authorV3n3RiX <venerix@redcorelinux.org>2019-03-19 11:37:34 +0000
committerV3n3RiX <venerix@redcorelinux.org>2019-03-19 11:37:34 +0000
commitb7b97785ebbb2f11d24d14dab8b81ed274f4ce6a (patch)
tree9fd110f9fc996e8a4213eeda994a8c112491b86d /sys-auth/sssd/files
parent066d27181e9a797ad9f8fc43b49fc9a10ff2f707 (diff)
gentoo resync : 19.03.2019
Diffstat (limited to 'sys-auth/sssd/files')
-rw-r--r--sys-auth/sssd/files/sssd-fix-CVE-2019-3811.patch96
1 files changed, 96 insertions, 0 deletions
diff --git a/sys-auth/sssd/files/sssd-fix-CVE-2019-3811.patch b/sys-auth/sssd/files/sssd-fix-CVE-2019-3811.patch
new file mode 100644
index 000000000000..87db45fd24bb
--- /dev/null
+++ b/sys-auth/sssd/files/sssd-fix-CVE-2019-3811.patch
@@ -0,0 +1,96 @@
+From 28792523a01a7d21bcc8931794164f253e691a68 Mon Sep 17 00:00:00 2001
+From: Tomas Halman <thalman@redhat.com>
+Date: Mon, 3 Dec 2018 14:11:31 +0100
+Subject: [PATCH] nss: sssd returns '/' for emtpy home directories
+
+For empty home directory in passwd file sssd returns "/". Sssd
+should respect system behaviour and return the same as nsswitch
+"files" module - return empty string.
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3901
+
+Reviewed-by: Simo Sorce <simo@redhat.com>
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit 90f32399b4100ce39cf665649fde82d215e5eb49)
+---
+ src/confdb/confdb.c | 9 +++++++++
+ src/man/include/ad_modified_defaults.xml | 19 +++++++++++++++++++
+ src/responder/nss/nss_protocol_pwent.c | 2 +-
+ src/tests/intg/test_files_provider.py | 2 +-
+ 4 files changed, 30 insertions(+), 2 deletions(-)
+
+diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
+index a3eb9c66d9..17bb4f8274 100644
+--- a/src/confdb/confdb.c
++++ b/src/confdb/confdb.c
+@@ -1301,6 +1301,15 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
+ ret = ENOMEM;
+ goto done;
+ }
++ } else {
++ if (strcasecmp(domain->provider, "ad") == 0) {
++ /* ad provider default */
++ domain->fallback_homedir = talloc_strdup(domain, "/home/%d/%u");
++ if (!domain->fallback_homedir) {
++ ret = ENOMEM;
++ goto done;
++ }
++ }
+ }
+
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0],
+diff --git a/src/man/include/ad_modified_defaults.xml b/src/man/include/ad_modified_defaults.xml
+index 818a2bf787..425b7e8ee0 100644
+--- a/src/man/include/ad_modified_defaults.xml
++++ b/src/man/include/ad_modified_defaults.xml
+@@ -76,4 +76,23 @@
+ </listitem>
+ </itemizedlist>
+ </refsect2>
++ <refsect2 id='nss_modifications'>
++ <title>NSS configuration</title>
++ <itemizedlist>
++ <listitem>
++ <para>
++ fallback_homedir = /home/%d/%u
++ </para>
++ <para>
++ The AD provider automatically sets
++ "fallback_homedir = /home/%d/%u" to provide personal
++ home directories for users without the homeDirectory
++ attribute. If your AD Domain is properly
++ populated with Posix attributes, and you want to avoid
++ this fallback behavior, you can explicitly
++ set "fallback_homedir = %o".
++ </para>
++ </listitem>
++ </itemizedlist>
++ </refsect2>
+ </refsect1>
+diff --git a/src/responder/nss/nss_protocol_pwent.c b/src/responder/nss/nss_protocol_pwent.c
+index af9e74fc86..86fa4ec465 100644
+--- a/src/responder/nss/nss_protocol_pwent.c
++++ b/src/responder/nss/nss_protocol_pwent.c
+@@ -118,7 +118,7 @@ nss_get_homedir(TALLOC_CTX *mem_ctx,
+
+ homedir = nss_get_homedir_override(mem_ctx, msg, nss_ctx, domain, &hd_ctx);
+ if (homedir == NULL) {
+- return "/";
++ return "";
+ }
+
+ return homedir;
+diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
+index ead1cc4c34..4761f1bd15 100644
+--- a/src/tests/intg/test_files_provider.py
++++ b/src/tests/intg/test_files_provider.py
+@@ -678,7 +678,7 @@ def test_user_no_dir(setup_pw_with_canary, files_domain_only):
+ Test that resolving a user without a homedir defined works and returns
+ a fallback value
+ """
+- check_user(incomplete_user_setup(setup_pw_with_canary, 'dir', '/'))
++ check_user(incomplete_user_setup(setup_pw_with_canary, 'dir', ''))
+
+
+ def test_user_no_gecos(setup_pw_with_canary, files_domain_only):
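Review bot: The new `else` branch in confdb_get_domain_internal calls `strcasecmp(domain->provider, "ad")` with no NULL guard; if `domain->provider` can still be unset at that point (the start of the function lies outside the hunk, so this is inferred rather than seen), the comparison dereferences NULL, and `if (domain->provider != NULL && strcasecmp(domain->provider, "ad") == 0)` is the cheap defence. The comment `/* ad provider default */` should also say why the default exists, because it is what stops the nss change from leaving AD users with no home directory at all: `/* CVE-2019-3811: nss now returns "" instead of "/" for a missing homeDirectory; AD users often lack POSIX attributes, so give them a usable default unless fallback_homedir was configured */`. The behaviour change for every other provider — consumers now receive an empty pw_dir where they previously got "/" — is documented only in the AD modified-defaults page; the fallback_homedir entry in sssd.conf(5) should state it so deployments that confine users to their home directory know to set fallback_homedir or override_homedir explicitly. The added integration test only pins the files provider; a unit check that an "ad" domain with no fallback_homedir in confdb ends up with "/home/%d/%u" would cover the other half of the fix.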