sssd: upgrade 2.9.2 -> 2.10.2

ChangeLog: https://github.com/SSSD/sssd/releases/tag/2.10.2 * Drop backport patches. * Update sssd.conf and volatile files. * Drop PACKAGECONFIG[infopipe] as it has been removed upstream. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Yi Zhao <yi.zhao@eng.windriver.com> 2025-03-27 21:23:26 +0800
committer: Armin Kuster <akuster808@gmail.com> 2025-04-13 14:07:57 -0400
commit: 0d6aa528cf91701cfc368dc3013d9bba84d2d831 (patch)
tree: a6e9887dd33fabd582481bf2cfa1ea95939fe52a /dynamic-layers/networking-layer/recipes-security/sssd/files
parent: b7b2d12c4f0e037894f2c8a46d3a254b5dc1b032 (diff)
download: meta-security-0d6aa528cf91701cfc368dc3013d9bba84d2d831.tar.gz
4 files changed, 2 insertions, 539 deletions
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch
deleted file mode 100644
index 6880405..0000000
--- a/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch
+++ /dev/null
@@ -1,318 +0,0 @@
-Backport patch to fix interpreter of sss_analyze.
-Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/ed3726c]
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-From ed3726c37fe07aab788404bfa2f9003db15f4210 Mon Sep 17 00:00:00 2001
-From: roy214 <abroy@redhat.com>
-Date: Tue, 25 Apr 2023 20:01:24 +0530
-Subject: [PATCH] sssctl: add error analyzer
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Also removing unused variable and import.
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Tomáš Halman <thalman@redhat.com>
---
- src/tools/analyzer/Makefile.am        |  2 +
- src/tools/analyzer/modules/error.py   | 61 +++++++++++++++++++++++++++
- src/tools/analyzer/modules/request.py | 54 +++++-------------------
- src/tools/analyzer/sss_analyze        |  2 +-
- src/tools/analyzer/sss_analyze.py     |  3 ++
- src/tools/analyzer/util.py            | 44 +++++++++++++++++++
- 6 files changed, 121 insertions(+), 45 deletions(-)
- create mode 100644 src/tools/analyzer/modules/error.py
- create mode 100644 src/tools/analyzer/util.py
-diff --git a/src/tools/analyzer/Makefile.am b/src/tools/analyzer/Makefile.am
-index b40043d043..7692af8528 100644
--- a/src/tools/analyzer/Makefile.am
-+++ b/src/tools/analyzer/Makefile.am
-@@ -13,10 +13,12 @@ dist_pkgpython_DATA = \
-     source_reader.py \
-     parser.py \
-     sss_analyze.py \
-+    util.py \
-     $(NULL)
- 
- modulesdir = $(pkgpythondir)/modules
- dist_modules_DATA = \
-     modules/__init__.py \
-     modules/request.py \
-+    modules/error.py \
-     $(NULL)
-diff --git a/src/tools/analyzer/modules/error.py b/src/tools/analyzer/modules/error.py
-new file mode 100644
-index 0000000000..71173670c5
--- /dev/null
-+++ b/src/tools/analyzer/modules/error.py
-@@ -0,0 +1,61 @@
-+from sssd import util
-+from sssd.parser import SubparsersAction
-+from sssd import sss_analyze
-+
-+class ErrorAnalyzer:
-+    """
-+    An error analyzer module, list if there is any error reported by sssd_be
-+    """
-+    module_parser = None
-+    print_opts = []
-+
-+    def print_module_help(self, args):
-+        """
-+        Print the module parser help output
-+
-+        Args:
-+            args (Namespace): argparse parsed arguments
-+        """
-+        self.module_parser.print_help()
-+
-+    def setup_args(self, parser_grp, cli):
-+        """
-+        Setup module parser, subcommands, and options
-+
-+        Args:
-+            parser_grp (argparse.Action): Parser group to nest
-+               module and subcommands under
-+        """
-+        desc = "Analyze error check module"
-+        self.module_parser = parser_grp.add_parser('error',
-+                                                   description=desc,
-+                                                   help='Error checker')
-+
-+        subparser = self.module_parser.add_subparsers(title=None,
-+                                                      dest='subparser',
-+                                                      action=SubparsersAction,
-+                                                      metavar='COMMANDS')
-+
-+        subcmd_grp = subparser.add_parser_group('Operation Modes')
-+        cli.add_subcommand(subcmd_grp, 'list', 'Print error messages found in backend',
-+                           self.print_error, self.print_opts)
-+
-+        self.module_parser.set_defaults(func=self.print_module_help)
-+
-+        return self.module_parser
-+
-+    def print_error(self, args):
-+        err = 0
-+        utl = util.Utils()
-+        source = utl.load(args)
-+        component = source.Component.BE
-+        source.set_component(component, False)
-+        patterns = ['sdap_async_sys_connect request failed', 'terminated by own WATCHDOG',
-+            'ldap_sasl_interactive_bind_s failed', 'Communication with KDC timed out', 'SSSD is offline', 'Backend is offline',
-+            'tsig verify failure', 'ldap_install_tls failed', 's2n exop request failed']
-+        for line in utl.matched_line(source, patterns):
-+            err +=1
-+            print(line)
-+        if err > 0:
-+            print("For possible solutions please refer to https://sssd.io/troubleshooting/errors.html")
-+        return
-diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
-index d661dddb84..e4d5f060c7 100644
--- a/src/tools/analyzer/modules/request.py
-+++ b/src/tools/analyzer/modules/request.py
-@@ -1,6 +1,6 @@
- import re
- import logging
-
-+from sssd import util
- from sssd.parser import SubparsersAction
- from sssd.parser import Option
- 
-@@ -38,7 +38,6 @@ def print_module_help(self, args):
-     def setup_args(self, parser_grp, cli):
-         """
-         Setup module parser, subcommands, and options
-
-         Args:
-             parser_grp (argparse.Action): Parser group to nest
-                module and subcommands under
-@@ -63,42 +62,6 @@ def setup_args(self, parser_grp, cli):
- 
-         return self.module_parser
- 
-    def load(self, args):
-        """
-        Load the appropriate source reader.
-
-        Args:
-            args (Namespace): argparse parsed arguments
-
-        Returns:
-            Instantiated source object
-        """
-        if args.source == "journald":
-            from sssd.source_journald import Journald
-            source = Journald()
-        else:
-            from sssd.source_files import Files
-            source = Files(args.logdir)
-        return source
-
-    def matched_line(self, source, patterns):
-        """
-        Yield lines which match any number of patterns (OR) in
-        provided patterns list.
-
-        Args:
-            source (Reader): source Reader object
-        Yields:
-            lines matching the provided pattern(s)
-        """
-        for line in source:
-            for pattern in patterns:
-                re_obj = re.compile(pattern)
-                if re_obj.search(line):
-                    if line.startswith('   *  '):
-                        continue
-                    yield line
-
-     def get_linked_ids(self, source, pattern, regex):
-         """
-         Retrieve list of associated REQ_TRACE ids. Filter
-@@ -114,8 +77,9 @@ def get_linked_ids(self, source, pattern, regex):
-         Returns:
-             List of linked ids discovered
-         """
-+        utl = util.Utils()
-         linked_ids = []
-        for match in self.matched_line(source, pattern):
-+        for match in utl.matched_line(source, pattern):
-             id_re = re.compile(regex)
-             match = id_re.search(match)
-             if match:
-@@ -250,7 +214,8 @@ def list_requests(self, args):
-         Args:
-             args (Namespace):  populated argparse namespace
-         """
-        source = self.load(args)
-+        utl = util.Utils()
-+        source = utl.load(args)
-         component = source.Component.NSS
-         resp = "nss"
-         # Log messages matching the following regex patterns contain
-@@ -266,7 +231,7 @@ def list_requests(self, args):
-         if args.verbose:
-             self.print_formatted_verbose(source)
-         else:
-            for line in self.matched_line(source, patterns):
-+            for line in utl.matched_line(source, patterns):
-                 if type(source).__name__ == 'Journald':
-                     print(line)
-                 else:
-@@ -279,7 +244,8 @@ def track_request(self, args):
-         Args:
-             args (Namespace):  populated argparse namespace
-         """
-        source = self.load(args)
-+        utl = util.Utils()
-+        source = utl.load(args)
-         cid = args.cid
-         resp_results = False
-         be_results = False
-@@ -294,7 +260,7 @@ def track_request(self, args):
-         logger.info(f"******** Checking {resp} responder for Client ID"
-                     f" {cid} *******")
-         source.set_component(component, args.child)
-        for match in self.matched_line(source, pattern):
-+        for match in utl.matched_line(source, pattern):
-             resp_results = self.consume_line(match, source, args.merge)
- 
-         logger.info(f"********* Checking Backend for Client ID {cid} ********")
-@@ -307,7 +273,7 @@ def track_request(self, args):
-         pattern.clear()
-         [pattern.append(f'\\{id}') for id in be_ids]
- 
-        for match in self.matched_line(source, pattern):
-+        for match in utl.matched_line(source, pattern):
-             be_results = self.consume_line(match, source, args.merge)
- 
-         if args.merge:
-diff --git a/src/tools/analyzer/sss_analyze b/src/tools/analyzer/sss_analyze
-index 3f1beaf38b..6d4b5b30c6 100755
--- a/src/tools/analyzer/sss_analyze
-+++ b/src/tools/analyzer/sss_analyze
-@@ -1,4 +1,4 @@
-#!/usr/bin/env python
-+#!/usr/bin/env python3
- 
- from sssd import sss_analyze
- 
-diff --git a/src/tools/analyzer/sss_analyze.py b/src/tools/analyzer/sss_analyze.py
-index 18b998f380..dafc84fc03 100644
--- a/src/tools/analyzer/sss_analyze.py
-+++ b/src/tools/analyzer/sss_analyze.py
-@@ -1,6 +1,7 @@
- import argparse
- 
- from sssd.modules import request
-+from sssd.modules import error
- from sssd.parser import SubparsersAction
- 
- 
-@@ -55,9 +56,11 @@ def load_modules(self, parser, parser_grp):
-         """
-         # Currently only the 'request' module exists
-         req = request.RequestAnalyzer()
-+        err = error.ErrorAnalyzer()
-         cli = Analyzer()
- 
-         req.setup_args(parser_grp, cli)
-+        err.setup_args(parser_grp, cli)
- 
-     def setup_args(self):
-         """
-diff --git a/src/tools/analyzer/util.py b/src/tools/analyzer/util.py
-new file mode 100644
-index 0000000000..2a8d153a71
--- /dev/null
-+++ b/src/tools/analyzer/util.py
-@@ -0,0 +1,44 @@
-+import re
-+import logging
-+
-+from sssd.source_files import Files
-+from sssd.source_journald import Journald
-+
-+logger = logging.getLogger()
-+
-+
-+class Utils:
-+
-+    def load(self, args):
-+        """
-+        Load the appropriate source reader.
-+
-+        Args:
-+            args (Namespace): argparse parsed arguments
-+
-+        Returns:
-+            Instantiated source object
-+        """
-+        if args.source == "journald":
-+            source = Journald()
-+        else:
-+            source = Files(args.logdir)
-+        return source
-+
-+    def matched_line(self, source, patterns):
-+        """
-+        Yield lines which match any number of patterns (OR) in
-+        provided patterns list.
-+
-+        Args:
-+            source (Reader): source Reader object
-+        Yields:
-+            lines matching the provided pattern(s)
-+        """
-+        for line in source:
-+            for pattern in patterns:
-+                re_obj = re.compile(pattern)
-+                if re_obj.search(line):
-+                    if line.startswith('   *  '):
-+                        continue
-+                    yield line
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch
deleted file mode 100644
index 1e9fca5..0000000
--- a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch
+++ /dev/null
@@ -1,219 +0,0 @@
-From f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Wed, 8 Nov 2023 14:50:24 +0100
-Subject: [PATCH] ad-gpo: use hash to store intermediate results
-Currently after the evaluation of a single GPO file the intermediate
-results are stored in the cache and this cache entry is updated until
-all applicable GPO files are evaluated. Finally the data in the cache is
-used to make the decision of access is granted or rejected.
-If there are two or more access-control request running in parallel one
-request might overwrite the cache object with intermediate data while
-another request reads the cached data for the access decision and as a
-result will do this decision based on intermediate data.
-To avoid this the intermediate results are not stored in the cache
-anymore but in hash tables which are specific to the request. Only the
-final result is written to the cache to have it available for offline
-authentication.
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-Reviewed-by: Tomáš Halman <thalman@redhat.com>
-(cherry picked from commit d7db7971682da2dbf7642ac94940d6b0577ec35a)
-Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726]
-CVE: CVE-2023-3758
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
- src/providers/ad/ad_gpo.c | 116 +++++++++++++++++++++++++++++++++-----
- 1 file changed, 102 insertions(+), 14 deletions(-)
-diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
-index 44e9cbb..cec0cb4 100644
--- a/src/providers/ad/ad_gpo.c
-+++ b/src/providers/ad/ad_gpo.c
-@@ -1317,6 +1317,33 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
-     return ret;
- }
-+static errno_t
-+add_result_to_hash(hash_table_t *hash, const char *key, char *value)
-+{
-+    int hret;
-+    hash_key_t k;
-+    hash_value_t v;
-+
-+    if (hash == NULL || key == NULL || value == NULL) {
-+        return EINVAL;
-+    }
-+
-+    k.type = HASH_KEY_CONST_STRING;
-+    k.c_str = key;
-+
-+    v.type = HASH_VALUE_PTR;
-+    v.ptr = value;
-+
-+    hret = hash_enter(hash, &k, &v);
-+    if (hret != HASH_SUCCESS) {
-+        DEBUG(SSSDBG_OP_FAILURE, "Failed to add [%s][%s] to hash: [%s].\n",
-+                                 key, value, hash_error_string(hret));
-+        return EIO;
-+    }
-+
-+    return EOK;
-+}
-+
- /*
-  * This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename,
-  * and stores the allow_key and deny_key of all of the gpo_map_types present
-@@ -1324,6 +1351,7 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
-  */
- static errno_t
- ad_gpo_store_policy_settings(struct sss_domain_info *domain,
-+                             hash_table_t *allow_maps, hash_table_t *deny_maps,
-                              const char *filename)
- {
-     struct ini_cfgfile *file_ctx = NULL;
-@@ -1457,14 +1485,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
-                 goto done;
-             } else if (ret != ENOENT) {
-                 const char *value = allow_value ? allow_value : empty_val;
-                ret = sysdb_gpo_store_gpo_result_setting(domain,
-                                                         allow_key,
-                                                         value);
-+                ret = add_result_to_hash(allow_maps, allow_key,
-+                                         talloc_strdup(allow_maps, value));
-                 if (ret != EOK) {
-                    DEBUG(SSSDBG_CRIT_FAILURE,
-                          "sysdb_gpo_store_gpo_result_setting failed for key:"
-                          "'%s' value:'%s' [%d][%s]\n", allow_key, allow_value,
-                          ret, sss_strerror(ret));
-+                    DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
-+                                               "value: [%s] to allow maps "
-+                                               "[%d][%s].\n",
-+                                               allow_key, value, ret,
-+                                               sss_strerror(ret));
-                     goto done;
-                 }
-             }
-@@ -1484,14 +1512,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
-                 goto done;
-             } else if (ret != ENOENT) {
-                 const char *value = deny_value ? deny_value : empty_val;
-                ret = sysdb_gpo_store_gpo_result_setting(domain,
-                                                         deny_key,
-                                                         value);
-+                ret = add_result_to_hash(deny_maps, deny_key,
-+                                         talloc_strdup(deny_maps, value));
-                 if (ret != EOK) {
-                    DEBUG(SSSDBG_CRIT_FAILURE,
-                          "sysdb_gpo_store_gpo_result_setting failed for key:"
-                          "'%s' value:'%s' [%d][%s]\n", deny_key, deny_value,
-                          ret, sss_strerror(ret));
-+                    DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
-+                                               "value: [%s] to deny maps "
-+                                               "[%d][%s].\n",
-+                                               deny_key, value, ret,
-+                                               sss_strerror(ret));
-                     goto done;
-                 }
-             }
-@@ -1784,6 +1812,8 @@ struct ad_gpo_access_state {
-     int num_cse_filtered_gpos;
-     int cse_gpo_index;
-     const char *ad_domain;
-+    hash_table_t *allow_maps;
-+    hash_table_t *deny_maps;
- };
- static void ad_gpo_connect_done(struct tevent_req *subreq);
-@@ -1906,6 +1936,19 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
-         goto immediately;
-     }
-+    ret = sss_hash_create(state, 0, &state->allow_maps);
-+    if (ret != EOK) {
-+        DEBUG(SSSDBG_FATAL_FAILURE, "Could not create allow maps "
-+              "hash table [%d]: %s\n", ret, sss_strerror(ret));
-+        goto immediately;
-+    }
-+
-+    ret = sss_hash_create(state, 0, &state->deny_maps);
-+    if (ret != EOK) {
-+        DEBUG(SSSDBG_FATAL_FAILURE, "Could not create deny maps "
-+              "hash table [%d]: %s\n", ret, sss_strerror(ret));
-+        goto immediately;
-+    }
-     subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
-     if (subreq == NULL) {
-@@ -2725,6 +2768,43 @@ ad_gpo_cse_step(struct tevent_req *req)
-     return EAGAIN;
- }
-+static errno_t
-+store_hash_maps_in_cache(struct sss_domain_info *domain,
-+                         hash_table_t *allow_maps, hash_table_t *deny_maps)
-+{
-+    int ret;
-+    struct hash_iter_context_t *iter;
-+    hash_entry_t *entry;
-+    size_t c;
-+    hash_table_t *hash_list[] = { allow_maps, deny_maps, NULL};
-+
-+
-+    for (c = 0; hash_list[c] != NULL; c++) {
-+        iter = new_hash_iter_context(hash_list[c]);
-+        if (iter == NULL) {
-+            DEBUG(SSSDBG_OP_FAILURE, "Failed to create hash iterator.\n");
-+            return EINVAL;
-+        }
-+
-+        while ((entry = iter->next(iter)) != NULL) {
-+            ret = sysdb_gpo_store_gpo_result_setting(domain,
-+                                                     entry->key.c_str,
-+                                                     entry->value.ptr);
-+            if (ret != EOK) {
-+                free(iter);
-+                DEBUG(SSSDBG_OP_FAILURE,
-+                      "sysdb_gpo_store_gpo_result_setting failed for key:"
-+                      "[%s] value:[%s] [%d][%s]\n", entry->key.c_str,
-+                      (char *) entry->value.ptr, ret, sss_strerror(ret));
-+                return ret;
-+            }
-+        }
-+        talloc_free(iter);
-+    }
-+
-+    return EOK;
-+}
-+
- /*
-  * This cse-specific function (GP_EXT_GUID_SECURITY) increments the
-  * cse_gpo_index until the policy settings for all applicable GPOs have been
-@@ -2766,6 +2846,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)
-      * (as part of the GPO Result object in the sysdb cache).
-      */
-     ret = ad_gpo_store_policy_settings(state->host_domain,
-+                                       state->allow_maps, state->deny_maps,
-                                        cse_filtered_gpo->policy_filename);
-     if (ret != EOK && ret != ENOENT) {
-         DEBUG(SSSDBG_OP_FAILURE,
-@@ -2779,6 +2860,13 @@ ad_gpo_cse_done(struct tevent_req *subreq)
-     if (ret == EOK) {
-         /* ret is EOK only after all GPO policy files have been downloaded */
-+        ret = store_hash_maps_in_cache(state->host_domain,
-+                                       state->allow_maps, state->deny_maps);
-+        if (ret != EOK) {
-+            DEBUG(SSSDBG_OP_FAILURE, "Failed to store evaluated GPO maps "
-+                                     "[%d][%s].\n", ret, sss_strerror(ret));
-+            goto done;
-+        }
-         ret = ad_gpo_perform_hbac_processing(state,
-                                              state->gpo_mode,
-                                              state->gpo_map_type,
--
-2.25.1
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf b/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf
index 1e8b537..2c9c6fc 100644
--- a/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf
@@ -7,7 +7,8 @@ domains = shadowutils
 [pam]
 [domain/shadowutils]
-id_provider = files
+id_provider = proxy
+proxy_lib_name = files
 auth_provider = proxy
 proxy_pam_target = sssd-shadowutils
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd b/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd
deleted file mode 100644
index 2a82413..0000000
--- a/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd
+++ /dev/null
@@ -1 +0,0 @@
-d root root 0750 /var/log/sssd none
author	Yi Zhao <yi.zhao@eng.windriver.com>	2025-03-27 21:23:26 +0800
committer	Armin Kuster <akuster808@gmail.com>	2025-04-13 14:07:57 -0400
commit	0d6aa528cf91701cfc368dc3013d9bba84d2d831 (patch)
tree	a6e9887dd33fabd582481bf2cfa1ea95939fe52a /dynamic-layers/networking-layer/recipes-security/sssd/files
parent	b7b2d12c4f0e037894f2c8a46d3a254b5dc1b032 (diff)
download	meta-security-0d6aa528cf91701cfc368dc3013d9bba84d2d831.tar.gz

diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch deleted file mode 100644 index 6880405..0000000 --- a/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch +++ /dev/null
@@ -1,318 +0,0 @@
1	Backport patch to fix interpreter of sss_analyze.
2
3	Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/ed3726c]
4
5	Signed-off-by: Kai Kang <kai.kang@windriver.com>
6
7	From ed3726c37fe07aab788404bfa2f9003db15f4210 Mon Sep 17 00:00:00 2001
8	From: roy214 <abroy@redhat.com>
9	Date: Tue, 25 Apr 2023 20:01:24 +0530
10	Subject: [PATCH] sssctl: add error analyzer
11	MIME-Version: 1.0
12	Content-Type: text/plain; charset=UTF-8
13	Content-Transfer-Encoding: 8bit
14
15	Also removing unused variable and import.
16
17	Reviewed-by: Justin Stephenson <jstephen@redhat.com>
18	Reviewed-by: Tomáš Halman <thalman@redhat.com>
19	---
20	src/tools/analyzer/Makefile.am \| 2 +
21	src/tools/analyzer/modules/error.py \| 61 +++++++++++++++++++++++++++
22	src/tools/analyzer/modules/request.py \| 54 +++++-------------------
23	src/tools/analyzer/sss_analyze \| 2 +-
24	src/tools/analyzer/sss_analyze.py \| 3 ++
25	src/tools/analyzer/util.py \| 44 +++++++++++++++++++
26	6 files changed, 121 insertions(+), 45 deletions(-)
27	create mode 100644 src/tools/analyzer/modules/error.py
28	create mode 100644 src/tools/analyzer/util.py
29
30	diff --git a/src/tools/analyzer/Makefile.am b/src/tools/analyzer/Makefile.am
31	index b40043d043..7692af8528 100644
32	--- a/src/tools/analyzer/Makefile.am
33	+++ b/src/tools/analyzer/Makefile.am
34	@@ -13,10 +13,12 @@ dist_pkgpython_DATA = \
35	source_reader.py \
36	parser.py \
37	sss_analyze.py \
38	+ util.py \
39	$(NULL)
40
41	modulesdir = $(pkgpythondir)/modules
42	dist_modules_DATA = \
43	modules/__init__.py \
44	modules/request.py \
45	+ modules/error.py \
46	$(NULL)
47	diff --git a/src/tools/analyzer/modules/error.py b/src/tools/analyzer/modules/error.py
48	new file mode 100644
49	index 0000000000..71173670c5
50	--- /dev/null
51	+++ b/src/tools/analyzer/modules/error.py
52	@@ -0,0 +1,61 @@
53	+from sssd import util
54	+from sssd.parser import SubparsersAction
55	+from sssd import sss_analyze
56	+
57	+class ErrorAnalyzer:
58	+ """
59	+ An error analyzer module, list if there is any error reported by sssd_be
60	+ """
61	+ module_parser = None
62	+ print_opts = []
63	+
64	+ def print_module_help(self, args):
65	+ """
66	+ Print the module parser help output
67	+
68	+ Args:
69	+ args (Namespace): argparse parsed arguments
70	+ """
71	+ self.module_parser.print_help()
72	+
73	+ def setup_args(self, parser_grp, cli):
74	+ """
75	+ Setup module parser, subcommands, and options
76	+
77	+ Args:
78	+ parser_grp (argparse.Action): Parser group to nest
79	+ module and subcommands under
80	+ """
81	+ desc = "Analyze error check module"
82	+ self.module_parser = parser_grp.add_parser('error',
83	+ description=desc,
84	+ help='Error checker')
85	+
86	+ subparser = self.module_parser.add_subparsers(title=None,
87	+ dest='subparser',
88	+ action=SubparsersAction,
89	+ metavar='COMMANDS')
90	+
91	+ subcmd_grp = subparser.add_parser_group('Operation Modes')
92	+ cli.add_subcommand(subcmd_grp, 'list', 'Print error messages found in backend',
93	+ self.print_error, self.print_opts)
94	+
95	+ self.module_parser.set_defaults(func=self.print_module_help)
96	+
97	+ return self.module_parser
98	+
99	+ def print_error(self, args):
100	+ err = 0
101	+ utl = util.Utils()
102	+ source = utl.load(args)
103	+ component = source.Component.BE
104	+ source.set_component(component, False)
105	+ patterns = ['sdap_async_sys_connect request failed', 'terminated by own WATCHDOG',
106	+ 'ldap_sasl_interactive_bind_s failed', 'Communication with KDC timed out', 'SSSD is offline', 'Backend is offline',
107	+ 'tsig verify failure', 'ldap_install_tls failed', 's2n exop request failed']
108	+ for line in utl.matched_line(source, patterns):
109	+ err +=1
110	+ print(line)
111	+ if err > 0:
112	+ print("For possible solutions please refer to https://sssd.io/troubleshooting/errors.html")
113	+ return
114	diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
115	index d661dddb84..e4d5f060c7 100644
116	--- a/src/tools/analyzer/modules/request.py
117	+++ b/src/tools/analyzer/modules/request.py
118	@@ -1,6 +1,6 @@
119	import re
120	import logging
121	-
122	+from sssd import util
123	from sssd.parser import SubparsersAction
124	from sssd.parser import Option
125
126	@@ -38,7 +38,6 @@ def print_module_help(self, args):
127	def setup_args(self, parser_grp, cli):
128	"""
129	Setup module parser, subcommands, and options
130	-
131	Args:
132	parser_grp (argparse.Action): Parser group to nest
133	module and subcommands under
134	@@ -63,42 +62,6 @@ def setup_args(self, parser_grp, cli):
135
136	return self.module_parser
137
138	- def load(self, args):
139	- """
140	- Load the appropriate source reader.
141	-
142	- Args:
143	- args (Namespace): argparse parsed arguments
144	-
145	- Returns:
146	- Instantiated source object
147	- """
148	- if args.source == "journald":
149	- from sssd.source_journald import Journald
150	- source = Journald()
151	- else:
152	- from sssd.source_files import Files
153	- source = Files(args.logdir)
154	- return source
155	-
156	- def matched_line(self, source, patterns):
157	- """
158	- Yield lines which match any number of patterns (OR) in
159	- provided patterns list.
160	-
161	- Args:
162	- source (Reader): source Reader object
163	- Yields:
164	- lines matching the provided pattern(s)
165	- """
166	- for line in source:
167	- for pattern in patterns:
168	- re_obj = re.compile(pattern)
169	- if re_obj.search(line):
170	- if line.startswith(' * '):
171	- continue
172	- yield line
173	-
174	def get_linked_ids(self, source, pattern, regex):
175	"""
176	Retrieve list of associated REQ_TRACE ids. Filter
177	@@ -114,8 +77,9 @@ def get_linked_ids(self, source, pattern, regex):
178	Returns:
179	List of linked ids discovered
180	"""
181	+ utl = util.Utils()
182	linked_ids = []
183	- for match in self.matched_line(source, pattern):
184	+ for match in utl.matched_line(source, pattern):
185	id_re = re.compile(regex)
186	match = id_re.search(match)
187	if match:
188	@@ -250,7 +214,8 @@ def list_requests(self, args):
189	Args:
190	args (Namespace): populated argparse namespace
191	"""
192	- source = self.load(args)
193	+ utl = util.Utils()
194	+ source = utl.load(args)
195	component = source.Component.NSS
196	resp = "nss"
197	# Log messages matching the following regex patterns contain
198	@@ -266,7 +231,7 @@ def list_requests(self, args):
199	if args.verbose:
200	self.print_formatted_verbose(source)
201	else:
202	- for line in self.matched_line(source, patterns):
203	+ for line in utl.matched_line(source, patterns):
204	if type(source).__name__ == 'Journald':
205	print(line)
206	else:
207	@@ -279,7 +244,8 @@ def track_request(self, args):
208	Args:
209	args (Namespace): populated argparse namespace
210	"""
211	- source = self.load(args)
212	+ utl = util.Utils()
213	+ source = utl.load(args)
214	cid = args.cid
215	resp_results = False
216	be_results = False
217	@@ -294,7 +260,7 @@ def track_request(self, args):
218	logger.info(f"******** Checking {resp} responder for Client ID"
219	f" {cid} *******")
220	source.set_component(component, args.child)
221	- for match in self.matched_line(source, pattern):
222	+ for match in utl.matched_line(source, pattern):
223	resp_results = self.consume_line(match, source, args.merge)
224
225	logger.info(f"******* Checking Backend for Client ID {cid} ******")
226	@@ -307,7 +273,7 @@ def track_request(self, args):
227	pattern.clear()
228	[pattern.append(f'\\{id}') for id in be_ids]
229
230	- for match in self.matched_line(source, pattern):
231	+ for match in utl.matched_line(source, pattern):
232	be_results = self.consume_line(match, source, args.merge)
233
234	if args.merge:
235	diff --git a/src/tools/analyzer/sss_analyze b/src/tools/analyzer/sss_analyze
236	index 3f1beaf38b..6d4b5b30c6 100755
237	--- a/src/tools/analyzer/sss_analyze
238	+++ b/src/tools/analyzer/sss_analyze
239	@@ -1,4 +1,4 @@
240	-#!/usr/bin/env python
241	+#!/usr/bin/env python3
242
243	from sssd import sss_analyze
244
245	diff --git a/src/tools/analyzer/sss_analyze.py b/src/tools/analyzer/sss_analyze.py
246	index 18b998f380..dafc84fc03 100644
247	--- a/src/tools/analyzer/sss_analyze.py
248	+++ b/src/tools/analyzer/sss_analyze.py
249	@@ -1,6 +1,7 @@
250	import argparse
251
252	from sssd.modules import request
253	+from sssd.modules import error
254	from sssd.parser import SubparsersAction
255
256
257	@@ -55,9 +56,11 @@ def load_modules(self, parser, parser_grp):
258	"""
259	# Currently only the 'request' module exists
260	req = request.RequestAnalyzer()
261	+ err = error.ErrorAnalyzer()
262	cli = Analyzer()
263
264	req.setup_args(parser_grp, cli)
265	+ err.setup_args(parser_grp, cli)
266
267	def setup_args(self):
268	"""
269	diff --git a/src/tools/analyzer/util.py b/src/tools/analyzer/util.py
270	new file mode 100644
271	index 0000000000..2a8d153a71
272	--- /dev/null
273	+++ b/src/tools/analyzer/util.py
274	@@ -0,0 +1,44 @@
275	+import re
276	+import logging
277	+
278	+from sssd.source_files import Files
279	+from sssd.source_journald import Journald
280	+
281	+logger = logging.getLogger()
282	+
283	+
284	+class Utils:
285	+
286	+ def load(self, args):
287	+ """
288	+ Load the appropriate source reader.
289	+
290	+ Args:
291	+ args (Namespace): argparse parsed arguments
292	+
293	+ Returns:
294	+ Instantiated source object
295	+ """
296	+ if args.source == "journald":
297	+ source = Journald()
298	+ else:
299	+ source = Files(args.logdir)
300	+ return source
301	+
302	+ def matched_line(self, source, patterns):
303	+ """
304	+ Yield lines which match any number of patterns (OR) in
305	+ provided patterns list.
306	+
307	+ Args:
308	+ source (Reader): source Reader object
309	+ Yields:
310	+ lines matching the provided pattern(s)
311	+ """
312	+ for line in source:
313	+ for pattern in patterns:
314	+ re_obj = re.compile(pattern)
315	+ if re_obj.search(line):
316	+ if line.startswith(' * '):
317	+ continue
318	+ yield line


diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch deleted file mode 100644 index 1e9fca5..0000000 --- a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch +++ /dev/null
@@ -1,219 +0,0 @@
1	From f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726 Mon Sep 17 00:00:00 2001
2	From: Sumit Bose <sbose@redhat.com>
3	Date: Wed, 8 Nov 2023 14:50:24 +0100
4	Subject: [PATCH] ad-gpo: use hash to store intermediate results
5
6	Currently after the evaluation of a single GPO file the intermediate
7	results are stored in the cache and this cache entry is updated until
8	all applicable GPO files are evaluated. Finally the data in the cache is
9	used to make the decision of access is granted or rejected.
10
11	If there are two or more access-control request running in parallel one
12	request might overwrite the cache object with intermediate data while
13	another request reads the cached data for the access decision and as a
14	result will do this decision based on intermediate data.
15
16	To avoid this the intermediate results are not stored in the cache
17	anymore but in hash tables which are specific to the request. Only the
18	final result is written to the cache to have it available for offline
19	authentication.
20
21	Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
22	Reviewed-by: Tomáš Halman <thalman@redhat.com>
23	(cherry picked from commit d7db7971682da2dbf7642ac94940d6b0577ec35a)
24
25	Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726]
26	CVE: CVE-2023-3758
27	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
28
29	---
30	src/providers/ad/ad_gpo.c \| 116 +++++++++++++++++++++++++++++++++-----
31	1 file changed, 102 insertions(+), 14 deletions(-)
32
33	diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
34	index 44e9cbb..cec0cb4 100644
35	--- a/src/providers/ad/ad_gpo.c
36	+++ b/src/providers/ad/ad_gpo.c
37	@@ -1317,6 +1317,33 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
38	return ret;
39	}
40
41	+static errno_t
42	+add_result_to_hash(hash_table_t hash, const char key, char *value)
43	+{
44	+ int hret;
45	+ hash_key_t k;
46	+ hash_value_t v;
47	+
48	+ if (hash == NULL \|\| key == NULL \|\| value == NULL) {
49	+ return EINVAL;
50	+ }
51	+
52	+ k.type = HASH_KEY_CONST_STRING;
53	+ k.c_str = key;
54	+
55	+ v.type = HASH_VALUE_PTR;
56	+ v.ptr = value;
57	+
58	+ hret = hash_enter(hash, &k, &v);
59	+ if (hret != HASH_SUCCESS) {
60	+ DEBUG(SSSDBG_OP_FAILURE, "Failed to add [%s][%s] to hash: [%s].\n",
61	+ key, value, hash_error_string(hret));
62	+ return EIO;
63	+ }
64	+
65	+ return EOK;
66	+}
67	+
68	/*
69	* This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename,
70	* and stores the allow_key and deny_key of all of the gpo_map_types present
71	@@ -1324,6 +1351,7 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
72	*/
73	static errno_t
74	ad_gpo_store_policy_settings(struct sss_domain_info *domain,
75	+ hash_table_t allow_maps, hash_table_t deny_maps,
76	const char *filename)
77	{
78	struct ini_cfgfile *file_ctx = NULL;
79	@@ -1457,14 +1485,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
80	goto done;
81	} else if (ret != ENOENT) {
82	const char *value = allow_value ? allow_value : empty_val;
83	- ret = sysdb_gpo_store_gpo_result_setting(domain,
84	- allow_key,
85	- value);
86	+ ret = add_result_to_hash(allow_maps, allow_key,
87	+ talloc_strdup(allow_maps, value));
88	if (ret != EOK) {
89	- DEBUG(SSSDBG_CRIT_FAILURE,
90	- "sysdb_gpo_store_gpo_result_setting failed for key:"
91	- "'%s' value:'%s' [%d][%s]\n", allow_key, allow_value,
92	- ret, sss_strerror(ret));
93	+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
94	+ "value: [%s] to allow maps "
95	+ "[%d][%s].\n",
96	+ allow_key, value, ret,
97	+ sss_strerror(ret));
98	goto done;
99	}
100	}
101	@@ -1484,14 +1512,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
102	goto done;
103	} else if (ret != ENOENT) {
104	const char *value = deny_value ? deny_value : empty_val;
105	- ret = sysdb_gpo_store_gpo_result_setting(domain,
106	- deny_key,
107	- value);
108	+ ret = add_result_to_hash(deny_maps, deny_key,
109	+ talloc_strdup(deny_maps, value));
110	if (ret != EOK) {
111	- DEBUG(SSSDBG_CRIT_FAILURE,
112	- "sysdb_gpo_store_gpo_result_setting failed for key:"
113	- "'%s' value:'%s' [%d][%s]\n", deny_key, deny_value,
114	- ret, sss_strerror(ret));
115	+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
116	+ "value: [%s] to deny maps "
117	+ "[%d][%s].\n",
118	+ deny_key, value, ret,
119	+ sss_strerror(ret));
120	goto done;
121	}
122	}
123	@@ -1784,6 +1812,8 @@ struct ad_gpo_access_state {
124	int num_cse_filtered_gpos;
125	int cse_gpo_index;
126	const char *ad_domain;
127	+ hash_table_t *allow_maps;
128	+ hash_table_t *deny_maps;
129	};
130
131	static void ad_gpo_connect_done(struct tevent_req *subreq);
132	@@ -1906,6 +1936,19 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
133	goto immediately;
134	}
135
136	+ ret = sss_hash_create(state, 0, &state->allow_maps);
137	+ if (ret != EOK) {
138	+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create allow maps "
139	+ "hash table [%d]: %s\n", ret, sss_strerror(ret));
140	+ goto immediately;
141	+ }
142	+
143	+ ret = sss_hash_create(state, 0, &state->deny_maps);
144	+ if (ret != EOK) {
145	+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create deny maps "
146	+ "hash table [%d]: %s\n", ret, sss_strerror(ret));
147	+ goto immediately;
148	+ }
149
150	subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
151	if (subreq == NULL) {
152	@@ -2725,6 +2768,43 @@ ad_gpo_cse_step(struct tevent_req *req)
153	return EAGAIN;
154	}
155
156	+static errno_t
157	+store_hash_maps_in_cache(struct sss_domain_info *domain,
158	+ hash_table_t allow_maps, hash_table_t deny_maps)
159	+{
160	+ int ret;
161	+ struct hash_iter_context_t *iter;
162	+ hash_entry_t *entry;
163	+ size_t c;
164	+ hash_table_t *hash_list[] = { allow_maps, deny_maps, NULL};
165	+
166	+
167	+ for (c = 0; hash_list[c] != NULL; c++) {
168	+ iter = new_hash_iter_context(hash_list[c]);
169	+ if (iter == NULL) {
170	+ DEBUG(SSSDBG_OP_FAILURE, "Failed to create hash iterator.\n");
171	+ return EINVAL;
172	+ }
173	+
174	+ while ((entry = iter->next(iter)) != NULL) {
175	+ ret = sysdb_gpo_store_gpo_result_setting(domain,
176	+ entry->key.c_str,
177	+ entry->value.ptr);
178	+ if (ret != EOK) {
179	+ free(iter);
180	+ DEBUG(SSSDBG_OP_FAILURE,
181	+ "sysdb_gpo_store_gpo_result_setting failed for key:"
182	+ "[%s] value:[%s] [%d][%s]\n", entry->key.c_str,
183	+ (char *) entry->value.ptr, ret, sss_strerror(ret));
184	+ return ret;
185	+ }
186	+ }
187	+ talloc_free(iter);
188	+ }
189	+
190	+ return EOK;
191	+}
192	+
193	/*
194	* This cse-specific function (GP_EXT_GUID_SECURITY) increments the
195	* cse_gpo_index until the policy settings for all applicable GPOs have been
196	@@ -2766,6 +2846,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)
197	* (as part of the GPO Result object in the sysdb cache).
198	*/
199	ret = ad_gpo_store_policy_settings(state->host_domain,
200	+ state->allow_maps, state->deny_maps,
201	cse_filtered_gpo->policy_filename);
202	if (ret != EOK && ret != ENOENT) {
203	DEBUG(SSSDBG_OP_FAILURE,
204	@@ -2779,6 +2860,13 @@ ad_gpo_cse_done(struct tevent_req *subreq)
205
206	if (ret == EOK) {
207	/* ret is EOK only after all GPO policy files have been downloaded */
208	+ ret = store_hash_maps_in_cache(state->host_domain,
209	+ state->allow_maps, state->deny_maps);
210	+ if (ret != EOK) {
211	+ DEBUG(SSSDBG_OP_FAILURE, "Failed to store evaluated GPO maps "
212	+ "[%d][%s].\n", ret, sss_strerror(ret));
213	+ goto done;
214	+ }
215	ret = ad_gpo_perform_hbac_processing(state,
216	state->gpo_mode,
217	state->gpo_map_type,
218	--
219	2.25.1


diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf b/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf index 1e8b537..2c9c6fc 100644 --- a/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf +++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf
@@ -7,7 +7,8 @@ domains = shadowutils
7	[pam]	7	[pam]
8		8
9	[domain/shadowutils]	9	[domain/shadowutils]
10	id_provider = files	10	id_provider = proxy
		11	proxy_lib_name = files
11		12
12	auth_provider = proxy	13	auth_provider = proxy
13	proxy_pam_target = sssd-shadowutils	14	proxy_pam_target = sssd-shadowutils


diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd b/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd deleted file mode 100644 index 2a82413..0000000 --- a/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd +++ /dev/null
@@ -1 +0,0 @@
1	d root root 0750 /var/log/sssd none