[Pkg-sssd-devel] sssd: Changes to 'debian-unstable'
Timo Aaltonen
tjaalton-guest at alioth.debian.org
Mon Apr 8 14:44:57 UTC 2013
Rebased ref, commits from common ancestor:
commit ae9efb25d843f5b242c380943d0301e0cec1b33e
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date: Mon Apr 8 17:44:02 2013 +0300
cve-2013-0287-*.diff: Patches from upstream stable tree to fix CVE-2013-0287 (versions 1.9.0 and up).
diff --git a/debian/changelog b/debian/changelog
index bb7c635..8454e43 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -41,6 +41,8 @@ sssd (1.9.4-1) UNRELEASED; urgency=low
correctly substituted. (LP: #1079938)
* sssd.dirs: Add krb5 include dir.
* fix-cve-2013-0219*.diff, -0220.diff: Dropped, included upstream.
+ * cve-2013-0287-*.diff: Patches from upstream stable tree to fix
+ CVE-2013-0287 (versions 1.9.0 and up).
[ Stéphane Graber ]
* Add postinst/postrm script for libsss-sudo. Those will add a "sudoers"
diff --git a/debian/patches/cve-2013-0287-1.diff b/debian/patches/cve-2013-0287-1.diff
new file mode 100644
index 0000000..f8eff05
--- /dev/null
+++ b/debian/patches/cve-2013-0287-1.diff
@@ -0,0 +1,230 @@
+commit b63830b142053f99bfe954d4be5a2b0f68ce3a93
+Author: Jakub Hrozek <jhrozek at redhat.com>
+Date: Fri Feb 22 11:01:38 2013 +0100
+
+ Provide a be_get_account_info_send function
+
+ In order to resolve group names in the simple access provider we need to
+ contact the Data Provider in a generic fashion from the access provider.
+ We can't call any particular implementation (like sdap_generic_send())
+ because we have no idea what kind of provider is configured as the
+ id_provider.
+
+ This patch splits introduces the be_file_account_request() function into
+ the data_provider_be module and makes it public.
+
+ A future patch should make the be_get_account_info function use the
+ be_get_account_info_send function.
+
+diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
+index b261bf8..f85a04d 100644
+--- a/src/providers/data_provider_be.c
++++ b/src/providers/data_provider_be.c
+@@ -717,6 +717,34 @@ static errno_t be_initgroups_prereq(struct be_req *be_req)
+ }
+
+ static errno_t
++be_file_account_request(struct be_req *be_req, struct be_acct_req *ar)
++{
++ errno_t ret;
++ struct be_ctx *be_ctx = be_req->be_ctx;
++
++ be_req->req_data = ar;
++
++ /* see if we need a pre request call, only done for initgroups for now */
++ if ((ar->entry_type & 0xFF) == BE_REQ_INITGROUPS) {
++ ret = be_initgroups_prereq(be_req);
++ if (ret) {
++ DEBUG(SSSDBG_CRIT_FAILURE, ("Prerequest failed"));
++ return ret;
++ }
++ }
++
++ /* process request */
++ ret = be_file_request(be_ctx, be_req,
++ be_ctx->bet_info[BET_ID].bet_ops->handler);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to file request"));
++ return ret;
++ }
++
++ return EOK;
++}
++
++static errno_t
+ split_name_extended(TALLOC_CTX *mem_ctx,
+ const char *filter,
+ char **name,
+@@ -742,6 +770,110 @@ split_name_extended(TALLOC_CTX *mem_ctx,
+ return EOK;
+ }
+
++static void
++be_get_account_info_done(struct be_req *be_req,
++ int dp_err, int dp_ret,
++ const char *errstr);
++
++struct be_get_account_info_state {
++ int err_maj;
++ int err_min;
++ const char *err_msg;
++};
++
++struct tevent_req *
++be_get_account_info_send(TALLOC_CTX *mem_ctx,
++ struct tevent_context *ev,
++ struct be_client *becli,
++ struct be_ctx *be_ctx,
++ struct be_acct_req *ar)
++{
++ struct tevent_req *req;
++ struct be_get_account_info_state *state;
++ struct be_req *be_req;
++ errno_t ret;
++
++ req = tevent_req_create(mem_ctx, &state,
++ struct be_get_account_info_state);
++ if (!req) return NULL;
++
++ be_req = talloc_zero(mem_ctx, struct be_req);
++ if (be_req == NULL) {
++ ret = ENOMEM;
++ goto done;
++ }
++
++ be_req->becli = becli;
++ be_req->be_ctx = be_ctx;
++ be_req->fn = be_get_account_info_done;
++ be_req->pvt = req;
++
++ ret = be_file_account_request(be_req, ar);
++ if (ret != EOK) {
++ goto done;
++ }
++
++ return req;
++
++done:
++ tevent_req_error(req, ret);
++ tevent_req_post(req, ev);
++ return req;
++}
++
++static void
++be_get_account_info_done(struct be_req *be_req,
++ int dp_err, int dp_ret,
++ const char *errstr)
++{
++ struct tevent_req *req;
++ struct be_get_account_info_state *state;
++
++ req = talloc_get_type(be_req->pvt, struct tevent_req);
++ state = tevent_req_data(req, struct be_get_account_info_state);
++
++ state->err_maj = dp_err;
++ state->err_min = dp_ret;
++ if (errstr) {
++ state->err_msg = talloc_strdup(state, errstr);
++ if (state->err_msg == NULL) {
++ talloc_free(be_req);
++ tevent_req_error(req, ENOMEM);
++ return;
++ }
++ }
++
++ talloc_free(be_req);
++ tevent_req_done(req);
++}
++
++errno_t be_get_account_info_recv(struct tevent_req *req,
++ TALLOC_CTX *mem_ctx,
++ int *_err_maj,
++ int *_err_min,
++ const char **_err_msg)
++{
++ struct be_get_account_info_state *state;
++
++ state = tevent_req_data(req, struct be_get_account_info_state);
++
++ TEVENT_REQ_RETURN_ON_ERROR(req);
++
++ if (_err_maj) {
++ *_err_maj = state->err_maj;
++ }
++
++ if (_err_min) {
++ *_err_min = state->err_min;
++ }
++
++ if (_err_msg) {
++ *_err_msg = talloc_steal(mem_ctx, state->err_msg);
++ }
++
++ return EOK;
++}
++
+ static int be_get_account_info(DBusMessage *message, struct sbus_connection *conn)
+ {
+ struct be_acct_req *req;
+@@ -845,8 +977,6 @@ static int be_get_account_info(DBusMessage *message, struct sbus_connection *con
+ goto done;
+ }
+
+- be_req->req_data = req;
+-
+ if ((attr_type != BE_ATTR_CORE) &&
+ (attr_type != BE_ATTR_MEM) &&
+ (attr_type != BE_ATTR_ALL)) {
+@@ -893,26 +1023,11 @@ static int be_get_account_info(DBusMessage *message, struct sbus_connection *con
+ goto done;
+ }
+
+- /* see if we need a pre request call, only done for initgroups for now */
+- if ((type & 0xFF) == BE_REQ_INITGROUPS) {
+- ret = be_initgroups_prereq(be_req);
+- if (ret) {
+- err_maj = DP_ERR_FATAL;
+- err_min = ret;
+- err_msg = "Prerequest failed";
+- goto done;
+- }
+- }
+-
+- /* process request */
+-
+- ret = be_file_request(becli->bectx->bet_info[BET_ID].pvt_bet_data,
+- be_req,
+- becli->bectx->bet_info[BET_ID].bet_ops->handler);
++ ret = be_file_account_request(be_req, req);
+ if (ret != EOK) {
+ err_maj = DP_ERR_FATAL;
+ err_min = ret;
+- err_msg = "Failed to file request";
++ err_msg = "Cannot file account request";
+ goto done;
+ }
+
+diff --git a/src/providers/dp_backend.h b/src/providers/dp_backend.h
+index 58a9b74..743b6f4 100644
+--- a/src/providers/dp_backend.h
++++ b/src/providers/dp_backend.h
+@@ -258,4 +258,19 @@ int be_fo_run_callbacks_at_next_request(struct be_ctx *ctx,
+ const char *service_name);
+
+ void reset_fo(struct be_ctx *be_ctx);
++
++/* Request account information */
++struct tevent_req *
++be_get_account_info_send(TALLOC_CTX *mem_ctx,
++ struct tevent_context *ev,
++ struct be_client *becli,
++ struct be_ctx *be_ctx,
++ struct be_acct_req *ar);
++
++errno_t be_get_account_info_recv(struct tevent_req *req,
++ TALLOC_CTX *mem_ctx,
++ int *_err_maj,
++ int *_err_min,
++ const char **_err_msg);
++
+ #endif /* __DP_BACKEND_H___ */
diff --git a/debian/patches/cve-2013-0287-2.diff b/debian/patches/cve-2013-0287-2.diff
new file mode 100644
index 0000000..b6339e1
--- /dev/null
+++ b/debian/patches/cve-2013-0287-2.diff
@@ -0,0 +1,408 @@
+commit 754b09b5444e6da88ed58d6deaed8b815e268b6b
+Author: Jakub Hrozek <jhrozek at redhat.com>
+Date: Sun Mar 3 21:43:44 2013 +0100
+
+ Add unit tests for simple access test by groups
+
+ I realized that the current unit tests for the simple access provider
+ only tested the user directives. To have a baseline and be able to
+ detect new bugs in the upcoming patch, I implemented unit tests for the
+ group lists, too.
+
+diff --git a/src/tests/simple_access-tests.c b/src/tests/simple_access-tests.c
+index c61814e..577c6d3 100644
+--- a/src/tests/simple_access-tests.c
++++ b/src/tests/simple_access-tests.c
+@@ -30,39 +30,152 @@
+ #include "providers/simple/simple_access.h"
+ #include "tests/common.h"
+
++#define TESTS_PATH "tests_simple_access"
++#define TEST_CONF_FILE "tests_conf.ldb"
++
+ const char *ulist_1[] = {"u1", "u2", NULL};
++const char *glist_1[] = {"g1", "g2", NULL};
++
++struct simple_test_ctx *test_ctx = NULL;
++
++struct simple_test_ctx {
++ struct sysdb_ctx *sysdb;
++ struct confdb_ctx *confdb;
+
+-struct simple_ctx *ctx = NULL;
++ struct simple_ctx *ctx;
++};
+
+ void setup_simple(void)
+ {
+- fail_unless(ctx == NULL, "Simple context already initialized.");
+- ctx = talloc_zero(NULL, struct simple_ctx);
+- fail_unless(ctx != NULL, "Cannot create simple context.");
+-
+- ctx->domain = talloc_zero(ctx, struct sss_domain_info);
+- fail_unless(ctx != NULL, "Cannot create domain in simple context.");
+- ctx->domain->case_sensitive = true;
++ errno_t ret;
++ char *conf_db;
++ const char *val[2];
++ val[1] = NULL;
++
++ /* Create tests directory if it doesn't exist */
++ /* (relative to current dir) */
++ ret = mkdir(TESTS_PATH, 0775);
++ fail_if(ret == -1 && errno != EEXIST,
++ "Could not create %s directory", TESTS_PATH);
++
++ fail_unless(test_ctx == NULL, "Simple context already initialized.");
++ test_ctx = talloc_zero(NULL, struct simple_test_ctx);
++ fail_unless(test_ctx != NULL, "Cannot create simple test context.");
++
++ test_ctx->ctx = talloc_zero(test_ctx, struct simple_ctx);
++ fail_unless(test_ctx->ctx != NULL, "Cannot create simple context.");
++
++ conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, TEST_CONF_FILE);
++ fail_if(conf_db == NULL, "Out of memory, aborting!");
++ DEBUG(SSSDBG_TRACE_LIBS, ("CONFDB: %s\n", conf_db));
++
++ /* Connect to the conf db */
++ ret = confdb_init(test_ctx, &test_ctx->confdb, conf_db);
++ fail_if(ret != EOK, "Could not initialize connection to the confdb");
++
++ val[0] = "LOCAL";
++ ret = confdb_add_param(test_ctx->confdb, true,
++ "config/sssd", "domains", val);
++ fail_if(ret != EOK, "Could not initialize domains placeholder");
++
++ val[0] = "local";
++ ret = confdb_add_param(test_ctx->confdb, true,
++ "config/domain/LOCAL", "id_provider", val);
++ fail_if(ret != EOK, "Could not initialize provider");
++
++ val[0] = "TRUE";
++ ret = confdb_add_param(test_ctx->confdb, true,
++ "config/domain/LOCAL", "enumerate", val);
++ fail_if(ret != EOK, "Could not initialize LOCAL domain");
++
++ val[0] = "TRUE";
++ ret = confdb_add_param(test_ctx->confdb, true,
++ "config/domain/LOCAL", "cache_credentials", val);
++ fail_if(ret != EOK, "Could not initialize LOCAL domain");
++
++ ret = sysdb_init_domain_and_sysdb(test_ctx, test_ctx->confdb, "local",
++ TESTS_PATH,
++ &test_ctx->ctx->domain, &test_ctx->ctx->sysdb);
++ fail_if(ret != EOK, "Could not initialize connection to the sysdb (%d)", ret);
++ test_ctx->ctx->domain->case_sensitive = true;
+ }
+
+ void teardown_simple(void)
+ {
+ int ret;
+- fail_unless(ctx != NULL, "Simple context already freed.");
+- ret = talloc_free(ctx);
+- ctx = NULL;
++ fail_unless(test_ctx != NULL, "Simple context already freed.");
++ ret = talloc_free(test_ctx);
++ test_ctx = NULL;
+ fail_unless(ret == 0, "Connot free simple context.");
+ }
+
++void setup_simple_group(void)
++{
++ errno_t ret;
++
++ setup_simple();
++
++ /* Add test users u1 and u2 that would be members of test groups
++ * g1 and g2 respectively */
++ ret = sysdb_store_user(test_ctx->ctx->sysdb,
++ "u1", NULL, 123, 0, "u1", "/home/u1",
++ "/bin/bash", NULL, NULL, NULL, -1, 0);
++ fail_if(ret != EOK, "Could not add u1");
++
++ ret = sysdb_store_user(test_ctx->ctx->sysdb,
++ "u2", NULL, 456, 0, "u1", "/home/u1",
++ "/bin/bash", NULL, NULL, NULL, -1, 0);
++ fail_if(ret != EOK, "Could not add u2");
++
++ ret = sysdb_store_user(test_ctx->ctx->sysdb,
++ "u3", NULL, 789, 0, "u1", "/home/u1",
++ "/bin/bash", NULL, NULL, NULL, -1, 0);
++ fail_if(ret != EOK, "Could not add u3");
++
++ ret = sysdb_add_group(test_ctx->ctx->sysdb,
++ "g1", 321, NULL, 0, 0);
++ fail_if(ret != EOK, "Could not add g1");
++
++ ret = sysdb_add_group(test_ctx->ctx->sysdb,
++ "g2", 654, NULL, 0, 0);
++ fail_if(ret != EOK, "Could not add g2");
++
++ ret = sysdb_add_group_member(test_ctx->ctx->sysdb,
++ "g1", "u1", SYSDB_MEMBER_USER);
++ fail_if(ret != EOK, "Could not add u1 to g1");
++
++ ret = sysdb_add_group_member(test_ctx->ctx->sysdb,
++ "g2", "u2", SYSDB_MEMBER_USER);
++ fail_if(ret != EOK, "Could not add u2 to g2");
++}
++
++void teardown_simple_group(void)
++{
++ errno_t ret;
++
++ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u1", 0);
++ fail_if(ret != EOK, "Could not delete u1");
++ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u2", 0);
++ fail_if(ret != EOK, "Could not delete u2");
++ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u3", 0);
++ fail_if(ret != EOK, "Could not delete u3");
++ ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g1", 0);
++ fail_if(ret != EOK, "Could not delete g1");
++ ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g2", 0);
++ fail_if(ret != EOK, "Could not delete g2");
++
++ teardown_simple();
++}
++
+ START_TEST(test_both_empty)
+ {
+ int ret;
+ bool access_granted = false;
+
+- ctx->allow_users = NULL;
+- ctx->deny_users = NULL;
++ test_ctx->ctx->allow_users = NULL;
++ test_ctx->ctx->deny_users = NULL;
+
+- ret = simple_access_check(ctx, "u1", &access_granted);
++ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == true, "Access denied "
+ "while both lists are empty.");
+@@ -74,15 +187,15 @@ START_TEST(test_allow_empty)
+ int ret;
+ bool access_granted = true;
+
+- ctx->allow_users = NULL;
+- ctx->deny_users = discard_const(ulist_1);
++ test_ctx->ctx->allow_users = NULL;
++ test_ctx->ctx->deny_users = discard_const(ulist_1);
+
+- ret = simple_access_check(ctx, "u1", &access_granted);
++ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == false, "Access granted "
+ "while user is in deny list.");
+
+- ret = simple_access_check(ctx, "u3", &access_granted);
++ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == true, "Access denied "
+ "while user is not in deny list.");
+@@ -94,15 +207,15 @@ START_TEST(test_deny_empty)
+ int ret;
+ bool access_granted = false;
+
+- ctx->allow_users = discard_const(ulist_1);
+- ctx->deny_users = NULL;
++ test_ctx->ctx->allow_users = discard_const(ulist_1);
++ test_ctx->ctx->deny_users = NULL;
+
+- ret = simple_access_check(ctx, "u1", &access_granted);
++ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == true, "Access denied "
+ "while user is in allow list.");
+
+- ret = simple_access_check(ctx, "u3", &access_granted);
++ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == false, "Access granted "
+ "while user is not in allow list.");
+@@ -114,15 +227,15 @@ START_TEST(test_both_set)
+ int ret;
+ bool access_granted = false;
+
+- ctx->allow_users = discard_const(ulist_1);
+- ctx->deny_users = discard_const(ulist_1);
++ test_ctx->ctx->allow_users = discard_const(ulist_1);
++ test_ctx->ctx->deny_users = discard_const(ulist_1);
+
+- ret = simple_access_check(ctx, "u1", &access_granted);
++ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == false, "Access granted "
+ "while user is in deny list.");
+
+- ret = simple_access_check(ctx, "u3", &access_granted);
++ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == false, "Access granted "
+ "while user is not in allow list.");
+@@ -134,18 +247,18 @@ START_TEST(test_case)
+ int ret;
+ bool access_granted = false;
+
+- ctx->allow_users = discard_const(ulist_1);
+- ctx->deny_users = NULL;
++ test_ctx->ctx->allow_users = discard_const(ulist_1);
++ test_ctx->ctx->deny_users = NULL;
+
+- ret = simple_access_check(ctx, "U1", &access_granted);
++ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == false, "Access granted "
+ "for user with different case "
+ "in case-sensitive domain");
+
+- ctx->domain->case_sensitive = false;
++ test_ctx->ctx->domain->case_sensitive = false;
+
+- ret = simple_access_check(ctx, "U1", &access_granted);
++ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == true, "Access denied "
+ "for user with different case "
+@@ -153,11 +266,95 @@ START_TEST(test_case)
+ }
+ END_TEST
+
++START_TEST(test_group_allow_empty)
++{
++ int ret;
++ bool access_granted = true;
++
++ test_ctx->ctx->allow_groups = NULL;
++ test_ctx->ctx->deny_groups = discard_const(glist_1);
++
++ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
++ fail_unless(ret == EOK, "access_simple_check failed.");
++ fail_unless(access_granted == false, "Access granted "
++ "while group is in deny list.");
++
++ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
++ fail_unless(ret == EOK, "access_simple_check failed.");
++ fail_unless(access_granted == true, "Access denied "
++ "while group is not in deny list.");
++}
++END_TEST
++
++START_TEST(test_group_deny_empty)
++{
++ int ret;
++ bool access_granted = false;
++
++ test_ctx->ctx->allow_groups = discard_const(glist_1);
++ test_ctx->ctx->deny_groups = NULL;
++
++ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
++ fail_unless(ret == EOK, "access_simple_check failed.");
++ fail_unless(access_granted == true, "Access denied "
++ "while group is in allow list.");
++
++ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
++ fail_unless(ret == EOK, "access_simple_check failed.");
++ fail_unless(access_granted == false, "Access granted "
++ "while group is not in allow list.");
++}
++END_TEST
++
++START_TEST(test_group_both_set)
++{
++ int ret;
++ bool access_granted = false;
++
++ test_ctx->ctx->allow_groups = discard_const(ulist_1);
++ test_ctx->ctx->deny_groups = discard_const(ulist_1);
++
++ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
++ fail_unless(ret == EOK, "access_simple_check failed.");
++ fail_unless(access_granted == false, "Access granted "
++ "while group is in deny list.");
++
++ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
++ fail_unless(ret == EOK, "access_simple_check failed.");
++ fail_unless(access_granted == false, "Access granted "
++ "while group is not in allow list.");
++}
++END_TEST
++
++START_TEST(test_group_case)
++{
++ int ret;
++ bool access_granted = false;
++
++ test_ctx->ctx->allow_groups = discard_const(ulist_1);
++ test_ctx->ctx->deny_groups = NULL;
++
++ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
++ fail_unless(ret == EOK, "access_simple_check failed.");
++ fail_unless(access_granted == false, "Access granted "
++ "for group with different case "
++ "in case-sensitive domain");
++
++ test_ctx->ctx->domain->case_sensitive = false;
++
++ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
++ fail_unless(ret == EOK, "access_simple_check failed.");
++ fail_unless(access_granted == true, "Access denied "
++ "for group with different case "
++ "in case-insensitive domain");
++}
++END_TEST
++
+ Suite *access_simple_suite (void)
+ {
+ Suite *s = suite_create("access_simple");
+
+- TCase *tc_allow_deny = tcase_create("allow/deny");
++ TCase *tc_allow_deny = tcase_create("user allow/deny");
+ tcase_add_checked_fixture(tc_allow_deny, setup_simple, teardown_simple);
+ tcase_add_test(tc_allow_deny, test_both_empty);
+ tcase_add_test(tc_allow_deny, test_allow_empty);
+@@ -166,6 +363,15 @@ Suite *access_simple_suite (void)
+ tcase_add_test(tc_allow_deny, test_case);
+ suite_add_tcase(s, tc_allow_deny);
+
++ TCase *tc_grp_allow_deny = tcase_create("group allow/deny");
++ tcase_add_checked_fixture(tc_grp_allow_deny,
++ setup_simple_group, teardown_simple_group);
++ tcase_add_test(tc_grp_allow_deny, test_group_allow_empty);
++ tcase_add_test(tc_grp_allow_deny, test_group_deny_empty);
++ tcase_add_test(tc_grp_allow_deny, test_group_both_set);
++ tcase_add_test(tc_grp_allow_deny, test_group_case);
++ suite_add_tcase(s, tc_grp_allow_deny);
++
+ return s;
+ }
+
+@@ -174,6 +380,7 @@ int main(int argc, const char *argv[])
+ int opt;
+ poptContext pc;
+ int number_failed;
++ int ret;
+
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+@@ -205,6 +412,20 @@ int main(int argc, const char *argv[])
+ srunner_run_all(sr, CK_ENV);
+ number_failed = srunner_ntests_failed(sr);
+ srunner_free(sr);
++
++ ret = unlink(TESTS_PATH"/"TEST_CONF_FILE);
++ if (ret != EOK) {
++ fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n",
++ errno, strerror(errno));
++ return EXIT_FAILURE;
++ }
++ ret = unlink(TESTS_PATH"/"LOCAL_SYSDB_FILE);
++ if (ret != EOK) {
++ fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n",
++ errno, strerror(errno));
++ return EXIT_FAILURE;
++ }
++
+ return (number_failed==0 ? EXIT_SUCCESS : EXIT_FAILURE);
+ }
+
diff --git a/debian/patches/cve-2013-0287-3.diff b/debian/patches/cve-2013-0287-3.diff
new file mode 100644
index 0000000..3c9fa5b
--- /dev/null
+++ b/debian/patches/cve-2013-0287-3.diff
@@ -0,0 +1,35 @@
+commit 26590d31f492dbbd36be6d0bde46a4bd3b221edb
+Author: Jakub Hrozek <jhrozek at redhat.com>
+Date: Mon Mar 4 16:37:04 2013 +0100
+
+ Do not compile main() in DP if UNIT_TESTING is defined
+
+ The simple access provider unit tests now need to link against the Data
+ Provider when they start using the be_file_account_request() function.
+ But then we would start having conflicts as at least the main()
+ functions would clash.
+
+ If UNIT_TESTING is defined, then the data_provider_be.c module does not
+ contain the main() function and can be linked against directly from
+ another module that contains its own main() function
+
+diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
+index f85a04d..33590ae 100644
+--- a/src/providers/data_provider_be.c
++++ b/src/providers/data_provider_be.c
+@@ -2651,6 +2651,7 @@ fail:
+ return ret;
+ }
+
++#ifndef UNIT_TESTING
+ int main(int argc, const char *argv[])
+ {
+ int opt;
+@@ -2732,6 +2733,7 @@ int main(int argc, const char *argv[])
+
+ return 0;
+ }
++#endif
+
+ static int data_provider_res_init(DBusMessage *message,
+ struct sbus_connection *conn)
diff --git a/debian/patches/cve-2013-0287-4.diff b/debian/patches/cve-2013-0287-4.diff
new file mode 100644
index 0000000..7c3d965
--- /dev/null
+++ b/debian/patches/cve-2013-0287-4.diff
@@ -0,0 +1,1613 @@
+commit 8b8019fe3dd1564fba657e219ec20ff816c7ffdb
+Author: Jakub Hrozek <jhrozek at redhat.com>
+Date: Sat Feb 23 10:44:54 2013 +0100
+
+ Resolve GIDs in the simple access provider
+
+ Changes the simple access provider's interface to be asynchronous. When
+ the simple access provider encounters a group that has gid, but no
+ meaningful name, it attempts to resolve the name using the
+ be_file_account_request function.
+
+ Some providers (like the AD provider) might perform initgroups
+ without resolving the group names. In order for the simple access
+ provider to work correctly, we need to resolve the groups before
+ performing the access check. In AD provider, the situation is
+ even more tricky b/c the groups HAVE name, but their name
+ attribute is set to SID and they are set as non-POSIX
+
+diff --git a/Makefile.am b/Makefile.am
+index dc0465a..eea535e 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1008,14 +1008,22 @@ ad_ldap_opt_tests_LDADD = \
+ simple_access_tests_SOURCES = \
+ src/tests/simple_access-tests.c \
+ src/tests/common.c \
+- src/providers/simple/simple_access.c
++ src/providers/simple/simple_access_check.c \
++ src/providers/data_provider_be.c \
++ src/providers/data_provider_fo.c \
++ src/providers/data_provider_callbacks.c \
++ $(SSSD_FAILOVER_OBJ)
+ simple_access_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+- $(CHECK_CFLAGS)
++ $(CHECK_CFLAGS) \
++ -DUNIT_TESTING
+ simple_access_tests_LDADD = \
+ $(SSSD_LIBS) \
++ $(CARES_LIBS) \
+ $(CHECK_LIBS) \
+- libsss_util.la
++ $(PAM_LIBS) \
++ libsss_util.la \
++ libsss_test_common.la
+
+ util_tests_SOURCES = \
+ src/tests/util-tests.c
+@@ -1347,7 +1355,8 @@ libsss_proxy_la_LDFLAGS = \
+ -module
+
+ libsss_simple_la_SOURCES = \
+- src/providers/simple/simple_access.c
++ src/providers/simple/simple_access.c \
++ src/providers/simple/simple_access_check.c
+ libsss_simple_la_CFLAGS = \
+ $(AM_CFLAGS)
+ libsss_simple_la_LIBADD = \
+diff --git a/src/providers/simple/simple_access.c b/src/providers/simple/simple_access.c
+index 70d1f07..d53a04b 100644
+--- a/src/providers/simple/simple_access.c
++++ b/src/providers/simple/simple_access.c
+@@ -35,227 +35,52 @@
+ #define CONFDB_SIMPLE_ALLOW_GROUPS "simple_allow_groups"
+ #define CONFDB_SIMPLE_DENY_GROUPS "simple_deny_groups"
+
+-errno_t simple_access_check(struct simple_ctx *ctx, const char *username,
+- bool *access_granted)
+-{
+- int i, j;
+- errno_t ret;
+- TALLOC_CTX *tmp_ctx = NULL;
+- const char *user_attrs[] = { SYSDB_MEMBEROF,
+- SYSDB_GIDNUM,
+- NULL };
+- const char *group_attrs[] = { SYSDB_NAME,
+- NULL };
+- struct ldb_message *msg;
+- struct ldb_message_element *el;
+- char **groups;
+- const char *primary_group;
+- gid_t gid;
+- bool matched;
+- bool cs = ctx->domain->case_sensitive;
+-
+- *access_granted = false;
+-
+- /* First, check whether the user is in the allowed users list */
+- if (ctx->allow_users != NULL) {
+- for(i = 0; ctx->allow_users[i] != NULL; i++) {
+- if (sss_string_equal(cs, username, ctx->allow_users[i])) {
+- DEBUG(9, ("User [%s] found in allow list, access granted.\n",
+- username));
+-
+- /* Do not return immediately on explicit allow
+- * We need to make sure none of the user's groups
+- * are denied.
+- */
+- *access_granted = true;
+- }
+- }
+- } else if (!ctx->allow_groups) {
+- /* If neither allow rule is in place, we'll assume allowed
+- * unless a deny rule disables us below.
+- */
+- *access_granted = true;
+- }
++static void simple_access_check(struct tevent_req *req);
+
+- /* Next check whether this user has been specifically denied */
+- if (ctx->deny_users != NULL) {
+- for(i = 0; ctx->deny_users[i] != NULL; i++) {
+- if (sss_string_equal(cs, username, ctx->deny_users[i])) {
+- DEBUG(9, ("User [%s] found in deny list, access denied.\n",
+- username));
+-
+- /* Return immediately on explicit denial */
+- *access_granted = false;
+- return EOK;
+- }
+- }
+- }
++void simple_access_handler(struct be_req *be_req)
++{
++ struct be_ctx *be_ctx = be_req->be_ctx;
++ struct pam_data *pd;
++ struct tevent_req *req;
++ struct simple_ctx *ctx;
+
+- if (!ctx->allow_groups && !ctx->deny_groups) {
+- /* There are no group restrictions, so just return
+- * here with whatever we've decided.
+- */
+- return EOK;
+- }
++ pd = talloc_get_type(be_req->req_data, struct pam_data);
+
+- /* Now get a list of this user's groups and check those against the
+- * simple_allow_groups list.
+- */
+- tmp_ctx = talloc_new(NULL);
+- if (!tmp_ctx) {
+- ret = ENOMEM;
+- goto done;
+- }
++ pd->pam_status = PAM_SYSTEM_ERR;
+
+- ret = sysdb_search_user_by_name(tmp_ctx, ctx->sysdb,
+- username, user_attrs, &msg);
+- if (ret != EOK) {
+- DEBUG(1, ("Could not look up username [%s]: [%d][%s]\n",
+- username, ret, strerror(ret)));
++ if (pd->cmd != SSS_PAM_ACCT_MGMT) {
++ DEBUG(4, ("simple access does not handles pam task %d.\n", pd->cmd));
++ pd->pam_status = PAM_MODULE_UNKNOWN;
+ goto done;
+ }
+
+- /* Construct a list of the user's groups */
+- el = ldb_msg_find_element(msg, SYSDB_MEMBEROF);
+- if (el && el->num_values) {
+- /* Get the groups from the memberOf entries
+- * Allocate the array with room for both the NULL
+- * terminator and the primary group
+- */
+- groups = talloc_array(tmp_ctx, char *, el->num_values + 2);
+- if (!groups) {
+- ret = ENOMEM;
+- goto done;
+- }
+-
+- for (j = 0; j < el->num_values; j++) {
+- ret = sysdb_group_dn_name(
+- ctx->sysdb, tmp_ctx,
+- (char *)el->values[j].data,
+- &groups[j]);
+- if (ret != EOK) {
+- goto done;
+- }
+- }
+- } else {
+- /* User is not a member of any groups except primary */
+- groups = talloc_array(tmp_ctx, char *, 2);
+- if (!groups) {
+- ret = ENOMEM;
+- goto done;
+- }
+- j = 0;
+- }
++ ctx = talloc_get_type(be_req->be_ctx->bet_info[BET_ACCESS].pvt_bet_data,
++ struct simple_ctx);
+
+- /* Get the user's primary group */
+- gid = ldb_msg_find_attr_as_uint64(msg, SYSDB_GIDNUM, 0);
+- if (!gid) {
+- ret = EINVAL;
++ req = simple_access_check_send(be_req, be_ctx->ev, ctx, pd->user);
++ if (!req) {
++ pd->pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
+- talloc_zfree(msg);
+-
+- ret = sysdb_search_group_by_gid(tmp_ctx, ctx->sysdb,
+- gid, group_attrs, &msg);
+- if (ret != EOK) {
+- DEBUG(1, ("Could not look up primary group [%lu]: [%d][%s]\n",
+- gid, ret, strerror(ret)));
+- /* We have to treat this as non-fatal, because the primary
+- * group may be local to the machine and not available in
+- * our ID provider.
+- */
+- } else {
+- primary_group = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+- if (!primary_group) {
+- ret = EINVAL;
+- goto done;
+- }
+-
+- groups[j] = talloc_strdup(tmp_ctx, primary_group);
+- if (!groups[j]) {
+- ret = ENOMEM;
+- goto done;
+- }
+- j++;
+-
+- talloc_zfree(msg);
+- }
+-
+- groups[j] = NULL;
+-
+- /* Now process allow and deny group rules
+- * If access was already granted above, we'll skip
+- * this redundant rule check
+- */
+- if (ctx->allow_groups && !*access_granted) {
+- matched = false;
+- for (i = 0; ctx->allow_groups[i]; i++) {
+- for(j = 0; groups[j]; j++) {
+- if (sss_string_equal(cs, groups[j], ctx->allow_groups[i])) {
+- matched = true;
+- break;
+- }
+- }
+-
+- /* If any group has matched, we can skip out on the
+- * processing early
+- */
+- if (matched) {
+- *access_granted = true;
+- break;
+- }
+- }
+- }
+-
+- /* Finally, process the deny group rules */
+- if (ctx->deny_groups) {
+- matched = false;
+- for (i = 0; ctx->deny_groups[i]; i++) {
+- for(j = 0; groups[j]; j++) {
+- if (sss_string_equal(cs, groups[j], ctx->deny_groups[i])) {
+- matched = true;
+- break;
+- }
+- }
+-
+- /* If any group has matched, we can skip out on the
+- * processing early
+- */
+- if (matched) {
+- *access_granted = false;
+- break;
+- }
+- }
+- }
+-
+- ret = EOK;
++ tevent_req_set_callback(req, simple_access_check, be_req);
++ return;
+
+ done:
+- talloc_free(tmp_ctx);
+- return ret;
More information about the Pkg-sssd-devel
mailing list