New announcement from SSSD
by Transifex
Hello sssd, this is Transifex at https://www.transifex.com.
A new announcement has been posted from project 'SSSD':
## Restoring String Freeze for SSSD 1.9.0
As of now, the SSSD is again in string freeze for the SSSD 1.9.0 upstream release. We will be accepting translations until the release date which has been rescheduled for September 14th.
Thank you in advance for your contributions!
-
To view the announcement in Transifex, please visit the following link:
http://www.transifex.com/projects/p/sssd/announcement/2887/
Always at your service.
--
Transifex -- Open Translation Platform
To change your notification settings, please visit your profile page at https://www.transifex.com/notices/.
11 years, 8 months
A security bug in 1.9.0 beta6 (CVE-2012-3462)
by Jakub Hrozek
================= A security bug in 1.9.0 beta6 ===============
=
= Subject: HBAC rules ignored if SELinux processing
= is enabled
=
= CVE ID#: CVE-2012-3462
=
= Summary: A flaw in the SSSD's access-provider
= logic causes the result of the HBAC
= rule processing to be ignored in the
= event that the access-provider is
= also handling the setup of the user's
= SELinux user context.
=
=
=
= Impact: moderate
=
= Affects default
= configuration: yes (IPA provider only)
=
= Introduced with: 1.9.0 beta6
=
===============================================================
==== DESCRIPTION ====
The latest development release of the SSSD is vulnerable to a security bug.
When the SSSD is configured as an IPA client and the access provider is
also handling the evaluation of user's SELinux user context, the result
of Host Based Access Control rules is ignored.
We decided not to release a full release, for two reasons:
* the number of users running the beta is very small. Furthermore,
the beta releases are not fully tested and suitable for production
anyway
* the next release - 1.9.0 RC1 is coming very soon. It is tentatively
scheduled for 2012-08-23
==== WORKAROUND ====
If you don't rely on the evaluation of users' SELinux user contexts, you
can turn off their processing by setting:
selinux_provider = none
in the sssd.conf config file. That would cause the correct access control
code to be returned to the PAM service.
==== PATCH AVAILABILITY ====
The patch is available at:
http://git.fedorahosted.org/cgit/sssd.git/commit/?id=ffcf27b0b773b580289d...
11 years, 8 months
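The advisory above only tells you which setting to change. As an added example (not code from the advisory or from the SSSD project), the following script checks an sssd.conf for domains that match the vulnerable shape described there (access_provider = ipa with the IPA provider still handling SELinux contexts) and rewrites them with the workaround. Two defaults are assumptions taken from the sssd.conf manual rather than from the advisory: access_provider defaults to permit, and selinux_provider falls back to the id_provider when it is unset. The sample configuration is constructed for the example.

```python
import configparser

# Constructed sample sssd.conf (not taken from the advisory): two IPA domains,
# the second with the advisory's workaround already applied, plus an LDAP
# domain that does not evaluate HBAC at all.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = ipa.example.com, lab.example.com, ldap.example.com

[domain/ipa.example.com]
id_provider = ipa
access_provider = ipa
ipa_server = ipa.example.com

[domain/lab.example.com]
id_provider = ipa
access_provider = ipa
ipa_server = ipa.lab.example.com
selinux_provider = none

[domain/ldap.example.com]
id_provider = ldap
access_provider = ldap
"""


def parse_sssd_conf(text):
    """Parse sssd.conf-style INI text; option names are lowercased by ConfigParser."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def affected_domains(text):
    """Names of domains that match the CVE-2012-3462 shape on an unpatched 1.9.0 beta6.

    A domain is flagged when access_provider is ipa (so HBAC rules are evaluated)
    and SELinux user-context handling is still done by the IPA provider.
    Assumptions (sssd.conf manual, not the advisory): access_provider defaults
    to 'permit'; selinux_provider defaults to the id_provider when unset.
    """
    cp = parse_sssd_conf(text)
    hits = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        id_prov = cp.get(section, "id_provider", fallback="").strip().lower()
        access = cp.get(section, "access_provider", fallback="permit").strip().lower()
        selinux = cp.get(section, "selinux_provider", fallback=id_prov).strip().lower()
        if access == "ipa" and selinux != "none":
            hits.append(section[len("domain/"):])
    return hits


def apply_workaround(text):
    """Return the config text with 'selinux_provider = none' set in every affected
    domain section. The text is edited line by line so comments and ordering in
    other sections survive (ConfigParser.write() would drop comments)."""
    targets = set(affected_domains(text))
    out = []
    in_target = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            name = stripped[1:-1]
            in_target = name.startswith("domain/") and name[len("domain/"):] in targets
            out.append(line)
            if in_target:
                out.append("selinux_provider = none")
            continue
        # Drop any explicit selinux_provider in a target section; the line we
        # inserted under the header now carries the workaround value.
        if in_target and stripped.split("=", 1)[0].strip().lower() == "selinux_provider":
            continue
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("affected:", affected_domains(SAMPLE_SSSD_CONF))
    print(apply_workaround(SAMPLE_SSSD_CONF))
```

Run it against a real /etc/sssd/sssd.conf by reading the file into affected_domains(); note that the script reports only the configuration shape, not the installed SSSD version, so a host running a patched build or a release other than 1.9.0 beta6 will still be listed if it has an IPA access provider with SELinux handling enabled.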
Review of the realmd dbus interface
by Stef Walter
Are any of you interested in reviewing the realmd DBus interface, and
making sure I'm not screwing up in an obvious way?
By the time Fedora 18 releases I'd like to have this interface be
stable. Obviously new properties and methods can be added later, but I'd
like to try and not change the current properties and methods (and their
semantics) after that point.
Even if another project (like sssd) ends up re-implementing the
interfaces, it would be nice if we manage to keep them stable so callers
don't have to change.
Documentation:
http://www.freedesktop.org/software/realmd/docs/index.html
Source:
http://cgit.freedesktop.org/realmd/realmd/tree/dbus/org.freedesktop.realm...
The interfaces are used to discover/enroll/unenroll realms/domains and
manage login policy. Things to keep in mind:
* There are multiple providers like samba-ad, sssd-ad, sssd-ipa, at
different object paths. And a single provider combining them all
at a top level object path. This way it's easy to discover using
any provider with one operation, or get all the realms.
* Multiple realm objects can be returned from a discovery for the same
actual realm. These are ordered by relevance, and most callers would
choose the first realm returned from a discovery. But more advanced
callers can choose a realm based on the implementation (i.e. winbind
vs. sssd).
Anyway. Thank you in advance for any time spent on looking this over. I
appreciate it.
Cheers,
Stef
11 years, 8 months
[PATCH] Don't use server after SRV data collapsed
by Jakub Hrozek
Collapsing servers previously expanded from an SRV query leads to a small
window where we use memory that was already freed.
I originally suspected this was the cause for the failover crash we've
been seeing lately, but I was wrong. I'll keep looking.
11 years, 8 months