[Pkg-sssd-devel] sssd: Changes to 'ubuntu-trusty'
Timo Aaltonen
tjaalton at moszumanska.debian.org
Tue Nov 22 08:01:36 UTC 2016
debian/changelog | 7 +
debian/patches/fix-upstream-2519.diff | 170 ++++++++++++++++++++++++++++++++++
debian/patches/series | 1
3 files changed, 178 insertions(+)
New commits:
commit 80368dd8db259d2bc381c12ebf973f3afd30ad6c
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Tue Nov 22 09:58:43 2016 +0200
d/p/fix-upstream-2519.diff SSSD should not fail authentication when only allow rules are used (LP: #1640805)
diff --git a/debian/changelog b/debian/changelog
index 91f4542..06d213e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+sssd (1.11.8-0ubuntu0.3) trusty; urgency=medium
+
+ * d/p/fix-upstream-2519.diff SSSD should not fail authentication when only
+ allow rules are used (LP: #1640805)
+
+ -- Christian Ehrhardt <christian.ehrhardt at canonical.com> Fri, 11 Nov 2016 09:23:35 +0100
+
sssd (1.11.8-0ubuntu0.2) trusty; urgency=medium
* control: Drop check from build-depends (ftbfs).
diff --git a/debian/patches/fix-upstream-2519.diff b/debian/patches/fix-upstream-2519.diff
new file mode 100644
index 0000000..1f14ab9
--- /dev/null
+++ b/debian/patches/fix-upstream-2519.diff
@@ -0,0 +1,170 @@
+Description: SSSD should not fail authentication when only allow rules are used
+
+Backport from upstream issue fix 2519 that slipped into the last bugfix update.
+This consists of two parts that got upstream in 1.12.3 and 1.12.5.
+
+Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
+
+Origin: https://fedorahosted.org/sssd/ticket/2519
+Author: Christian Ehrhardt <christian.ehrhardt at canonical.com>
+Last-Update: 2016-11-14
+--- a/src/providers/simple/simple_access_check.c
++++ b/src/providers/simple/simple_access_check.c
+@@ -24,6 +24,11 @@
+ #include "util/sss_utf8.h"
+ #include "db/sysdb.h"
+
++#define NON_EXIST_USR_ALLOW "The user %s does not exist. Possible typo in simple_allow_users.\n"
++#define NON_EXIST_USR_DENY "The user %s does not exist. Possible typo in simple_deny_users.\n"
++#define NON_EXIST_GRP_ALLOW "The group %s does not exist. Possible typo in simple_allow_groups.\n"
++#define NON_EXIST_GRP_DENY "The group %s does not exist. Possible typo in simple_deny_groups.\n"
++
+ static bool
+ is_posix(const struct ldb_message *group)
+ {
+@@ -53,9 +58,11 @@
+ domain = find_subdomain_by_object_name(ctx->domain,
+ ctx->allow_users[i]);
+ if (domain == NULL) {
+- DEBUG(SSSDBG_CRIT_FAILURE, "Invalid user %s!\n",
+- ctx->allow_users[i]);
+- return EINVAL;
++ DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_USR_ALLOW,
++ ctx->allow_users[i]);
++ sss_log(SSS_LOG_CRIT, NON_EXIST_USR_ALLOW,
++ ctx->allow_users[i]);
++ continue;
+ }
+
+ if (sss_string_equal(domain->case_sensitive, username,
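Review bot: The `continue` that replaces `return EINVAL` when `find_subdomain_by_object_name` fails is fail-closed only because the surrounding function denies access when no allow entry matched, and that fall-through is outside this hunk, so the invariant deserves a comment next to the `continue`: `/* Skip the unresolvable entry: an allow entry that cannot match can only withhold access, never grant it. */`. Note also that `sss_log(SSS_LOG_CRIT, ...)` now fires every time this check runs, so a single typo in simple_allow_users presumably produces one CRIT syslog line per access request until the configuration is fixed; acceptable, but worth stating in the patch description. The enclosing function starts before this hunk and continues after it.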
+@@ -86,8 +93,10 @@
+ domain = find_subdomain_by_object_name(ctx->domain,
+ ctx->deny_users[i]);
+ if (domain == NULL) {
+- DEBUG(SSSDBG_CRIT_FAILURE, "Invalid user %s!\n",
+- ctx->deny_users[i]);
++ DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_USR_DENY,
++ ctx->deny_users[i]);
++ sss_log(SSS_LOG_CRIT, NON_EXIST_USR_DENY,
++ ctx->deny_users[i]);
+ return EINVAL;
+ }
+
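Review bot: The retained `return EINVAL` for an unresolvable simple_deny_users entry is the right call — a deny entry that were silently skipped could let the intended principal through — but after this patch it is the opposite of what the allow branch does and nothing in the code says why, so add a comment before the return: `/* Unlike allow entries, a deny entry must never be skipped: failing closed is the only safe answer. */`. The same asymmetry applies to the deny-groups branch later in the patch and would benefit from the same comment. The enclosing function starts before this hunk and continues after it.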
+@@ -125,9 +134,12 @@
+ domain = find_subdomain_by_object_name(ctx->domain,
+ ctx->allow_groups[i]);
+ if (domain == NULL) {
+- DEBUG(SSSDBG_CRIT_FAILURE, "Invalid group %s!\n",
+- ctx->allow_groups[i]);
+- return EINVAL;
++ DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_GRP_ALLOW,
++ ctx->allow_groups[i]);
++ sss_log(SSS_LOG_CRIT, NON_EXIST_GRP_ALLOW,
++ ctx->allow_groups[i]);
++
++ continue;
+ }
+
+ for(j = 0; group_names[j]; j++) {
+@@ -158,8 +170,11 @@
+ domain = find_subdomain_by_object_name(ctx->domain,
+ ctx->deny_groups[i]);
+ if (domain == NULL) {
+- DEBUG(SSSDBG_CRIT_FAILURE, "Invalid group %s!\n",
+- ctx->deny_groups[i]);
++ DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_GRP_DENY,
++ ctx->deny_groups[i]);
++ sss_log(SSS_LOG_CRIT, NON_EXIST_GRP_DENY,
++ ctx->deny_groups[i]);
++
+ return EINVAL;
+ }
+
+@@ -379,6 +394,8 @@
+
+ const char **group_names;
+ size_t num_names;
++
++ bool failed_to_resolve_groups;
+ };
+
+ static void simple_check_get_groups_next(struct tevent_req *subreq);
+@@ -414,6 +431,7 @@
+
+ state->ev = ev;
+ state->ctx = ctx;
++ state->failed_to_resolve_groups = false;
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Looking up groups for user %s\n", username);
+
+@@ -532,11 +550,10 @@
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not resolve name of group with GID %"SPRIgid"\n",
+ state->lookup_groups[state->giter].gid);
+- tevent_req_error(req, ret);
+- return;
++ state->failed_to_resolve_groups = true;
++ } else {
++ state->num_names++;
+ }
+-
+- state->num_names++;
+ state->giter++;
+
+ if (state->giter < state->num_groups) {
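Review bot: On the failure branch the slot `state->group_names[state->num_names]` is not reset, and this hunk does not show where the resolved name is written; if, as the preceding lookup suggests, the name is stored into that slot before the check, a non-NULL value left there by the last failed group would survive as the array terminator. The callers walk the list with `for(j = 0; group_names[j]; j++)` (visible in the allow-groups hunk), so they depend on a NULL terminator; adding `state->group_names[state->num_names] = NULL;` beside `state->failed_to_resolve_groups = true;` makes that independent of the resolver's error-path behaviour. The enclosing function starts before this hunk and continues after it.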
+@@ -670,6 +687,9 @@
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *_group_names = talloc_steal(mem_ctx, state->group_names);
++ if (state->failed_to_resolve_groups) {
++ return ERR_SIMPLE_GROUPS_MISSING;
++ }
+ return EOK;
+ }
+
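Review bot: `simple_check_get_groups_recv` now returns a non-EOK code, ERR_SIMPLE_GROUPS_MISSING, after `*_group_names` has already been populated by `talloc_steal`, which departs from the usual tevent convention that out-parameters are untouched on error; the caller in this patch relies on that, so the contract should be written down at the top of the function: `/* On ERR_SIMPLE_GROUPS_MISSING the names that did resolve are still handed to the caller; every other error (TEVENT_REQ_RETURN_ON_ERROR above) leaves *_group_names untouched. */`. Without that comment a future caller that ignores the out-parameter on error would leak the stolen array or silently miss partial data. The function signature is outside this hunk.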
+@@ -759,12 +779,25 @@
+
+ /* We know the names now. Run the check. */
+ ret = simple_check_get_groups_recv(subreq, state, &state->group_names);
++
+ talloc_zfree(subreq);
+ if (ret == ENOENT) {
+ /* If the user wasn't found, just shortcut */
+ state->access_granted = false;
+ tevent_req_done(req);
+ return;
++ } else if (ret == ERR_SIMPLE_GROUPS_MISSING) {
++ DEBUG(SSSDBG_OP_FAILURE,
++ "Could not collect groups of user %s\n", state->username);
++ if (state->ctx->deny_groups == NULL) {
++ DEBUG(SSSDBG_TRACE_FUNC,
++ "But no deny groups were defined so we can continue.\n");
++ } else {
++ DEBUG(SSSDBG_OP_FAILURE,
++ "Some deny groups were defined, we can't continue\n");
++ tevent_req_error(req, ret);
++ return;
++ }
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not collect groups of user %s\n", state->username);
+--- a/src/util/util_errors.c
++++ b/src/util/util_errors.c
+@@ -60,6 +60,7 @@
+ { "Bus message has no sender" }, /* ERR_SBUS_NO_SENDER */
+ { "Cannot connect to system bus" }, /* ERR_NO_SYSBUS */
+ { "LDAP search returned a referral" }, /* ERR_REFERRAL */
++ { "Failed to resolve one of user groups." }, /* ERR_SIMPLE_GROUPS_MISSING */
+ };
+
+
+--- a/src/util/util_errors.h
++++ b/src/util/util_errors.h
+@@ -82,6 +82,7 @@
+ ERR_SBUS_NO_SENDER,
+ ERR_NO_SYSBUS,
+ ERR_REFERRAL,
++ ERR_SIMPLE_GROUPS_MISSING,
+ ERR_LAST /* ALWAYS LAST */
+ };
+
diff --git a/debian/patches/series b/debian/patches/series
index a3a3966..5e3b4d5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ fix-upstream-2620.diff
AD-add-new-option-ad_site.diff
AD-support-for-AD-site-override.diff
AD-SRV-prefer-site-local-DCs-in-LDAP-ping.diff
+fix-upstream-2519.diff