From 5ddef62b37609f4521b505c149088fab6ba1b66d Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Dec 13 2022 10:59:23 +0000 Subject: import sssd-1.16.5-10.el7_9.14 --- diff --git a/SOURCES/0091-RESPONDER-don-t-execute-sss_dp_callback_destructor-i.patch b/SOURCES/0091-RESPONDER-don-t-execute-sss_dp_callback_destructor-i.patch new file mode 100644 index 0000000..5623960 --- /dev/null +++ b/SOURCES/0091-RESPONDER-don-t-execute-sss_dp_callback_destructor-i.patch @@ -0,0 +1,56 @@ +From ecbc3329788de254346d7ea84770e09cc22dbc9c Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Mon, 18 Jul 2022 21:59:03 +0200 +Subject: [PATCH] RESPONDER: don't execute sss_dp_callback_destructor() if + responder is being shut down. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Resolves: https://github.com/SSSD/sssd/issues/6270 + +Reviewed-by: Pavel Březina +Reviewed-by: Tomáš Halman +--- + src/responder/common/responder_dp.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c +index a49b31528..0cc5c5424 100644 +--- a/src/responder/common/responder_dp.c ++++ b/src/responder/common/responder_dp.c +@@ -35,6 +35,7 @@ struct sss_dp_callback { + struct sss_dp_callback *prev; + struct sss_dp_callback *next; + ++ struct resp_ctx *rctx; + struct tevent_req *req; + struct sss_dp_req *sdp_req; + }; +@@ -58,9 +59,14 @@ static int sss_dp_callback_destructor(void *ptr) + struct sss_dp_callback *cb = + talloc_get_type(ptr, struct sss_dp_callback); + ++ /* `sdp_req` might be already freed if responder is being shut down */ ++ if (cb->rctx->shutting_down) { ++ return 0; ++ } ++ + DLIST_REMOVE(cb->sdp_req->cb_list, cb); + +- return EOK; ++ return 0; + } + + static int sss_dp_req_destructor(void *ptr) +@@ -396,6 +402,7 @@ sss_dp_issue_request(TALLOC_CTX *mem_ctx, struct resp_ctx *rctx, + goto fail; + } + ++ cb->rctx = rctx; + cb->req = nreq; + cb->sdp_req = sdp_req; + +-- +2.37.3 + diff --git a/SOURCES/0092-IFP-reset-idle-timer-on-any-DBUS-activity.patch b/SOURCES/0092-IFP-reset-idle-timer-on-any-DBUS-activity.patch new file mode 100644 index 0000000..a3b5d35 --- /dev/null +++ b/SOURCES/0092-IFP-reset-idle-timer-on-any-DBUS-activity.patch @@ -0,0 +1,57 @@ +From 352544558cef26c9ef4a7393cbf98776155efcdb Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Tue, 19 Jul 2022 12:50:35 +0200 +Subject: [PATCH] IFP: reset idle timer on any DBUS activity +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Resolves: https://github.com/SSSD/sssd/issues/6269 + +Reviewed-by: Alejandro Lopez +Reviewed-by: Pavel Březina +--- + src/responder/ifp/ifpsrv.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/src/responder/ifp/ifpsrv.c b/src/responder/ifp/ifpsrv.c +index 2bd4e3703..97034d9d0 100644 +--- a/src/responder/ifp/ifpsrv.c ++++ b/src/responder/ifp/ifpsrv.c +@@ -94,7 +94,7 @@ static errno_t + sysbus_init(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + const char *dbus_name, +- void *pvt, ++ struct ifp_ctx *ifp_ctx, + struct sysbus_ctx **sysbus) + { + DBusError dbus_error; +@@ -138,20 +138,21 @@ sysbus_init(TALLOC_CTX *mem_ctx, + /* Integrate with tevent loop */ + ret = sbus_init_connection(system_bus, ev, conn, + SBUS_CONN_TYPE_SYSBUS, +- NULL, NULL, &system_bus->conn); ++ &ifp_ctx->rctx->last_request_time, ++ NULL, &system_bus->conn); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not integrate D-BUS into mainloop.\n"); + goto fail; + } + +- ret = ifp_register_sbus_interface(system_bus->conn, pvt); ++ ret = ifp_register_sbus_interface(system_bus->conn, ifp_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not register interfaces\n"); + goto fail; + } + +- ifp_register_nodes(pvt, system_bus->conn); ++ ifp_register_nodes(ifp_ctx, system_bus->conn); + + *sysbus = system_bus; + return EOK; +-- +2.37.3 + diff --git a/SOURCES/0093-RESPONDER-fixed-condition-in-responder_idle_handler.patch b/SOURCES/0093-RESPONDER-fixed-condition-in-responder_idle_handler.patch new file mode 100644 index 0000000..bb8a5dc --- /dev/null +++ b/SOURCES/0093-RESPONDER-fixed-condition-in-responder_idle_handler.patch @@ -0,0 +1,44 @@ +From f37e15e9134ff22d03c4997fd1c76754b67d3539 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Tue, 19 Jul 2022 14:28:35 +0200 +Subject: [PATCH] RESPONDER: fixed condition in responder_idle_handler() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Man page says about `responder_idle_timeout` the following: +``` +number of seconds that an SSSD responder process can be up without being used. +``` +Idle timer fires every responder_idle_timeout/2 seconds and checks if +current_time > (last_request_time + timeout). +In a trivial case - no additional requests after initial one / startup - +condition will became 'true' only when timer fires for a 3rd time, i.e. +after 3*(timeout/2) seconds. This contradicts man page statement. + +This patch changes condition to '>=' so that responder would be terminated +in 2*(timeout/2) seconds. + +Reviewed-by: Alejandro Lopez +Reviewed-by: Pavel Březina +(cherry picked from commit 473752e261d8d166b16f95fe4ddc8d320ae0faf4) +--- + src/responder/common/responder_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c +index fb2a31bb0..4c6445311 100644 +--- a/src/responder/common/responder_common.c ++++ b/src/responder/common/responder_common.c +@@ -374,7 +374,7 @@ static void responder_idle_handler(struct tevent_context *ev, + goto end; + } + +- if ((now - rctx->last_request_time) > rctx->idle_timeout) { ++ if ((now - rctx->last_request_time) >= rctx->idle_timeout) { + /* This responder is idle. Terminate it */ + DEBUG(SSSDBG_TRACE_INTERNAL, + "Terminating idle responder [%p]\n", rctx); +-- +2.37.3 + diff --git a/SOURCES/0094-SUDO-Fix-timezone-issues-with-sudoNotBefore-and-sudo.patch b/SOURCES/0094-SUDO-Fix-timezone-issues-with-sudoNotBefore-and-sudo.patch new file mode 100644 index 0000000..9b9830c --- /dev/null +++ b/SOURCES/0094-SUDO-Fix-timezone-issues-with-sudoNotBefore-and-sudo.patch @@ -0,0 +1,122 @@ +From 1bb93f70de9907d88b2ebc5c6ffee14417d90fee Mon Sep 17 00:00:00 2001 +From: Anton Bobrov +Date: Mon, 19 Sep 2022 17:51:07 +0200 +Subject: [PATCH] SUDO: Fix timezone issues with sudoNotBefore and sudoNotAfter +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The current code does not respect generalized time as specified in related before/after attributes. +The problem with the current implementation is that it essentially treats them as local time, +with no regard to TZ and DST. + +This patch is using timegm(3) instead of mktime(3) to address said timezone issues and some bare +minimum static unit tests with known verified values to make sure the API is consitent with them. + +Resolves: +https://github.com/SSSD/sssd/issues/6354 + +Reviewed-by: Iker Pedrosa +Reviewed-by: Pavel Březina +(cherry picked from commit 0198f64ce231e9608b14152c64426fb9e015fd33) +--- + configure.ac | 3 +++ + src/db/sysdb_sudo.c | 11 ++++++++++- + src/tests/cmocka/test_sysdb_sudo.c | 29 +++++++++++++++++++++++++++++ + 3 files changed, 42 insertions(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 89abddef4..a90e16642 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -92,6 +92,9 @@ LIBS=$SAVE_LIBS + AC_CHECK_FUNCS([ utimensat \ + futimens ]) + ++# Check for the timegm() function (not part of POSIX / Open Group specs) ++AC_CHECK_FUNC([timegm], [], [AC_MSG_ERROR([timegm() function not found])]) ++ + #Check for endian headers + AC_CHECK_HEADERS([endian.h sys/endian.h byteswap.h]) + +diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c +index 59d6824c0..3a918e9c6 100644 +--- a/src/db/sysdb_sudo.c ++++ b/src/db/sysdb_sudo.c +@@ -60,9 +60,18 @@ static errno_t sysdb_sudo_convert_time(const char *str, time_t *unix_time) + for (format = formats; *format != NULL; format++) { + /* strptime() may leave some fields uninitialized */ + memset(&tm, 0, sizeof(struct tm)); ++ /* Let underlying implementation figure out DST */ ++ tm.tm_isdst = -1; + tret = strptime(str, *format, &tm); + if (tret != NULL && *tret == '\0') { +- *unix_time = mktime(&tm); ++ /* Convert broken-down time to local time */ ++ if (tm.tm_gmtoff == 0) { ++ *unix_time = timegm(&tm); ++ } else { ++ long offset = tm.tm_gmtoff; ++ tm.tm_gmtoff = 0; ++ *unix_time = timegm(&tm) - offset; ++ } + return EOK; + } + } +diff --git a/src/tests/cmocka/test_sysdb_sudo.c b/src/tests/cmocka/test_sysdb_sudo.c +index fc6a47a16..f852427fd 100644 +--- a/src/tests/cmocka/test_sysdb_sudo.c ++++ b/src/tests/cmocka/test_sysdb_sudo.c +@@ -44,6 +44,12 @@ + #define OVERRIDE_GROUP_NAME "group_sudo_test" + #define OVERRIDE_UID 2112 + ++/* sysdb_sudo_convert_time function is static */ ++extern char *strptime(const char *__restrict __s, ++ const char *__restrict __fmt, ++ struct tm *__tp); ++#include "src/db/sysdb_sudo.c" ++ + struct test_user { + const char *name; + uid_t uid; +@@ -949,6 +955,26 @@ void test_filter_rules_by_time(void **state) + talloc_zfree(_rules); + } + ++void test_sudo_convert_time(void **state) ++{ ++ /* Each ctime should map to its corresponding utime */ ++ const char *ctimes[] = {"20220715090000Z", ++ "20220715090000+0200", ++ "20220715090000-0200"}; ++ const time_t utimes[] = {1657875600, ++ 1657868400, ++ 1657882800}; ++ const int ntimes = sizeof(ctimes) / sizeof(ctimes[0]); ++ time_t converted; ++ errno_t ret; ++ ++ for (int i = 0; i < ntimes; i++) { ++ ret = sysdb_sudo_convert_time(ctimes[i], &converted); ++ assert_int_equal(ret, EOK); ++ assert_int_equal(converted, utimes[i]); ++ } ++} ++ + int main(int argc, const char *argv[]) + { + int rv; +@@ -1029,6 +1055,9 @@ int main(int argc, const char *argv[]) + cmocka_unit_test_setup_teardown(test_filter_rules_by_time, + test_sysdb_setup, + test_sysdb_teardown), ++ ++ /* sysdb_sudo_convert_time() */ ++ cmocka_unit_test(test_sudo_convert_time) + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ +-- +2.37.3 + diff --git a/SOURCES/0095-BACKEND-Reload-resolv.conf-after-initialization.patch b/SOURCES/0095-BACKEND-Reload-resolv.conf-after-initialization.patch new file mode 100644 index 0000000..ed67840 --- /dev/null +++ b/SOURCES/0095-BACKEND-Reload-resolv.conf-after-initialization.patch @@ -0,0 +1,59 @@ +From c52a5a640f0574f28281dd62238ffc7303eb4391 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= +Date: Fri, 4 Nov 2022 12:18:50 +0100 +Subject: [PATCH] BACKEND: Reload resolv.conf after initialization +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Once the backend initialization is finished, in particular after D-Bus +is initialized, reload the resolv.conf file to reload any change +signaled through D-Bus before its initializiation. + +Resolves: https://github.com/SSSD/sssd/issues/6383 + +Reviewed-by: Alexey Tikhonov +Reviewed-by: Pavel Březina +--- + src/monitor/monitor_sbus.c | 5 +++++ + src/providers/data_provider_be.c | 8 ++++++++ + 2 files changed, 13 insertions(+) + +diff --git a/src/monitor/monitor_sbus.c b/src/monitor/monitor_sbus.c +index 9d3cd478e..cf70552b3 100644 +--- a/src/monitor/monitor_sbus.c ++++ b/src/monitor/monitor_sbus.c +@@ -156,6 +156,11 @@ int monitor_common_res_init(struct sbus_request *dbus_req, void *data) + return EIO; + } + ++ if (dbus_req == NULL) { ++ /* No reply needed */ ++ return EOK; ++ } ++ + /* Send an empty reply to acknowledge receipt */ + return sbus_request_return_and_finish(dbus_req, DBUS_TYPE_INVALID); + } +diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c +index fb72d99e3..2699f3b3a 100644 +--- a/src/providers/data_provider_be.c ++++ b/src/providers/data_provider_be.c +@@ -549,6 +549,14 @@ errno_t be_process_init(TALLOC_CTX *mem_ctx, + goto done; + } + ++ /* Load the resolv.conf file in case a call to dbus' resInit() was missed */ ++ if (monitor_be_methods.resInit != NULL) { ++ ret = monitor_be_methods.resInit(NULL, (void *) be_ctx); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_MINOR_FAILURE, "Unable to reload resolv.conf\n"); ++ } ++ } ++ + ret = EOK; + + done: +-- +2.37.3 + diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index b8f71fa..28908f9 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -50,7 +50,7 @@ Name: sssd Version: 1.16.5 -Release: 10%{?dist}.13 +Release: 10%{?dist}.14 Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -149,6 +149,11 @@ Patch0087: 0087-pam-better-SC-fallback-message.patch Patch0088: 0088-pam_sss-fix-for-old-GDM-screen-lock.patch Patch0089: 0089-ad-use-right-sdap_domain-in-ad_domain_info_send.patch Patch0090: 0090-ad-add-fallback-in-ad_domain_info_send.patch +Patch0091: 0091-RESPONDER-don-t-execute-sss_dp_callback_destructor-i.patch +Patch0092: 0092-IFP-reset-idle-timer-on-any-DBUS-activity.patch +Patch0093: 0093-RESPONDER-fixed-condition-in-responder_idle_handler.patch +Patch0094: 0094-SUDO-Fix-timezone-issues-with-sudoNotBefore-and-sudo.patch +Patch0095: 0095-BACKEND-Reload-resolv.conf-after-initialization.patch #Those patches should not be removed in RHEL-7 Patch0999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec @@ -1324,6 +1329,11 @@ systemctl try-restart sssd >/dev/null 2>&1 || : } %changelog +* Tue Nov 15 2022 Alexey Tikhonov 1.16.5-10.14 +- Resolves: rhbz#2097014 - SSSD -> sssd_be and sssd_ifp coredump [rhel-7.9.z] +- Resolves: rhbz#2107380 - sssd timezone issues sudonotafter [rhel-7.9.z] +- Resolves: rhbz#2116207 - SSSD starting offline after reboot [rhel-7.9.z] + * Fri Jun 10 2022 Alexey Tikhonov 1.16.5-10.13 - Resolves: rhbz#2079441 - SSSD update prompts for smartcard pin twice - After update to 7.9 [rhel-7.9.z] - Resolves: rhbz#2073352 - Use right sdap_domain in ad_domain_info_send [rhel-7.9.z]