[PATCH] mmap_cache: Store corrupted mmap cache before reset
by Michal Židek
Hello,
I think it could be useful to store the corrupted memory cache
before reset. We have very little info about what was really
wrong in the cache when it was in inconsistent state. This way we
could ask users to send us copy of the corrupted cache if they
hit this issue. It could provide some more answers.
Patch is attached. It stores the corrupted cache in
/var/lib/sss/mc/<cache_name>_corrupted.
Thanks
Michal
10 years, 8 months
[PATCHES] Minor buildsystem patches
by Stephen Gallagher
Patch 0001: Add Eclipse project files to the .gitignore
Some of us use Eclipse as a code editor and would prefer not to see
the project files in 'git status'
Patch 0002: Fix contrib build macros to display warnings
There was an inconsistency with how the warnings were specified and
how they were consumed by the macros. The result was that warnings were
hidden.
10 years, 8 months
[PATCH] KRB5: Add new #define for collection cache types
by Stephen Gallagher
Kerberos now supports multiple types of collection caches, not just
DIR: caches. We should add a macro for generic collection behavior
and use that where appropriate.
Since the execution path is the same for all collection types, it made
sense to convert the existing usages of HAVE_KRB5_DIRCACHE to
HAVE_KRB5_CC_COLLECTION instead.
This patch applies atop the two patches in the thread "[PATCH] KRB5:
Refactor cc_*_check_existing" and is a precursor to upcoming patches
for supporting the KEYRING cache type.
10 years, 8 months
[PATCH] KRB5: Refactor cc_*_check_existing
by Stephen Gallagher
There was duplicated code in cc_file_check_existing() and in
cc_dir_check_existing(). I pulled them into the same function.
There are two changes made to the original code here:
1) Fixes a use-after-free bug in cc_file_check_existing(). In the
original code, we called krb5_free_context() and then used that
context immediately after that in krb5_cc_close(). This patch
corrects the ordering.
2) The krb5_cc_resolve() call handles KRB5_FCC_NOFILE for all
cache types. Previously, this was only handled for DIR caches.
This second part I need someone with Kerberos knowledge to verify. Is
there a risk of receiving this error for the FILE or KEYRING types,
and if so is this handling still acceptable or should they be
special-cased?
10 years, 8 months
[PATCH] Use conditional build for retrieving ccache.
by Lukas Slebodnik
ehlo,
Sumit wrote me yesterday, that some krb5 functions in
get_ccache_name_by_principal needn't be available in older version of libkrb5.
We noticed that this function is very similar to another function,
get_ccache_for_princ, and a conditional build was used there.
Refactoring patch is attached.
LS
10 years, 8 months
[PATCHES] Fixes and improvements for ipa_server_mode
by Sumit Bose
Hi,
I wrote the following patches while testing the ipa_server_mode. While
the first three are needed fixes the fourth patch is an improvement
which might help to avoid an additional request to the LDAP server.
bye,
Sumit
10 years, 8 months
Re: [SSSD] [PATCH] mmap_cache: Check data->name value in client code
by Simo Sorce
On Tue, 2013-08-13 at 19:42 +0200, Michal Židek wrote:
> Thanks for the review Simo.
>
> On 08/12/2013 11:07 PM, Simo Sorce wrote:
> > What you need to check is something like:
> > if (data->name > offsetof(struct sss_mc_pwd_data, strs) +
> > data->strs_len) { return ENOENT; }
> >
> > ... except you should probably not trust strs_len entirely at this point
> > if you are trying to catch malformed data and you should also check that
> > data + strs_len is within the mmaped memory region.
> >
>
> Ok. The new check tests if data + strs_len is in the data_table
> (if it is somewhere else in the mmaped region it is already corrupted).
Sure.
> > Also at this point it may make sense to do a strlen(name) upfront and
> > check that strs_len > name and return immediately if not.
> >
>
> I added this one check too... I think it is not bad to have another
> line of defense.
Thanks.
> Btw. I think we have off-by-one error in cases where we use pattern:
> if (slot > MC_SIZE_TO_SLOTS(data_table_size)) {
> return something (ENOENT/NULL);
> }
>
> If the slots are numbered from 0 and MC_SIZE_TO_SLOTS returns
> number of slots needed to store some amount of data, there should
> be '>=' no '>'. Please check my thinking. If I am correct then the
> second patch should fix it.
Let's look at MC_SIZE_TO_SLOTS() definition:
We always add (MC_SLOT_SIZE -1) to the requested size.
This means if you ask 1 byte you get 1 slot, if you ask for MC_SLOT_SIZE
+ 1 you get 2 slots.
Ie you get the right number of slots required for the size when you call
that macro.
So yeah good catch!
However I think I'd like to see this fixed in a different way, by using
a macro as we use this check elsewhere.
Something like:
#define MC_SLOT_WITHIN_BOUNDS(slot, size) \
(slot <= (size / MC_SLOT_SIZE))
and change the check to:
if (!MC_SLOT_WITHIN_BOUNDS(slot, mcc->dt_size)) { ...
This would be more error proof if someone should add code in future to
check bounds.
> I also removed the triple check at Lukas's request in the second
> patch, since it modifies the same parts already).
I would prefer this to be done in a separate patch please.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
10 years, 8 months
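An added example (not code from this thread or from SSSD itself) that works through the two points raised in the message above: how a round-up slot count makes the `>` pattern off by one for slots numbered from 0, and what a client-side sanity check of a record looks like when the name offset, strs_len and the data table size are all treated as untrusted, with a strlen(name) check done up front. MC_SLOT_SIZE, the struct mc_pwd_data layout, the sample table and the function names are assumptions made for the example; the bounds macro uses a strict `<`, which is the fixed form of the check for 0-based slot numbers.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MC_SLOT_SIZE 40   /* assumed slot size for the example */

/* Slots needed to store `size` bytes; rounds up, so 1 byte -> 1 slot and
 * MC_SLOT_SIZE + 1 bytes -> 2 slots. */
#define MC_SIZE_TO_SLOTS(size) (((size) + MC_SLOT_SIZE - 1) / MC_SLOT_SIZE)

/* Slots are numbered from 0, so the last valid slot is count - 1 and the
 * comparison has to be strict (assumed fixed form of the check). */
#define MC_SLOT_WITHIN_BOUNDS(slot, size) ((slot) < MC_SIZE_TO_SLOTS(size))

/* The pattern discussed above: `slot > count` still lets slot == count
 * through, one past the last valid index. Returns 1 if the slot is accepted. */
int slot_accepted_by_old_check(uint32_t slot, size_t size)
{
    return !(slot > MC_SIZE_TO_SLOTS(size));
}

/* Constructed record layout, loosely modelled on the thread's description. */
struct mc_pwd_data {
    uint32_t name;      /* offset of the name string from the record start */
    uint32_t strs_len;  /* bytes used by the packed strings in strs[] */
    char strs[];        /* NUL-terminated strings, name first */
};

/* Validate the record at byte offset rec_off of a dt_size-byte data table
 * before trusting any of its fields, then compare the stored name with
 * lookup_name. Returns 0 for a well-formed, matching record, else ENOENT. */
int mc_check_pwd_record(const uint8_t *dt, size_t dt_size, size_t rec_off,
                        const char *lookup_name)
{
    const size_t hdr = offsetof(struct mc_pwd_data, strs);
    const size_t need = strlen(lookup_name) + 1;      /* strlen upfront */
    const struct mc_pwd_data *data;
    const char *stored;
    size_t end;

    /* The fixed header must lie entirely inside the table. */
    if (rec_off > dt_size || dt_size - rec_off < hdr) return ENOENT;
    data = (const struct mc_pwd_data *)(dt + rec_off);

    /* Do not trust strs_len: data + strs_len must stay inside the table. */
    if (data->strs_len > dt_size - rec_off - hdr) return ENOENT;
    end = hdr + data->strs_len;

    /* A name longer than the whole string area cannot be stored here. */
    if (need > data->strs_len) return ENOENT;

    /* The name offset must point inside the string area with room to spare. */
    if (data->name < hdr || data->name >= end || end - data->name < need)
        return ENOENT;

    /* The stored string must be NUL-terminated inside the string area. */
    stored = (const char *)data + data->name;
    if (memchr(stored, '\0', end - data->name) == NULL) return ENOENT;

    return strcmp(stored, lookup_name) == 0 ? 0 : ENOENT;
}

/* Constructed 4-slot table holding one record for "alice" at offset 0. */
#define SAMPLE_DT_SIZE (4 * MC_SLOT_SIZE)
static _Alignas(uint32_t) uint8_t sample_dt[SAMPLE_DT_SIZE];

static size_t build_sample_table(void)
{
    struct mc_pwd_data *rec = (struct mc_pwd_data *)sample_dt;
    const char strs[] = "alice\0/bin/bash";          /* two packed strings */
    memset(sample_dt, 0, sizeof(sample_dt));
    rec->name = offsetof(struct mc_pwd_data, strs);  /* name is first */
    rec->strs_len = sizeof(strs);                    /* 16 bytes, both NULs */
    memcpy(rec->strs, strs, sizeof(strs));
    return SAMPLE_DT_SIZE;
}

/* Returns 0 when the intact record validates and every corruption below is
 * rejected; otherwise the number of the first failing case. */
int run_corruption_cases(void)
{
    struct mc_pwd_data *rec = (struct mc_pwd_data *)sample_dt;
    size_t n = build_sample_table();
    if (mc_check_pwd_record(sample_dt, n, 0, "alice") != 0) return 1;
    if (mc_check_pwd_record(sample_dt, n, 0, "bob") != ENOENT) return 2;
    build_sample_table(); rec->strs_len = 100000;    /* runs past the table */
    if (mc_check_pwd_record(sample_dt, n, 0, "alice") != ENOENT) return 3;
    build_sample_table(); rec->name = 1000;          /* offset outside record */
    if (mc_check_pwd_record(sample_dt, n, 0, "alice") != ENOENT) return 4;
    build_sample_table(); rec->strs_len = 2;         /* too short for "alice" */
    if (mc_check_pwd_record(sample_dt, n, 0, "alice") != ENOENT) return 5;
    build_sample_table(); memset(rec->strs, 'A', rec->strs_len); /* no NUL */
    if (mc_check_pwd_record(sample_dt, n, 0, "alice") != ENOENT) return 6;
    build_sample_table();
    return 0;
}

int main(void)
{
    printf("slots for 1 byte: %zu, for %d bytes: %zu\n",
           (size_t)MC_SIZE_TO_SLOTS(1), MC_SLOT_SIZE + 1,
           (size_t)MC_SIZE_TO_SLOTS(MC_SLOT_SIZE + 1));
    printf("slot 4 of a 4-slot table: old check %d, macro %d\n",
           slot_accepted_by_old_check(4, SAMPLE_DT_SIZE),
           MC_SLOT_WITHIN_BOUNDS(4, SAMPLE_DT_SIZE));
    printf("corruption cases: %d\n", run_corruption_cases());
    return 0;
}
```

The order of the checks matters: strs_len is validated against the table before it is used to compute the end of the string area, and the name offset is validated against that end before the string is read, so no field is dereferenced or used in arithmetic until the bytes it points at are known to be inside the mapping.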
ssh client correctly denied access but sees "connection closed by IP"
by Sophit4
SSH Server is running on a RHEL 6.4 system with version
sssd-1.9.2-82.7.el6_4.x86_64.
I'm using access_provider = ldap in sssd.conf and ldap_access_filter =
memberOf=cn=GoodUsers,ou=x,ou=y,o=z
This is working as intended but remote ssh users not in group GoodUsers are
simply disconnected with no error message after successfully authenticating
via authorized_keys or LDAP password.
Is there a way to better inform the end user the general reason for the
disconnect?
Current behavior:
[usr1@test-client Desktop]$ ssh test-server
*Connection closed by* 192.168.1.22
[root@test-server ~]# tail -1 /var/log/secure
Aug 15 11:40:20 test-server sshd[5562]: *fatal*: Access denied for user
usr1 by PAM account configuration
Thanks in advance.
10 years, 8 months