summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)AuthorFilesLines
2013-01-23SYSDB: Expire group if adding ghost users fails with EEXISTJakub Hrozek1-2/+36
2013-01-23SYSDB: make the sss_ldb_modify_permissive function publicJakub Hrozek2-2/+11
2013-01-23TOOLS: Use file descriptor to avoid races when creating a home directoryJakub Hrozek4-354/+364
When creating a home directory, the destination tree can be modified in various ways while it is being constructed because directory permissions are set before populating the directory. This can lead to file creation and permission changes outside the target directory tree, using hard links. This security problem was assigned CVE-2013-0219 https://fedorahosted.org/sssd/ticket/1782
2013-01-23TOOLS: Use openat/unlinkat when removing the homedirJakub Hrozek1-42/+41
The removal of a home directory is sensitive to concurrent modification of the directory tree being removed and can unlink files outside the directory tree. This security issue was assigned CVE-2013-0219 https://fedorahosted.org/sssd/ticket/1782
2013-01-23Check that strings do not go beyond the end of the packet body in autofs and ↵Jan Cholasta2-7/+7
SSH requests. This fixes CVE-2013-0220. https://fedorahosted.org/sssd/ticket/1781
2013-01-22sudo responder: change num_rules type from size_t to uint32_tPavel Březina7-25/+25
https://fedorahosted.org/sssd/ticket/1779 2^32 should be enough to store sudo rules. size_t type was causing troubles on big endian architectures, because it wasn't used correctly in combination with D-Bus.
2013-01-22Convert the value of pwd_exp_warning to secondsJakub Hrozek1-5/+6
When read from the domain section, the pwd_expiration_warning was properly converted to seconds from days, but not the pam_pwd_expiration_warning set in the [pam] section. https://fedorahosted.org/sssd/ticket/1773
2013-01-22fix backend callbacks: remove callback properly from dlistPavel Březina1-6/+18
https://fedorahosted.org/sssd/ticket/1776 Although cb->list got updated when the callback is removed, this change did not propagate to be_ctx->*_cb_list which caused dlist having invalid records.
2013-01-22Fix code styleJakub Hrozek1-1/+2
2013-01-21Make struct be_req opaqueSimo Sorce2-18/+18
2013-01-21Add be_req_get_data() helper funciton.Simo Sorce17-32/+45
In preparation for making struct be_req opaque.
2013-01-21Add be_req_get_be_ctx() helper.Simo Sorce22-133/+155
In preparation for making be_req opaque
2013-01-21Add be_req_create() helperSimo Sorce3-40/+38
2013-01-21Introduce be_req_terminate() helperSimo Sorce18-129/+84
Call it everywhere instead of directly dereferencing be_req->fn This is in preparation of making be_req opaque.
2013-01-21Remove domain from be_req structureSimo Sorce7-64/+46
2013-01-21Pass domain not be_req to access check functionsSimo Sorce5-22/+33
2013-01-21Split simple_access_check function outSimo Sorce3-206/+225
Need to split out the function or new additions to the handler funtion will not allow simple access tests to compile anymore.
2013-01-21Do not pass NULL to ipa_subdomain_retrieve()Simo Sorce1-18/+20
2013-01-21Move hbac_ctx_is_offline()Simo Sorce2-7/+6
2013-01-21Remove hbac_ctx_sdap_id_[ctx|op]()Simo Sorce2-18/+6
2013-01-21Remove hbac_ctx_ev()Simo Sorce2-10/+3
2013-01-21Remove hbac_ctx_be()Simo Sorce3-12/+4
2013-01-21Remove hbac_ctx_sysdb()Simo Sorce2-12/+4
2013-01-21Remove sysdb argument from hbac_get_cached_rules()Simo Sorce3-9/+6
2013-01-21Remove sysdb arg from [ipa_]hbac_sysdb_save()Simo Sorce3-36/+25
Also make ipa_hbac_save_list() static
2013-01-21Remove sysdb arg from ipa_hbac_service_info_send()Simo Sorce3-5/+0
2013-01-21Remove sysdb arg from hbac_*host_attrs_to_rule()Simo Sorce3-11/+4
2013-01-21Remove sysdb arg from hbac_service_attrs_to_rule()Simo Sorce3-5/+2
2013-01-21Remove sysdb argument from hbac_user_attrs_to_rule()Simo Sorce3-6/+4
2013-01-21Remove unused structureSimo Sorce1-6/+0
2013-01-21Remove sysdb argument from ipa_host_info_send()Simo Sorce5-9/+3
2013-01-21Remove sysdb as a be request structure memberSimo Sorce7-12/+9
The sysdb context is already available through the 'domain' context.
2013-01-21Remove sysdb as a be context structure memberSimo Sorce27-56/+52
The sysdb context is already available through the 'domain' structure.
2013-01-21Move ldap provider access functionsSimo Sorce2-59/+86
It was confusing to see the ldap provider own handler mixed with the generic ldap access code used also by the ipa and ad providers. So move the ldap provider handler code in its own file.
2013-01-21TOOLS: invalidate parent groups in memory cache, tooJakub Hrozek4-8/+71
https://fedorahosted.org/sssd/ticket/1775 In addition to invalidating the group being added to when adding a member group/user, we also need to invalidate all its parent groups, otherwise this getgrnam("parent") wouldn't report the members newly added to its child groups.
2013-01-21LDAP: Compare lists of DNs when saving autofs entriesJakub Hrozek3-143/+178
https://fedorahosted.org/sssd/ticket/1758 The autofs entries do not have the key as an unique identifier, but rather the full (key, value) tuple as some keys have a special meaning, such as the direct mount key (/-) and may be present in a single map multiple times. Comparing the full DN that contains both the key and the value will allow for working updates if either key or value changes.
2013-01-19set struct bet_info->bet_typePavel Březina1-0/+1
2013-01-16Invalidate user entry even if there are no groupsJakub Hrozek2-11/+8
Related to https://fedorahosted.org/sssd/ticket/1757 Previously we would optimize the mc invalidate code for cases where the user was a member of some groups. But if the user was removed from the server while being in memory cache, we would only invalidate the mc record if he was a member of at least one supplementary group.
2013-01-16NSS: invalidate memcache user entry on initgr, tooJakub Hrozek1-0/+11
https://fedorahosted.org/sssd/ticket/1757 When the user entry was missing completely after initgroups, we would never invalidate the user entry from cache. This led to dangling cache entried in memory cache if the user was removed from the server while still being in memory cache.
2013-01-16Remove outdated code.Simo Sorce1-10/+0
This code should not be necessary anymore since June 2010 with commit: 90acbcf20b5f896ca8f631923afe946c90d90de7
2013-01-16Tidy up BASE dn macrosSimo Sorce1-4/+4
2013-01-16tools: Respect use_fully_qualified_namesMichal Zidek1-0/+9
Tools for LOCAL domain should require FQDN if option 'use_fuly_quallified_names = TRUE' was configured. https://fedorahosted.org/sssd/ticket/1746
2013-01-16sss_cache: Call DEBUG_INIT soonerMichal Zidek1-2/+3
If bad parameteres were passed to sss_cache, the init function returned without calling DEBUG_INIT macro and unnecessary level 1 debug message was printed. https://fedorahosted.org/sssd/ticket/1745
2013-01-16autofs: Use SAFEALIGN_SET_UINT32 instead of SAFEALIGN_COPY_UINT32Jakub Hrozek1-10/+5
2013-01-16Correct format security for talloc_named of auth tokensStephen Gallagher1-1/+1
2013-01-15LDAP: avoid complex realloc logic in save_rfc2307bis_group_membershipsJakub Hrozek1-12/+4
https://fedorahosted.org/sssd/ticket/1761 The function tried to be smart and realloc only when needed, but that only lead to hard-to find bugs where the logic would not allocate the proper space. Remove the reallocation and prefer readability over speed in this case.
2013-01-15TOOLS: Refresh memcache after changes to local users and groupsJakub Hrozek2-0/+42
2013-01-15TOOLS: Provide a convenience function to refresh a list of groupsJakub Hrozek2-0/+22
2013-01-15TOOLS: Split querying nss responder into a separate functionJakub Hrozek4-32/+68
The tools query the responder in order to sync the memcache after performing changes to the local database. The functions will be reused by other tools so I split them into a separate functions.
2013-01-15TOOLS: move memcache related functions to tools_mc_utils.cJakub Hrozek3-161/+188
The upcoming patches will link only users of this file with client libs, so it's better to have it separate. There is no functional change in this patch