1a011c4f20e80f2bcb4d10a4d690b3a88c2fd70d |
|
14-Feb-2018 |
Fabiano Fidêncio <fidencio@redhat.com> |
DESKPROFILE: Use seteuid()/setegid() to delete the profile/user's dir
Let's use seteuid()/setegid() in order to properly delete the desktop
profile related files.
Some malabarism has been introduced in order to properly delete those
dirs/files, as follows:
/var/lib/sss/deskprofile/ipa.example/admin/profile
- /var/lib/sss/deskprofile: created by the sssd package, not touching at all
- ipa.example: this one is owned by root:root and has 751 as permissions
- admin: this one is owned by admin:admins and has 0700 as permissions
- profile: this one is owned by admin:admins and has 0600 as permissions
So, when deleting we do:
- as admin:
- sss_remove_subtree("/var/lib/sss/deskprofile/ipa.example/admin/");
We can't remove the "admin" dir itself as it would require different
permissions in the domain's folder and that's something we don't
want to change
- as root:
- sss_remove_tree("/var/lib/sss/deskprofile/ipa.example/admin/");
Now we just removed the "admin" dir. The main reason behind not
being able to just delete it as root is that the permissions of
the files and dirs do not allow root to access them when not relying
on CAP_DAC_OVERRIDE.
This issue was exposed due to CAP_DAC_OVERRIDE being removed from the
Fedora package.
Resolves:
https://pagure.io/SSSD/sssd/issue/3621
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com> |
0475a98d313b8380e7fbf98ee0821a65f8140589 |
|
01-Sep-2017 |
Sumit Bose <sbose@redhat.com> |
IPA: format fixes
There are format warnings when compiling on 32-bit. One is about time_t,
where %ld should be used, and the other is about size_t, where %zu should
be used.
Related to https://pagure.io/SSSD/sssd/issue/2995
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
4a311702045b065a97a0c0fc0ccc7a1fc84b38cf |
|
28-Aug-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
DESKPROFILE: Add ipa_deskprofile_request_interval
This option has been added to avoid contacting the Data Provider when no
rules were found in the previous request.
By adding this configurable option we avoid contacting the Data Provider
too often in the case described above and also when the server doesn't
support Desktop Profile's integration.
Resolves: https://pagure.io/SSSD/sssd/issue/3482
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
f982039c75ec064894deb676ae53ee57de868590 |
|
28-Aug-2017 |
Fabiano Fidêncio <fidencio@redhat.com> |
DESKPROFILE: Introduce the new IPA session provider
In order to provide FleetCommander[0] integration, a session provider
has been introduced for IPA. The design of this feature and more
technical details can be found at [1] and [2], which are the design
pages of both freeIPA and SSSD parts.
As there's no way to test freeIPA integration with our upstream tests,
no test has been provided yet.
It is also worth mentioning that the name "deskprofile" has been chosen
instead of "fleetcmd" in order to match the freeIPA plugin. It
means that, for consistency, all source files, directories created,
options added, function prefixes and so on follow that choice
accordingly.
[0]: https://wiki.gnome.org/Projects/FleetCommander
[1]: https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki
[2]: https://docs.pagure.org/SSSD.sssd/design_pages/fleet_commander_integration.html
Resolves:
https://pagure.io/SSSD/sssd/issue/2995
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
1187b00ab819eac8de47b139526aa763f464d91d |
|
25-Jul-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Provide counter of possible matches in SELinux IPA provider
The counter is important so the for cycle doesn't depend on the first
NULL pointer. That would cause potential errors if more records
follow this first NULL pointer. |
33ecf38bc7afcbeed877df2de888115c9232391c |
|
25-Jul-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Fix linking of HBAC rules and SELinux user maps
Manually translate memberHost and memberUser to originalMemberUser and
originalMemberHost. Without this, the HBAC rule won't be matched against
the current user and/or host, meaning that no SELinux user map connected to
it will be matched against any user on the system. |
28aa01a364218d007161f72d5c0d193e895b2c67 |
|
25-Jul-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Remove ipa_selinux_map_merge()
This function is no longer necessary since the sysdb interface for copying
elements has been implemented. |
029eb3365d0f1719b8174dd6b76adc5646dd7ade |
|
23-Jul-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Added some DEBUG statements into SELinux related code |
8bbf89c5ab798c112773fe23515c3a9df56dde71 |
|
18-Jul-2012 |
Nick Guay <nguay@redhat.com> |
Fix uninitialized values
https://fedorahosted.org/sssd/ticket/1379 |
cd52ba11971c5bbfd2fdfc114b0f1c66caa512bf |
|
18-Jul-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Return and save all SELinux rules in the provider
https://fedorahosted.org/sssd/ticket/1421 |
e432010244acda9c3eafccaee4f1d5965a899f81 |
|
18-Jul-2012 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Download defaults even if there are no SELinux mappings
We should always download the defaults because even if there are no
rules, we might want to use (or update) the defaults. |
1a3e6221b38a7cae27d7e84a30bb8ea3c3900a47 |
|
18-Jul-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Modify priority evaluation in SELinux user maps
The functionality is now as follows:
When a rule is being matched, its priority is determined as a combination
of user and host specificity (host taking preference).
After the rule is matched in the provider, only its host priority is stored
in sysdb for later usage.
When rules are matched in the responder, their user priority is
determined. After that their host priority is retrieved directly from
sysdb and the sum of both priorities is used to determine whether to use
that rule or not. If more rules have the same priority, the order given
in the IPA config is used.
https://fedorahosted.org/sssd/ticket/1360
https://fedorahosted.org/sssd/ticket/1395 |
d4080fe3e5e25562d2dee8b4ae72064d9d72c0bc |
|
22-May-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Fixed issue in SELinux user maps
There was an issue where the IPA provider didn't set PAM_SUCCESS when it
successfully finished loading SELinux user maps. This led to the map
not being read in the responder. |
fdab7bbf8933351f6254438c30ff361cd748b15a |
|
24-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
IPA hosts refactoring |
1a7d1977037864e52858058777af8ff8401547dd |
|
07-Feb-2012 |
Jan Cholasta <jcholast@redhat.com> |
IPA: Add host info handler |
1a853121ca2ba8ede6df429ee76942131ffb0f65 |
|
06-Feb-2012 |
Jan Zeleny <jzeleny@redhat.com> |
Session target in IPA provider |