subject:"\[SSSD\] \[sssd PR#5867\]\[synchronized\] usertools\: force local user for sssd process user"

[SSSD] [sssd PR#5867][synchronized] usertools: force local user for sssd process user

2021-12-13 Thread ikerexxe

   URL: https://github.com/SSSD/sssd/pull/5867
Author: ikerexxe
 Title: #5867: usertools: force local user for sssd process user
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5867/head:pr5867
git checkout pr5867
From 34e778d3010c8c6c949c7ff9285fb8295db8b19f Mon Sep 17 00:00:00 2001
From: Iker Pedrosa 
Date: Mon, 23 Aug 2021 12:04:42 +0200
Subject: [PATCH 1/2] usertools: force local user for sssd process user

System hardening by forcing the sssd user to be loaded from a local
database (/etc/passwd) instead of using any remote user. This could
happen in very special conditions and might change the owner of the sssd
databases and generate a denial of service.

Signed-off-by: Iker Pedrosa 
---
 Makefile.am   |  3 +
 src/tests/cwrap/Makefile.am   |  8 ++-
 src/tests/cwrap/common_mock_nss_dl_load.c | 77 +++
 src/tests/cwrap/common_mock_nss_dl_load.h | 30 +
 src/tests/cwrap/test_responder_common.c   |  7 +++
 src/tests/cwrap/test_usertools.c  |  6 ++
 src/util/nss_dl_load.c| 13 +++-
 src/util/nss_dl_load.h|  3 +
 src/util/nss_dl_load_extra.c  | 40 
 src/util/usertools.c  | 32 +++---
 10 files changed, 207 insertions(+), 12 deletions(-)
 create mode 100644 src/tests/cwrap/common_mock_nss_dl_load.c
 create mode 100644 src/tests/cwrap/common_mock_nss_dl_load.h
 create mode 100644 src/util/nss_dl_load_extra.c

diff --git a/Makefile.am b/Makefile.am
index f6bc9414d0..ebd92afd55 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -884,6 +884,7 @@ dist_noinst_HEADERS = \
 src/tests/cmocka/test_expire_common.h \
 src/tests/cmocka/test_sdap_access.h \
 src/tests/cmocka/data_provider/mock_dp.h \
+src/tests/cwrap/common_mock_nss_dl_load.h \
 src/sss_client/pam_message.h \
 src/sss_client/ssh/sss_ssh_client.h \
 src/sss_client/sudo/sss_sudo.h \
@@ -1265,6 +1266,8 @@ libsss_util_la_SOURCES = \
 src/util/selinux.c \
 src/util/sss_regexp.c \
 src/util/sss_chain_id.c \
+src/util/nss_dl_load.c \
+src/util/nss_dl_load_extra.c \
 $(NULL)
 libsss_util_la_CFLAGS = \
 $(AM_CFLAGS) \
diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am
index 6d3dc45e57..72791aa590 100644
--- a/src/tests/cwrap/Makefile.am
+++ b/src/tests/cwrap/Makefile.am
@@ -141,15 +141,17 @@ endif
 
 usertools_tests_SOURCES = \
 test_usertools.c \
+common_mock_nss_dl_load.c \
+../../../src/util/usertools.c \
 $(NULL)
 usertools_tests_CFLAGS = \
 $(AM_CFLAGS) \
 $(NULL)
 usertools_tests_LDADD = \
+$(LIBADD_DL) \
 $(CMOCKA_LIBS) \
 $(POPT_LIBS) \
 $(TALLOC_LIBS) \
-$(abs_top_builddir)/libsss_util.la \
 $(abs_top_builddir)/libsss_debug.la \
 $(abs_top_builddir)/libsss_test_common.la \
 $(NULL)
@@ -159,9 +161,10 @@ endif
 
 responder_common_tests_SOURCES =\
 test_responder_common.c \
+common_mock_nss_dl_load.c \
 $(SSSD_RESPONDER_IFACE_OBJ) \
 ../../../src/responder/common/negcache_files.c \
-../../../src/util/nss_dl_load.c \
+../../../src/util/usertools.c \
 ../../../src/responder/common/negcache.c \
 ../../../src/responder/common/responder_common.c \
 ../../../src/responder/common/responder_packet.c \
@@ -179,7 +182,6 @@ responder_common_tests_LDADD = \
 $(SSSD_LIBS) \
 $(SELINUX_LIBS) \
 $(SYSTEMD_DAEMON_LIBS) \
-$(abs_top_builddir)/libsss_util.la \
 $(abs_top_builddir)/libsss_debug.la \
 $(abs_top_builddir)/libsss_test_common.la \
 $(abs_top_builddir)/libsss_iface.la \
diff --git a/src/tests/cwrap/common_mock_nss_dl_load.c b/src/tests/cwrap/common_mock_nss_dl_load.c
new file mode 100644
index 00..72f6c39ac6
--- /dev/null
+++ b/src/tests/cwrap/common_mock_nss_dl_load.c
@@ -0,0 +1,77 @@
+/*
+Authors:
+Iker Pedrosa 
+
+Copyright (C) 2021 Red Hat
+
+SSSD tests: Fake nss dl load
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see .
+*/
+
+#include 
+#include 
+#include 
+#include 
+
+#include "common_mock_nss_dl_load.h"
+
+
+static enum nss_status
+mock_getpwnam_r(const char *name, struct passwd *result,
+char *buffer, size_t buflen, int *errnop)
+{
+void *pwd_pointer = NULL;
+int rc;
+
+rc =

[SSSD] [sssd PR#5867][synchronized] usertools: force local user for sssd process user

2021-12-13 Thread ikerexxe

   URL: https://github.com/SSSD/sssd/pull/5867
Author: ikerexxe
 Title: #5867: usertools: force local user for sssd process user
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5867/head:pr5867
git checkout pr5867
From e98fdc452a58992030d4a5648ade5fe830303c0c Mon Sep 17 00:00:00 2001
From: Iker Pedrosa 
Date: Mon, 23 Aug 2021 12:04:42 +0200
Subject: [PATCH 1/2] usertools: force local user for sssd process user

System hardening by forcing the sssd user to be loaded from a local
database (/etc/passwd) instead of using any remote user. This could
happen in very special conditions and might change the owner of the sssd
databases and generate a denial of service.

Signed-off-by: Iker Pedrosa 
---
 Makefile.am   |  3 +
 src/tests/cwrap/Makefile.am   |  8 ++-
 src/tests/cwrap/common_mock_nss_dl_load.c | 79 +++
 src/tests/cwrap/common_mock_nss_dl_load.h | 30 +
 src/tests/cwrap/test_responder_common.c   |  7 ++
 src/tests/cwrap/test_usertools.c  |  6 ++
 src/util/nss_dl_load.c| 13 +++-
 src/util/nss_dl_load.h|  3 +
 src/util/nss_dl_load_extra.c  | 51 +++
 src/util/usertools.c  | 32 ++---
 10 files changed, 220 insertions(+), 12 deletions(-)
 create mode 100644 src/tests/cwrap/common_mock_nss_dl_load.c
 create mode 100644 src/tests/cwrap/common_mock_nss_dl_load.h
 create mode 100644 src/util/nss_dl_load_extra.c

diff --git a/Makefile.am b/Makefile.am
index f6bc9414d0..ebd92afd55 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -884,6 +884,7 @@ dist_noinst_HEADERS = \
 src/tests/cmocka/test_expire_common.h \
 src/tests/cmocka/test_sdap_access.h \
 src/tests/cmocka/data_provider/mock_dp.h \
+src/tests/cwrap/common_mock_nss_dl_load.h \
 src/sss_client/pam_message.h \
 src/sss_client/ssh/sss_ssh_client.h \
 src/sss_client/sudo/sss_sudo.h \
@@ -1265,6 +1266,8 @@ libsss_util_la_SOURCES = \
 src/util/selinux.c \
 src/util/sss_regexp.c \
 src/util/sss_chain_id.c \
+src/util/nss_dl_load.c \
+src/util/nss_dl_load_extra.c \
 $(NULL)
 libsss_util_la_CFLAGS = \
 $(AM_CFLAGS) \
diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am
index 6d3dc45e57..72791aa590 100644
--- a/src/tests/cwrap/Makefile.am
+++ b/src/tests/cwrap/Makefile.am
@@ -141,15 +141,17 @@ endif
 
 usertools_tests_SOURCES = \
 test_usertools.c \
+common_mock_nss_dl_load.c \
+../../../src/util/usertools.c \
 $(NULL)
 usertools_tests_CFLAGS = \
 $(AM_CFLAGS) \
 $(NULL)
 usertools_tests_LDADD = \
+$(LIBADD_DL) \
 $(CMOCKA_LIBS) \
 $(POPT_LIBS) \
 $(TALLOC_LIBS) \
-$(abs_top_builddir)/libsss_util.la \
 $(abs_top_builddir)/libsss_debug.la \
 $(abs_top_builddir)/libsss_test_common.la \
 $(NULL)
@@ -159,9 +161,10 @@ endif
 
 responder_common_tests_SOURCES =\
 test_responder_common.c \
+common_mock_nss_dl_load.c \
 $(SSSD_RESPONDER_IFACE_OBJ) \
 ../../../src/responder/common/negcache_files.c \
-../../../src/util/nss_dl_load.c \
+../../../src/util/usertools.c \
 ../../../src/responder/common/negcache.c \
 ../../../src/responder/common/responder_common.c \
 ../../../src/responder/common/responder_packet.c \
@@ -179,7 +182,6 @@ responder_common_tests_LDADD = \
 $(SSSD_LIBS) \
 $(SELINUX_LIBS) \
 $(SYSTEMD_DAEMON_LIBS) \
-$(abs_top_builddir)/libsss_util.la \
 $(abs_top_builddir)/libsss_debug.la \
 $(abs_top_builddir)/libsss_test_common.la \
 $(abs_top_builddir)/libsss_iface.la \
diff --git a/src/tests/cwrap/common_mock_nss_dl_load.c b/src/tests/cwrap/common_mock_nss_dl_load.c
new file mode 100644
index 00..3de96f1734
--- /dev/null
+++ b/src/tests/cwrap/common_mock_nss_dl_load.c
@@ -0,0 +1,79 @@
+/*
+Authors:
+Iker Pedrosa 
+
+Copyright (C) 2021 Red Hat
+
+SSSD tests: Fake nss dl load
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see .
+*/
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include "common_mock_nss_dl_load.h"
+
+
+static enum nss_status
+mock_getpwnam_r(const char *name, struct passwd *result,
+char *buffer, size_t buflen, int *errnop)
+{
+void *pwd_pointer = NULL;
+

[SSSD] [sssd PR#5867][synchronized] usertools: force local user for sssd process user

2021-12-09 Thread ikerexxe

   URL: https://github.com/SSSD/sssd/pull/5867
Author: ikerexxe
 Title: #5867: usertools: force local user for sssd process user
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5867/head:pr5867
git checkout pr5867
From 960e8eb116d107282b09236310116e95d9c056a0 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa 
Date: Mon, 23 Aug 2021 12:04:42 +0200
Subject: [PATCH 1/2] usertools: force local user for sssd process user

System hardening by forcing the sssd user to be loaded from a local
database (/etc/passwd) instead of using any remote user. This could
happen in very special conditions and might change the owner of the sssd
databases and generate a denial of service.

Signed-off-by: Iker Pedrosa 
---
 Makefile.am   |  3 +
 src/tests/cwrap/Makefile.am   |  8 ++-
 src/tests/cwrap/common_mock_nss_dl_load.c | 81 +++
 src/tests/cwrap/common_mock_nss_dl_load.h | 30 +
 src/tests/cwrap/test_responder_common.c   |  7 ++
 src/tests/cwrap/test_usertools.c  |  6 ++
 src/util/nss_dl_load.c| 13 +++-
 src/util/nss_dl_load.h|  3 +
 src/util/nss_dl_load_extra.c  | 51 ++
 src/util/usertools.c  | 32 ++---
 10 files changed, 223 insertions(+), 11 deletions(-)
 create mode 100644 src/tests/cwrap/common_mock_nss_dl_load.c
 create mode 100644 src/tests/cwrap/common_mock_nss_dl_load.h
 create mode 100644 src/util/nss_dl_load_extra.c

diff --git a/Makefile.am b/Makefile.am
index f6bc9414d0..ebd92afd55 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -884,6 +884,7 @@ dist_noinst_HEADERS = \
 src/tests/cmocka/test_expire_common.h \
 src/tests/cmocka/test_sdap_access.h \
 src/tests/cmocka/data_provider/mock_dp.h \
+src/tests/cwrap/common_mock_nss_dl_load.h \
 src/sss_client/pam_message.h \
 src/sss_client/ssh/sss_ssh_client.h \
 src/sss_client/sudo/sss_sudo.h \
@@ -1265,6 +1266,8 @@ libsss_util_la_SOURCES = \
 src/util/selinux.c \
 src/util/sss_regexp.c \
 src/util/sss_chain_id.c \
+src/util/nss_dl_load.c \
+src/util/nss_dl_load_extra.c \
 $(NULL)
 libsss_util_la_CFLAGS = \
 $(AM_CFLAGS) \
diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am
index 6d3dc45e57..24e6c4a7c1 100644
--- a/src/tests/cwrap/Makefile.am
+++ b/src/tests/cwrap/Makefile.am
@@ -141,15 +141,18 @@ endif
 
 usertools_tests_SOURCES = \
 test_usertools.c \
+common_mock_nss_dl_load.c \
+../../../src/util/usertools.c \
+../../../src/util/nss_dl_load.c \
 $(NULL)
 usertools_tests_CFLAGS = \
 $(AM_CFLAGS) \
 $(NULL)
 usertools_tests_LDADD = \
+$(LIBADD_DL) \
 $(CMOCKA_LIBS) \
 $(POPT_LIBS) \
 $(TALLOC_LIBS) \
-$(abs_top_builddir)/libsss_util.la \
 $(abs_top_builddir)/libsss_debug.la \
 $(abs_top_builddir)/libsss_test_common.la \
 $(NULL)
@@ -159,9 +162,11 @@ endif
 
 responder_common_tests_SOURCES =\
 test_responder_common.c \
+common_mock_nss_dl_load.c \
 $(SSSD_RESPONDER_IFACE_OBJ) \
 ../../../src/responder/common/negcache_files.c \
 ../../../src/util/nss_dl_load.c \
+../../../src/util/usertools.c \
 ../../../src/responder/common/negcache.c \
 ../../../src/responder/common/responder_common.c \
 ../../../src/responder/common/responder_packet.c \
@@ -179,7 +184,6 @@ responder_common_tests_LDADD = \
 $(SSSD_LIBS) \
 $(SELINUX_LIBS) \
 $(SYSTEMD_DAEMON_LIBS) \
-$(abs_top_builddir)/libsss_util.la \
 $(abs_top_builddir)/libsss_debug.la \
 $(abs_top_builddir)/libsss_test_common.la \
 $(abs_top_builddir)/libsss_iface.la \
diff --git a/src/tests/cwrap/common_mock_nss_dl_load.c b/src/tests/cwrap/common_mock_nss_dl_load.c
new file mode 100644
index 00..9e37f5e615
--- /dev/null
+++ b/src/tests/cwrap/common_mock_nss_dl_load.c
@@ -0,0 +1,81 @@
+/*
+Authors:
+Iker Pedrosa 
+
+Copyright (C) 2021 Red Hat
+
+SSSD tests: Fake nss dl load
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see .
+*/
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include "common_mock_nss_dl_load.h"
+
+
+static enum nss_status
+mock_getpwnam_r(const char *name, struct passwd *result,
+char *buffer, size_t buflen, int

[SSSD] [sssd PR#5867][synchronized] usertools: force local user for sssd process user

2021-12-09 Thread ikerexxe

   URL: https://github.com/SSSD/sssd/pull/5867
Author: ikerexxe
 Title: #5867: usertools: force local user for sssd process user
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5867/head:pr5867
git checkout pr5867
From 7ab4e9d470018fabbceba7ad242e660e5a94a733 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa 
Date: Mon, 23 Aug 2021 12:04:42 +0200
Subject: [PATCH 1/2] usertools: force local user for sssd process user

System hardening by forcing the sssd user to be loaded from a local
database (/etc/passwd) instead of using any remote user. This could
happen in very special conditions and might change the owner of the sssd
databases and generate a denial of service.

Signed-off-by: Iker Pedrosa 
---
 Makefile.am   |  3 +
 src/tests/cwrap/Makefile.am   |  8 ++-
 src/tests/cwrap/common_mock_nss_dl_load.c | 76 +++
 src/tests/cwrap/common_mock_nss_dl_load.h | 30 +
 src/tests/cwrap/test_responder_common.c   |  7 +++
 src/tests/cwrap/test_usertools.c  |  6 ++
 src/util/nss_dl_load.c| 13 +++-
 src/util/nss_dl_load.h|  3 +
 src/util/nss_dl_load_extra.c  | 51 +++
 src/util/usertools.c  | 32 +++---
 10 files changed, 218 insertions(+), 11 deletions(-)
 create mode 100644 src/tests/cwrap/common_mock_nss_dl_load.c
 create mode 100644 src/tests/cwrap/common_mock_nss_dl_load.h
 create mode 100644 src/util/nss_dl_load_extra.c

diff --git a/Makefile.am b/Makefile.am
index f6bc9414d0..ebd92afd55 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -884,6 +884,7 @@ dist_noinst_HEADERS = \
 src/tests/cmocka/test_expire_common.h \
 src/tests/cmocka/test_sdap_access.h \
 src/tests/cmocka/data_provider/mock_dp.h \
+src/tests/cwrap/common_mock_nss_dl_load.h \
 src/sss_client/pam_message.h \
 src/sss_client/ssh/sss_ssh_client.h \
 src/sss_client/sudo/sss_sudo.h \
@@ -1265,6 +1266,8 @@ libsss_util_la_SOURCES = \
 src/util/selinux.c \
 src/util/sss_regexp.c \
 src/util/sss_chain_id.c \
+src/util/nss_dl_load.c \
+src/util/nss_dl_load_extra.c \
 $(NULL)
 libsss_util_la_CFLAGS = \
 $(AM_CFLAGS) \
diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am
index 6d3dc45e57..24e6c4a7c1 100644
--- a/src/tests/cwrap/Makefile.am
+++ b/src/tests/cwrap/Makefile.am
@@ -141,15 +141,18 @@ endif
 
 usertools_tests_SOURCES = \
 test_usertools.c \
+common_mock_nss_dl_load.c \
+../../../src/util/usertools.c \
+../../../src/util/nss_dl_load.c \
 $(NULL)
 usertools_tests_CFLAGS = \
 $(AM_CFLAGS) \
 $(NULL)
 usertools_tests_LDADD = \
+$(LIBADD_DL) \
 $(CMOCKA_LIBS) \
 $(POPT_LIBS) \
 $(TALLOC_LIBS) \
-$(abs_top_builddir)/libsss_util.la \
 $(abs_top_builddir)/libsss_debug.la \
 $(abs_top_builddir)/libsss_test_common.la \
 $(NULL)
@@ -159,9 +162,11 @@ endif
 
 responder_common_tests_SOURCES =\
 test_responder_common.c \
+common_mock_nss_dl_load.c \
 $(SSSD_RESPONDER_IFACE_OBJ) \
 ../../../src/responder/common/negcache_files.c \
 ../../../src/util/nss_dl_load.c \
+../../../src/util/usertools.c \
 ../../../src/responder/common/negcache.c \
 ../../../src/responder/common/responder_common.c \
 ../../../src/responder/common/responder_packet.c \
@@ -179,7 +184,6 @@ responder_common_tests_LDADD = \
 $(SSSD_LIBS) \
 $(SELINUX_LIBS) \
 $(SYSTEMD_DAEMON_LIBS) \
-$(abs_top_builddir)/libsss_util.la \
 $(abs_top_builddir)/libsss_debug.la \
 $(abs_top_builddir)/libsss_test_common.la \
 $(abs_top_builddir)/libsss_iface.la \
diff --git a/src/tests/cwrap/common_mock_nss_dl_load.c b/src/tests/cwrap/common_mock_nss_dl_load.c
new file mode 100644
index 00..88f8ae792e
--- /dev/null
+++ b/src/tests/cwrap/common_mock_nss_dl_load.c
@@ -0,0 +1,76 @@
+/*
+Authors:
+Iker Pedrosa 
+
+Copyright (C) 2021 Red Hat
+
+SSSD tests: Fake nss dl load
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see .
+*/
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include "common_mock_nss_dl_load.h"
+
+
+static enum nss_status
+mock_getpwnam_r(const char *name, struct passwd *result,
+char *buffer, size_t buflen, int

[SSSD] [sssd PR#5867][synchronized] usertools: force local user for sssd process user

2021-12-02 Thread ikerexxe

   URL: https://github.com/SSSD/sssd/pull/5867
Author: ikerexxe
 Title: #5867: usertools: force local user for sssd process user
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5867/head:pr5867
git checkout pr5867
From 64debe4f7983ca26a60f693e09d112b09d624d60 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa 
Date: Mon, 23 Aug 2021 12:04:42 +0200
Subject: [PATCH 1/2] usertools: force local user for sssd process user

System hardening by forcing the sssd user to be loaded from a local
database (/etc/passwd) instead of using any remote user. This could
happen in very special conditions and might change the owner of the sssd
databases and generate a denial of service.

Signed-off-by: Iker Pedrosa 
---
 Makefile.am   |  3 +
 src/tests/cwrap/Makefile.am   |  8 ++-
 src/tests/cwrap/common_mock_nss_dl_load.c | 72 +++
 src/tests/cwrap/common_mock_nss_dl_load.h | 30 ++
 src/tests/cwrap/test_responder_common.c   |  7 +++
 src/tests/cwrap/test_usertools.c  |  6 ++
 src/util/nss_dl_load.c| 11 +++-
 src/util/nss_dl_load.h|  3 +
 src/util/nss_dl_load_extra.c  | 51 
 src/util/usertools.c  | 32 +++---
 10 files changed, 212 insertions(+), 11 deletions(-)
 create mode 100644 src/tests/cwrap/common_mock_nss_dl_load.c
 create mode 100644 src/tests/cwrap/common_mock_nss_dl_load.h
 create mode 100644 src/util/nss_dl_load_extra.c

diff --git a/Makefile.am b/Makefile.am
index f6bc9414d0..ebd92afd55 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -884,6 +884,7 @@ dist_noinst_HEADERS = \
 src/tests/cmocka/test_expire_common.h \
 src/tests/cmocka/test_sdap_access.h \
 src/tests/cmocka/data_provider/mock_dp.h \
+src/tests/cwrap/common_mock_nss_dl_load.h \
 src/sss_client/pam_message.h \
 src/sss_client/ssh/sss_ssh_client.h \
 src/sss_client/sudo/sss_sudo.h \
@@ -1265,6 +1266,8 @@ libsss_util_la_SOURCES = \
 src/util/selinux.c \
 src/util/sss_regexp.c \
 src/util/sss_chain_id.c \
+src/util/nss_dl_load.c \
+src/util/nss_dl_load_extra.c \
 $(NULL)
 libsss_util_la_CFLAGS = \
 $(AM_CFLAGS) \
diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am
index 6d3dc45e57..24e6c4a7c1 100644
--- a/src/tests/cwrap/Makefile.am
+++ b/src/tests/cwrap/Makefile.am
@@ -141,15 +141,18 @@ endif
 
 usertools_tests_SOURCES = \
 test_usertools.c \
+common_mock_nss_dl_load.c \
+../../../src/util/usertools.c \
+../../../src/util/nss_dl_load.c \
 $(NULL)
 usertools_tests_CFLAGS = \
 $(AM_CFLAGS) \
 $(NULL)
 usertools_tests_LDADD = \
+$(LIBADD_DL) \
 $(CMOCKA_LIBS) \
 $(POPT_LIBS) \
 $(TALLOC_LIBS) \
-$(abs_top_builddir)/libsss_util.la \
 $(abs_top_builddir)/libsss_debug.la \
 $(abs_top_builddir)/libsss_test_common.la \
 $(NULL)
@@ -159,9 +162,11 @@ endif
 
 responder_common_tests_SOURCES =\
 test_responder_common.c \
+common_mock_nss_dl_load.c \
 $(SSSD_RESPONDER_IFACE_OBJ) \
 ../../../src/responder/common/negcache_files.c \
 ../../../src/util/nss_dl_load.c \
+../../../src/util/usertools.c \
 ../../../src/responder/common/negcache.c \
 ../../../src/responder/common/responder_common.c \
 ../../../src/responder/common/responder_packet.c \
@@ -179,7 +184,6 @@ responder_common_tests_LDADD = \
 $(SSSD_LIBS) \
 $(SELINUX_LIBS) \
 $(SYSTEMD_DAEMON_LIBS) \
-$(abs_top_builddir)/libsss_util.la \
 $(abs_top_builddir)/libsss_debug.la \
 $(abs_top_builddir)/libsss_test_common.la \
 $(abs_top_builddir)/libsss_iface.la \
diff --git a/src/tests/cwrap/common_mock_nss_dl_load.c b/src/tests/cwrap/common_mock_nss_dl_load.c
new file mode 100644
index 00..ce8e344403
--- /dev/null
+++ b/src/tests/cwrap/common_mock_nss_dl_load.c
@@ -0,0 +1,72 @@
+/*
+Authors:
+Iker Pedrosa 
+
+Copyright (C) 2021 Red Hat
+
+SSSD tests: Fake nss dl load
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see .
+*/
+
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include "common_mock_nss_dl_load.h"
+
+
+static enum nss_status
+mock_getpwnam_r(const char *name, struct passwd *result,
+char *buffer, size_t buflen, int *errnop)
+{
+

[SSSD] [sssd PR#5867][synchronized] usertools: force local user for sssd process user

2021-12-02 Thread ikerexxe

   URL: https://github.com/SSSD/sssd/pull/5867
Author: ikerexxe
 Title: #5867: usertools: force local user for sssd process user
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5867/head:pr5867
git checkout pr5867
From 119fa3c2bb0f2e1a6f10fcb32e18512d9cf150b6 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa 
Date: Mon, 23 Aug 2021 12:04:42 +0200
Subject: [PATCH 1/2] usertools: force local user for sssd process user

System hardening by forcing the sssd user to be loaded from a local
database (/etc/passwd) instead of using any remote user. This could
happen in very special conditions and might change the owner of the sssd
databases and generate a denial of service.

Signed-off-by: Iker Pedrosa 
---
 Makefile.am   |  3 +
 src/tests/cwrap/Makefile.am   |  8 ++-
 src/tests/cwrap/common_mock_nss_dl_load.c | 71 +++
 src/tests/cwrap/common_mock_nss_dl_load.h | 30 ++
 src/tests/cwrap/test_responder_common.c   |  7 +++
 src/tests/cwrap/test_usertools.c  |  6 ++
 src/util/nss_dl_load.c| 11 +++-
 src/util/nss_dl_load.h|  3 +
 src/util/nss_dl_load_extra.c  | 51 
 src/util/usertools.c  | 32 +++---
 10 files changed, 211 insertions(+), 11 deletions(-)
 create mode 100644 src/tests/cwrap/common_mock_nss_dl_load.c
 create mode 100644 src/tests/cwrap/common_mock_nss_dl_load.h
 create mode 100644 src/util/nss_dl_load_extra.c

diff --git a/Makefile.am b/Makefile.am
index f6bc9414d0..ebd92afd55 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -884,6 +884,7 @@ dist_noinst_HEADERS = \
 src/tests/cmocka/test_expire_common.h \
 src/tests/cmocka/test_sdap_access.h \
 src/tests/cmocka/data_provider/mock_dp.h \
+src/tests/cwrap/common_mock_nss_dl_load.h \
 src/sss_client/pam_message.h \
 src/sss_client/ssh/sss_ssh_client.h \
 src/sss_client/sudo/sss_sudo.h \
@@ -1265,6 +1266,8 @@ libsss_util_la_SOURCES = \
 src/util/selinux.c \
 src/util/sss_regexp.c \
 src/util/sss_chain_id.c \
+src/util/nss_dl_load.c \
+src/util/nss_dl_load_extra.c \
 $(NULL)
 libsss_util_la_CFLAGS = \
 $(AM_CFLAGS) \
diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am
index 6d3dc45e57..24e6c4a7c1 100644
--- a/src/tests/cwrap/Makefile.am
+++ b/src/tests/cwrap/Makefile.am
@@ -141,15 +141,18 @@ endif
 
 usertools_tests_SOURCES = \
 test_usertools.c \
+common_mock_nss_dl_load.c \
+../../../src/util/usertools.c \
+../../../src/util/nss_dl_load.c \
 $(NULL)
 usertools_tests_CFLAGS = \
 $(AM_CFLAGS) \
 $(NULL)
 usertools_tests_LDADD = \
+$(LIBADD_DL) \
 $(CMOCKA_LIBS) \
 $(POPT_LIBS) \
 $(TALLOC_LIBS) \
-$(abs_top_builddir)/libsss_util.la \
 $(abs_top_builddir)/libsss_debug.la \
 $(abs_top_builddir)/libsss_test_common.la \
 $(NULL)
@@ -159,9 +162,11 @@ endif
 
 responder_common_tests_SOURCES =\
 test_responder_common.c \
+common_mock_nss_dl_load.c \
 $(SSSD_RESPONDER_IFACE_OBJ) \
 ../../../src/responder/common/negcache_files.c \
 ../../../src/util/nss_dl_load.c \
+../../../src/util/usertools.c \
 ../../../src/responder/common/negcache.c \
 ../../../src/responder/common/responder_common.c \
 ../../../src/responder/common/responder_packet.c \
@@ -179,7 +184,6 @@ responder_common_tests_LDADD = \
 $(SSSD_LIBS) \
 $(SELINUX_LIBS) \
 $(SYSTEMD_DAEMON_LIBS) \
-$(abs_top_builddir)/libsss_util.la \
 $(abs_top_builddir)/libsss_debug.la \
 $(abs_top_builddir)/libsss_test_common.la \
 $(abs_top_builddir)/libsss_iface.la \
diff --git a/src/tests/cwrap/common_mock_nss_dl_load.c b/src/tests/cwrap/common_mock_nss_dl_load.c
new file mode 100644
index 00..f42c5be383
--- /dev/null
+++ b/src/tests/cwrap/common_mock_nss_dl_load.c
@@ -0,0 +1,71 @@
+/*
+Authors:
+Iker Pedrosa 
+
+Copyright (C) 2021 Red Hat
+
+SSSD tests: Fake nss dl load
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see .
+*/
+
+#include 
+#include 
+#include 
+#include 
+
+#include "common_mock_nss_dl_load.h"
+
+
+static enum nss_status
+mock_getpwnam_r(const char *name, struct passwd *result,
+char *buffer, size_t buflen, int *errnop)
+{
+void

[SSSD] [sssd PR#5867][synchronized] usertools: force local user for sssd process user

2021-11-29 Thread ikerexxe

   URL: https://github.com/SSSD/sssd/pull/5867
Author: ikerexxe
 Title: #5867: usertools: force local user for sssd process user
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5867/head:pr5867
git checkout pr5867
From bf6b2409da7857f079cf0a9250df10f1bc71ed23 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa 
Date: Mon, 23 Aug 2021 12:04:42 +0200
Subject: [PATCH 1/2] usertools: force local user for sssd process user

System hardening by forcing the sssd user to be loaded from a local
database (/etc/passwd) instead of using any remote user. This could
happen in very special conditions and might change the owner of the sssd
databases and generate a denial of service.

Signed-off-by: Iker Pedrosa 
---
 Makefile.am   |   3 +
 src/tests/cwrap/Makefile.am   |   8 +-
 src/tests/cwrap/common_mock_nss_dl_load.c | 115 ++
 src/tests/cwrap/common_mock_nss_dl_load.h |  30 ++
 src/tests/cwrap/test_responder_common.c   |   7 ++
 src/tests/cwrap/test_usertools.c  |   6 ++
 src/util/usertools.c  |  28 --
 src/util/usertools_extra.c|  50 ++
 src/util/util.h   |   3 +
 9 files changed, 241 insertions(+), 9 deletions(-)
 create mode 100644 src/tests/cwrap/common_mock_nss_dl_load.c
 create mode 100644 src/tests/cwrap/common_mock_nss_dl_load.h
 create mode 100644 src/util/usertools_extra.c

diff --git a/Makefile.am b/Makefile.am
index f6bc9414d0..301f6b5800 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -884,6 +884,7 @@ dist_noinst_HEADERS = \
 src/tests/cmocka/test_expire_common.h \
 src/tests/cmocka/test_sdap_access.h \
 src/tests/cmocka/data_provider/mock_dp.h \
+src/tests/cwrap/common_mock_nss_dl_load.h \
 src/sss_client/pam_message.h \
 src/sss_client/ssh/sss_ssh_client.h \
 src/sss_client/sudo/sss_sudo.h \
@@ -1237,6 +1238,7 @@ libsss_util_la_SOURCES = \
 src/util/server.c \
 src/util/signal.c \
 src/util/usertools.c \
+src/util/usertools_extra.c \
 src/util/backup_file.c \
 src/util/strtonum.c \
 src/util/check_and_open.c \
@@ -1265,6 +1267,7 @@ libsss_util_la_SOURCES = \
 src/util/selinux.c \
 src/util/sss_regexp.c \
 src/util/sss_chain_id.c \
+src/util/nss_dl_load.c \
 $(NULL)
 libsss_util_la_CFLAGS = \
 $(AM_CFLAGS) \
diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am
index 6d3dc45e57..24e6c4a7c1 100644
--- a/src/tests/cwrap/Makefile.am
+++ b/src/tests/cwrap/Makefile.am
@@ -141,15 +141,18 @@ endif
 
 usertools_tests_SOURCES = \
 test_usertools.c \
+common_mock_nss_dl_load.c \
+../../../src/util/usertools.c \
+../../../src/util/nss_dl_load.c \
 $(NULL)
 usertools_tests_CFLAGS = \
 $(AM_CFLAGS) \
 $(NULL)
 usertools_tests_LDADD = \
+$(LIBADD_DL) \
 $(CMOCKA_LIBS) \
 $(POPT_LIBS) \
 $(TALLOC_LIBS) \
-$(abs_top_builddir)/libsss_util.la \
 $(abs_top_builddir)/libsss_debug.la \
 $(abs_top_builddir)/libsss_test_common.la \
 $(NULL)
@@ -159,9 +162,11 @@ endif
 
 responder_common_tests_SOURCES =\
 test_responder_common.c \
+common_mock_nss_dl_load.c \
 $(SSSD_RESPONDER_IFACE_OBJ) \
 ../../../src/responder/common/negcache_files.c \
 ../../../src/util/nss_dl_load.c \
+../../../src/util/usertools.c \
 ../../../src/responder/common/negcache.c \
 ../../../src/responder/common/responder_common.c \
 ../../../src/responder/common/responder_packet.c \
@@ -179,7 +184,6 @@ responder_common_tests_LDADD = \
 $(SSSD_LIBS) \
 $(SELINUX_LIBS) \
 $(SYSTEMD_DAEMON_LIBS) \
-$(abs_top_builddir)/libsss_util.la \
 $(abs_top_builddir)/libsss_debug.la \
 $(abs_top_builddir)/libsss_test_common.la \
 $(abs_top_builddir)/libsss_iface.la \
diff --git a/src/tests/cwrap/common_mock_nss_dl_load.c b/src/tests/cwrap/common_mock_nss_dl_load.c
new file mode 100644
index 00..ebe006b591
--- /dev/null
+++ b/src/tests/cwrap/common_mock_nss_dl_load.c
@@ -0,0 +1,115 @@
+/*
+Authors:
+Iker Pedrosa 
+
+Copyright (C) 2021 Red Hat
+
+SSSD tests: Fake nss dl load
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see .
+*/
+
+#include 
+#include 
+#include 
+#include 
+
+#include "common_mock_nss_dl_load.h"
+

[SSSD] [sssd PR#5867][synchronized] usertools: force local user for sssd process user

2021-11-12 Thread ikerexxe

   URL: https://github.com/SSSD/sssd/pull/5867
Author: ikerexxe
 Title: #5867: usertools: force local user for sssd process user
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5867/head:pr5867
git checkout pr5867
From 18e8f2a37adbeece5aa3bff671eac7b5d1e8b720 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa 
Date: Mon, 23 Aug 2021 12:04:42 +0200
Subject: [PATCH 1/2] usertools: force local user for sssd process user

System hardening by forcing the sssd user to be loaded from a local
database (/etc/passwd) instead of using any remote user. This could
happen in very special conditions and might change the owner of the sssd
databases and generate a denial of service.

Signed-off-by: Iker Pedrosa 
---
 Makefile.am   |   3 +
 src/monitor/monitor.c |   6 +-
 src/providers/ipa/ipa_common.h|   3 +
 src/providers/ipa/ipa_subdomains_server.c |   3 +-
 src/responder/common/responder.h  |   5 +-
 src/responder/common/responder_common.c   |   6 +-
 src/responder/ifp/ifp_private.h   |   4 +
 src/responder/ifp/ifpsrv.c|   2 +-
 src/responder/nss/nss_private.h   |   4 +
 src/responder/nss/nsssrv.c|   4 +-
 src/responder/pac/pacsrv.c|   2 +-
 src/responder/pac/pacsrv.h|   4 +
 src/responder/pam/pamsrv.c|   2 +-
 src/responder/pam/pamsrv.h|   4 +
 src/tests/cwrap/Makefile.am   |   8 +-
 src/tests/cwrap/common_mock_nss_dl_load.c | 115 ++
 src/tests/cwrap/common_mock_nss_dl_load.h |  30 ++
 src/tests/cwrap/test_responder_common.c   |  22 -
 src/tests/cwrap/test_usertools.c  |  41 +++-
 src/tests/responder_socket_access-tests.c |  10 +-
 src/util/usertools.c  |  60 +--
 src/util/usertools_extra.c|  53 ++
 src/util/util.h   |   6 +-
 23 files changed, 365 insertions(+), 32 deletions(-)
 create mode 100644 src/tests/cwrap/common_mock_nss_dl_load.c
 create mode 100644 src/tests/cwrap/common_mock_nss_dl_load.h
 create mode 100644 src/util/usertools_extra.c

diff --git a/Makefile.am b/Makefile.am
index f6bc9414d0..301f6b5800 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -884,6 +884,7 @@ dist_noinst_HEADERS = \
 src/tests/cmocka/test_expire_common.h \
 src/tests/cmocka/test_sdap_access.h \
 src/tests/cmocka/data_provider/mock_dp.h \
+src/tests/cwrap/common_mock_nss_dl_load.h \
 src/sss_client/pam_message.h \
 src/sss_client/ssh/sss_ssh_client.h \
 src/sss_client/sudo/sss_sudo.h \
@@ -1237,6 +1238,7 @@ libsss_util_la_SOURCES = \
 src/util/server.c \
 src/util/signal.c \
 src/util/usertools.c \
+src/util/usertools_extra.c \
 src/util/backup_file.c \
 src/util/strtonum.c \
 src/util/check_and_open.c \
@@ -1265,6 +1267,7 @@ libsss_util_la_SOURCES = \
 src/util/selinux.c \
 src/util/sss_regexp.c \
 src/util/sss_chain_id.c \
+src/util/nss_dl_load.c \
 $(NULL)
 libsss_util_la_CFLAGS = \
 $(AM_CFLAGS) \
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 55cb0838aa..86ec612600 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -173,6 +173,9 @@ struct mt_ctx {
 /* For running unprivileged services */
 uid_t uid;
 gid_t gid;
+
+/* Dynamic library load */
+struct sss_nss_ops ops;
 };
 
 static int start_service(struct mt_svc *mt_svc);
@@ -882,7 +885,8 @@ static int get_service_user(struct mt_ctx *ctx)
 return ret;
 }
 
-ret = sss_user_by_name_or_uid(user_str, >uid, >gid);
+
+ret = sss_user_by_name_or_uid(>ops, user_str, >uid, >gid);
 talloc_free(user_str);
 if (ret != EOK) {
 DEBUG(SSSDBG_FATAL_FAILURE, "Failed to set allowed UIDs.\n");
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index eb0eda8eb1..034af39efc 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -208,6 +208,9 @@ struct ipa_id_ctx {
 char *view_name;
 /* Only used with server mode */
 struct ipa_server_mode_ctx *server_mode;
+
+/* Dynamic library load */
+struct sss_nss_ops ops;
 };
 
 struct ipa_options {
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
index deb2c2ceec..d355ccf25a 100644
--- a/src/providers/ipa/ipa_subdomains_server.c
+++ b/src/providers/ipa/ipa_subdomains_server.c
@@ -1195,7 +1195,8 @@ int ipa_ad_subdom_init(struct be_ctx *be_ctx,
 /* We need to handle keytabs created by IPA oddjob script gracefully
  * even if we're running as root and IPA creates them as the SSSD user
  */
-ret = sss_user_by_name_or_uid(SSSD_USER,
+ret = sss_user_by_name_or_uid(_ctx->ops,
+  SSSD_USER,

[SSSD] [sssd PR#5867][synchronized] usertools: force local user for sssd process user

2021-11-10 Thread ikerexxe

   URL: https://github.com/SSSD/sssd/pull/5867
Author: ikerexxe
 Title: #5867: usertools: force local user for sssd process user
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5867/head:pr5867
git checkout pr5867
From e966aa8a212f0f6eaa5087a3ace8cdcd20dd69ec Mon Sep 17 00:00:00 2001
From: Iker Pedrosa 
Date: Mon, 23 Aug 2021 12:04:42 +0200
Subject: [PATCH 1/2] usertools: force local user for sssd process user

System hardening by forcing the sssd user to be loaded from a local
database (/etc/passwd) instead of using any remote user. This could
happen in very special conditions and might change the owner of the sssd
databases and generate a denial of service.

Signed-off-by: Iker Pedrosa 
---
 Makefile.am   |   3 +
 src/monitor/monitor.c |   6 +-
 src/providers/ipa/ipa_common.h|   3 +
 src/providers/ipa/ipa_subdomains_server.c |   3 +-
 src/responder/common/responder.h  |   5 +-
 src/responder/common/responder_common.c   |   6 +-
 src/responder/ifp/ifp_private.h   |   4 +
 src/responder/ifp/ifpsrv.c|   2 +-
 src/responder/nss/nss_private.h   |   4 +
 src/responder/nss/nsssrv.c|   4 +-
 src/responder/pac/pacsrv.c|   2 +-
 src/responder/pac/pacsrv.h|   4 +
 src/responder/pam/pamsrv.c|   2 +-
 src/responder/pam/pamsrv.h|   4 +
 src/tests/cwrap/Makefile.am   |   8 +-
 src/tests/cwrap/common_mock_nss_dl_load.c | 115 ++
 src/tests/cwrap/common_mock_nss_dl_load.h |  30 ++
 src/tests/cwrap/test_responder_common.c   |  22 -
 src/tests/cwrap/test_usertools.c  |  41 +++-
 src/tests/responder_socket_access-tests.c |  10 +-
 src/util/usertools.c  |  60 +--
 src/util/usertools_extra.c|  53 ++
 src/util/util.h   |   6 +-
 23 files changed, 365 insertions(+), 32 deletions(-)
 create mode 100644 src/tests/cwrap/common_mock_nss_dl_load.c
 create mode 100644 src/tests/cwrap/common_mock_nss_dl_load.h
 create mode 100644 src/util/usertools_extra.c

diff --git a/Makefile.am b/Makefile.am
index f6bc9414d0..301f6b5800 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -884,6 +884,7 @@ dist_noinst_HEADERS = \
 src/tests/cmocka/test_expire_common.h \
 src/tests/cmocka/test_sdap_access.h \
 src/tests/cmocka/data_provider/mock_dp.h \
+src/tests/cwrap/common_mock_nss_dl_load.h \
 src/sss_client/pam_message.h \
 src/sss_client/ssh/sss_ssh_client.h \
 src/sss_client/sudo/sss_sudo.h \
@@ -1237,6 +1238,7 @@ libsss_util_la_SOURCES = \
 src/util/server.c \
 src/util/signal.c \
 src/util/usertools.c \
+src/util/usertools_extra.c \
 src/util/backup_file.c \
 src/util/strtonum.c \
 src/util/check_and_open.c \
@@ -1265,6 +1267,7 @@ libsss_util_la_SOURCES = \
 src/util/selinux.c \
 src/util/sss_regexp.c \
 src/util/sss_chain_id.c \
+src/util/nss_dl_load.c \
 $(NULL)
 libsss_util_la_CFLAGS = \
 $(AM_CFLAGS) \
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 55cb0838aa..86ec612600 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -173,6 +173,9 @@ struct mt_ctx {
 /* For running unprivileged services */
 uid_t uid;
 gid_t gid;
+
+/* Dynamic library load */
+struct sss_nss_ops ops;
 };
 
 static int start_service(struct mt_svc *mt_svc);
@@ -882,7 +885,8 @@ static int get_service_user(struct mt_ctx *ctx)
 return ret;
 }
 
-ret = sss_user_by_name_or_uid(user_str, >uid, >gid);
+
+ret = sss_user_by_name_or_uid(>ops, user_str, >uid, >gid);
 talloc_free(user_str);
 if (ret != EOK) {
 DEBUG(SSSDBG_FATAL_FAILURE, "Failed to set allowed UIDs.\n");
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index eb0eda8eb1..034af39efc 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -208,6 +208,9 @@ struct ipa_id_ctx {
 char *view_name;
 /* Only used with server mode */
 struct ipa_server_mode_ctx *server_mode;
+
+/* Dynamic library load */
+struct sss_nss_ops ops;
 };
 
 struct ipa_options {
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
index deb2c2ceec..d355ccf25a 100644
--- a/src/providers/ipa/ipa_subdomains_server.c
+++ b/src/providers/ipa/ipa_subdomains_server.c
@@ -1195,7 +1195,8 @@ int ipa_ad_subdom_init(struct be_ctx *be_ctx,
 /* We need to handle keytabs created by IPA oddjob script gracefully
  * even if we're running as root and IPA creates them as the SSSD user
  */
-ret = sss_user_by_name_or_uid(SSSD_USER,
+ret = sss_user_by_name_or_uid(_ctx->ops,
+  SSSD_USER,

[SSSD] [sssd PR#5867][synchronized] usertools: force local user for sssd process user

2021-11-10 Thread ikerexxe

   URL: https://github.com/SSSD/sssd/pull/5867
Author: ikerexxe
 Title: #5867: usertools: force local user for sssd process user
Action: synchronized

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5867/head:pr5867
git checkout pr5867
From 6ae47cc580fbf644c56ace1fe54e40f6f01632a5 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa 
Date: Mon, 23 Aug 2021 12:04:42 +0200
Subject: [PATCH 1/2] usertools: force local user for sssd process user

System hardening by forcing the sssd user to be loaded from a local
database (/etc/passwd) instead of using any remote user. This could
happen in very special conditions and might change the owner of the sssd
databases and generate a denial of service.

Signed-off-by: Iker Pedrosa 
---
 Makefile.am   |   3 +
 src/monitor/monitor.c |   6 +-
 src/providers/ipa/ipa_common.h|   3 +
 src/providers/ipa/ipa_subdomains_server.c |   3 +-
 src/responder/common/responder.h  |   5 +-
 src/responder/common/responder_common.c   |   6 +-
 src/responder/ifp/ifp_private.h   |   4 +
 src/responder/ifp/ifpsrv.c|   2 +-
 src/responder/nss/nss_private.h   |   4 +
 src/responder/nss/nsssrv.c|   4 +-
 src/responder/pac/pacsrv.c|   2 +-
 src/responder/pac/pacsrv.h|   4 +
 src/responder/pam/pamsrv.c|   2 +-
 src/responder/pam/pamsrv.h|   4 +
 src/tests/cwrap/Makefile.am   |   8 +-
 src/tests/cwrap/common_mock_nss_dl_load.c | 115 ++
 src/tests/cwrap/common_mock_nss_dl_load.h |  30 ++
 src/tests/cwrap/test_responder_common.c   |  22 -
 src/tests/cwrap/test_usertools.c  |  41 +++-
 src/tests/responder_socket_access-tests.c |  11 ++-
 src/util/usertools.c  |  60 +--
 src/util/usertools_extra.c|  53 ++
 src/util/util.h   |   6 +-
 23 files changed, 366 insertions(+), 32 deletions(-)
 create mode 100644 src/tests/cwrap/common_mock_nss_dl_load.c
 create mode 100644 src/tests/cwrap/common_mock_nss_dl_load.h
 create mode 100644 src/util/usertools_extra.c

diff --git a/Makefile.am b/Makefile.am
index f6bc9414d0..301f6b5800 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -884,6 +884,7 @@ dist_noinst_HEADERS = \
 src/tests/cmocka/test_expire_common.h \
 src/tests/cmocka/test_sdap_access.h \
 src/tests/cmocka/data_provider/mock_dp.h \
+src/tests/cwrap/common_mock_nss_dl_load.h \
 src/sss_client/pam_message.h \
 src/sss_client/ssh/sss_ssh_client.h \
 src/sss_client/sudo/sss_sudo.h \
@@ -1237,6 +1238,7 @@ libsss_util_la_SOURCES = \
 src/util/server.c \
 src/util/signal.c \
 src/util/usertools.c \
+src/util/usertools_extra.c \
 src/util/backup_file.c \
 src/util/strtonum.c \
 src/util/check_and_open.c \
@@ -1265,6 +1267,7 @@ libsss_util_la_SOURCES = \
 src/util/selinux.c \
 src/util/sss_regexp.c \
 src/util/sss_chain_id.c \
+src/util/nss_dl_load.c \
 $(NULL)
 libsss_util_la_CFLAGS = \
 $(AM_CFLAGS) \
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
index 55cb0838aa..86ec612600 100644
--- a/src/monitor/monitor.c
+++ b/src/monitor/monitor.c
@@ -173,6 +173,9 @@ struct mt_ctx {
 /* For running unprivileged services */
 uid_t uid;
 gid_t gid;
+
+/* Dynamic library load */
+struct sss_nss_ops ops;
 };
 
 static int start_service(struct mt_svc *mt_svc);
@@ -882,7 +885,8 @@ static int get_service_user(struct mt_ctx *ctx)
 return ret;
 }
 
-ret = sss_user_by_name_or_uid(user_str, >uid, >gid);
+
+ret = sss_user_by_name_or_uid(>ops, user_str, >uid, >gid);
 talloc_free(user_str);
 if (ret != EOK) {
 DEBUG(SSSDBG_FATAL_FAILURE, "Failed to set allowed UIDs.\n");
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index eb0eda8eb1..034af39efc 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -208,6 +208,9 @@ struct ipa_id_ctx {
 char *view_name;
 /* Only used with server mode */
 struct ipa_server_mode_ctx *server_mode;
+
+/* Dynamic library load */
+struct sss_nss_ops ops;
 };
 
 struct ipa_options {
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
index deb2c2ceec..d355ccf25a 100644
--- a/src/providers/ipa/ipa_subdomains_server.c
+++ b/src/providers/ipa/ipa_subdomains_server.c
@@ -1195,7 +1195,8 @@ int ipa_ad_subdom_init(struct be_ctx *be_ctx,
 /* We need to handle keytabs created by IPA oddjob script gracefully
  * even if we're running as root and IPA creates them as the SSSD user
  */
-ret = sss_user_by_name_or_uid(SSSD_USER,
+ret = sss_user_by_name_or_uid(_ctx->ops,
+  SSSD_USER,

[SSSD] [sssd PR#5867][synchronized] usertools: force local user for sssd process user

[SSSD] [sssd PR#5867][synchronized] usertools: force local user for sssd process user

[SSSD] [sssd PR#5867][synchronized] usertools: force local user for sssd process user

[SSSD] [sssd PR#5867][synchronized] usertools: force local user for sssd process user

[SSSD] [sssd PR#5867][synchronized] usertools: force local user for sssd process user

[SSSD] [sssd PR#5867][synchronized] usertools: force local user for sssd process user

[SSSD] [sssd PR#5867][synchronized] usertools: force local user for sssd process user

[SSSD] [sssd PR#5867][synchronized] usertools: force local user for sssd process user

[SSSD] [sssd PR#5867][synchronized] usertools: force local user for sssd process user

[SSSD] [sssd PR#5867][synchronized] usertools: force local user for sssd process user

10 matches

Site Navigation

Mail list logo

Footer information