CLIENT: Fix warning Wstringop-overflow It could not cause any problem because all strings were compile time constants (defines). But it's better to check that we have enough data for storing NUL terminated string in nssaddr.sun_path src/sss_client/common.c: In function ‘sss_cli_check_socket’: src/sss_client/common.c:544:5: warning: ‘strncpy’ specified bound depends on the length of the source argument [-Wstringop-overflow=] strncpy(nssaddr.sun_path, socket_name, ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ strlen(socket_name) + 1); ~~~~~~~~~~~~~~~~~~~~~~~~ src/sss_client/common.c:545:13: note: length computed here strlen(socket_name) + 1); ^~~~~~~~~~~~~~~~~~~ Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

Fix minor spelling mistakes in sss_client/* Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

nss-idmap: add nss like calls with timeout and flags This patch adds new calls to libsss_nss_idmap to get NSS like user and group information directly from SSSD without using the system's NSS interfaces. Additionally a timeout and a flags options are added which are not available for system's NSS. Related to https://pagure.io/SSSD/sssd/issue/2478 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

sss_client: refactor internal timeout handling This patch adds a timeout option to the internal client calls so that the timeout is not hard-coded anymore in the low level poll() calls but can be set by the caller with sss_nss_make_request_timeout(). Since the old timeout value is not changed by this patch there is no functional change expected. Related to https://pagure.io/SSSD/sssd/issue/2478 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

sssd_client: add mutex protected call to the PAC responder SSSD's plugin for MIT Kerberos to send the PAC to the PAC responder currently uses sss_pac_make_request() which does not protect the communication with the PAC responder with a mutex as e.g. the NSS and PAM clients. If an application using threads loads this plugin via libkrb5 in different threads and is heavily processing Kerberos tickets with PACs chances are that two threads try to communicate with SSSD at once. In this case one of the threads will miss a reply and will wait for it until the default client timeout of 300s is passed. This patch adds a call which uses a mutex to protect the communication which will avoid the 300s delay mentioned above. Resolves: https://pagure.io/SSSD/sssd/issue/3518 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>

sss_client: Defer thread cancellation until completion of nss/pam operations The client code is not cancellation-safe, an application which has cancelled an NSS operation will experience subtle bugs, hence thread cancellation is deferred until completion of client operations. Resolves: https://fedorahosted.org/sssd/ticket/3156 Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Florian Weimer <fweimer@redhat.com>

CLIENT: Retry request after EPIPE We have a function sss_cli_check_socket which checks socket in client code. The socket is reopened in case of some issues e.g. responder terminated connections ... We use syscall poll for checking status of socket. It's not 100% reliable method because there is still chance that responder will terminate socket after this check. Here is a schema of sss_*_make_request functions: sss_cli_check_socket sss_cli_make_request_nochecks { sss_cli_send_req { poll send } sss_cli_recv_rep { poll read } } The syscall pool does not return EPIPE directly but we convert special revents from poll to EPIPE. As it was mentioned earlier, checking of socket in the sss_cli_check_socket is not 100% reliable. It can happen very rarely due to TOCTOU issue (Time of check to time of use) We can return EPIPE from the sss_cli_make_request_nochecks function in case of failure in poll in sss_cli_send_req. The send function in sss_cli_send_req can also return EPIPE is responder close socket in the same time. The send function can succeed in sss_cli_send_req but it does not mean that responder read the message. It can happen that timer for closing socket can be handled before reading a message. Therefore there is a still a chance that we might return EPIPE in case of failure in poll in sss_cli_recv_rep. Therefore we need to reconnect to responder(sss_cli_check_socket) in case of EPIPE returned from sss_cli_make_request_nochecks and try to do the same request one more time. Resolves: https://fedorahosted.org/sssd/ticket/2626 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

CLIENT: Reduce code duplication Patch for #2626 will be simpler with this small refactoring Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Fix minor typos Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

sss_client: Use unique lock for memory cache Previously the sma lock was used as for communication with responder. However it would cause a deadlock in case of re-checking memcache after acquiring the lock and before communication with responder.. Required by: https://fedorahosted.org/sssd/ticket/2581 Reviewed-by: Michal Židek <mzidek@redhat.com>

CLIENT: Clear errno with enabled sss-default-nss-plugin Although errno was cleared in function sss_nss_make_request some sss glic functions set errno with value of output argument errnop. Reproducer: * sssd compiled with enabled option sss-default-nss-plugin * sss is the last value in group (/etc/nsswitch.conf) * sssd-client is installed but sssd is stopped. C-program: #include <stdio.h> #include <stdlib.h> #include <errno.h> #include <grp.h> int main(int argc, char *argv[]) { struct group *p_group; setgrent(); while (1) { errno = 0; /* initialize for getgrent() */ p_group = getgrent(); if (p_group == NULL) { if (errno == 0) { break; /* end of groups */ } else { perror("getgrent"); printf("getgrent error %d \n", errno); endgrent(); exit(-2); } } printf("getgrent() OK group(%d) = %s \n", p_group->gr_gid, p_group->gr_name); } exit(0); } Resolves: https://fedorahosted.org/sssd/ticket/2619 Reviewed-by: Pavel Reichl <preichl@redhat.com>

Open the PAC socket from krb5_child before dropping root The PAC responder by default allows only connections from the root user. This patch opens the socket to the PAC responder before the krb5_child drops privileges so the connection seemingly comes from root. https://fedorahosted.org/sssd/ticket/2559 Reviewed-by: Sumit Bose <sbose@redhat.com>

sss_client: Work around glibc bug glibc is inconsistent with how it treats and returns NSS_STATUS_UNAVAIL. The sss nss plugin is present in nsswitch by default on some platforms due to glibc caching and problem with long living applications (e.g. GNOME). But sssd needn't be configuread and it cause problems in some programs. In this situation, the SSSD nss plugin should behave as if it was functioning but had no data even thought sssd is not running. The errors have to be passed from nss plugin up to the user with minimal moidiffication. Thanks to Stephen Gallagher for initial patch. Resolves: https://fedorahosted.org/sssd/ticket/2439 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Use pattern #elif defined(identifier) We had in source code following pattern #elif HAVE_<name> It worked because undefined identifier(in some cases) was evaluated to 0. But we do not care about value of HAVE_SOMETHING. We just need to know whether identifier was defined. There is not equivalent to #ifdef (short for of #if definded) We need to use long form: #elif defined HAVE_<name> It causes also compiler warning with enabled compiler flag -Wundef. Reviewed-by: Pavel Reichl <preichl@redhat.com>

sss_client: Use SAFEALIGN_COPY_<type> macros where appropriate. resolves: https://fedorahosted.org/sssd/ticket/1359

CLIENT: Fix non gnu sss_strnlen implementation last argument of function sss_strnlen "size_t *len" is output variable. We need to increment value of size_t being pointed to by pointer instead of incrementing pointer.

Fix errors reported by rpmlint

PAM: fix handling the client fd in pam destructor * Protect the fd with a mutex when closing * Set it to a safe value after closing

PAM: close socket fd with pam_set_data https://fedorahosted.org/sssd/ticket/1569

do not fail if POLLHUP occurs while reading data This cause troubles when we send data to a pipe and close the file descriptor before data is read. The pipe is still readable, but POLLHUP is detected and we fail to read them. For example, this may cause a user beeing unable to log in. Now if POLLHUP appears, we read the pipe and then close it on the client side too.

Use PTHREAD_MUTEX_ROBUST to avoid deadlock in the client https://fedorahosted.org/sssd/ticket/1460

Fix uninitialized values https://fedorahosted.org/sssd/ticket/1379

PAC client: add basic support in common client code

Do not send SIGPIPE on disconnection Note we set MSG_NOSIGNAL to avoid having to fiddle with signal masks but also do not want to die in case SIGPIPE gets raised and the application does not handle it.

Set return errno to the value prior to calling close().

SSH: Common client code

AUTOFS: a client library This is the library the autofs client is using. automounter dlopen()s the library so there is no header file, no pkgconfig file and the library is in the libsss_autofs package, not in -devel. The library provides the following interface: * _sss_setautomntent() - select the map for processing * _sss_getautomntent_r() - iterates through key/value pairs in the selected map. The key is usually the mount point, the value is mount information (server:/export) * _sss_getautomntbyname_r() - returns value for a specific key. * _sss_endautomntent() deselect a map, clean up

NSS: Add sss_readrep_copy_string There were many places in the client code where we were duplicating a loop to copy data in from the response buffer. This patch turns those loops into a function for easier maintenance and easier-to-read *readrep() routines.

SUDO integration - client common interface

Fixed implicit declaration of function 'time' in src/sss_client/common.c.

sss_client: avoid leaking file descriptors If a pam or nss module is dlcolse()d and unloaded we were leaking the file descriptor used to communicate to sssd in the process. Make sure the fucntion used to close the socket file descriptor is called on dlclose() Silence autoconf 2.28 warnings (Patch by Jakub Hrozek)

Set _GNU_SOURCE globally

clients: use poll instead of select select is limited to fd numbers up to 1024, we need to use poll() here to avoid causing memory corruption in the calling process. Fixes: https://fedorahosted.org/sssd/ticket/861

Use neutral name for functions used by both pam and nss

Check that the socket is really ours before attempting to close it. Fixes: https://fedorahosted.org/sssd/ticket/790

Fix another possible memory leak in sss_nss_recv_rep() https://fedorahosted.org/sssd/ticket/723

Fix possible memory leak in sss_nss_recv_rep() https://fedorahosted.org/sssd/ticket/723

sss_client: make code thread-safe Add mutexes around nss operations and serialize them. This is necessary because nss operations may have global state. For pam it is sufficient to protect socket operations instead. As pam functions use only the provided pam handler. Fixes: https://fedorahosted.org/sssd/ticket/640

Fix incorrect type comparison https://fedorahosted.org/sssd/ticket/657

Add utility function sss_strnlen() This is useful for guaranteeing the size of an input buffer.

Allow sssd clients to reconnect Currently the PAM and NSS client just return an error if there are problems on an open socket. This will lead to problems in long running programs like gdm if sssd is restarted, e.g. during an update. With this patch the socket is closed and reopened.

Properly handle read() and write() throughout the SSSD We need to guarantee at all times that reads and writes complete successfully. This means that they must be checked for returning EINTR and EAGAIN, and all writes must be wrapped in a loop to ensure that they do not truncate their output.

Use SO_PEERCRED on the PAM socket This is the second attempt to let the PAM client and the PAM responder exchange their credentials, i.e. uid, gid and pid. Because this approach does not require any message interchange between the client and the server the protocol version number is not changed. On the client side the connection is terminated it the responder is not run by root. On the server side the effective uid and gid and the pid of the client are available for future use. The following additional changes are made by this patch: - the checks of the ownership and the permissions on the PAM sockets are enhanced - internal error codes are introduced on the client side to generate more specific log messages if an error occurs

Revert "Add better checks on PAM socket" This reverts commit 5a88e963744e5da453e88b5c36499f04712df097.

Fixed buffer alignment in exchange_credentials(). buf needs to be 32 bit aligned on ARM. Also made the fix on the server side. Signed-off-by: George McCollister <George.McCollister@gmail.com>

Add better checks on PAM socket - check if the public socket belongs to root and has 0666 permissions - use a SCM_CREDENTIALS message if available

Rename server/ directory to src/ Also update BUILD.txt