[Pkg-sssd-devel] sssd: Changes to 'debian-unstable'

Timo Aaltonen tjaalton-guest at alioth.debian.org
Fri Apr 26 12:57:42 UTC 2013


 Makefile.am                                |   25 
 configure.ac                               |    3 
 contrib/sssd.spec.in                       |    2 
 debian/changelog                           |    4 
 debian/patches/cve-2013-0287-1.diff        |  230 --
 debian/patches/cve-2013-0287-2.diff        |  408 ---
 debian/patches/cve-2013-0287-3.diff        |   35 
 debian/patches/cve-2013-0287-4.diff        | 1613 --------------
 debian/patches/series                      |    4 
 po/bg.po                                   |   10 
 po/ca.po                                   |  641 +++--
 po/de.po                                   |   10 
 po/es.po                                   |   89 
 po/eu.po                                   |    8 
 po/fr.po                                   |   43 
 po/hu.po                                   |   45 
 po/id.po                                   |    6 
 po/it.po                                   |    8 
 po/ja.po                                   |   39 
 po/nb.po                                   |    8 
 po/nl.po                                   |   47 
 po/pl.po                                   |   38 
 po/pt.po                                   |    6 
 po/ru.po                                   |   10 
 po/sssd.pot                                |    4 
 po/sv.po                                   |   14 
 po/tg.po                                   |    6 
 po/tr.po                                   |   10 
 po/uk.po                                   |   40 
 po/zh_CN.po                                |   13 
 po/zh_TW.po                                |    6 
 src/confdb/confdb.c                        |   11 
 src/config/etc/sssd.api.d/sssd-ad.conf     |    1 
 src/config/etc/sssd.api.d/sssd-ipa.conf    |    1 
 src/config/etc/sssd.api.d/sssd-ldap.conf   |    1 
 src/db/sysdb.c                             |   10 
 src/db/sysdb.h                             |    2 
 src/external/krb5.m4                       |    2 
 src/man/po/br.po                           |  793 +++----
 src/man/po/ca.po                           |  884 +++----
 src/man/po/cs.po                           |  785 +++----
 src/man/po/es.po                           | 1206 +++-------
 src/man/po/eu.po                           |  785 +++----
 src/man/po/fr.po                           | 3216 ++++++++++++++++++-----------
 src/man/po/ja.po                           | 1111 +++-------
 src/man/po/lv.po                           |  807 +++----
 src/man/po/nl.po                           |  793 +++----
 src/man/po/pt.po                           |  829 +++----
 src/man/po/ru.po                           |  789 +++----
 src/man/po/sssd-docs.pot                   |  765 +++---
 src/man/po/tg.po                           |  787 +++----
 src/man/po/uk.po                           | 1244 +++++------
 src/man/po/zh_CN.po                        |  791 +++----
 src/man/sssd-ad.5.xml                      |   14 
 src/man/sssd-ldap.5.xml                    |   32 
 src/man/sssd.conf.5.xml                    |    7 
 src/providers/ad/ad_opts.h                 |    1 
 src/providers/data_provider_be.c           |  155 +
 src/providers/dp_backend.h                 |   15 
 src/providers/ipa/ipa_opts.h               |    1 
 src/providers/ipa/ipa_s2n_exop.c           |    1 
 src/providers/ipa/ipa_subdomains.c         |   26 
 src/providers/krb5/krb5_auth.c             |   12 
 src/providers/krb5/krb5_utils.c            |  115 -
 src/providers/ldap/ldap_id.c               |   39 
 src/providers/ldap/ldap_opts.h             |    1 
 src/providers/ldap/sdap.c                  |    8 
 src/providers/ldap/sdap.h                  |    1 
 src/providers/ldap/sdap_async.c            |    4 
 src/providers/ldap/sdap_async_groups.c     |   26 
 src/providers/ldap/sdap_async_initgroups.c |   17 
 src/providers/ldap/sdap_async_private.h    |   10 
 src/providers/ldap/sdap_async_users.c      |   91 
 src/providers/ldap/sdap_users.h            |   43 
 src/providers/simple/simple_access.c       |  228 --
 src/providers/simple/simple_access.h       |   11 
 src/providers/simple/simple_access_check.c |  716 ++++++
 src/responder/autofs/autofssrv_cmd.c       |    6 
 src/responder/nss/nsssrv_cmd.c             |   11 
 src/responder/nss/nsssrv_mmap_cache.c      |   66 
 src/responder/pac/pacsrv_utils.c           |    2 
 src/responder/pam/pamsrv.h                 |    6 
 src/responder/pam/pamsrv_cmd.c             |   35 
 src/responder/pam/pamsrv_dp.c              |   41 
 src/tests/krb5_utils-tests.c               |    2 
 src/tests/simple_access-tests.c            |  524 ++++
 src/tools/files.c                          |   10 
 src/util/sss_krb5.c                        |    8 
 src/util/sss_nss.c                         |   14 
 src/util/sss_nss.h                         |    2 
 version.m4                                 |    2 
 91 files changed, 10798 insertions(+), 10543 deletions(-)

New commits:
commit 3b95cbd16700c34df4fcc7344d4dedec4df9f62f
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date:   Fri Apr 26 14:57:25 2013 +0300

    bump version, drop patches

diff --git a/debian/changelog b/debian/changelog
index 45e1c2d..9b18402 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-sssd (1.9.4-1) UNRELEASED; urgency=low
+sssd (1.9.5-1) UNRELEASED; urgency=low
 
   [ Timo Aaltonen ]
   * New upstream release 1.9.4.
@@ -41,8 +41,6 @@ sssd (1.9.4-1) UNRELEASED; urgency=low
     correctly substituted. (LP: #1079938)
   * sssd.dirs: Add krb5 include dir.
   * fix-cve-2013-0219*.diff, -0220.diff: Dropped, included upstream.
-  * cve-2013-0287-*.diff: Patches from upstream stable tree to fix
-    CVE-2013-0287 (versions 1.9.0 and up).
   * libsss-sudo.postrm: Run ldconfig on remove/purge.
   * fix-linking.diff: simple_access_tests need -ldl.
 
diff --git a/debian/patches/cve-2013-0287-1.diff b/debian/patches/cve-2013-0287-1.diff
deleted file mode 100644
index f8eff05..0000000
--- a/debian/patches/cve-2013-0287-1.diff
+++ /dev/null
@@ -1,230 +0,0 @@
-commit b63830b142053f99bfe954d4be5a2b0f68ce3a93
-Author: Jakub Hrozek <jhrozek at redhat.com>
-Date:   Fri Feb 22 11:01:38 2013 +0100
-
-    Provide a be_get_account_info_send function
-    
-    In order to resolve group names in the simple access provider we need to
-    contact the Data Provider in a generic fashion from the access provider.
-    We can't call any particular implementation (like sdap_generic_send())
-    because we have no idea what kind of provider is configured as the
-    id_provider.
-    
-    This patch splits introduces the be_file_account_request() function into
-    the data_provider_be module and makes it public.
-    
-    A future patch should make the be_get_account_info function use the
-    be_get_account_info_send function.
-
-diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
-index b261bf8..f85a04d 100644
---- a/src/providers/data_provider_be.c
-+++ b/src/providers/data_provider_be.c
-@@ -717,6 +717,34 @@ static errno_t be_initgroups_prereq(struct be_req *be_req)
- }
- 
- static errno_t
-+be_file_account_request(struct be_req *be_req, struct be_acct_req *ar)
-+{
-+    errno_t ret;
-+    struct be_ctx *be_ctx = be_req->be_ctx;
-+
-+    be_req->req_data = ar;
-+
-+    /* see if we need a pre request call, only done for initgroups for now */
-+    if ((ar->entry_type & 0xFF) == BE_REQ_INITGROUPS) {
-+        ret = be_initgroups_prereq(be_req);
-+        if (ret) {
-+            DEBUG(SSSDBG_CRIT_FAILURE, ("Prerequest failed"));
-+            return ret;
-+        }
-+    }
-+
-+    /* process request */
-+    ret = be_file_request(be_ctx, be_req,
-+                          be_ctx->bet_info[BET_ID].bet_ops->handler);
-+    if (ret != EOK) {
-+        DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to file request"));
-+        return ret;
-+    }
-+
-+    return EOK;
-+}
-+
-+static errno_t
- split_name_extended(TALLOC_CTX *mem_ctx,
-                     const char *filter,
-                     char **name,
-@@ -742,6 +770,110 @@ split_name_extended(TALLOC_CTX *mem_ctx,
-     return EOK;
- }
- 
-+static void
-+be_get_account_info_done(struct be_req *be_req,
-+                         int dp_err, int dp_ret,
-+                         const char *errstr);
-+
-+struct be_get_account_info_state {
-+    int err_maj;
-+    int err_min;
-+    const char *err_msg;
-+};
-+
-+struct tevent_req *
-+be_get_account_info_send(TALLOC_CTX *mem_ctx,
-+                         struct tevent_context *ev,
-+                         struct be_client *becli,
-+                         struct be_ctx *be_ctx,
-+                         struct be_acct_req *ar)
-+{
-+    struct tevent_req *req;
-+    struct be_get_account_info_state *state;
-+    struct be_req *be_req;
-+    errno_t ret;
-+
-+    req = tevent_req_create(mem_ctx, &state,
-+                            struct be_get_account_info_state);
-+    if (!req) return NULL;
-+
-+    be_req = talloc_zero(mem_ctx, struct be_req);
-+    if (be_req == NULL) {
-+        ret = ENOMEM;
-+        goto done;
-+    }
-+
-+    be_req->becli = becli;
-+    be_req->be_ctx = be_ctx;
-+    be_req->fn = be_get_account_info_done;
-+    be_req->pvt = req;
-+
-+    ret = be_file_account_request(be_req, ar);
-+    if (ret != EOK) {
-+        goto done;
-+    }
-+
-+    return req;
-+
-+done:
-+    tevent_req_error(req, ret);
-+    tevent_req_post(req, ev);
-+    return req;
-+}
-+
-+static void
-+be_get_account_info_done(struct be_req *be_req,
-+                         int dp_err, int dp_ret,
-+                         const char *errstr)
-+{
-+    struct tevent_req *req;
-+    struct be_get_account_info_state *state;
-+
-+    req = talloc_get_type(be_req->pvt, struct tevent_req);
-+    state = tevent_req_data(req, struct be_get_account_info_state);
-+
-+    state->err_maj = dp_err;
-+    state->err_min = dp_ret;
-+    if (errstr) {
-+        state->err_msg = talloc_strdup(state, errstr);
-+        if (state->err_msg == NULL) {
-+            talloc_free(be_req);
-+            tevent_req_error(req, ENOMEM);
-+            return;
-+        }
-+    }
-+
-+    talloc_free(be_req);
-+    tevent_req_done(req);
-+}
-+
-+errno_t be_get_account_info_recv(struct tevent_req *req,
-+                                 TALLOC_CTX *mem_ctx,
-+                                 int *_err_maj,
-+                                 int *_err_min,
-+                                 const char **_err_msg)
-+{
-+    struct be_get_account_info_state *state;
-+
-+    state = tevent_req_data(req, struct be_get_account_info_state);
-+
-+    TEVENT_REQ_RETURN_ON_ERROR(req);
-+
-+    if (_err_maj) {
-+        *_err_maj = state->err_maj;
-+    }
-+
-+    if (_err_min) {
-+        *_err_min = state->err_min;
-+    }
-+
-+    if (_err_msg) {
-+        *_err_msg = talloc_steal(mem_ctx, state->err_msg);
-+    }
-+
-+    return EOK;
-+}
-+
- static int be_get_account_info(DBusMessage *message, struct sbus_connection *conn)
- {
-     struct be_acct_req *req;
-@@ -845,8 +977,6 @@ static int be_get_account_info(DBusMessage *message, struct sbus_connection *con
-         goto done;
-     }
- 
--    be_req->req_data = req;
--
-     if ((attr_type != BE_ATTR_CORE) &&
-         (attr_type != BE_ATTR_MEM) &&
-         (attr_type != BE_ATTR_ALL)) {
-@@ -893,26 +1023,11 @@ static int be_get_account_info(DBusMessage *message, struct sbus_connection *con
-         goto done;
-     }
- 
--    /* see if we need a pre request call, only done for initgroups for now */
--    if ((type & 0xFF) == BE_REQ_INITGROUPS) {
--        ret = be_initgroups_prereq(be_req);
--        if (ret) {
--            err_maj = DP_ERR_FATAL;
--            err_min = ret;
--            err_msg = "Prerequest failed";
--            goto done;
--        }
--    }
--
--    /* process request */
--
--    ret = be_file_request(becli->bectx->bet_info[BET_ID].pvt_bet_data,
--                          be_req,
--                          becli->bectx->bet_info[BET_ID].bet_ops->handler);
-+    ret = be_file_account_request(be_req, req);
-     if (ret != EOK) {
-         err_maj = DP_ERR_FATAL;
-         err_min = ret;
--        err_msg = "Failed to file request";
-+        err_msg = "Cannot file account request";
-         goto done;
-     }
- 
-diff --git a/src/providers/dp_backend.h b/src/providers/dp_backend.h
-index 58a9b74..743b6f4 100644
---- a/src/providers/dp_backend.h
-+++ b/src/providers/dp_backend.h
-@@ -258,4 +258,19 @@ int be_fo_run_callbacks_at_next_request(struct be_ctx *ctx,
-                                         const char *service_name);
- 
- void reset_fo(struct be_ctx *be_ctx);
-+
-+/* Request account information */
-+struct tevent_req *
-+be_get_account_info_send(TALLOC_CTX *mem_ctx,
-+                         struct tevent_context *ev,
-+                         struct be_client *becli,
-+                         struct be_ctx *be_ctx,
-+                         struct be_acct_req *ar);
-+
-+errno_t be_get_account_info_recv(struct tevent_req *req,
-+                                 TALLOC_CTX *mem_ctx,
-+                                 int *_err_maj,
-+                                 int *_err_min,
-+                                 const char **_err_msg);
-+
- #endif /* __DP_BACKEND_H___ */
diff --git a/debian/patches/cve-2013-0287-2.diff b/debian/patches/cve-2013-0287-2.diff
deleted file mode 100644
index b6339e1..0000000
--- a/debian/patches/cve-2013-0287-2.diff
+++ /dev/null
@@ -1,408 +0,0 @@
-commit 754b09b5444e6da88ed58d6deaed8b815e268b6b
-Author: Jakub Hrozek <jhrozek at redhat.com>
-Date:   Sun Mar 3 21:43:44 2013 +0100
-
-    Add unit tests for simple access test by groups
-    
-    I realized that the current unit tests for the simple access provider
-    only tested the user directives. To have a baseline and be able to
-    detect new bugs in the upcoming patch, I implemented unit tests for the
-    group lists, too.
-
-diff --git a/src/tests/simple_access-tests.c b/src/tests/simple_access-tests.c
-index c61814e..577c6d3 100644
---- a/src/tests/simple_access-tests.c
-+++ b/src/tests/simple_access-tests.c
-@@ -30,39 +30,152 @@
- #include "providers/simple/simple_access.h"
- #include "tests/common.h"
- 
-+#define TESTS_PATH "tests_simple_access"
-+#define TEST_CONF_FILE "tests_conf.ldb"
-+
- const char *ulist_1[] = {"u1", "u2", NULL};
-+const char *glist_1[] = {"g1", "g2", NULL};
-+
-+struct simple_test_ctx *test_ctx = NULL;
-+
-+struct simple_test_ctx {
-+    struct sysdb_ctx *sysdb;
-+    struct confdb_ctx *confdb;
- 
--struct simple_ctx *ctx = NULL;
-+    struct simple_ctx *ctx;
-+};
- 
- void setup_simple(void)
- {
--    fail_unless(ctx == NULL, "Simple context already initialized.");
--    ctx = talloc_zero(NULL, struct simple_ctx);
--    fail_unless(ctx != NULL, "Cannot create simple context.");
--
--    ctx->domain = talloc_zero(ctx, struct sss_domain_info);
--    fail_unless(ctx != NULL, "Cannot create domain in simple context.");
--    ctx->domain->case_sensitive = true;
-+    errno_t ret;
-+    char *conf_db;
-+    const char *val[2];
-+    val[1] = NULL;
-+
-+    /* Create tests directory if it doesn't exist */
-+    /* (relative to current dir) */
-+    ret = mkdir(TESTS_PATH, 0775);
-+    fail_if(ret == -1 && errno != EEXIST,
-+            "Could not create %s directory", TESTS_PATH);
-+
-+    fail_unless(test_ctx == NULL, "Simple context already initialized.");
-+    test_ctx = talloc_zero(NULL, struct simple_test_ctx);
-+    fail_unless(test_ctx != NULL, "Cannot create simple test context.");
-+
-+    test_ctx->ctx = talloc_zero(test_ctx, struct simple_ctx);
-+    fail_unless(test_ctx->ctx != NULL, "Cannot create simple context.");
-+
-+    conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, TEST_CONF_FILE);
-+    fail_if(conf_db == NULL, "Out of memory, aborting!");
-+    DEBUG(SSSDBG_TRACE_LIBS, ("CONFDB: %s\n", conf_db));
-+
-+    /* Connect to the conf db */
-+    ret = confdb_init(test_ctx, &test_ctx->confdb, conf_db);
-+    fail_if(ret != EOK, "Could not initialize connection to the confdb");
-+
-+    val[0] = "LOCAL";
-+    ret = confdb_add_param(test_ctx->confdb, true,
-+                           "config/sssd", "domains", val);
-+    fail_if(ret != EOK, "Could not initialize domains placeholder");
-+
-+    val[0] = "local";
-+    ret = confdb_add_param(test_ctx->confdb, true,
-+                           "config/domain/LOCAL", "id_provider", val);
-+    fail_if(ret != EOK, "Could not initialize provider");
-+
-+    val[0] = "TRUE";
-+    ret = confdb_add_param(test_ctx->confdb, true,
-+                           "config/domain/LOCAL", "enumerate", val);
-+    fail_if(ret != EOK, "Could not initialize LOCAL domain");
-+
-+    val[0] = "TRUE";
-+    ret = confdb_add_param(test_ctx->confdb, true,
-+                           "config/domain/LOCAL", "cache_credentials", val);
-+    fail_if(ret != EOK, "Could not initialize LOCAL domain");
-+
-+    ret = sysdb_init_domain_and_sysdb(test_ctx, test_ctx->confdb, "local",
-+                                      TESTS_PATH,
-+                                      &test_ctx->ctx->domain, &test_ctx->ctx->sysdb);
-+    fail_if(ret != EOK, "Could not initialize connection to the sysdb (%d)", ret);
-+    test_ctx->ctx->domain->case_sensitive = true;
- }
- 
- void teardown_simple(void)
- {
-     int ret;
--    fail_unless(ctx != NULL, "Simple context already freed.");
--    ret = talloc_free(ctx);
--    ctx = NULL;
-+    fail_unless(test_ctx != NULL, "Simple context already freed.");
-+    ret = talloc_free(test_ctx);
-+    test_ctx = NULL;
-     fail_unless(ret == 0, "Connot free simple context.");
- }
- 
-+void setup_simple_group(void)
-+{
-+    errno_t ret;
-+
-+    setup_simple();
-+
-+    /* Add test users u1 and u2 that would be members of test groups
-+     * g1 and g2 respectively */
-+    ret = sysdb_store_user(test_ctx->ctx->sysdb,
-+                           "u1", NULL, 123, 0, "u1", "/home/u1",
-+                           "/bin/bash", NULL, NULL, NULL, -1, 0);
-+    fail_if(ret != EOK, "Could not add u1");
-+
-+    ret = sysdb_store_user(test_ctx->ctx->sysdb,
-+                           "u2", NULL, 456, 0, "u1", "/home/u1",
-+                           "/bin/bash", NULL, NULL, NULL, -1, 0);
-+    fail_if(ret != EOK, "Could not add u2");
-+
-+    ret = sysdb_store_user(test_ctx->ctx->sysdb,
-+                           "u3", NULL, 789, 0, "u1", "/home/u1",
-+                           "/bin/bash", NULL, NULL, NULL, -1, 0);
-+    fail_if(ret != EOK, "Could not add u3");
-+
-+    ret = sysdb_add_group(test_ctx->ctx->sysdb,
-+                          "g1", 321, NULL, 0, 0);
-+    fail_if(ret != EOK, "Could not add g1");
-+
-+    ret = sysdb_add_group(test_ctx->ctx->sysdb,
-+                          "g2", 654, NULL, 0, 0);
-+    fail_if(ret != EOK, "Could not add g2");
-+
-+    ret = sysdb_add_group_member(test_ctx->ctx->sysdb,
-+                                 "g1", "u1", SYSDB_MEMBER_USER);
-+    fail_if(ret != EOK, "Could not add u1 to g1");
-+
-+    ret = sysdb_add_group_member(test_ctx->ctx->sysdb,
-+                                 "g2", "u2", SYSDB_MEMBER_USER);
-+    fail_if(ret != EOK, "Could not add u2 to g2");
-+}
-+
-+void teardown_simple_group(void)
-+{
-+    errno_t ret;
-+
-+    ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u1", 0);
-+    fail_if(ret != EOK, "Could not delete u1");
-+    ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u2", 0);
-+    fail_if(ret != EOK, "Could not delete u2");
-+    ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u3", 0);
-+    fail_if(ret != EOK, "Could not delete u3");
-+    ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g1", 0);
-+    fail_if(ret != EOK, "Could not delete g1");
-+    ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g2", 0);
-+    fail_if(ret != EOK, "Could not delete g2");
-+
-+    teardown_simple();
-+}
-+
- START_TEST(test_both_empty)
- {
-     int ret;
-     bool access_granted = false;
- 
--    ctx->allow_users = NULL;
--    ctx->deny_users = NULL;
-+    test_ctx->ctx->allow_users = NULL;
-+    test_ctx->ctx->deny_users = NULL;
- 
--    ret = simple_access_check(ctx, "u1", &access_granted);
-+    ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
-     fail_unless(ret == EOK, "access_simple_check failed.");
-     fail_unless(access_granted == true, "Access denied "
-                                         "while both lists are empty.");
-@@ -74,15 +187,15 @@ START_TEST(test_allow_empty)
-     int ret;
-     bool access_granted = true;
- 
--    ctx->allow_users = NULL;
--    ctx->deny_users = discard_const(ulist_1);
-+    test_ctx->ctx->allow_users = NULL;
-+    test_ctx->ctx->deny_users = discard_const(ulist_1);
- 
--    ret = simple_access_check(ctx, "u1", &access_granted);
-+    ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
-     fail_unless(ret == EOK, "access_simple_check failed.");
-     fail_unless(access_granted == false, "Access granted "
-                                          "while user is in deny list.");
- 
--    ret = simple_access_check(ctx, "u3", &access_granted);
-+    ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
-     fail_unless(ret == EOK, "access_simple_check failed.");
-     fail_unless(access_granted == true, "Access denied "
-                                          "while user is not in deny list.");
-@@ -94,15 +207,15 @@ START_TEST(test_deny_empty)
-     int ret;
-     bool access_granted = false;
- 
--    ctx->allow_users = discard_const(ulist_1);
--    ctx->deny_users = NULL;
-+    test_ctx->ctx->allow_users = discard_const(ulist_1);
-+    test_ctx->ctx->deny_users = NULL;
- 
--    ret = simple_access_check(ctx, "u1", &access_granted);
-+    ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
-     fail_unless(ret == EOK, "access_simple_check failed.");
-     fail_unless(access_granted == true, "Access denied "
-                                         "while user is in allow list.");
- 
--    ret = simple_access_check(ctx, "u3", &access_granted);
-+    ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
-     fail_unless(ret == EOK, "access_simple_check failed.");
-     fail_unless(access_granted == false, "Access granted "
-                                         "while user is not in allow list.");
-@@ -114,15 +227,15 @@ START_TEST(test_both_set)
-     int ret;
-     bool access_granted = false;
- 
--    ctx->allow_users = discard_const(ulist_1);
--    ctx->deny_users = discard_const(ulist_1);
-+    test_ctx->ctx->allow_users = discard_const(ulist_1);
-+    test_ctx->ctx->deny_users = discard_const(ulist_1);
- 
--    ret = simple_access_check(ctx, "u1", &access_granted);
-+    ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
-     fail_unless(ret == EOK, "access_simple_check failed.");
-     fail_unless(access_granted == false, "Access granted "
-                                          "while user is in deny list.");
- 
--    ret = simple_access_check(ctx, "u3", &access_granted);
-+    ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
-     fail_unless(ret == EOK, "access_simple_check failed.");
-     fail_unless(access_granted == false, "Access granted "
-                                         "while user is not in allow list.");
-@@ -134,18 +247,18 @@ START_TEST(test_case)
-     int ret;
-     bool access_granted = false;
- 
--    ctx->allow_users = discard_const(ulist_1);
--    ctx->deny_users = NULL;
-+    test_ctx->ctx->allow_users = discard_const(ulist_1);
-+    test_ctx->ctx->deny_users = NULL;
- 
--    ret = simple_access_check(ctx, "U1", &access_granted);
-+    ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
-     fail_unless(ret == EOK, "access_simple_check failed.");
-     fail_unless(access_granted == false, "Access granted "
-                                          "for user with different case "
-                                          "in case-sensitive domain");
- 
--    ctx->domain->case_sensitive = false;
-+    test_ctx->ctx->domain->case_sensitive = false;
- 
--    ret = simple_access_check(ctx, "U1", &access_granted);
-+    ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
-     fail_unless(ret == EOK, "access_simple_check failed.");
-     fail_unless(access_granted == true, "Access denied "
-                                         "for user with different case "
-@@ -153,11 +266,95 @@ START_TEST(test_case)
- }
- END_TEST
- 
-+START_TEST(test_group_allow_empty)
-+{
-+    int ret;
-+    bool access_granted = true;
-+
-+    test_ctx->ctx->allow_groups = NULL;
-+    test_ctx->ctx->deny_groups = discard_const(glist_1);
-+
-+    ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
-+    fail_unless(ret == EOK, "access_simple_check failed.");
-+    fail_unless(access_granted == false, "Access granted "
-+                                         "while group is in deny list.");
-+
-+    ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
-+    fail_unless(ret == EOK, "access_simple_check failed.");
-+    fail_unless(access_granted == true, "Access denied "
-+                                         "while group is not in deny list.");
-+}
-+END_TEST
-+
-+START_TEST(test_group_deny_empty)
-+{
-+    int ret;
-+    bool access_granted = false;
-+
-+    test_ctx->ctx->allow_groups = discard_const(glist_1);
-+    test_ctx->ctx->deny_groups = NULL;
-+
-+    ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
-+    fail_unless(ret == EOK, "access_simple_check failed.");
-+    fail_unless(access_granted == true, "Access denied "
-+                                        "while group is in allow list.");
-+
-+    ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
-+    fail_unless(ret == EOK, "access_simple_check failed.");
-+    fail_unless(access_granted == false, "Access granted "
-+                                        "while group is not in allow list.");
-+}
-+END_TEST
-+
-+START_TEST(test_group_both_set)
-+{
-+    int ret;
-+    bool access_granted = false;
-+
-+    test_ctx->ctx->allow_groups = discard_const(ulist_1);
-+    test_ctx->ctx->deny_groups = discard_const(ulist_1);
-+
-+    ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
-+    fail_unless(ret == EOK, "access_simple_check failed.");
-+    fail_unless(access_granted == false, "Access granted "
-+                                         "while group is in deny list.");
-+
-+    ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
-+    fail_unless(ret == EOK, "access_simple_check failed.");
-+    fail_unless(access_granted == false, "Access granted "
-+                                        "while group is not in allow list.");
-+}
-+END_TEST
-+
-+START_TEST(test_group_case)
-+{
-+    int ret;
-+    bool access_granted = false;
-+
-+    test_ctx->ctx->allow_groups = discard_const(ulist_1);
-+    test_ctx->ctx->deny_groups = NULL;
-+
-+    ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
-+    fail_unless(ret == EOK, "access_simple_check failed.");
-+    fail_unless(access_granted == false, "Access granted "
-+                                         "for group with different case "
-+                                         "in case-sensitive domain");
-+
-+    test_ctx->ctx->domain->case_sensitive = false;
-+
-+    ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
-+    fail_unless(ret == EOK, "access_simple_check failed.");
-+    fail_unless(access_granted == true, "Access denied "
-+                                        "for group with different case "
-+                                        "in case-insensitive domain");
-+}
-+END_TEST
-+
- Suite *access_simple_suite (void)
- {
-     Suite *s = suite_create("access_simple");
- 
--    TCase *tc_allow_deny = tcase_create("allow/deny");
-+    TCase *tc_allow_deny = tcase_create("user allow/deny");
-     tcase_add_checked_fixture(tc_allow_deny, setup_simple, teardown_simple);
-     tcase_add_test(tc_allow_deny, test_both_empty);
-     tcase_add_test(tc_allow_deny, test_allow_empty);
-@@ -166,6 +363,15 @@ Suite *access_simple_suite (void)
-     tcase_add_test(tc_allow_deny, test_case);
-     suite_add_tcase(s, tc_allow_deny);
- 
-+    TCase *tc_grp_allow_deny = tcase_create("group allow/deny");
-+    tcase_add_checked_fixture(tc_grp_allow_deny,
-+                              setup_simple_group, teardown_simple_group);
-+    tcase_add_test(tc_grp_allow_deny, test_group_allow_empty);
-+    tcase_add_test(tc_grp_allow_deny, test_group_deny_empty);
-+    tcase_add_test(tc_grp_allow_deny, test_group_both_set);
-+    tcase_add_test(tc_grp_allow_deny, test_group_case);
-+    suite_add_tcase(s, tc_grp_allow_deny);
-+
-     return s;
- }
- 
-@@ -174,6 +380,7 @@ int main(int argc, const char *argv[])
-     int opt;
-     poptContext pc;
-     int number_failed;
-+    int ret;
- 
-     struct poptOption long_options[] = {
-         POPT_AUTOHELP
-@@ -205,6 +412,20 @@ int main(int argc, const char *argv[])
-     srunner_run_all(sr, CK_ENV);
-     number_failed = srunner_ntests_failed(sr);
-     srunner_free(sr);
-+
-+    ret = unlink(TESTS_PATH"/"TEST_CONF_FILE);
-+    if (ret != EOK) {
-+        fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n",
-+                errno, strerror(errno));
-+        return EXIT_FAILURE;
-+    }
-+    ret = unlink(TESTS_PATH"/"LOCAL_SYSDB_FILE);
-+    if (ret != EOK) {
-+        fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n",
-+                errno, strerror(errno));
-+        return EXIT_FAILURE;
-+    }
-+
-     return (number_failed==0 ? EXIT_SUCCESS : EXIT_FAILURE);
- }
- 
diff --git a/debian/patches/cve-2013-0287-3.diff b/debian/patches/cve-2013-0287-3.diff
deleted file mode 100644
index 3c9fa5b..0000000
--- a/debian/patches/cve-2013-0287-3.diff
+++ /dev/null
@@ -1,35 +0,0 @@
-commit 26590d31f492dbbd36be6d0bde46a4bd3b221edb
-Author: Jakub Hrozek <jhrozek at redhat.com>
-Date:   Mon Mar 4 16:37:04 2013 +0100
-
-    Do not compile main() in DP if UNIT_TESTING is defined
-    
-    The simple access provider unit tests now need to link against the Data
-    Provider when they start using the be_file_account_request() function.
-    But then we would start having conflicts as at least the main()
-    functions would clash.
-    
-    If UNIT_TESTING is defined, then the data_provider_be.c module does not
-    contain the main() function and can be linked against directly from
-    another module that contains its own main() function
-
-diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
-index f85a04d..33590ae 100644
---- a/src/providers/data_provider_be.c
-+++ b/src/providers/data_provider_be.c
-@@ -2651,6 +2651,7 @@ fail:
-     return ret;
- }
- 
-+#ifndef UNIT_TESTING
- int main(int argc, const char *argv[])
- {
-     int opt;
-@@ -2732,6 +2733,7 @@ int main(int argc, const char *argv[])
- 
-     return 0;
- }
-+#endif
- 
- static int data_provider_res_init(DBusMessage *message,
-                                   struct sbus_connection *conn)
diff --git a/debian/patches/cve-2013-0287-4.diff b/debian/patches/cve-2013-0287-4.diff
deleted file mode 100644
index 7c3d965..0000000
--- a/debian/patches/cve-2013-0287-4.diff
+++ /dev/null
@@ -1,1613 +0,0 @@
-commit 8b8019fe3dd1564fba657e219ec20ff816c7ffdb
-Author: Jakub Hrozek <jhrozek at redhat.com>
-Date:   Sat Feb 23 10:44:54 2013 +0100
-
-    Resolve GIDs in the simple access provider
-    
-    Changes the simple access provider's interface to be asynchronous. When
-    the simple access provider encounters a group that has gid, but no
-    meaningful name, it attempts to resolve the name using the
-    be_file_account_request function.
-    
-    Some providers (like the AD provider) might perform initgroups
-    without resolving the group names. In order for the simple access
-    provider to work correctly, we need to resolve the groups before
-    performing the access check. In AD provider, the situation is
-    even more tricky b/c the groups HAVE name, but their name
-    attribute is set to SID and they are set as non-POSIX
-
-diff --git a/Makefile.am b/Makefile.am
-index dc0465a..eea535e 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -1008,14 +1008,22 @@ ad_ldap_opt_tests_LDADD = \
- simple_access_tests_SOURCES = \
-     src/tests/simple_access-tests.c \
-     src/tests/common.c \
--    src/providers/simple/simple_access.c
-+    src/providers/simple/simple_access_check.c \
-+    src/providers/data_provider_be.c \
-+    src/providers/data_provider_fo.c \
-+    src/providers/data_provider_callbacks.c \
-+    $(SSSD_FAILOVER_OBJ)
- simple_access_tests_CFLAGS = \
-     $(AM_CFLAGS) \
--    $(CHECK_CFLAGS)
-+    $(CHECK_CFLAGS) \
-+    -DUNIT_TESTING
- simple_access_tests_LDADD = \
-     $(SSSD_LIBS) \
-+    $(CARES_LIBS) \
-     $(CHECK_LIBS) \
--    libsss_util.la
-+    $(PAM_LIBS) \
-+    libsss_util.la \
-+    libsss_test_common.la
- 
- util_tests_SOURCES = \
-     src/tests/util-tests.c
-@@ -1347,7 +1355,8 @@ libsss_proxy_la_LDFLAGS = \
-     -module
- 
- libsss_simple_la_SOURCES = \
--    src/providers/simple/simple_access.c
-+    src/providers/simple/simple_access.c \
-+    src/providers/simple/simple_access_check.c
- libsss_simple_la_CFLAGS = \
-     $(AM_CFLAGS)
- libsss_simple_la_LIBADD = \
-diff --git a/src/providers/simple/simple_access.c b/src/providers/simple/simple_access.c
-index 70d1f07..d53a04b 100644
---- a/src/providers/simple/simple_access.c
-+++ b/src/providers/simple/simple_access.c
-@@ -35,227 +35,52 @@
- #define CONFDB_SIMPLE_ALLOW_GROUPS "simple_allow_groups"
- #define CONFDB_SIMPLE_DENY_GROUPS "simple_deny_groups"
- 
--errno_t simple_access_check(struct simple_ctx *ctx, const char *username,
--                            bool *access_granted)
--{
--    int i, j;
--    errno_t ret;
--    TALLOC_CTX *tmp_ctx = NULL;
--    const char *user_attrs[] = { SYSDB_MEMBEROF,
--                                 SYSDB_GIDNUM,
--                                 NULL };
--    const char *group_attrs[] = { SYSDB_NAME,
--                                  NULL };
--    struct ldb_message *msg;
--    struct ldb_message_element *el;
--    char **groups;
--    const char *primary_group;
--    gid_t gid;
--    bool matched;
--    bool cs = ctx->domain->case_sensitive;
--
--    *access_granted = false;
--
--    /* First, check whether the user is in the allowed users list */
--    if (ctx->allow_users != NULL) {
--        for(i = 0; ctx->allow_users[i] != NULL; i++) {
--            if (sss_string_equal(cs, username, ctx->allow_users[i])) {
--                DEBUG(9, ("User [%s] found in allow list, access granted.\n",
--                      username));
--
--                /* Do not return immediately on explicit allow
--                 * We need to make sure none of the user's groups
--                 * are denied.
--                 */
--                *access_granted = true;
--            }
--        }
--    } else if (!ctx->allow_groups) {
--        /* If neither allow rule is in place, we'll assume allowed
--         * unless a deny rule disables us below.
--         */
--        *access_granted = true;
--    }
-+static void simple_access_check(struct tevent_req *req);
- 
--    /* Next check whether this user has been specifically denied */
--    if (ctx->deny_users != NULL) {
--        for(i = 0; ctx->deny_users[i] != NULL; i++) {
--            if (sss_string_equal(cs, username, ctx->deny_users[i])) {
--                DEBUG(9, ("User [%s] found in deny list, access denied.\n",
--                      username));
--
--                /* Return immediately on explicit denial */
--                *access_granted = false;
--                return EOK;
--            }
--        }
--    }
-+void simple_access_handler(struct be_req *be_req)
-+{
-+    struct be_ctx *be_ctx = be_req->be_ctx;
-+    struct pam_data *pd;
-+    struct tevent_req *req;
-+    struct simple_ctx *ctx;
- 
--    if (!ctx->allow_groups && !ctx->deny_groups) {
--        /* There are no group restrictions, so just return
--         * here with whatever we've decided.
--         */
--        return EOK;
--    }
-+    pd = talloc_get_type(be_req->req_data, struct pam_data);
- 
--    /* Now get a list of this user's groups and check those against the
--     * simple_allow_groups list.
--     */
--    tmp_ctx = talloc_new(NULL);
--    if (!tmp_ctx) {
--        ret = ENOMEM;
--        goto done;
--    }
-+    pd->pam_status = PAM_SYSTEM_ERR;
- 
--    ret = sysdb_search_user_by_name(tmp_ctx, ctx->sysdb,
--                                    username, user_attrs, &msg);
--    if (ret != EOK) {
--        DEBUG(1, ("Could not look up username [%s]: [%d][%s]\n",
--                  username, ret, strerror(ret)));
-+    if (pd->cmd != SSS_PAM_ACCT_MGMT) {
-+        DEBUG(4, ("simple access does not handles pam task %d.\n", pd->cmd));
-+        pd->pam_status = PAM_MODULE_UNKNOWN;
-         goto done;
-     }
- 
--    /* Construct a list of the user's groups */
--    el = ldb_msg_find_element(msg, SYSDB_MEMBEROF);
--    if (el && el->num_values) {
--        /* Get the groups from the memberOf entries
--         * Allocate the array with room for both the NULL
--         * terminator and the primary group
--         */
--        groups = talloc_array(tmp_ctx, char *, el->num_values + 2);
--        if (!groups) {
--            ret = ENOMEM;
--            goto done;
--        }
--
--        for (j = 0; j < el->num_values; j++) {
--            ret = sysdb_group_dn_name(
--                    ctx->sysdb, tmp_ctx,
--                    (char *)el->values[j].data,
--                    &groups[j]);
--            if (ret != EOK) {
--                goto done;
--            }
--        }
--    } else {
--        /* User is not a member of any groups except primary */
--        groups = talloc_array(tmp_ctx, char *, 2);
--        if (!groups) {


