[SSSD] [sssd PR#498][closed] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Author: fidencio
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/498/head:pr498
git checkout pr498
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

fidencio commented:
"""
@lslebodn, I'd like to ask you to have a ticket opened about this and we'll treat it from there. Also, @simo5, would you mind giving your opinion here?
"""

See the full comment at https://github.com/SSSD/sssd/pull/498#issuecomment-365847319
[SSSD] [sssd PR#498][+Pushed] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE
Label: +Pushed
[SSSD] [sssd PR#515][comment] sssctl: Showing help even when sssd not configured
URL: https://github.com/SSSD/sssd/pull/515
Title: #515: sssctl: Showing help even when sssd not configured

centos-ci commented:
"""
Can one of the admins verify this patch?
"""

See the full comment at https://github.com/SSSD/sssd/pull/515#issuecomment-365845133
[SSSD] [sssd PR#515][comment] sssctl: Showing help even when sssd not configured
URL: https://github.com/SSSD/sssd/pull/515
Title: #515: sssctl: Showing help even when sssd not configured

centos-ci commented:
"""
Can one of the admins verify this patch?
"""

See the full comment at https://github.com/SSSD/sssd/pull/515#issuecomment-365845134
[SSSD] [sssd PR#515][opened] sssctl: Showing help even when sssd not configured
URL: https://github.com/SSSD/sssd/pull/515
Author: amitkumar50
Title: #515: sssctl: Showing help even when sssd not configured
Action: opened

PR body:
"""
Current Issue: On a clean and unconfigured system, it's not possible to use --help.
`# dnf install sssd-tools`
`# sssctl cache-remove --help`
Shows: [confdb_get_domains] (0x0010): No domains configured, fatal error!

Solution: Do not check for confdb initialization when sssctl 3rd command line argument passed is '--help'.
Please note when we run 'sssctl --help' on unconfigured system confdb check is not done and proper o/p is seen.
Also suggest if we have better alternative..

Resolves: https://pagure.io/SSSD/sssd/issue/3634
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/515/head:pr515
git checkout pr515

From 68b27079c2b4472ed63c22e526e334a49d2fbdb9 Mon Sep 17 00:00:00 2001
From: amitkuma
Date: Thu, 15 Feb 2018 18:21:10 +0530
Subject: [PATCH] sssctl: Showing help even when sssd not configured

On a clean and unconfigured system, it's not possible to use --help.
1) dnf install sssd-tools
2) sssctl cache-remove --help
Shows: [confdb_get_domains] (0x0010): No domains configured, fatal error!

Solution: Do not check for confdb initialization when sssctl 3rd command line argument passed is '--help'.
Please note when we run 'sssctl --help' on unconfigured system confdb check is not done and proper o/p is seen.

Resolves: https://pagure.io/SSSD/sssd/issue/3634
---
src/tools/common/sss_tools.c | 16 +---
1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c index e491a1286..bb63dc7c3 100644 --- a/src/tools/common/sss_tools.c +++ b/src/tools/common/sss_tools.c
@@ -333,13 +333,15 @@ errno_t sss_tool_route(int argc, const char **argv, return tool_ctx->init_err; } -ret = tool_cmd_init(tool_ctx, [i]); -if (ret != EOK) { -DEBUG(SSSDBG_FATAL_FAILURE, - "Command initialization failed [%d] %s\n", - ret, sss_strerror(ret)); -return ret; -} + if(strcmp(argv[2],"--help")){ +ret = tool_cmd_init(tool_ctx, [i]); +if (ret != EOK) { +DEBUG(SSSDBG_FATAL_FAILURE, + "Command initialization failed [%d] %s\n", + ret, sss_strerror(ret)); +return ret; +} + } return commands[i].fn(, tool_ctx, pvt); } ___ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
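Review bot: the new guard `if(strcmp(argv[2],"--help")){` in sss_tool_route() reads argv[2] with no check in the hunk that argc is at least 3, so a command invoked without further arguments would hand strcmp() a NULL or out-of-range pointer. Check argc before the comparison, and consider whether `--help` in a later position should also skip tool_cmd_init(); as written only an exact `--help` in that one slot does. Style: the surrounding code writes `if (` with a space, and the condition reads more clearly as `strcmp(...) != 0`.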
[SSSD] [sssd PR#498][-Pushed] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE
Label: -Pushed
[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

lslebodn commented:
"""
Unfortunately, it was pushed without careful review. That would not work when running sssd in non-privileged mode because `seteuid` will fail. And it was mentioned in upstream ticket https://pagure.io/SSSD/sssd/issue/3621

Quick POC
```
sh# su --shell=/bin/bash - sssd
sh$ python
Python 2.7.14 (default, Jan 31 2018, 14:27:00)
[GCC 8.0.1 20180127 (Red Hat 8.0.1-0.6)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.getuid()
974
>>> os.geteuid()
974
>>> os.seteuid(1000)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OSError: [Errno 1] Operation not permitted
```

BTW I ran a few basic tests in non-privileged mode and it works like a charm with the following IPA tests: selinux-usemap, sudo, hbac, user, group, netgroup, password changes, ssh keys, automount. I didn't test ad-trust tests because there is a known issue in non-privileged mode.
"""

See the full comment at https://github.com/SSSD/sssd/pull/498#issuecomment-365839135
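The failure in the POC above, in C with the error handled, as an added example (not SSSD code and not part of PR #498): `seteuid()` to a UID other than the caller's real, effective or saved UID needs CAP_SETUID, so a daemon started as the sssd user gets EPERM. The names `euid_switch_is_unprivileged`, `pick_foreign_uid`, `run_with_euid` and `record_euid` are hypothetical, and the callback stands in for whatever per-user file operation the caller needs.

```c
#define _GNU_SOURCE /* for getresuid() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 when seteuid(target) needs no capability: any process may set
 * its effective UID to its own real, effective or saved set-user-ID. */
int euid_switch_is_unprivileged(uid_t target)
{
    uid_t ruid, euid, suid;

    if (getresuid(&ruid, &euid, &suid) != 0) {
        return 0;
    }
    return target == ruid || target == euid || target == suid;
}

/* Constructed sample input: the first UID from 1000 up that is none of ours. */
uid_t pick_foreign_uid(void)
{
    uid_t uid = 1000;

    while (euid_switch_is_unprivileged(uid)) {
        uid++;
    }
    return uid;
}

/* Runs fn(arg) with the effective UID set to target, then switches back.
 * Returns fn's result, or -errno when the kernel refuses the switch, which
 * is EPERM for a daemon started as an unprivileged user. */
int run_with_euid(uid_t target, int (*fn)(void *), void *arg)
{
    uid_t orig = geteuid();
    int ret;

    if (seteuid(target) != 0) {
        return -errno; /* nothing changed; let the caller decide */
    }
    ret = fn(arg);
    if (seteuid(orig) != 0) {
        abort(); /* identity could not be restored: stop here */
    }
    return ret;
}

/* Stand-in for the per-user file operation: records the UID it ran as. */
int record_euid(void *arg)
{
    *(uid_t *)arg = geteuid();
    return 0;
}

int main(void)
{
    uid_t seen = (uid_t)-1;
    uid_t other = pick_foreign_uid();
    int rc;

    rc = run_with_euid(geteuid(), record_euid, &seen);
    printf("own uid %u: rc=%d\n", (unsigned)geteuid(), rc);

    rc = run_with_euid(other, record_euid, &seen);
    if (rc < 0) {
        printf("uid %u: refused (%s)\n", (unsigned)other, strerror(-rc));
    } else {
        printf("uid %u: ran as %u\n", (unsigned)other, (unsigned)seen);
    }
    return 0;
}
```

Run as root the second call succeeds; run as an ordinary user it reports "Operation not permitted", matching the Python session.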
[SSSD] [sssd PR#498][-Accepted] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE
Label: -Accepted
[SSSD] [sssd PR#498][reopened] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Author: fidencio
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE
Action: reopened

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/498/head:pr498
git checkout pr498
[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

jhrozek commented:
"""
* master:
    * f0cbe890adf696d8318373203580d709f3d38d8c
    * 1a011c4f20e80f2bcb4d10a4d690b3a88c2fd70d
    * 07ae0da06c0d94a3198e484d0de28c9282c4d6cd
    * 2c5b03913c54234efdabcff83de368bae72dc799
    * b576b290d3d7e165269edf36d6be27bc1441a688
    * 0fce902c563c3b54f2e67235668273ff7ff40752
"""

See the full comment at https://github.com/SSSD/sssd/pull/498#issuecomment-365744752
[SSSD] [sssd PR#498][closed] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Author: fidencio
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE
Action: closed

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/498/head:pr498
git checkout pr498
[SSSD] [sssd PR#498][+Pushed] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE
Label: +Pushed
[SSSD] Re: New sbus implementation
On Sat, Feb 03, 2018 at 12:58:26PM +0100, Pavel Březina wrote:
> Hi team,
> as you know, I have been working on this occasionally for a long time now.
> The code can be found at [1].
>
> It is completely new implementation of our internal D-Bus API called sbus. I
> took all the good things started by Steff Walter few years ago and made them
> better and more flexible. In short, it is everything you ever wanted and you
> will not use D-Bus with it at all.
>
> There is a large README.md in the repo, that contains complete list of
> features, explanation why I started working on this and what I wanted to
> achieve. There is also shorter list of some chosen benefits to the SSSD
> project so you can get the general idea without going through the all
> feature list.
>
> I really believe that this will be a big step forward for SSSD project as it
> will make the code much simpler and testable and it will allow us to extend
> our D-Bus interface both external and internal. It will give us the
> opportunity to improve the InfoPipe responder (and finally allow us to
> implement write interface) but it also allows us to improve the
> communications between providers, responders and even tools -- especially
> sssctl.
>
> There is also a showcase application so you can see most of the features at
> work. All is described in the readme file.
>
> It lacks unit tests at the moment. I would like to get some help from you in
> this area, we should talk about it in the meeting or here. If we choose to
> integrate this with our codebase, we should talk about schedule and test
> plan.
>
> Also, I would like to strip it from SSSD's dependencies eventually and
> release it as a public library. But that will not happen in near future.
>
> I hope you will like it.

I didn't have the time to read the implementation at all, honestly, I only read the README.md. But I like the ideas, especially that we could finally get support for signals and that the processes could communicate with one another more easily. So I'm all for merging this. But I'm sure when will I have the time to review the code -- currently I'm busy looking at PRs for your other project :-)

btw with my maintainer hat on -- I think changes like this would really require us to split master from sssd-2.0.
[SSSD] [sssd PR#391][synchronized] Use dbus-daemon in cwrap enviroment for test
URL: https://github.com/SSSD/sssd/pull/391 Author: lslebodn Title: #391: Use dbus-daemon in cwrap enviroment for test Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/391/head:pr391 git checkout pr391 From 041b25fef6e027a8aeecf59fb213f943f9d9458c Mon Sep 17 00:00:00 2001 From: Lukas SlebodnikDate: Wed, 20 Sep 2017 15:57:26 +0200 Subject: [PATCH 1/5] intg: Build with optimisations and debug symbols We override CFLAGS for macro KCM_PEER_UID. Such change also remove standard CFLAGS (-O2 -g) and therefore it was not possible to debug processes in gdb unless environment variable CFLAGS was set. But we should test optimized code by default and let developers override default with environment variable CFLAGS and not vice versa. --- Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.am b/Makefile.am index d02f8fe1a..25e996d2d 100644 --- a/Makefile.am +++ b/Makefile.am @@ -3607,7 +3607,7 @@ intgcheck-prepare: --without-semanage \ --with-session-recording-shell=/bin/false \ $(INTGCHECK_CONFIGURE_FLAGS) \ - CFLAGS="$$CFLAGS -DKCM_PEER_UID=$$(id -u)"; \ + CFLAGS="-O2 -g $$CFLAGS -DKCM_PEER_UID=$$(id -u)"; \ $(MAKE) $(AM_MAKEFLAGS) ; \ : Force single-thread install to workaround concurrency issues; \ $(MAKE) $(AM_MAKEFLAGS) -j1 install; \ From 80d1376c54ea6071eb32de4e16d0729010304d3d Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik Date: Sat, 18 Mar 2017 15:47:43 +0100 Subject: [PATCH 2/5] intg: Do not prefer builddir in PATH Binary files in builddir are shell wrapper for libtool Therefore we should prefer files which are installed in $prefix --- src/tests/intg/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am index 209e5a0c7..9c4079d97 100644 --- a/src/tests/intg/Makefile.am +++ b/src/tests/intg/Makefile.am 
@@ -85,7 +85,7 @@ intgcheck-installed: config.py passwd group unset HOME; \ PATH="$$(dirname -- $(SLAPD)):$$PATH" \ PATH="$(DESTDIR)$(sbindir):$(DESTDIR)$(bindir):$$PATH" \ - PATH="$(abs_builddir):$(abs_srcdir):$$PATH" \ + PATH="$$PATH:$(abs_builddir):$(abs_srcdir)" \ PYTHONPATH="$(abs_builddir):$(abs_srcdir)" \ LDB_MODULES_PATH="$(DESTDIR)$(ldblibdir)" \ NON_WRAPPED_UID=$$(id -u) \ From 2ba5ae78a2ee94e0e99f2b0e6cda37fca4b781e5 Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik Date: Wed, 20 Sep 2017 15:40:07 +0200 Subject: [PATCH 3/5] intg: Install configuration for dbus daemon Resolves: https://pagure.io/SSSD/sssd/issue/2823 --- src/external/intgcheck.m4 | 2 + src/tests/intg/Makefile.am| 20 +++ src/tests/intg/data/cwrap-dbus-system.conf.in | 83 +++ 3 files changed, 105 insertions(+) create mode 100644 src/tests/intg/data/cwrap-dbus-system.conf.in diff --git a/src/external/intgcheck.m4 b/src/external/intgcheck.m4 index ac68b85dd..60a7bf306 100644 --- a/src/external/intgcheck.m4 +++ b/src/external/intgcheck.m4 @@ -31,3 +31,5 @@ AC_DEFUN([SSS_ENABLE_INTGCHECK_REQS], [ SSS_INTGCHECK_REQ([HAVE_PY2MOD_LDAP], [pyldb]) fi ]) + +AM_CONDITIONAL([INTG_BUILD], [test x"$enable_intgcheck_reqs" = xyes]) diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am index 9c4079d97..23737624d 100644 --- a/src/tests/intg/Makefile.am +++ b/src/tests/intg/Makefile.am 
@@ -37,6 +37,25 @@ dist_noinst_DATA = \ test_pysss_nss_idmap.py \ $(NULL) +EXTRA_DIST = data/cwrap-dbus-system.conf.in + +dbussysconfdir = $(sysconfdir)/dbus-1 +dbusservicedir = $(datadir)/dbus-1/system-services + +if INTG_BUILD +dist_dbussysconf_DATA = cwrap-dbus-system.conf + +install-data-hook: + $(MKDIR_P) $(DESTDIR)$(runstatedir)/dbus + $(MKDIR_P) $(DESTDIR)$(sysconfdir)/session.d + +endif + +cwrap-dbus-system.conf: data/cwrap-dbus-system.conf.in Makefile + $(SED) -e "s!@runstatedir[@]!$(runstatedir)!" \ + -e "s!@dbusservicedir[@]!$(dbusservicedir)!" \ + $< > $@ + config.py: config.py.m4 m4 -D "prefix=\`$(prefix)'" \ -D "sysconfdir=\`$(sysconfdir)'" \ @@ -70,6 +89,7 @@ CLEANFILES=config.py config.pyc passwd group clean-local: rm -Rf root + rm -f $(builddir)/cwrap-dbus-system.conf intgcheck-installed: config.py passwd group pipepath="$(DESTDIR)$(pipepath)"; \ diff --git a/src/tests/intg/data/cwrap-dbus-system.conf.in b/src/tests/intg/data/cwrap-dbus-system.conf.in new file mode 100644 index 0..7369054e7 --- /dev/null +++ b/src/tests/intg/data/cwrap-dbus-system.conf.in @@ -0,0 +1,83 @@ + + + + +http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd;> + + + + system + + + + + + + + + + + @dbusservicedir@ + + + + @runstatedir@/dbus/messagebus.pid + + + EXTERNAL + + + unix:path=@runstatedir@/dbus/system_bus_socket + + + + + + + + + + + system.d + +
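Review bot: in the src/tests/intg/Makefile.am hunk of patch 3/5, `dist_dbussysconf_DATA = cwrap-dbus-system.conf` puts a file generated by the sed rule into the distribution, although EXTRA_DIST already ships the `.in` template and clean-local deletes the generated copy; `nodist_dbussysconf_DATA` looks like what is meant. The generated file could also be added to the existing `CLEANFILES=config.py config.pyc passwd group` list instead of a separate `rm -f` in clean-local.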
[SSSD] [sssd PR#498][+Accepted] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE
Label: +Accepted
[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

fidencio commented:
"""
Adding the "Accepted" label as per @simo5's review and @olivergs's tests.
"""

See the full comment at https://github.com/SSSD/sssd/pull/498#issuecomment-365685945
[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

olivergs commented:
"""
After testing this patch in a clean environment it worked like a charm. Thanks!
"""

See the full comment at https://github.com/SSSD/sssd/pull/498#issuecomment-365685736
[SSSD] [sssd PR#514][opened] Backport several UPN related patches to sssd-1-13
URL: https://github.com/SSSD/sssd/pull/514
Author: jhrozek
Title: #514: Backport several UPN related patches to sssd-1-13
Action: opened

PR body:
"""
There are several patches that were applied to master, but never to sssd-1-13. The patches are needed to enable UPN logins in both direct join and trust-based setup.

The patches were already tested by one affected RHEL customer, so I'm quite certain they work. It would be nice to run CI and Coverity to make sure we don't introduce any regressions.

I did some basic sanity testing when backporting the fixes, but if you want to test the patches, first create a user with an 'enterprise principal', see e.g. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc772007(v=ws.11) then create an UPN that is different than the realm name. Restart SSSD to make sure the subdomains are refreshed. With a trust setup, you also might need to run 'ipa trustdomain-fetch' to make sure the suffix shows up. Then, login using the UPN as the username.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/514/head:pr514
git checkout pr514

From 30949ccf1d41b31c4a91445c5b78a494eb84e501 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Thu, 25 Jan 2018 17:25:50 +0100
Subject: [PATCH 1/3] Make get_object_from_cache() aware of UPN searches

---
src/providers/ipa/ipa_subdomains_id.c | 16
1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c index 0956046d7..223dbec15 100644 --- a/src/providers/ipa/ipa_subdomains_id.c +++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -1000,11 +1000,19 @@ errno_t get_object_from_cache(TALLOC_CTX *mem_ctx, case BE_REQ_INITGROUPS: case BE_REQ_USER: case BE_REQ_USER_AND_GROUP: -ret = sysdb_search_user_by_name(mem_ctx, dom, name, attrs, ); -if (ret == ENOENT && (ar->entry_type & BE_REQ_TYPE_MASK) +if (ar->extra_value +&& strcmp(ar->extra_value, EXTRA_NAME_IS_UPN) == 0) { +ret = sysdb_search_user_by_upn(mem_ctx, dom, name, + attrs, ); +} else { +ret = sysdb_search_user_by_name(mem_ctx, dom, name, +attrs, ); +if (ret == ENOENT && (ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_USER_AND_GROUP) { -ret = sysdb_search_group_by_name(mem_ctx, dom, name, - attrs, ); +ret = sysdb_search_group_by_name(mem_ctx, dom, + name, attrs, + ); +} } break; default: From 855fa6187314b5f56f69658f1f4faa81820a3011 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 29 Jun 2016 14:02:02 +0200 Subject: [PATCH 2/3] NSS: Fix domain for UPN based lookups Since sysdb_search_user_by_upn() searches the whole cache we have to set the domain so that it matches the result. Reviewed-by: Jakub Hrozek (cherry picked from commit f426a8b81a871188348b41aa52803a05bc3a02de) --- src/responder/nss/nsssrv_cmd.c | 29 + 1 file changed, 29 insertions(+) diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c index 61e961efc..3ea43169f 100644 --- a/src/responder/nss/nsssrv_cmd.c +++ b/src/responder/nss/nsssrv_cmd.c @@ -975,6 +975,7 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx) struct ldb_message *msg; const char *extra_flag = NULL; char *neg_cache_name; +const char *sysdb_name; nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx); 
@@ -1077,6 +1078,23 @@ static int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx) } dctx->res->msgs[0] = talloc_steal(dctx->res->msgs, msg); + +/* Since sysdb_search_user_by_upn() searches the whole cache we + * have to set the domain so that it matches the result. */ +sysdb_name = ldb_msg_find_attr_as_string(dctx->res->msgs[0], + SYSDB_NAME, NULL); +if (sysdb_name == NULL) { +DEBUG(SSSDBG_CRIT_FAILURE, "Cached entry has no name.\n"); +return EINVAL; +} +dctx->domain = find_domain_by_object_name(get_domains_head(dom), + sysdb_name); +if (dctx->domain == NULL) { +DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot find matching domain for [%s].\n", +
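Review bot: in patch 1/3, the new `EXTRA_NAME_IS_UPN` branch of get_object_from_cache() calls only sysdb_search_user_by_upn(), so for BE_REQ_USER_AND_GROUP the ENOENT fallback to sysdb_search_group_by_name() now runs only in the by-name branch. If that is intended because a UPN never names a group, a short comment in the UPN branch saying so would help; the commit message carries nothing beyond its subject line.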
[SSSD] [sssd PR#503][comment] Regression test for false possitive "corrupted" memory cache
URL: https://github.com/SSSD/sssd/pull/503
Title: #503: Regression test for false possitive "corrupted" memory cache

lslebodn commented:
"""
> @lslebodn, I would it call just 'flags' as e.g. open(2).

What about the latest version? It is backward compatible including negative test cases. But it allows passing a `NUL` character in the input string.
"""

See the full comment at https://github.com/SSSD/sssd/pull/503#issuecomment-365672349
[SSSD] [sssd PR#503][synchronized] Regression test for false possitive "corrupted" memory cache
URL: https://github.com/SSSD/sssd/pull/503 Author: lslebodn Title: #503: Regression test for false possitive "corrupted" memory cache Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/503/head:pr503 git checkout pr503 From 313af382da04ccb4d021a4325f0797ca2742f081 Mon Sep 17 00:00:00 2001 From: Lukas SlebodnikDate: Wed, 24 Jan 2018 11:24:01 +0100 Subject: [PATCH 1/4] pysss_murmur: Allow to have NUL character in python bindings --- src/python/pysss_murmur.c | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/python/pysss_murmur.c b/src/python/pysss_murmur.c index 060d29df3..8f1752a29 100644 --- a/src/python/pysss_murmur.c +++ b/src/python/pysss_murmur.c @@ -38,15 +38,16 @@ static PyObject * py_murmurhash3(PyObject *module, PyObject *args) long key_len; long long seed; uint32_t hash; +int input_len; -if (!PyArg_ParseTuple(args, sss_py_const_p(char, "slL"), - , _len, )) { +if (!PyArg_ParseTuple(args, sss_py_const_p(char, "z#lL"), + , _len, _len, )) { PyErr_Format(PyExc_ValueError, "Invalid argument\n"); return NULL; } if (seed > UINT32_MAX || key_len > INT_MAX || key_len < 0 || -(size_t)key_len > strlen(key)) { +(size_t)key_len > input_len) { PyErr_Format(PyExc_ValueError, "Invalid value\n"); return NULL; } From fac978156129ce13576a3494fb456086e4ce68f3 Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik Date: Wed, 24 Jan 2018 11:34:59 +0100 Subject: [PATCH 2/4] TESTS: Extend code coverage for murmurhash3 * add positive test for trailing NUL character * add test for corner cases (0, input_len + 1) --- src/tests/pysss_murmur-test.py | 62 -- 1 file changed, 47 insertions(+), 15 deletions(-) diff --git a/src/tests/pysss_murmur-test.py b/src/tests/pysss_murmur-test.py index 7237c95b0..9fb1a0494 100755 --- a/src/tests/pysss_murmur-test.py +++ b/src/tests/pysss_murmur-test.py 
@@ -60,26 +60,53 @@ def testImport(self): raise e self.assertEqual(pysss_murmur.__file__, MODPATH + "/pysss_murmur.so") -class PySssMurmurTest(unittest.TestCase): -@classmethod -def tearDownClass(cls): -os.unlink(MODPATH + "/pysss_murmur.so") -os.rmdir(MODPATH) -def testExpectedHash(self): -hash = pysss_murmur.murmurhash3("S-1-5-21-215332-2176343378-3404031434", 41, 0xdeadbeef) -self.assertEqual(hash, 93103853) - -def testInvalidArguments(self): +class PySssMurmurTestNeg(unittest.TestCase): +def test_invalid_arguments(self): self.assertRaises(ValueError, pysss_murmur.murmurhash3, 1, 2, 3) self.assertRaises(ValueError, pysss_murmur.murmurhash3, "test", 2) self.assertRaises(ValueError, pysss_murmur.murmurhash3, "test") self.assertRaises(ValueError, pysss_murmur.murmurhash3) -self.assertRaises(ValueError, pysss_murmur.murmurhash3, "test", -1, 3) -self.assertRaises(ValueError, pysss_murmur.murmurhash3, "test", 2, - 0xff) + +def test_invalid_length(self): +seed = 12345 + +self.assertRaises(ValueError, pysss_murmur.murmurhash3, "t", -1, seed) +# length is off by one +self.assertRaises(ValueError, pysss_murmur.murmurhash3, "test", 5, + seed) self.assertRaises(ValueError, pysss_murmur.murmurhash3, "test", - 0xff, 3) + 0xff, seed) + + +class PySssMurmurTestPos(unittest.TestCase): +@classmethod +def tear_down_dlass(cls): +os.unlink(MODPATH + "/pysss_murmur.so") +os.rmdir(MODPATH) + +def testExpectedHash(self): +sid_str = "S-1-5-21-215332-2176343378-3404031434" +seed = 0xdeadbeef + +hash_val = pysss_murmur.murmurhash3(sid_str, 0, seed) +self.assertEqual(hash_val, 233162409) + +hash_val = pysss_murmur.murmurhash3(sid_str, len(sid_str), seed) +self.assertEqual(hash_val, 93103853) + +def test_memory_cache_usage(self): +seed = 0xbeefdead +input_str = "test_user1" +input_len = len(input_str) + +val_bin = pysss_murmur.murmurhash3(input_str + '\0', + input_len + 1, seed) +self.assertEqual(val_bin, 1198610880) + +val_bin = pysss_murmur.murmurhash3(input_str + '\0' * 5, + input_len + 
5, seed) +self.assertEqual(val_bin, 2917868047) if __name__ == "__main__": @@ -97,9 +124,14 @@ def testInvalidArguments(self): sys.path.insert(0, MODPATH) import pysss_murmur -suite = unittest.TestLoader().loadTestsFromTestCase(PySssMurmurTest) +suite =
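Review bot: in the pysss_murmur.c hunk of patch 1/4, the format changes from `s` to `z#`, and `z` also accepts None, which leaves `key` NULL with a length of 0; a `key_len` of 0 then passes the range check. If None is not meant to be valid input, `s#` gives the same NUL-tolerant parsing without that case. The comparison `(size_t)key_len > input_len` also mixes size_t with the `int input_len`; cast both sides or compare them as signed values.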
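Review bot: in the pysss_murmur-test.py hunk of patch 2/4, the class-level cleanup is renamed from `tearDownClass` to `tear_down_dlass`, a name unittest never calls, so the `os.unlink(MODPATH + "/pysss_murmur.so")` and `os.rmdir(MODPATH)` cleanup no longer runs. Keep the `tearDownClass` name; the snake_case used for the new test methods does not apply to unittest's fixture hooks. `testExpectedHash` is also left in camelCase next to the new `test_*` names.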
[SSSD] [sssd PR#496][comment] sysdb: sanitize search filter input - backport sssd-1-13
URL: https://github.com/SSSD/sssd/pull/496
Title: #496: sysdb: sanitize search filter input - backport sssd-1-13

lslebodn commented:
"""
I added in-line comment.
"""

See the full comment at https://github.com/SSSD/sssd/pull/496#issuecomment-365637557
[SSSD] [sssd PR#496][+Changes requested] sysdb: sanitize search filter input - backport sssd-1-13
URL: https://github.com/SSSD/sssd/pull/496
Title: #496: sysdb: sanitize search filter input - backport sssd-1-13
Label: +Changes requested