[Pkg-sssd-devel] sssd: Changes to 'ubuntu'
Timo Aaltonen
tjaalton-guest at alioth.debian.org
Wed Apr 17 18:23:40 UTC 2013
debian/changelog | 31
debian/libnss-sss.postrm | 15
debian/libsss-sudo.postrm | 16
debian/patches/cve-2013-0287-1.diff | 230 +++++
debian/patches/cve-2013-0287-2.diff | 408 +++++++++
debian/patches/cve-2013-0287-3.diff | 35
debian/patches/cve-2013-0287-4.diff | 1613 ++++++++++++++++++++++++++++++++++++
debian/patches/fix-linking.diff | 10
debian/patches/series | 6
9 files changed, 2345 insertions(+), 19 deletions(-)
New commits:
commit c371e82a2063013a6915edc6de77f9fff3535703
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date: Wed Apr 17 17:42:35 2013 +0300
update the changelog
diff --git a/debian/changelog b/debian/changelog
index 0485b43..55e236f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ sssd (1.9.4-0ubuntu4) raring; urgency=low
- cve-2013-0287-*.diff: Patches from upstream stable tree to fix
CVE-2013-0287 (versions 1.9.0 and up)
- libsss-sudo.postrm: Run ldconfig on remove/purge
+ - fix-linking.diff: simple_access_tests need -ldl.
-- Timo Aaltonen <tjaalton at ubuntu.com> Wed, 17 Apr 2013 11:44:29 +0300
commit 8be25dc6d1e2e79743381585854ea67d442cd2d3
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date: Wed Apr 17 17:19:22 2013 +0300
fix-linking.diff: simple_access_tests need -ldl.
diff --git a/debian/changelog b/debian/changelog
index 38e8084..45e1c2d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -44,6 +44,7 @@ sssd (1.9.4-1) UNRELEASED; urgency=low
* cve-2013-0287-*.diff: Patches from upstream stable tree to fix
CVE-2013-0287 (versions 1.9.0 and up).
* libsss-sudo.postrm: Run ldconfig on remove/purge.
+ * fix-linking.diff: simple_access_tests need -ldl.
[ Stéphane Graber ]
* Add postinst/postrm script for libsss-sudo. Those will add a "sudoers"
diff --git a/debian/patches/fix-linking.diff b/debian/patches/fix-linking.diff
new file mode 100644
index 0000000..2067105
--- /dev/null
+++ b/debian/patches/fix-linking.diff
@@ -0,0 +1,10 @@
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1022,6 +1022,7 @@ simple_access_tests_LDADD = \
+ $(CARES_LIBS) \
+ $(CHECK_LIBS) \
+ $(PAM_LIBS) \
++ -ldl \
+ libsss_util.la \
+ libsss_test_common.la
+
diff --git a/debian/patches/series b/debian/patches/series
index 4de20b8..64e60c9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ cve-2013-0287-1.diff
cve-2013-0287-2.diff
cve-2013-0287-3.diff
cve-2013-0287-4.diff
+fix-linking.diff
commit ad3285daed1aa8c0c573c40545942447cc22dec7
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date: Wed Apr 17 12:04:06 2013 +0300
release to raring
diff --git a/debian/changelog b/debian/changelog
index a81d857..fe9ab4d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+sssd (1.9.4-0ubuntu4) raring; urgency=low
+
+ * Merge from unreleased debian git
+ - cve-2013-0287-*.diff: Patches from upstream stable tree to fix
+ CVE-2013-0287 (versions 1.9.0 and up)
+ - libsss-sudo.postrm: Run ldconfig on remove/purge
+
+ -- Timo Aaltonen <tjaalton at ubuntu.com> Wed, 17 Apr 2013 11:44:29 +0300
+
sssd (1.9.4-0ubuntu3) raring; urgency=low
* sssd.dirs: Add krb5 include dir.
commit 7e955c0942e6b76de04d4a16f86868e9eb24aef7
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date: Wed Apr 10 10:11:40 2013 +0300
libsss-sudo.postrm: Run ldconfig on remove/purge.
diff --git a/debian/changelog b/debian/changelog
index 8454e43..38e8084 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -43,6 +43,7 @@ sssd (1.9.4-1) UNRELEASED; urgency=low
* fix-cve-2013-0219*.diff, -0220.diff: Dropped, included upstream.
* cve-2013-0287-*.diff: Patches from upstream stable tree to fix
CVE-2013-0287 (versions 1.9.0 and up).
+ * libsss-sudo.postrm: Run ldconfig on remove/purge.
[ Stéphane Graber ]
* Add postinst/postrm script for libsss-sudo. Those will add a "sudoers"
diff --git a/debian/libsss-sudo.postrm b/debian/libsss-sudo.postrm
index 18e7ead..fbcf104 100644
--- a/debian/libsss-sudo.postrm
+++ b/debian/libsss-sudo.postrm
@@ -27,6 +27,7 @@ remove_nss_entry() {
case "$1" in
remove|purge)
remove_nss_entry
+ ldconfig
;;
upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
;;
commit 697c5a6e53cc2a6e32dbc9b62e8adb45d25eda79
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date: Wed Apr 10 10:10:48 2013 +0300
fix lib{nss-sss,sss-sudo}.postrm to use 'case'
diff --git a/debian/libnss-sss.postrm b/debian/libnss-sss.postrm
index baae1b1..84873db 100755
--- a/debian/libnss-sss.postrm
+++ b/debian/libnss-sss.postrm
@@ -24,8 +24,15 @@ remove_nss_entry() {
' /etc/nsswitch.conf
}
-action="$1"
+case "$1" in
+ remove|purge)
+ remove_nss_entry
+ ;;
+ upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ ;;
-if [ "$action" = remove ]; then
- remove_nss_entry
-fi
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
diff --git a/debian/libsss-sudo.postrm b/debian/libsss-sudo.postrm
index aaeb4de..18e7ead 100644
--- a/debian/libsss-sudo.postrm
+++ b/debian/libsss-sudo.postrm
@@ -24,8 +24,15 @@ remove_nss_entry() {
' /etc/nsswitch.conf
}
-action="$1"
+case "$1" in
+ remove|purge)
+ remove_nss_entry
+ ;;
+ upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ ;;
-if [ "$action" = remove ]; then
- remove_nss_entry
-fi
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
commit ae9efb25d843f5b242c380943d0301e0cec1b33e
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date: Mon Apr 8 17:44:02 2013 +0300
cve-2013-0287-*.diff: Patches from upstream stable tree to fix CVE-2013-0287 (versions 1.9.0 and up).
diff --git a/debian/changelog b/debian/changelog
index bb7c635..8454e43 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -41,6 +41,8 @@ sssd (1.9.4-1) UNRELEASED; urgency=low
correctly substituted. (LP: #1079938)
* sssd.dirs: Add krb5 include dir.
* fix-cve-2013-0219*.diff, -0220.diff: Dropped, included upstream.
+ * cve-2013-0287-*.diff: Patches from upstream stable tree to fix
+ CVE-2013-0287 (versions 1.9.0 and up).
[ Stéphane Graber ]
* Add postinst/postrm script for libsss-sudo. Those will add a "sudoers"
diff --git a/debian/patches/cve-2013-0287-1.diff b/debian/patches/cve-2013-0287-1.diff
new file mode 100644
index 0000000..f8eff05
--- /dev/null
+++ b/debian/patches/cve-2013-0287-1.diff
@@ -0,0 +1,230 @@
+commit b63830b142053f99bfe954d4be5a2b0f68ce3a93
+Author: Jakub Hrozek <jhrozek at redhat.com>
+Date: Fri Feb 22 11:01:38 2013 +0100
+
+ Provide a be_get_account_info_send function
+
+ In order to resolve group names in the simple access provider we need to
+ contact the Data Provider in a generic fashion from the access provider.
+ We can't call any particular implementation (like sdap_generic_send())
+ because we have no idea what kind of provider is configured as the
+ id_provider.
+
+ This patch splits introduces the be_file_account_request() function into
+ the data_provider_be module and makes it public.
+
+ A future patch should make the be_get_account_info function use the
+ be_get_account_info_send function.
+
+diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
+index b261bf8..f85a04d 100644
+--- a/src/providers/data_provider_be.c
++++ b/src/providers/data_provider_be.c
+@@ -717,6 +717,34 @@ static errno_t be_initgroups_prereq(struct be_req *be_req)
+ }
+
+ static errno_t
++be_file_account_request(struct be_req *be_req, struct be_acct_req *ar)
++{
++ errno_t ret;
++ struct be_ctx *be_ctx = be_req->be_ctx;
++
++ be_req->req_data = ar;
++
++ /* see if we need a pre request call, only done for initgroups for now */
++ if ((ar->entry_type & 0xFF) == BE_REQ_INITGROUPS) {
++ ret = be_initgroups_prereq(be_req);
++ if (ret) {
++ DEBUG(SSSDBG_CRIT_FAILURE, ("Prerequest failed"));
++ return ret;
++ }
++ }
++
++ /* process request */
++ ret = be_file_request(be_ctx, be_req,
++ be_ctx->bet_info[BET_ID].bet_ops->handler);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to file request"));
++ return ret;
++ }
++
++ return EOK;
++}
++
++static errno_t
+ split_name_extended(TALLOC_CTX *mem_ctx,
+ const char *filter,
+ char **name,
+@@ -742,6 +770,110 @@ split_name_extended(TALLOC_CTX *mem_ctx,
+ return EOK;
+ }
+
++static void
++be_get_account_info_done(struct be_req *be_req,
++ int dp_err, int dp_ret,
++ const char *errstr);
++
++struct be_get_account_info_state {
++ int err_maj;
++ int err_min;
++ const char *err_msg;
++};
++
++struct tevent_req *
++be_get_account_info_send(TALLOC_CTX *mem_ctx,
++ struct tevent_context *ev,
++ struct be_client *becli,
++ struct be_ctx *be_ctx,
++ struct be_acct_req *ar)
++{
++ struct tevent_req *req;
++ struct be_get_account_info_state *state;
++ struct be_req *be_req;
++ errno_t ret;
++
++ req = tevent_req_create(mem_ctx, &state,
++ struct be_get_account_info_state);
++ if (!req) return NULL;
++
++ be_req = talloc_zero(mem_ctx, struct be_req);
++ if (be_req == NULL) {
++ ret = ENOMEM;
++ goto done;
++ }
++
++ be_req->becli = becli;
++ be_req->be_ctx = be_ctx;
++ be_req->fn = be_get_account_info_done;
++ be_req->pvt = req;
++
++ ret = be_file_account_request(be_req, ar);
++ if (ret != EOK) {
++ goto done;
++ }
++
++ return req;
++
++done:
++ tevent_req_error(req, ret);
++ tevent_req_post(req, ev);
++ return req;
++}
++
++static void
++be_get_account_info_done(struct be_req *be_req,
++ int dp_err, int dp_ret,
++ const char *errstr)
++{
++ struct tevent_req *req;
++ struct be_get_account_info_state *state;
++
++ req = talloc_get_type(be_req->pvt, struct tevent_req);
++ state = tevent_req_data(req, struct be_get_account_info_state);
++
++ state->err_maj = dp_err;
++ state->err_min = dp_ret;
++ if (errstr) {
++ state->err_msg = talloc_strdup(state, errstr);
++ if (state->err_msg == NULL) {
++ talloc_free(be_req);
++ tevent_req_error(req, ENOMEM);
++ return;
++ }
++ }
++
++ talloc_free(be_req);
++ tevent_req_done(req);
++}
++
++errno_t be_get_account_info_recv(struct tevent_req *req,
++ TALLOC_CTX *mem_ctx,
++ int *_err_maj,
++ int *_err_min,
++ const char **_err_msg)
++{
++ struct be_get_account_info_state *state;
++
++ state = tevent_req_data(req, struct be_get_account_info_state);
++
++ TEVENT_REQ_RETURN_ON_ERROR(req);
++
++ if (_err_maj) {
++ *_err_maj = state->err_maj;
++ }
++
++ if (_err_min) {
++ *_err_min = state->err_min;
++ }
++
++ if (_err_msg) {
++ *_err_msg = talloc_steal(mem_ctx, state->err_msg);
++ }
++
++ return EOK;
++}
++
+ static int be_get_account_info(DBusMessage *message, struct sbus_connection *conn)
+ {
+ struct be_acct_req *req;
+@@ -845,8 +977,6 @@ static int be_get_account_info(DBusMessage *message, struct sbus_connection *con
+ goto done;
+ }
+
+- be_req->req_data = req;
+-
+ if ((attr_type != BE_ATTR_CORE) &&
+ (attr_type != BE_ATTR_MEM) &&
+ (attr_type != BE_ATTR_ALL)) {
+@@ -893,26 +1023,11 @@ static int be_get_account_info(DBusMessage *message, struct sbus_connection *con
+ goto done;
+ }
+
+- /* see if we need a pre request call, only done for initgroups for now */
+- if ((type & 0xFF) == BE_REQ_INITGROUPS) {
+- ret = be_initgroups_prereq(be_req);
+- if (ret) {
+- err_maj = DP_ERR_FATAL;
+- err_min = ret;
+- err_msg = "Prerequest failed";
+- goto done;
+- }
+- }
+-
+- /* process request */
+-
+- ret = be_file_request(becli->bectx->bet_info[BET_ID].pvt_bet_data,
+- be_req,
+- becli->bectx->bet_info[BET_ID].bet_ops->handler);
++ ret = be_file_account_request(be_req, req);
+ if (ret != EOK) {
+ err_maj = DP_ERR_FATAL;
+ err_min = ret;
+- err_msg = "Failed to file request";
++ err_msg = "Cannot file account request";
+ goto done;
+ }
+
+diff --git a/src/providers/dp_backend.h b/src/providers/dp_backend.h
+index 58a9b74..743b6f4 100644
+--- a/src/providers/dp_backend.h
++++ b/src/providers/dp_backend.h
+@@ -258,4 +258,19 @@ int be_fo_run_callbacks_at_next_request(struct be_ctx *ctx,
+ const char *service_name);
+
+ void reset_fo(struct be_ctx *be_ctx);
++
++/* Request account information */
++struct tevent_req *
++be_get_account_info_send(TALLOC_CTX *mem_ctx,
++ struct tevent_context *ev,
++ struct be_client *becli,
++ struct be_ctx *be_ctx,
++ struct be_acct_req *ar);
++
++errno_t be_get_account_info_recv(struct tevent_req *req,
++ TALLOC_CTX *mem_ctx,
++ int *_err_maj,
++ int *_err_min,
++ const char **_err_msg);
++
+ #endif /* __DP_BACKEND_H___ */
diff --git a/debian/patches/cve-2013-0287-2.diff b/debian/patches/cve-2013-0287-2.diff
new file mode 100644
index 0000000..b6339e1
--- /dev/null
+++ b/debian/patches/cve-2013-0287-2.diff
@@ -0,0 +1,408 @@
+commit 754b09b5444e6da88ed58d6deaed8b815e268b6b
+Author: Jakub Hrozek <jhrozek at redhat.com>
+Date: Sun Mar 3 21:43:44 2013 +0100
+
+ Add unit tests for simple access test by groups
+
+ I realized that the current unit tests for the simple access provider
+ only tested the user directives. To have a baseline and be able to
+ detect new bugs in the upcoming patch, I implemented unit tests for the
+ group lists, too.
+
+diff --git a/src/tests/simple_access-tests.c b/src/tests/simple_access-tests.c
+index c61814e..577c6d3 100644
+--- a/src/tests/simple_access-tests.c
++++ b/src/tests/simple_access-tests.c
+@@ -30,39 +30,152 @@
+ #include "providers/simple/simple_access.h"
+ #include "tests/common.h"
+
++#define TESTS_PATH "tests_simple_access"
++#define TEST_CONF_FILE "tests_conf.ldb"
++
+ const char *ulist_1[] = {"u1", "u2", NULL};
++const char *glist_1[] = {"g1", "g2", NULL};
++
++struct simple_test_ctx *test_ctx = NULL;
++
++struct simple_test_ctx {
++ struct sysdb_ctx *sysdb;
++ struct confdb_ctx *confdb;
+
+-struct simple_ctx *ctx = NULL;
++ struct simple_ctx *ctx;
++};
+
+ void setup_simple(void)
+ {
+- fail_unless(ctx == NULL, "Simple context already initialized.");
+- ctx = talloc_zero(NULL, struct simple_ctx);
+- fail_unless(ctx != NULL, "Cannot create simple context.");
+-
+- ctx->domain = talloc_zero(ctx, struct sss_domain_info);
+- fail_unless(ctx != NULL, "Cannot create domain in simple context.");
+- ctx->domain->case_sensitive = true;
++ errno_t ret;
++ char *conf_db;
++ const char *val[2];
++ val[1] = NULL;
++
++ /* Create tests directory if it doesn't exist */
++ /* (relative to current dir) */
++ ret = mkdir(TESTS_PATH, 0775);
++ fail_if(ret == -1 && errno != EEXIST,
++ "Could not create %s directory", TESTS_PATH);
++
++ fail_unless(test_ctx == NULL, "Simple context already initialized.");
++ test_ctx = talloc_zero(NULL, struct simple_test_ctx);
++ fail_unless(test_ctx != NULL, "Cannot create simple test context.");
++
++ test_ctx->ctx = talloc_zero(test_ctx, struct simple_ctx);
++ fail_unless(test_ctx->ctx != NULL, "Cannot create simple context.");
++
++ conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, TEST_CONF_FILE);
++ fail_if(conf_db == NULL, "Out of memory, aborting!");
++ DEBUG(SSSDBG_TRACE_LIBS, ("CONFDB: %s\n", conf_db));
++
++ /* Connect to the conf db */
++ ret = confdb_init(test_ctx, &test_ctx->confdb, conf_db);
++ fail_if(ret != EOK, "Could not initialize connection to the confdb");
++
++ val[0] = "LOCAL";
++ ret = confdb_add_param(test_ctx->confdb, true,
++ "config/sssd", "domains", val);
++ fail_if(ret != EOK, "Could not initialize domains placeholder");
++
++ val[0] = "local";
++ ret = confdb_add_param(test_ctx->confdb, true,
++ "config/domain/LOCAL", "id_provider", val);
++ fail_if(ret != EOK, "Could not initialize provider");
++
++ val[0] = "TRUE";
++ ret = confdb_add_param(test_ctx->confdb, true,
++ "config/domain/LOCAL", "enumerate", val);
++ fail_if(ret != EOK, "Could not initialize LOCAL domain");
++
++ val[0] = "TRUE";
++ ret = confdb_add_param(test_ctx->confdb, true,
++ "config/domain/LOCAL", "cache_credentials", val);
++ fail_if(ret != EOK, "Could not initialize LOCAL domain");
++
++ ret = sysdb_init_domain_and_sysdb(test_ctx, test_ctx->confdb, "local",
++ TESTS_PATH,
++ &test_ctx->ctx->domain, &test_ctx->ctx->sysdb);
++ fail_if(ret != EOK, "Could not initialize connection to the sysdb (%d)", ret);
++ test_ctx->ctx->domain->case_sensitive = true;
+ }
+
+ void teardown_simple(void)
+ {
+ int ret;
+- fail_unless(ctx != NULL, "Simple context already freed.");
+- ret = talloc_free(ctx);
+- ctx = NULL;
++ fail_unless(test_ctx != NULL, "Simple context already freed.");
++ ret = talloc_free(test_ctx);
++ test_ctx = NULL;
+ fail_unless(ret == 0, "Connot free simple context.");
+ }
+
++void setup_simple_group(void)
++{
++ errno_t ret;
++
++ setup_simple();
++
++ /* Add test users u1 and u2 that would be members of test groups
++ * g1 and g2 respectively */
++ ret = sysdb_store_user(test_ctx->ctx->sysdb,
++ "u1", NULL, 123, 0, "u1", "/home/u1",
++ "/bin/bash", NULL, NULL, NULL, -1, 0);
++ fail_if(ret != EOK, "Could not add u1");
++
++ ret = sysdb_store_user(test_ctx->ctx->sysdb,
++ "u2", NULL, 456, 0, "u1", "/home/u1",
++ "/bin/bash", NULL, NULL, NULL, -1, 0);
++ fail_if(ret != EOK, "Could not add u2");
++
++ ret = sysdb_store_user(test_ctx->ctx->sysdb,
++ "u3", NULL, 789, 0, "u1", "/home/u1",
++ "/bin/bash", NULL, NULL, NULL, -1, 0);
++ fail_if(ret != EOK, "Could not add u3");
++
++ ret = sysdb_add_group(test_ctx->ctx->sysdb,
++ "g1", 321, NULL, 0, 0);
++ fail_if(ret != EOK, "Could not add g1");
++
++ ret = sysdb_add_group(test_ctx->ctx->sysdb,
++ "g2", 654, NULL, 0, 0);
++ fail_if(ret != EOK, "Could not add g2");
++
++ ret = sysdb_add_group_member(test_ctx->ctx->sysdb,
++ "g1", "u1", SYSDB_MEMBER_USER);
++ fail_if(ret != EOK, "Could not add u1 to g1");
++
++ ret = sysdb_add_group_member(test_ctx->ctx->sysdb,
++ "g2", "u2", SYSDB_MEMBER_USER);
++ fail_if(ret != EOK, "Could not add u2 to g2");
++}
++
++void teardown_simple_group(void)
++{
++ errno_t ret;
++
++ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u1", 0);
++ fail_if(ret != EOK, "Could not delete u1");
++ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u2", 0);
++ fail_if(ret != EOK, "Could not delete u2");
++ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u3", 0);
++ fail_if(ret != EOK, "Could not delete u3");
++ ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g1", 0);
++ fail_if(ret != EOK, "Could not delete g1");
++ ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g2", 0);
++ fail_if(ret != EOK, "Could not delete g2");
++
++ teardown_simple();
++}
++
+ START_TEST(test_both_empty)
+ {
+ int ret;
+ bool access_granted = false;
+
+- ctx->allow_users = NULL;
+- ctx->deny_users = NULL;
++ test_ctx->ctx->allow_users = NULL;
++ test_ctx->ctx->deny_users = NULL;
+
+- ret = simple_access_check(ctx, "u1", &access_granted);
++ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == true, "Access denied "
+ "while both lists are empty.");
+@@ -74,15 +187,15 @@ START_TEST(test_allow_empty)
+ int ret;
+ bool access_granted = true;
+
+- ctx->allow_users = NULL;
+- ctx->deny_users = discard_const(ulist_1);
++ test_ctx->ctx->allow_users = NULL;
++ test_ctx->ctx->deny_users = discard_const(ulist_1);
+
+- ret = simple_access_check(ctx, "u1", &access_granted);
++ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == false, "Access granted "
+ "while user is in deny list.");
+
+- ret = simple_access_check(ctx, "u3", &access_granted);
++ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == true, "Access denied "
+ "while user is not in deny list.");
+@@ -94,15 +207,15 @@ START_TEST(test_deny_empty)
+ int ret;
+ bool access_granted = false;
+
+- ctx->allow_users = discard_const(ulist_1);
+- ctx->deny_users = NULL;
++ test_ctx->ctx->allow_users = discard_const(ulist_1);
++ test_ctx->ctx->deny_users = NULL;
+
+- ret = simple_access_check(ctx, "u1", &access_granted);
++ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == true, "Access denied "
+ "while user is in allow list.");
+
+- ret = simple_access_check(ctx, "u3", &access_granted);
++ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == false, "Access granted "
+ "while user is not in allow list.");
+@@ -114,15 +227,15 @@ START_TEST(test_both_set)
+ int ret;
+ bool access_granted = false;
+
+- ctx->allow_users = discard_const(ulist_1);
+- ctx->deny_users = discard_const(ulist_1);
++ test_ctx->ctx->allow_users = discard_const(ulist_1);
++ test_ctx->ctx->deny_users = discard_const(ulist_1);
+
+- ret = simple_access_check(ctx, "u1", &access_granted);
++ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == false, "Access granted "
+ "while user is in deny list.");
+
+- ret = simple_access_check(ctx, "u3", &access_granted);
++ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == false, "Access granted "
+ "while user is not in allow list.");
+@@ -134,18 +247,18 @@ START_TEST(test_case)
+ int ret;
+ bool access_granted = false;
+
+- ctx->allow_users = discard_const(ulist_1);
+- ctx->deny_users = NULL;
++ test_ctx->ctx->allow_users = discard_const(ulist_1);
++ test_ctx->ctx->deny_users = NULL;
+
+- ret = simple_access_check(ctx, "U1", &access_granted);
++ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == false, "Access granted "
+ "for user with different case "
+ "in case-sensitive domain");
+
+- ctx->domain->case_sensitive = false;
++ test_ctx->ctx->domain->case_sensitive = false;
+
+- ret = simple_access_check(ctx, "U1", &access_granted);
++ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == true, "Access denied "
+ "for user with different case "
+@@ -153,11 +266,95 @@ START_TEST(test_case)
+ }
+ END_TEST
+
++START_TEST(test_group_allow_empty)
++{
++ int ret;
++ bool access_granted = true;
++
++ test_ctx->ctx->allow_groups = NULL;
++ test_ctx->ctx->deny_groups = discard_const(glist_1);
++
++ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
++ fail_unless(ret == EOK, "access_simple_check failed.");
++ fail_unless(access_granted == false, "Access granted "
++ "while group is in deny list.");
++
++ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
++ fail_unless(ret == EOK, "access_simple_check failed.");
++ fail_unless(access_granted == true, "Access denied "
++ "while group is not in deny list.");
++}
++END_TEST
++
++START_TEST(test_group_deny_empty)
++{
++ int ret;
++ bool access_granted = false;
++
++ test_ctx->ctx->allow_groups = discard_const(glist_1);
++ test_ctx->ctx->deny_groups = NULL;
++
++ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
++ fail_unless(ret == EOK, "access_simple_check failed.");
++ fail_unless(access_granted == true, "Access denied "
++ "while group is in allow list.");
++
++ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
++ fail_unless(ret == EOK, "access_simple_check failed.");
++ fail_unless(access_granted == false, "Access granted "
++ "while group is not in allow list.");
++}
++END_TEST
++
++START_TEST(test_group_both_set)
++{
++ int ret;
++ bool access_granted = false;
++
++ test_ctx->ctx->allow_groups = discard_const(ulist_1);
++ test_ctx->ctx->deny_groups = discard_const(ulist_1);
++
++ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
++ fail_unless(ret == EOK, "access_simple_check failed.");
++ fail_unless(access_granted == false, "Access granted "
++ "while group is in deny list.");
++
++ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
++ fail_unless(ret == EOK, "access_simple_check failed.");
++ fail_unless(access_granted == false, "Access granted "
++ "while group is not in allow list.");
++}
++END_TEST
++
++START_TEST(test_group_case)
++{
++ int ret;
++ bool access_granted = false;
++
++ test_ctx->ctx->allow_groups = discard_const(ulist_1);
++ test_ctx->ctx->deny_groups = NULL;
++
++ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
++ fail_unless(ret == EOK, "access_simple_check failed.");
++ fail_unless(access_granted == false, "Access granted "
++ "for group with different case "
++ "in case-sensitive domain");
++
++ test_ctx->ctx->domain->case_sensitive = false;
++
++ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
++ fail_unless(ret == EOK, "access_simple_check failed.");
++ fail_unless(access_granted == true, "Access denied "
++ "for group with different case "
++ "in case-insensitive domain");
++}
++END_TEST
++
+ Suite *access_simple_suite (void)
+ {
+ Suite *s = suite_create("access_simple");
+
+- TCase *tc_allow_deny = tcase_create("allow/deny");
++ TCase *tc_allow_deny = tcase_create("user allow/deny");
+ tcase_add_checked_fixture(tc_allow_deny, setup_simple, teardown_simple);
+ tcase_add_test(tc_allow_deny, test_both_empty);
+ tcase_add_test(tc_allow_deny, test_allow_empty);
+@@ -166,6 +363,15 @@ Suite *access_simple_suite (void)
+ tcase_add_test(tc_allow_deny, test_case);
+ suite_add_tcase(s, tc_allow_deny);
+
++ TCase *tc_grp_allow_deny = tcase_create("group allow/deny");
++ tcase_add_checked_fixture(tc_grp_allow_deny,
++ setup_simple_group, teardown_simple_group);
++ tcase_add_test(tc_grp_allow_deny, test_group_allow_empty);
++ tcase_add_test(tc_grp_allow_deny, test_group_deny_empty);
++ tcase_add_test(tc_grp_allow_deny, test_group_both_set);
++ tcase_add_test(tc_grp_allow_deny, test_group_case);
++ suite_add_tcase(s, tc_grp_allow_deny);
++
+ return s;
+ }
+
+@@ -174,6 +380,7 @@ int main(int argc, const char *argv[])
+ int opt;
+ poptContext pc;
+ int number_failed;
++ int ret;
+
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+@@ -205,6 +412,20 @@ int main(int argc, const char *argv[])
+ srunner_run_all(sr, CK_ENV);
+ number_failed = srunner_ntests_failed(sr);
+ srunner_free(sr);
++
++ ret = unlink(TESTS_PATH"/"TEST_CONF_FILE);
++ if (ret != EOK) {
++ fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n",
++ errno, strerror(errno));
++ return EXIT_FAILURE;
++ }
++ ret = unlink(TESTS_PATH"/"LOCAL_SYSDB_FILE);
++ if (ret != EOK) {
++ fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n",
++ errno, strerror(errno));
++ return EXIT_FAILURE;
++ }
++
+ return (number_failed==0 ? EXIT_SUCCESS : EXIT_FAILURE);
+ }
+
diff --git a/debian/patches/cve-2013-0287-3.diff b/debian/patches/cve-2013-0287-3.diff
new file mode 100644
index 0000000..3c9fa5b
--- /dev/null
+++ b/debian/patches/cve-2013-0287-3.diff
@@ -0,0 +1,35 @@
+commit 26590d31f492dbbd36be6d0bde46a4bd3b221edb
+Author: Jakub Hrozek <jhrozek at redhat.com>
+Date: Mon Mar 4 16:37:04 2013 +0100
+
+ Do not compile main() in DP if UNIT_TESTING is defined
+
+ The simple access provider unit tests now need to link against the Data
+ Provider when they start using the be_file_account_request() function.
+ But then we would start having conflicts as at least the main()
+ functions would clash.
+
+ If UNIT_TESTING is defined, then the data_provider_be.c module does not
+ contain the main() function and can be linked against directly from
+ another module that contains its own main() function
+
+diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
+index f85a04d..33590ae 100644
+--- a/src/providers/data_provider_be.c
++++ b/src/providers/data_provider_be.c
+@@ -2651,6 +2651,7 @@ fail:
+ return ret;
+ }
+
++#ifndef UNIT_TESTING
+ int main(int argc, const char *argv[])
+ {
+ int opt;
+@@ -2732,6 +2733,7 @@ int main(int argc, const char *argv[])
+
+ return 0;
+ }
++#endif
+
+ static int data_provider_res_init(DBusMessage *message,
+ struct sbus_connection *conn)
diff --git a/debian/patches/cve-2013-0287-4.diff b/debian/patches/cve-2013-0287-4.diff
new file mode 100644
index 0000000..7c3d965
--- /dev/null
+++ b/debian/patches/cve-2013-0287-4.diff
@@ -0,0 +1,1613 @@
+commit 8b8019fe3dd1564fba657e219ec20ff816c7ffdb
+Author: Jakub Hrozek <jhrozek at redhat.com>
+Date: Sat Feb 23 10:44:54 2013 +0100
+
+ Resolve GIDs in the simple access provider
+
+ Changes the simple access provider's interface to be asynchronous. When
+ the simple access provider encounters a group that has gid, but no
+ meaningful name, it attempts to resolve the name using the
+ be_file_account_request function.
+
+ Some providers (like the AD provider) might perform initgroups
+ without resolving the group names. In order for the simple access
+ provider to work correctly, we need to resolve the groups before
+ performing the access check. In AD provider, the situation is
+ even more tricky b/c the groups HAVE name, but their name
+ attribute is set to SID and they are set as non-POSIX
+
+diff --git a/Makefile.am b/Makefile.am
+index dc0465a..eea535e 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1008,14 +1008,22 @@ ad_ldap_opt_tests_LDADD = \
+ simple_access_tests_SOURCES = \
+ src/tests/simple_access-tests.c \
+ src/tests/common.c \
+- src/providers/simple/simple_access.c
++ src/providers/simple/simple_access_check.c \
++ src/providers/data_provider_be.c \
++ src/providers/data_provider_fo.c \
++ src/providers/data_provider_callbacks.c \
++ $(SSSD_FAILOVER_OBJ)
+ simple_access_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+- $(CHECK_CFLAGS)
++ $(CHECK_CFLAGS) \
++ -DUNIT_TESTING
+ simple_access_tests_LDADD = \
+ $(SSSD_LIBS) \
++ $(CARES_LIBS) \
+ $(CHECK_LIBS) \
+- libsss_util.la
++ $(PAM_LIBS) \
++ libsss_util.la \
++ libsss_test_common.la
+
+ util_tests_SOURCES = \
+ src/tests/util-tests.c
+@@ -1347,7 +1355,8 @@ libsss_proxy_la_LDFLAGS = \
+ -module
+
+ libsss_simple_la_SOURCES = \
+- src/providers/simple/simple_access.c
++ src/providers/simple/simple_access.c \
++ src/providers/simple/simple_access_check.c
+ libsss_simple_la_CFLAGS = \
+ $(AM_CFLAGS)
+ libsss_simple_la_LIBADD = \
+diff --git a/src/providers/simple/simple_access.c b/src/providers/simple/simple_access.c
+index 70d1f07..d53a04b 100644
+--- a/src/providers/simple/simple_access.c
++++ b/src/providers/simple/simple_access.c
+@@ -35,227 +35,52 @@
+ #define CONFDB_SIMPLE_ALLOW_GROUPS "simple_allow_groups"
+ #define CONFDB_SIMPLE_DENY_GROUPS "simple_deny_groups"
+
+-errno_t simple_access_check(struct simple_ctx *ctx, const char *username,
+- bool *access_granted)
+-{
+- int i, j;
+- errno_t ret;
+- TALLOC_CTX *tmp_ctx = NULL;
+- const char *user_attrs[] = { SYSDB_MEMBEROF,
+- SYSDB_GIDNUM,
+- NULL };
+- const char *group_attrs[] = { SYSDB_NAME,
+- NULL };
+- struct ldb_message *msg;
+- struct ldb_message_element *el;
+- char **groups;
+- const char *primary_group;
+- gid_t gid;
+- bool matched;
+- bool cs = ctx->domain->case_sensitive;
+-
+- *access_granted = false;
+-
+- /* First, check whether the user is in the allowed users list */
+- if (ctx->allow_users != NULL) {
+- for(i = 0; ctx->allow_users[i] != NULL; i++) {
+- if (sss_string_equal(cs, username, ctx->allow_users[i])) {
+- DEBUG(9, ("User [%s] found in allow list, access granted.\n",
+- username));
+-
+- /* Do not return immediately on explicit allow
+- * We need to make sure none of the user's groups
+- * are denied.
+- */
+- *access_granted = true;
More information about the Pkg-sssd-devel
mailing list