diff --git a/SOURCES/0157-SSH-Use-default_domain_suffix-for-users-authorized-k.patch b/SOURCES/0157-SSH-Use-default_domain_suffix-for-users-authorized-k.patch new file mode 100644 index 0000000..cbfdcb1 --- /dev/null +++ b/SOURCES/0157-SSH-Use-default_domain_suffix-for-users-authorized-k.patch @@ -0,0 +1,80 @@ +From dfdd2fe5c177d70a0c5db383820f237ebc7e722f Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Thu, 24 Nov 2016 18:07:56 +0100 +Subject: [PATCH 157/157] SSH: Use default_domain_suffix for users' authorized + keys + +In commit eeecc48d22a28bb69da56f6ffd8824163fc9bf00 we disabled +default_domain_suffix for the SSH responder, but in a wrong way -- we +disabled the functionality completely, also for users, not only for +computers. This might have been correct at the time, since SSH keys in ID +overrides are a relatively new feature, but it's definitely not correct +in general. + +Instead, this patch restores the use of default_domain_suffix, but only +for looking up public keys of users, not of computers. + +Resolves: +https://fedorahosted.org/sssd/ticket/3259 + +Reviewed-by: Petr Cech +(cherry picked from commit ed71fba97dfcf5b3f0f1834c06660c481b9ab3ce) +(cherry picked from commit 2949fe58ac344c44d756ca309d4b2b7f3590cee3) +--- + src/responder/ssh/sshsrv_cmd.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/src/responder/ssh/sshsrv_cmd.c b/src/responder/ssh/sshsrv_cmd.c +index ab721d66e5299ba6810a599a15a10094d5792092..2e64893dfc2018727e6fc5fb80b47bd7eb1fac58 100644 +--- a/src/responder/ssh/sshsrv_cmd.c ++++ b/src/responder/ssh/sshsrv_cmd.c +@@ -36,7 +36,8 @@ + #include "responder/ssh/sshsrv_private.h" + + static errno_t +-ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx); ++ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx, ++ char *default_domain); + + static errno_t + ssh_user_pubkeys_search(struct ssh_cmd_ctx *cmd_ctx); +@@ -57,7 +58,7 @@ sss_ssh_cmd_get_user_pubkeys(struct cli_ctx *cctx) + cmd_ctx->cctx = cctx; + cmd_ctx->is_user = true; + +- ret = ssh_cmd_parse_request(cmd_ctx); ++ ret = ssh_cmd_parse_request(cmd_ctx, cctx->rctx->default_domain); + if (ret != EOK) { + goto done; + } +@@ -107,7 +108,7 @@ sss_ssh_cmd_get_host_pubkeys(struct cli_ctx *cctx) + cmd_ctx->cctx = cctx; + cmd_ctx->is_user = false; + +- ret = ssh_cmd_parse_request(cmd_ctx); ++ ret = ssh_cmd_parse_request(cmd_ctx, NULL); + if (ret != EOK) { + goto done; + } +@@ -681,7 +682,8 @@ done: + } + + static errno_t +-ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx) ++ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx, ++ char *default_domain) + { + struct cli_protocol *pctx; + struct ssh_ctx *ssh_ctx; +@@ -754,6 +756,8 @@ ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx) + return EINVAL; + } + c += domain_len; ++ } else { ++ domain = default_domain; + } + + DEBUG(SSSDBG_TRACE_FUNC, +-- +2.9.3 + diff --git a/SOURCES/0158-SERVER-Set-the-process-group-during-server_setup.patch b/SOURCES/0158-SERVER-Set-the-process-group-during-server_setup.patch new file mode 100644 index 0000000..7fc6190 --- /dev/null +++ b/SOURCES/0158-SERVER-Set-the-process-group-during-server_setup.patch @@ -0,0 +1,92 @@ +From 7e0a61d1c10f30e694f5f536b374c72f774b50a1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= +Date: Sun, 8 Jan 2017 23:27:57 +0100 +Subject: [PATCH 158/160] SERVER: Set the process group during server_setup() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +By calling setpgid() in server_setup() we are able to kill the process +in the watchdog by simply doing kill(-getpid(), SIGTERM). + +However, in order to have it working properly the SELinux policy for +SSSD has to be updated and unless SSSD is ran with SELinux on permissive +mode, each of the responders and the monitor will trigger a similar +message: + + Jan 09 14:31:50 client1.ipa.example audit[11630]: AVC avc: denied + { setpgid } for pid=11630 comm="sssd_pac" + scontext=system_u:system_r:sssd_t:s0 + tcontext=system_u:system_r:sssd_t:s0 tclass=process permissive=0 + +It's important to say that till SELinux policy is fixed, we might end up +leaking some processes. + +Related: +https://fedorahosted.org/sssd/ticket/3266 + +Signed-off-by: Fabiano Fidêncio +Reviewed-by: Lukáš Slebodník +(cherry picked from commit 087162b85e191af51637904702813969b35eaadc) +(cherry picked from commit 442985a7af2262fab57f56c7a8cd40af10081610) +--- + src/monitor/monitor.c | 6 +++--- + src/util/server.c | 11 +++++++++++ + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c +index 0f01580e01b6a0a9ab507a54183e5813133be5a9..17e980dbf165634491a05012399945f2d21c2056 100644 +--- a/src/monitor/monitor.c ++++ b/src/monitor/monitor.c +@@ -1606,7 +1606,7 @@ static void monitor_quit(struct mt_ctx *mt_ctx, int ret) + "Terminating [%s][%d]\n", svc->name, svc->pid); + do { + errno = 0; +- kret = kill(svc->pid, SIGTERM); ++ kret = kill(-svc->pid, SIGTERM); + if (kret < 0) { + error = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "Couldn't kill [%s][%d]: [%s]\n", +@@ -1627,7 +1627,7 @@ static void monitor_quit(struct mt_ctx *mt_ctx, int ret) + "[%d][%s] while waiting for [%s]\n", + error, strerror(error), svc->name); + /* Forcibly kill this child */ +- kill(svc->pid, SIGKILL); ++ kill(-svc->pid, SIGKILL); + break; + } + } else if (pid != 0) { +@@ -1642,7 +1642,7 @@ static void monitor_quit(struct mt_ctx *mt_ctx, int ret) + DEBUG(SSSDBG_FATAL_FAILURE, + "Child [%s] did not exit cleanly\n", svc->name); + /* Forcibly kill this child */ +- kill(svc->pid, SIGKILL); ++ kill(-svc->pid, SIGKILL); + } + killed = true; + } +diff --git a/src/util/server.c b/src/util/server.c +index 013e572e6284b16534910088f7801219251896d8..d333c3c3c771c38005183831fc7a4b004a59a6c3 100644 +--- a/src/util/server.c ++++ b/src/util/server.c +@@ -460,6 +460,17 @@ int server_setup(const char *name, int flags, + struct logrotate_ctx *lctx; + char *locale; + int watchdog_interval; ++ pid_t my_pid; ++ ++ my_pid = getpid(); ++ ret = setpgid(my_pid, my_pid); ++ if (ret != EOK) { ++ ret = errno; ++ DEBUG(SSSDBG_MINOR_FAILURE, ++ "Failed setting process group: %s[%d]. " ++ "We might leak processes in case of failure\n", ++ sss_strerror(ret), ret); ++ } + + ret = chown_debug_file(NULL, uid, gid); + if (ret != EOK) { +-- +2.9.3 + diff --git a/SOURCES/0159-WATCHDOG-define-and-use-_MAX_TICKS-as-3.patch b/SOURCES/0159-WATCHDOG-define-and-use-_MAX_TICKS-as-3.patch new file mode 100644 index 0000000..9e2d757 --- /dev/null +++ b/SOURCES/0159-WATCHDOG-define-and-use-_MAX_TICKS-as-3.patch @@ -0,0 +1,44 @@ +From 57404a6b7ca0d86ba661e358f3544a32ef4e15bc Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Mon, 15 Aug 2016 12:54:20 +0200 +Subject: [PATCH 159/160] WATCHDOG: define and use _MAX_TICKS as 3 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Instead of using the number 3 directly, let's introduce and use +WATCHDOG_MAX_TICKS. + +Reviewed-by: Petr Čech +(cherry picked from commit d7075a255a1f28e890539072e06d0140ffe0927c) +--- + src/util/util_watchdog.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c +index 1c27d73f13b3042ecb549a2184e1368e8339d199..c184fbd759bdbca4a9eae379ff0d87e2d1628470 100644 +--- a/src/util/util_watchdog.c ++++ b/src/util/util_watchdog.c +@@ -22,6 +22,7 @@ + #include "util/util.h" + + #define WATCHDOG_DEF_INTERVAL 10 ++#define WATCHDOG_MAX_TICKS 3 + + /* this is intentionally a global variable */ + struct watchdog_ctx { +@@ -75,9 +76,8 @@ static void watchdog_handler(int sig) + return; + } + +- /* if 3 ticks passed by kills itself */ +- +- if (__sync_add_and_fetch(&watchdog_ctx.ticks, 1) > 3) { ++ /* if a pre-defined number of ticks passed by kills itself */ ++ if (__sync_add_and_fetch(&watchdog_ctx.ticks, 1) > WATCHDOG_MAX_TICKS) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Watchdog timer overflow, killing process!\n"); + orderly_shutdown(1); +-- +2.9.3 + diff --git a/SOURCES/0160-WATCHDOG-Avoid-non-async-signal-safe-from-the-signal.patch b/SOURCES/0160-WATCHDOG-Avoid-non-async-signal-safe-from-the-signal.patch new file mode 100644 index 0000000..68c466e --- /dev/null +++ b/SOURCES/0160-WATCHDOG-Avoid-non-async-signal-safe-from-the-signal.patch @@ -0,0 +1,294 @@ +From 6955a5c2a0abf38adace2553f21ea072416b1f61 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= +Date: Wed, 7 Dec 2016 21:36:56 +0100 +Subject: [PATCH 160/160] WATCHDOG: Avoid non async-signal-safe from the + signal_handler +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +While debugging rhbz#1396912 a deadlock on sssd_be was noticed[0] and +it's been caused by the use of non async-signal-safe functions from the +signal_handler (please, see man 7 signal for more info about which are +the async-signal-safe functions that can be used). + +In order to work this situation around a pipe has been added to the +watchdog_ctx structure and, in case of clock screw, a single byte is +written to this pipe (which is an async-signal-safe operation) and the +logic currently done by the timer handler to reset the watchdog will be +done inside the fd handler in a safe way. + +With this patch we ended up losing some debug messages as +orderly_shutdown() has been replaced by kill(-getpgrp(), SIGTERM) (or +_exit(1) considering the cases where setting up the process group during +the server_setup() has failed). +Personally I don't think is worth the trouble to try to log those messages +properly in this specific case. + +It's really worth to mention that a proper fix the clock screw situation +should be implemented on samba's side, by having tevent using monotonic +(or boottime) clock. + +[0]: + [root@dusan ~]# pstack 17922 + #0 __lll_lock_wait_private () at ../nptl/sysdeps/unix/sysv/linux/x86_64/lowlevellock.S:95 + #1 0x00007fe707d04f93 in _L_lock_14932 () from /lib64/libc.so.6 + #2 0x00007fe707d02013 in __GI___libc_malloc (bytes=140630248638304, bytes@entry=15) at malloc.c:2891 + #3 0x00007fe707d0888a in __GI___strdup (s=0x7fe707dff4f7 "/etc/localtime") at strdup.c:42 + #4 0x00007fe707d31b61 in tzset_internal (always=, explicit=explicit@entry=1) at tzset.c:438 + #5 0x00007fe707d32523 in __tz_convert (timer=timer@entry=0x7ffcd5d2b090, use_localtime=use_localtime@entry=1, tp=tp@entry=0x7fe708041d40 <_tmbuf>) at tzset.c:621 + #6 0x00007fe707d30521 in __GI_localtime (t=t@entry=0x7ffcd5d2b090) at localtime.c:42 + #7 0x00007fe70886c7b0 in sss_vdebug_fn (file=, line=, function=0x7fe70bff27f0 <__FUNCTION__.9379> "watchdog_handler", level=16, flags=flags@entry=0, format=format@entry=0x7fe70bff2760 "Watchdog timer overflow, killing process!\n", ap=ap@entry=0x7ffcd5d2b130) at src/util/debug.c:248 + #8 0x00007fe70886c995 in sss_debug_fn (file=file@entry=0x7fe70bff263b "src/util/util_watchdog.c", line=line@entry=82, function=function@entry=0x7fe70bff27f0 <__FUNCTION__.9379> "watchdog_handler", level=level@entry=16, format=format@entry=0x7fe70bff2760 "Watchdog timer overflow, killing process!\n") at src/util/debug.c:284 + #9 0x00007fe70bfdb409 in watchdog_handler (sig=) at src/util/util_watchdog.c:81 + #10 + #11 0x00007fe707cff664 in _int_malloc (av=av@entry=0x7fe70803c760 , bytes=bytes@entry=151) at malloc.c:3494 + #12 0x00007fe707d01fbc in __GI___libc_malloc (bytes=bytes@entry=151) at malloc.c:2893 + #13 0x00007fe708450749 in __talloc_with_prefix (prefix_len=0, size=55, context=0x7fe718373210) at ../talloc.c:668 + #14 __talloc (size=55, context=0x7fe718373210) at ../talloc.c:708 + #15 _talloc_named_const (name=0x7fe70bb7015d "../common/ldb_pack.c:425", size=55, context=0x7fe718373210) at ../talloc.c:865 + #16 talloc_named_const (context=, size=size@entry=55, name=name@entry=0x7fe70bb7015d "../common/ldb_pack.c:425") at ../talloc.c:1606 + #17 0x00007fe70bb61803 in ldb_unpack_data_only_attr_list (ldb=ldb@entry=0x7fe70e4d52c0, data=data@entry=0x7ffcd5d2b990, message=0x7fe7184aa1e0, list=list@entry=0x0, list_size=list_size@entry=0, nb_elements_in_db=nb_elements_in_db@entry=0x0) at ../common/ldb_pack.c:425 + #18 0x00007fe70bb61a7d in ldb_unpack_data (ldb=ldb@entry=0x7fe70e4d52c0, data=data@entry=0x7ffcd5d2b990, message=) at ../common/ldb_pack.c:470 + #19 0x00007fe6fdc29b46 in ltdb_parse_data_unpack (key=..., data=..., private_data=0x7ffcd5d2ba70) at ../ldb_tdb/ldb_search.c:249 + #20 0x00007fe70a5e0a24 in tdb_parse_data (tdb=tdb@entry=0x7fe70e4eaa10, key=..., offset=15619748, len=414772, parser=parser@entry=0x7fe6fdc29b10 , private_data=private_data@entry=0x7ffcd5d2ba70) at ../common/io.c:637 + #21 0x00007fe70a5dc1fc in tdb_parse_record (tdb=0x7fe70e4eaa10, key=..., parser=parser@entry=0x7fe6fdc29b10 , private_data=private_data@entry=0x7ffcd5d2ba70) at ../common/tdb.c:253 + #22 0x00007fe6fdc29e7b in ltdb_search_dn1 (module=module@entry=0x7fe70e4eab50, dn=dn@entry=0x7fe7183c4940, msg=msg@entry=0x7fe7184aa1e0) at ../ldb_tdb/ldb_search.c:287 + #23 0x00007fe6fdc2acbb in ltdb_dn_list_load (module=module@entry=0x7fe70e4eab50, dn=dn@entry=0x7fe7183c4940, list=list@entry=0x7fe7183c3a30) at ../ldb_tdb/ldb_index.c:181 + #24 0x00007fe6fdc2bbbb in ltdb_index_add1 (module=module@entry=0x7fe70e4eab50, dn=dn@entry=0x7fe7183bf3e0 "name=testuser7045@domain.com,cn=users,cn=DOMAIN.COM,cn=sysdb", v_idx=v_idx@entry=0, el=, el=) at ../ldb_tdb/ldb_index.c:1134 + #25 0x00007fe6fdc2c62c in ltdb_index_add_el (el=0x7fe7184aa3e0, dn=0x7fe7183bf3e0 "name=testuser7045@domain.com,cn=users,cn=DOMAIN.COM,cn=sysdb", module=0x7fe70e4eab50) at ../ldb_tdb/ldb_index.c:1180 + #26 ltdb_index_add_element (module=module@entry=0x7fe70e4eab50, dn=, el=el@entry=0x7fe7184aa3e0) at ../ldb_tdb/ldb_index.c:1290 + #27 0x00007fe6fdc290bb in ltdb_modify_internal (module=module@entry=0x7fe70e4eab50, msg=0x7fe7183bf0c0, req=req@entry=0x7fe7183bdc10) at ../ldb_tdb/ldb_tdb.c:903 + #28 0x00007fe6fdc2958a in ltdb_modify (ctx=0x7fe7183c2950, ctx=0x7fe7183c2950) at ../ldb_tdb/ldb_tdb.c:998 + #29 ltdb_callback (ev=, te=, t=..., private_data=) at ../ldb_tdb/ldb_tdb.c:1380 + #30 0x00007fe708664b4f in tevent_common_loop_timer_delay (ev=ev@entry=0x7fe70e4d2890) at ../tevent_timed.c:341 + #31 0x00007fe708665b5a in epoll_event_loop_once (ev=0x7fe70e4d2890, location=) at ../tevent_epoll.c:911 + #32 0x00007fe708664257 in std_event_loop_once (ev=0x7fe70e4d2890, location=0x7fe70bb72ec5 "../common/ldb.c:631") at ../tevent_standard.c:114 + #33 0x00007fe70866040d in _tevent_loop_once (ev=ev@entry=0x7fe70e4d2890, location=location@entry=0x7fe70bb72ec5 "../common/ldb.c:631") at ../tevent.c:533 + #34 0x00007fe70bb6bc4f in ldb_wait (handle=0x7fe7183c4530, type=) at ../common/ldb.c:631 + #35 0x00007fe70bb6c793 in ldb_autotransaction_request (ldb=0x7fe70e4d52c0, req=0x7fe7183bdc10) at ../common/ldb.c:573 + #36 0x00007fe70bb6d263 in ldb_modify (ldb=ldb@entry=0x7fe70e4d52c0, message=) at ../common/ldb.c:1655 + #37 0x00007fe70bfa2ab5 in sysdb_set_cache_entry_attr (ldb=0x7fe70e4d52c0, entry_dn=entry_dn@entry=0x7fe7183c4760, attrs=attrs@entry=0x7fe7183bf680, mod_op=mod_op@entry=2) at src/db/sysdb_ops.c:1159 + #38 0x00007fe70bfa304d in sysdb_rep_ts_entry_attr (sysdb=0x7fe70e4eadd0, attrs=0x7fe7183bf680, entry_dn=0x7fe7183c4760) at src/db/sysdb_ops.c:1218 + #39 sysdb_set_ts_entry_attr (sysdb=sysdb@entry=0x7fe70e4eadd0, entry_dn=entry_dn@entry=0x7fe7183c4760, attrs=attrs@entry=0x7fe7183bb840, mod_op=mod_op@entry=2) at src/db/sysdb_ops.c:1248 + #40 0x00007fe70bfa4aa9 in sysdb_set_entry_attr (sysdb=0x7fe70e4eadd0, entry_dn=0x7fe7183c4760, attrs=attrs@entry=0x7fe7183bb840, mod_op=mod_op@entry=2) at src/db/sysdb_ops.c:1199 + #41 0x00007fe70bfa4b5f in sysdb_set_user_attr (domain=domain@entry=0x7fe70e4d62f0, name=name@entry=0x7fe7183c01f0 "testuser7045@domain.com", attrs=attrs@entry=0x7fe7183bb840, mod_op=mod_op@entry=2) at src/db/sysdb_ops.c:1285 + #42 0x00007fe70bfa58c3 in sysdb_add_user (domain=domain@entry=0x7fe70e4d62f0, name=name@entry=0x7fe7183c01f0 "testuser7045@domain.com", uid=uid@entry=1415408147, gid=, gid@entry=1415400513, gecos=gecos@entry=0x7fe710465d00 "Test User7045", homedir=homedir@entry=0x0, shell=shell@entry=0x0, orig_dn=orig_dn@entry=0x7fe710465940 "CN=Test User7045,OU=Sales,DC=DOMAIN,DC=COM", attrs=attrs@entry=0x7fe7183bb840, cache_timeout=cache_timeout@entry=5400, now=now@entry=1481105315) at src/db/sysdb_ops.c:1928 + #43 0x00007fe70bfab271 in sysdb_store_new_user (now=1481105315, cache_timeout=5400, attrs=0x7fe7183bb840, orig_dn=0x7fe710465940 "CN=Test User7045,OU=Sales,DC=DOMAIN,DC=COM", shell=0x0, homedir=0x0, gecos=0x7fe710465d00 "Test User7045", gid=1415400513, uid=1415408147, name=0x7fe7183c01f0 "testuser7045@domain.com", domain=0x7fe70e4d62f0) at src/db/sysdb_ops.c:2549 + #44 sysdb_store_user (domain=domain@entry=0x7fe70e4d62f0, name=0x7fe7183c01f0 "testuser7045@domain.com", pwd=pwd@entry=0x0, uid=1415408147, gid=1415400513, gecos=gecos@entry=0x7fe710465d00 "Test User7045", homedir=homedir@entry=0x0, shell=shell@entry=0x0, orig_dn=orig_dn@entry=0x7fe710465940 "CN=Test User7045,OU=Sales,DC=DOMAIN,DC=COM", attrs=attrs@entry=0x7fe7183bb840, remove_attrs=0x7fe7183c08a0, cache_timeout=cache_timeout@entry=5400, now=now@entry=1481105315) at src/db/sysdb_ops.c:2499 + #45 0x00007fe6fba0d9f9 in sdap_save_user (memctx=memctx@entry=0x7fe70e544ee0, opts=opts@entry=0x7fe70e518400, dom=dom@entry=0x7fe70e4d62f0, attrs=, _usn_value=_usn_value@entry=0x7ffcd5d2c260, now=now@entry=1481105315) at src/providers/ldap/sdap_async_users.c:509 + #46 0x00007fe6fba0df9a in sdap_save_users (memctx=memctx@entry=0x7fe70e544e40, sysdb=0x7fe70e4eadd0, dom=0x7fe70e4d62f0, opts=0x7fe70e518400, users=, num_users=10006, _usn_value=_usn_value@entry=0x7fe70e544e60) at src/providers/ldap/sdap_async_users.c:572 + #47 0x00007fe6fba0e460 in sdap_get_users_done (subreq=) at src/providers/ldap/sdap_async_users.c:938 + #48 0x00007fe6fba0c9d5 in sdap_search_user_process (subreq=0x0) at src/providers/ldap/sdap_async_users.c:814 + #49 0x00007fe6fba07379 in generic_ext_search_handler (subreq=0x0, opts=) at src/providers/ldap/sdap_async.c:1689 + #50 0x00007fe6fba0991b in sdap_get_generic_op_finished (op=, reply=, error=, pvt=) at src/providers/ldap/sdap_async.c:1621 + #51 0x00007fe6fba083cd in sdap_process_message (ev=, sh=, msg=0x7fe70e5f9ce0) at src/providers/ldap/sdap_async.c:353 + #52 sdap_process_result (ev=, pvt=) at src/providers/ldap/sdap_async.c:197 + #53 0x00007fe708664b4f in tevent_common_loop_timer_delay (ev=ev@entry=0x7fe70e4cbc30) at ../tevent_timed.c:341 + #54 0x00007fe708665b5a in epoll_event_loop_once (ev=0x7fe70e4cbc30, location=) at ../tevent_epoll.c:911 + #55 0x00007fe708664257 in std_event_loop_once (ev=0x7fe70e4cbc30, location=0x7fe70bfee8e7 "src/util/server.c:702") at ../tevent_standard.c:114 + #56 0x00007fe70866040d in _tevent_loop_once (ev=ev@entry=0x7fe70e4cbc30, location=location@entry=0x7fe70bfee8e7 "src/util/server.c:702") at ../tevent.c:533 + #57 0x00007fe7086605ab in tevent_common_loop_wait (ev=0x7fe70e4cbc30, location=0x7fe70bfee8e7 "src/util/server.c:702") at ../tevent.c:637 + #58 0x00007fe7086641f7 in std_event_loop_wait (ev=0x7fe70e4cbc30, location=0x7fe70bfee8e7 "src/util/server.c:702") at ../tevent_standard.c:140 + #59 0x00007fe70bfd1993 in server_loop (main_ctx=0x7fe70e4cd080) at src/util/server.c:702 + #60 0x00007fe70c84cb82 in main (argc=8, argv=) at src/providers/data_provider_be.c:587 + +Resolves: +https://fedorahosted.org/sssd/ticket/3266 + +Signed-off-by: Fabiano Fidêncio +Reviewed-by: Pavel Březina +Reviewed-by: Jakub Hrozek +Reviewed-by: Simo Sorce +(cherry picked from commit e6a5f8c58539fc31fd81fac89cfc85703b4250ea) +(cherry picked from commit 0606a71b698c4acf954ba7284e62acbd0aa5e52d) +--- + src/util/util_watchdog.c | 118 ++++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 96 insertions(+), 22 deletions(-) + +diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c +index c184fbd759bdbca4a9eae379ff0d87e2d1628470..0df85b71c0b078dc2dfd23a39df82d1a10bad7d6 100644 +--- a/src/util/util_watchdog.c ++++ b/src/util/util_watchdog.c +@@ -23,6 +23,7 @@ + + #define WATCHDOG_DEF_INTERVAL 10 + #define WATCHDOG_MAX_TICKS 3 ++#define DEFAULT_BUFFER_SIZE 4096 + + /* this is intentionally a global variable */ + struct watchdog_ctx { +@@ -35,32 +36,27 @@ struct watchdog_ctx { + struct tevent_context *ev; + int input_interval; + time_t timestamp; ++ struct tevent_fd *tfd; ++ int pipefd[2]; + } watchdog_ctx; + +-static bool watchdog_detect_timeshift(void) ++static void watchdog_detect_timeshift(void) + { + time_t prev_time; + time_t cur_time; +- errno_t ret; + + prev_time = watchdog_ctx.timestamp; + cur_time = watchdog_ctx.timestamp = time(NULL); + if (cur_time < prev_time) { + /* Time shift detected. We need to restart watchdog. */ +- DEBUG(SSSDBG_IMPORTANT_INFO, "Time shift detected, " +- "restarting watchdog!\n"); +- teardown_watchdog(); +- ret = setup_watchdog(watchdog_ctx.ev, watchdog_ctx.input_interval); +- if (ret != EOK) { +- DEBUG(SSSDBG_FATAL_FAILURE, "Unable to restart watchdog " +- "[%d]: %s\n", ret, sss_strerror(ret)); +- orderly_shutdown(1); ++ if (write(watchdog_ctx.pipefd[1], "1", 1) != 1) { ++ if (getpid() == getpgrp()) { ++ kill(-getpgrp(), SIGTERM); ++ } else { ++ _exit(1); ++ } + } +- +- return true; + } +- +- return false; + } + + /* the watchdog is purposefully *not* handled by the tevent +@@ -70,17 +66,16 @@ static bool watchdog_detect_timeshift(void) + * signals either */ + static void watchdog_handler(int sig) + { +- /* Do not count ticks if time shift was detected +- * since watchdog was restarted. */ +- if (watchdog_detect_timeshift()) { +- return; +- } ++ ++ watchdog_detect_timeshift(); + + /* if a pre-defined number of ticks passed by kills itself */ + if (__sync_add_and_fetch(&watchdog_ctx.ticks, 1) > WATCHDOG_MAX_TICKS) { +- DEBUG(SSSDBG_FATAL_FAILURE, +- "Watchdog timer overflow, killing process!\n"); +- orderly_shutdown(1); ++ if (getpid() == getpgrp()) { ++ kill(-getpgrp(), SIGTERM); ++ } else { ++ _exit(1); ++ } + } + } + +@@ -109,10 +104,67 @@ static void watchdog_event_handler(struct tevent_context *ev, + } + } + ++static errno_t watchdog_fd_recv_data(int fd) ++{ ++ ssize_t len; ++ char buffer[DEFAULT_BUFFER_SIZE]; ++ errno_t ret; ++ ++ errno = 0; ++ len = read(fd, buffer, DEFAULT_BUFFER_SIZE); ++ if (len == -1) { ++ if (errno == EAGAIN || errno == EWOULDBLOCK || errno == EINTR) { ++ return EAGAIN; ++ } else { ++ ret = errno; ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "write failed [%d]: %s\n", ret, strerror(ret)); ++ return ret; ++ } ++ } ++ ++ return EOK; ++} ++ ++static void watchdog_fd_read_handler(struct tevent_context *ev, ++ struct tevent_fd *fde, ++ uint16_t flags, ++ void *data) ++{ ++ errno_t ret; ++ ++ ret = watchdog_fd_recv_data(watchdog_ctx.pipefd[0]); ++ switch(ret) { ++ case EAGAIN: ++ DEBUG(SSSDBG_TRACE_ALL, ++ "Interrupted before any data could be read, retry later.\n"); ++ return; ++ case EOK: ++ /* all fine */ ++ break; ++ default: ++ DEBUG(SSSDBG_FATAL_FAILURE, ++ "Failed to receive data [%d]: %s. " ++ "orderly_shutdown() will be called.\n", ret, strerror(ret)); ++ orderly_shutdown(1); ++ } ++ ++ DEBUG(SSSDBG_IMPORTANT_INFO, "Time shift detected, " ++ "restarting watchdog!\n"); ++ teardown_watchdog(); ++ ret = setup_watchdog(watchdog_ctx.ev, watchdog_ctx.input_interval); ++ if (ret != EOK) { ++ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to restart watchdog " ++ "[%d]: %s\n", ret, sss_strerror(ret)); ++ orderly_shutdown(1); ++ } ++} ++ + int setup_watchdog(struct tevent_context *ev, int interval) + { + struct sigevent sev; + struct itimerspec its; ++ struct tevent_fd *tfd; + int signum = SIGRTMIN; + int ret; + +@@ -142,6 +194,21 @@ int setup_watchdog(struct tevent_context *ev, int interval) + watchdog_ctx.input_interval = interval; + watchdog_ctx.timestamp = time(NULL); + ++ ret = pipe(watchdog_ctx.pipefd); ++ if (ret == -1) { ++ ret = errno; ++ DEBUG(SSSDBG_FATAL_FAILURE, ++ "pipe failed [%d] [%s].\n", ret, strerror(ret)); ++ return ret; ++ } ++ ++ sss_fd_nonblocking(watchdog_ctx.pipefd[0]); ++ sss_fd_nonblocking(watchdog_ctx.pipefd[1]); ++ ++ tfd = tevent_add_fd(ev, (TALLOC_CTX *)ev, watchdog_ctx.pipefd[0], ++ TEVENT_FD_READ, watchdog_fd_read_handler, NULL); ++ watchdog_ctx.tfd = tfd; ++ + /* Start the timer */ + /* we give 1 second head start to the watchdog event */ + its.it_value.tv_sec = interval + 1; +@@ -178,6 +245,13 @@ void teardown_watchdog(void) + ret, strerror(ret)); + } + ++ /* Free the tevent_fd */ ++ talloc_zfree(watchdog_ctx.tfd); ++ ++ /* Close the pipefds */ ++ PIPE_FD_CLOSE(watchdog_ctx.pipefd[0]); ++ PIPE_FD_CLOSE(watchdog_ctx.pipefd[1]); ++ + /* and kill the watchdog event */ + talloc_free(watchdog_ctx.te); + } +-- +2.9.3 + diff --git a/SOURCES/0161-TESTS-Extending-sysdb-sudo-store-tests.patch b/SOURCES/0161-TESTS-Extending-sysdb-sudo-store-tests.patch new file mode 100644 index 0000000..23939a1 --- /dev/null +++ b/SOURCES/0161-TESTS-Extending-sysdb-sudo-store-tests.patch @@ -0,0 +1,225 @@ +From e2f39220bc1cbfc87bbe41e84042ab8be9d046ec Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20=C4=8Cech?= +Date: Thu, 13 Oct 2016 09:31:52 +0200 +Subject: [PATCH 161/162] TESTS: Extending sysdb sudo store tests +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We covered diference between case sensitive and case insensitive +domains. If domain is case insensitive we add lowercase form of +sudoUser to local sysdb cache. + +Resolves: +https://fedorahosted.org/sssd/ticket/3203 + +Reviewed-by: Pavel Březina +(cherry picked from commit 23637e2fd2b1fe42bdd2335893a11ac8016f56bc) +(cherry picked from commit 143b1dcbbe865a139616a22b139e19bd772e46f0) +--- + src/tests/cmocka/test_sysdb_sudo.c | 168 ++++++++++++++++++++++++++++++++++++- + 1 file changed, 167 insertions(+), 1 deletion(-) + +diff --git a/src/tests/cmocka/test_sysdb_sudo.c b/src/tests/cmocka/test_sysdb_sudo.c +index 889de72371ac724de7c791d889a670cf25a36968..f21ff3655efbdc5b66a1fdbc24a51ec8174c3c8c 100644 +--- a/src/tests/cmocka/test_sysdb_sudo.c ++++ b/src/tests/cmocka/test_sysdb_sudo.c +@@ -44,7 +44,7 @@ struct test_user { + const char *name; + uid_t uid; + gid_t gid; +-} users[] = { { "test_user1", 1001, 1001 }, ++} users[] = { { "test_USER1", 1001, 1001 }, + { "test_user2", 1002, 1002 }, + { "test_user3", 1003, 1003 } }; + +@@ -104,6 +104,29 @@ static void create_rule_attrs(struct sysdb_attrs *rule, int i) + assert_int_equal(ret, EOK); + } + ++static void create_rule_attrs_multiple_sudoUser(struct sysdb_attrs *rule) ++{ ++ errno_t ret; ++ ++ ret = sysdb_attrs_add_string_safe(rule, SYSDB_SUDO_CACHE_AT_CN, ++ rules[0].name); ++ assert_int_equal(ret, EOK); ++ ++ ret = sysdb_attrs_add_string_safe(rule, SYSDB_SUDO_CACHE_AT_HOST, ++ rules[0].host); ++ assert_int_equal(ret, EOK); ++ ++ ret = sysdb_attrs_add_string_safe(rule, SYSDB_SUDO_CACHE_AT_RUNASUSER, ++ rules[0].as_user); ++ assert_int_equal(ret, EOK); ++ ++ for (int i = 0; i < 3; i++ ) { ++ ret = sysdb_attrs_add_string_safe(rule, SYSDB_SUDO_CACHE_AT_USER, ++ users[i].name); ++ assert_int_equal(ret, EOK); ++ } ++} ++ + static int get_stored_rules_count(struct sysdb_test_ctx *test_ctx) + { + errno_t ret; +@@ -217,6 +240,143 @@ void test_store_sudo(void **state) + talloc_zfree(msgs); + } + ++void test_store_sudo_case_sensitive(void **state) ++{ ++ errno_t ret; ++ char *filter; ++ const char *attrs[] = { SYSDB_SUDO_CACHE_AT_CN, SYSDB_SUDO_CACHE_AT_HOST, ++ SYSDB_SUDO_CACHE_AT_RUNASUSER, ++ SYSDB_SUDO_CACHE_AT_USER, NULL }; ++ struct ldb_message **msgs = NULL; ++ size_t msgs_count; ++ const char *result; ++ struct ldb_message_element *element; ++ struct sysdb_attrs *rule; ++ struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state, ++ struct sysdb_test_ctx); ++ const char *lowered_name = sss_tc_utf8_str_tolower(test_ctx, users[0].name); ++ ++ rule = sysdb_new_attrs(test_ctx); ++ assert_non_null(rule); ++ create_rule_attrs_multiple_sudoUser(rule); ++ ++ test_ctx->tctx->dom->case_sensitive = true; ++ ++ ret = sysdb_sudo_store(test_ctx->tctx->dom, &rule, 1); ++ assert_int_equal(ret, EOK); ++ ++ filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, 0); ++ assert_non_null(filter); ++ ++ ret = sysdb_search_sudo_rules(test_ctx, test_ctx->tctx->dom, filter, ++ attrs, &msgs_count, &msgs); ++ assert_int_equal(ret, EOK); ++ ++ assert_int_equal(msgs_count, 1); ++ ++ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_CN, NULL); ++ assert_non_null(result); ++ assert_string_equal(result, rules[0].name); ++ ++ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_HOST, ++ NULL); ++ assert_non_null(result); ++ assert_string_equal(result, rules[0].host); ++ ++ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_RUNASUSER, ++ NULL); ++ assert_non_null(result); ++ assert_string_equal(result, rules[0].as_user); ++ ++ ret = ldb_msg_check_string_attribute(msgs[0], SYSDB_SUDO_CACHE_AT_USER, ++ users[0].name); ++ assert_int_equal(ret, 1); ++ ++ ret = ldb_msg_check_string_attribute(msgs[0], SYSDB_SUDO_CACHE_AT_USER, ++ lowered_name); ++ assert_int_equal(ret, 0); ++ ++ ret = ldb_msg_check_string_attribute(msgs[0], SYSDB_SUDO_CACHE_AT_USER, ++ users[1].name); ++ assert_int_equal(ret, 1); ++ ++ ret = ldb_msg_check_string_attribute(msgs[0], SYSDB_SUDO_CACHE_AT_USER, ++ users[2].name); ++ assert_int_equal(ret, 1); ++ ++ element = ldb_msg_find_element(msgs[0], SYSDB_SUDO_CACHE_AT_USER); ++ assert_int_equal(element->num_values, 3); ++ ++ talloc_zfree(lowered_name); ++ talloc_zfree(rule); ++ talloc_zfree(filter); ++ talloc_zfree(msgs); ++} ++ ++void test_store_sudo_case_insensitive(void **state) ++{ ++ errno_t ret; ++ char *filter; ++ const char *attrs[] = { SYSDB_SUDO_CACHE_AT_CN, SYSDB_SUDO_CACHE_AT_HOST, ++ SYSDB_SUDO_CACHE_AT_RUNASUSER, ++ SYSDB_SUDO_CACHE_AT_USER, NULL }; ++ struct ldb_message **msgs = NULL; ++ size_t msgs_count; ++ const char *result; ++ struct ldb_message_element *element; ++ struct sysdb_attrs *rule; ++ struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state, ++ struct sysdb_test_ctx); ++ const char *lowered_name = sss_tc_utf8_str_tolower(test_ctx, users[0].name); ++ ++ rule = sysdb_new_attrs(test_ctx); ++ assert_non_null(rule); ++ create_rule_attrs_multiple_sudoUser(rule); ++ ++ test_ctx->tctx->dom->case_sensitive = false; ++ ++ ret = sysdb_sudo_store(test_ctx->tctx->dom, &rule, 1); ++ assert_int_equal(ret, EOK); ++ ++ filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, 0); ++ assert_non_null(filter); ++ ++ ret = sysdb_search_sudo_rules(test_ctx, test_ctx->tctx->dom, filter, ++ attrs, &msgs_count, &msgs); ++ assert_int_equal(ret, EOK); ++ ++ assert_int_equal(msgs_count, 1); ++ ++ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_CN, NULL); ++ assert_non_null(result); ++ assert_string_equal(result, rules[0].name); ++ ++ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_HOST, ++ NULL); ++ assert_non_null(result); ++ assert_string_equal(result, rules[0].host); ++ ++ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_RUNASUSER, ++ NULL); ++ assert_non_null(result); ++ assert_string_equal(result, rules[0].as_user); ++ ++ for (int i = 0; i < 3; i++) { ++ ret = ldb_msg_check_string_attribute(msgs[0], SYSDB_SUDO_CACHE_AT_USER, ++ users[i].name); ++ assert_int_equal(ret, 1); ++ } ++ ++ /* test there is no duplication of lowercase forms */ ++ element = ldb_msg_find_element(msgs[0], SYSDB_SUDO_CACHE_AT_USER); ++ assert_int_equal(element->num_values, 4); ++ ++ talloc_zfree(lowered_name); ++ talloc_zfree(rule); ++ talloc_zfree(filter); ++ talloc_zfree(msgs); ++} ++ + void test_sudo_purge_by_filter(void **state) + { + errno_t ret; +@@ -648,6 +808,12 @@ int main(int argc, const char *argv[]) + cmocka_unit_test_setup_teardown(test_store_sudo, + test_sysdb_setup, + test_sysdb_teardown), ++ cmocka_unit_test_setup_teardown(test_store_sudo_case_sensitive, ++ test_sysdb_setup, ++ test_sysdb_teardown), ++ cmocka_unit_test_setup_teardown(test_store_sudo_case_insensitive, ++ test_sysdb_setup, ++ test_sysdb_teardown), + + /* sysdb_sudo_purge() */ + cmocka_unit_test_setup_teardown(test_sudo_purge_by_filter, +-- +2.9.3 + diff --git a/SOURCES/0162-SUDO-Only-store-lowercased-attribute-value-once.patch b/SOURCES/0162-SUDO-Only-store-lowercased-attribute-value-once.patch new file mode 100644 index 0000000..7435a9f --- /dev/null +++ b/SOURCES/0162-SUDO-Only-store-lowercased-attribute-value-once.patch @@ -0,0 +1,85 @@ +From 68cf1c69d2a19caca93d838745389f005ad66f5c Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Sun, 5 Feb 2017 20:25:23 +0100 +Subject: [PATCH 162/162] SUDO: Only store lowercased attribute value once +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The current code doesn't handle the situation where lowercasing the +sudoUser attribute would yield the same value again. + +For example: + sudoUser: TUSER + sudoUser tuser +would break. + +This patch switches to using the utility function +sysdb_attrs_add_lower_case_string() which already checks for duplicates. + +Resolves: +https://fedorahosted.org/sssd/ticket/3301 + +Reviewed-by: Fabiano Fidêncio +Reviewed-by: Pavel Březina +(cherry picked from commit a5ecc93abb01cece628fdef04ebad43bba267419) +(cherry picked from commit d5ddca8b44d00b92d4a70ea90d48247635a4e1ca) +--- + src/db/sysdb_sudo.c | 17 +++-------------- + src/tests/cmocka/test_sysdb_sudo.c | 5 +++++ + 2 files changed, 8 insertions(+), 14 deletions(-) + +diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c +index f5160f19012028f92723b9012fad85d803aa5137..97a1bee99c0255579f42cc7263d3d755429cd417 100644 +--- a/src/db/sysdb_sudo.c ++++ b/src/db/sysdb_sudo.c +@@ -857,7 +857,6 @@ static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain, + { + TALLOC_CTX *tmp_ctx; + const char **users = NULL; +- const char *lowered = NULL; + errno_t ret; + + if (domain->case_sensitive == true || rule == NULL) { +@@ -884,19 +883,9 @@ static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain, + } + + for (int i = 0; users[i] != NULL; i++) { +- lowered = sss_tc_utf8_str_tolower(tmp_ctx, users[i]); +- if (lowered == NULL) { +- DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n"); +- ret = ENOMEM; +- goto done; +- } +- +- if (strcmp(users[i], lowered) == 0) { +- /* It protects us from adding duplicate. */ +- continue; +- } +- +- ret = sysdb_attrs_add_string(rule, SYSDB_SUDO_CACHE_AT_USER, lowered); ++ ret = sysdb_attrs_add_lower_case_string(rule, true, ++ SYSDB_SUDO_CACHE_AT_USER, ++ users[i]); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Unable to add %s attribute [%d]: %s\n", +diff --git a/src/tests/cmocka/test_sysdb_sudo.c b/src/tests/cmocka/test_sysdb_sudo.c +index f21ff3655efbdc5b66a1fdbc24a51ec8174c3c8c..34afe120d97e99e3213a85bf7489a5e0f6309e4b 100644 +--- a/src/tests/cmocka/test_sysdb_sudo.c ++++ b/src/tests/cmocka/test_sysdb_sudo.c +@@ -335,6 +335,11 @@ void test_store_sudo_case_insensitive(void **state) + + test_ctx->tctx->dom->case_sensitive = false; + ++ ret = sysdb_attrs_add_lower_case_string(rule, false, ++ SYSDB_SUDO_CACHE_AT_USER, ++ users[0].name); ++ assert_int_equal(ret, EOK); ++ + ret = sysdb_sudo_store(test_ctx->tctx->dom, &rule, 1); + assert_int_equal(ret, EOK); + +-- +2.9.3 + diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec index 7cc3dc1..6d572df 100644 --- a/SPECS/sssd.spec +++ b/SPECS/sssd.spec @@ -33,7 +33,7 @@ Name: sssd Version: 1.14.0 -Release: 43%{?dist}.11 +Release: 43%{?dist}.14 Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -197,6 +197,12 @@ Patch0153: 0153-SYSDB-Fixing-of-sudorule-without-a-sudoUser.patch Patch0154: 0154-MONITOR-Do-not-set-up-watchdog-for-monitor.patch Patch0155: 0155-AUTOFS-Fix-offline-resolution-of-autofs-maps.patch Patch0156: 0156-Prevent-use-after-free-in-fd_input_available.patch +Patch0157: 0157-SSH-Use-default_domain_suffix-for-users-authorized-k.patch +Patch0158: 0158-SERVER-Set-the-process-group-during-server_setup.patch +Patch0159: 0159-WATCHDOG-define-and-use-_MAX_TICKS-as-3.patch +Patch0160: 0160-WATCHDOG-Avoid-non-async-signal-safe-from-the-signal.patch +Patch0161: 0161-TESTS-Extending-sysdb-sudo-store-tests.patch +Patch0162: 0162-SUDO-Only-store-lowercased-attribute-value-once.patch #This patch should not be removed in RHEL-7 Patch999: 0999-NOUPSTREAM-Default-to-root-if-sssd-user-is-not-spec @@ -288,10 +294,10 @@ Summary: Common files for the SSSD Group: Applications/System License: GPLv3+ # Conflicts -Conflicts: selinux-policy < 3.10.0-46 Conflicts: sssd < 1.10.0-8%{?dist}.beta2 -# Requires +# Requires +Requires: selinux-policy >= 3.13.1-102.el7_3.15 Requires: sssd-client%{?_isa} = %{version}-%{release} Requires: libsss_idmap%{?_isa} = %{version}-%{release} Requires: libsss_sudo%{?_isa} = %{version}-%{release} @@ -1191,6 +1197,21 @@ fi /usr/bin/rm -f /var/tmp/sssd.upgrade || : %changelog +* Wed Feb 15 2017 Jakub Hrozek - 1.14.0-43.14 +- Resolves: rhbz#1422183 - Fails to accept any sudo rules if there are + two user entries in an ldap role with the same + sudo user. + +* Fri Feb 3 2017 Jakub Hrozek - 1.14.0-43.13 +- Resolves: rhbz#1418943 - If a long-running task (e.g. enumeration) blocks the + sssd_be process, sssd_be can deadlock +- Also Require a new-enough version of selinux-policy so that setpgid() by sssd + is allowed + +* Wed Jan 11 2017 Jakub Hrozek - 1.14.0-43.12 +- Resolves: rhbz#1405584 - SSH: default_domain_suffix is not being used + for users' authorized keys + * Tue Dec 13 2016 Jakub Hrozek - 1.14.0-43.11 - Resolves: rhbz#1404340 - Use-after free in resolver in case the fd is writeable and readable at the same time