diff --git a/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch b/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch deleted file mode 100644 index 60feeceb8df6b08f32b0e640affcceb76e5fe7ba..0000000000000000000000000000000000000000 --- a/0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch +++ /dev/null 
@@ -1,158 +0,0 @@ -From d7da2966f5931bac3b17f42e251adbbb7e793619 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Pavel=20B=C5=99ezina?= -Date: Thu, 8 Dec 2022 15:14:05 +0100 -Subject: [PATCH] ldap: update shadow last change in sysdb as well -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Otherwise pam can use the changed information whe id chaching is -enabled, so next authentication that fits into the id timeout -(5 seconds by default) will still sees the password as expired. - -Resolves: https://github.com/SSSD/sssd/issues/6477 - -Reviewed-by: Sumit Bose -Reviewed-by: Tomáš Halman -(cherry picked from commit 7e8b97c14b8ef218d6ea23214be28d25dba13886) ---- - src/db/sysdb.h | 4 ++++ - src/db/sysdb_ops.c | 32 ++++++++++++++++++++++++++++++++ - src/providers/ldap/ldap_auth.c | 21 ++++++++++++++++----- - 3 files changed, 52 insertions(+), 5 deletions(-) - -diff --git a/src/db/sysdb.h b/src/db/sysdb.h -index 7c666f5c4..06b44f5ba 100644 ---- a/src/db/sysdb.h -+++ b/src/db/sysdb.h -@@ -1061,6 +1061,10 @@ int sysdb_set_user_attr(struct sss_domain_info *domain, - struct sysdb_attrs *attrs, - int mod_op); - -+errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain, -+ const char *name, -+ const char *attrname); -+ - /* Replace group attrs */ - int sysdb_set_group_attr(struct sss_domain_info *domain, - const char *name, -diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c -index 0d6f2d5cd..ed0df9872 100644 ---- a/src/db/sysdb_ops.c -+++ b/src/db/sysdb_ops.c -@@ -1485,6 +1485,38 @@ done: - return ret; - } - -+errno_t sysdb_update_user_shadow_last_change(struct sss_domain_info *domain, -+ const char *name, -+ const char *attrname) -+{ -+ struct sysdb_attrs *attrs; -+ char *value; -+ errno_t ret; -+ -+ attrs = sysdb_new_attrs(NULL); -+ if (attrs == NULL) { -+ return ENOMEM; -+ } -+ -+ /* The attribute contains number of days since the epoch */ -+ value = talloc_asprintf(attrs, "%ld", (long)time(NULL)/86400); -+ if 
(value == NULL) { -+ ret = ENOMEM; -+ goto done; -+ } -+ -+ ret = sysdb_attrs_add_string(attrs, attrname, value); -+ if (ret != EOK) { -+ goto done; -+ } -+ -+ ret = sysdb_set_user_attr(domain, name, attrs, SYSDB_MOD_REP); -+ -+done: -+ talloc_free(attrs); -+ return ret; -+} -+ - /* =Replace-Attributes-On-Group=========================================== */ - - int sysdb_set_group_attr(struct sss_domain_info *domain, -diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c -index 6404a9d3a..96b9d6df4 100644 ---- a/src/providers/ldap/ldap_auth.c -+++ b/src/providers/ldap/ldap_auth.c -@@ -1240,6 +1240,7 @@ struct sdap_pam_chpass_handler_state { - struct pam_data *pd; - struct sdap_handle *sh; - char *dn; -+ enum pwexpire pw_expire_type; - }; - - static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq); -@@ -1339,7 +1340,6 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) - { - struct sdap_pam_chpass_handler_state *state; - struct tevent_req *req; -- enum pwexpire pw_expire_type; - void *pw_expire_data; - size_t msg_len; - uint8_t *msg; -@@ -1349,7 +1349,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) - state = tevent_req_data(req, struct sdap_pam_chpass_handler_state); - - ret = auth_recv(subreq, state, &state->sh, &state->dn, -- &pw_expire_type, &pw_expire_data); -+ &state->pw_expire_type, &pw_expire_data); - talloc_free(subreq); - - if ((ret == EOK || ret == ERR_PASSWORD_EXPIRED) && -@@ -1361,7 +1361,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) - } - - if (ret == EOK) { -- switch (pw_expire_type) { -+ switch (state->pw_expire_type) { - case PWEXPIRE_SHADOW: - ret = check_pwexpire_shadow(pw_expire_data, time(NULL), NULL); - break; -@@ -1381,7 +1381,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) - break; - default: - DEBUG(SSSDBG_CRIT_FAILURE, -- "Unknown password expiration type %d.\n", pw_expire_type); -+ 
"Unknown password expiration type %d.\n", -+ state->pw_expire_type); - state->pd->pam_status = PAM_SYSTEM_ERR; - goto done; - } -@@ -1392,7 +1393,8 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) - case ERR_PASSWORD_EXPIRED: - DEBUG(SSSDBG_TRACE_LIBS, - "user [%s] successfully authenticated.\n", state->dn); -- ret = sdap_pam_chpass_handler_change_step(state, req, pw_expire_type); -+ ret = sdap_pam_chpass_handler_change_step(state, req, -+ state->pw_expire_type); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "sdap_pam_chpass_handler_change_step() failed.\n"); -@@ -1506,6 +1508,15 @@ static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq) - - switch (ret) { - case EOK: -+ if (state->pw_expire_type == PWEXPIRE_SHADOW) { -+ ret = sysdb_update_user_shadow_last_change(state->be_ctx->domain, -+ state->pd->user, SYSDB_SHADOWPW_LASTCHANGE); -+ if (ret != EOK) { -+ state->pd->pam_status = PAM_SYSTEM_ERR; -+ goto done; -+ } -+ } -+ - state->pd->pam_status = PAM_SUCCESS; - break; - case ERR_CHPASS_DENIED: --- -2.37.3 - diff --git a/0005-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch b/0001-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch similarity index 94% rename from 0005-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch rename to 0001-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch index 19f2218c3014d5c6e00bbb9c370db6bee54c62bb..436992ca45cdb5e3c0bb106a599630f2fcb913d2 100644 --- a/0005-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch +++ b/0001-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch @@ -1,7 +1,7 @@ -From 2cd5a6a2c8fd1826177d6bb51e7d4f4ad368bcfb Mon Sep 17 00:00:00 2001 +From f16e570838d1c6cd30b5883f364b0f437c314b1f Mon Sep 17 00:00:00 2001 
From: Sumit Bose Date: Fri, 9 Jun 2023 12:31:39 +0200 -Subject: [PATCH 5/6] watchdog: add arm_watchdog() and disarm_watchdog() calls +Subject: [PATCH 1/2] watchdog: add arm_watchdog() and disarm_watchdog() calls MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -22,10 +22,10 @@ Reviewed-by: Pavel Březina 2 files changed, 38 insertions(+), 2 deletions(-) diff --git a/src/util/util.h b/src/util/util.h -index a8356e0cd..9dbcf3301 100644 +index 11dc40d57..02fd53237 100644 --- a/src/util/util.h +++ b/src/util/util.h -@@ -756,6 +756,18 @@ int setup_watchdog(struct tevent_context *ev, int interval); +@@ -791,6 +791,18 @@ int setup_watchdog(struct tevent_context *ev, int interval); void teardown_watchdog(void); int get_watchdog_ticks(void); diff --git a/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch b/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch deleted file mode 100644 index fdc756a285e7cc81af3eb29fc897fdce901b0e66..0000000000000000000000000000000000000000 --- a/0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From f3333b9dbeda33a9344b458accaa4ff372adb660 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Fri, 3 Feb 2023 11:35:42 +0100 -Subject: [PATCH 2/4] SSS_CLIENT: fix error codes returned by common - read/write/check helpers. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -It's kind of expected that in case `(POLLERR | POLLHUP | POLLNVAL)` -error condition is detected, regular `POLLIN/POLLOUT` won't be set. -Error code set by error condition should have a priority. This enables -users of this helper to retry attempt (as designed). - -Reviewed-by: Pavel Březina -Reviewed-by: Sumit Bose -(cherry picked from commit 0b8638d8de435384562f17d041655887b73523cd) ---- - src/sss_client/common.c | 9 +++------ - 1 file changed, 3 insertions(+), 6 deletions(-) - -diff --git a/src/sss_client/common.c b/src/sss_client/common.c -index 2c888faa9..27e09f6f3 100644 ---- a/src/sss_client/common.c -+++ b/src/sss_client/common.c -@@ -161,8 +161,7 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd, - case 1: - if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) { - *errnop = EPIPE; -- } -- if (!(pfd.revents & POLLOUT)) { -+ } else if (!(pfd.revents & POLLOUT)) { - *errnop = EBUSY; - } - break; -@@ -273,8 +272,7 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd, - } - if (pfd.revents & (POLLERR | POLLNVAL)) { - *errnop = EPIPE; -- } -- if (!(pfd.revents & POLLIN)) { -+ } else if (!(pfd.revents & POLLIN)) { - *errnop = EBUSY; - } - break; -@@ -725,8 +723,7 @@ static enum sss_status sss_cli_check_socket(int *errnop, - case 1: - if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) { - *errnop = EPIPE; -- } -- if (!(pfd.revents & (POLLIN | POLLOUT))) { -+ } else if (!(pfd.revents & (POLLIN | POLLOUT))) { - *errnop = EBUSY; - } - break; --- -2.37.3 - 
diff --git a/0006-sbus-arm-watchdog-for-sbus_connect_init_send.patch b/0002-sbus-arm-watchdog-for-sbus_connect_init_send.patch similarity index 77% rename from 0006-sbus-arm-watchdog-for-sbus_connect_init_send.patch rename to 0002-sbus-arm-watchdog-for-sbus_connect_init_send.patch index 7c86bf2164b449422b84deb8a62356361a5859d5..655cf29dabc0d26f04707dd136bf4e66c64a6ccf 100644 --- a/0006-sbus-arm-watchdog-for-sbus_connect_init_send.patch +++ b/0002-sbus-arm-watchdog-for-sbus_connect_init_send.patch @@ -1,7 +1,7 @@ -From 55564defec8fdbb4d9df6b0124a8b18b31743230 Mon Sep 17 00:00:00 2001 +From 27987c791bc452f53696a3a33f0d607ab040e78d Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 9 Jun 2023 13:01:47 +0200 -Subject: [PATCH 6/6] sbus: arm watchdog for sbus_connect_init_send() +Subject: [PATCH 2/2] sbus: arm watchdog for sbus_connect_init_send() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -23,9 +23,22 @@ Reviewed-by: Alexey Tikhonov Reviewed-by: Pavel Březina (cherry picked from commit cca9361d92501e0be34d264d370fe897a0c970af) --- + Makefile.am | 1 - src/sbus/connection/sbus_connection_connect.c | 4 ++++ - 1 file changed, 4 insertions(+) + 2 files changed, 4 insertions(+), 1 deletion(-) +diff --git a/Makefile.am b/Makefile.am +index e780e8a14..23c63ec1e 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -4672,7 +4672,6 @@ krb5_child_LDADD = \ + $(CLIENT_LIBS) \ + $(SYSTEMD_LOGIN_LIBS) \ + $(JANSSON_LIBS) \ +- libsss_sbus.la \ + $(NULL) + + ldap_child_SOURCES = \ diff --git a/src/sbus/connection/sbus_connection_connect.c b/src/sbus/connection/sbus_connection_connect.c index 45a0fa491..edc090e15 100644 --- a/src/sbus/connection/sbus_connection_connect.c diff --git a/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch b/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch deleted file mode 100644 index d7c875fe449e2b4da0c1038c84ae12ae24a8b77d..0000000000000000000000000000000000000000 
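Review bot: The rewritten patch gains a Makefile.am hunk that drops `libsss_sbus.la` from `krb5_child_LDADD`, yet the header still says `(cherry picked from commit cca9361d92501e0be34d264d370fe897a0c970af)` and the previous version of this file listed only one changed file, so this looks like a backport-only deviation that the subject "sbus: arm watchdog for sbus_connect_init_send()" does not cover. Unless the unchanged part of the description (outside this hunk) already explains it, a one-line note in the patch body would help the next rebase, e.g. `Backport note: krb5_child is no longer linked against libsss_sbus.la so that it does not pull in the watchdog symbols.` — stated as the reason actually applies, since the link-time motivation is inferred here, not visible. The diffstat lines were updated consistently with the added hunk.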
--- a/0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From a40b25a3af29706c058ce5a02dd0ba294dbb6874 Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Wed, 8 Feb 2023 17:48:52 +0100 -Subject: [PATCH 3/4] SSS_CLIENT: if poll() returns POLLNVAL then socket is - alredy closed (or wasn't open) so it shouldn't be closed again. Otherwise - there is a risk to close "foreign" socket opened in another thread. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Pavel Březina -Reviewed-by: Sumit Bose -(cherry picked from commit ef93284b5a1f196425d9a61e8e24de8972240eb3) ---- - src/sss_client/common.c | 18 +++++++++++++++--- - 1 file changed, 15 insertions(+), 3 deletions(-) - -diff --git a/src/sss_client/common.c b/src/sss_client/common.c -index 27e09f6f3..c8ade645b 100644 ---- a/src/sss_client/common.c -+++ b/src/sss_client/common.c -@@ -159,7 +159,11 @@ static enum sss_status sss_cli_send_req(enum sss_cli_command cmd, - *errnop = ETIME; - break; - case 1: -- if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) { -+ if (pfd.revents & (POLLERR | POLLHUP)) { -+ *errnop = EPIPE; -+ } else if (pfd.revents & POLLNVAL) { -+ /* Invalid request: fd is not opened */ -+ sss_cli_sd = -1; - *errnop = EPIPE; - } else if (!(pfd.revents & POLLOUT)) { - *errnop = EBUSY; -@@ -270,7 +274,11 @@ static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd, - if (pfd.revents & (POLLHUP)) { - pollhup = true; - } -- if (pfd.revents & (POLLERR | POLLNVAL)) { -+ if (pfd.revents & POLLERR) { -+ *errnop = EPIPE; -+ } else if (pfd.revents & POLLNVAL) { -+ /* Invalid request: fd is not opened */ -+ sss_cli_sd = -1; - *errnop = EPIPE; - } else if (!(pfd.revents & POLLIN)) { - *errnop = EBUSY; -@@ -721,7 +729,11 @@ static enum sss_status sss_cli_check_socket(int *errnop, - *errnop = ETIME; - break; - case 1: -- if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) { -+ if (pfd.revents & (POLLERR | POLLHUP)) { -+ *errnop = EPIPE; -+ } else if (pfd.revents & POLLNVAL) { -+ /* Invalid 
request: fd is not opened */ -+ sss_cli_sd = -1; - *errnop = EPIPE; - } else if (!(pfd.revents & (POLLIN | POLLOUT))) { - *errnop = EBUSY; --- -2.37.3 - diff --git a/0003-mc-recover-from-invalid-memory-cache-size.patch b/0003-mc-recover-from-invalid-memory-cache-size.patch new file mode 100644 index 0000000000000000000000000000000000000000..de35768bef672e33ea8356fe02e0675ed9839a14 --- /dev/null +++ b/0003-mc-recover-from-invalid-memory-cache-size.patch 
@@ -0,0 +1,224 @@ +From be1ff918d0fd1701a21c3688daad0a90682a1f1d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Fri, 4 Aug 2023 12:19:49 +0200 +Subject: [PATCH] mc: recover from invalid memory cache size + +If we access the mmap file outside its boundaries a SIGBUS is raised. +We can now safely recover if the file has unexpected size. + +Reviewed-by: Alexey Tikhonov +Reviewed-by: Sumit Bose +(cherry picked from commit 641e5f73d3bd5b3d32cafd551013d3bfd2a52732) +--- + src/responder/nss/nsssrv_mmap_cache.c | 86 +++++++++++++++++++++------ + src/sss_client/nss_mc_common.c | 42 +++++++++---- + 2 files changed, 100 insertions(+), 28 deletions(-) + +diff --git a/src/responder/nss/nsssrv_mmap_cache.c b/src/responder/nss/nsssrv_mmap_cache.c +index 12c299659..bd814f3bc 100644 +--- a/src/responder/nss/nsssrv_mmap_cache.c ++++ b/src/responder/nss/nsssrv_mmap_cache.c +@@ -722,6 +722,57 @@ static errno_t sss_mmap_cache_invalidate(struct sss_mc_ctx *mcc, + return EOK; + } + ++static errno_t sss_mmap_cache_validate_or_reinit(struct sss_mc_ctx **_mcc) ++{ ++ struct sss_mc_ctx *mcc = *_mcc; ++ struct stat fdstat; ++ bool reinit = false; ++ errno_t ret; ++ ++ /* No mcc initialized? Memory cache may be disabled. 
*/ ++ if (mcc == NULL || mcc->fd < 0) { ++ ret = EINVAL; ++ reinit = false; ++ goto done; ++ } ++ ++ if (fstat(mcc->fd, &fdstat) == -1) { ++ ret = errno; ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Unable to stat memory cache [file=%s, fd=%d] [%d]: %s\n", ++ mcc->file, mcc->fd, ret, sss_strerror(ret)); ++ reinit = true; ++ goto done; ++ } ++ ++ if (fdstat.st_nlink == 0) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Memory cache file was removed\n"); ++ ret = ENOENT; ++ reinit = true; ++ goto done; ++ } ++ ++ if (fdstat.st_size != mcc->mmap_size) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "Memory cache is corrupted, invalid size [file=%s, fd=%d, " ++ "expected_size=%zu, real_size=%zu]\n", ++ mcc->file, mcc->fd, mcc->mmap_size, fdstat.st_size); ++ ret = EINVAL; ++ reinit = true; ++ goto done; ++ } ++ ++ ret = EOK; ++ reinit = false; ++ ++done: ++ if (reinit) { ++ return sss_mmap_cache_reinit(talloc_parent(mcc), -1, -1, -1, -1, _mcc); ++ } ++ ++ return ret; ++} ++ + /*************************************************************************** + * passwd map + ***************************************************************************/ +@@ -744,9 +795,9 @@ errno_t sss_mmap_cache_pw_store(struct sss_mc_ctx **_mcc, + size_t pos; + int ret; + +- if (mcc == NULL) { +- /* cache not initialized? */ +- return EINVAL; ++ ret = sss_mmap_cache_validate_or_reinit(&mcc); ++ if (ret != EOK) { ++ return ret; + } + + ret = snprintf(uidstr, 11, "%ld", (long)uid); +@@ -815,9 +866,9 @@ errno_t sss_mmap_cache_pw_invalidate_uid(struct sss_mc_ctx *mcc, uid_t uid) + char *uidstr; + errno_t ret; + +- if (mcc == NULL) { +- /* cache not initialized? */ +- return EINVAL; ++ ret = sss_mmap_cache_validate_or_reinit(&mcc); ++ if (ret != EOK) { ++ return ret; + } + + uidstr = talloc_asprintf(NULL, "%ld", (long)uid); +@@ -886,9 +937,9 @@ int sss_mmap_cache_gr_store(struct sss_mc_ctx **_mcc, + size_t pos; + int ret; + +- if (mcc == NULL) { +- /* cache not initialized? 
*/ +- return EINVAL; ++ ret = sss_mmap_cache_validate_or_reinit(&mcc); ++ if (ret != EOK) { ++ return ret; + } + + ret = snprintf(gidstr, 11, "%ld", (long)gid); +@@ -953,9 +1004,9 @@ errno_t sss_mmap_cache_gr_invalidate_gid(struct sss_mc_ctx *mcc, gid_t gid) + char *gidstr; + errno_t ret; + +- if (mcc == NULL) { +- /* cache not initialized? */ +- return EINVAL; ++ ret = sss_mmap_cache_validate_or_reinit(&mcc); ++ if (ret != EOK) { ++ return ret; + } + + gidstr = talloc_asprintf(NULL, "%ld", (long)gid); +@@ -1018,9 +1069,9 @@ errno_t sss_mmap_cache_initgr_store(struct sss_mc_ctx **_mcc, + size_t pos; + int ret; + +- if (mcc == NULL) { +- /* cache not initialized? */ +- return EINVAL; ++ ret = sss_mmap_cache_validate_or_reinit(&mcc); ++ if (ret != EOK) { ++ return ret; + } + + /* array of gids + name + unique_name */ +@@ -1087,8 +1138,9 @@ errno_t sss_mmap_cache_sid_store(struct sss_mc_ctx **_mcc, + size_t rec_len; + int ret; + +- if (mcc == NULL) { +- return EINVAL; ++ ret = sss_mmap_cache_validate_or_reinit(&mcc); ++ if (ret != EOK) { ++ return ret; + } + + ret = snprintf(idkey, sizeof(idkey), "%d-%ld", +diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c +index 3128861bf..e227c0bae 100644 +--- a/src/sss_client/nss_mc_common.c ++++ b/src/sss_client/nss_mc_common.c +@@ -69,13 +69,43 @@ static void sss_mt_unlock(struct sss_cli_mc_ctx *ctx) + #endif + } + ++static errno_t sss_nss_mc_validate(struct sss_cli_mc_ctx *ctx) ++{ ++ struct stat fdstat; ++ ++ /* No mc ctx initialized?*/ ++ if (ctx == NULL || ctx->fd < 0) { ++ return EINVAL; ++ } ++ ++ if (fstat(ctx->fd, &fdstat) == -1) { ++ return errno; ++ } ++ ++ /* Memcache was removed. */ ++ if (fdstat.st_nlink == 0) { ++ return ENOENT; ++ } ++ ++ /* Invalid size. 
*/ ++ if (fdstat.st_size != ctx->mmap_size) { ++ return ERANGE; ++ } ++ ++ return EOK; ++} ++ + errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx) + { + struct sss_mc_header h; + bool copy_ok; + int count; + int ret; +- struct stat fdstat; ++ ++ ret = sss_nss_mc_validate(ctx); ++ if (ret != EOK) { ++ return ret; ++ } + + /* retry barrier protected reading max 5 times then give up */ + for (count = 5; count > 0; count--) { +@@ -115,16 +145,6 @@ errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx) + } + } + +- ret = fstat(ctx->fd, &fdstat); +- if (ret == -1) { +- return EIO; +- } +- +- if (fdstat.st_nlink == 0) { +- /* memory cache was removed; we need to reinitialize it. */ +- return EINVAL; +- } +- + return 0; + } + +-- +2.41.0 + diff --git a/0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch b/0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch deleted file mode 100644 index dee9c9d5bfb9a60db4c58c5a69de7c611a8507fe..0000000000000000000000000000000000000000 --- a/0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch +++ /dev/null 
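Review bot: In the corruption DEBUG inside `sss_mmap_cache_validate_or_reinit` (nsssrv_mmap_cache.c hunk), `fdstat.st_size` is an `off_t` but is printed with `%zu`, so the conversion and argument types do not match; on builds where `off_t` is wider than `size_t` (32-bit with a 64-bit `off_t`) the following varargs are misread. The mismatch is fixed by `"expected_size=%zu, real_size=%jd]\n", mcc->file, mcc->fd, mcc->mmap_size, (intmax_t)fdstat.st_size);` (needs `<stdint.h>`/`<inttypes.h>` if the file does not already include them). The comparison `fdstat.st_size != mcc->mmap_size`, and the same one in `sss_nss_mc_validate` in nss_mc_common.c, also mixes signed and unsigned operands; casting `st_size` to `size_t` after checking it is non-negative keeps `-Wsign-compare` quiet. Both helpers are best-effort: a truncation between `fstat()` and the later mmap access can still raise SIGBUS, which is worth saying on the helper, e.g. `/* Best-effort check: the file size can still change after fstat(). */`.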
@@ -1,53 +0,0 @@ -From 1fd7a5ecb46a02a29ebf42039575b5344307bfbb Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Wed, 8 Feb 2023 18:58:37 +0100 -Subject: [PATCH 4/4] PAM_SSS: close(sss_cli_sd) should also be protected with - mutex. Otherwise a thread calling pam_end() can close socket mid pam - transaction in another thread. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Bug only manifested on platforms where "lockfree client" -feature wasn't built. - -Reviewed-by: Pavel Březina -Reviewed-by: Sumit Bose -(cherry picked from commit bf3f73ea0ee123fe4e7c4bdd2287ac5a5e6d9082) ---- - src/sss_client/pam_sss.c | 3 +++ - src/sss_client/pam_sss_gss.c | 2 ++ - 2 files changed, 5 insertions(+) - -diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c -index afbdef59a..39ad17188 100644 ---- a/src/sss_client/pam_sss.c -+++ b/src/sss_client/pam_sss.c -@@ -117,7 +117,10 @@ static void close_fd(pam_handle_t *pamh, void *ptr, int err) - #endif /* PAM_DATA_REPLACE */ - - D(("Closing the fd")); -+ -+ sss_pam_lock(); - sss_cli_close_socket(); -+ sss_pam_unlock(); - } - - struct cert_auth_info { -diff --git a/src/sss_client/pam_sss_gss.c b/src/sss_client/pam_sss_gss.c -index 1109ec570..dd578ae5d 100644 ---- a/src/sss_client/pam_sss_gss.c -+++ b/src/sss_client/pam_sss_gss.c -@@ -581,7 +581,9 @@ int pam_sm_authenticate(pam_handle_t *pamh, - } - - done: -+ sss_pam_lock(); - sss_cli_close_socket(); -+ sss_pam_unlock(); - free(username); - free(domain); - free(target); --- -2.37.3 - diff --git a/0004-sss_iface-do-not-add-cli_id-to-chain-key.patch b/0004-sss_iface-do-not-add-cli_id-to-chain-key.patch new file mode 100644 index 0000000000000000000000000000000000000000..b87470a547e3c352ac6b755716930869c6aedf96 --- /dev/null +++ b/0004-sss_iface-do-not-add-cli_id-to-chain-key.patch 
@@ -0,0 +1,404 @@ +From adbd7c6e6b872d24784e3073bbdc44418af9ea45 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Mon, 4 Sep 2023 14:12:58 +0200 +Subject: [PATCH] sss_iface: do not add cli_id to chain key + +Otherwise we only chain identical requests from the same client +which effectively renders chaining not functional. + +Resolves: https://github.com/SSSD/sssd/issues/6911 + +Reviewed-by: Alexey Tikhonov +Reviewed-by: Justin Stephenson +(cherry picked from commit 1e5dfc187c7659cca567d2f7d5592e72794ef13c) +--- + src/sss_iface/sbus_sss_client_async.c | 12 +++---- + src/sss_iface/sbus_sss_interface.h | 24 ++++++------- + src/sss_iface/sbus_sss_keygens.c | 50 +++++++++++++-------------- + src/sss_iface/sbus_sss_keygens.h | 10 +++--- + src/sss_iface/sss_iface.xml | 12 +++---- + 5 files changed, 54 insertions(+), 54 deletions(-) + +diff --git a/src/sss_iface/sbus_sss_client_async.c b/src/sss_iface/sbus_sss_client_async.c +index 042d1b7b3..5ca925283 100644 +--- a/src/sss_iface/sbus_sss_client_async.c ++++ b/src/sss_iface/sbus_sss_client_async.c +@@ -1861,7 +1861,7 @@ sbus_call_dp_autofs_Enumerate_send + const char * arg_mapname, + uint32_t arg_cli_id) + { +- return sbus_method_in_usu_out__send(mem_ctx, conn, _sbus_sss_key_usu_0_1_2, ++ return sbus_method_in_usu_out__send(mem_ctx, conn, _sbus_sss_key_usu_0_1, + busname, object_path, "sssd.DataProvider.Autofs", "Enumerate", arg_dp_flags, arg_mapname, arg_cli_id); + } + +@@ -1883,7 +1883,7 @@ sbus_call_dp_autofs_GetEntry_send + const char * arg_entryname, + uint32_t arg_cli_id) + { +- return sbus_method_in_ussu_out__send(mem_ctx, conn, _sbus_sss_key_ussu_0_1_2_3, ++ return sbus_method_in_ussu_out__send(mem_ctx, conn, _sbus_sss_key_ussu_0_1_2, + busname, object_path, "sssd.DataProvider.Autofs", "GetEntry", arg_dp_flags, arg_mapname, arg_entryname, arg_cli_id); + } + +@@ -1904,7 +1904,7 @@ sbus_call_dp_autofs_GetMap_send + const char * arg_mapname, + uint32_t arg_cli_id) + { +- return 
sbus_method_in_usu_out__send(mem_ctx, conn, _sbus_sss_key_usu_0_1_2, ++ return sbus_method_in_usu_out__send(mem_ctx, conn, _sbus_sss_key_usu_0_1, + busname, object_path, "sssd.DataProvider.Autofs", "GetMap", arg_dp_flags, arg_mapname, arg_cli_id); + } + +@@ -2142,7 +2142,7 @@ sbus_call_dp_dp_getAccountDomain_send + const char * arg_filter, + uint32_t arg_cli_id) + { +- return sbus_method_in_uusu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uusu_0_1_2_3, ++ return sbus_method_in_uusu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uusu_0_1_2, + busname, object_path, "sssd.dataprovider", "getAccountDomain", arg_dp_flags, arg_entry_type, arg_filter, arg_cli_id); + } + +@@ -2170,7 +2170,7 @@ sbus_call_dp_dp_getAccountInfo_send + const char * arg_extra, + uint32_t arg_cli_id) + { +- return sbus_method_in_uusssu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uusssu_0_1_2_3_4_5, ++ return sbus_method_in_uusssu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uusssu_0_1_2_3_4, + busname, object_path, "sssd.dataprovider", "getAccountInfo", arg_dp_flags, arg_entry_type, arg_filter, arg_domain, arg_extra, arg_cli_id); + } + +@@ -2267,7 +2267,7 @@ sbus_call_dp_dp_resolverHandler_send + const char * arg_filter_value, + uint32_t arg_cli_id) + { +- return sbus_method_in_uuusu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uuusu_0_1_2_3_4, ++ return sbus_method_in_uuusu_out_qus_send(mem_ctx, conn, _sbus_sss_key_uuusu_0_1_2_3, + busname, object_path, "sssd.dataprovider", "resolverHandler", arg_dp_flags, arg_entry_type, arg_filter_type, arg_filter_value, arg_cli_id); + } + +diff --git a/src/sss_iface/sbus_sss_interface.h b/src/sss_iface/sbus_sss_interface.h +index fc86c71d9..5b4d1c362 100644 +--- a/src/sss_iface/sbus_sss_interface.h ++++ b/src/sss_iface/sbus_sss_interface.h +@@ -166,7 +166,7 @@ + &_sbus_sss_args_sssd_DataProvider_Autofs_Enumerate, \ + NULL, \ + _sbus_sss_invoke_in_usu_out__send, \ +- _sbus_sss_key_usu_0_1_2, \ ++ _sbus_sss_key_usu_0_1, \ + (handler), (data)); \ + }) + +@@ -177,7 +177,7 @@ + 
&_sbus_sss_args_sssd_DataProvider_Autofs_Enumerate, \ + NULL, \ + _sbus_sss_invoke_in_usu_out__send, \ +- _sbus_sss_key_usu_0_1_2, \ ++ _sbus_sss_key_usu_0_1, \ + (handler_send), (handler_recv), (data)); \ + }) + +@@ -188,7 +188,7 @@ + &_sbus_sss_args_sssd_DataProvider_Autofs_GetEntry, \ + NULL, \ + _sbus_sss_invoke_in_ussu_out__send, \ +- _sbus_sss_key_ussu_0_1_2_3, \ ++ _sbus_sss_key_ussu_0_1_2, \ + (handler), (data)); \ + }) + +@@ -199,7 +199,7 @@ + &_sbus_sss_args_sssd_DataProvider_Autofs_GetEntry, \ + NULL, \ + _sbus_sss_invoke_in_ussu_out__send, \ +- _sbus_sss_key_ussu_0_1_2_3, \ ++ _sbus_sss_key_ussu_0_1_2, \ + (handler_send), (handler_recv), (data)); \ + }) + +@@ -210,7 +210,7 @@ + &_sbus_sss_args_sssd_DataProvider_Autofs_GetMap, \ + NULL, \ + _sbus_sss_invoke_in_usu_out__send, \ +- _sbus_sss_key_usu_0_1_2, \ ++ _sbus_sss_key_usu_0_1, \ + (handler), (data)); \ + }) + +@@ -221,7 +221,7 @@ + &_sbus_sss_args_sssd_DataProvider_Autofs_GetMap, \ + NULL, \ + _sbus_sss_invoke_in_usu_out__send, \ +- _sbus_sss_key_usu_0_1_2, \ ++ _sbus_sss_key_usu_0_1, \ + (handler_send), (handler_recv), (data)); \ + }) + +@@ -522,7 +522,7 @@ + &_sbus_sss_args_sssd_dataprovider_getAccountDomain, \ + NULL, \ + _sbus_sss_invoke_in_uusu_out_qus_send, \ +- _sbus_sss_key_uusu_0_1_2_3, \ ++ _sbus_sss_key_uusu_0_1_2, \ + (handler), (data)); \ + }) + +@@ -533,7 +533,7 @@ + &_sbus_sss_args_sssd_dataprovider_getAccountDomain, \ + NULL, \ + _sbus_sss_invoke_in_uusu_out_qus_send, \ +- _sbus_sss_key_uusu_0_1_2_3, \ ++ _sbus_sss_key_uusu_0_1_2, \ + (handler_send), (handler_recv), (data)); \ + }) + +@@ -544,7 +544,7 @@ + &_sbus_sss_args_sssd_dataprovider_getAccountInfo, \ + NULL, \ + _sbus_sss_invoke_in_uusssu_out_qus_send, \ +- _sbus_sss_key_uusssu_0_1_2_3_4_5, \ ++ _sbus_sss_key_uusssu_0_1_2_3_4, \ + (handler), (data)); \ + }) + +@@ -555,7 +555,7 @@ + &_sbus_sss_args_sssd_dataprovider_getAccountInfo, \ + NULL, \ + _sbus_sss_invoke_in_uusssu_out_qus_send, \ +- _sbus_sss_key_uusssu_0_1_2_3_4_5, \ 
++ _sbus_sss_key_uusssu_0_1_2_3_4, \ + (handler_send), (handler_recv), (data)); \ + }) + +@@ -632,7 +632,7 @@ + &_sbus_sss_args_sssd_dataprovider_resolverHandler, \ + NULL, \ + _sbus_sss_invoke_in_uuusu_out_qus_send, \ +- _sbus_sss_key_uuusu_0_1_2_3_4, \ ++ _sbus_sss_key_uuusu_0_1_2_3, \ + (handler), (data)); \ + }) + +@@ -643,7 +643,7 @@ + &_sbus_sss_args_sssd_dataprovider_resolverHandler, \ + NULL, \ + _sbus_sss_invoke_in_uuusu_out_qus_send, \ +- _sbus_sss_key_uuusu_0_1_2_3_4, \ ++ _sbus_sss_key_uuusu_0_1_2_3, \ + (handler_send), (handler_recv), (data)); \ + }) + +diff --git a/src/sss_iface/sbus_sss_keygens.c b/src/sss_iface/sbus_sss_keygens.c +index 1bffc1360..0bded60f8 100644 +--- a/src/sss_iface/sbus_sss_keygens.c ++++ b/src/sss_iface/sbus_sss_keygens.c +@@ -90,86 +90,86 @@ _sbus_sss_key_ussu_0_1 + } + + const char * +-_sbus_sss_key_ussu_0_1_2_3 ++_sbus_sss_key_ussu_0_1_2 + (TALLOC_CTX *mem_ctx, + struct sbus_request *sbus_req, + struct _sbus_sss_invoker_args_ussu *args) + { + if (sbus_req->sender == NULL) { +- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%s:%s:%" PRIu32 "", ++ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%s:%s", + sbus_req->type, sbus_req->interface, sbus_req->member, +- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3); ++ sbus_req->path, args->arg0, args->arg1, args->arg2); + } + +- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%s:%s:%" PRIu32 "", ++ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%s:%s", + sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member, +- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3); ++ sbus_req->path, args->arg0, args->arg1, args->arg2); + } + + const char * +-_sbus_sss_key_usu_0_1_2 ++_sbus_sss_key_usu_0_1 + (TALLOC_CTX *mem_ctx, + struct sbus_request *sbus_req, + struct _sbus_sss_invoker_args_usu *args) + { + if (sbus_req->sender == NULL) { +- return talloc_asprintf(mem_ctx, 
"-:%u:%s.%s:%s:%" PRIu32 ":%s:%" PRIu32 "", ++ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%s", + sbus_req->type, sbus_req->interface, sbus_req->member, +- sbus_req->path, args->arg0, args->arg1, args->arg2); ++ sbus_req->path, args->arg0, args->arg1); + } + +- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%s:%" PRIu32 "", ++ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%s", + sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member, +- sbus_req->path, args->arg0, args->arg1, args->arg2); ++ sbus_req->path, args->arg0, args->arg1); + } + + const char * +-_sbus_sss_key_uusssu_0_1_2_3_4_5 ++_sbus_sss_key_uusssu_0_1_2_3_4 + (TALLOC_CTX *mem_ctx, + struct sbus_request *sbus_req, + struct _sbus_sss_invoker_args_uusssu *args) + { + if (sbus_req->sender == NULL) { +- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%s:%s:%" PRIu32 "", ++ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%s:%s", + sbus_req->type, sbus_req->interface, sbus_req->member, +- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4, args->arg5); ++ sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4); + } + +- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%s:%s:%" PRIu32 "", ++ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%s:%s", + sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member, +- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4, args->arg5); ++ sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4); + } + + const char * +-_sbus_sss_key_uusu_0_1_2_3 ++_sbus_sss_key_uusu_0_1_2 + (TALLOC_CTX *mem_ctx, + struct sbus_request *sbus_req, + struct _sbus_sss_invoker_args_uusu *args) + { + if (sbus_req->sender == NULL) { +- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" 
PRIu32 ":%s:%" PRIu32 "", ++ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s", + sbus_req->type, sbus_req->interface, sbus_req->member, +- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3); ++ sbus_req->path, args->arg0, args->arg1, args->arg2); + } + +- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s:%" PRIu32 "", ++ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%s", + sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member, +- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3); ++ sbus_req->path, args->arg0, args->arg1, args->arg2); + } + + const char * +-_sbus_sss_key_uuusu_0_1_2_3_4 ++_sbus_sss_key_uuusu_0_1_2_3 + (TALLOC_CTX *mem_ctx, + struct sbus_request *sbus_req, + struct _sbus_sss_invoker_args_uuusu *args) + { + if (sbus_req->sender == NULL) { +- return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%" PRIu32 ":%s:%" PRIu32 "", ++ return talloc_asprintf(mem_ctx, "-:%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%" PRIu32 ":%s", + sbus_req->type, sbus_req->interface, sbus_req->member, +- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4); ++ sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3); + } + +- return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%" PRIu32 ":%s:%" PRIu32 "", ++ return talloc_asprintf(mem_ctx, "%"PRIi64":%u:%s.%s:%s:%" PRIu32 ":%" PRIu32 ":%" PRIu32 ":%s", + sbus_req->sender->uid, sbus_req->type, sbus_req->interface, sbus_req->member, +- sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3, args->arg4); ++ sbus_req->path, args->arg0, args->arg1, args->arg2, args->arg3); + } +diff --git a/src/sss_iface/sbus_sss_keygens.h b/src/sss_iface/sbus_sss_keygens.h +index 8f09b46de..7e42c2c53 100644 +--- a/src/sss_iface/sbus_sss_keygens.h ++++ b/src/sss_iface/sbus_sss_keygens.h +@@ -49,31 +49,31 @@ _sbus_sss_key_ussu_0_1 + 
struct _sbus_sss_invoker_args_ussu *args); + + const char * +-_sbus_sss_key_ussu_0_1_2_3 ++_sbus_sss_key_ussu_0_1_2 + (TALLOC_CTX *mem_ctx, + struct sbus_request *sbus_req, + struct _sbus_sss_invoker_args_ussu *args); + + const char * +-_sbus_sss_key_usu_0_1_2 ++_sbus_sss_key_usu_0_1 + (TALLOC_CTX *mem_ctx, + struct sbus_request *sbus_req, + struct _sbus_sss_invoker_args_usu *args); + + const char * +-_sbus_sss_key_uusssu_0_1_2_3_4_5 ++_sbus_sss_key_uusssu_0_1_2_3_4 + (TALLOC_CTX *mem_ctx, + struct sbus_request *sbus_req, + struct _sbus_sss_invoker_args_uusssu *args); + + const char * +-_sbus_sss_key_uusu_0_1_2_3 ++_sbus_sss_key_uusu_0_1_2 + (TALLOC_CTX *mem_ctx, + struct sbus_request *sbus_req, + struct _sbus_sss_invoker_args_uusu *args); + + const char * +-_sbus_sss_key_uuusu_0_1_2_3_4 ++_sbus_sss_key_uuusu_0_1_2_3 + (TALLOC_CTX *mem_ctx, + struct sbus_request *sbus_req, + struct _sbus_sss_invoker_args_uuusu *args); +diff --git a/src/sss_iface/sss_iface.xml b/src/sss_iface/sss_iface.xml +index 6709c4e48..82c65aa0b 100644 +--- a/src/sss_iface/sss_iface.xml ++++ b/src/sss_iface/sss_iface.xml +@@ -91,18 +91,18 @@ + + + +- ++ + + + + + +- ++ + + + + +- ++ + + + +@@ -133,7 +133,7 @@ + + + +- ++ + + + +@@ -150,7 +150,7 @@ + + + +- ++ + + + +@@ -159,7 +159,7 @@ + + + +- ++ + + + +-- +2.41.0 + diff --git a/0005-MC-a-couple-of-additions-to-recover-from-invalid-mem.patch b/0005-MC-a-couple-of-additions-to-recover-from-invalid-mem.patch new file mode 100644 index 0000000000000000000000000000000000000000..76307958407ec5a3eb6cb9265b06217bc68bdbf9 --- /dev/null +++ b/0005-MC-a-couple-of-additions-to-recover-from-invalid-mem.patch 
@@ -0,0 +1,336 @@ +From f3b5389aaa9f8285451a61b2b9a6fcaddf067d07 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Mon, 25 Sep 2023 12:36:09 +0200 +Subject: [PATCH] MC: a couple of additions to 'recover from invalid memory + cache size' patch +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Additions to 641e5f73d3bd5b3d32cafd551013d3bfd2a52732 : + + - handle all invalidations consistently + - supply a valid pointer to `sss_mmap_cache_validate_or_reinit()`, + not a pointer to a local var + +Reviewed-by: Pavel Březina +Reviewed-by: Sumit Bose +(cherry picked from commit 88d8afbb115f18007dcc11f7ebac1b238c3ebd98) +--- + src/responder/nss/nss_get_object.c | 10 ++--- + src/responder/nss/nss_iface.c | 8 ++-- + src/responder/nss/nsssrv_mmap_cache.c | 64 ++++++++++++++++++--------- + src/responder/nss/nsssrv_mmap_cache.h | 10 ++--- + 4 files changed, 56 insertions(+), 36 deletions(-) + +diff --git a/src/responder/nss/nss_get_object.c b/src/responder/nss/nss_get_object.c +index 5d62dd098..29f9cb59b 100644 +--- a/src/responder/nss/nss_get_object.c ++++ b/src/responder/nss/nss_get_object.c +@@ -34,13 +34,13 @@ memcache_delete_entry_by_name(struct sss_nss_ctx *nss_ctx, + + switch (type) { + case SSS_MC_PASSWD: +- ret = sss_mmap_cache_pw_invalidate(nss_ctx->pwd_mc_ctx, name); ++ ret = sss_mmap_cache_pw_invalidate(&nss_ctx->pwd_mc_ctx, name); + break; + case SSS_MC_GROUP: +- ret = sss_mmap_cache_gr_invalidate(nss_ctx->grp_mc_ctx, name); ++ ret = sss_mmap_cache_gr_invalidate(&nss_ctx->grp_mc_ctx, name); + break; + case SSS_MC_INITGROUPS: +- ret = sss_mmap_cache_initgr_invalidate(nss_ctx->initgr_mc_ctx, name); ++ ret = sss_mmap_cache_initgr_invalidate(&nss_ctx->initgr_mc_ctx, name); + break; + default: + return EINVAL; +@@ -66,10 +66,10 @@ memcache_delete_entry_by_id(struct sss_nss_ctx *nss_ctx, + + switch (type) { + case SSS_MC_PASSWD: +- ret = sss_mmap_cache_pw_invalidate_uid(nss_ctx->pwd_mc_ctx, (uid_t)id); ++ ret = 
sss_mmap_cache_pw_invalidate_uid(&nss_ctx->pwd_mc_ctx, (uid_t)id); + break; + case SSS_MC_GROUP: +- ret = sss_mmap_cache_gr_invalidate_gid(nss_ctx->grp_mc_ctx, (gid_t)id); ++ ret = sss_mmap_cache_gr_invalidate_gid(&nss_ctx->grp_mc_ctx, (gid_t)id); + break; + default: + return EINVAL; +diff --git a/src/responder/nss/nss_iface.c b/src/responder/nss/nss_iface.c +index 07e91aa81..db743f8b7 100644 +--- a/src/responder/nss/nss_iface.c ++++ b/src/responder/nss/nss_iface.c +@@ -78,7 +78,7 @@ sss_nss_update_initgr_memcache(struct sss_nss_ctx *nctx, + + if (ret == ENOENT || res->count == 0) { + /* The user is gone. Invalidate the mc record */ +- ret = sss_mmap_cache_pw_invalidate(nctx->pwd_mc_ctx, delete_name); ++ ret = sss_mmap_cache_pw_invalidate(&nctx->pwd_mc_ctx, delete_name); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Internal failure in memory cache code: %d [%s]\n", +@@ -125,7 +125,7 @@ sss_nss_update_initgr_memcache(struct sss_nss_ctx *nctx, + for (i = 0; i < gnum; i++) { + id = groups[i]; + +- ret = sss_mmap_cache_gr_invalidate_gid(nctx->grp_mc_ctx, id); ++ ret = sss_mmap_cache_gr_invalidate_gid(&nctx->grp_mc_ctx, id); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Internal failure in memory cache code: %d [%s]\n", +@@ -134,7 +134,7 @@ sss_nss_update_initgr_memcache(struct sss_nss_ctx *nctx, + } + + to_sized_string(delete_name, fq_name); +- ret = sss_mmap_cache_initgr_invalidate(nctx->initgr_mc_ctx, ++ ret = sss_mmap_cache_initgr_invalidate(&nctx->initgr_mc_ctx, + delete_name); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, +@@ -208,7 +208,7 @@ sss_nss_memorycache_invalidate_group_by_id(TALLOC_CTX *mem_ctx, + DEBUG(SSSDBG_TRACE_LIBS, + "Invalidating group %u from memory cache\n", gid); + +- sss_mmap_cache_gr_invalidate_gid(nctx->grp_mc_ctx, gid); ++ sss_mmap_cache_gr_invalidate_gid(&nctx->grp_mc_ctx, gid); + + return EOK; + } +diff --git a/src/responder/nss/nsssrv_mmap_cache.c 
b/src/responder/nss/nsssrv_mmap_cache.c +index bd814f3bc..cacdc7cc5 100644 +--- a/src/responder/nss/nsssrv_mmap_cache.c ++++ b/src/responder/nss/nsssrv_mmap_cache.c +@@ -701,16 +701,22 @@ static inline void sss_mmap_chain_in_rec(struct sss_mc_ctx *mcc, + * generic invalidation + ***************************************************************************/ + +-static errno_t sss_mmap_cache_invalidate(struct sss_mc_ctx *mcc, ++static errno_t sss_mmap_cache_validate_or_reinit(struct sss_mc_ctx **_mcc); ++ ++static errno_t sss_mmap_cache_invalidate(struct sss_mc_ctx **_mcc, + const struct sized_string *key) + { ++ struct sss_mc_ctx *mcc; + struct sss_mc_rec *rec; ++ int ret; + +- if (mcc == NULL) { +- /* cache not initialized? */ +- return EINVAL; ++ ret = sss_mmap_cache_validate_or_reinit(_mcc); ++ if (ret != EOK) { ++ return ret; + } + ++ mcc = *_mcc; ++ + rec = sss_mc_find_record(mcc, key); + if (rec == NULL) { + /* nothing to invalidate */ +@@ -785,7 +791,7 @@ errno_t sss_mmap_cache_pw_store(struct sss_mc_ctx **_mcc, + const struct sized_string *homedir, + const struct sized_string *shell) + { +- struct sss_mc_ctx *mcc = *_mcc; ++ struct sss_mc_ctx *mcc; + struct sss_mc_rec *rec; + struct sss_mc_pwd_data *data; + struct sized_string uidkey; +@@ -795,11 +801,13 @@ errno_t sss_mmap_cache_pw_store(struct sss_mc_ctx **_mcc, + size_t pos; + int ret; + +- ret = sss_mmap_cache_validate_or_reinit(&mcc); ++ ret = sss_mmap_cache_validate_or_reinit(_mcc); + if (ret != EOK) { + return ret; + } + ++ mcc = *_mcc; ++ + ret = snprintf(uidstr, 11, "%ld", (long)uid); + if (ret > 10) { + return EINVAL; +@@ -851,14 +859,15 @@ errno_t sss_mmap_cache_pw_store(struct sss_mc_ctx **_mcc, + return EOK; + } + +-errno_t sss_mmap_cache_pw_invalidate(struct sss_mc_ctx *mcc, ++errno_t sss_mmap_cache_pw_invalidate(struct sss_mc_ctx **_mcc, + const struct sized_string *name) + { +- return sss_mmap_cache_invalidate(mcc, name); ++ return sss_mmap_cache_invalidate(_mcc, name); + } + +-errno_t 
sss_mmap_cache_pw_invalidate_uid(struct sss_mc_ctx *mcc, uid_t uid) ++errno_t sss_mmap_cache_pw_invalidate_uid(struct sss_mc_ctx **_mcc, uid_t uid) + { ++ struct sss_mc_ctx *mcc; + struct sss_mc_rec *rec = NULL; + struct sss_mc_pwd_data *data; + uint32_t hash; +@@ -866,11 +875,13 @@ errno_t sss_mmap_cache_pw_invalidate_uid(struct sss_mc_ctx *mcc, uid_t uid) + char *uidstr; + errno_t ret; + +- ret = sss_mmap_cache_validate_or_reinit(&mcc); ++ ret = sss_mmap_cache_validate_or_reinit(_mcc); + if (ret != EOK) { + return ret; + } + ++ mcc = *_mcc; ++ + uidstr = talloc_asprintf(NULL, "%ld", (long)uid); + if (!uidstr) { + return ENOMEM; +@@ -927,7 +938,7 @@ int sss_mmap_cache_gr_store(struct sss_mc_ctx **_mcc, + gid_t gid, size_t memnum, + const char *membuf, size_t memsize) + { +- struct sss_mc_ctx *mcc = *_mcc; ++ struct sss_mc_ctx *mcc; + struct sss_mc_rec *rec; + struct sss_mc_grp_data *data; + struct sized_string gidkey; +@@ -937,11 +948,13 @@ int sss_mmap_cache_gr_store(struct sss_mc_ctx **_mcc, + size_t pos; + int ret; + +- ret = sss_mmap_cache_validate_or_reinit(&mcc); ++ ret = sss_mmap_cache_validate_or_reinit(_mcc); + if (ret != EOK) { + return ret; + } + ++ mcc = *_mcc; ++ + ret = snprintf(gidstr, 11, "%ld", (long)gid); + if (ret > 10) { + return EINVAL; +@@ -989,14 +1002,15 @@ int sss_mmap_cache_gr_store(struct sss_mc_ctx **_mcc, + return EOK; + } + +-errno_t sss_mmap_cache_gr_invalidate(struct sss_mc_ctx *mcc, ++errno_t sss_mmap_cache_gr_invalidate(struct sss_mc_ctx **_mcc, + const struct sized_string *name) + { +- return sss_mmap_cache_invalidate(mcc, name); ++ return sss_mmap_cache_invalidate(_mcc, name); + } + +-errno_t sss_mmap_cache_gr_invalidate_gid(struct sss_mc_ctx *mcc, gid_t gid) ++errno_t sss_mmap_cache_gr_invalidate_gid(struct sss_mc_ctx **_mcc, gid_t gid) + { ++ struct sss_mc_ctx *mcc; + struct sss_mc_rec *rec = NULL; + struct sss_mc_grp_data *data; + uint32_t hash; +@@ -1004,11 +1018,13 @@ errno_t sss_mmap_cache_gr_invalidate_gid(struct 
sss_mc_ctx *mcc, gid_t gid) + char *gidstr; + errno_t ret; + +- ret = sss_mmap_cache_validate_or_reinit(&mcc); ++ ret = sss_mmap_cache_validate_or_reinit(_mcc); + if (ret != EOK) { + return ret; + } + ++ mcc = *_mcc; ++ + gidstr = talloc_asprintf(NULL, "%ld", (long)gid); + if (!gidstr) { + return ENOMEM; +@@ -1061,7 +1077,7 @@ errno_t sss_mmap_cache_initgr_store(struct sss_mc_ctx **_mcc, + uint32_t num_groups, + const uint8_t *gids_buf) + { +- struct sss_mc_ctx *mcc = *_mcc; ++ struct sss_mc_ctx *mcc; + struct sss_mc_rec *rec; + struct sss_mc_initgr_data *data; + size_t data_len; +@@ -1069,11 +1085,13 @@ errno_t sss_mmap_cache_initgr_store(struct sss_mc_ctx **_mcc, + size_t pos; + int ret; + +- ret = sss_mmap_cache_validate_or_reinit(&mcc); ++ ret = sss_mmap_cache_validate_or_reinit(_mcc); + if (ret != EOK) { + return ret; + } + ++ mcc = *_mcc; ++ + /* array of gids + name + unique_name */ + data_len = num_groups * sizeof(uint32_t) + name->len + unique_name->len; + rec_len = sizeof(struct sss_mc_rec) + sizeof(struct sss_mc_initgr_data) +@@ -1119,10 +1137,10 @@ errno_t sss_mmap_cache_initgr_store(struct sss_mc_ctx **_mcc, + return EOK; + } + +-errno_t sss_mmap_cache_initgr_invalidate(struct sss_mc_ctx *mcc, ++errno_t sss_mmap_cache_initgr_invalidate(struct sss_mc_ctx **_mcc, + const struct sized_string *name) + { +- return sss_mmap_cache_invalidate(mcc, name); ++ return sss_mmap_cache_invalidate(_mcc, name); + } + + errno_t sss_mmap_cache_sid_store(struct sss_mc_ctx **_mcc, +@@ -1131,18 +1149,20 @@ errno_t sss_mmap_cache_sid_store(struct sss_mc_ctx **_mcc, + uint32_t type, + bool explicit_lookup) + { +- struct sss_mc_ctx *mcc = *_mcc; ++ struct sss_mc_ctx *mcc; + struct sss_mc_rec *rec; + struct sss_mc_sid_data *data; + char idkey[16]; + size_t rec_len; + int ret; + +- ret = sss_mmap_cache_validate_or_reinit(&mcc); ++ ret = sss_mmap_cache_validate_or_reinit(_mcc); + if (ret != EOK) { + return ret; + } + ++ mcc = *_mcc; ++ + ret = snprintf(idkey, sizeof(idkey), 
"%d-%ld", + (type == SSS_ID_TYPE_GID) ? SSS_ID_TYPE_GID : SSS_ID_TYPE_UID, + (long)id); +diff --git a/src/responder/nss/nsssrv_mmap_cache.h b/src/responder/nss/nsssrv_mmap_cache.h +index 686b8e1b2..28ee5adb6 100644 +--- a/src/responder/nss/nsssrv_mmap_cache.h ++++ b/src/responder/nss/nsssrv_mmap_cache.h +@@ -63,17 +63,17 @@ errno_t sss_mmap_cache_sid_store(struct sss_mc_ctx **_mcc, + uint32_t type, /* enum sss_id_type*/ + bool explicit_lookup); /* false ~ by_id(), true ~ by_uid/gid() */ + +-errno_t sss_mmap_cache_pw_invalidate(struct sss_mc_ctx *mcc, ++errno_t sss_mmap_cache_pw_invalidate(struct sss_mc_ctx **_mcc, + const struct sized_string *name); + +-errno_t sss_mmap_cache_pw_invalidate_uid(struct sss_mc_ctx *mcc, uid_t uid); ++errno_t sss_mmap_cache_pw_invalidate_uid(struct sss_mc_ctx **_mcc, uid_t uid); + +-errno_t sss_mmap_cache_gr_invalidate(struct sss_mc_ctx *mcc, ++errno_t sss_mmap_cache_gr_invalidate(struct sss_mc_ctx **_mcc, + const struct sized_string *name); + +-errno_t sss_mmap_cache_gr_invalidate_gid(struct sss_mc_ctx *mcc, gid_t gid); ++errno_t sss_mmap_cache_gr_invalidate_gid(struct sss_mc_ctx **_mcc, gid_t gid); + +-errno_t sss_mmap_cache_initgr_invalidate(struct sss_mc_ctx *mcc, ++errno_t sss_mmap_cache_initgr_invalidate(struct sss_mc_ctx **_mcc, + const struct sized_string *name); + + errno_t sss_mmap_cache_reinit(TALLOC_CTX *mem_ctx, +-- +2.41.0 + diff --git a/0007-sysdb-fix-string-comparison-when-checking-for-overri.patch b/0007-sysdb-fix-string-comparison-when-checking-for-overri.patch deleted file mode 100644 index 5a953ce0147af0954203da94a5654522780242c1..0000000000000000000000000000000000000000 --- a/0007-sysdb-fix-string-comparison-when-checking-for-overri.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From 41f1901230099c2a8b5c4b117bddd993665430cc Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 10 May 2023 10:27:08 +0200 -Subject: [PATCH] sysdb: fix string comparison when checking for overrides - -When checking if the input group-name is the original name from AD or an -overwritten one the comparison is currently done case sensitive. Since -AD handles names case-insensitive and hence SSSD should do this as well -this comparison might cause issues. - -The patch replace the case sensitive comparison with a comparison with -respects the case_sensitive of the domain the object is coming from. - -Resolves: https://github.com/SSSD/sssd/issues/6720 - -Reviewed-by: Alexey Tikhonov -Reviewed-by: Iker Pedrosa -(cherry picked from commit 01d02794e02f051ea9a78cd63b30384de3e7c9b0) - -Reviewed-by: Alexey Tikhonov ---- - src/db/sysdb_search.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/db/sysdb_search.c b/src/db/sysdb_search.c -index 7efd570e7..e4c53b853 100644 ---- a/src/db/sysdb_search.c -+++ b/src/db/sysdb_search.c -@@ -1225,7 +1225,9 @@ int sysdb_getgrnam(TALLOC_CTX *mem_ctx, - res->msgs[0], ORIGINALAD_PREFIX SYSDB_NAME, NULL); - - if (originalad_sanitized_name != NULL -- && strcmp(originalad_sanitized_name, sanitized_name) != 0) { -+ && !sss_string_equal(domain->case_sensitive, -+ originalad_sanitized_name, -+ sanitized_name)) { - fmt_filter = SYSDB_GRNAM_FILTER; - base_dn = sysdb_group_base_dn(tmp_ctx, domain); - res = NULL; --- -2.38.1 - diff --git a/dist b/dist index 9c0e36ec42a2d9bfefacb21ac6354c9ddd910533..37a6f9cba7a88cbcf8ab13c9187a23e686af9edd 100644 --- a/dist +++ b/dist @@ -1 +1 @@ -an8 +an8_9 diff --git a/download b/download index 80ddd9aa0ab73979c5030394b230dec490fcbd57..f8a44ae3e10af751b6da4c095549db9949a72fea 100644 --- a/download +++ b/download @@ -1 +1 @@ -e7647d20b1376df6ec61b8346e3060d4 sssd-2.8.2.tar.gz +96d16913bfe5e60d93febf76275e688d sssd-2.9.1.tar.gz 
diff --git a/sssd.spec b/sssd.spec index 2922712d93bf082c34eb6f00e64f969954fa4339..8f7840d48de60f9bc1e295f4fe669deead61595c 100644 --- a/sssd.spec +++ b/sssd.spec @@ -18,8 +18,8 @@ %global enable_systemtap_opt --enable-systemtap Name: sssd -Version: 2.8.2 -Release: 3%{?dist} +Version: 2.9.1 +Release: 4%{?dist} Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -27,13 +27,11 @@ URL: https://github.com/SSSD/sssd Source0: https://github.com/SSSD/sssd/releases/download/%{version}/sssd-%{version}.tar.gz ### Patches ### -Patch0001: 0001-ldap-update-shadow-last-change-in-sysdb-as-well.patch -Patch0002: 0002-SSS_CLIENT-fix-error-codes-returned-by-common-read-w.patch -Patch0003: 0003-SSS_CLIENT-if-poll-returns-POLLNVAL-then-socket-is-a.patch -Patch0004: 0004-PAM_SSS-close-sss_cli_sd-should-also-be-protected-wi.patch -Patch0005: 0005-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch -Patch0006: 0006-sbus-arm-watchdog-for-sbus_connect_init_send.patch -Patch0007: 0007-sysdb-fix-string-comparison-when-checking-for-overri.patch +Patch0001: 0001-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch +Patch0002: 0002-sbus-arm-watchdog-for-sbus_connect_init_send.patch +Patch0003: 0003-mc-recover-from-invalid-memory-cache-size.patch +Patch0004: 0004-sss_iface-do-not-add-cli_id-to-chain-key.patch +Patch0005: 0005-MC-a-couple-of-additions-to-recover-from-invalid-mem.patch ### Downstream Patches ### @@ -217,7 +215,6 @@ Summary: Userspace tools for use with the SSSD Group: Applications/System License: GPLv3+ Requires: sssd-common = %{version}-%{release} -Requires: libsss_simpleifp = %{version}-%{release} # required by sss_obfuscate Requires: python3-sss = %{version}-%{release} Requires: python3-sssdconfig = %{version}-%{release} 
@@ -597,6 +594,8 @@ autoreconf -ivf --with-initscript=systemd \ --with-syslog=journald \ --with-subid \ + --with-files-provider \ + --with-libsifp \ --enable-sss-default-nss-plugin \ --without-python2-bindings \ --with-sssd-user=sssd \ @@ -913,7 +912,7 @@ done %{_mandir}/man5/sssd-ifp.5* %{_unitdir}/sssd-ifp.service # InfoPipe DBus plumbing -%{_sysconfdir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf +%{_datadir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf %{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service %files -n libsss_simpleifp 
@@ -1216,9 +1215,45 @@ fi %systemd_postun_with_restart sssd.service %changelog -* Mon Jul 10 2023 Alexey Tikhonov - 2.8.2-3 -- Resolves: rhbz#2219351 - [sssd] SSSD enters failed state after heavy load in the system [rhel-8.8.0.z] -- Resolves: rhbz#2196838 - [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed' [rhel-8.8.0.z] +* Mon Oct 03 2023 Eduardo Lima (Etrunko) - 2.9.1-4 +- Related: rhbz#2236414 - dbus and crond getting terminated with SIGBUS in sss_client code + Handle all invalidations consistently + Supply a valid pointer to `sss_mmap_cache_validate_or_reinit()`, not a pointer to a local var + +* Tue Sep 12 2023 Eduardo Lima (Etrunko) - 2.9.1-3 +- Resolves: rhbz#2236414 - dbus and crond getting terminated with SIGBUS in sss_client code +- Resolves: rhbz#2237302 - SSSD runs multiples lookup search for each NFS request (SBUS req chaining stopped working in sssd-2.7) + +* Mon Jul 10 2023 Alexey Tikhonov - 2.9.1-2 +- Resolves: rhbz#2149241 - [sssd] SSSD enters failed state after heavy load in the system + +* Fri Jun 23 2023 Alexey Tikhonov - 2.9.1-1 +- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 +- Resolves: rhbz#2196521 - [RHEL8] sssd : AD user login problem when modify ldap_user_name= name and restricted by GPO Policy +- Resolves: rhbz#2195919 - sssd-be tends to run out of system resources, hitting the maximum number of open files +- Resolves: rhbz#2192708 - [RHEL8] [sssd] User lookup on IPA client fails with 's2n get_fqlist request failed' +- Resolves: rhbz#2139467 - [RHEL8] sssd attempts LDAP password modify extended op after BIND failure +- Resolves: rhbz#2054825 - sssd_be segfault at 0 ip 00007f16b5fcab7e sp 00007fffc1cc0988 error 4 in libc-2.28.so[7f16b5e72000+1bc000] +- Resolves: rhbz#2189583 - [sssd] RHEL 8.9 Tier 0 Localization +- Resolves: rhbz#2170720 - [RHEL8] When adding attributes in sssd.conf that we have already, the cross-forest query just stop working +- Resolves: rhbz#2096183 - BE_REQ_USER_AND_GROUP LDAP search 
filter can inadvertently catch multiple overrides +- Resolves: rhbz#2151450 - [RHEL8] SSSD missing group membership when evaluating GPO policy with 'auto_private_groups = true' + +* Tue May 30 2023 Alexey Tikhonov - 2.9.0-4 +- Related: rhbz#2190417 - Rebase Samba to the latest 4.18.x release + Rebuild against rebased Samba libs + +* Thu May 25 2023 Alexey Tikhonov - 2.9.0-3 +- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 + +* Mon May 15 2023 Alexey Tikhonov - 2.9.0-1 +- Resolves: rhbz#2167836 - Rebase SSSD for RHEL 8.9 +- Resolves: rhbz#2101489 - [sssd] Auth fails if client cannot speak to forest root domain (ldap_sasl_interactive_bind_s failed) +- Resolves: rhbz#2143925 - kinit switches KCM away from the newly issued ticket +- Resolves: rhbz#2151403 - AD user is not found on IPA client after upgrading to RHEL8.7 +- Resolves: rhbz#2164805 - man page entry should make clear that a nested group needs a name +- Resolves: rhbz#2170484 - Unable to lookup AD user from child domain (or "make filtering of the domains more configurable") +- Resolves: rhbz#2180981 - sss allows extraneous @ characters prefixed to username # * Mon Feb 13 2023 Alexey Tikhonov - 2.8.2-2 - Resolves: rhbz#2149091 - Update to sssd-2.7.3-4.el8_7.1.x86_64 resulted in "Request to sssd failed. Device or resource busy"