diff --git a/SOURCES/0056-p11_child-check-if-card-is-present-in-wait_for_card.patch b/SOURCES/0056-p11_child-check-if-card-is-present-in-wait_for_card.patch
new file mode 100644
index 0000000..e31740a
--- /dev/null
+++ b/SOURCES/0056-p11_child-check-if-card-is-present-in-wait_for_card.patch
@@ -0,0 +1,86 @@
+From 7b647338a40d701c6a5bb51c48c10a31a6b72699 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Thu, 30 Jan 2020 13:14:14 +0100
+Subject: [PATCH 24/25] p11_child: check if card is present in wait_for_card()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some implementations of C_WaitForSlotEvent() might return even if no
+card was inserted. So it has to be checked if a card is really present.
+
+Resolves: https://pagure.io/SSSD/sssd/issue/4159
+
+Reviewed-by: Pavel Březina
+---
+ src/p11_child/p11_child_openssl.c | 47 ++++++++++++++++---------------
+ 1 file changed, 25 insertions(+), 22 deletions(-)
+
+diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c
+index 56601b117..295715612 100644
+--- a/src/p11_child/p11_child_openssl.c
++++ b/src/p11_child/p11_child_openssl.c
+@@ -1546,35 +1546,38 @@ static errno_t wait_for_card(CK_FUNCTION_LIST *module, CK_SLOT_ID *slot_id)
+ CK_RV rv;
+ CK_SLOT_INFO info;
+
+- rv = module->C_WaitForSlotEvent(wait_flags, slot_id, NULL);
+- if (rv != CKR_OK) {
+- if (rv != CKR_FUNCTION_NOT_SUPPORTED) {
++ do {
++ rv = module->C_WaitForSlotEvent(wait_flags, slot_id, NULL);
++ if (rv != CKR_OK && rv != CKR_FUNCTION_NOT_SUPPORTED) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "C_WaitForSlotEvent failed [%lu][%s].\n",
+ rv, p11_kit_strerror(rv));
+ return EIO;
+ }
+
+- /* Poor man's wait */
+- do {
++ if (rv == CKR_FUNCTION_NOT_SUPPORTED) {
++ /* Poor man's wait */
+ sleep(10);
+- rv = module->C_GetSlotInfo(*slot_id, &info);
+- if (rv != CKR_OK) {
+- DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotInfo failed\n");
+- return EIO;
+- }
+- DEBUG(SSSDBG_TRACE_ALL,
+- "Description [%s] Manufacturer [%s] flags [%lu] "
+- "removable [%s] token present [%s].\n",
+- info.slotDescription, info.manufacturerID, info.flags,
+- (info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false",
+- (info.flags & CKF_TOKEN_PRESENT) ? 
"true": "false");
+- if ((info.flags & CKF_REMOVABLE_DEVICE)
+- && (info.flags & CKF_TOKEN_PRESENT)) {
+- break;
+- }
+- } while (true);
+- }
++ }
++
++ rv = module->C_GetSlotInfo(*slot_id, &info);
++ if (rv != CKR_OK) {
++ DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotInfo failed\n");
++ return EIO;
++ }
++ DEBUG(SSSDBG_TRACE_ALL,
++ "Description [%s] Manufacturer [%s] flags [%lu] "
++ "removable [%s] token present [%s].\n",
++ info.slotDescription, info.manufacturerID, info.flags,
++ (info.flags & CKF_REMOVABLE_DEVICE) ? "true": "false",
++ (info.flags & CKF_TOKEN_PRESENT) ? "true": "false");
++
++ /* Check if really a token is present */
++ if ((info.flags & CKF_REMOVABLE_DEVICE)
++ && (info.flags & CKF_TOKEN_PRESENT)) {
++ break;
++ }
++ } while (true);
+
+ return EOK;
+ }
+--
+2.20.1
+
diff --git a/SOURCES/0057-PAM-client-only-require-UID-0-for-private-socket.patch b/SOURCES/0057-PAM-client-only-require-UID-0-for-private-socket.patch
new file mode 100644
index 0000000..0127ff5
--- /dev/null
+++ b/SOURCES/0057-PAM-client-only-require-UID-0-for-private-socket.patch
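Review bot: When C_WaitForSlotEvent() returns CKR_OK but no token is present — the very case the patch is written for — the new loop re-enters C_WaitForSlotEvent() immediately, because the only delay, `sleep(10)`, sits inside the `if (rv == CKR_FUNCTION_NOT_SUPPORTED)` branch; a module that keeps returning without blocking would spin through wait, C_GetSlotInfo() and the TRACE_ALL log line as fast as it can. Since a real event breaks out of the loop before its end, moving the pause after the token check throttles both paths: drop the `if (rv == CKR_FUNCTION_NOT_SUPPORTED) { /* Poor man's wait */ sleep(10); }` block and finish the loop body, after the `break` check, with `/* No token yet: pause before polling again, whether or not the module can block */ sleep(10);`. That reorder also makes a card that is already inserted visible on the first C_GetSlotInfo() call instead of after an initial 10 s sleep on the unsupported path, which looks intended rather than harmful. The loop remains unbounded, which the commit inherits rather than introduces; wait_flags and the rest of wait_for_card() lie outside the hunk, so how often the module can legitimately return CKR_OK here cannot be judged from this view.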
@@ -0,0 +1,37 @@
+From 37780b895199bab991edae6b1eeb91b7b3966bcf Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Thu, 6 Feb 2020 14:50:23 +0100
+Subject: [PATCH 25/25] PAM client: only require UID 0 for private socket
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some privileged services like e.g. gdm might only call with UID 0 but
+with a different GID. This patch removes the GID 0 requirement to access
+to private PAM socket so that e.g. gdm can use the wait-for-card option.
+
+Resolves: https://pagure.io/SSSD/sssd/issue/4159
+
+Reviewed-by: Pavel Březina
+---
+ src/sss_client/common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/sss_client/common.c b/src/sss_client/common.c
+index 270ca8b54..902438c86 100644
+--- a/src/sss_client/common.c
++++ b/src/sss_client/common.c
+@@ -910,8 +910,8 @@ int sss_pam_make_request(enum sss_cli_command cmd,
+ goto out;
+ }
+
+- /* only root shall use the privileged pipe */
+- if (getuid() == 0 && getgid() == 0) {
++ /* only UID 0 shall use the privileged pipe */
++ if (getuid() == 0) {
+ socket_name = SSS_PAM_PRIV_SOCKET_NAME;
+ errno = 0;
+ statret = stat(socket_name, &stat_buf);
+--
+2.20.1
+
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index 6903ad2..cc5f63f 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -24,7 +24,7 @@
 Name: sssd
 Version: 2.2.0
-Release: 19%{?dist}
+Release: 19%{?dist}.1
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -87,6 +87,8 @@ Patch0052: 0052-TESTS-Sync.-multihost-kcm-tests-with-master.patch
 Patch0053: 0053-KCM-Add-a-forgotten-return.patch
 Patch0054: 0054-KCM-Allow-modifications-of-ccache-s-principal.patch
 Patch0055: 0055-KCM-Fill-empty-cache-do-not-initialize-a-new-one.patch
+Patch0056: 0056-p11_child-check-if-card-is-present-in-wait_for_card.patch
+Patch0057: 0057-PAM-client-only-require-UID-0-for-private-socket.patch
 ### Downstream Patches ###
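Review bot: The relaxed condition `if (getuid() == 0) {` only selects which socket the client will try; it is not what protects SSS_PAM_PRIV_SOCKET_NAME, yet the new comment `/* only UID 0 shall use the privileged pipe */` reads as if this line were the access check. I would word it `/* UID 0 callers try the privileged pipe first; whether the connection is accepted is decided by the socket's permissions and the responder, not here */`. Whatever the responder applies to peers of the private socket is outside this hunk — if it still insists on GID 0 the way the old client condition did, a UID-0/non-zero-GID caller such as gdm will now pick the private socket and be refused rather than use the public one, so that side should be confirmed to match this change. The selection is also based on the real UID (getuid(), unchanged here), so a setuid-root helper started by an unprivileged user keeps using the public socket. sss_pam_make_request() begins and ends outside the hunk.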
@@ -1239,6 +1241,11 @@ fi
 %{_libdir}/%{name}/modules/libwbclient.so
 %changelog
+* Tue Mar 24 2020 Alexey Tikhonov - 2.2.0-19.1
+- Resolves: rhbz#1816591 - p11_child should have an option to skip
+ C_WaitForSlotEvent if the PKCS#11 module does not
+ implement it properly [rhel-8.1.0.z]
+
 * Wed Sep 4 2019 Michal Židek - 2.2.0-19
 - Resolves: rhbz#1712875 - Old kerberos credentials active instead of valid new ones (kcm)