History log of /sssd-io/src/providers/ipa/ipa_deskprofile_rules_util.h
Revision Date Author Comments
1a011c4f20e80f2bcb4d10a4d690b3a88c2fd70d 14-Feb-2018 Fabiano Fidêncio <fidencio@redhat.com>

DESKPROFILE: Use seteuid()/setegid() to delete the profile/user's dir

Let's use seteuid()/setegid() in order to properly delete the desktop profiles related files.

Some malabarism has been introduced in order to properly delete those dirs/files as:

/var/lib/sss/deskprofile/ipa.example/admin/profile
------------------------ ----------- ----- -------
           |                  |        |      |
           v                  |        |      |
Created by sssd package,      |        |      |
not touching at all           |        |      |
                              v        |      |
                This one is owned by   |      |
                root:root and has 751  |      |
                as permissions         |      |
                                       v      |
                        This one is owned by  |
                        admin:admins and has  |
                        0700 as permissions   |
                                              v
                                This one is owned by
                                admin:admins and has
                                0600 as permissions

So, when deleting we do:
- as admin:
  - sss_remove_subtree("/var/lib/sss/deskprofile/ipa.example/admin/");
    We can't remove the "admin" dir itself as it would require different permissions in the domain's folder and that's something we don't want to change
- as root:
  - sss_remove_tree("/var/lib/sss/deskprofile/ipa.example/admin/");
    Now we just removed the "admin" dir.

The main reason behind not being able to just delete it as root is because the permissions of the file and dirs do not allow root to access them when not relying on the CAP_DAC_OVERRIDE.

This issue was exposed due to the CAP_DAC_OVERRIDE being removed from Fedora package.

Resolves: https://pagure.io/SSSD/sssd/issue/3621

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
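The two-step deletion this commit message describes, as an added C example that is not SSSD's code: remove_user_dir(), empty_dir_at() and make_sample_tree() are hypothetical names, and the sample tree is constructed in a temporary directory rather than under /var/lib/sss. It goes slightly beyond the message by walking the tree through directory file descriptors with O_NOFOLLOW, so a symlink placed in the user-owned directory is unlinked rather than followed.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Empty a directory but keep it: the role sss_remove_subtree() has in the commit. */
static int empty_dir_at(int parent, const char *name)
{
    struct dirent *e;
    int ret = 0, fd = openat(parent, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    DIR *d = fd < 0 ? NULL : fdopendir(fd);
    if (d == NULL) { if (fd >= 0) close(fd); return -1; }
    while (ret == 0 && (e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        if (unlinkat(fd, e->d_name, 0) == 0) continue;  /* file or symlink */
        ret = empty_dir_at(fd, e->d_name);              /* otherwise a subdirectory */
        if (ret == 0) ret = unlinkat(fd, e->d_name, AT_REMOVEDIR);
    }
    closedir(d);
    return ret;
}

/* Hypothetical helper: empty <domain_dir>/<user> as uid:gid, then remove it as the caller. */
int remove_user_dir(const char *domain_dir, const char *user, uid_t uid, gid_t gid)
{
    uid_t orig_uid = geteuid();
    gid_t orig_gid = getegid();
    int ret = -1, dfd = open(domain_dir, O_RDONLY | O_DIRECTORY); /* opened as the caller */
    if (dfd >= 0 && setegid(gid) == 0) {   /* group first, while still privileged */
        if (seteuid(uid) == 0) ret = empty_dir_at(dfd, user);
        if (seteuid(orig_uid) != 0 || setegid(orig_gid) != 0) abort(); /* uid back first */
    }
    if (ret == 0) ret = unlinkat(dfd, user, AT_REMOVEDIR);  /* parent is the caller's */
    if (dfd >= 0) close(dfd);
    return ret;
}

/* Constructed sample layout: <domain>/admin (0700) holding profile (0600). */
int make_sample_tree(char *domain_tmpl)
{
    int fd = -1, dfd;
    if (mkdtemp(domain_tmpl) == NULL || chmod(domain_tmpl, 0751) != 0) return -1;
    dfd = open(domain_tmpl, O_RDONLY | O_DIRECTORY);
    if (dfd >= 0 && mkdirat(dfd, "admin", 0700) == 0)
        fd = openat(dfd, "admin/profile", O_CREAT | O_WRONLY, 0600);
    if (dfd >= 0) close(dfd);
    return fd < 0 ? -1 : close(fd);
}
```

Run as root with the profile owner's uid and gid, the switch is real; run unprivileged with your own effective IDs, it still completes because setting the effective IDs to their current values is always permitted.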

f982039c75ec064894deb676ae53ee57de868590 28-Aug-2017 Fabiano Fidêncio <fidencio@redhat.com>

DESKPROFILE: Introduce the new IPA session provider

In order to provide FleetCommander[0] integration, a session provider has been introduced for IPA. The design of this feature and more technical details can be found at [1] and [2], which are the design pages of both freeIPA and SSSD parts.

As there's no way to test freeIPA integration with our upstream tests, no test has been provided yet.

It is also worth mentioning that the name "deskprofile" has been chosen instead of "fleetcmd" in order to match with the freeIPA plugin. It means that, for consistency, all source files, directories created, options added, function prefixes and so on are following the choice accordingly.

[0]: https://wiki.gnome.org/Projects/FleetCommander
[1]: https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki
[2]: https://docs.pagure.org/SSSD.sssd/design_pages/fleet_commander_integration.html

Resolves: https://pagure.io/SSSD/sssd/issue/2995

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

/sssd-io/Makefile.am
/sssd-io/contrib/sssd.spec.in
/sssd-io/src/confdb/confdb.h
/sssd-io/src/config/SSSDConfig/__init__.py.in
/sssd-io/src/config/SSSDConfig/sssd_upgrade_config.py
/sssd-io/src/config/SSSDConfigTest.py
/sssd-io/src/config/cfg_rules.ini
/sssd-io/src/config/etc/sssd.api.conf
/sssd-io/src/config/etc/sssd.api.d/sssd-ipa.conf
/sssd-io/src/man/sssd-ipa.5.xml
/sssd-io/src/man/sssd.conf.5.xml
/sssd-io/src/providers/data_provider/dp.h
/sssd-io/src/providers/data_provider/dp_target_auth.c
/sssd-io/src/providers/data_provider/dp_targets.c
ipa_common.c
ipa_common.h
ipa_deskprofile_config.c
ipa_deskprofile_config.h
ipa_deskprofile_private.h
ipa_deskprofile_rules.c
ipa_deskprofile_rules.h
ipa_deskprofile_rules_util.c
ipa_deskprofile_rules_util.h
ipa_init.c
ipa_opts.c
ipa_session.c
ipa_session.h
/sssd-io/src/responder/ifp/ifp_components.c