diff --git a/backport-AD-Do-not-use-the-shortcut-when-filter_groups-is-set.patch b/backport-AD-Do-not-use-the-shortcut-when-filter_groups-is-set.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0b9763a590e5fc6122a46dfdd3f8764b50fbb72c
--- /dev/null
+++ b/backport-AD-Do-not-use-the-shortcut-when-filter_groups-is-set.patch
@@ -0,0 +1,68 @@
+From c3d6cc9a374bd2d31af9ee35fda8c054fcab7c86 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alejandro=20L=C3=B3pez?=
+Date: Wed, 8 Mar 2023 14:28:54 +0100
+Subject: [PATCH] AD: Do not use the shortcut when filter_groups is set.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When using 'id ', a shortcut avoids creating the proper group
+object but, instead, one where the SID is the group name is created.
+This prevents a proper filtering of groups which requires the actual
+group name.
+
+Not using the shortcut will retrieve the group names and the filtering
+will work.
+
+Resolves: https://github.com/SSSD/sssd/issues/6617
+
+Reviewed-by: Sumit Bose
+Reviewed-by: Tomáš Halman
+
+Reference:https://github.com/SSSD/sssd/commit/c3d6cc9a374bd2d31af9ee35fda8c054fcab7c86
+Conflict:NA
+
+---
+ src/providers/ldap/sdap_async_initgroups_ad.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
+index d76b7c8b8..f5c88e2fb 100644
+--- a/src/providers/ldap/sdap_async_initgroups_ad.c
++++ b/src/providers/ldap/sdap_async_initgroups_ad.c
+@@ -1591,6 +1591,8 @@ sdap_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ errno_t ret;
++ bool use_shortcut;
++ char **param = NULL;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct sdap_ad_tokengroups_initgroups_state);
+@@ -1611,9 +1613,22 @@ sdap_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx,
+ * to avoid having to transfer and retain members when the fake
+ * tokengroups object without name is replaced by the full group object
+ */
++ use_shortcut = false;
+ if (state->use_id_mapping
+ && !IS_SUBDOMAIN(state->domain)
+- && state->domain->ignore_group_members == false) {
++ && !state->domain->ignore_group_members) {
++ ret = confdb_get_param(id_ctx->be->cdb, mem_ctx,
id_ctx->be->conf_path,
++ CONFDB_NSS_FILTER_GROUPS, ¶m);
++ if (ret == EOK) {
++ use_shortcut = (param == NULL || param[0] == NULL);
++ talloc_free(param);
++ } else {
++ DEBUG(SSSDBG_MINOR_FAILURE, "Failed to access %s: %i (%s)\n",
++ CONFDB_NSS_FILTER_GROUPS, ret, sss_strerror(ret));
++ /* Continue without using the shortcut. Safest option. */
++ }
++ }
++ if (use_shortcut) {
+ subreq = sdap_ad_tokengroups_initgr_mapping_send(state, ev, opts,
+ sysdb, domain, sh,
+ name, orig_dn,
+--
+2.33.0
+
diff --git a/backport-Fixed-pid-wrapping-in-sss_cli_check_socket.patch b/backport-Fixed-pid-wrapping-in-sss_cli_check_socket.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c3d4a0ec67b50007c3bfb0639dd06d991a69fe9b
--- /dev/null
+++ b/backport-Fixed-pid-wrapping-in-sss_cli_check_socket.patch
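Review bot: The new `confdb_get_param` call allocates the list on the caller's `mem_ctx` rather than on `state`, and `talloc_free(param)` runs only on the `ret == EOK` branch, so if the lookup can hand back a partially built list on failure it stays attached to the caller's context for that context's lifetime. Tying the temporary to the request is a one-line change, `ret = confdb_get_param(id_ctx->be->cdb, state, id_ctx->be->conf_path,`, or alternatively move `talloc_free(param);` after the if/else since `param` starts as NULL. Falling back to not using the shortcut when the config read fails is the right default, because the shortcut is precisely what bypasses the name-based group filtering. Separately, the argument renders here as `¶m`, presumably `&param` in the real file; worth confirming the stored patch is not corrupted, since it would then fail to apply. The enclosing `sdap_ad_tokengroups_initgroups_send` starts and ends outside the hunk.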
@@ -0,0 +1,59 @@
+From 0e25f0d19986d47c86c2e75ceaa3b66499a85ec9 Mon Sep 17 00:00:00 2001
+From: answer9030
+Date: Thu, 9 Mar 2023 14:47:37 +0800
+Subject: [PATCH] Fixed pid wrapping in sss_cli_check_socket
+
+Resolves: https://github.com/SSSD/sssd/issues/6592
+
+Reviewed-by: Alexey Tikhonov
+Reviewed-by: Sumit Bose
+
+Reference:https://github.com/SSSD/sssd/commit/0e25f0d19986d47c86c2e75ceaa3b66499a85ec9
+Conflict:NA
+
+---
+ src/sss_client/common.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/src/sss_client/common.c b/src/sss_client/common.c
+index c8ade645b..39b107527 100644
+--- a/src/sss_client/common.c
++++ b/src/sss_client/common.c
+@@ -684,21 +684,28 @@ static enum sss_status sss_cli_check_socket(int *errnop,
+ int timeout)
+ {
+ static pid_t mypid;
+- struct stat mysb;
++ static struct stat selfsb;
++ struct stat mypid_sb, myself_sb;
+ int mysd;
+ int ret;
+
+- if (getpid() != mypid) {
+- ret = fstat(sss_cli_sd, &mysb);
++ ret = lstat("/proc/self/", &myself_sb);
++
++ if (getpid() != mypid || (ret == 0 && myself_sb.st_ino != selfsb.st_ino)) {
++ ret = fstat(sss_cli_sd, &mypid_sb);
+ if (ret == 0) {
+- if (S_ISSOCK(mysb.st_mode) &&
+- mysb.st_dev == sss_cli_sb.st_dev &&
+- mysb.st_ino == sss_cli_sb.st_ino) {
++ if (S_ISSOCK(mypid_sb.st_mode) &&
++ mypid_sb.st_dev == sss_cli_sb.st_dev &&
++ mypid_sb.st_ino == sss_cli_sb.st_ino) {
+ sss_cli_close_socket();
+ }
+ }
+ sss_cli_sd = -1;
+ mypid = getpid();
++ ret = lstat("/proc/self/", &selfsb);
++ if (ret) {
++ memset(&selfsb, 0, sizeof(selfsb));
++ }
+ }
+
+ /* check if the socket has been closed on the other side */
+--
+2.33.0
+
diff --git a/backport-Fixed-the-problem-of-calling-getpid-and-lstat-twice-.patch b/backport-Fixed-the-problem-of-calling-getpid-and-lstat-twice-.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d8aa8c1a68f8b406b18e1136a709df52cced2d4f
--- /dev/null
+++ b/backport-Fixed-the-problem-of-calling-getpid-and-lstat-twice-.patch
@@ -0,0 +1,60 @@
+From 5c363bfbfb6aee507e4d966df4f45b39e5f00b91 Mon Sep 17 00:00:00 2001
+From: answer9030
+Date: Thu, 16 Mar 2023 14:49:51 +0800
+Subject: [PATCH] Fixed the problem of calling getpid() and lstat() twice in
+ sss_cli_check_socket()
+
+the second call to getpid() and lstat() is redundant.
+
+Reviewed-by: Alexey Tikhonov
+Reviewed-by: Sumit Bose
+
+Reference:https://github.com/SSSD/sssd/commit/5c363bfbfb6aee507e4d966df4f45b39e5f00b91
+Conflict:NA
+
+---
+ src/sss_client/common.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/src/sss_client/common.c b/src/sss_client/common.c
+index 39b107527..53ff6e8e9 100644
+--- a/src/sss_client/common.c
++++ b/src/sss_client/common.c
+@@ -683,15 +683,16 @@ static enum sss_status sss_cli_check_socket(int *errnop,
+ const char *socket_name,
+ int timeout)
+ {
+- static pid_t mypid;
+- static struct stat selfsb;
++ static pid_t mypid_s;
++ static ino_t myself_ino;
+ struct stat mypid_sb, myself_sb;
++ pid_t mypid_d;
+ int mysd;
+ int ret;
+
+ ret = lstat("/proc/self/", &myself_sb);
+-
+- if (getpid() != mypid || (ret == 0 && myself_sb.st_ino != selfsb.st_ino)) {
++ mypid_d = getpid();
++ if (mypid_d != mypid_s || (ret == 0 && myself_sb.st_ino != myself_ino)) {
+ ret = fstat(sss_cli_sd, &mypid_sb);
+ if (ret == 0) {
+ if (S_ISSOCK(mypid_sb.st_mode) &&
+@@ -701,11 +702,8 @@ static enum sss_status sss_cli_check_socket(int *errnop,
+ }
+ }
+ sss_cli_sd = -1;
+- mypid = getpid();
+- ret = lstat("/proc/self/", &selfsb);
+- if (ret) {
+- memset(&selfsb, 0, sizeof(selfsb));
+- }
++ mypid_s = mypid_d;
++ myself_ino = myself_sb.st_ino;
+ }
+
+ /* check if the socket has been closed on the other side */
+--
+2.33.0
+
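Review bot: `myself_ino = myself_sb.st_ino;` in the second hunk runs regardless of whether the initial `lstat("/proc/self/", &myself_sb)` succeeded, so when procfs is not available the static is assigned from a `struct stat` that was never written and holds an indeterminate value; the `memset` fallback this patch removes used to cover that case. Initialising the local, `struct stat mypid_sb, myself_sb = {0};`, keeps the later comparison deterministic without reintroducing the second lstat. When the lstat fails the check also silently degrades to the pid-only comparison that the pid-wrap fix exists to strengthen; a short comment on the `ret == 0 &&` clause noting that degradation would help the next reader. The enclosing `sss_cli_check_socket` continues outside both hunks.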
diff --git a/backport-KCM-Switch-default-caches-only-when-there-is-no-curr.patch b/backport-KCM-Switch-default-caches-only-when-there-is-no-curr.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8cda193a6258336bfb27cb594bba4a6f8c61e18e
--- /dev/null
+++ b/backport-KCM-Switch-default-caches-only-when-there-is-no-curr.patch
@@ -0,0 +1,41 @@
+From 55e27a423d4065aa419e1bd80db1826eb8264c4a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Alejandro=20L=C3=B3pez?=
+Date: Mon, 20 Mar 2023 15:24:03 +0100
+Subject: [PATCH] KCM: Switch default caches only when there is no current
+ default.
+
+Only when there was a current default cache
+(uuid_is_null(old_dfl_uuid) == false), the default cache was switched.
+This condition should be negated so that the cache is switched when
+there is no current default.
+
+Resolves: https://github.com/SSSD/sssd/issues/6357
+
+Reviewed-by: Alexey Tikhonov
+Reviewed-by: Justin Stephenson
+
+Reference:https://github.com/SSSD/sssd/commit/55e27a423d4065aa419e1bd80db1826eb8264c4a
+Conflict:NA
+
+---
+ src/responder/kcm/kcmsrv_ops.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c
+index f7f80d850..33d7cd506 100644
+--- a/src/responder/kcm/kcmsrv_ops.c
++++ b/src/responder/kcm/kcmsrv_ops.c
+@@ -668,8 +668,8 @@ static void kcm_op_initialize_got_default(struct tevent_req *subreq)
+ return;
+ }
+
+- if (uuid_is_null(old_dfl_uuid) == false) {
+- /* If there was a previous default ccache, switch to the initialized
++ if (uuid_is_null(old_dfl_uuid)) {
++ /* If there was no previous default ccache, switch to the initialized
+ * one by default
+ */
+ /* `dfl_uuid` is output arg and isn't read in kcm_cc_get_uuid() but
+--
+2.33.0
+
diff --git a/backport-SUDO-fix-mistype.patch b/backport-SUDO-fix-mistype.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7cd908fc71c7207c3ee0c230ea8f673d015e797c
--- /dev/null
+++ b/backport-SUDO-fix-mistype.patch
@@ -0,0 +1,31 @@
+From e2106c946c933759f0769e5179bb9f743abc0574 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Tue, 21 Mar 2023 17:19:18 +0100
+Subject: [PATCH] SUDO: fix mistype
+
+Reviewed-by: Iker Pedrosa
+Reviewed-by: Justin Stephenson
+
+Reference:https://github.com/SSSD/sssd/commit/e2106c946c933759f0769e5179bb9f743abc0574
+Conflict:NA
+
+---
+ src/responder/sudo/sudosrv_query.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/responder/sudo/sudosrv_query.c b/src/responder/sudo/sudosrv_query.c
+index 5b0edb644..a868ebeed 100644
+--- a/src/responder/sudo/sudosrv_query.c
++++ b/src/responder/sudo/sudosrv_query.c
+@@ -235,7 +235,7 @@ errno_t sudosrv_build_response(TALLOC_CTX *mem_ctx,
+ if (ret != EOK) {
+ goto fail;
+ }
+- DEBUG(SSSDBG_TRACE_INTERNAL, "rules_num: [%"PRIu32"]\n", error);
++ DEBUG(SSSDBG_TRACE_INTERNAL, "rules_num: [%"PRIu32"]\n", rules_num);
+
+ /* rules */
+ for (i = 0; i < rules_num; i++) {
+--
+2.33.0
+
diff --git a/backport-ad-skip-filtering-if-ad_enabled_domains-is-set.patch b/backport-ad-skip-filtering-if-ad_enabled_domains-is-set.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cdbf81344f14258cff427f1672eb47d5a3d84c42
--- /dev/null
+++ b/backport-ad-skip-filtering-if-ad_enabled_domains-is-set.patch
@@ -0,0 +1,87 @@
+From 9358a74d3a56c738890353aaf6bc956bfe72df99 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Mon, 19 Dec 2022 11:21:23 +0100
+Subject: [PATCH] ad: skip filtering if ad_enabled_domains is set
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The domain filtering based on LDAP attributes might be too strict in
+forests which have a long and complex history where not all attributes
+might be updated to reflect the current state, e.g. membership to the
+local forest. To skip the filtering the ad_enabled_domains attribute can
+be set to the list of expected domains.
+
+Resolves: https://github.com/SSSD/sssd/issues/6626
+
+Reviewed-by: Alejandro López
+Reviewed-by: Iker Pedrosa
+
+Reference:https://github.com/SSSD/sssd/commit/9358a74d3a56c738890353aaf6bc956bfe72df99
+Conflict:NA
+
+---
+ src/man/sssd-ad.5.xml | 16 ++++++++++++----
+ src/providers/ad/ad_subdomains.c | 19 +++++++++++++------
+ 2 files changed, 25 insertions(+), 10 deletions(-)
+
+diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
+index 6f8e5990f..65778124b 100644
+--- a/src/man/sssd-ad.5.xml
++++ b/src/man/sssd-ad.5.xml
+@@ -158,10 +158,18 @@ ldap_id_mapping = False
+ ad_enabled_domains (string)
+
+
+- A comma-separated list of enabled Active Directory domains.
+- If provided, SSSD will ignore any domains not listed in this
+- option. If left unset, all domains from the AD forest will
+- be available.
++ A comma-separated list of enabled Active Directory
++ domains. If provided, SSSD will ignore any domains
++ not listed in this option. If left unset, all
++ discovered domains from the AD forest will be
++ available.
++
++
++ During the discovery of the domains SSSD will
++ filter out some domains where flags or attributes
++ indicate that they do not belong to the local
++ forest or are not trusted. If ad_enabled_domains is
++ set, SSSD will try to enable all listed domains.
+
+
+ For proper operation, this option must be specified in all
+diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c
+index 09c5a892d..db7f1c3c7 100644
+--- a/src/providers/ad/ad_subdomains.c
++++ b/src/providers/ad/ad_subdomains.c
+@@ -1524,12 +1524,19 @@ static void ad_get_root_domain_done(struct tevent_req *subreq)
+ goto done;
+ }
+
+- ret = ad_filter_domains(state, unfiltered_reply, unfiltered_reply_count,
+- &state->reply, &state->reply_count);
+- if (ret != EOK) {
+- DEBUG(SSSDBG_OP_FAILURE,
+- "Failed to filter list of returned domains.\n");
+- goto done;
++ if (state->sd_ctx->ad_enabled_domains == NULL) {
++ ret = ad_filter_domains(state, unfiltered_reply, unfiltered_reply_count,
++ &state->reply, &state->reply_count);
++ if (ret != EOK) {
++ DEBUG(SSSDBG_OP_FAILURE,
++ "Failed to filter list of returned domains.\n");
++ goto done;
++ }
++ } else {
++ DEBUG(SSSDBG_TRACE_ALL,
++ "ad_enabled_domains is set, skipping domain filtering.\n");
++ state->reply_count = unfiltered_reply_count;
++ state->reply = unfiltered_reply;
+ }
+
+ if (state->reply_count == 0
+--
+2.33.0
+
diff --git a/sssd.spec b/sssd.spec
index b457ad6d8752aef4e4dbda577baed9adf76104cc..3008499535fa03c165a745ab02b651be4a108db2 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -1,6 +1,6 @@
 Name: sssd
 Version: 2.6.1
-Release: 9
+Release: 10
 Summary: System Security Services Daemon
 License: GPLv3+ and LGPLv3+
 URL: https://pagure.io/SSSD/sssd/
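Review bot: The new `else` branch skips `ad_filter_domains` entirely, which is the step that drops domains whose flags or attributes mark them as outside the local forest or untrusted, yet it records that decision only at `SSSDBG_TRACE_ALL`; since a configuration setting is relaxing a trust check here, logging it at `SSSDBG_CONF_SETTINGS` would make it visible in an ordinary debug log. The man-page text says SSSD will "try to enable all listed domains", but this code keeps every discovered domain in `state->reply`; presumably the restriction to the configured list happens further on, and a one-line comment on the `else` saying so would spare the next reader that question. `state->reply = unfiltered_reply;` also assumes `unfiltered_reply` is already owned by `state`, which the hunk does not show. The enclosing `ad_get_root_domain_done` starts and ends outside the hunk.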
@@ -14,6 +14,12 @@ Patch6004: PAM-P11-fixed-minor-mem-leak.patch
 Patch6005: SSS_CLIENT-mem-cache-fixed-missing-error-code.patch
 Patch6006: fix-coredump-during-ifp-reconnect.patch
 Patch6007: backport-MONITOR-fix-socket_activated-flag-initialization.patch
+Patch6008: backport-SUDO-fix-mistype.patch
+Patch6009: backport-KCM-Switch-default-caches-only-when-there-is-no-curr.patch
+Patch6010: backport-Fixed-pid-wrapping-in-sss_cli_check_socket.patch
+Patch6011: backport-Fixed-the-problem-of-calling-getpid-and-lstat-twice-.patch
+Patch6012: backport-AD-Do-not-use-the-shortcut-when-filter_groups-is-set.patch
+Patch6013: backport-ad-skip-filtering-if-ad_enabled_domains-is-set.patch
 
 Requires: python3-sssd = %{version}-%{release}
 Requires: libldb
@@ -521,6 +527,9 @@ fi
 %systemd_postun_with_restart sssd.service
 
 %changelog
+* Wed Aug 2 2023 xuraoqing - 2.6.1-10
+- backport upstream patch
+
 * Thu Mar 23 2023 yixiangzhike - 2.6.1-9
 - backport upstream patch