The idea is to rename session provider to selinux provider. Processing
of SELinux rules has to be performed in account stack in order to ensure
that pam_selinux (which is the first module in PAM session stack) will
get the correct input from SSSD.
Processing of account PAM stack is bound to access provider. That means
we need to have two providers executed when SSS_PAM_ACCT_MGMT message
is received from PAM responder. Change in data_provider_be.c ensures
just that - after access provider finishes its actions, the control is
given to selinux provider and only after this provider finishes is the
result returned to PAM responder.

In case of error the request wasn't freed and the callback just ended.

The counter is important so the for cycle doesn't depend on the first
NULL pointer. That would cause potential errors if more records are
following after this first NULL pointer.

Translate manually memberHost and memberUser to originalMemberUser and
originalMemberHost. Without this, the HBAC rule won't be matched against
current user and/or host, meaning that no SELinux user map connected to
it will be matched against any user on the system.

This function is no longer necessary since sysdb interface for copying
elements has been implemented.

SSH utilities were included in see also section even if SSSD is
built without SSH support.

https://fedorahosted.org/sssd/ticket/1368

This patch adds the possibility for user/host category attributes to
have more than one value. It also fixes semantically wrong evaluation of
SELinux map priority.

There was a logic bug in sysdb_search_selinux_usermap_by_username that
resulted in returning the value the variable "ret" had after the last
call to sysdb_attrs_get_uint32_t, which, in cases where the last rule
processed did not have the requested attributes, led to using the default
user context.

If override_shell is specified in the [nss] section, all users
managed by SSSD will have their shell set to this value. If it is
specified in the [domain/DOMAINNAME] section, it will apply to
only that domain (and override the [nss] value, if any).
https://fedorahosted.org/sssd/ticket/1087

Add information about ID mapping (including how to disable it) as
well as information on how to handle homedir and shell.
https://fedorahosted.org/sssd/ticket/1433

https://fedorahosted.org/sssd/ticket/1432

The AD provider cannot function with canonicalization because of
a bug in Active Directory rendering it unable to complete a
password-change while canonicalization is enabled.

https://fedorahosted.org/sssd/ticket/1379

https://fedorahosted.org/sssd/ticket/1421

We should always download the defaults because even if there are no
rules, we might want to use (or update) the defaults.

The functionality now is following:
When rule is being matched, its priority is determined as a combination
of user and host specificity (host taking preference).
After the rule is matched in provider, only its host priority is stored
in sysdb for later usage.
When rules are matched in the responder, their user priority is
determined. After that their host priority is retrieved directly from
sysdb and sum of both priorities is used to determine whether to use
that rule or not. If more rules have the same priority, the order given
in IPA config is used.
https://fedorahosted.org/sssd/ticket/1360
https://fedorahosted.org/sssd/ticket/1395

This function copies all values from one sysdb_attrs structure to
another.

https://fedorahosted.org/sssd/ticket/1411

The attribute is supposed to contain number of days since the epoch, not
the number of seconds.

SIGSEGV occurred when sss_sudo_cli was run without any arguments.

allocated on stack
If we provide a hostname that was allocated on stack, it may contain
invalid data in the time when it is actually resolved.
This patch fixes it.

The name context was not being initialized for local provider
domains because it was handled after skipping over the back-end
initialization routine. This patch moves the name context init
routine to occur earlier.
https://fedorahosted.org/sssd/ticket/1412

A check for allowed UIDs is added in the common responder code directly
after accept(). If the platform does not support reading the UID of the
peer but allowed UIDs are configured, access is denied.
Currently only the PAC responder sets the allowed UIDs for a socket. The
default is that only root is allowed to access the socket of the PAC
responder.
Fixes: https://fedorahosted.org/sssd/ticket/1382

Fixes https://fedorahosted.org/sssd/ticket/1410

Fixes https://fedorahosted.org/sssd/ticket/1409

Coverity #12770