From cd5612d3e6e9018830a589846aea4105a53dae3290b02e6752173e7e5568db1e Mon Sep 17 00:00:00 2001 From: Ralf Haferkamp Date: Tue, 2 Aug 2011 07:04:28 +0000 Subject: [PATCH 1/2] Accepting request 77463 from home:jengelh:dev - Add patches to fix an fd leak in sssd_pam OBS-URL: https://build.opensuse.org/request/show/77463 OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=55 --- 0001-Silence-autoconf-2.28-warnings.patch | 34 ++++++++++++ ...lient-avoid-leaking-file-descriptors.patch | 55 +++++++++++++++++++ sssd.changes | 5 ++ sssd.spec | 3 + 4 files changed, 97 insertions(+) create mode 100644 0001-Silence-autoconf-2.28-warnings.patch create mode 100644 0001-sss_client-avoid-leaking-file-descriptors.patch diff --git a/0001-Silence-autoconf-2.28-warnings.patch b/0001-Silence-autoconf-2.28-warnings.patch new file mode 100644 index 0000000..ae9a899 --- /dev/null +++ b/0001-Silence-autoconf-2.28-warnings.patch 
@@ -0,0 +1,34 @@ +From 90fc734631c26c762cc87bd0cd90a8e6b3ee9e95 Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Fri, 29 Jul 2011 09:51:23 +0200 +Subject: [PATCH] Silence autoconf 2.28 warnings + +--- + configure.ac | 8 ++++---- + 1 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/configure.ac b/configure.ac +index ec29cb7..d79ccfd 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -177,13 +177,13 @@ AC_CHECK_HEADERS([sys/inotify.h]) + AC_CHECK_HEADERS([sasl/sasl.h],,AC_MSG_ERROR([Could not find SASL headers])) + + AC_CACHE_CHECK([whether compiler supports __attribute__((destructor))], +- sss_client_attribute_destructor, ++ sss_client_cv_attribute_destructor, + [AC_COMPILE_IFELSE( +- [__attribute__((destructor)) static void cleanup(void) { }], +- sss_client_attribute_destructor=yes) ++ [AC_LANG_SOURCE([__attribute__((destructor)) static void cleanup(void) { }])], ++ sss_client_cv_attribute_destructor=yes) + ]) + +-if test x"$sss_client_attribute_destructor" = xyes ; then ++if test x"$sss_client_cv_attribute_destructor" = xyes ; then + AC_DEFINE(HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR, 1, + [whether compiler supports __attribute__((destructor))]) + fi +-- +1.7.6 + diff --git a/0001-sss_client-avoid-leaking-file-descriptors.patch b/0001-sss_client-avoid-leaking-file-descriptors.patch new file mode 100644 index 0000000..5ae260a --- /dev/null +++ b/0001-sss_client-avoid-leaking-file-descriptors.patch 
@@ -0,0 +1,55 @@ +>From b28d5e5f7eddf504cbe36cff1ddba5b240822668 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Thu, 28 Jul 2011 15:15:26 -0400 +Subject: [PATCH] sss_client: avoid leaking file descriptors + +If a pam or nss module is dlcolse()d and unloaded we were leaking +the file descriptor used to communicate to sssd in the process. + +Make sure the fucntion used to close the socket file descriptor is +called on dlclose() +--- + configure.ac | 12 ++++++++++++ + src/sss_client/common.c | 3 +++ + 2 files changed, 15 insertions(+), 0 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 0e2e6d44a0cc4b33fda39b3eaf3dcd383d1e09dc..ec29cb71a2153d29f73231e92646ea46eacd68a2 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -176,6 +176,18 @@ AC_CHECK_HEADERS([sys/inotify.h]) + + AC_CHECK_HEADERS([sasl/sasl.h],,AC_MSG_ERROR([Could not find SASL headers])) + ++AC_CACHE_CHECK([whether compiler supports __attribute__((destructor))], ++ sss_client_attribute_destructor, ++ [AC_COMPILE_IFELSE( ++ [__attribute__((destructor)) static void cleanup(void) { }], ++ sss_client_attribute_destructor=yes) ++ ]) ++ ++if test x"$sss_client_attribute_destructor" = xyes ; then ++ AC_DEFINE(HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR, 1, ++ [whether compiler supports __attribute__((destructor))]) ++fi ++ + PKG_CHECK_MODULES([CHECK], [check >= 0.9.5], [have_check=1], [have_check=]) + if test x$have_check = x; then + AC_MSG_WARN([Without the 'CHECK' libraries, you will be unable to run all tests in the 'make check' suite]) +diff --git a/src/sss_client/common.c b/src/sss_client/common.c +index b603305596a3ed3fd653930388ff633daa187db2..55e393e57a1fc759dd7972a611a0d5e4e88abda7 100644 +--- a/src/sss_client/common.c ++++ b/src/sss_client/common.c +@@ -53,6 +53,9 @@ + int sss_cli_sd = -1; /* the sss client socket descriptor */ + struct stat sss_cli_sb; /* the sss client stat buffer */ + ++#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR ++__attribute__((destructor)) ++#endif + static void 
sss_cli_close_socket(void) + { + if (sss_cli_sd != -1) { +-- +1.7.6 + diff --git a/sssd.changes b/sssd.changes index c18bd02..f02f6fa 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Jul 29 10:39:51 UTC 2011 - jengelh@medozas.de + +- Add patches to fix an fd leak in sssd_pam + ------------------------------------------------------------------- Thu Jul 28 10:03:32 UTC 2011 - jengelh@medozas.de diff --git a/sssd.spec b/sssd.spec index e5b0d6c..aa356a2 100644 --- a/sssd.spec +++ b/sssd.spec @@ -26,6 +26,8 @@ License: GPLv3+ and LGPLv3+ Url: https://fedorahosted.org/sssd/ Source0: %{name}-%{version}.tar.bz2 Source1: baselibs.conf +Patch1: 0001-sss_client-avoid-leaking-file-descriptors.patch +Patch2: 0001-Silence-autoconf-2.28-warnings.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define servicename sssd @@ -109,6 +111,7 @@ Security Services Daemon (sssd). %prep %setup -q +%patch -P 1 -P 2 -p1 %build autoreconf From 6482163856d851eb76ec8dcadb5423595579a82aa385fabdb62e7875dfdd8427 Mon Sep 17 00:00:00 2001 
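Review bot: The new guard `#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR` relies on an undefined macro evaluating to 0 when configure did not define it; `#ifdef HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR` states the intent and stays quiet under -Wundef. The configure probe only asks whether `__attribute__((destructor)) static void cleanup(void) { }` compiles, so a compiler that accepts the syntax but merely warns and ignores the attribute would pass the test and the fd would still leak on dlclose() without anyone noticing; presumably the probe should fail on warnings (e.g. temporarily adding -Werror to CFLAGS around the AC_COMPILE_IFELSE), or an `#else` branch should at least `#warning` that the socket is not released on unload. A short why-comment above the attribute would help the next reader, e.g. `/* pam/nss modules get dlclose()d; release the process-global sssd socket when the library is unloaded */`. The body of sss_cli_close_socket continues outside the hunk, so whether it resets sss_cli_sd to -1 after close() cannot be seen here.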
From: Ralf Haferkamp Date: Tue, 2 Aug 2011 09:16:11 +0000 Subject: [PATCH 2/2] Accepting request 77655 from home:rhafer:branches:network:ldap bnc#705768,bnc#709747 OBS-URL: https://build.opensuse.org/request/show/77655 OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=56 --- 0001-Silence-autoconf-2.28-warnings.patch | 34 --------------- ...lient-avoid-leaking-file-descriptors.patch | 28 ++++++------- ...-control-unconditionally-during-bind.patch | 42 +++++++++++++++++++ ...cide-when-an-expiration-warning-is-w.patch | 33 +++++++++++++++ sssd.changes | 9 ++++ sssd.spec | 16 ++++--- 6 files changed, 107 insertions(+), 55 deletions(-) delete mode 100644 0001-Silence-autoconf-2.28-warnings.patch create mode 100644 0002-Request-password-control-unconditionally-during-bind.patch create mode 100644 0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch diff --git a/0001-Silence-autoconf-2.28-warnings.patch b/0001-Silence-autoconf-2.28-warnings.patch deleted file mode 100644 index ae9a899..0000000 --- a/0001-Silence-autoconf-2.28-warnings.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 90fc734631c26c762cc87bd0cd90a8e6b3ee9e95 Mon Sep 17 00:00:00 2001 -From: Jakub Hrozek -Date: Fri, 29 Jul 2011 09:51:23 +0200 -Subject: [PATCH] Silence autoconf 2.28 warnings - ---- - configure.ac | 8 ++++---- - 1 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/configure.ac b/configure.ac -index ec29cb7..d79ccfd 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -177,13 +177,13 @@ AC_CHECK_HEADERS([sys/inotify.h]) - AC_CHECK_HEADERS([sasl/sasl.h],,AC_MSG_ERROR([Could not find SASL headers])) - - AC_CACHE_CHECK([whether compiler supports __attribute__((destructor))], -- sss_client_attribute_destructor, -+ sss_client_cv_attribute_destructor, - [AC_COMPILE_IFELSE( -- [__attribute__((destructor)) static void cleanup(void) { }], -- sss_client_attribute_destructor=yes) -+ [AC_LANG_SOURCE([__attribute__((destructor)) static void cleanup(void) { }])], -+ sss_client_cv_attribute_destructor=yes) - ]) - --if test x"$sss_client_attribute_destructor" = xyes ; then -+if test x"$sss_client_cv_attribute_destructor" = xyes ; then - AC_DEFINE(HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR, 1, - [whether compiler supports __attribute__((destructor))]) - fi --- -1.7.6 - diff --git a/0001-sss_client-avoid-leaking-file-descriptors.patch b/0001-sss_client-avoid-leaking-file-descriptors.patch index 5ae260a..46aaa28 100644 --- a/0001-sss_client-avoid-leaking-file-descriptors.patch +++ b/0001-sss_client-avoid-leaking-file-descriptors.patch @@ -1,34 +1,32 @@ ->From b28d5e5f7eddf504cbe36cff1ddba5b240822668 Mon Sep 17 00:00:00 2001 +From 151681511c4519463c2fe10c656db29a12c01821 Mon Sep 17 00:00:00 2001 
From: Simo Sorce Date: Thu, 28 Jul 2011 15:15:26 -0400 -Subject: [PATCH] sss_client: avoid leaking file descriptors +Subject: sss_client: avoid leaking file descriptors If a pam or nss module is dlcolse()d and unloaded we were leaking the file descriptor used to communicate to sssd in the process. Make sure the fucntion used to close the socket file descriptor is called on dlclose() ---- - configure.ac | 12 ++++++++++++ - src/sss_client/common.c | 3 +++ - 2 files changed, 15 insertions(+), 0 deletions(-) + +Silence autoconf 2.28 warnings (Patch by Jakub Hrozek) diff --git a/configure.ac b/configure.ac -index 0e2e6d44a0cc4b33fda39b3eaf3dcd383d1e09dc..ec29cb71a2153d29f73231e92646ea46eacd68a2 100644 +index 84b83eb..c0b7f8f 100644 --- a/configure.ac +++ b/configure.ac -@@ -176,6 +176,18 @@ AC_CHECK_HEADERS([sys/inotify.h]) +@@ -170,6 +170,18 @@ AC_CHECK_HEADERS([sys/inotify.h]) AC_CHECK_HEADERS([sasl/sasl.h],,AC_MSG_ERROR([Could not find SASL headers])) +AC_CACHE_CHECK([whether compiler supports __attribute__((destructor))], -+ sss_client_attribute_destructor, ++ sss_client_cv_attribute_destructor, + [AC_COMPILE_IFELSE( -+ [__attribute__((destructor)) static void cleanup(void) { }], -+ sss_client_attribute_destructor=yes) ++ [AC_LANG_SOURCE([__attribute__((destructor)) static void cleanup(void) { }])], ++ sss_client_cv_attribute_destructor=yes) + ]) + -+if test x"$sss_client_attribute_destructor" = xyes ; then ++if test x"$sss_client_cv_attribute_destructor" = xyes ; then + AC_DEFINE(HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR, 1, + [whether compiler supports __attribute__((destructor))]) +fi @@ -37,10 +35,10 @@ index 0e2e6d44a0cc4b33fda39b3eaf3dcd383d1e09dc..ec29cb71a2153d29f73231e92646ea46 if test x$have_check = x; then AC_MSG_WARN([Without the 'CHECK' libraries, you will be unable to run all tests in the 'make check' suite]) 
diff --git a/src/sss_client/common.c b/src/sss_client/common.c -index b603305596a3ed3fd653930388ff633daa187db2..55e393e57a1fc759dd7972a611a0d5e4e88abda7 100644 +index c17629a..5f6af41 100644 --- a/src/sss_client/common.c +++ b/src/sss_client/common.c -@@ -53,6 +53,9 @@ +@@ -55,6 +55,9 @@ int sss_cli_sd = -1; /* the sss client socket descriptor */ struct stat sss_cli_sb; /* the sss client stat buffer */ @@ -51,5 +49,5 @@ index b603305596a3ed3fd653930388ff633daa187db2..55e393e57a1fc759dd7972a611a0d5e4 { if (sss_cli_sd != -1) { -- -1.7.6 +1.7.3.4 diff --git a/0002-Request-password-control-unconditionally-during-bind.patch b/0002-Request-password-control-unconditionally-during-bind.patch new file mode 100644 index 0000000..9992abf --- /dev/null +++ b/0002-Request-password-control-unconditionally-during-bind.patch 
@@ -0,0 +1,42 @@ +From 587b013d0b6f8a9411617b5faac2750d2e4b7a5d Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Mon, 1 Aug 2011 15:22:53 +0200 +Subject: Request password control unconditionally during bind + +https://fedorahosted.org/sssd/ticket/940 + +diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c +index cab3657..9d543ec 100644 +--- a/src/providers/ldap/sdap_async_connection.c ++++ b/src/providers/ldap/sdap_async_connection.c +@@ -437,10 +437,10 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx, + state->user_dn = user_dn; + state->pw = pw; + +- ret = sdap_control_create(state->sh, LDAP_CONTROL_PASSWORDPOLICYREQUEST, +- 0, NULL, 0, &ctrls[0]); ++ ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST, ++ 0, NULL, 0, &ctrls[0]); + if (ret != LDAP_SUCCESS && ret != LDAP_NOT_SUPPORTED) { +- DEBUG(1, ("sdap_control_create failed to create " ++ DEBUG(1, ("sss_ldap_control_create failed to create " + "Password Policy control.\n")); + goto fail; + } +@@ -1634,10 +1634,10 @@ static int sdap_rebind_proc(LDAP *ldap, LDAP_CONST char *url, ber_tag_t request, + sasl_mech = dp_opt_get_string(p->opts->basic, SDAP_SASL_MECH); + + if (sasl_mech == NULL) { +- ret = sdap_control_create(p->sh, LDAP_CONTROL_PASSWORDPOLICYREQUEST, +- 0, NULL, 0, &ctrls[0]); ++ ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST, ++ 0, NULL, 0, &ctrls[0]); + if (ret != LDAP_SUCCESS && ret != LDAP_NOT_SUPPORTED) { +- DEBUG(1, ("sdap_control_create failed to create " ++ DEBUG(1, ("sss_ldap_control_create failed to create " + "Password Policy control.\n")); + goto done; + } +-- +1.7.3.4 + diff --git a/0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch b/0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch new file mode 100644 index 0000000..753b96c --- /dev/null +++ b/0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch 
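Review bot: After the switch to `sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST, 0, NULL, 0, &ctrls[0])` in both `simple_bind_send` and `sdap_rebind_proc`, the surviving `ret != LDAP_NOT_SUPPORTED` tolerance looks stale: the old `sdap_control_create` took the server handle and presumably consulted its advertised-controls list, but the new helper has no handle to consult, so it likely never returns LDAP_NOT_SUPPORTED and the condition could shrink to `if (ret != LDAP_SUCCESS) {`. If the old NOT_SUPPORTED path left `ctrls[0]` NULL and later code tests for that, that test is now dead as well. Requesting the control unconditionally is only safe because it is sent non-critically (the `0` after the OID, presumably the criticality flag), which a conforming server may simply ignore; recording that in a comment, `/* non-critical: servers without password-policy support just ignore the control */`, would explain why the advertised-controls check was dropped. Both enclosing functions start and end outside the hunk.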
@@ -0,0 +1,33 @@ +From d0bf20038fddf5ad296287fb16bc80082088b770 Mon Sep 17 00:00:00 2001 +From: Stephen Gallagher +Date: Mon, 1 Aug 2011 10:48:06 -0400 +Subject: Allow LDAP to decide when an expiration warning is warranted + +Previously, we were only displaying expiration warnings if the +password was going to expire within a day. We'll allow LDAP to +make this decision (by whether it passes us the expiration time). + +In the future, we can add an option to clamp this down to a +shorter period if the local admin prefers it. + +diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c +index 3c9d760..7fcf985 100644 +--- a/src/responder/pam/pamsrv_cmd.c ++++ b/src/responder/pam/pamsrv_cmd.c +@@ -409,9 +409,10 @@ static errno_t filter_responses(struct confdb_ctx *cdb, + } + memcpy(&expire_warn, resp->data + sizeof(uint32_t), + sizeof(uint32_t)); +- if(expire_warn > pam_expiration_warning * (60 * 60 * 24)) { +- resp->do_not_send_to_client = true; +- } ++ /* TODO: Add an option to limit the display of the ++ * expiration warning to a specified number of ++ * days (e.g. 14) ++ */ + break; + default: + DEBUG(7, ("User info type [%d] not filtered.\n")); +-- +1.7.3.4 + diff --git a/sssd.changes b/sssd.changes index f02f6fa..91b622d 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Tue Aug 2 08:46:53 UTC 2011 - rhafer@suse.de + +- Fixed typos in configure args +- Cherry-picked password policy fixes from 1.5 branch (bnc#705768) +- switched to fd-leak fix cherry-picked from 1.5 branch +- Add /usr/sbin to the search path to make configure find nscd + (bnc#709747) + ------------------------------------------------------------------- Fri Jul 29 10:39:51 UTC 2011 - jengelh@medozas.de diff --git a/sssd.spec b/sssd.spec index aa356a2..7dff9a5 100644 --- a/sssd.spec +++ b/sssd.spec 
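Review bot: Removing the `expire_warn > pam_expiration_warning * (60 * 60 * 24)` clamp in `filter_responses` leaves the `pam_expiration_warning` setting with no visible effect on this response type and leaves `expire_warn`, filled by the preceding `memcpy`, assigned but never read, which newer compilers flag as set-but-unused; either drop the memcpy together with the check, or keep the option as an admin-controlled upper bound, `if (pam_expiration_warning > 0 && expire_warn > pam_expiration_warning * (60 * 60 * 24)) { resp->do_not_send_to_client = true; }`, so deployments that configured it do not silently change behaviour. Separately, the context line `DEBUG(7, ("User info type [%d] not filtered.\n"));` has a `%d` conversion with no matching argument and therefore prints an unspecified value; the switch subject is outside the hunk, but it should be passed as that argument. filter_responses starts and ends outside the hunk.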
@@ -26,8 +26,9 @@ License: GPLv3+ and LGPLv3+ Url: https://fedorahosted.org/sssd/ Source0: %{name}-%{version}.tar.bz2 Source1: baselibs.conf -Patch1: 0001-sss_client-avoid-leaking-file-descriptors.patch -Patch2: 0001-Silence-autoconf-2.28-warnings.patch +Patch1: 0001-sss_client-avoid-leaking-file-descriptors.patch +Patch2: 0002-Request-password-control-unconditionally-during-bind.patch +Patch3: 0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %define servicename sssd @@ -111,24 +112,27 @@ Security Services Daemon (sssd). %prep %setup -q -%patch -P 1 -P 2 -p1 +%patch -P 1 -P 2 -P 3 -p1 %build autoreconf export LDB_LIBS="-lldb" export LDB_CFLAGS="-I/usr/include" + +# help configure find nscd +export PATH=$PATH:/usr/sbin/ + %configure \ - --without-tests \ --with-db-path=%{dbpath} \ --with-pipe-path=%{pipepath} \ --with-pubconf-path=%{pubconfpath} \ --with-init-dir=%{_initrddir} \ --enable-nsslibdir=/%{_lib} \ --enable-pammoddir=/%{_lib}/security \ - --enable-cryptp=yes \ + --enable-crypto=yes \ --with-ldb-lib-dir=%{_libdir}/ldb \ --with-selinux=no \ - --with-so=suse \ + --with-os=suse \ --with-semanage=no make %{?_smp_mflags}
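Review bot: The corrected `--enable-crypto=yes` and `--with-os=suse` mean earlier builds passed two unrecognised options that autoconf only warns about, so they were built with whatever configure's defaults are for the crypto backend and OS-specific paths; the changelog's "Fixed typos in configure args" understates that, and the BuildRequires (not visible in this hunk) should be checked against the backend that is now actually selected. To stop such typos from slipping through again, add `--enable-option-checking=fatal \` to the `%configure` call so configure aborts on an unknown option. For nscd, extending PATH with `export PATH=$PATH:/usr/sbin/` works but is indirect; if this version's configure accepts `--with-nscd=/usr/sbin/nscd` that would state the dependency explicitly. The removal of `--without-tests` is not explained by the changelog entry and deserves a line there.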