diff --git a/backport-CONFDB-check-the-return-values.patch b/backport-CONFDB-check-the-return-values.patch new file mode 100644 index 0000000000000000000000000000000000000000..cb859db3081d1b50d2345a5ec4ebbda88e52c947 --- /dev/null +++ b/backport-CONFDB-check-the-return-values.patch 
@@ -0,0 +1,83 @@ +From 54dd529d2777edc625e25c5ebd259b396360337c Mon Sep 17 00:00:00 2001 +From: Tomas Halman +Date: Thu, 18 Nov 2021 17:43:19 +0100 +Subject: [PATCH] CONFDB: check the return values + +Covscan pointed out that return value of chown and sete[ug]id is +not checked in some cases. There is not much we can do +in case of failure so only minor failure is logged. + +Resolves: https://github.com/SSSD/sssd/issues/5876 + +Reviewed-by: Pawel Polawski + +Reference: https://github.com/SSSD/sssd/commit/54dd529d2777edc625e25c5ebd259b396360337c +Conflict: NA +--- + src/confdb/confdb.c | 6 +++++- + src/util/usertools.c | 25 +++++++++++++++++++++---- + 2 files changed, 26 insertions(+), 5 deletions(-) + +diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c +index 6a6fac916..e557b469c 100644 +--- a/src/confdb/confdb.c ++++ b/src/confdb/confdb.c +@@ -685,7 +685,11 @@ int confdb_init(TALLOC_CTX *mem_ctx, + old_umask = umask(SSS_DFL_UMASK); + /* file may exists and could be owned by root from previous version */ + sss_sssd_user_uid_and_gid(&sssd_uid, &sssd_gid); +- chown(confdb_location, sssd_uid, sssd_gid); ++ ret = chown(confdb_location, sssd_uid, sssd_gid); ++ if (ret != EOK && errno != ENOENT) { ++ DEBUG(SSSDBG_MINOR_FAILURE, "Unable to chown config database [%s]: %s\n", ++ confdb_location, sss_strerror(errno)); ++ } + sss_set_sssd_user_eid(); + + ret = ldb_connect(cdb->ldb, confdb_location, 0, NULL); +diff --git a/src/util/usertools.c b/src/util/usertools.c +index 370a98b41..72deceeee 100644 +--- a/src/util/usertools.c ++++ b/src/util/usertools.c +@@ -863,17 +863,34 @@ void sss_set_sssd_user_eid(void) + uid_t uid; + gid_t gid; + ++ + if (geteuid() == 0) { + sss_sssd_user_uid_and_gid(&uid, &gid); +- seteuid(uid); +- setegid(gid); ++ if (seteuid(uid) != EOK) { ++ DEBUG(SSSDBG_MINOR_FAILURE, ++ "Failed to set euid to %"SPRIuid": %s\n", ++ uid, sss_strerror(errno)); ++ } ++ if (setegid(gid) != EOK) { ++ DEBUG(SSSDBG_MINOR_FAILURE, ++ "Failed to set egid to %"SPRIgid": 
%s\n", ++ gid, sss_strerror(errno)); ++ } + } + } + + void sss_restore_sssd_user_eid(void) + { + if (getuid() == 0) { +- seteuid(getuid()); +- setegid(getgid()); ++ if (seteuid(getuid()) != EOK) { ++ DEBUG(SSSDBG_MINOR_FAILURE, ++ "Failed to restore euid: %s\n", ++ sss_strerror(errno)); ++ } ++ if (setegid(getgid()) != EOK) { ++ DEBUG(SSSDBG_MINOR_FAILURE, ++ "Failed to restore egid: %s\n", ++ sss_strerror(errno)); ++ } + } + } +-- +2.27.0 + diff --git a/backport-KRB5-avoid-FORWARD_NULL.patch b/backport-KRB5-avoid-FORWARD_NULL.patch new file mode 100644 index 0000000000000000000000000000000000000000..42dd88292d41b0ce9939babb066aa570c5e2cb40 --- /dev/null +++ b/backport-KRB5-avoid-FORWARD_NULL.patch @@ -0,0 +1,33 @@ +From 7f308c6fe01408fa6beb48b9f7627068968da771 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Mon, 19 Jun 2023 21:46:08 +0200 +Subject: [PATCH] KRB5: avoid FORWARD_NULL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Alejandro López +Reviewed-by: Tomáš Halman + +Reference: https://github.com/SSSD/sssd/commit/7f308c6fe01408fa6beb48b9f7627068968da771 +Conflict: NA +--- + src/providers/krb5/krb5_ccache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/providers/krb5/krb5_ccache.c b/src/providers/krb5/krb5_ccache.c +index 20d932e53..88f75a8d8 100644 +--- a/src/providers/krb5/krb5_ccache.c ++++ b/src/providers/krb5/krb5_ccache.c +@@ -788,7 +788,7 @@ done: + DEBUG(SSSDBG_OP_FAILURE, "krb5_cc_close failed.\n"); + } + +- if (krb5_cc_close(kctx, mem_ccache) != 0) { ++ if ((mem_ccache != NULL) && (krb5_cc_close(kctx, mem_ccache) != 0)) { + DEBUG(SSSDBG_OP_FAILURE, "krb5_cc_close failed.\n"); + } + +-- +2.27.0 + diff --git a/backport-KRB5-avoid-RESOURCE_LEAK.patch b/backport-KRB5-avoid-RESOURCE_LEAK.patch new file mode 100644 index 0000000000000000000000000000000000000000..a4b2d33a7069c855a83b4e389c6590c8de42dcd0 --- /dev/null 
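Review bot: In the `sss_set_sssd_user_eid()` part of this hunk the euid is dropped before the egid, so by the time `setegid(gid)` runs the process is no longer privileged and the call can fail with EPERM, leaving the daemon with euid=sssd but egid=0 and only a MINOR_FAILURE log line to show for it. The later backport in this same series (`UTILS: swap order of seteuid()/setegid()`) corrects exactly this, so the two patches must land together rather than be cherry-picked separately; the fixed order is `setegid(gid)` first, then `seteuid(uid)`. The stray blank line added at the top of that function can also be dropped. In `confdb_init()` comparing a libc return against `EOK` only works because EOK happens to be 0; `if (ret == -1 && errno != ENOENT)` states the actual contract, and `confdb_init()` continues beyond this hunk.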
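Review bot: The newly guarded `krb5_cc_close(kctx, mem_ccache)` logs the same `"krb5_cc_close failed.\n"` text as the close immediately above it, so a failure in this `done:` section cannot be attributed to either cache from the log. Name the handle in the new message, e.g. `DEBUG(SSSDBG_OP_FAILURE, "krb5_cc_close(mem_ccache) failed.\n");`. The enclosing function starts before this hunk, so whether `mem_ccache` is initialised to NULL on every path that reaches `done:` is an assumption the NULL check now relies on and is worth confirming.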
+++ b/backport-KRB5-avoid-RESOURCE_LEAK.patch @@ -0,0 +1,32 @@ +From a83be8fb51172d4e1a282a0a078d81ee93afdcb5 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Mon, 19 Jun 2023 22:03:43 +0200 +Subject: [PATCH] KRB5: avoid RESOURCE_LEAK +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Alejandro López +Reviewed-by: Tomáš Halman + +Reference: https://github.com/SSSD/sssd/commit/a83be8fb51172d4e1a282a0a078d81ee93afdcb5 +Conflict: NA +--- + src/providers/krb5/krb5_child.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c +index 158831198..a3d83b4c8 100644 +--- a/src/providers/krb5/krb5_child.c ++++ b/src/providers/krb5/krb5_child.c +@@ -1869,6 +1869,7 @@ static krb5_error_code validate_tgt(struct krb5_req *kr) + &validation_princ); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "krb5_copy_principal failed.\n"); ++ krb5_kt_end_seq_get(kr->ctx, keytab, &cursor); + goto done; + } + +-- +2.27.0 + diff --git a/backport-KRB5-avoid-another-attempt-to-free-cc-in-done-sectio.patch b/backport-KRB5-avoid-another-attempt-to-free-cc-in-done-sectio.patch new file mode 100644 index 0000000000000000000000000000000000000000..19402bc52a547b433b1f4d132ad9c15a5ee5e772 --- /dev/null +++ b/backport-KRB5-avoid-another-attempt-to-free-cc-in-done-sectio.patch 
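Review bot: The added `krb5_kt_end_seq_get(kr->ctx, keytab, &cursor);` closes the cursor only on this one `goto done` path; any other early exit between `krb5_kt_start_seq_get()` and the matching end call in `validate_tgt()` (both outside this hunk) would still leak the cursor the same way. A more robust shape is to release the cursor in the `done:` section behind a `bool cursor_open` flag so every exit path is covered, instead of patching the paths one at a time as Covscan finds them. The return value of `krb5_kt_end_seq_get()` is discarded here, which is acceptable on an error path but deserves a one-line comment such as `/* best-effort cleanup; kerr already holds the real error */`.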
@@ -0,0 +1,39 @@ +From f6bbd591d636e4309ec37659f825b0f9c53d4b6b Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Mon, 19 Jun 2023 20:56:14 +0200 +Subject: [PATCH] KRB5: avoid another attempt to free 'cc' in 'done:' section + if first attempt failed. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Alejandro López +Reviewed-by: Tomáš Halman + +Reference: https://github.com/SSSD/sssd/commit/f6bbd591d636e4309ec37659f825b0f9c53d4b6b +Conflict: NA +--- + src/providers/krb5/krb5_ccache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/providers/krb5/krb5_ccache.c b/src/providers/krb5/krb5_ccache.c +index 5b80fec52..72c3a23de 100644 +--- a/src/providers/krb5/krb5_ccache.c ++++ b/src/providers/krb5/krb5_ccache.c +@@ -637,12 +637,12 @@ errno_t get_ccache_file_data(const char *ccache_file, const char *client_name, + krb5_free_cred_contents(ctx, &cred); + + kerr = krb5_cc_close(ctx, cc); ++ cc = NULL; + if (kerr != 0) { + KRB5_DEBUG(SSSDBG_OP_FAILURE, ctx, kerr); + DEBUG(SSSDBG_CRIT_FAILURE, "krb5_cc_close failed.\n"); + goto done; + } +- cc = NULL; + + kerr = 0; + +-- +2.27.0 + diff --git a/backport-KRB5-fix-memory-leak-1.patch b/backport-KRB5-fix-memory-leak-1.patch new file mode 100644 index 0000000000000000000000000000000000000000..33116ca68bf100bb593bbe054d4a792fda497da0 --- /dev/null +++ b/backport-KRB5-fix-memory-leak-1.patch 
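Review bot: Moving `cc = NULL;` above the `kerr != 0` check is correct but non-obvious, and the next reader may well move it back on the assumption that a failed `krb5_cc_close()` leaves the handle usable. Add a comment on the relocated line stating the invariant it relies on, e.g. `/* the handle is invalid after krb5_cc_close() whatever it returns; clear it so done: does not close it twice */`. Whether the `done:` section actually closes `cc` when it is non-NULL is outside this hunk and is what the fix presupposes.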
@@ -0,0 +1,34 @@ +From b69ff375a2b185219bae91c48aa7bfb3138b98f2 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Mon, 19 Jun 2023 21:53:28 +0200 +Subject: [PATCH] KRB5: fix memory leak +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Alejandro López +Reviewed-by: Tomáš Halman + +Reference: https://github.com/SSSD/sssd/commit/b69ff375a2b185219bae91c48aa7bfb3138b98f2 +Conflict: NA +--- + src/providers/krb5/krb5_child.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c +index f69cd6d54..774b47e3a 100644 +--- a/src/providers/krb5/krb5_child.c ++++ b/src/providers/krb5/krb5_child.c +@@ -1400,6 +1400,9 @@ done: + /* FIXME: should we krb5_cc_destroy in case of error? */ + krb5_cc_close(kctx, kcc); + } ++ ++ krb5_free_context(kctx); ++ + return kerr; + } + +-- +2.27.0 + diff --git a/backport-KRB5-fix-memory-leak-2.patch b/backport-KRB5-fix-memory-leak-2.patch new file mode 100644 index 0000000000000000000000000000000000000000..3c49c18ce5963e89af276525d6ce557f53cb0a3c --- /dev/null +++ b/backport-KRB5-fix-memory-leak-2.patch 
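Review bot: The unconditional `krb5_free_context(kctx);` added to the `done:` section runs on every exit, including any path that jumps to `done:` before `krb5_init_context()` succeeded; the beginning of the function is outside this hunk, so whether `kctx` can still be NULL there needs confirming. MIT libkrb5 appears to tolerate a NULL context in `krb5_free_context()`, but guarding it costs one line and removes the dependency on that behaviour: `if (kctx != NULL) { krb5_free_context(kctx); }`. The `krb5_cc_close(kctx, kcc)` just above still discards its return value, and the `FIXME` about `krb5_cc_destroy` on error is left unanswered by this change.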
@@ -0,0 +1,32 @@ +From 75822701770179582c344960603cce8bd54a7890 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Mon, 19 Jun 2023 21:56:13 +0200 +Subject: [PATCH] KRB5: fix memory leak +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Alejandro López +Reviewed-by: Tomáš Halman + +Reference: https://github.com/SSSD/sssd/commit/75822701770179582c344960603cce8bd54a7890 +Conflict: NA +--- + src/providers/krb5/krb5_child.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c +index 774b47e3a..158831198 100644 +--- a/src/providers/krb5/krb5_child.c ++++ b/src/providers/krb5/krb5_child.c +@@ -1854,6 +1854,7 @@ static krb5_error_code validate_tgt(struct krb5_req *kr) + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "error reading keytab [%s], " \ + "not verifying TGT.\n", kr->keytab); ++ krb5_kt_close(kr->ctx, keytab); + return kerr; + } + +-- +2.27.0 + diff --git a/backport-KRB5-fixed-RESOURCE_LEAK.patch b/backport-KRB5-fixed-RESOURCE_LEAK.patch new file mode 100644 index 0000000000000000000000000000000000000000..a2f5850259d9f5c68b7562ad1f0711f3c7101464 --- /dev/null +++ b/backport-KRB5-fixed-RESOURCE_LEAK.patch 
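Review bot: The new `krb5_kt_close(kr->ctx, keytab);` before `return kerr;` creates a second cleanup path in `validate_tgt()`: the later error paths in the same function use `goto done`, where the keytab is presumably released (the `done:` label is outside this hunk). If `done:` does close the keytab, `goto done;` here keeps all cleanup in one place and stops the two paths drifting apart; if it does not, the other paths leak the handle, so either way the mix of styles in one function deserves a look. The `not verifying TGT` message is only safe because a non-zero `kerr` is returned and the caller treats that as an authentication failure, which this hunk does not show.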
@@ -0,0 +1,34 @@ +From 01f0d067f1e4ba8ec3710f515d21631a53c9c9ef Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Tue, 20 Jun 2023 16:48:07 +0200 +Subject: [PATCH] KRB5: fixed RESOURCE_LEAK +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Alejandro López +Reviewed-by: Tomáš Halman + +Reference: https://github.com/SSSD/sssd/commit/01f0d067f1e4ba8ec3710f515d21631a53c9c9ef +Conflict: NA +--- + src/providers/krb5/krb5_keytab.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/providers/krb5/krb5_keytab.c b/src/providers/krb5/krb5_keytab.c +index e70408b9b..db383d411 100644 +--- a/src/providers/krb5/krb5_keytab.c ++++ b/src/providers/krb5/krb5_keytab.c +@@ -214,6 +214,9 @@ done: + + if (kerr != 0) { + talloc_free(mem_name); ++ if ((mem_keytab != NULL) && krb5_kt_close(kctx, mem_keytab) != 0) { ++ DEBUG(SSSDBG_MINOR_FAILURE, "krb5_kt_close failed.\n"); ++ } + } + + if (tmp_mem_keytab != NULL && krb5_kt_close(kctx, tmp_mem_keytab) != 0) { +-- +2.27.0 + diff --git a/backport-LDAP-fixed-RESOURCE_LEAK.patch b/backport-LDAP-fixed-RESOURCE_LEAK.patch new file mode 100644 index 0000000000000000000000000000000000000000..7310fbaa40018cd295707bad5d172c53640a73a9 --- /dev/null +++ b/backport-LDAP-fixed-RESOURCE_LEAK.patch 
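Review bot: In the new error-path cleanup `mem_keytab` is closed but not reset, so if `mem_keytab` is also what the function hands back through an out-parameter (the signature and the tail of `done:` are outside this hunk), a caller that reads it on error would receive a closed handle; add `mem_keytab = NULL;` after the close. The parenthesisation also differs from the neighbouring line: `(mem_keytab != NULL) && krb5_kt_close(...) != 0` versus `tmp_mem_keytab != NULL && krb5_kt_close(...) != 0`; pick one form for both. A short comment on the `kerr != 0` branch, e.g. `/* on failure nothing is handed back to the caller, so release everything built so far */`, would make the ownership rule explicit.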
@@ -0,0 +1,32 @@ +From fd7da517ddd0e220f081ad9e7b5d7fcb0cae39b7 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Tue, 20 Jun 2023 17:22:07 +0200 +Subject: [PATCH] LDAP: fixed RESOURCE_LEAK +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Alejandro López +Reviewed-by: Tomáš Halman + +Reference: https://github.com/SSSD/sssd/commit/fd7da517ddd0e220f081ad9e7b5d7fcb0cae39b7 +Conflict: NA +--- + src/providers/ldap/ldap_child.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c +index 4818240d4..6ad2fb63a 100644 +--- a/src/providers/ldap/ldap_child.c ++++ b/src/providers/ldap/ldap_child.c +@@ -212,6 +212,7 @@ static int lc_verify_keytab_ex(const char *principal, + DEBUG(SSSDBG_FATAL_FAILURE, + "Could not parse keytab entry\n"); + sss_log(SSS_LOG_ERR, "Could not parse keytab entry\n"); ++ krb5_kt_end_seq_get(context, keytab, &cursor); + return EIO; + } + +-- +2.27.0 + diff --git a/backport-LDAP-fixed-leak-of-kprinc.patch b/backport-LDAP-fixed-leak-of-kprinc.patch new file mode 100644 index 0000000000000000000000000000000000000000..45f506e3efe170b513252fba283af9605af759ca --- /dev/null +++ b/backport-LDAP-fixed-leak-of-kprinc.patch 
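Review bot: The added `krb5_kt_end_seq_get(context, keytab, &cursor);` fixes the cursor leak on this `return EIO` path, but the `keytab` handle itself is not closed here, so if `lc_verify_keytab_ex()` resolved the keytab (the top of the function is outside this hunk) the early return still leaks it. If so, the return should mirror whatever the success path does, presumably `krb5_kt_close(context, keytab);` before `return EIO;`. Having the `sss_log(SSS_LOG_ERR, ...)` message name the keytab path would also make this failure diagnosable from syslog without debug logging enabled.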
@@ -0,0 +1,52 @@ +From eca00ef4719c44c4e68ead3346a16229b6471d13 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Tue, 20 Jun 2023 17:41:36 +0200 +Subject: [PATCH] LDAP: fixed leak of `kprinc` +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Alejandro López +Reviewed-by: Tomáš Halman + +Reference: https://github.com/SSSD/sssd/commit/eca00ef4719c44c4e68ead3346a16229b6471d13 +Conflict: NA +--- + src/providers/ldap/ldap_child.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c +index 6ad2fb63a..6c167d239 100644 +--- a/src/providers/ldap/ldap_child.c ++++ b/src/providers/ldap/ldap_child.c +@@ -367,12 +367,6 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, + } + DEBUG(SSSDBG_CONF_SETTINGS, "Principal name is: [%s]\n", full_princ); + +- krberr = krb5_parse_name(context, full_princ, &kprinc); +- if (krberr != 0) { +- DEBUG(SSSDBG_OP_FAILURE, "krb5_parse_name() failed: %d\n", krberr); +- goto done; +- } +- + if (keytab_name) { + krberr = krb5_kt_resolve(context, keytab_name, &keytab); + } else { +@@ -447,8 +441,14 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, + goto done; + } + ++ krberr = krb5_parse_name(context, full_princ, &kprinc); ++ if (krberr != 0) { ++ DEBUG(SSSDBG_OP_FAILURE, "krb5_parse_name() failed: %d\n", krberr); ++ goto done; ++ } + krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc, + keytab, 0, NULL, options); ++ krb5_free_principal(context, kprinc); + if (krberr != 0) { + DEBUG(SSSDBG_OP_FAILURE, + "krb5_get_init_creds_keytab() failed: %d\n", krberr); +-- +2.27.0 + diff --git a/backport-SYSDB-in-case-ignore_group_members-true-group-is-act.patch b/backport-SYSDB-in-case-ignore_group_members-true-group-is-act.patch new file mode 100644 index 0000000000000000000000000000000000000000..09002245c69049755d2b1d1898faa9aeca18b09c --- /dev/null 
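Review bot: After the new `krb5_free_principal(context, kprinc);` the pointer is left dangling; if `done:` in `ldap_child_get_tgt_sync()` (outside this hunk) ever gains a `krb5_free_principal(context, kprinc)` to cover the remaining error paths, this turns into a double free. Reset it on the same line, `krb5_free_principal(context, kprinc); kprinc = NULL;`, which is safe because both MIT and Heimdal accept a NULL principal as far as I recall. Moving the parse next to its only consumer is the right shape; a short comment such as `/* kprinc is only needed for the keytab request below */` would record why it no longer sits with the other setup at the top of the function.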
+++ b/backport-SYSDB-in-case-ignore_group_members-true-group-is-act.patch @@ -0,0 +1,50 @@ +From 2fd5374fdf78bc7330bd9e6f3b86bec86bdf592b Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Sat, 10 Jun 2023 16:28:23 +0200 +Subject: [PATCH] SYSDB: in case (ignore_group_members == true) group is + actually complete +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Example workflow: + - SSSD client is enrolled into AD domain (Token-Groups are enabled) + - `id $user` is executed + - initgroups() is called for this user + - during processing of initgroups() sssd_be obtains a list of group SIDs + user is a member of, and then partially resolves those groups and adds + it to the local cache as "incomplete" (i.e. 'expired') + - as a next step `id` calls getgrnam() for every group in initgroups() list + - since groups are saved into the cache as "incomplete" (technically - "expired") + this again results in LDAP search of this group. + But if `ignore_group_members = true` this search doesn't provide + new information. "Incomplete" groups could be used instead. + +Reviewed-by: Pavel Březina +Reviewed-by: Sumit Bose + +Reference: https://github.com/SSSD/sssd/commit/2fd5374fdf78bc7330bd9e6f3b86bec86bdf592b +Conflict: NA +--- + src/db/sysdb_ops.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c +index d11d8d956..7a3c00213 100644 +--- a/src/db/sysdb_ops.c ++++ b/src/db/sysdb_ops.c +@@ -2307,8 +2307,10 @@ int sysdb_add_incomplete_group(struct sss_domain_info *domain, + ret = sysdb_attrs_add_time_t(attrs, SYSDB_LAST_UPDATE, now); + if (ret) goto done; + ++ /* in case (ignore_group_members == true) group is actually complete */ + ret = sysdb_attrs_add_time_t(attrs, SYSDB_CACHE_EXPIRE, +- now-1); ++ domain->ignore_group_members ? ++ (now + domain->group_timeout) : (now-1)); + if (ret) goto done; + + ret = sysdb_attrs_add_bool(attrs, SYSDB_POSIX, posix); +-- +2.27.0 + 
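Review bot: The new expiry `now + domain->group_timeout` treats a zero `group_timeout` as "expire right now" rather than "never expire": the store paths elsewhere in sysdb_ops.c compute `SYSDB_CACHE_EXPIRE` as `cache_timeout ? now + cache_timeout : 0`, with 0 meaning no expiry, if I read that code correctly (it is outside this hunk). Mirroring that here keeps the two consistent: `domain->ignore_group_members ? (domain->group_timeout ? (now + domain->group_timeout) : 0) : (now - 1)`. The added comment should also say why this is safe, e.g. `/* with ignore_group_members the member list is never consulted, so the "incomplete" record already holds everything a full lookup would return */`, since serving a partial record for the full timeout is otherwise surprising.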
diff --git a/backport-UTILS-swap-order-of-seteuid-setegid.patch b/backport-UTILS-swap-order-of-seteuid-setegid.patch new file mode 100644 index 0000000000000000000000000000000000000000..64e58085c56fade28045af97a20ca76ffd0a69ea --- /dev/null +++ b/backport-UTILS-swap-order-of-seteuid-setegid.patch 
@@ -0,0 +1,69 @@ +From fcfffb5cf14ddd2ff28873e2274bca226441b40b Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Mon, 7 Aug 2023 18:51:54 +0200 +Subject: [PATCH] UTILS: swap order of seteuid()/setegid() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Otherwise it fails with: +``` +6906 16:40:32.455571 setresuid(-1, 996, -1) = 0 +6906 16:40:32.455590 setresgid(-1, 993, -1) = -1 EPERM (Operation not permitted) +``` + +Reviewed-by: Alejandro López +Reviewed-by: Iker Pedrosa + +Reference: https://github.com/SSSD/sssd/commit/fcfffb5cf14ddd2ff28873e2274bca226441b40b +Conflict: NA +--- + src/util/usertools.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/src/util/usertools.c b/src/util/usertools.c +index 40c141032..8084760a0 100644 +--- a/src/util/usertools.c ++++ b/src/util/usertools.c +@@ -860,16 +860,17 @@ void sss_set_sssd_user_eid(void) + + if (geteuid() == 0) { + sss_sssd_user_uid_and_gid(&uid, &gid); +- if (seteuid(uid) != EOK) { +- DEBUG(SSSDBG_MINOR_FAILURE, +- "Failed to set euid to %"SPRIuid": %s\n", +- uid, sss_strerror(errno)); +- } ++ + if (setegid(gid) != EOK) { +- DEBUG(SSSDBG_MINOR_FAILURE, ++ DEBUG(SSSDBG_IMPORTANT_INFO, + "Failed to set egid to %"SPRIgid": %s\n", + gid, sss_strerror(errno)); + } ++ if (seteuid(uid) != EOK) { ++ DEBUG(SSSDBG_IMPORTANT_INFO, ++ "Failed to set euid to %"SPRIuid": %s\n", ++ uid, sss_strerror(errno)); ++ } + } + } + +@@ -877,12 +878,12 @@ void sss_restore_sssd_user_eid(void) + { + if (getuid() == 0) { + if (seteuid(getuid()) != EOK) { +- DEBUG(SSSDBG_MINOR_FAILURE, ++ DEBUG(SSSDBG_IMPORTANT_INFO, + "Failed to restore euid: %s\n", + sss_strerror(errno)); + } + if (setegid(getgid()) != EOK) { +- DEBUG(SSSDBG_MINOR_FAILURE, ++ DEBUG(SSSDBG_IMPORTANT_INFO, + "Failed to restore egid: %s\n", + sss_strerror(errno)); + } +-- +2.27.0 + 
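Review bot: `sss_set_sssd_user_eid()` is a privilege-drop routine that returns `void`, so when `setegid()` or `seteuid()` fails the caller carries on as root with nothing but an IMPORTANT_INFO line, and the strace in the commit message shows this did happen. At minimum verify the outcome and log at a level operators will notice, e.g. `if (geteuid() != uid || getegid() != gid) { DEBUG(SSSDBG_CRIT_FAILURE, "Still running with elevated ids\n"); }` at the end of the `geteuid() == 0` branch, and consider returning an `errno_t` so `confdb_init()` and other callers can refuse to continue. Worth a comment as well that only the effective ids change and the saved uid stays 0, which is what lets `sss_restore_sssd_user_eid()` work and why its order (euid back to 0 first, then egid) is the mirror image of the drop order.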
diff --git a/backport-ad-use-sAMAccountName-to-lookup-hosts.patch b/backport-ad-use-sAMAccountName-to-lookup-hosts.patch new file mode 100644 index 0000000000000000000000000000000000000000..03141980af51062ec3f9966ed7dd5f7b10a34135 --- /dev/null +++ b/backport-ad-use-sAMAccountName-to-lookup-hosts.patch 
@@ -0,0 +1,48 @@ +From 67c11c2ebae843f7ddd6b857efa2e1f6449986f3 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Wed, 7 Jun 2023 10:45:59 +0200 +Subject: [PATCH] ad: use sAMAccountName to lookup hosts + +To determine which GPOs apply to the host running SSSD the full DN of +the host object in AD is needed. To fine this object we use the NetBIOS +name of the host which is stored in AD in the sAMAccountName attribute. +Using other attributes, e.g. if ldap_user_name is set to a different +attribute, will most probably cause a failure since those attributes are +not managed as expected for host object. As a result sAMAccountName +should be hardcoded here to avoid issues. + +Resolves: https://github.com/SSSD/sssd/issues/6766 + +Reviewed-by: Iker Pedrosa +Reviewed-by: Justin Stephenson + +Reference: https://github.com/SSSD/sssd/commit/67c11c2ebae843f7ddd6b857efa2e1f6449986f3 +Conflict: NA +--- + src/providers/ad/ad_gpo.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c +index 4b7bbf182..44e9cbb27 100644 +--- a/src/providers/ad/ad_gpo.c ++++ b/src/providers/ad/ad_gpo.c +@@ -59,6 +59,7 @@ + + #define AD_AT_DN "distinguishedName" + #define AD_AT_UAC "userAccountControl" ++#define AD_AT_SAMACCOUNTNAME "sAMAccountName" + #define AD_AT_CONFIG_NC "configurationNamingContext" + #define AD_AT_GPLINK "gPLink" + #define AD_AT_GPOPTIONS "gpOptions" +@@ -2061,7 +2062,7 @@ ad_gpo_connect_done(struct tevent_req *subreq) + filter = talloc_asprintf(state, + "(&(objectclass=%s)(%s=%s))", + state->opts->user_map[SDAP_OC_USER].name, +- state->opts->user_map[SDAP_AT_USER_NAME].name, ++ AD_AT_SAMACCOUNTNAME, + sam_account_name); + if (filter == NULL) { + ret = ENOMEM; +-- +2.27.0 + 
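Review bot: The filter now hardcodes `sAMAccountName`, yet `sam_account_name` is still interpolated directly into `(&(objectclass=%s)(%s=%s))`; unless it was already passed through `sss_filter_sanitize()` where it is computed (outside this hunk), a host name containing `*`, `(`, `)` or `\` changes the filter's meaning, so that is worth confirming before this lands. The commit message's reasoning for pinning the attribute applies equally to the object class: `state->opts->user_map[SDAP_OC_USER].name` is `ldap_user_object_class`, and a site that points it at a class computer objects do not carry will make this search fail exactly as a custom `ldap_user_name` did. A one-line comment on the new `#define`, e.g. `/* host objects are always matched by NetBIOS name, independent of ldap_user_name */`, would keep the next reader from "fixing" it back to the map.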
diff --git a/backport-fail_over-protect-against-a-segmentation-fault.patch b/backport-fail_over-protect-against-a-segmentation-fault.patch new file mode 100644 index 0000000000000000000000000000000000000000..77088c51ecee97d447a0903d4e1da51a11961780 --- /dev/null +++ b/backport-fail_over-protect-against-a-segmentation-fault.patch 
@@ -0,0 +1,172 @@ +From 8a8869994745429b3f5535a5d0b91f1d0b2fa723 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Wed, 29 Mar 2023 12:58:37 +0200 +Subject: [PATCH] fail_over: protect against a segmentation fault +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +A missing server name in struct fo_server will cause a segmentation +fault. Currently it is unclear why the server name is missing at this +point. To avoid the segmentation fault it is checked before if the +server name is missing. Additionally the state of some internal +structures is added to the debug logs to help debugging why the server +name is missing. + +Resolves: https://github.com/SSSD/sssd/issues/6659 + +Reviewed-by: Alejandro López +Reviewed-by: Alexey Tikhonov + +Reference: https://github.com/SSSD/sssd/commit/8a8869994745429b3f5535a5d0b91f1d0b2fa723 +Conflict: data_provider_fo.c +--- + src/providers/data_provider_fo.c | 14 +++++++++ + src/providers/fail_over.c | 53 ++++++++++++++++++++++++++++++++ + src/providers/fail_over.h | 3 ++ + 3 files changed, 70 insertions(+) + +diff --git a/src/external/sizes.m4 b/src/external/sizes.m4 +index c4f00d66ff..0b6b630026 100644 +--- a/src/external/sizes.m4 ++++ b/src/external/sizes.m4 +@@ -9,6 +9,7 @@ AC_CHECK_SIZEOF(long long) + AC_CHECK_SIZEOF(uid_t) + AC_CHECK_SIZEOF(gid_t) + AC_CHECK_SIZEOF(id_t) ++AC_CHECK_SIZEOF(time_t) + + if test $ac_cv_sizeof_long_long -lt 8 ; then + AC_MSG_ERROR([SSSD requires long long of 64-bits]) + +diff --git a/src/util/sss_format.h b/src/util/sss_format.h +index 9a30417..a9f3770 100644 +--- a/src/util/sss_format.h ++++ b/src/util/sss_format.h +@@ -64,5 +64,12 @@ + # error Unexpected sizeof gid_t + #endif /* SIZEOF_GID_T */ + ++#if SIZEOF_TIME_T == 8 ++# define SPRItime PRId64 ++#elif SIZEOF_TIME_T == 4 ++# define SPRItime PRId32 ++#else ++# error Unexpected sizeof time_t ++#endif /*SIZEOF_TIME_T*/ + + #endif /* __SSS_FORMAT_H__ */ + +diff --git a/src/providers/data_provider_fo.c 
b/src/providers/data_provider_fo.c +index eca5f2f8e..b0aed54e9 100644 +--- a/src/providers/data_provider_fo.c ++++ b/src/providers/data_provider_fo.c +@@ -594,6 +594,14 @@ fail: + tevent_req_error(req, ret); + } + ++static void dump_be_svc_data(const struct be_svc_data *svc) ++{ ++ DEBUG(SSSDBG_OP_FAILURE, "be_svc_data: name=[%s] last_good_srv=[%s] " ++ "last_good_port=[%d] last_status_change=[%"SPRItime"]\n", ++ svc->name, svc->last_good_srv, svc->last_good_port, ++ svc->last_status_change); ++} ++ + errno_t be_resolve_server_process(struct tevent_req *subreq, + struct be_resolve_server_state *state, + struct tevent_req **new_subreq) +@@ -681,6 +689,12 @@ errno_t be_resolve_server_process(struct tevent_req *subreq, + DEBUG(SSSDBG_FUNC_DATA, "Found address for server %s: [%s] TTL %d\n", + fo_get_server_str_name(state->srv), ipaddr, + srvaddr->addr_list[0]->ttl); ++ } else { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Missing server name.\n"); ++ dump_be_svc_data(state->svc); ++ dump_fo_server(state->srv); ++ dump_fo_server_list(state->srv); ++ return ENOENT; + } + + srv_status_change = fo_get_server_hostname_last_change(state->srv); +diff --git a/src/providers/fail_over.c b/src/providers/fail_over.c +index 9cb26838c..7cb642448 100644 +--- a/src/providers/fail_over.c ++++ b/src/providers/fail_over.c +@@ -200,6 +200,59 @@ str_srv_data_status(enum srv_lookup_status status) + return "unknown SRV lookup status"; + } + ++static void dump_srv_data(const struct srv_data *srv_data) ++{ ++ if (srv_data == NULL) { ++ DEBUG(SSSDBG_OP_FAILURE, "srv_data is NULL\n"); ++ return; ++ } ++ ++ DEBUG(SSSDBG_OP_FAILURE, "srv_data: dns_domain [%s] discovery_domain [%s] " ++ "sssd_domain [%s] proto [%s] srv [%s] " ++ "srv_lookup_status [%s] ttl [%d] " ++ "last_status_change [%"SPRItime"]\n", ++ srv_data->dns_domain == NULL ? "dns_domain is NULL" ++ : srv_data->dns_domain, ++ srv_data->discovery_domain == NULL ? 
"discovery_domain is NULL" ++ : srv_data->discovery_domain, ++ srv_data->sssd_domain == NULL ? "sssd_domain is NULL" ++ : srv_data->sssd_domain, ++ srv_data->proto == NULL ? "proto is NULL" ++ : srv_data->proto, ++ srv_data->srv == NULL ? "srv is NULL" ++ : srv_data->srv, ++ str_srv_data_status(srv_data->srv_lookup_status), ++ srv_data->ttl, srv_data->last_status_change.tv_sec); ++} ++ ++void dump_fo_server(const struct fo_server *srv) ++{ ++ DEBUG(SSSDBG_OP_FAILURE, "fo_server: primary [%s] port [%d] " ++ "port_status [%s] common->name [%s].\n", ++ srv->primary ? "true" : "false", srv->port, ++ str_port_status(srv->port_status), ++ srv->common == NULL ? "common is NULL" ++ : (srv->common->name == NULL ++ ? "common->name is NULL" ++ : srv->common->name)); ++ dump_srv_data(srv->srv_data); ++} ++ ++void dump_fo_server_list(const struct fo_server *srv) ++{ ++ const struct fo_server *s; ++ ++ s = srv; ++ while (s->prev != NULL) { ++ s = s->prev; ++ } ++ ++ while (s != NULL) { ++ dump_fo_server(s); ++ s = s->next; ++ } ++} ++ + static const char * + str_server_status(enum server_status status) + { +diff --git a/src/providers/fail_over.h b/src/providers/fail_over.h +index 92a0456b5..36021ad6f 100644 +--- a/src/providers/fail_over.h ++++ b/src/providers/fail_over.h +@@ -88,6 +88,9 @@ struct fo_options { + enum restrict_family family_order; + }; + ++void dump_fo_server(const struct fo_server *srv); ++void dump_fo_server_list(const struct fo_server *srv); ++ + /* + * Create a new fail over context based on options passed in the + * opts parameter +-- +2.27.0 + diff --git a/backport-ipa-correctly-remove-missing-attributes-on-netgroup-.patch b/backport-ipa-correctly-remove-missing-attributes-on-netgroup-.patch new file mode 100644 index 0000000000000000000000000000000000000000..8553da0bcdf2d961879a1f5c8ece530d3c5620cc --- /dev/null +++ b/backport-ipa-correctly-remove-missing-attributes-on-netgroup-.patch 
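Review bot: `dump_fo_server()` dereferences `srv` unconditionally (`srv->primary`, `srv->common`) and `dump_fo_server_list()` reads `s->prev` the same way, while the sibling `dump_srv_data()` guards against NULL; for helpers whose whole purpose is to diagnose a crash, a NULL `srv` must not turn into a second crash. Add the same guard to both, e.g. `if (srv == NULL) { DEBUG(SSSDBG_OP_FAILURE, "fo_server is NULL\n"); return; }`. The `data_provider_fo.c` part returns `ENOENT` straight after dumping; if `be_resolve_server_process()` is expected to set `*new_subreq` or release anything on its other error returns (the function's tail is outside the hunk) this new exit needs the same treatment. The patch also touches `sizes.m4` and `sss_format.h` for `SPRItime`, which neither the diffstat nor the `Conflict:` line in the preamble mentions.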
@@ -0,0 +1,250 @@ +From b033b0dda972e885f63234aa81dca317c8234c2c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Tue, 23 May 2023 12:21:44 +0200 +Subject: [PATCH] ipa: correctly remove missing attributes on netgroup update +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When a netgroup is updated, previously it did not remove the missing +attributes. This caused an issue especially when a member was removed. + +Resolves: https://github.com/SSSD/sssd/issues/6652 + +Reviewed-by: Alejandro López +Reviewed-by: Iker Pedrosa + +Reference: https://github.com/SSSD/sssd/commit/b033b0dda972e885f63234aa81dca317c8234c2c +Conflict: NA +--- + src/db/sysdb.c | 9 ++ + src/db/sysdb.h | 1 + + src/providers/ipa/ipa_netgroups.c | 35 +++++++- + src/tests/system/tests/test_netgroups.py | 108 +++++++++++++++++++++++ + 4 files changed, 151 insertions(+), 2 deletions(-) + create mode 100644 src/tests/system/tests/test_netgroups.py + +diff --git a/src/db/sysdb.c b/src/db/sysdb.c +index 649e79fca..1faa11b16 100644 +--- a/src/db/sysdb.c ++++ b/src/db/sysdb.c +@@ -523,6 +523,15 @@ static int sysdb_attrs_add_val_int(struct sysdb_attrs *attrs, + + return EOK; + } ++ ++int sysdb_attrs_add_empty(struct sysdb_attrs *attrs, const char *name) ++{ ++ struct ldb_message_element *el; ++ ++ /* Calling this will create the element if it does not exist. 
*/ ++ return sysdb_attrs_get_el_ext(attrs, name, true, &el); ++} ++ + int sysdb_attrs_add_val(struct sysdb_attrs *attrs, + const char *name, const struct ldb_val *val) + { +diff --git a/src/db/sysdb.h b/src/db/sysdb.h +index 2f20692cc..887a9630e 100644 +--- a/src/db/sysdb.h ++++ b/src/db/sysdb.h +@@ -398,6 +398,7 @@ enum sysdb_obj_type { + extern const char *sysdb_ts_cache_attrs[]; + + /* values are copied in the structure, allocated on "attrs" */ ++int sysdb_attrs_add_empty(struct sysdb_attrs *attrs, const char *name); + int sysdb_attrs_add_val(struct sysdb_attrs *attrs, + const char *name, const struct ldb_val *val); + int sysdb_attrs_add_val_safe(struct sysdb_attrs *attrs, +diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c +index 52d90af4f..57f11a507 100644 +--- a/src/providers/ipa/ipa_netgroups.c ++++ b/src/providers/ipa/ipa_netgroups.c +@@ -70,7 +70,10 @@ static errno_t ipa_save_netgroup(TALLOC_CTX *mem_ctx, + struct ldb_message_element *el; + struct sysdb_attrs *netgroup_attrs; + const char *name = NULL; ++ char **missing; ++ int missing_index; + int ret; ++ int i; + size_t c; + + ret = sysdb_attrs_get_el(attrs, +@@ -90,6 +93,23 @@ static errno_t ipa_save_netgroup(TALLOC_CTX *mem_ctx, + goto fail; + } + ++ missing = talloc_zero_array(netgroup_attrs, char *, attrs->num + 1); ++ if (missing == NULL) { ++ ret = ENOMEM; ++ goto fail; ++ } ++ ++ for (i = 0, missing_index = 0; i < attrs->num; i++) { ++ if (attrs->a[i].num_values == 0) { ++ missing[missing_index] = talloc_strdup(missing, attrs->a[i].name); ++ if (missing[missing_index] == NULL) { ++ ret = ENOMEM; ++ goto fail; ++ } ++ missing_index++; ++ } ++ } ++ + ret = sysdb_attrs_get_el(attrs, SYSDB_ORIG_DN, &el); + if (ret) { + goto fail; +@@ -138,7 +158,6 @@ static errno_t ipa_save_netgroup(TALLOC_CTX *mem_ctx, + if (el->num_values == 0) { + DEBUG(SSSDBG_TRACE_LIBS, + "No original members for netgroup [%s]\n", name); +- + } else { + DEBUG(SSSDBG_TRACE_LIBS, + "Adding original 
members to netgroup [%s]\n", name); +@@ -173,7 +192,7 @@ static errno_t ipa_save_netgroup(TALLOC_CTX *mem_ctx, + + DEBUG(SSSDBG_TRACE_FUNC, "Storing info for netgroup %s\n", name); + +- ret = sysdb_add_netgroup(dom, name, NULL, netgroup_attrs, NULL, ++ ret = sysdb_add_netgroup(dom, name, NULL, netgroup_attrs, missing, + dom->netgroup_timeout, 0); + if (ret) goto fail; + +@@ -866,6 +885,18 @@ static int ipa_netgr_process_all(struct ipa_get_netgroups_state *state) + + hash_iterate(state->new_netgroups, extract_netgroups, state); + for (i = 0; i < state->netgroups_count; i++) { ++ /* Make sure these attributes always exist, so we can remove them if ++ * there are no members. */ ++ ret = sysdb_attrs_add_empty(state->netgroups[i], SYSDB_NETGROUP_MEMBER); ++ if (ret != EOK) { ++ goto done; ++ } ++ ++ ret = sysdb_attrs_add_empty(state->netgroups[i], SYSDB_NETGROUP_TRIPLE); ++ if (ret != EOK) { ++ goto done; ++ } ++ + /* load all its member netgroups, translate */ + DEBUG(SSSDBG_TRACE_INTERNAL, "Extracting netgroup members of netgroup %d\n", i); + ret = sysdb_attrs_get_string_array(state->netgroups[i], +diff --git a/src/tests/system/tests/test_netgroups.py b/src/tests/system/tests/test_netgroups.py +new file mode 100644 +index 000000000..6b6bc8e8b +--- /dev/null ++++ b/src/tests/system/tests/test_netgroups.py +@@ -0,0 +1,108 @@ ++""" ++Netgroup tests. ++ ++:requirement: netgroup ++""" ++ ++from __future__ import annotations ++ ++import pytest ++from sssd_test_framework.roles.client import Client ++from sssd_test_framework.roles.generic import GenericProvider ++from sssd_test_framework.topology import KnownTopologyGroup ++ ++ ++@pytest.mark.tier(1) ++@pytest.mark.ticket(gh=6652, bz=2162552) ++@pytest.mark.topology(KnownTopologyGroup.AnyProvider) ++def test_netgroups__add_remove_netgroup_triple(client: Client, provider: GenericProvider): ++ """ ++ :title: Netgroup triple is correctly removed from cached record ++ :setup: ++ 1. Create local user "user-1" ++ 2. 
Create netgroup "ng-1" ++ 3. Add "(-,user-1,)" triple to the netgroup ++ 4. Start SSSD ++ :steps: ++ 1. Run "getent netgroup ng-1" ++ 2. Remove "(-,user-1,)" triple from "ng-1" ++ 3. Invalidate netgroup in cache "sssctl cache-expire -n ng-1" ++ 4. Run "getent netgroup ng-1" ++ :expectedresults: ++ 1. "(-,user-1,)" is present in the netgroup ++ 2. Triple was removed from the netgroup ++ 3. Cached record was invalidated ++ 4. "(-,user-1,)" is not present in the netgroup ++ :customerscenario: True ++ """ ++ user = provider.user("user-1").add() ++ ng = provider.netgroup("ng-1").add().add_member(user=user) ++ ++ client.sssd.start() ++ ++ result = client.tools.getent.netgroup("ng-1") ++ assert result is not None ++ assert result.name == "ng-1" ++ assert len(result.members) == 1 ++ assert "(-, user-1)" in result.members ++ ++ ng.remove_member(user=user) ++ client.sssctl.cache_expire(netgroups=True) ++ ++ result = client.tools.getent.netgroup("ng-1") ++ assert result is not None ++ assert result.name == "ng-1" ++ assert len(result.members) == 0 ++ ++ ++@pytest.mark.tier(1) ++@pytest.mark.ticket(gh=6652, bz=2162552) ++@pytest.mark.topology(KnownTopologyGroup.AnyProvider) ++def test_netgroups__add_remove_netgroup_member(client: Client, provider: GenericProvider): ++ """ ++ :title: Netgroup member is correctly removed from cached record ++ :setup: ++ 1. Create local user "user-1" ++ 2. Create local user "user-2" ++ 3. Create netgroup "ng-1" ++ 4. Create netgroup "ng-2" ++ 5. Add "(-,user-1,)" triple to the netgroup "ng-1" ++ 6. Add "(-,user-2,)" triple to the netgroup "ng-2" ++ 7. Add "ng-1" as a member to "ng-2" ++ 8. Start SSSD ++ :steps: ++ 1. Run "getent netgroup ng-2" ++ 2. Remove "ng-1" from "ng-2" ++ 3. Invalidate netgroup "ng-2" in cache "sssctl cache-expire -n ng-2" ++ 4. Run "getent netgroup ng-2" ++ :expectedresults: ++ 1. "(-,user-1,)", "(-,user-2,)" is present in the netgroup ++ 2. Netgroup member was removed from the netgroup ++ 3. 
Cached record was invalidated ++ 4. "(-,user-1,)" is not present in the netgroup, only "(-,user-2,)" ++ :customerscenario: True ++ """ ++ u1 = provider.user("user-1").add() ++ u2 = provider.user("user-2").add() ++ ++ ng1 = provider.netgroup("ng-1").add().add_member(user=u1) ++ ng2 = provider.netgroup("ng-2").add().add_member(user=u2, ng=ng1) ++ ++ client.sssd.start() ++ ++ result = client.tools.getent.netgroup("ng-2") ++ assert result is not None ++ assert result.name == "ng-2" ++ assert len(result.members) == 2 ++ assert "(-, user-1)" in result.members ++ assert "(-, user-2)" in result.members ++ ++ ng2.remove_member(ng=ng1) ++ client.sssctl.cache_expire(netgroups=True) ++ ++ result = client.tools.getent.netgroup("ng-2") ++ assert result is not None ++ assert result.name == "ng-2" ++ assert len(result.members) == 1 ++ assert "(-, user-1)" not in result.members ++ assert "(-, user-2)" in result.members +-- +2.27.0 + diff --git a/backport-sbus-arm-watchdog-for-sbus_connect_init_send.patch b/backport-sbus-arm-watchdog-for-sbus_connect_init_send.patch new file mode 100644 index 0000000000000000000000000000000000000000..f1c124b5d62d11573810e74230f6d471831c7280 --- /dev/null +++ b/backport-sbus-arm-watchdog-for-sbus_connect_init_send.patch 
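Review bot: `sysdb_attrs_add_empty()` becomes part of the public sysdb API in `sysdb.h` with no comment, and its only documentation is the one-liner inside `sysdb.c`; since an empty element is what later drives attribute removal through the `missing` list passed to `sysdb_add_netgroup()`, that contract belongs on the declaration, e.g. `/* Ensure the attribute exists with zero values; used to mark an attribute for removal when the entry is updated. */`. In `ipa_save_netgroup()` the `missing` list is built from every zero-valued element in `attrs`, not only the two that `ipa_netgr_process_all()` pre-creates, so any other attribute that arrives empty from LDAP is now deleted from the cached entry on update — presumably intended, but worth a sentence in a comment above the loop. `missing` and its strings hang off `netgroup_attrs`, so the `fail:` path frees them along with it.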
@@ -0,0 +1,55 @@
+From cca9361d92501e0be34d264d370fe897a0c970af Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Fri, 9 Jun 2023 13:01:47 +0200
+Subject: [PATCH] sbus: arm watchdog for sbus_connect_init_send()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+There seem to be conditions where the reply in the
+sbus_call_DBus_Hello_send() request gets lost and the backend cannot
+properly initialize its sbus/DBus server. Since the backend cannot be
+connected by the frontends in this state the best way to recover would
+be a restart. Since the event-loop is active in this state, e.g. waiting
+for the reply, the watchdog will not consider the process as hung and
+will not restart the process.
+
+To make the watchdog handle this case arm_watchdog() and
+disarm_watchdog() are called before and after the request, respectively.
+
+Resolves: https://github.com/SSSD/sssd/issues/6803
+
+Reviewed-by: Alexey Tikhonov
+Reviewed-by: Pavel Březina
+
+Reference: https://github.com/SSSD/sssd/commit/cca9361d92501e0be34d264d370fe897a0c970af
+Conflict: Makefile.am
+---
+ src/sbus/connection/sbus_connection_connect.c | 4 ++++
+ 1 files changed, 4 insertions(+)
+
+diff --git a/src/sbus/connection/sbus_connection_connect.c b/src/sbus/connection/sbus_connection_connect.c
+index 45a0fa491..edc090e15 100644
+--- a/src/sbus/connection/sbus_connection_connect.c
++++ b/src/sbus/connection/sbus_connection_connect.c
+@@ -67,6 +67,8 @@ sbus_connect_init_send(TALLOC_CTX *mem_ctx,
+
+ tevent_req_set_callback(subreq, sbus_connect_init_hello_done, req);
+
++ arm_watchdog();
++
+ return req;
+ }
+
+@@ -111,6 +113,8 @@ static void sbus_connect_init_done(struct tevent_req *subreq)
+ uint32_t res;
+ errno_t ret;
+
++ disarm_watchdog();
++
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+
+ ret = sbus_call_DBus_RequestName_recv(subreq, &res);
+--
+2.27.0
+
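Review bot: disarm_watchdog() is reached only from sbus_connect_init_done(), the RequestName callback, while the reply the commit message describes as getting lost belongs to the Hello request whose callback, sbus_connect_init_hello_done(), sits between the two; if that handler completes the request with an error without issuing the RequestName call, the watchdog stays armed and an ordinary, reportable failure ends as a watchdog kill — the handler is outside this hunk, so this is inferred from the callback wiring visible here. Calling `disarm_watchdog();` as the first statement of sbus_connect_init_hello_done() covers exactly the lost-Hello-reply case the commit targets and leaves later error paths free to fail normally; if the RequestName round-trip should be covered too, re-arm just before that send and keep the existing disarm in sbus_connect_init_done(). The arm in sbus_connect_init_send() is unconditional, so two of these requests in flight in one process would hit the non-nesting limitation the util.h comment in the companion watchdog patch documents. Both sbus_connect_init_send() and sbus_connect_init_done() begin outside the inner hunks shown.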
diff --git a/backport-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch b/backport-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch
new file mode 100644
index 0000000000000000000000000000000000000000..40020e4e95261ade4b97091bff5f33c7bbea08c3
--- /dev/null
+++ b/backport-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch
@@ -0,0 +1,108 @@
+From 75f2b35ad3b9256de905d05c5108400d35688554 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Fri, 9 Jun 2023 12:31:39 +0200
+Subject: [PATCH] watchdog: add arm_watchdog() and disarm_watchdog() calls
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Those two new calls can be used if there are requests stuck by e.g.
+waiting on replies where there is no other way to handle the timeout and
+get the system back into a stable state. They should be only used as a
+last resort.
+
+Resolves: https://github.com/SSSD/sssd/issues/6803
+
+Reviewed-by: Alexey Tikhonov
+Reviewed-by: Pavel Březina
+
+Reference: https://github.com/SSSD/sssd/commit/75f2b35ad3b9256de905d05c5108400d35688554
+Conflict: NA
+---
+ src/util/util.h | 12 ++++++++++++
+ src/util/util_watchdog.c | 28 ++++++++++++++++++++++++++--
+ 2 files changed, 38 insertions(+), 2 deletions(-)
+
+diff --git a/src/util/util.h b/src/util/util.h
+index 11dc40d57..02fd53237 100644
+--- a/src/util/util.h
++++ b/src/util/util.h
+@@ -791,6 +791,18 @@ int setup_watchdog(struct tevent_context *ev, int interval);
+ void teardown_watchdog(void);
+ int get_watchdog_ticks(void);
+
++/* The arm_watchdog() and disarm_watchdog() calls will disable and re-enable
++ * the watchdog reset, respectively. This means that after arm_watchdog() is
++ * called the watchdog will not be resetted anymore and it will kill the
++ * process if disarm_watchdog() wasn't called before.
++ * Those calls should only be used when there is no other way to handle
++ * waiting request and recover into a stable state.
++ * Those calls cannot be nested, i.e. after calling arm_watchdog() it should
++ * not be called a second time in a different request because then
++ * disarm_watchdog() will disable the watchdog coverage for both. */
++void arm_watchdog(void);
++void disarm_watchdog(void);
++
+ /* from files.c */
+ int sss_remove_tree(const char *root);
+ int sss_remove_subtree(const char *root);
+diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c
+index b1534e499..abafd94b9 100644
+--- a/src/util/util_watchdog.c
++++ b/src/util/util_watchdog.c
+@@ -40,6 +40,7 @@ struct watchdog_ctx {
+ time_t timestamp;
+ struct tevent_fd *tfd;
+ int pipefd[2];
++ bool armed; /* if 'true' ticks counter will not be reset */
+ } watchdog_ctx;
+
+ static void watchdog_detect_timeshift(void)
+@@ -89,8 +90,13 @@ static void watchdog_event_handler(struct tevent_context *ev,
+ struct timeval current_time,
+ void *private_data)
+ {
+- /* first thing reset the watchdog ticks */
+- watchdog_reset();
++ if (!watchdog_ctx.armed) {
++ /* first thing reset the watchdog ticks */
++ watchdog_reset();
++ } else {
++ DEBUG(SSSDBG_IMPORTANT_INFO,
++ "Watchdog armed, process might be terminated soon.\n");
++ }
+
+ /* then set a new watchodg event */
+ watchdog_ctx.te = tevent_add_timer(ev, ev,
+@@ -197,6 +203,7 @@ int setup_watchdog(struct tevent_context *ev, int interval)
+ watchdog_ctx.ev = ev;
+ watchdog_ctx.input_interval = interval;
+ watchdog_ctx.timestamp = time(NULL);
++ watchdog_ctx.armed = false;
+
+ ret = pipe(watchdog_ctx.pipefd);
+ if (ret == -1) {
+@@ -264,3 +271,20 @@ int get_watchdog_ticks(void)
+ {
+ return __sync_add_and_fetch(&watchdog_ctx.ticks, 0);
+ }
++
++void arm_watchdog(void)
++{
++ if (watchdog_ctx.armed) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ "arm_watchdog() is called although the watchdog is already armed. "
++ "This indicates a programming error and should be avoided because "
++ "it will most probably not work as expected.\n");
++ }
++
++ watchdog_ctx.armed = true;
++}
++
++void disarm_watchdog(void)
++{
++ watchdog_ctx.armed = false;
++}
+--
+2.27.0
+
diff --git a/sssd.spec b/sssd.spec
index 54af711410f4ef85134e617232d3a71c86403750..0eed70346530c46a99bd31fefb4a79a5dbaaf114 100644
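Review bot: A second arm_watchdog() while another request already holds the watchdog armed is logged at CRIT_FAILURE in the new arm_watchdog() but otherwise proceeds, and the first disarm_watchdog() then clears `armed` for both — the new comment in util.h documents this loss of coverage instead of preventing it, which matters because the sbus patch that consumes this API arms unconditionally. Turning `armed` into an unsigned holder count (incremented in arm_watchdog(), decremented in disarm_watchdog(), set to 0 in setup_watchdog(), and tested with `== 0` in watchdog_event_handler()) keeps the process covered until every caller has disarmed and makes an unbalanced disarm a loggable underflow rather than silent loss; the util.h comment would then describe the pair as balanced calls rather than non-nestable ones. A smaller point: the IMPORTANT_INFO message in watchdog_event_handler() gives an operator reading the log after a restart no hint of how many requests were stuck, so the count is worth including in that message. Each inner hunk's enclosing function other than arm_watchdog()/disarm_watchdog() starts outside the lines shown.
```c
/* … unchanged: struct watchdog_ctx fields up to pipefd … */
    unsigned int armed; /* callers currently holding the watchdog armed; ticks are not reset while > 0 */
/* … unchanged: watchdog_event_handler up to the reset … */
    if (watchdog_ctx.armed == 0) {
        /* first thing reset the watchdog ticks */
        watchdog_reset();
    } else {
        DEBUG(SSSDBG_IMPORTANT_INFO,
              "Watchdog armed by %u pending request(s), process might be "
              "terminated soon.\n", watchdog_ctx.armed);
    }
/* … unchanged: setup_watchdog, with watchdog_ctx.armed = 0; … */
void arm_watchdog(void)
{
    watchdog_ctx.armed++;
}

void disarm_watchdog(void)
{
    if (watchdog_ctx.armed == 0) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "disarm_watchdog() called without a matching arm_watchdog().\n");
        return;
    }
    watchdog_ctx.armed--;
}
```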
--- a/sssd.spec
+++ b/sssd.spec
@@ -1,6 +1,6 @@
 Name: sssd
 Version: 2.6.1
-Release: 10
+Release: 11
 Summary: System Security Services Daemon
 License: GPLv3+ and LGPLv3+
 URL: https://pagure.io/SSSD/sssd/
@@ -20,6 +20,22 @@ Patch6010: backport-Fixed-pid-wrapping-in-sss_cli_check_socket.patch
 Patch6011: backport-Fixed-the-problem-of-calling-getpid-and-lstat-twice-.patch
 Patch6012: backport-AD-Do-not-use-the-shortcut-when-filter_groups-is-set.patch
 Patch6013: backport-ad-skip-filtering-if-ad_enabled_domains-is-set.patch
+Patch6014: backport-fail_over-protect-against-a-segmentation-fault.patch
+Patch6015: backport-ipa-correctly-remove-missing-attributes-on-netgroup-.patch
+Patch6016: backport-ad-use-sAMAccountName-to-lookup-hosts.patch
+Patch6017: backport-KRB5-avoid-FORWARD_NULL.patch
+Patch6018: backport-KRB5-fix-memory-leak-1.patch
+Patch6019: backport-KRB5-fix-memory-leak-2.patch
+Patch6020: backport-KRB5-avoid-RESOURCE_LEAK.patch
+Patch6021: backport-KRB5-fixed-RESOURCE_LEAK.patch
+Patch6022: backport-LDAP-fixed-RESOURCE_LEAK.patch
+Patch6023: backport-LDAP-fixed-leak-of-kprinc.patch
+Patch6024: backport-watchdog-add-arm_watchdog-and-disarm_watchdog-calls.patch
+Patch6025: backport-sbus-arm-watchdog-for-sbus_connect_init_send.patch
+Patch6026: backport-SYSDB-in-case-ignore_group_members-true-group-is-act.patch
+Patch6027: backport-KRB5-avoid-another-attempt-to-free-cc-in-done-sectio.patch
+Patch6028: backport-CONFDB-check-the-return-values.patch
+Patch6029: backport-UTILS-swap-order-of-seteuid-setegid.patch

 Requires: python3-sssd = %{version}-%{release}
 Requires: libldb
@@ -557,6 +573,9 @@ fi
 %{_libdir}/%{name}/modules/libwbclient.so

 %changelog
+* Fri Sep 22 2023 fuanan - 2.6.1-11
+- backport upstream patches
+
 * Wed Aug 2 2023 xuraoqing - 2.6.1-10
 - backport upstream patch