_tag(timer);
-break;
-default:
-/* Do nothing. */
-break;
-}
-}
-
-static void sss_chain_id_trace_immediate(struct tevent_immediate *im,
- enum tevent_event_trace_point point,
- void *private_data)
-{
-switch (point) {
-case TEVENT_EVENT_TRACE_ATTACH:
-/* Assign the current chain id when the event is created. */
-tevent_immediate_set_tag(im, debug_chain_id);
-break;
-case TEVENT_EVENT_TRACE_BEFORE_HANDLER:
-/* Set the chain id when a handler is being called. */
-debug_chain_id =