[sssd/f19] Remove the ability to create public ccachedir (#1015089)
Jakub Hrozek
jhrozek at fedoraproject.org
Wed Oct 9 08:09:57 UTC 2013
commit 724093789cf5d2704c1a9e9a8659f86260bda1de
Author: Jakub Hrozek <jhrozek at redhat.com>
Date: Fri Oct 4 09:51:35 2013 +0200
Remove the ability to create public ccachedir (#1015089)
...move-ability-to-create-public-directories.patch | 284 +++++++++++++
0002-krb5-Fix-unit-tests.patch | 432 ++++++++++++++++++++
sssd.spec | 7 +-
3 files changed, 722 insertions(+), 1 deletions(-)
---
diff --git a/0001-krb5-Remove-ability-to-create-public-directories.patch b/0001-krb5-Remove-ability-to-create-public-directories.patch
new file mode 100644
index 0000000..367e26c
--- /dev/null
+++ b/0001-krb5-Remove-ability-to-create-public-directories.patch
@@ -0,0 +1,284 @@
+From 121baf75c457c2642a2408173c5240027734a3fd Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo at redhat.com>
+Date: Tue, 3 Sep 2013 22:48:02 -0400
+Subject: [PATCH 1/2] krb5: Remove ability to create public directories
+
+Setting up public directories is the job of the admin, and
+current sssd syntax can't express the actual intention of the admin with
+regrads to which parts of the path should be public or private.
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/2071
+---
+ src/providers/krb5/krb5_auth.c | 7 ++-
+ src/providers/krb5/krb5_utils.c | 96 ++++++++++++++---------------------------
+ src/providers/krb5/krb5_utils.h | 6 +--
+ 3 files changed, 38 insertions(+), 71 deletions(-)
+
+diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
+index 51c0d739247b7d40a17b6ee367c502df140a7383..a16b5395d21c40e53a5e69519141cbd3c47d7907 100644
+--- a/src/providers/krb5/krb5_auth.c
++++ b/src/providers/krb5/krb5_auth.c
+@@ -292,7 +292,7 @@ static errno_t krb5_auth_prepare_ccache_name(struct krb5child_req *kr,
+ struct be_ctx *be_ctx)
+ {
+ const char *ccname_template;
+- bool private_path = false;
++ const char *realm;
+ errno_t ret;
+
+ if (!kr->is_offline) {
+@@ -317,8 +317,7 @@ static errno_t krb5_auth_prepare_ccache_name(struct krb5child_req *kr,
+ ccname_template = dp_opt_get_cstring(kr->krb5_ctx->opts,
+ KRB5_CCNAME_TMPL);
+ kr->ccname = expand_ccname_template(kr, kr, ccname_template, true,
+- be_ctx->domain->case_sensitive,
+- &private_path);
++ be_ctx->domain->case_sensitive);
+ if (kr->ccname == NULL) {
+ DEBUG(1, ("expand_ccname_template failed.\n"));
+ return ENOMEM;
+@@ -326,7 +325,7 @@ static errno_t krb5_auth_prepare_ccache_name(struct krb5child_req *kr,
+
+ ret = sss_krb5_precreate_ccache(kr->ccname,
+ kr->krb5_ctx->illegal_path_re,
+- kr->uid, kr->gid, private_path);
++ kr->uid, kr->gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("ccache creation failed.\n"));
+ return ret;
+diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c
+index e6860482d9d330cbf12ad42d04e2e3af894cee89..cf6d72ad2e67f0d09ce423738003aa719cc43456 100644
+--- a/src/providers/krb5/krb5_utils.c
++++ b/src/providers/krb5/krb5_utils.c
+@@ -203,7 +203,7 @@ done:
+
+ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
+ const char *template, bool file_mode,
+- bool case_sensitive, bool *private_path)
++ bool case_sensitive)
+ {
+ char *copy;
+ char *p;
+@@ -217,8 +217,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
+ char action;
+ bool rerun;
+
+- *private_path = false;
+-
+ if (template == NULL) {
+ DEBUG(1, ("Missing template.\n"));
+ return NULL;
+@@ -269,7 +267,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
+
+ result = talloc_asprintf_append(result, "%s%s", p,
+ name);
+- if (!file_mode) *private_path = true;
+ break;
+ case 'U':
+ if (kr->uid <= 0) {
+@@ -279,7 +276,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
+ }
+ result = talloc_asprintf_append(result, "%s%"SPRIuid, p,
+ kr->uid);
+- if (!file_mode) *private_path = true;
+ break;
+ case 'p':
+ if (kr->upn == NULL) {
+@@ -288,7 +284,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
+ goto done;
+ }
+ result = talloc_asprintf_append(result, "%s%s", p, kr->upn);
+- if (!file_mode) *private_path = true;
+ break;
+ case '%':
+ result = talloc_asprintf_append(result, "%s%%", p);
+@@ -308,7 +303,6 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
+ goto done;
+ }
+ result = talloc_asprintf_append(result, "%s%s", p, kr->homedir);
+- if (!file_mode) *private_path = true;
+ break;
+ case 'd':
+ if (file_mode) {
+@@ -320,8 +314,7 @@ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
+ }
+
+ dummy = expand_ccname_template(tmp_ctx, kr, cache_dir_tmpl,
+- false, case_sensitive,
+- private_path);
++ false, case_sensitive);
+ if (dummy == NULL) {
+ DEBUG(1, ("Expanding credential cache directory "
+ "template failed.\n"));
+@@ -414,41 +407,30 @@ done:
+ return res;
+ }
+
+-static errno_t check_parent_stat(bool private_path, struct stat *parent_stat,
++static errno_t check_parent_stat(struct stat *parent_stat,
+ uid_t uid, gid_t gid)
+ {
+- if (private_path) {
+- if (!((parent_stat->st_uid == 0 && parent_stat->st_gid == 0) ||
+- parent_stat->st_uid == uid)) {
+- DEBUG(1, ("Private directory can only be created below a "
+- "directory belonging to root or to "
+- "[%"SPRIuid"][%"SPRIgid"].\n", uid, gid));
+- return EINVAL;
+- }
++ if (!((parent_stat->st_uid == 0 && parent_stat->st_gid == 0) ||
++ parent_stat->st_uid == uid)) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ ("Private directory can only be created below a directory "
++ "belonging to root or to [%"SPRIuid"][%"SPRIgid"].\n",
++ uid, gid));
++ return EINVAL;
++ }
+
+- if (parent_stat->st_uid == uid) {
+- if (!(parent_stat->st_mode & S_IXUSR)) {
+- DEBUG(1, ("Parent directory does have the search bit set for "
+- "the owner.\n"));
+- return EINVAL;
+- }
+- } else {
+- if (!(parent_stat->st_mode & S_IXOTH)) {
+- DEBUG(1, ("Parent directory does have the search bit set for "
+- "others.\n"));
+- return EINVAL;
+- }
++ if (parent_stat->st_uid == uid) {
++ if (!(parent_stat->st_mode & S_IXUSR)) {
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ ("Parent directory does not have the search bit set for "
++ "the owner.\n"));
++ return EINVAL;
+ }
+ } else {
+- if (parent_stat->st_uid != 0 || parent_stat->st_gid != 0) {
+- DEBUG(1, ("Public directory cannot be created below a user "
+- "directory.\n"));
+- return EINVAL;
+- }
+-
+ if (!(parent_stat->st_mode & S_IXOTH)) {
+- DEBUG(1, ("Parent directory does have the search bit set for "
+- "others.\n"));
++ DEBUG(SSSDBG_CRIT_FAILURE,
++ ("Parent directory does not have the search bit set for "
++ "others.\n"));
+ return EINVAL;
+ }
+ }
+@@ -559,7 +541,7 @@ check_ccache_re(const char *filename, pcre *illegal_re)
+
+ errno_t
+ create_ccache_dir(const char *ccdirname, pcre *illegal_re,
+- uid_t uid, gid_t gid, bool private_path)
++ uid_t uid, gid_t gid)
+ {
+ int ret = EFAULT;
+ struct stat parent_stat;
+@@ -598,27 +580,17 @@ create_ccache_dir(const char *ccdirname, pcre *illegal_re,
+ goto done;
+ }
+
+- ret = check_parent_stat(private_path, &parent_stat, uid, gid);
++ ret = check_parent_stat(&parent_stat, uid, gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+- ("check_parent_stat failed for %s directory [%s].\n",
+- private_path ? "private" : "public", ccdirname));
++ ("check_parent_stat failed for directory [%s].\n", ccdirname));
+ goto done;
+ }
+
+ DLIST_FOR_EACH(li, missing_parents) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ ("Creating directory [%s].\n", li->s));
+- if (li->next == NULL) {
+- new_dir_mode = private_path ? 0700 : 01777;
+- } else {
+- if (private_path &&
+- parent_stat.st_uid == uid && parent_stat.st_gid == gid) {
+- new_dir_mode = 0700;
+- } else {
+- new_dir_mode = 0755;
+- }
+- }
++ new_dir_mode = 0700;
+
+ old_umask = umask(0000);
+ ret = mkdir(li->s, new_dir_mode);
+@@ -630,16 +602,12 @@ create_ccache_dir(const char *ccdirname, pcre *illegal_re,
+ strerror(ret)));
+ goto done;
+ }
+- if (private_path &&
+- ((parent_stat.st_uid == uid && parent_stat.st_gid == gid) ||
+- li->next == NULL)) {
+- ret = chown(li->s, uid, gid);
+- if (ret != EOK) {
+- ret = errno;
+- DEBUG(SSSDBG_MINOR_FAILURE,
+- ("chown failed [%d][%s].\n", ret, strerror(ret)));
+- goto done;
+- }
++ ret = chown(li->s, uid, gid);
++ if (ret != EOK) {
++ ret = errno;
++ DEBUG(SSSDBG_MINOR_FAILURE,
++ ("chown failed [%d][%s].\n", ret, strerror(ret)));
++ goto done;
+ }
+ }
+
+@@ -758,7 +726,7 @@ done:
+ }
+
+ errno_t sss_krb5_precreate_ccache(const char *ccname, pcre *illegal_re,
+- uid_t uid, gid_t gid, bool private_path)
++ uid_t uid, gid_t gid)
+ {
+ TALLOC_CTX *tmp_ctx = NULL;
+ const char *filename;
+@@ -802,7 +770,7 @@ errno_t sss_krb5_precreate_ccache(const char *ccname, pcre *illegal_re,
+ *end = '\0';
+ } while (*(end+1) == '\0');
+
+- ret = create_ccache_dir(ccdirname, illegal_re, uid, gid, private_path);
++ ret = create_ccache_dir(ccdirname, illegal_re, uid, gid);
+ done:
+ talloc_free(tmp_ctx);
+ return ret;
+diff --git a/src/providers/krb5/krb5_utils.h b/src/providers/krb5/krb5_utils.h
+index 33cc6112b02af6991ef4aa4f1988dcbe08ed9266..4b1ebb0bb7a9e13d68ee62820f6408d029a2f072 100644
+--- a/src/providers/krb5/krb5_utils.h
++++ b/src/providers/krb5/krb5_utils.h
+@@ -43,11 +43,11 @@ errno_t check_if_cached_upn_needs_update(struct sysdb_ctx *sysdb,
+ const char *upn);
+
+ errno_t create_ccache_dir(const char *dirname, pcre *illegal_re,
+- uid_t uid, gid_t gid, bool private_path);
++ uid_t uid, gid_t gid);
+
+ char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr,
+ const char *template, bool file_mode,
+- bool case_sensitive, bool *private_path);
++ bool case_sensitive);
+
+ errno_t become_user(uid_t uid, gid_t gid);
+ struct sss_creds;
+@@ -58,7 +58,7 @@ errno_t switch_creds(TALLOC_CTX *mem_ctx,
+ errno_t restore_creds(struct sss_creds *saved_creds);
+
+ errno_t sss_krb5_precreate_ccache(const char *ccname, pcre *illegal_re,
+- uid_t uid, gid_t gid, bool private_path);
++ uid_t uid, gid_t gid);
+ errno_t sss_krb5_cc_destroy(const char *ccname, uid_t uid, gid_t gid);
+ errno_t sss_krb5_check_ccache_princ(uid_t uid, gid_t gid,
+ const char *ccname, const char *principal);
+--
+1.8.3.1
+
diff --git a/0002-krb5-Fix-unit-tests.patch b/0002-krb5-Fix-unit-tests.patch
new file mode 100644
index 0000000..369c1f3
--- /dev/null
+++ b/0002-krb5-Fix-unit-tests.patch
@@ -0,0 +1,432 @@
+From adf0fd14ea54a3b015efe8a6d67532b87a064cdd Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek at redhat.com>
+Date: Fri, 4 Oct 2013 09:40:34 +0200
+Subject: [PATCH 2/2] krb5: Fix unit tests
+
+---
+ src/tests/krb5_child-test.c | 5 +-
+ src/tests/krb5_utils-tests.c | 126 +++++++++++++++----------------------------
+ 2 files changed, 46 insertions(+), 85 deletions(-)
+
+diff --git a/src/tests/krb5_child-test.c b/src/tests/krb5_child-test.c
+index 959b1bd698284d0db16634357e39fcd076b9fa00..0c6b68b82c648b8e83f5d11b613dd57be89482a0 100644
+--- a/src/tests/krb5_child-test.c
++++ b/src/tests/krb5_child-test.c
+@@ -198,7 +198,6 @@ create_dummy_req(TALLOC_CTX *mem_ctx, const char *user,
+ {
+ struct krb5child_req *kr;
+ struct passwd *pwd;
+- bool private = false;
+ errno_t ret;
+
+ /* The top level child request */
+@@ -246,7 +245,7 @@ create_dummy_req(TALLOC_CTX *mem_ctx, const char *user,
+ kr->ccname = expand_ccname_template(kr, kr,
+ dp_opt_get_cstring(kr->krb5_ctx->opts,
+ KRB5_CCNAME_TMPL),
+- true, true, &private);
++ true, true);
+ if (!kr->ccname) goto fail;
+
+ DEBUG(SSSDBG_FUNC_DATA, ("ccname [%s] uid [%llu] gid [%llu]\n",
+@@ -262,7 +261,7 @@ create_dummy_req(TALLOC_CTX *mem_ctx, const char *user,
+
+ ret = sss_krb5_precreate_ccache(kr->ccname,
+ kr->krb5_ctx->illegal_path_re,
+- kr->uid, kr->gid, private);
++ kr->uid, kr->gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("create_ccache_dir failed.\n"));
+ goto fail;
+diff --git a/src/tests/krb5_utils-tests.c b/src/tests/krb5_utils-tests.c
+index ea0292569135e0fc22a44251cfc4e8719a15837f..3e0c607a58b9ff0840a93867c1ad61cc5a2ae665 100644
+--- a/src/tests/krb5_utils-tests.c
++++ b/src/tests/krb5_utils-tests.c
+@@ -117,13 +117,13 @@ START_TEST(test_pub_ccache_dir)
+
+ ret = chmod(testpath, 0754);
+ fail_unless(ret == EOK, "chmod failed.");
+- ret = sss_krb5_precreate_ccache(filename, NULL, 12345, 12345, false);
++ ret = sss_krb5_precreate_ccache(filename, NULL, 12345, 12345);
+ fail_unless(ret == EINVAL, "sss_krb5_precreate_ccache does not return EINVAL "
+ "while x-bit is missing.");
+
+ ret = chmod(testpath, 0755);
+ fail_unless(ret == EOK, "chmod failed.");
+- ret = sss_krb5_precreate_ccache(filename, NULL, 12345, 12345, false);
++ ret = sss_krb5_precreate_ccache(filename, NULL, 12345, 12345);
+ fail_unless(ret == EOK, "sss_krb5_precreate_ccache failed.");
+
+ check_dir(subdirname, 0, 0, 01777);
+@@ -158,7 +158,7 @@ START_TEST(test_pub_ccache_dir_in_user_dir)
+ filename = talloc_asprintf(tmp_ctx, "%s/ccfile", subdirname);
+ fail_unless(filename != NULL, "talloc_asprintf failed.");
+
+- ret = sss_krb5_precreate_ccache(filename, NULL, 12345, 12345, false);
++ ret = sss_krb5_precreate_ccache(filename, NULL, 12345, 12345);
+ fail_unless(ret == EINVAL, "Creating public ccache dir in user dir "
+ "does not failed with EINVAL.");
+
+@@ -193,13 +193,13 @@ START_TEST(test_priv_ccache_dir)
+
+ ret = chmod(testpath, 0754);
+ fail_unless(ret == EOK, "chmod failed.");
+- ret = sss_krb5_precreate_ccache(filename, NULL, uid, gid, true);
++ ret = sss_krb5_precreate_ccache(filename, NULL, uid, gid);
+ fail_unless(ret == EINVAL, "sss_krb5_precreate_ccache does not return EINVAL "
+ "while x-bit is missing.");
+
+ ret = chmod(testpath, 0755);
+ fail_unless(ret == EOK, "chmod failed.");
+- ret = sss_krb5_precreate_ccache(filename, NULL, uid, gid, true);
++ ret = sss_krb5_precreate_ccache(filename, NULL, uid, gid);
+ fail_unless(ret == EOK, "sss_krb5_precreate_ccache failed.");
+
+ check_dir(subdir, uid, gid, 0700);
+@@ -248,13 +248,13 @@ START_TEST(test_private_ccache_dir_in_user_dir)
+
+ ret = chmod(user_dir, 0600);
+ fail_unless(ret == EOK, "chmod failed.");
+- ret = sss_krb5_precreate_ccache(filename, NULL, uid, gid, true);
++ ret = sss_krb5_precreate_ccache(filename, NULL, uid, gid);
+ fail_unless(ret == EINVAL, "sss_krb5_precreate_ccache does not return EINVAL "
+ "while x-bit is missing.");
+
+ ret = chmod(user_dir, 0700);
+ fail_unless(ret == EOK, "chmod failed.");
+- ret = sss_krb5_precreate_ccache(filename, NULL, uid, gid, true);
++ ret = sss_krb5_precreate_ccache(filename, NULL, uid, gid);
+ fail_unless(ret == EOK, "sss_krb5_precreate_ccache failed.");
+
+ check_dir(dn3, uid, gid, 0700);
+@@ -292,7 +292,7 @@ START_TEST(test_private_ccache_dir_in_wrong_user_dir)
+ filename = talloc_asprintf(tmp_ctx, "%s/ccfile", subdirname);
+ fail_unless(filename != NULL, "talloc_asprintf failed.");
+
+- ret = sss_krb5_precreate_ccache(filename, NULL, 12345, 12345, true);
++ ret = sss_krb5_precreate_ccache(filename, NULL, 12345, 12345);
+ fail_unless(ret == EINVAL, "Creating private ccache dir in wrong user "
+ "dir does not failed with EINVAL.");
+
+@@ -329,27 +329,27 @@ START_TEST(test_illegal_patterns)
+
+ filename = talloc_asprintf(tmp_ctx, "abc/./ccfile");
+ fail_unless(filename != NULL, "talloc_asprintf failed.");
+- ret = create_ccache_dir(filename, illegal_re, uid, gid, true);
++ ret = create_ccache_dir(filename, illegal_re, uid, gid);
+ fail_unless(ret == EINVAL, "create_ccache_dir allowed relative path [%s].",
+ filename);
+
+ filename = talloc_asprintf(tmp_ctx, "%s/abc/./ccfile", dirname);
+ fail_unless(filename != NULL, "talloc_asprintf failed.");
+- ret = create_ccache_dir(filename, illegal_re, uid, gid, true);
++ ret = create_ccache_dir(filename, illegal_re, uid, gid);
+ fail_unless(ret == EINVAL, "create_ccache_dir allowed "
+ "illegal pattern '/./' in filename [%s].",
+ filename);
+
+ filename = talloc_asprintf(tmp_ctx, "%s/abc/../ccfile", dirname);
+ fail_unless(filename != NULL, "talloc_asprintf failed.");
+- ret = create_ccache_dir(filename, illegal_re, uid, gid, true);
++ ret = create_ccache_dir(filename, illegal_re, uid, gid);
+ fail_unless(ret == EINVAL, "create_ccache_dir allowed "
+ "illegal pattern '/../' in filename [%s].",
+ filename);
+
+ filename = talloc_asprintf(tmp_ctx, "%s/abc//ccfile", dirname);
+ fail_unless(filename != NULL, "talloc_asprintf failed.");
+- ret = create_ccache_dir(filename, illegal_re, uid, gid, true);
++ ret = create_ccache_dir(filename, illegal_re, uid, gid);
+ fail_unless(ret == EINVAL, "create_ccache_dir allowed "
+ "illegal pattern '//' in filename [%s].",
+ filename);
+@@ -385,7 +385,7 @@ START_TEST(test_cc_dir_create)
+ residual = talloc_asprintf(tmp_ctx, "DIR:%s/%s", dirname, "ccdir");
+ fail_unless(residual != NULL, "talloc_asprintf failed.");
+
+- ret = sss_krb5_precreate_ccache(residual, illegal_re, uid, gid, true);
++ ret = sss_krb5_precreate_ccache(residual, illegal_re, uid, gid);
+ fail_unless(ret == EOK, "sss_krb5_precreate_ccache failed\n");
+ ret = rmdir(dirname);
+ if (ret < 0) ret = errno;
+@@ -398,7 +398,7 @@ START_TEST(test_cc_dir_create)
+ residual = talloc_asprintf(tmp_ctx, "DIR:%s/%s", dirname, "ccdir/");
+ fail_unless(residual != NULL, "talloc_asprintf failed.");
+
+- ret = sss_krb5_precreate_ccache(residual, illegal_re, uid, gid, true);
++ ret = sss_krb5_precreate_ccache(residual, illegal_re, uid, gid);
+ fail_unless(ret == EOK, "sss_krb5_precreate_ccache failed\n");
+ ret = rmdir(dirname);
+ if (ret < 0) ret = errno;
+@@ -463,40 +463,34 @@ void free_talloc_context(void)
+ }
+
+ static void do_test(const char *file_template, const char *dir_template,
+- const char *expected, const bool expected_private_path)
++ const char *expected)
+ {
+ char *result;
+ int ret;
+- bool private_path = false;
+
+ ret = dp_opt_set_string(kr->krb5_ctx->opts, KRB5_CCACHEDIR, dir_template);
+ fail_unless(ret == EOK, "Failed to set Ccache dir");
+
+- result = expand_ccname_template(tmp_ctx, kr, file_template, true,
+- true, &private_path);
++ result = expand_ccname_template(tmp_ctx, kr, file_template, true, true);
+
+ fail_unless(result != NULL, "Cannot expand template [%s].", file_template);
+ fail_unless(strcmp(result, expected) == 0,
+ "Expansion failed, result [%s], expected [%s].",
+ result, expected);
+- fail_unless(private_path == expected_private_path,
+- "Unexpected private path, get [%s], expected [%s].",
+- private_path ? "true" : "false",
+- expected_private_path ? "true" : "false");
+ }
+
+ START_TEST(test_multiple_substitutions)
+ {
+- do_test(BASE"_%u_%U_%u", CCACHE_DIR, BASE"_"USERNAME"_"UID"_"USERNAME, false);
++ do_test(BASE"_%u_%U_%u", CCACHE_DIR, BASE"_"USERNAME"_"UID"_"USERNAME);
+ do_test("%d/"FILENAME, BASE"_%u_%U_%u",
+- BASE"_"USERNAME"_"UID"_"USERNAME"/"FILENAME, true);
++ BASE"_"USERNAME"_"UID"_"USERNAME"/"FILENAME);
+ }
+ END_TEST
+
+ START_TEST(test_username)
+ {
+- do_test(BASE"_%u", CCACHE_DIR, BASE"_"USERNAME, false);
+- do_test("%d/"FILENAME, BASE"_%u", BASE"_"USERNAME"/"FILENAME, true);
++ do_test(BASE"_%u", CCACHE_DIR, BASE"_"USERNAME);
++ do_test("%d/"FILENAME, BASE"_%u", BASE"_"USERNAME"/"FILENAME);
+ }
+ END_TEST
+
+@@ -504,7 +498,6 @@ START_TEST(test_case_sensitive)
+ {
+ char *result;
+ int ret;
+- bool private_path = false;
+ const char *file_template = BASE"_%u";
+ const char *expected_cs = BASE"_TestUser";
+ const char *expected_ci = BASE"_testuser";
+@@ -513,16 +506,14 @@ START_TEST(test_case_sensitive)
+ ret = dp_opt_set_string(kr->krb5_ctx->opts, KRB5_CCACHEDIR, CCACHE_DIR);
+ fail_unless(ret == EOK, "Failed to set Ccache dir");
+
+- result = expand_ccname_template(tmp_ctx, kr, file_template, true,
+- true, &private_path);
++ result = expand_ccname_template(tmp_ctx, kr, file_template, true, true);
+
+ fail_unless(result != NULL, "Cannot expand template [%s].", file_template);
+ fail_unless(strcmp(result, expected_cs) == 0,
+ "Expansion failed, result [%s], expected [%s].",
+ result, expected_cs);
+
+- result = expand_ccname_template(tmp_ctx, kr, file_template, true,
+- false, &private_path);
++ result = expand_ccname_template(tmp_ctx, kr, file_template, true, false);
+
+ fail_unless(result != NULL, "Cannot expand template [%s].", file_template);
+ fail_unless(strcmp(result, expected_ci) == 0,
+@@ -533,29 +524,29 @@ END_TEST
+
+ START_TEST(test_uid)
+ {
+- do_test(BASE"_%U", CCACHE_DIR, BASE"_"UID, false);
+- do_test("%d/"FILENAME, BASE"_%U", BASE"_"UID"/"FILENAME, true);
++ do_test(BASE"_%U", CCACHE_DIR, BASE"_"UID);
++ do_test("%d/"FILENAME, BASE"_%U", BASE"_"UID"/"FILENAME);
+ }
+ END_TEST
+
+ START_TEST(test_upn)
+ {
+- do_test(BASE"_%p", CCACHE_DIR, BASE"_"PRINCIPAL_NAME, false);
+- do_test("%d/"FILENAME, BASE"_%p", BASE"_"PRINCIPAL_NAME"/"FILENAME, true);
++ do_test(BASE"_%p", CCACHE_DIR, BASE"_"PRINCIPAL_NAME);
++ do_test("%d/"FILENAME, BASE"_%p", BASE"_"PRINCIPAL_NAME"/"FILENAME);
+ }
+ END_TEST
+
+ START_TEST(test_realm)
+ {
+- do_test(BASE"_%r", CCACHE_DIR, BASE"_"REALM, false);
+- do_test("%d/"FILENAME, BASE"_%r", BASE"_"REALM"/"FILENAME, false);
++ do_test(BASE"_%r", CCACHE_DIR, BASE"_"REALM);
++ do_test("%d/"FILENAME, BASE"_%r", BASE"_"REALM"/"FILENAME);
+ }
+ END_TEST
+
+ START_TEST(test_home)
+ {
+- do_test(BASE"_%h", CCACHE_DIR, BASE"_"HOME_DIRECTORY, false);
+- do_test("%d/"FILENAME, BASE"_%h", BASE"_"HOME_DIRECTORY"/"FILENAME, true);
++ do_test(BASE"_%h", CCACHE_DIR, BASE"_"HOME_DIRECTORY);
++ do_test("%d/"FILENAME, BASE"_%h", BASE"_"HOME_DIRECTORY"/"FILENAME);
+ }
+ END_TEST
+
+@@ -563,20 +554,15 @@ START_TEST(test_ccache_dir)
+ {
+ char *result;
+ int ret;
+- bool private_path = false;
+
+- do_test(BASE"_%d", CCACHE_DIR, BASE"_"CCACHE_DIR, false);
++ do_test(BASE"_%d", CCACHE_DIR, BASE"_"CCACHE_DIR);
+
+ ret = dp_opt_set_string(kr->krb5_ctx->opts, KRB5_CCACHEDIR, BASE"_%d");
+ fail_unless(ret == EOK, "Failed to set Ccache dir");
+
+- result = expand_ccname_template(tmp_ctx, kr, "%d/"FILENAME, true,
+- true, &private_path);
++ result = expand_ccname_template(tmp_ctx, kr, "%d/"FILENAME, true, true);
+
+ fail_unless(result == NULL, "Using %%d in ccache dir should fail.");
+- fail_unless(private_path == false,
+- "Unexpected private path, get [%s], expected [%s].",
+- private_path ? "true" : "false", "false");
+ }
+ END_TEST
+
+@@ -584,39 +570,32 @@ START_TEST(test_pid)
+ {
+ char *result;
+ int ret;
+- bool private_path = false;
+
+- do_test(BASE"_%P", CCACHE_DIR, BASE"_"PID, false);
++ do_test(BASE"_%P", CCACHE_DIR, BASE"_"PID);
+
+ ret = dp_opt_set_string(kr->krb5_ctx->opts, KRB5_CCACHEDIR, BASE"_%P");
+ fail_unless(ret == EOK, "Failed to set Ccache dir");
+
+- result = expand_ccname_template(tmp_ctx, kr, "%d/"FILENAME, true,
+- true, &private_path);
++ result = expand_ccname_template(tmp_ctx, kr, "%d/"FILENAME, true, true);
+
+ fail_unless(result == NULL, "Using %%P in ccache dir should fail.");
+- fail_unless(private_path == false,
+- "Unexpected private path, get [%s], expected [%s].",
+- private_path ? "true" : "false", "false");
+ }
+ END_TEST
+
+ START_TEST(test_percent)
+ {
+- do_test(BASE"_%%", CCACHE_DIR, BASE"_%", false);
+- do_test("%d/"FILENAME, BASE"_%%", BASE"_%/"FILENAME, false);
++ do_test(BASE"_%%", CCACHE_DIR, BASE"_%");
++ do_test("%d/"FILENAME, BASE"_%%", BASE"_%/"FILENAME);
+ }
+ END_TEST
+
+-START_TEST(test_unknow_template)
++START_TEST(test_unknown_template)
+ {
+ const char *test_template = BASE"_%X";
+ char *result;
+ int ret;
+- bool private_path = false;
+
+- result = expand_ccname_template(tmp_ctx, kr, test_template, true,
+- true, &private_path);
++ result = expand_ccname_template(tmp_ctx, kr, test_template, true, true);
+
+ fail_unless(result == NULL, "Unknown template [%s] should fail.",
+ test_template);
+@@ -624,14 +603,10 @@ START_TEST(test_unknow_template)
+ ret = dp_opt_set_string(kr->krb5_ctx->opts, KRB5_CCACHEDIR, BASE"_%X");
+ fail_unless(ret == EOK, "Failed to set Ccache dir");
+ test_template = "%d/"FILENAME;
+- result = expand_ccname_template(tmp_ctx, kr, test_template, true,
+- true, &private_path);
++ result = expand_ccname_template(tmp_ctx, kr, test_template, true, true);
+
+ fail_unless(result == NULL, "Unknown template [%s] should fail.",
+ test_template);
+- fail_unless(private_path == false,
+- "Unexpected private path, get [%s], expected [%s].",
+- private_path ? "true" : "false", "false");
+ }
+ END_TEST
+
+@@ -639,16 +614,11 @@ START_TEST(test_NULL)
+ {
+ char *test_template = NULL;
+ char *result;
+- bool private_path = false;
+
+- result = expand_ccname_template(tmp_ctx, kr, test_template, true,
+- true, &private_path);
++ result = expand_ccname_template(tmp_ctx, kr, test_template, true, true);
+
+ fail_unless(result == NULL, "Expected NULL as a result for an empty input.",
+ test_template);
+- fail_unless(private_path == false,
+- "Unexpected private path, get [%s], expected [%s].",
+- private_path ? "true" : "false", "false");
+ }
+ END_TEST
+
+@@ -656,32 +626,25 @@ START_TEST(test_no_substitution)
+ {
+ const char *test_template = BASE;
+ char *result;
+- bool private_path = false;
+
+- result = expand_ccname_template(tmp_ctx, kr, test_template, true,
+- true, &private_path);
++ result = expand_ccname_template(tmp_ctx, kr, test_template, true, true);
+
+ fail_unless(result != NULL, "Cannot expand template [%s].", test_template);
+ fail_unless(strcmp(result, test_template) == 0,
+ "Expansion failed, result [%s], expected [%s].",
+ result, test_template);
+- fail_unless(private_path == false,
+- "Unexpected private path, get [%s], expected [%s].",
+- private_path ? "true" : "false", "false");
+ }
+ END_TEST
+
+ START_TEST(test_krb5_style_expansion)
+ {
+ char *result;
+- bool private_path = false;
+ const char *file_template;
+ const char *expected;
+
+ file_template = BASE"/%{uid}/%{USERID}/%{euid}/%{username}";
+ expected = BASE"/"UID"/"UID"/"UID"/"USERNAME;
+- result = expand_ccname_template(tmp_ctx, kr, file_template, true,
+- true, &private_path);
++ result = expand_ccname_template(tmp_ctx, kr, file_template, true, true);
+
+ fail_unless(result != NULL, "Cannot expand template [%s].", file_template);
+ fail_unless(strcmp(result, expected) == 0,
+@@ -690,8 +653,7 @@ START_TEST(test_krb5_style_expansion)
+
+ file_template = BASE"/%{unknown}";
+ expected = BASE"/%{unknown}";
+- result = expand_ccname_template(tmp_ctx, kr, file_template, true,
+- false, &private_path);
++ result = expand_ccname_template(tmp_ctx, kr, file_template, true, false);
+
+ fail_unless(result != NULL, "Cannot expand template [%s].", file_template);
+ fail_unless(strcmp(result, expected) == 0,
+@@ -754,7 +716,7 @@ Suite *krb5_utils_suite (void)
+ free_talloc_context);
+ tcase_add_test (tc_ccname_template, test_no_substitution);
+ tcase_add_test (tc_ccname_template, test_NULL);
+- tcase_add_test (tc_ccname_template, test_unknow_template);
++ tcase_add_test (tc_ccname_template, test_unknown_template);
+ tcase_add_test (tc_ccname_template, test_username);
+ tcase_add_test (tc_ccname_template, test_case_sensitive);
+ tcase_add_test (tc_ccname_template, test_uid);
+--
+1.8.3.1
+
diff --git a/sssd.spec b/sssd.spec
index 5e2f862..4b8c365 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -8,7 +8,7 @@
Name: sssd
Version: 1.11.1
-Release: 1%{?dist}
+Release: 2%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@@ -17,6 +17,8 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ###
+Patch0001: 0001-krb5-Remove-ability-to-create-public-directories.patch
+Patch0002: 0002-krb5-Fix-unit-tests.patch
### Dependencies ###
Requires: sssd-common = %{version}-%{release}
@@ -704,6 +706,9 @@ fi
%postun -n libsss_idmap -p /sbin/ldconfig
%changelog
+* Fri Oct 04 2013 Jakub Hrozek <jhrozek at redhat.com> - 1.11.1-1
+- Remove the ability to create public ccachedir (#1015089)
+
* Fri Sep 27 2013 Jakub Hrozek <jhrozek at redhat.com> - 1.11.1-1
- New upstream release 1.11.1
- https://fedorahosted.org/sssd/wiki/Releases/Notes-1.11.1
More information about the scm-commits
mailing list