0633e97cfd6a696c19e19219e3de1cda7c7ee7b4 |
|
20-Feb-2018 |
Sumit Bose <sbose@redhat.com> |
DESKPROFILE: Fix 'Improper use of negative value'
This issue was found by Coverity. Similar to the code block before, ret
must be set to errno to allow proper log messages, since the initial ret
will always be -1.
Related to:
https://pagure.io/SSSD/sssd/issue/3621
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
f0cbe890adf696d8318373203580d709f3d38d8c |
|
14-Feb-2018 |
Fabiano Fidêncio <fidencio@redhat.com> |
DESKPROFILE: Set the profile permissions to read-only
Sumit suggested to have the profile permissions with the least possible
permissions and it does make sense.
So, let's change it from read-write to read-only.
Related:
https://pagure.io/SSSD/sssd/issue/362
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
1a011c4f20e80f2bcb4d10a4d690b3a88c2fd70d |
|
14-Feb-2018 |
Fabiano Fidêncio <fidencio@redhat.com> |
DESKPROFILE: Use seteuid()/setegid() to delete the profile/user's dir
Let's use seteuid()/setegid() in order to properly delete the desktop
profiles related files.
Some malabarism has been introduced in order to properly delete those
dirs/files, as:

/var/lib/sss/deskprofile/ipa.example/admin/profile
------------------------ ----------- ----- -------
           |                  |        |      |
           v                  |        |      |
Created by sssd package,      |        |      |
not touching at all           |        |      |
                              v        |      |
               This one is owned by    |      |
               root:root and has 751   |      |
               as permissions          |      |
                                       v      |
                      This one is owned by    |
                      admin:admins and has    |
                      0700 as permissions     |
                                              v
                      This one is owned by admin:admins
                      and has 0600 as permissions

So, when deleting we do:
- as admin:
  - sss_remove_subtree("/var/lib/sss/deskprofile/ipa.example/admin/");
    We can't remove the "admin" dir itself as it would require different
    permissions in the domain's folder and that's something we don't
    want to change
- as root:
  - sss_remove_tree("/var/lib/sss/deskprofile/ipa.example/admin/");
    Now we just removed the "admin" dir. The main reason behind not
    being able to just delete it as root is because the permissions of
    the files and dirs do not allow root to access them when not relying
    on CAP_DAC_OVERRIDE
This issue was exposed due to the CAP_DAC_OVERRIDE being removed from
Fedora package.
Resolves:
https://pagure.io/SSSD/sssd/issue/3621
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
07ae0da06c0d94a3198e484d0de28c9282c4d6cd |
|
14-Feb-2018 |
Fabiano Fidêncio <fidencio@redhat.com> |
DESKPROFILE: Use seteuid()/setegid() to create the profile
In order to create the file with its owner set properly, let's use
seteuid()/setegid() when creating the profile, as due to the
drop of the CAP_DAC_OVERRIDE "root" doesn't have access to the folder
where the profile will be created anymore.
By adopting the seteuid()/setegid() solution, calling fchown() in the
profile doesn't make sense, thus it was also removed.
This issue was exposed due to CAP_DAC_OVERRIDE being removed from Fedora
package.
Resolves:
https://pagure.io/SSSD/sssd/issue/3621
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
2c5b03913c54234efdabcff83de368bae72dc799 |
|
14-Feb-2018 |
Fabiano Fidêncio <fidencio@redhat.com> |
DESKPROFILE: Fix the permissions and soften the umask for user's dir
The user dir has been created as 0600 and owned by the user. It doesn't
work anymore as CAP_DAC_OVERRIDE has been dropped from our systemd
service upstream.
In order to have it working again, let's change it to 0700 (as the
executable bit is needed for creating a file inside a folder) and soften
the default umask from (0177) to (0077) to be able to create this dir.
This issue was exposed due to CAP_DAC_OVERRIDE being removed from Fedora
package.
Resolves:
https://pagure.io/SSSD/sssd/issue/3621
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
b576b290d3d7e165269edf36d6be27bc1441a688 |
|
14-Feb-2018 |
Fabiano Fidêncio <fidencio@redhat.com> |
DESKPROFILE: Soften umask for the domain's dir
The default umask (0177) is way too strict, not allowing us to create
the domain's dir, which has to have its mode set as 751.
In order to solve this, let's soften the umask to 0026.
This issue was exposed due to CAP_DAC_OVERRIDE being removed from Fedora
package.
Resolves:
https://pagure.io/SSSD/sssd/issue/3621
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
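The umask arithmetic behind the two "soften umask" commits above (user's dir and domain's dir), as an added C example that is not SSSD code: it creates a directory under each umask named in the messages and reports the mode the kernel actually applied. The function names and the scratch path under /tmp are assumptions made for this illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a directory with `requested` mode while `mask` is the process
 * umask and return the permission bits that were actually applied
 * (requested & ~mask). Returns (mode_t)-1 on error. */
mode_t dir_mode_under_umask(mode_t mask, mode_t requested)
{
    char base[] = "/tmp/umask-demo-XXXXXX";   /* constructed scratch path */
    char path[64];
    struct stat st;
    mode_t old, result = (mode_t)-1;

    if (mkdtemp(base) == NULL)
        return result;
    snprintf(path, sizeof(path), "%s/dir", base);

    old = umask(mask);
    if (mkdir(path, requested) == 0) {
        if (stat(path, &st) == 0)
            result = st.st_mode & 0777;
        rmdir(path);
    }
    umask(old);                 /* always restore the previous mask */
    rmdir(base);
    return result;
}

/* Without CAP_DAC_OVERRIDE the owner needs both write and search (x)
 * permission on a directory to create an entry inside it. */
int owner_can_create_entries(mode_t mode)
{
    return (mode & (S_IWUSR | S_IXUSR)) == (S_IWUSR | S_IXUSR);
}

int main(void)
{
    printf("domain dir 0751: umask 0177 -> %04o, umask 0026 -> %04o\n",
           (unsigned)dir_mode_under_umask(0177, 0751),
           (unsigned)dir_mode_under_umask(0026, 0751));
    printf("user dir 0700:   umask 0177 -> %04o, umask 0077 -> %04o\n",
           (unsigned)dir_mode_under_umask(0177, 0700),
           (unsigned)dir_mode_under_umask(0077, 0700));
    return 0;
}
```

Under the strict 0177 mask both directories come out as 0600, which lacks the search bit; a process holding CAP_DAC_OVERRIDE never notices, which is why the problem only surfaced once the capability was dropped.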
b72e444bc1cd2fe8d9617f09b446c678d4684fff |
|
05-Feb-2018 |
Fabiano Fidêncio <fidencio@redhat.com> |
DESKPROFILE: Add checks for user and host category
freeipa-deskprofile-plugin can have both user and host category set as
"all" and when it happens, no users and groups or hosts or hostgroups
are going to be set.
Let's treat this expected (but so far missed) situation on SSSD side.
Resolves:
https://pagure.io/SSSD/sssd/issue/3449
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
0475a98d313b8380e7fbf98ee0821a65f8140589 |
|
01-Sep-2017 |
Sumit Bose <sbose@redhat.com> |
IPA: format fixes
There are format warnings when compiling on 32bit. One is about time_t
where %ld should be used and the other is about size_t where %zu should
be used.
Related to https://pagure.io/SSSD/sssd/issue/2995
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
f982039c75ec064894deb676ae53ee57de868590 |
|
28-Aug-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
DESKPROFILE: Introduce the new IPA session provider
In order to provide FleetCommander[0] integration, a session provider
has been introduced for IPA. The design of this feature and more
technical details can be found at [1] and [2], which are the design
pages of both freeIPA and SSSD parts.
As there's no way to test freeIPA integration with our upstream tests,
no test has been provided yet.
It is also worth mentioning that the name "deskprofile" has been chosen
instead of "fleetcmd" in order to match the freeIPA plugin. It
means that, for consistency, all source files, directories created,
options added, function prefixes and so on follow that choice
accordingly.
[0]: https://wiki.gnome.org/Projects/FleetCommander
[1]: https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki
[2]: https://docs.pagure.org/SSSD.sssd/design_pages/fleet_commander_integration.html
Resolves:
https://pagure.io/SSSD/sssd/issue/2995
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |