pool/sssd
SHA256
2
0
Fork 3
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 160208 from network:ldap

Browse Source 
CVE-2013-0287 (bnc#809153) (forwarded request 160207 from rhafer)

OBS-URL: https://build.opensuse.org/request/show/160208
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=44
This commit is contained in:
Stephan Kulow 2013-03-21 09:40:29 +00:00 committed by Git OBS Bridge
commit fba252c3a3
6 changed files with 2338 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

414
Add-unit-tests-for-simple-access-test-by-groups.patch Normal file
View File

@ -0,0 +1,414 @@
From e5f0ef211e81fcd7a87d5e37b0aadca50201c6d6 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Sun, 3 Mar 2013 21:43:44 +0100
Subject: Add unit tests for simple access test by groups
I realized that the current unit tests for the simple access provider
only tested the user directives. To have a baseline and be able to
detect new bugs in the upcoming patch, I implemented unit tests for the
group lists, too.
(cherry picked from commit 754b09b5444e6da88ed58d6deaed8b815e268b6b)
---
src/tests/simple_access-tests.c | 285 +++++++++++++++++++++++++++++++++++-----
1 file changed, 253 insertions(+), 32 deletions(-)
diff --git a/src/tests/simple_access-tests.c b/src/tests/simple_access-tests.c
index c61814e..577c6d3 100644
--- a/src/tests/simple_access-tests.c
+++ b/src/tests/simple_access-tests.c
@@ -30,39 +30,152 @@
#include "providers/simple/simple_access.h"
#include "tests/common.h"
+#define TESTS_PATH "tests_simple_access"
+#define TEST_CONF_FILE "tests_conf.ldb"
+
const char *ulist_1[] = {"u1", "u2", NULL};
+const char *glist_1[] = {"g1", "g2", NULL};
+
+struct simple_test_ctx *test_ctx = NULL;
+
+struct simple_test_ctx {
+ struct sysdb_ctx *sysdb;
+ struct confdb_ctx *confdb;
-struct simple_ctx *ctx = NULL;
+ struct simple_ctx *ctx;
+};
void setup_simple(void)
{
- fail_unless(ctx == NULL, "Simple context already initialized.");
- ctx = talloc_zero(NULL, struct simple_ctx);
- fail_unless(ctx != NULL, "Cannot create simple context.");
-
- ctx->domain = talloc_zero(ctx, struct sss_domain_info);
- fail_unless(ctx != NULL, "Cannot create domain in simple context.");
- ctx->domain->case_sensitive = true;
+ errno_t ret;
+ char *conf_db;
+ const char *val[2];
+ val[1] = NULL;
+
+ /* Create tests directory if it doesn't exist */
+ /* (relative to current dir) */
+ ret = mkdir(TESTS_PATH, 0775);
+ fail_if(ret == -1 && errno != EEXIST,
+ "Could not create %s directory", TESTS_PATH);
+
+ fail_unless(test_ctx == NULL, "Simple context already initialized.");
+ test_ctx = talloc_zero(NULL, struct simple_test_ctx);
+ fail_unless(test_ctx != NULL, "Cannot create simple test context.");
+
+ test_ctx->ctx = talloc_zero(test_ctx, struct simple_ctx);
+ fail_unless(test_ctx->ctx != NULL, "Cannot create simple context.");
+
+ conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, TEST_CONF_FILE);
+ fail_if(conf_db == NULL, "Out of memory, aborting!");
+ DEBUG(SSSDBG_TRACE_LIBS, ("CONFDB: %s\n", conf_db));
+
+ /* Connect to the conf db */
+ ret = confdb_init(test_ctx, &test_ctx->confdb, conf_db);
+ fail_if(ret != EOK, "Could not initialize connection to the confdb");
+
+ val[0] = "LOCAL";
+ ret = confdb_add_param(test_ctx->confdb, true,
+ "config/sssd", "domains", val);
+ fail_if(ret != EOK, "Could not initialize domains placeholder");
+
+ val[0] = "local";
+ ret = confdb_add_param(test_ctx->confdb, true,
+ "config/domain/LOCAL", "id_provider", val);
+ fail_if(ret != EOK, "Could not initialize provider");
+
+ val[0] = "TRUE";
+ ret = confdb_add_param(test_ctx->confdb, true,
+ "config/domain/LOCAL", "enumerate", val);
+ fail_if(ret != EOK, "Could not initialize LOCAL domain");
+
+ val[0] = "TRUE";
+ ret = confdb_add_param(test_ctx->confdb, true,
+ "config/domain/LOCAL", "cache_credentials", val);
+ fail_if(ret != EOK, "Could not initialize LOCAL domain");
+
+ ret = sysdb_init_domain_and_sysdb(test_ctx, test_ctx->confdb, "local",
+ TESTS_PATH,
+ &test_ctx->ctx->domain, &test_ctx->ctx->sysdb);
+ fail_if(ret != EOK, "Could not initialize connection to the sysdb (%d)", ret);
+ test_ctx->ctx->domain->case_sensitive = true;
}
void teardown_simple(void)
{
int ret;
- fail_unless(ctx != NULL, "Simple context already freed.");
- ret = talloc_free(ctx);
- ctx = NULL;
+ fail_unless(test_ctx != NULL, "Simple context already freed.");
+ ret = talloc_free(test_ctx);
+ test_ctx = NULL;
fail_unless(ret == 0, "Connot free simple context.");
}
+void setup_simple_group(void)
+{
+ errno_t ret;
+
+ setup_simple();
+
+ /* Add test users u1 and u2 that would be members of test groups
+ * g1 and g2 respectively */
+ ret = sysdb_store_user(test_ctx->ctx->sysdb,
+ "u1", NULL, 123, 0, "u1", "/home/u1",
+ "/bin/bash", NULL, NULL, NULL, -1, 0);
+ fail_if(ret != EOK, "Could not add u1");
+
+ ret = sysdb_store_user(test_ctx->ctx->sysdb,
+ "u2", NULL, 456, 0, "u1", "/home/u1",
+ "/bin/bash", NULL, NULL, NULL, -1, 0);
+ fail_if(ret != EOK, "Could not add u2");
+
+ ret = sysdb_store_user(test_ctx->ctx->sysdb,
+ "u3", NULL, 789, 0, "u1", "/home/u1",
+ "/bin/bash", NULL, NULL, NULL, -1, 0);
+ fail_if(ret != EOK, "Could not add u3");
+
+ ret = sysdb_add_group(test_ctx->ctx->sysdb,
+ "g1", 321, NULL, 0, 0);
+ fail_if(ret != EOK, "Could not add g1");
+
+ ret = sysdb_add_group(test_ctx->ctx->sysdb,
+ "g2", 654, NULL, 0, 0);
+ fail_if(ret != EOK, "Could not add g2");
+
+ ret = sysdb_add_group_member(test_ctx->ctx->sysdb,
+ "g1", "u1", SYSDB_MEMBER_USER);
+ fail_if(ret != EOK, "Could not add u1 to g1");
+
+ ret = sysdb_add_group_member(test_ctx->ctx->sysdb,
+ "g2", "u2", SYSDB_MEMBER_USER);
+ fail_if(ret != EOK, "Could not add u2 to g2");
+}
+
+void teardown_simple_group(void)
+{
+ errno_t ret;
+
+ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u1", 0);
+ fail_if(ret != EOK, "Could not delete u1");
+ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u2", 0);
+ fail_if(ret != EOK, "Could not delete u2");
+ ret = sysdb_delete_user(test_ctx->ctx->sysdb, "u3", 0);
+ fail_if(ret != EOK, "Could not delete u3");
+ ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g1", 0);
+ fail_if(ret != EOK, "Could not delete g1");
+ ret = sysdb_delete_group(test_ctx->ctx->sysdb, "g2", 0);
+ fail_if(ret != EOK, "Could not delete g2");
+
+ teardown_simple();
+}
+
START_TEST(test_both_empty)
{
int ret;
bool access_granted = false;
- ctx->allow_users = NULL;
- ctx->deny_users = NULL;
+ test_ctx->ctx->allow_users = NULL;
+ test_ctx->ctx->deny_users = NULL;
- ret = simple_access_check(ctx, "u1", &access_granted);
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
fail_unless(ret == EOK, "access_simple_check failed.");
fail_unless(access_granted == true, "Access denied "
"while both lists are empty.");
@@ -74,15 +187,15 @@ START_TEST(test_allow_empty)
int ret;
bool access_granted = true;
- ctx->allow_users = NULL;
- ctx->deny_users = discard_const(ulist_1);
+ test_ctx->ctx->allow_users = NULL;
+ test_ctx->ctx->deny_users = discard_const(ulist_1);
- ret = simple_access_check(ctx, "u1", &access_granted);
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
fail_unless(ret == EOK, "access_simple_check failed.");
fail_unless(access_granted == false, "Access granted "
"while user is in deny list.");
- ret = simple_access_check(ctx, "u3", &access_granted);
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
fail_unless(ret == EOK, "access_simple_check failed.");
fail_unless(access_granted == true, "Access denied "
"while user is not in deny list.");
@@ -94,15 +207,15 @@ START_TEST(test_deny_empty)
int ret;
bool access_granted = false;
- ctx->allow_users = discard_const(ulist_1);
- ctx->deny_users = NULL;
+ test_ctx->ctx->allow_users = discard_const(ulist_1);
+ test_ctx->ctx->deny_users = NULL;
- ret = simple_access_check(ctx, "u1", &access_granted);
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
fail_unless(ret == EOK, "access_simple_check failed.");
fail_unless(access_granted == true, "Access denied "
"while user is in allow list.");
- ret = simple_access_check(ctx, "u3", &access_granted);
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
fail_unless(ret == EOK, "access_simple_check failed.");
fail_unless(access_granted == false, "Access granted "
"while user is not in allow list.");
@@ -114,15 +227,15 @@ START_TEST(test_both_set)
int ret;
bool access_granted = false;
- ctx->allow_users = discard_const(ulist_1);
- ctx->deny_users = discard_const(ulist_1);
+ test_ctx->ctx->allow_users = discard_const(ulist_1);
+ test_ctx->ctx->deny_users = discard_const(ulist_1);
- ret = simple_access_check(ctx, "u1", &access_granted);
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
fail_unless(ret == EOK, "access_simple_check failed.");
fail_unless(access_granted == false, "Access granted "
"while user is in deny list.");
- ret = simple_access_check(ctx, "u3", &access_granted);
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
fail_unless(ret == EOK, "access_simple_check failed.");
fail_unless(access_granted == false, "Access granted "
"while user is not in allow list.");
@@ -134,18 +247,18 @@ START_TEST(test_case)
int ret;
bool access_granted = false;
- ctx->allow_users = discard_const(ulist_1);
- ctx->deny_users = NULL;
+ test_ctx->ctx->allow_users = discard_const(ulist_1);
+ test_ctx->ctx->deny_users = NULL;
- ret = simple_access_check(ctx, "U1", &access_granted);
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
fail_unless(ret == EOK, "access_simple_check failed.");
fail_unless(access_granted == false, "Access granted "
"for user with different case "
"in case-sensitive domain");
- ctx->domain->case_sensitive = false;
+ test_ctx->ctx->domain->case_sensitive = false;
- ret = simple_access_check(ctx, "U1", &access_granted);
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
fail_unless(ret == EOK, "access_simple_check failed.");
fail_unless(access_granted == true, "Access denied "
"for user with different case "
@@ -153,11 +266,95 @@ START_TEST(test_case)
}
END_TEST
+START_TEST(test_group_allow_empty)
+{
+ int ret;
+ bool access_granted = true;
+
+ test_ctx->ctx->allow_groups = NULL;
+ test_ctx->ctx->deny_groups = discard_const(glist_1);
+
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == false, "Access granted "
+ "while group is in deny list.");
+
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == true, "Access denied "
+ "while group is not in deny list.");
+}
+END_TEST
+
+START_TEST(test_group_deny_empty)
+{
+ int ret;
+ bool access_granted = false;
+
+ test_ctx->ctx->allow_groups = discard_const(glist_1);
+ test_ctx->ctx->deny_groups = NULL;
+
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == true, "Access denied "
+ "while group is in allow list.");
+
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == false, "Access granted "
+ "while group is not in allow list.");
+}
+END_TEST
+
+START_TEST(test_group_both_set)
+{
+ int ret;
+ bool access_granted = false;
+
+ test_ctx->ctx->allow_groups = discard_const(ulist_1);
+ test_ctx->ctx->deny_groups = discard_const(ulist_1);
+
+ ret = simple_access_check(test_ctx->ctx, "u1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == false, "Access granted "
+ "while group is in deny list.");
+
+ ret = simple_access_check(test_ctx->ctx, "u3", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == false, "Access granted "
+ "while group is not in allow list.");
+}
+END_TEST
+
+START_TEST(test_group_case)
+{
+ int ret;
+ bool access_granted = false;
+
+ test_ctx->ctx->allow_groups = discard_const(ulist_1);
+ test_ctx->ctx->deny_groups = NULL;
+
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == false, "Access granted "
+ "for group with different case "
+ "in case-sensitive domain");
+
+ test_ctx->ctx->domain->case_sensitive = false;
+
+ ret = simple_access_check(test_ctx->ctx, "U1", &access_granted);
+ fail_unless(ret == EOK, "access_simple_check failed.");
+ fail_unless(access_granted == true, "Access denied "
+ "for group with different case "
+ "in case-insensitive domain");
+}
+END_TEST
+
Suite *access_simple_suite (void)
{
Suite *s = suite_create("access_simple");
- TCase *tc_allow_deny = tcase_create("allow/deny");
+ TCase *tc_allow_deny = tcase_create("user allow/deny");
tcase_add_checked_fixture(tc_allow_deny, setup_simple, teardown_simple);
tcase_add_test(tc_allow_deny, test_both_empty);
tcase_add_test(tc_allow_deny, test_allow_empty);
@@ -166,6 +363,15 @@ Suite *access_simple_suite (void)
tcase_add_test(tc_allow_deny, test_case);
suite_add_tcase(s, tc_allow_deny);
+ TCase *tc_grp_allow_deny = tcase_create("group allow/deny");
+ tcase_add_checked_fixture(tc_grp_allow_deny,
+ setup_simple_group, teardown_simple_group);
+ tcase_add_test(tc_grp_allow_deny, test_group_allow_empty);
+ tcase_add_test(tc_grp_allow_deny, test_group_deny_empty);
+ tcase_add_test(tc_grp_allow_deny, test_group_both_set);
+ tcase_add_test(tc_grp_allow_deny, test_group_case);
+ suite_add_tcase(s, tc_grp_allow_deny);
+
return s;
}
@@ -174,6 +380,7 @@ int main(int argc, const char *argv[])
int opt;
poptContext pc;
int number_failed;
+ int ret;
struct poptOption long_options[] = {
POPT_AUTOHELP
@@ -205,6 +412,20 @@ int main(int argc, const char *argv[])
srunner_run_all(sr, CK_ENV);
number_failed = srunner_ntests_failed(sr);
srunner_free(sr);
+
+ ret = unlink(TESTS_PATH"/"TEST_CONF_FILE);
+ if (ret != EOK) {
+ fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n",
+ errno, strerror(errno));
+ return EXIT_FAILURE;
+ }
+ ret = unlink(TESTS_PATH"/"LOCAL_SYSDB_FILE);
+ if (ret != EOK) {
+ fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n",
+ errno, strerror(errno));
+ return EXIT_FAILURE;
+ }
+
return (number_failed==0 ? EXIT_SUCCESS : EXIT_FAILURE);
}
--
1.8.1.4

41
Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch Normal file
View File

@ -0,0 +1,41 @@
From 8dfcfe629db83eb58dd6613aa174222cb853afb1 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 4 Mar 2013 16:37:04 +0100
Subject: Do not compile main() in DP if UNIT_TESTING is defined
The simple access provider unit tests now need to link against the Data
Provider when they start using the be_file_account_request() function.
But then we would start having conflicts as at least the main()
functions would clash.
If UNIT_TESTING is defined, then the data_provider_be.c module does not
contain the main() function and can be linked against directly from
another module that contains its own main() function
(cherry picked from commit 26590d31f492dbbd36be6d0bde46a4bd3b221edb)
---
src/providers/data_provider_be.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index f85a04d..33590ae 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -2651,6 +2651,7 @@ fail:
return ret;
}
+#ifndef UNIT_TESTING
int main(int argc, const char *argv[])
{
int opt;
@@ -2732,6 +2733,7 @@ int main(int argc, const char *argv[])
return 0;
}
+#endif
static int data_provider_res_init(DBusMessage *message,
struct sbus_connection *conn)
--
1.8.1.4

237
Provide-a-be_get_account_info_send-function.patch Normal file
View File

@ -0,0 +1,237 @@
From 455737c0b4b0c1bfeed54f2e27e397ce403acbca Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 22 Feb 2013 11:01:38 +0100
Subject: Provide a be_get_account_info_send function
In order to resolve group names in the simple access provider we need to
contact the Data Provider in a generic fashion from the access provider.
We can't call any particular implementation (like sdap_generic_send())
because we have no idea what kind of provider is configured as the
id_provider.
This patch splits introduces the be_file_account_request() function into
the data_provider_be module and makes it public.
A future patch should make the be_get_account_info function use the
be_get_account_info_send function.
(cherry picked from commit b63830b142053f99bfe954d4be5a2b0f68ce3a93)
---
src/providers/data_provider_be.c | 153 ++++++++++++++++++++++++++++++++++-----
src/providers/dp_backend.h | 15 ++++
2 files changed, 149 insertions(+), 19 deletions(-)
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
index b261bf8..f85a04d 100644
--- a/src/providers/data_provider_be.c
+++ b/src/providers/data_provider_be.c
@@ -717,6 +717,34 @@ static errno_t be_initgroups_prereq(struct be_req *be_req)
}
static errno_t
+be_file_account_request(struct be_req *be_req, struct be_acct_req *ar)
+{
+ errno_t ret;
+ struct be_ctx *be_ctx = be_req->be_ctx;
+
+ be_req->req_data = ar;
+
+ /* see if we need a pre request call, only done for initgroups for now */
+ if ((ar->entry_type & 0xFF) == BE_REQ_INITGROUPS) {
+ ret = be_initgroups_prereq(be_req);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Prerequest failed"));
+ return ret;
+ }
+ }
+
+ /* process request */
+ ret = be_file_request(be_ctx, be_req,
+ be_ctx->bet_info[BET_ID].bet_ops->handler);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Failed to file request"));
+ return ret;
+ }
+
+ return EOK;
+}
+
+static errno_t
split_name_extended(TALLOC_CTX *mem_ctx,
const char *filter,
char **name,
@@ -742,6 +770,110 @@ split_name_extended(TALLOC_CTX *mem_ctx,
return EOK;
}
+static void
+be_get_account_info_done(struct be_req *be_req,
+ int dp_err, int dp_ret,
+ const char *errstr);
+
+struct be_get_account_info_state {
+ int err_maj;
+ int err_min;
+ const char *err_msg;
+};
+
+struct tevent_req *
+be_get_account_info_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_client *becli,
+ struct be_ctx *be_ctx,
+ struct be_acct_req *ar)
+{
+ struct tevent_req *req;
+ struct be_get_account_info_state *state;
+ struct be_req *be_req;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct be_get_account_info_state);
+ if (!req) return NULL;
+
+ be_req = talloc_zero(mem_ctx, struct be_req);
+ if (be_req == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ be_req->becli = becli;
+ be_req->be_ctx = be_ctx;
+ be_req->fn = be_get_account_info_done;
+ be_req->pvt = req;
+
+ ret = be_file_account_request(be_req, ar);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ return req;
+
+done:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void
+be_get_account_info_done(struct be_req *be_req,
+ int dp_err, int dp_ret,
+ const char *errstr)
+{
+ struct tevent_req *req;
+ struct be_get_account_info_state *state;
+
+ req = talloc_get_type(be_req->pvt, struct tevent_req);
+ state = tevent_req_data(req, struct be_get_account_info_state);
+
+ state->err_maj = dp_err;
+ state->err_min = dp_ret;
+ if (errstr) {
+ state->err_msg = talloc_strdup(state, errstr);
+ if (state->err_msg == NULL) {
+ talloc_free(be_req);
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ }
+
+ talloc_free(be_req);
+ tevent_req_done(req);
+}
+
+errno_t be_get_account_info_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ int *_err_maj,
+ int *_err_min,
+ const char **_err_msg)
+{
+ struct be_get_account_info_state *state;
+
+ state = tevent_req_data(req, struct be_get_account_info_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ if (_err_maj) {
+ *_err_maj = state->err_maj;
+ }
+
+ if (_err_min) {
+ *_err_min = state->err_min;
+ }
+
+ if (_err_msg) {
+ *_err_msg = talloc_steal(mem_ctx, state->err_msg);
+ }
+
+ return EOK;
+}
+
static int be_get_account_info(DBusMessage *message, struct sbus_connection *conn)
{
struct be_acct_req *req;
@@ -845,8 +977,6 @@ static int be_get_account_info(DBusMessage *message, struct sbus_connection *con
goto done;
}
- be_req->req_data = req;
-
if ((attr_type != BE_ATTR_CORE) &&
(attr_type != BE_ATTR_MEM) &&
(attr_type != BE_ATTR_ALL)) {
@@ -893,26 +1023,11 @@ static int be_get_account_info(DBusMessage *message, struct sbus_connection *con
goto done;
}
- /* see if we need a pre request call, only done for initgroups for now */
- if ((type & 0xFF) == BE_REQ_INITGROUPS) {
- ret = be_initgroups_prereq(be_req);
- if (ret) {
- err_maj = DP_ERR_FATAL;
- err_min = ret;
- err_msg = "Prerequest failed";
- goto done;
- }
- }
-
- /* process request */
-
- ret = be_file_request(becli->bectx->bet_info[BET_ID].pvt_bet_data,
- be_req,
- becli->bectx->bet_info[BET_ID].bet_ops->handler);
+ ret = be_file_account_request(be_req, req);
if (ret != EOK) {
err_maj = DP_ERR_FATAL;
err_min = ret;
- err_msg = "Failed to file request";
+ err_msg = "Cannot file account request";
goto done;
}
diff --git a/src/providers/dp_backend.h b/src/providers/dp_backend.h
index 58a9b74..743b6f4 100644
--- a/src/providers/dp_backend.h
+++ b/src/providers/dp_backend.h
@@ -258,4 +258,19 @@ int be_fo_run_callbacks_at_next_request(struct be_ctx *ctx,
const char *service_name);
void reset_fo(struct be_ctx *be_ctx);
+
+/* Request account information */
+struct tevent_req *
+be_get_account_info_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_client *becli,
+ struct be_ctx *be_ctx,
+ struct be_acct_req *ar);
+
+errno_t be_get_account_info_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ int *_err_maj,
+ int *_err_min,
+ const char **_err_msg);
+
#endif /* __DP_BACKEND_H___ */
--
1.8.1.4

1624
Resolve-GIDs-in-the-simple-access-provider.patch Normal file
View File

File diff suppressed because it is too large Load Diff

15
sssd.changes
View File

@ -1,3 +1,18 @@
-------------------------------------------------------------------
Wed Mar 20 10:05:00 UTC 2013 - rhafer@suse.com
- Fixed security issue: CVE-2013-0287 (bnc#809153):
When SSSD is configured as an Active Directory client by using
the new Active Directory provider or equivalent configuration
of the LDAP provider, the Simple Access Provider does not
handle access control correctly. If any groups are specified
with the simple_deny_groups option, the group members are
permitted access. New patches:
* Provide-a-be_get_account_info_send-function.patch
* Add-unit-tests-for-simple-access-test-by-groups.patch
* Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch
* Resolve-GIDs-in-the-simple-access-provider.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Feb 26 08:29:43 UTC 2013 - jengelh@inai.de Tue Feb 26 08:29:43 UTC 2013 - jengelh@inai.de

8
sssd.spec
View File

@ -32,6 +32,12 @@ Patch1: 0005-implicit-decl.diff
Patch2: sssd-ldflags.diff Patch2: sssd-ldflags.diff
Patch3: sssd-no-ldb-check.diff Patch3: sssd-no-ldb-check.diff
Patch4: sssd-sysdb-binary-attrs.diff Patch4: sssd-sysdb-binary-attrs.diff
# Fixes for CVE-2013-0287 (will be part of 1.9.5) when released
Patch5: Provide-a-be_get_account_info_send-function.patch
Patch6: Add-unit-tests-for-simple-access-test-by-groups.patch
Patch7: Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch
Patch8: Resolve-GIDs-in-the-simple-access-provider.patch
# End Fixed for CVE-2013-0287
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define servicename sssd %define servicename sssd
@ -200,7 +206,7 @@ Security Services Daemon (sssd).
%prep %prep
%setup -q %setup -q
%patch -P 1 -P 2 -P 3 -P 4 -p1 %patch -P 1 -P 2 -P 3 -P 4 -P 5 -P 6 -P 7 -P 8 -p1
%build %build
%if 0%{?suse_version} < 1210 %if 0%{?suse_version} < 1210