diff --git a/0001-sss_client-avoid-leaking-file-descriptors.patch b/0001-sss_client-avoid-leaking-file-descriptors.patch
new file mode 100644
index 0000000..46aaa28
--- /dev/null
+++ b/0001-sss_client-avoid-leaking-file-descriptors.patch
@@ -0,0 +1,53 @@
+From 151681511c4519463c2fe10c656db29a12c01821 Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Thu, 28 Jul 2011 15:15:26 -0400
+Subject: sss_client: avoid leaking file descriptors
+
+If a pam or nss module is dlcolse()d and unloaded we were leaking
+the file descriptor used to communicate to sssd in the process.
+
+Make sure the fucntion used to close the socket file descriptor is
+called on dlclose()
+
+Silence autoconf 2.28 warnings (Patch by Jakub Hrozek)
+
+diff --git a/configure.ac b/configure.ac
+index 84b83eb..c0b7f8f 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -170,6 +170,18 @@ AC_CHECK_HEADERS([sys/inotify.h])
+
+ AC_CHECK_HEADERS([sasl/sasl.h],,AC_MSG_ERROR([Could not find SASL headers]))
+
++AC_CACHE_CHECK([whether compiler supports __attribute__((destructor))],
++ sss_client_cv_attribute_destructor,
++ [AC_COMPILE_IFELSE(
++ [AC_LANG_SOURCE([__attribute__((destructor)) static void cleanup(void) { }])],
++ sss_client_cv_attribute_destructor=yes)
++ ])
++
++if test x"$sss_client_cv_attribute_destructor" = xyes ; then
++ AC_DEFINE(HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR, 1,
++ [whether compiler supports __attribute__((destructor))])
++fi
++
+ PKG_CHECK_MODULES([CHECK], [check >= 0.9.5], [have_check=1], [have_check=])
+ if test x$have_check = x; then
+ AC_MSG_WARN([Without the 'CHECK' libraries, you will be unable to run all tests in the 'make check' suite])
+diff --git a/src/sss_client/common.c b/src/sss_client/common.c
+index c17629a..5f6af41 100644
+--- a/src/sss_client/common.c
++++ b/src/sss_client/common.c
+@@ -55,6 +55,9 @@
+ int sss_cli_sd = -1; /* the sss client socket descriptor */
+ struct stat sss_cli_sb; /* the sss client stat buffer */
+
++#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR
++__attribute__((destructor))
++#endif
+ static void sss_cli_close_socket(void)
+ {
+ if (sss_cli_sd != -1) {
+--
+1.7.3.4
+
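Review bot: The `AC_COMPILE_IFELSE` in the configure.ac part of this hunk passes only an action-if-true, so on a compiler that rejects `__attribute__((destructor))` the cache variable `sss_client_cv_attribute_destructor` is left unset and the AC_CACHE_CHECK result prints empty; add `[sss_client_cv_attribute_destructor=no]` as the third argument. On such a compiler `HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR` is never defined, the `#if` in common.c silently drops the destructor and the descriptor leak this patch addresses remains, so a comment above the `#if`, such as `/* without destructor support the socket is not closed on dlclose(); the fd leak described in the commit persists */`, would make the fallback explicit (`#ifdef` would also avoid a `-Wundef` warning on the undefined macro). Note that a compiler which merely warns on unknown attributes still passes the compile test, so the check detects that the attribute is accepted, not that it works. The body of sss_cli_close_socket continues outside the hunk.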
diff --git a/0002-Request-password-control-unconditionally-during-bind.patch b/0002-Request-password-control-unconditionally-during-bind.patch
new file mode 100644
index 0000000..9992abf
--- /dev/null
+++ b/0002-Request-password-control-unconditionally-during-bind.patch
@@ -0,0 +1,42 @@
+From 587b013d0b6f8a9411617b5faac2750d2e4b7a5d Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Mon, 1 Aug 2011 15:22:53 +0200
+Subject: Request password control unconditionally during bind
+
+https://fedorahosted.org/sssd/ticket/940
+
+diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
+index cab3657..9d543ec 100644
+--- a/src/providers/ldap/sdap_async_connection.c
++++ b/src/providers/ldap/sdap_async_connection.c
+@@ -437,10 +437,10 @@ static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
+ state->user_dn = user_dn;
+ state->pw = pw;
+
+- ret = sdap_control_create(state->sh, LDAP_CONTROL_PASSWORDPOLICYREQUEST,
+- 0, NULL, 0, &ctrls[0]);
++ ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
++ 0, NULL, 0, &ctrls[0]);
+ if (ret != LDAP_SUCCESS && ret != LDAP_NOT_SUPPORTED) {
+- DEBUG(1, ("sdap_control_create failed to create "
++ DEBUG(1, ("sss_ldap_control_create failed to create "
+ "Password Policy control.\n"));
+ goto fail;
+ }
+@@ -1634,10 +1634,10 @@ static int sdap_rebind_proc(LDAP *ldap, LDAP_CONST char *url, ber_tag_t request,
+ sasl_mech = dp_opt_get_string(p->opts->basic, SDAP_SASL_MECH);
+
+ if (sasl_mech == NULL) {
+- ret = sdap_control_create(p->sh, LDAP_CONTROL_PASSWORDPOLICYREQUEST,
+- 0, NULL, 0, &ctrls[0]);
++ ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
++ 0, NULL, 0, &ctrls[0]);
+ if (ret != LDAP_SUCCESS && ret != LDAP_NOT_SUPPORTED) {
+- DEBUG(1, ("sdap_control_create failed to create "
++ DEBUG(1, ("sss_ldap_control_create failed to create "
+ "Password Policy control.\n"));
+ goto done;
+ }
+--
+1.7.3.4
+
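Review bot: Both call sites in this hunk now build the password-policy control without the server handle, so it is requested regardless of what the server advertises; the second argument is 0, which (as in OpenLDAP's `ldap_control_create`) marks the control non-critical, and a comment at each site, `/* non-critical: servers without ppolicy support ignore it */`, would record that this is intended rather than an oversight. The `ret != LDAP_NOT_SUPPORTED` exemption kept in both checks was presumably the old helper's way of reporting an unadvertised control; whether `sss_ldap_control_create` can still return it is not visible here, and if it cannot, the condition reduces to `ret != LDAP_SUCCESS`. The reworded DEBUG messages still discard the error code; appending ` [%d]` to the message with `ret` as the argument would make a failed bind diagnosable from the log. No include is added for `sss_ldap_control_create`, so it is presumably declared in a header this file already pulls in; otherwise the call becomes an implicit declaration. simple_bind_send and sdap_rebind_proc both start and end outside the hunk.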
diff --git a/0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch b/0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch
new file mode 100644
index 0000000..753b96c
--- /dev/null
+++ b/0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch
@@ -0,0 +1,33 @@
+From d0bf20038fddf5ad296287fb16bc80082088b770 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher
+Date: Mon, 1 Aug 2011 10:48:06 -0400
+Subject: Allow LDAP to decide when an expiration warning is warranted
+
+Previously, we were only displaying expiration warnings if the
+password was going to expire within a day. We'll allow LDAP to
+make this decision (by whether it passes us the expiration time).
+
+In the future, we can add an option to clamp this down to a
+shorter period if the local admin prefers it.
+
+diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
+index 3c9d760..7fcf985 100644
+--- a/src/responder/pam/pamsrv_cmd.c
++++ b/src/responder/pam/pamsrv_cmd.c
+@@ -409,9 +409,10 @@ static errno_t filter_responses(struct confdb_ctx *cdb,
+ }
+ memcpy(&expire_warn, resp->data + sizeof(uint32_t),
+ sizeof(uint32_t));
+- if(expire_warn > pam_expiration_warning * (60 * 60 * 24)) {
+- resp->do_not_send_to_client = true;
+- }
++ /* TODO: Add an option to limit the display of the
++ * expiration warning to a specified number of
++ * days (e.g. 14)
++ */
+ break;
+ default:
+ DEBUG(7, ("User info type [%d] not filtered.\n"));
+--
+1.7.3.4
+
diff --git a/sssd.changes b/sssd.changes
index c18bd02..91b622d 100644
--- a/sssd.changes
+++ b/sssd.changes
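Review bot: Deleting the comparison leaves `pam_expiration_warning` unreferenced in this switch arm, so the admin-configured threshold is now silently ignored while the option (if it is still read from the config outside the hunk) keeps existing, and the compiler may warn about an unused variable; the new TODO should at least name it, e.g. `* days (e.g. 14); pam_expiration_warning is currently ignored here`, so the next reader knows the option is dead rather than intentional. With the filter gone every expiration time the LDAP provider sends reaches the client, which is the stated intent, but it also changes behaviour for deployments that set the option to a small value, and that is worth a sentence in the commit body. Unrelated to the change but visible in the context: `DEBUG(7, ("User info type [%d] not filtered.\n"));` has a `%d` conversion with no matching argument, which is undefined behaviour whenever level 7 debugging is enabled — pass the type value or drop the conversion. filter_responses starts and ends outside the hunk.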
@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Tue Aug 2 08:46:53 UTC 2011 - rhafer@suse.de
+
+- Fixed typos in configure args
+- Cherry-picked password policy fixes from 1.5 branch (bnc#705768)
+- switched to fd-leak fix cherry-picked from 1.5 branch
+- Add /usr/sbin to the search path to make configure find nscd
+ (bnc#709747)
+
+-------------------------------------------------------------------
+Fri Jul 29 10:39:51 UTC 2011 - jengelh@medozas.de
+
+- Add patches to fix an fd leak in sssd_pam
+
 -------------------------------------------------------------------
 Thu Jul 28 10:03:32 UTC 2011 - jengelh@medozas.de
 
diff --git a/sssd.spec b/sssd.spec
index e5b0d6c..7dff9a5 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -26,6 +26,9 @@ License: GPLv3+ and LGPLv3+
 Url: https://fedorahosted.org/sssd/
 Source0: %{name}-%{version}.tar.bz2
 Source1: baselibs.conf
+Patch1: 0001-sss_client-avoid-leaking-file-descriptors.patch
+Patch2: 0002-Request-password-control-unconditionally-during-bind.patch
+Patch3: 0003-Allow-LDAP-to-decide-when-an-expiration-warning-is-w.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 
 %define servicename sssd
@@ -109,23 +112,27 @@ Security Services Daemon (sssd).
 %prep
 %setup -q
+%patch -P 1 -P 2 -P 3 -p1
 
 %build
 autoreconf
 export LDB_LIBS="-lldb"
 export LDB_CFLAGS="-I/usr/include"
+
+# help configure find nscd
+export PATH=$PATH:/usr/sbin/
+
 %configure \
- --without-tests \
 --with-db-path=%{dbpath} \
 --with-pipe-path=%{pipepath} \
 --with-pubconf-path=%{pubconfpath} \
 --with-init-dir=%{_initrddir} \
 --enable-nsslibdir=/%{_lib} \
 --enable-pammoddir=/%{_lib}/security \
- --enable-cryptp=yes \
+ --enable-crypto=yes \
 --with-ldb-lib-dir=%{_libdir}/ldb \
 --with-selinux=no \
- --with-so=suse \
+ --with-os=suse \
 --with-semanage=no
 make %{?_smp_mflags}
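Review bot: `export PATH=$PATH:/usr/sbin/` in the second sssd.spec hunk widens the search path for everything that follows in %build (configure and make), not only the nscd lookup it is meant to fix; if configure locates nscd with an `AC_PATH_PROG`-style check, passing that check's precious variable on the `%configure` line (placeholder: `NSCD=/usr/sbin/nscd`, using whatever variable name the check actually exports) pins the binary explicitly without changing PATH. The same hunk also drops `--without-tests`, which the sssd.changes entry describes only as part of "Fixed typos in configure args" alongside `--enable-crypto` and `--with-os`; unless that option never existed, its removal changes what gets built and deserves its own changelog line. A short comment above the `%patch` line, such as `# 1-2: cherry-picks from the 1.5 branch (fd leak, password policy), 3: expiration-warning change`, would tie the Patch entries to the changelog items.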