summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)AuthorFilesLines
2013-04-05Wrong condition after waitpid.Michal Zidek1-1/+1
On success, waitpid() returns pid of terminated child, not 0.
2013-04-05Check for waitpid failure at wrong place.Michal Zidek2-10/+9
Coverity bugs. https://fedorahosted.org/sssd/ticket/1865
2013-04-05Check for the correct variablesJakub Hrozek1-2/+2
https://fedorahosted.org/sssd/ticket/1864
2013-04-05Further restrict become_user drop of privileges.Simo Sorce1-15/+18
We never need to regain root after we call become_user() so tighten up even further our privilege drop. Add a setgroups() call to remove all secondary groups root may have been given for whateve reason. Then use the setres[ug]id function to also drop the saved uid/gid so the process cannot regain back root id. Capabilities are also implicitly dropped here, no more CAP_SETUID so this is a Point of No Return, once changed to non-root the process can't get back. Remove redefinition of sys/types.h and unistd.h, they are already defined in util.h and they need to be included after _GNU_SOURCE/_BSD_SOURCE is defined or the prototypes for setres[ug]id will not be found. Add grp.h after util.h for the same reason.
2013-04-04dyndns: Fix initializing sdap_id_ctxJakub Hrozek1-1/+1
2013-04-04LDAP: Fix value initialization warningsLukas Slebodnik2-2/+2
2013-04-03Centralize resolv_init, remove resolv context listJakub Hrozek5-43/+7
2013-04-03Init failover with be_res optionsJakub Hrozek8-131/+124
2013-04-03Allow setting krb5_renew_interval with a delimiterAriel Barria9-13/+59
https://fedorahosted.org/sssd/ticket/902 changed the data type the krb5_renew_interval to string. function krb5_string_to_deltat is used to convert and allow delimiters
2013-04-03Check for correct variable nameJakub Hrozek6-9/+5
https://fedorahosted.org/sssd/ticket/1864
2013-04-03Return errno, not -1 on failure in files.cJakub Hrozek1-0/+1
https://fedorahosted.org/sssd/ticket/1862
2013-04-03Fix potential out-of-bounds write in sss_idmap_sid_to_dom_sidJakub Hrozek1-1/+1
https://fedorahosted.org/sssd/ticket/1861
2013-04-03pidfile(): Do not leak fd on errorJakub Hrozek1-0/+1
https://fedorahosted.org/sssd/ticket/1860
2013-04-03krb5 child: Use the correct type when processing OTPJakub Hrozek1-1/+1
2013-04-03Fix typos in man pagesYuri Chornoivan2-2/+2
2013-04-02Updating the translations for the 1.10 alpha releaseJakub Hrozek16-8900/+31591
2013-04-02Improve syslog message when configuration cannot be loadedAriel Barria1-1/+3
https://fedorahosted.org/sssd/ticket/1414 Error code was added and strerror(errno) to show cause in sss_log
2013-04-02Making the authtok structure really opaque.Lukas Slebodnik19-137/+186
Definition of structure sss_auth_token was removed from header file authtok.h and there left only declaration of this structure. Therefore only way how to use this structure is to use accessory function from same header file. To creating new empty authotok can only be used newly created function sss_authtok_new(). TALLOC context was removed from copy and setter functions, because pointer to stuct sss_auth_token is used as a memory context. All declaration of struct sss_auth_token variables was replaced with pointer to this structure and related changes was made in source code. Function copy_pam_data can copy from argument src which was dynamically allocated with function create_pam_data() or zero initialized struct pam_data allocated on stack. https://fedorahosted.org/sssd/ticket/1830
2013-04-02Reusing create_pam_data() on the other places.Lukas Slebodnik5-4/+16
Function create_pam_data() should be only one way how to create new struct pam_data, because it also initialize destructor to created object.
2013-04-02refactor nested group processing: replace old codePavel Březina2-1721/+21
https://fedorahosted.org/sssd/ticket/1784
2013-04-02refactor nested group processing: add new codePavel Březina1-0/+2229
https://fedorahosted.org/sssd/ticket/1784 1. initialization (main-req), returns members of input group 2. evaluate group members (group) 3. perform individual search (no-deref) or dereference attribute (deref) 4a. no-deref 1. perform a lookup depending on the type of the member object 2. all direct members are evaluated first 3. then we step down in nesting level and evaluate nested groups 4b. deref 1. perform a dereference lookup on member attribute 2. all direct members are evaluated first 3. then we step down in nesting level and evaluate nested groups Tevent request flow: main-req | group |------------------------| no-deref deref | | |----|------|---------| | user group unknown recurse recurse / \ | | | ... | | | ... user group group group
2013-03-27Provide libnl3 supportOndrej Kos3-78/+201
https://fedorahosted.org/sssd/ticket/812 Update the monitor code to be using the new libnl3 API. Changed configure option --with-libnl By default, it tries to build with libnl3, if not found, then with libnl1, if this isn't found either, build proceeds without libnl, just with warning. Specifing --with-libnl=<libnl3|libnl1|no> checks for the specific given version, if not found, configure ends with error.
2013-03-27selinux: Remove unused parameterJakub Hrozek1-1/+0
https://fedorahosted.org/sssd/ticket/1848
2013-03-27LDAP: Fix value initializationOndrej Kos1-1/+1
2013-03-27filename in comment is correctedAbhishek Singh1-1/+1
2013-03-25Include config.h to build io.c on RHEL5Jakub Hrozek1-0/+2
2013-03-21Document what does access_provider=ad doJakub Hrozek1-0/+14
https://fedorahosted.org/sssd/ticket/1841
2013-03-21LDAP: If deref search fails, try again without derefJan Cholasta5-4/+50
https://fedorahosted.org/sssd/ticket/1660
2013-03-21Move signal.m4 from src/util to externalJakub Hrozek1-0/+0
2013-03-21Fixing duplicate constLukas Slebodnik1-3/+3
const char const * --> const char *const
2013-03-20Return error code from ipa_subdom_storeJakub Hrozek1-5/+13
2013-03-20coding style fixPavel Březina1-1/+1
2013-03-20change responder contexts hierarchyPavel Březina6-65/+94
https://fedorahosted.org/sssd/ticket/1575 The hierarchy is now: main_ctx -> responder_ctx -> specific_ctx where specific_ctx is one of sudo, pam, etc.
2013-03-20do not leak memory on failure in *_process_init()Pavel Březina7-35/+62
2013-03-20tests: Print warning if LDB_MODULES_PATH is not setMichal Zidek4-0/+21
Print warning if sysdb-tests or sysdb-ssh test are run individually and LDB_MODULES_PATH was not set. https://fedorahosted.org/sssd/ticket/1820
2013-03-20correct order in error_to_str tablePavel Březina1-1/+1
Also fixed typo.
2013-03-20Making the ldb check configurableLukas Slebodnik2-2/+17
It is possible to enable/disable checking in LDB memberof plugin whether it was built against the same version of LDB that is present on the system. This feature is turned off by default and enabled in Fedora/RHEL spec file. https://fedorahosted.org/sssd/ticket/1813
2013-03-20ldap: Fallback option for rfc2307 schemaSimo Sorce13-11/+227
Add option to fallback to fetch local users if rfc2307is being used. This is useful for cases where people added local users as LDAP members and rely on these group memberships to be maintained on the local host. Disabled by default as it violates identity domain separation. Ticket: https://fedorahosted.org/sssd/ticket/1020
2013-03-19Convert sdap_access to new error codesSimo Sorce7-480/+214
Also simplify sdap_access_send to avoid completely fake _send() routines.
2013-03-19Resolve GIDs in the simple access providerJakub Hrozek4-223/+915
Changes the simple access provider's interface to be asynchronous. When the simple access provider encounters a group that has gid, but no meaningful name, it attempts to resolve the name using the be_file_account_request function. Some providers (like the AD provider) might perform initgroups without resolving the group names. In order for the simple access provider to work correctly, we need to resolve the groups before performing the access check. In AD provider, the situation is even more tricky b/c the groups HAVE name, but their name attribute is set to SID and they are set as non-POSIX
2013-03-19Do not compile main() in DP if UNIT_TESTING is definedJakub Hrozek1-0/+2
The simple access provider unit tests now need to link against the Data Provider when they start using the be_file_account_request() function. But then we would start having conflicts as at least the main() functions would clash. If UNIT_TESTING is defined, then the data_provider_be.c module does not contain the main() function and can be linked against directly from another module that contains its own main() function
2013-03-19Add unit tests for simple access test by groupsJakub Hrozek1-31/+253
I realized that the current unit tests for the simple access provider only tested the user directives. To have a baseline and be able to detect new bugs in the upcoming patch, I implemented unit tests for the group lists, too.
2013-03-19Provide a be_get_account_info_send functionJakub Hrozek2-19/+144
In order to resolve group names in the simple access provider we need to contact the Data Provider in a generic fashion from the access provider. We can't call any particular implementation (like sdap_generic_send()) because we have no idea what kind of provider is configured as the id_provider. This patch splits introduces the be_file_account_request() function into the data_provider_be module and makes it public. A future patch should make the be_get_account_info function use the be_get_account_info_send function.
2013-03-19Make the SELinux refresh time configurable.Michal Zidek6-2/+24
Option ipa_selinux_refresh is added to basic ipa options.
2013-03-19Reuse cached SELinux mappings.Michal Zidek2-3/+29
Reuse cached SELinux maps when they are requested within time interval (in this patch it is hardcoded to be 5 seconds). https://fedorahosted.org/sssd/ticket/1744
2013-03-19Move SELinux processing to provider.Michal Zidek6-452/+393
The SELinux processing was distributed between provider and pam responder which resulted in hard to maintain code. This patch moves the logic to provider. IT ALSO REQUIRES CHANGE IN THE SELINUX POLICY, because the provider also writes the content of selinux login file to disk (which was done by responder before). https://fedorahosted.org/sssd/ticket/1743
2013-03-19Removing unused declaration of functions and variable.Lukas Slebodnik4-15/+2
Variables dir_cc and file_cc are used in three modules: krb5_common.c, krb5_utils.c, krb5_child-test.c, therefore should be declared with extern in krb5_utils.h.
2013-03-19Use common error facility instead of sdap_resultSimo Sorce11-355/+238
Simplifies and consolidates error reporting for ldap authentication paths. Adds 3 new error codes: ERR_CHPASS_DENIED - Used when password constraints deny password changes ERR_ACCOUNT_EXPIRED - Account is expired ERR_PASSWORD_EXPIRED - Password is expired
2013-03-18Decrease krb5_auth_timeout defaultOndrej Kos4-4/+4
https://fedorahosted.org/sssd/ticket/1738
2013-03-18Retry the correct service on krb5 child timeoutJakub Hrozek1-1/+1