Date:      Tue, 17 Nov 2020 20:42:17 +0000 (UTC)
From:      Rene Ladan <rene@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r555585 - in head/security/sssd: . files
Message-ID:  <202011172042.0AHKgHnj049541@repo.freebsd.org>

Author: rene
Date: Tue Nov 17 20:42:16 2020
New Revision: 555585
URL: https://svnweb.freebsd.org/changeset/ports/555585

Log:
  security/sssd: update to 1.16.5
  
  This fixes several security vulnerabilities and unexpires
  the port because it moves to Python 3.
  
  PR:		241347
  Submitted by:	lukas.slebodnik@intrak.sk (initial patch)
  MFH:		2020Q4
  Security:	CVE-2018-16838
  Security:	CVE-2019-3811

Added:
  head/security/sssd/files/patch-src__external__ldap.m4   (contents, props changed)
  head/security/sssd/files/patch-src__external__pac_responder.m4   (contents, props changed)
  head/security/sssd/files/patch-src__lib__winbind_idmap_sss__winbind_idmap_sss.h   (contents, props changed)
  head/security/sssd/files/patch-src__providers__ad__ad_common.c   (contents, props changed)
  head/security/sssd/files/patch-src__providers__ad__ad_pac.h   (contents, props changed)
  head/security/sssd/files/patch-src__providers__data_provider_fo.c   (contents, props changed)
  head/security/sssd/files/patch-src__providers__ipa__ipa_common.c   (contents, props changed)
  head/security/sssd/files/patch-src__providers__ipa__ipa_deskprofile_rules_util.c   (contents, props changed)
  head/security/sssd/files/patch-src__providers__ldap__ldap_child.c   (contents, props changed)
  head/security/sssd/files/patch-src__providers__ldap__sdap_async_groups.c   (contents, props changed)
  head/security/sssd/files/patch-src__providers__ldap__sdap_async_initgroups.c   (contents, props changed)
  head/security/sssd/files/patch-src__providers__ldap__sdap_async_initgroups_ad.c   (contents, props changed)
  head/security/sssd/files/patch-src__providers__ldap__sdap_async_sudo_hostinfo.c   (contents, props changed)
  head/security/sssd/files/patch-src__providers__ldap__sdap_async_users.c   (contents, props changed)
  head/security/sssd/files/patch-src__resolv__async_resolv_utils.c   (contents, props changed)
  head/security/sssd/files/patch-src__sbus__sbus_codegen   (contents, props changed)
  head/security/sssd/files/patch-src__sss_client__pam_sss.c   (contents, props changed)
  head/security/sssd/files/patch-src__tests__cmocka__test_authtok.c   (contents, props changed)
  head/security/sssd/files/patch-src__tests__cmocka__test_pam_srv.c   (contents, props changed)
  head/security/sssd/files/patch-src__tests__cwrap__test_responder_common.c   (contents, props changed)
  head/security/sssd/files/patch-src__tests__cwrap__test_server.c   (contents, props changed)
  head/security/sssd/files/patch-src__tests__dlopen-tests.c   (contents, props changed)
  head/security/sssd/files/patch-src__util__nss_dl_load.c   (contents, props changed)
  head/security/sssd/files/patch-src__util__sss_endian.h   (contents, props changed)
  head/security/sssd/files/patch-src__util__sss_krb5.c   (contents, props changed)
  head/security/sssd/files/patch-src__util__sss_sockets.c   (contents, props changed)
  head/security/sssd/files/patch-src__util__util.c   (contents, props changed)
Deleted:
  head/security/sssd/files/patch-src-monitor-monitor.c
  head/security/sssd/files/patch-src__util__signal.c
  head/security/sssd/files/patch-src__util__sss_ldap.c
  head/security/sssd/files/patch-src_external_pac__responder.m4
Modified:
  head/security/sssd/Makefile
  head/security/sssd/distinfo
  head/security/sssd/files/patch-Makefile.am
  head/security/sssd/files/patch-configure.ac
  head/security/sssd/files/patch-src__confdb__confdb.c
  head/security/sssd/files/patch-src__external__inotify.m4
  head/security/sssd/files/patch-src__external__krb5.m4
  head/security/sssd/files/patch-src__providers__krb5__krb5_delayed_online_authentication.c
  head/security/sssd/files/patch-src__providers__ldap__ldap_auth.c
  head/security/sssd/files/patch-src__providers__ldap__sdap_access.c
  head/security/sssd/files/patch-src__sss_client__common.c
  head/security/sssd/files/patch-src__sss_client__nss_group.c
  head/security/sssd/files/patch-src__sss_client__sss_nss.exports
  head/security/sssd/files/patch-src__util__crypto__libcrypto__crypto_sha512crypt.c
  head/security/sssd/files/patch-src__util__crypto__nss__nss_sha512crypt.c
  head/security/sssd/files/patch-src__util__find_uid.c
  head/security/sssd/files/patch-src__util__server.c
  head/security/sssd/files/patch-src__util__util.h
  head/security/sssd/files/pkg-message.in
  head/security/sssd/files/sssd.in
  head/security/sssd/pkg-plist

Modified: head/security/sssd/Makefile
==============================================================================
--- head/security/sssd/Makefile	Tue Nov 17 20:34:50 2020	(r555584)
+++ head/security/sssd/Makefile	Tue Nov 17 20:42:16 2020	(r555585)
@@ -2,8 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	sssd
-PORTVERSION=	1.11.7
-PORTREVISION=	22
+PORTVERSION=	1.16.5
 CATEGORIES=	security
 MASTER_SITES=	https://releases.pagure.org/SSSD/${PORTNAME}/
 
@@ -13,14 +12,11 @@ COMMENT=	System Security Services Daemon
 LICENSE=	GPLv3+
 LICENSE_FILE=	${WRKSRC}/COPYING
 
-DEPRECATED=	Uses deprecated version of python
-EXPIRATION_DATE=	2020-09-15
-
 LIB_DEPENDS=	libpopt.so:devel/popt \
 		libtalloc.so:devel/talloc \
 		libtevent.so:devel/tevent \
 		libtdb.so:databases/tdb \
-		libldb.so:databases/ldb14 \
+		libldb.so:databases/ldb20 \
 		libcares.so:dns/c-ares \
 		libdbus-1.so:devel/dbus \
 		libdhash.so:devel/ding-libs \
@@ -37,33 +33,37 @@ BUILD_DEPENDS=	xmlcatalog:textproc/libxml2 \
 		krb5>=1.10:security/krb5 \
 		nsupdate:dns/bind-tools
 
-USES=		autoreconf cpe gettext gmake iconv libtool pathfix pkgconfig \
-		python:2.7 shebangfix gssapi:mit
-
-USE_LDCONFIG=	yes
-USE_OPENLDAP=	yes
-
 GNU_CONFIGURE=	yes
-CONFIGURE_ARGS=	--with-selinux=no --with-semanage=no \
+CONFIGURE_ARGS=	--without-selinux --without-semanage \
+		--without-libnl --without-nfsv4-idmapd-plugin \
+		--without-autofs --without-secrets --without-kcm \
+		--without-python2-bindings \
+		--with-init-dir=no \
+		--disable-cifs-idmap-plugin \
+		--with-unicode-lib=libunistring \
 		--with-ldb-lib-dir=${LOCALBASE}/lib/shared-modules/ldb \
 		--with-xml-catalog-path=${LOCALBASE}/share/xml/catalog \
-		--with-libnl=no --with-init-dir=no --datadir=${DATADIR} \
-		--docdir=${DOCSDIR} --with-pid-path=/var/run \
-		--localstatedir=/var --enable-pammoddir=${PREFIX}/lib \
-		--with-db-path=/var/db/sss --with-pipe-path=/var/run/sss \
-		--with-pubconf-path=/var/run/sss --with-mcache-path=/var/db/sss_mc \
-		--with-unicode-lib=libunistring --with-autofs=no \
-		--disable-cifs-idmap-plugin --disable-config-lib \
-		--with-krb5-conf=/etc/krb5.conf
+		--datadir=${DATADIR} --docdir=${DOCSDIR} --localstatedir=/var \
+		--with-db-path=/var/db/sss/db --with-mcache-path=/var/db/sss/mc \
+		--with-pubconf-path=/var/db/sss/pubconf  \
+		--with-gpo-cache-path=/var/db/sss/gpo_cache  \
+		--with-pid-path=/var/run --with-pipe-path=/var/run/sss/pipes \
+		--with-krb5-conf=/etc/krb5.conf \
+		--enable-pammoddir=${PREFIX}/lib
 CFLAGS+=	-fstack-protector-all
 PLIST_SUB=	PYTHON_VER=${PYTHON_VER}
 #DEBUG_FLAGS=	-g
 MAKE_ENV+=	LINGUAS="bg de eu es fr hu id it ja nb nl pl pt ru sv tg tr uk zh_CN zh_TW"
 SUB_FILES=	pkg-message
 
+USES=		autoreconf cpe gettext gmake iconv libtool pathfix pkgconfig \
+		python:3.7 shebangfix gssapi:mit
+USE_LDCONFIG=	yes
+USE_OPENLDAP=	yes
 INSTALL_TARGET=	install-strip
 CPE_VENDOR=	fedoraproject
 
+BINARY_ALIAS=	python3=python${PYTHON_VER}
 SHEBANG_FILES=	src/tools/sss_obfuscate \
 		src/sbus/sbus_codegen
 
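Review bot: The new `--with-db-path=/var/db/sss/db`, `--with-mcache-path=/var/db/sss/mc`, `--with-pubconf-path=/var/db/sss/pubconf` and `--with-pipe-path=/var/run/sss/pipes` arguments relocate every state directory, but nothing in the Makefile says who now creates them or with what ownership and mode. The `post-install` hunk further down also drops the loop that removed the staged `/var` directories, along with the comment saying the rc script creates them. This matters for the pipe directory, which presumably still holds the restricted `private` socket directory named in the old loop, and for upgrades from 1.11.7, whose cache stays under the old `/var/db/sss` and `/var/db/sss_mc` paths. `pkg-plist`, `files/sssd.in` and `files/pkg-message.in` are modified outside this view and may already cover it. I would add a comment above `CONFIGURE_ARGS` such as `# State dirs under /var/db/sss and /var/run/sss: created with restrictive modes by <pkg-plist or rc script>; see pkg-message for moving an existing cache`, filled in with what the plist and rc script actually do.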
@@ -73,18 +73,17 @@ PORTDATA=	*
 OPTIONS_DEFINE=	DOCS SMB
 OPTIONS_SUB=	yes
 
-# If the port fails to package with SMB=on due to some missing files from
-# pkg-plist, check if there was a version bump of security/krb5 and
-# update files/patch-src__external__krb5.m4 accordingly.
-#
-# See: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=244778
-
 SMB_DESC=		Install IPA and AD providers (requires Samba4)
-SMB_USES=		samba:lib # libndr-krb5pac libndr-nbt libndr libsamba-util
-SMB_CONFIGURE_WITH=	samba
+SMB_USES=		samba:lib
+SMB_CONFIGURE_WITH=	samba smb-idmap-interface-version=6
+SMB_LIB_DEPENDS=	libndr-nbt.so.0:net/samba410 \
+			libndr-krb5pac.so.0:net/samba410 \
+			libndr-standard.so.0:net/samba410 \
+			libndr.so.0:net/samba410 \
+			libsamba-util.so.0:net/samba410 \
+			libsmbclient.so.0:net/samba410
 
 post-patch:
-	@${REINPLACE_CMD} -e 's|SIGCLD|SIGCHLD|g' ${WRKSRC}/src/util/signal.c
 	@${REINPLACE_CMD} -e 's|NSS_STATUS_NOTFOUND|NS_NOTFOUND|g' \
 		-e 's|NSS_STATUS_UNAVAIL|NS_UNAVAIL|g' \
 		-e 's|NSS_STATUS_TRYAGAIN|NS_TRYAGAIN|g' \
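Review bot: `SMB_LIB_DEPENDS` hard-codes `net/samba410` for all six libraries while `SMB_USES=samba:lib` lets the framework choose the Samba port, so the two can disagree once the default Samba version, or a user's override, is no longer 4.10. `smb-idmap-interface-version=6` is presumably tied to that same Samba release. The hunk also deletes the only comment that told maintainers what to check when packaging with SMB=on fails. I would keep a short replacement, e.g. `# LIB_DEPENDS origins and smb-idmap-interface-version must match the Samba selected by USES=samba; revisit both when the default changes`, or derive the origin from what the samba USES provides instead of spelling out `net/samba410`. The `post-patch` target at the end of the hunk continues outside it.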
@@ -108,12 +107,9 @@ post-install:
 	${INSTALL_DATA} ${WRKSRC}/src/examples/sssd-example.conf \
 		${STAGEDIR}${ETCDIR}/sssd.conf.sample
 	${LN} -sf nss_sss.so ${STAGEDIR}${PREFIX}/lib/nss_sss.so.1
-# clean these up from the install; we create them in rc script start_precmd
-.for d in db/sss db/sss_mc log/sssd run/sss/krb5.include.d run/sss/private run/sss
-	@${RMDIR} ${STAGEDIR}/var/${d}
-.endfor
+
 # clean unused man dirs
-.for i in nl/man1 nl/man5 pt/man1 pt/man5
+.for i in es/man1 nl/man1 nl/man5 pt/man1 pt/man5 sv/man1
 	@${RMDIR} ${STAGEDIR}${PREFIX}/man/${i}
 .endfor
 

Modified: head/security/sssd/distinfo
==============================================================================
--- head/security/sssd/distinfo	Tue Nov 17 20:34:50 2020	(r555584)
+++ head/security/sssd/distinfo	Tue Nov 17 20:42:16 2020	(r555585)
@@ -1,2 +1,3 @@
-SHA256 (sssd-1.11.7.tar.gz) = ff12d5730a6d7d08fe11140aa58e544900b75c63902b7a07bbbc12d6a99cb5b5
-SIZE (sssd-1.11.7.tar.gz) = 3661227
+TIMESTAMP = 1587639728
+SHA256 (sssd-1.16.5.tar.gz) = 2e1a7bf036b583f686d35164f2d79bdf4857b98f51fe8b0d17aa0fa756e4d0c0
+SIZE (sssd-1.16.5.tar.gz) = 6639917

Modified: head/security/sssd/files/patch-Makefile.am
==============================================================================
--- head/security/sssd/files/patch-Makefile.am	Tue Nov 17 20:34:50 2020	(r555584)
+++ head/security/sssd/files/patch-Makefile.am	Tue Nov 17 20:42:16 2020	(r555585)
@@ -1,22 +1,38 @@
---- Makefile.am.orig	2020-03-16 18:30:24 UTC
+diff --git Makefile.am Makefile.am
+index be17d6a59..03386d1f8 100644
+--- Makefile.am
 +++ Makefile.am
-@@ -311,6 +311,7 @@ AM_CPPFLAGS = \
-     $(LIBNL_CFLAGS) \
-     $(OPENLDAP_CFLAGS) \
-     $(GLIB2_CFLAGS) \
-+    -DHOST_NAME_MAX=_POSIX_HOST_NAME_MAX \
-     -DLIBDIR=\"$(libdir)\" \
-     -DVARDIR=\"$(localstatedir)\" \
-     -DSHLIBEXT=\"$(SHLIBEXT)\" \
-@@ -378,6 +379,7 @@ SSSD_LIBS = \
-     $(DHASH_LIBS) \
-     $(SSS_CRYPT_LIBS) \
-     $(OPENLDAP_LIBS) \
-+    $(LTLIBINTL) \
-     $(TDB_LIBS)
+@@ -61,7 +61,7 @@ sssdapiplugindir = $(sssddatadir)/sssd.api.d
+ sssdtapscriptdir = $(sssddatadir)/systemtap
+ dbuspolicydir = $(sysconfdir)/dbus-1/system.d
+ dbusservicedir = $(datadir)/dbus-1/system-services
+-sss_statedir = $(localstatedir)/lib/sss
++sss_statedir = $(localstatedir)/db/sss
+ runstatedir = @runstatedir@
+ localedir = @localedir@
+ nsslibdir = @nsslibdir@
+@@ -378,12 +378,6 @@ sssdlib_LTLIBRARIES += \
+     libsss_ad.la
+ endif
  
- PYTHON_BINDINGS_LIBS = \
-@@ -433,6 +435,7 @@ dist_noinst_HEADERS = \
+-if HAVE_INOTIFY
+-sssdlib_LTLIBRARIES += \
+-    libsss_files.la \
+-    $(NULL)
+-endif # HAVE_INOTIFY
+-
+ ldblib_LTLIBRARIES = \
+     memberof.la
+ 
+@@ -610,6 +604,7 @@ SSSD_FAILOVER_OBJ = \
+ 
+ SSSD_LIBS = \
+     $(TALLOC_LIBS) \
++    $(LTLIBINTL) \
+     $(TEVENT_LIBS) \
+     $(POPT_LIBS) \
+     $(LDB_LIBS) \
+@@ -664,6 +659,7 @@ dist_noinst_HEADERS = \
      src/util/sss_ssh.h \
      src/util/sss_ini.h \
      src/util/sss_format.h \
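Review bot: The regenerated patch now removes the `if HAVE_INOTIFY` block that adds `libsss_files.la` to `sssdlib_LTLIBRARIES`, and neither the patch nor the commit log records why. If the visible lines are the whole story, the files provider library is no longer built, so a configuration that names that provider would fail to load it after this update. Whether `pkg-message.in` mentions this is not visible here. I would record the decision in the port Makefile, e.g. `# files provider (libsss_files.la) is not built on FreeBSD; see files/patch-Makefile.am`, and mention it in the package message if users can be affected.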
@@ -24,7 +40,137 @@
      src/util/refcount.h \
      src/util/find_uid.h \
      src/util/user_info_msg.h \
-@@ -1700,9 +1703,10 @@ endif
+@@ -1358,6 +1354,7 @@ sssd_LDADD = \
+     $(SSSD_LIBS) \
+     $(INOTIFY_LIBS) \
+     $(LIBNL_LIBS) \
++    $(LTLIBINTL) \
+     $(KEYUTILS_LIBS) \
+     $(SYSTEMD_DAEMON_LIBS) \
+     $(SSSD_INTERNAL_LTLIBS)
+@@ -1381,6 +1378,7 @@ sssd_nss_SOURCES = \
+ sssd_nss_LDADD = \
+     $(TDB_LIBS) \
+     $(SSSD_LIBS) \
++    $(LTLIBINTL) \
+     libsss_idmap.la \
+     libsss_cert.la \
+     $(SYSTEMD_DAEMON_LIBS) \
+@@ -1397,6 +1395,7 @@ sssd_pam_SOURCES = \
+ sssd_pam_LDADD = \
+     $(TDB_LIBS) \
+     $(SSSD_LIBS) \
++    $(LTLIBINTL) \
+     $(SELINUX_LIBS) \
+     $(PAM_LIBS) \
+     $(SYSTEMD_DAEMON_LIBS) \
+@@ -1414,6 +1413,7 @@ sssd_sudo_SOURCES = \
+     $(SSSD_RESPONDER_OBJ)
+ sssd_sudo_LDADD = \
+     $(SSSD_LIBS) \
++    $(LTLIBINTL) \
+     $(SYSTEMD_DAEMON_LIBS) \
+     $(SSSD_INTERNAL_LTLIBS)
+ endif
+@@ -1426,6 +1426,7 @@ sssd_autofs_SOURCES = \
+     $(SSSD_RESPONDER_OBJ)
+ sssd_autofs_LDADD = \
+     $(SSSD_LIBS) \
++    $(LTLIBINTL) \
+     $(SYSTEMD_DAEMON_LIBS) \
+     $(SSSD_INTERNAL_LTLIBS)
+ endif
+@@ -1441,6 +1442,7 @@ sssd_ssh_SOURCES = \
+     $(NULL)
+ sssd_ssh_LDADD = \
+     $(SSSD_LIBS) \
++    $(LTLIBINTL) \
+     $(SSSD_INTERNAL_LTLIBS) \
+     $(SYSTEMD_DAEMON_LIBS) \
+     libsss_cert.la \
+@@ -1481,6 +1483,7 @@ sssd_ifp_CFLAGS = \
+     $(AM_CFLAGS)
+ sssd_ifp_LDADD = \
+     $(SSSD_LIBS) \
++    $(LTLIBINTL) \
+     $(SYSTEMD_DAEMON_LIBS) \
+     $(SSSD_INTERNAL_LTLIBS) \
+     libsss_cert.la \
+@@ -1604,6 +1607,7 @@ sssd_be_SOURCES = \
+ sssd_be_LDADD = \
+     $(LIBADD_DL) \
+     $(SSSD_LIBS) \
++    $(LTLIBINTL) \
+     $(CARES_LIBS) \
+     $(PAM_LIBS) \
+     $(SSSD_INTERNAL_LTLIBS)
+@@ -1726,6 +1730,7 @@ sss_signal_SOURCES = \
+     src/tools/common/sss_process.c
+     $(NULL)
+ sss_signal_LDADD = \
++    $(LTLIBINTL) \
+     libsss_debug.la \
+     $(NULL)
+ 
+@@ -2318,6 +2323,7 @@ test_ssh_client_CFLAGS = \
+ test_ssh_client_LDADD = \
+     $(SSSD_INTERNAL_LTLIBS) \
+     $(SSSD_LIBS) \
++    $(LTLIBINTL) \
+     $(NULL)
+ 
+ if BUILD_DBUS_TESTS
+@@ -2602,6 +2608,7 @@ test_authtok_LDADD = \
+     $(CMOCKA_LIBS) \
+     $(DHASH_LIBS) \
+     $(POPT_LIBS) \
++    $(LTLIBINTL) \
+     libsss_test_common.la \
+     libsss_debug.la \
+     $(NULL)
+@@ -2622,6 +2629,7 @@ deskprofile_utils_tests_SOURCES = \
+ deskprofile_utils_tests_CFLAGS = \
+     $(AM_CFLAGS)
+ deskprofile_utils_tests_LDADD = \
++    $(LTLIBINTL) \
+     $(CMOCKA_LIBS) \
+     $(SSSD_INTERNAL_LTLIBS) \
+     libsss_test_common.la
+@@ -2654,6 +2662,7 @@ domain_resolution_order_tests_CFLAGS = \
+ 	$(AM_CFLAGS)
+ domain_resolution_order_tests_LDADD = \
+ 	$(CMOCKA_LIBS) \
++        $(LTLIBINTL) \
+ 	$(SSSD_INTERNAL_LTLIBS) \
+ 	libsss_test_common.la
+ 
+@@ -2738,6 +2747,7 @@ test_search_bases_LDADD = \
+     $(CMOCKA_LIBS) \
+     $(TALLOC_LIBS) \
+     $(SSSD_INTERNAL_LTLIBS) \
++    $(LTLIBINTL) \
+     libsss_ldap_common.la \
+     libsss_test_common.la \
+     libdlopen_test_providers.la \
+@@ -3545,6 +3555,7 @@ test_inotify_LDADD = \
+     $(CMOCKA_LIBS) \
+     $(SSSD_LIBS) \
+     $(SSSD_INTERNAL_LTLIBS) \
++    $(INOTIFY_LIBS) \
+     $(LIBADD_DL) \
+     libsss_test_common.la \
+     $(NULL)
+@@ -3637,9 +3648,6 @@ endif
+ if BUILD_WITH_LIBCURL
+ noinst_PROGRAMS += tcurl-test-tool
+ endif
+-if BUILD_PAC_RESPONDER
+-    noinst_PROGRAMS += sssd_pac_test_client
+-endif
+ 
+ if BUILD_AUTOFS
+ autofs_test_client_SOURCES = \
+@@ -3730,9 +3738,10 @@ intgcheck:
  # Client Libraries #
  ####################
  
@@ -37,9 +183,9 @@
      src/sss_client/nss_passwd.c \
      src/sss_client/nss_group.c \
      src/sss_client/nss_netgroup.c \
-@@ -1715,9 +1719,9 @@ libnss_sss_la_SOURCES = \
-     src/sss_client/nss_mc_passwd.c \
+@@ -3748,9 +3757,9 @@ libnss_sss_la_SOURCES = \
      src/sss_client/nss_mc_group.c \
+     src/sss_client/nss_mc_initgr.c \
      src/sss_client/nss_mc.h
 -libnss_sss_la_LIBADD = \
 +nss_sss_la_LIBADD = \
@@ -49,20 +195,43 @@
      -module \
      -version-info 2:0:0 \
      -Wl,--version-script,$(srcdir)/src/sss_client/sss_nss.exports
-@@ -2086,6 +2090,7 @@ ldap_child_LDADD = \
-     $(POPT_LIBS) \
+@@ -3908,6 +3917,7 @@ libsss_ldap_common_la_LIBADD = \
      $(OPENLDAP_LIBS) \
      $(DHASH_LIBS) \
+     $(KRB5_LIBS) \
 +    $(LTLIBINTL) \
-     $(KRB5_LIBS)
+     libsss_krb5_common.la \
+     libsss_idmap.la \
+     libsss_certmap.la \
+@@ -4271,6 +4281,7 @@ ldap_child_CFLAGS = \
+     $(KRB5_CFLAGS)
+ ldap_child_LDADD = \
+     libsss_debug.la \
++    $(LTLIBINTL) \
+     $(TALLOC_LIBS) \
+     $(POPT_LIBS) \
+     $(DHASH_LIBS) \
+@@ -4313,6 +4324,7 @@ gpo_child_CFLAGS = \
+     $(SMBCLIENT_CFLAGS)
+ gpo_child_LDADD = \
+     libsss_debug.la \
++    $(LTLIBINTL) \
+     $(TALLOC_LIBS) \
+     $(POPT_LIBS) \
+     $(DHASH_LIBS) \
+@@ -4329,6 +4341,7 @@ proxy_child_CFLAGS = \
+ proxy_child_LDADD = \
+     $(PAM_LIBS) \
+     $(SSSD_LIBS) \
++    $(LTLIBINTL) \
+     $(SSSD_INTERNAL_LTLIBS)
  
- proxy_child_SOURCES = \
-@@ -2333,7 +2338,7 @@ else
- 	mkdir -p $(DESTDIR)$(initdir)
- endif
+ p11_child_SOURCES = \
+@@ -4361,6 +4374,7 @@ endif
  
--install-data-hook:
-+notinstall-data-hook:
- 	rm $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2 \
-        $(DESTDIR)/$(nsslibdir)/libnss_sss.so
- 	mv $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2.0.0 $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2
+ p11_child_LDADD = \
+     libsss_debug.la \
++    $(LTLIBINTL) \
+     $(TALLOC_LIBS) \
+     $(DHASH_LIBS) \
+     $(POPT_LIBS) \

Modified: head/security/sssd/files/patch-configure.ac
==============================================================================
--- head/security/sssd/files/patch-configure.ac	Tue Nov 17 20:34:50 2020	(r555584)
+++ head/security/sssd/files/patch-configure.ac	Tue Nov 17 20:42:16 2020	(r555585)
@@ -1,20 +1,13 @@
---- configure.ac.orig	2014-09-17 13:01:37 UTC
+diff --git configure.ac configure.ac
+index 9df463d9c..17d0d9ea7 100644
+--- configure.ac
 +++ configure.ac
-@@ -5,14 +5,14 @@ AC_INIT([sssd],
-         VERSION_NUMBER,
-         [sssd-devel@lists.fedorahosted.org])
+@@ -44,8 +44,6 @@ AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes])
+ AC_CHECK_HEADERS(stdint.h dlfcn.h)
+ AC_CONFIG_HEADER(config.h)
  
-+AC_CONFIG_SRCDIR([BUILD.txt])
-+AC_CONFIG_AUX_DIR([build])
-+
- m4_ifdef([AC_USE_SYSTEM_EXTENSIONS],
-     [AC_USE_SYSTEM_EXTENSIONS],
-     [AC_GNU_SOURCE])
- 
- CFLAGS="$CFLAGS -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE"
+-AC_CHECK_TYPES([errno_t], [], [], [[#include <errno.h>]])
 -
--AC_CONFIG_SRCDIR([BUILD.txt])
--AC_CONFIG_AUX_DIR([build])
+ m4_include([src/build_macros.m4])
+ BUILD_WITH_SHARED_BUILD_DIR
  
- AM_INIT_AUTOMAKE([-Wall foreign subdir-objects tar-pax])
- AM_PROG_CC_C_O

Modified: head/security/sssd/files/patch-src__confdb__confdb.c
==============================================================================
--- head/security/sssd/files/patch-src__confdb__confdb.c	Tue Nov 17 20:34:50 2020	(r555584)
+++ head/security/sssd/files/patch-src__confdb__confdb.c	Tue Nov 17 20:42:16 2020	(r555585)
@@ -1,4 +1,6 @@
---- src/confdb/confdb.c.orig	2014-09-17 13:01:37 UTC
+diff --git src/confdb/confdb.c src/confdb/confdb.c
+index e55f88e4e..81fd3417a 100644
+--- src/confdb/confdb.c
 +++ src/confdb/confdb.c
 @@ -28,6 +28,11 @@
  #include "util/strtonum.h"

Modified: head/security/sssd/files/patch-src__external__inotify.m4
==============================================================================
--- head/security/sssd/files/patch-src__external__inotify.m4	Tue Nov 17 20:34:50 2020	(r555584)
+++ head/security/sssd/files/patch-src__external__inotify.m4	Tue Nov 17 20:42:16 2020	(r555585)
@@ -1,4 +1,6 @@
---- src/external/inotify.m4.orig	2014-09-17 13:01:37 UTC
+diff --git src/external/inotify.m4 src/external/inotify.m4
+index 3ae5ae314..e88bd3ffc 100644
+--- src/external/inotify.m4
 +++ src/external/inotify.m4
 @@ -20,10 +20,10 @@ int main () {
      AS_IF([test x"$inotify_works" != xyes],

Modified: head/security/sssd/files/patch-src__external__krb5.m4
==============================================================================
--- head/security/sssd/files/patch-src__external__krb5.m4	Tue Nov 17 20:34:50 2020	(r555584)
+++ head/security/sssd/files/patch-src__external__krb5.m4	Tue Nov 17 20:42:16 2020	(r555585)
@@ -1,11 +1,13 @@
---- src/external/krb5.m4.orig	2014-09-17 13:01:37 UTC
+diff --git src/external/krb5.m4 src/external/krb5.m4
+index b844c2fbe..856ef56fe 100644
+--- src/external/krb5.m4
 +++ src/external/krb5.m4
 @@ -9,7 +9,7 @@ if test x$KRB5_CFLAGS != x; then
      KRB5_PASSED_CFLAGS=$KRB5_CFLAGS
  fi
  
--AC_PATH_PROG(KRB5_CONFIG, krb5-config)
-+AC_PATH_PROG(KRB5_CONFIG, krb5-config, [], [/usr/local/bin:$PATH])
+-AC_PATH_TOOL(KRB5_CONFIG, krb5-config)
++AC_PATH_TOOL(KRB5_CONFIG, krb5-config, [], [/usr/local/bin:$PATH])
  AC_MSG_CHECKING(for working krb5-config)
  if test -x "$KRB5_CONFIG"; then
    KRB5_CFLAGS="`$KRB5_CONFIG --cflags`"
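Review bot: The added search path in `AC_PATH_TOOL(KRB5_CONFIG, krb5-config, [], [/usr/local/bin:$PATH])` spells out `/usr/local/bin` instead of following the ports `LOCALBASE`, and the program it finds is executed a few lines later (`$KRB5_CONFIG --cflags`). On a build with a non-default `LOCALBASE` the lookup falls through to `$PATH` and may pick up a different Kerberos installation than the one `gssapi:mit` selected. `files/patch-src__external__pac_responder.m4` adds the identical line. I would rather hand configure the exact path from the framework, for instance `CONFIGURE_ENV+= KRB5_CONFIG=${KRB5CONFIG}` in the port Makefile if `gssapi.mk` provides that variable here. A one-line comment there should say which `krb5-config` is intended.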

Added: head/security/sssd/files/patch-src__external__ldap.m4
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/sssd/files/patch-src__external__ldap.m4	Tue Nov 17 20:42:16 2020	(r555585)
@@ -0,0 +1,24 @@
+diff --git src/external/ldap.m4 src/external/ldap.m4
+index cd13fde62..73ca93674 100644
+--- src/external/ldap.m4
++++ src/external/ldap.m4
+@@ -32,8 +32,7 @@ dnl Check for other libraries we need to link with to get the main routines.
+ test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes], , -llber) }
+ test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes], , -llber -lkrb) }
+ test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes], , -llber -lkrb -ldes) }
+-CFLAGS=$SAVE_CFLAGS
+-LIBS=$SAVE_LIBS
++
+ dnl Recently, we need -lber even though the main routines are elsewhere,
+ dnl because otherwise we get link errors w.r.t. ber_pvt_opt_on. So just
+ dnl check for that (it's a variable not a fun but that doesn't seem to
+@@ -42,6 +41,9 @@ dnl stick it in always shouldn't hurt, I don't think) ... #### Someone who
+ dnl #### understands LDAP needs to fix this properly.
+ test "$with_ldap_lber" != "yes" && { AC_CHECK_LIB(lber, ber_pvt_opt_on, with_ldap_lber=yes) }
+ 
++CFLAGS=$SAVE_CFLAGS
++LIBS=$SAVE_LIBS
++
+ if test "$with_ldap" = "yes"; then
+   if test "$with_ldap_des" = "yes" ; then
+     OPENLDAP_LIBS="${OPENLDAP_LIBS} -ldes"

Added: head/security/sssd/files/patch-src__external__pac_responder.m4
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/sssd/files/patch-src__external__pac_responder.m4	Tue Nov 17 20:42:16 2020	(r555585)
@@ -0,0 +1,13 @@
+diff --git src/external/pac_responder.m4 src/external/pac_responder.m4
+index dc986a1b8..09efdb139 100644
+--- src/external/pac_responder.m4
++++ src/external/pac_responder.m4
+@@ -7,7 +7,7 @@ AC_ARG_ENABLE([pac-responder],
+ krb5_version_ok=no
+ if test x$build_pac_responder = xyes
+ then
+-    AC_PATH_PROG(KRB5_CONFIG, krb5-config)
++    AC_PATH_TOOL(KRB5_CONFIG, krb5-config, [], [/usr/local/bin:$PATH])
+     AC_MSG_CHECKING(for supported MIT krb5 version)
+     KRB5_VERSION="`$KRB5_CONFIG --version`"
+     case $KRB5_VERSION in

Added: head/security/sssd/files/patch-src__lib__winbind_idmap_sss__winbind_idmap_sss.h
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/sssd/files/patch-src__lib__winbind_idmap_sss__winbind_idmap_sss.h	Tue Nov 17 20:42:16 2020	(r555585)
@@ -0,0 +1,13 @@
+diff --git src/lib/winbind_idmap_sss/winbind_idmap_sss.h src/lib/winbind_idmap_sss/winbind_idmap_sss.h
+index 868049fff..cb1604ef1 100644
+--- src/lib/winbind_idmap_sss/winbind_idmap_sss.h
++++ src/lib/winbind_idmap_sss/winbind_idmap_sss.h
+@@ -29,6 +29,8 @@
+ #include <stdbool.h>
+ 
+ #include <core/ntstatus.h>
++#include <unistd.h>
++#include <time.h>
+ #include <ndr.h>
+ #include <gen_ndr/security.h>
+ 

Added: head/security/sssd/files/patch-src__providers__ad__ad_common.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/sssd/files/patch-src__providers__ad__ad_common.c	Tue Nov 17 20:42:16 2020	(r555585)
@@ -0,0 +1,31 @@
+diff --git src/providers/ad/ad_common.c src/providers/ad/ad_common.c
+index 0d154ca57..407d37a37 100644
+--- src/providers/ad/ad_common.c
++++ src/providers/ad/ad_common.c
+@@ -419,7 +419,7 @@ ad_get_common_options(TALLOC_CTX *mem_ctx,
+     char *server;
+     char *realm;
+     char *ad_hostname;
+-    char hostname[HOST_NAME_MAX + 1];
++    char hostname[_POSIX_HOST_NAME_MAX + 1];
+     char *case_sensitive_opt;
+     const char *opt_override;
+ 
+@@ -458,7 +458,7 @@ ad_get_common_options(TALLOC_CTX *mem_ctx,
+      */
+     ad_hostname = dp_opt_get_string(opts->basic, AD_HOSTNAME);
+     if (ad_hostname == NULL) {
+-        gret = gethostname(hostname, sizeof(hostname));
++        gret = gethostname(hostname, _POSIX_HOST_NAME_MAX);
+         if (gret != 0) {
+             ret = errno;
+             DEBUG(SSSDBG_FATAL_FAILURE,
+@@ -466,7 +466,7 @@ ad_get_common_options(TALLOC_CTX *mem_ctx,
+                    strerror(ret));
+             goto done;
+         }
+-        hostname[HOST_NAME_MAX] = '\0';
++        hostname[_POSIX_HOST_NAME_MAX] = '\0';
+         DEBUG(SSSDBG_CONF_SETTINGS,
+               "Setting ad_hostname to [%s].\n", hostname);
+         ret = dp_opt_set_string(opts->basic, AD_HOSTNAME, hostname);
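Review bot: `gethostname(hostname, _POSIX_HOST_NAME_MAX)` passes a length one byte smaller than the buffer declared above as `char hostname[_POSIX_HOST_NAME_MAX + 1]`, and the length no longer follows the buffer if that declaration changes; the original `sizeof(hostname)` already matched the new array size. A host name of exactly `_POSIX_HOST_NAME_MAX` characters then has no room for its terminator within the length given to the call, so it is truncated or rejected depending on the platform's `gethostname()`. I would keep the size expression and change only the constant: `gret = gethostname(hostname, sizeof(hostname));` with `hostname[sizeof(hostname) - 1] = '\0';` after the error check. The same three-line pattern is added in `patch-src__providers__data_provider_fo.c` and `patch-src__providers__ipa__ipa_common.c`. `ad_get_common_options()` starts and ends outside these hunks.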

Added: head/security/sssd/files/patch-src__providers__ad__ad_pac.h
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/sssd/files/patch-src__providers__ad__ad_pac.h	Tue Nov 17 20:42:16 2020	(r555585)
@@ -0,0 +1,13 @@
+diff --git src/providers/ad/ad_pac.h src/providers/ad/ad_pac.h
+index 34f1e92c7..00a53cccd 100644
+--- src/providers/ad/ad_pac.h
++++ src/providers/ad/ad_pac.h
+@@ -32,6 +32,8 @@
+ #ifdef ldb_val
+ #error Please make sure to include ad_pac.h before ldb.h
+ #endif
++#include <unistd.h>
++#include <time.h>
+ #include <ndr.h>
+ #include <gen_ndr/krb5pac.h>
+ #include <gen_ndr/ndr_krb5pac.h>

Added: head/security/sssd/files/patch-src__providers__data_provider_fo.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/sssd/files/patch-src__providers__data_provider_fo.c	Tue Nov 17 20:42:16 2020	(r555585)
@@ -0,0 +1,26 @@
+diff --git src/providers/data_provider_fo.c src/providers/data_provider_fo.c
+index 473b667e5..63f2dd131 100644
+--- src/providers/data_provider_fo.c
++++ src/providers/data_provider_fo.c
+@@ -235,18 +235,18 @@ errno_t be_fo_set_dns_srv_lookup_plugin(struct be_ctx *be_ctx,
+                                         const char *hostname)
+ {
+     struct fo_resolve_srv_dns_ctx *srv_ctx = NULL;
+-    char resolved_hostname[HOST_NAME_MAX + 1];
++    char resolved_hostname[_POSIX_HOST_NAME_MAX + 1];
+     errno_t ret;
+ 
+     if (hostname == NULL) {
+-        ret = gethostname(resolved_hostname, sizeof(resolved_hostname));
++        ret = gethostname(resolved_hostname, _POSIX_HOST_NAME_MAX);
+         if (ret != EOK) {
+             ret = errno;
+             DEBUG(SSSDBG_CRIT_FAILURE,
+                   "gethostname() failed: [%d]: %s\n", ret, strerror(ret));
+             return ret;
+         }
+-        resolved_hostname[HOST_NAME_MAX] = '\0';
++        resolved_hostname[_POSIX_HOST_NAME_MAX] = '\0';
+         hostname = resolved_hostname;
+     }
+ 

Added: head/security/sssd/files/patch-src__providers__ipa__ipa_common.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/sssd/files/patch-src__providers__ipa__ipa_common.c	Tue Nov 17 20:42:16 2020	(r555585)
@@ -0,0 +1,30 @@
+diff --git src/providers/ipa/ipa_common.c src/providers/ipa/ipa_common.c
+index 17d14e6b0..681ac8615 100644
+--- src/providers/ipa/ipa_common.c
++++ src/providers/ipa/ipa_common.c
+@@ -49,7 +49,7 @@ int ipa_get_options(TALLOC_CTX *memctx,
+     char *realm;
+     char *ipa_hostname;
+     int ret;
+-    char hostname[HOST_NAME_MAX + 1];
++    char hostname[_POSIX_HOST_NAME_MAX + 1];
+ 
+     opts = talloc_zero(memctx, struct ipa_options);
+     if (!opts) return ENOMEM;
+@@ -79,14 +79,14 @@ int ipa_get_options(TALLOC_CTX *memctx,
+ 
+     ipa_hostname = dp_opt_get_string(opts->basic, IPA_HOSTNAME);
+     if (ipa_hostname == NULL) {
+-        ret = gethostname(hostname, sizeof(hostname));
++        ret = gethostname(hostname, _POSIX_HOST_NAME_MAX);
+         if (ret != EOK) {
+             DEBUG(SSSDBG_CRIT_FAILURE, "gethostname failed [%d][%s].\n", errno,
+                       strerror(errno));
+             ret = errno;
+             goto done;
+         }
+-        hostname[HOST_NAME_MAX] = '\0';
++        hostname[_POSIX_HOST_NAME_MAX] = '\0';
+         DEBUG(SSSDBG_TRACE_ALL, "Setting ipa_hostname to [%s].\n", hostname);
+         ret = dp_opt_set_string(opts->basic, IPA_HOSTNAME, hostname);
+         if (ret != EOK) {

Added: head/security/sssd/files/patch-src__providers__ipa__ipa_deskprofile_rules_util.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/sssd/files/patch-src__providers__ipa__ipa_deskprofile_rules_util.c	Tue Nov 17 20:42:16 2020	(r555585)
@@ -0,0 +1,13 @@
+diff --git src/providers/ipa/ipa_deskprofile_rules_util.c src/providers/ipa/ipa_deskprofile_rules_util.c
+index 991c6053d..59483b452 100644
+--- src/providers/ipa/ipa_deskprofile_rules_util.c
++++ src/providers/ipa/ipa_deskprofile_rules_util.c
+@@ -25,6 +25,8 @@
+ #include "providers/ipa/ipa_rules_common.h"
+ #include <ctype.h>
+ #include <fcntl.h>
++#include <sys/types.h>
++#include <signal.h>
+ 
+ #define DESKPROFILE_GLOBAL_POLICY_MIN_VALUE 1
+ #define DESKPROFILE_GLOBAL_POLICY_MAX_VALUE 24

Modified: head/security/sssd/files/patch-src__providers__krb5__krb5_delayed_online_authentication.c
==============================================================================
--- head/security/sssd/files/patch-src__providers__krb5__krb5_delayed_online_authentication.c	Tue Nov 17 20:34:50 2020	(r555584)
+++ head/security/sssd/files/patch-src__providers__krb5__krb5_delayed_online_authentication.c	Tue Nov 17 20:42:16 2020	(r555585)
@@ -1,6 +1,8 @@
---- src/providers/krb5/krb5_delayed_online_authentication.c.orig	2014-09-17 13:01:37 UTC
+diff --git src/providers/krb5/krb5_delayed_online_authentication.c src/providers/krb5/krb5_delayed_online_authentication.c
+index 1cb7eade0..4aaeb84b2 100644
+--- src/providers/krb5/krb5_delayed_online_authentication.c
 +++ src/providers/krb5/krb5_delayed_online_authentication.c
-@@ -320,6 +320,7 @@ errno_t init_delayed_online_authentication(struct krb5
+@@ -328,6 +328,7 @@ errno_t init_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
                                             struct tevent_context *ev)
  {
      int ret;
@@ -8,7 +10,7 @@
      hash_table_t *tmp_table;
  
      ret = get_uid_table(krb5_ctx, &tmp_table);
-@@ -339,6 +340,7 @@ errno_t init_delayed_online_authentication(struct krb5
+@@ -347,6 +348,7 @@ errno_t init_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
                "hash_destroy failed [%s].\n", hash_error_string(ret));
          return EFAULT;
      }

Modified: head/security/sssd/files/patch-src__providers__ldap__ldap_auth.c
==============================================================================
--- head/security/sssd/files/patch-src__providers__ldap__ldap_auth.c	Tue Nov 17 20:34:50 2020	(r555584)
+++ head/security/sssd/files/patch-src__providers__ldap__ldap_auth.c	Tue Nov 17 20:42:16 2020	(r555585)
@@ -1,4 +1,6 @@
---- src/providers/ldap/ldap_auth.c.orig	2014-09-17 13:01:37 UTC
+diff --git src/providers/ldap/ldap_auth.c src/providers/ldap/ldap_auth.c
+index de22689ae..fdfd67cf4 100644
+--- src/providers/ldap/ldap_auth.c
 +++ src/providers/ldap/ldap_auth.c
 @@ -37,7 +37,6 @@
  #include <sys/time.h>
@@ -8,10 +10,10 @@
  #include <security/pam_modules.h>
  
  #include "util/util.h"
-@@ -56,6 +55,22 @@ enum pwexpire {
-     PWEXPIRE_SHADOW
- };
+@@ -52,6 +51,22 @@
  
+ #define LDAP_PWEXPIRE_WARNING_TIME 0
+ 
 +struct spwd
 +{
 +  char *sp_namp;              /* Login name.  */
@@ -31,20 +33,9 @@
  static errno_t add_expired_warning(struct pam_data *pd, long exp_time)
  {
      int ret;
-@@ -109,6 +124,7 @@ static errno_t check_pwexpire_kerberos(const char *exp
-         return EINVAL;
+@@ -97,9 +112,9 @@ static errno_t check_pwexpire_kerberos(const char *expire_date, time_t now,
      }
  
-+    tzset();
-     expire_time = mktime(&tm);
-     if (expire_time == -1) {
-         DEBUG(SSSDBG_CRIT_FAILURE,
-@@ -116,12 +132,10 @@ static errno_t check_pwexpire_kerberos(const char *exp
-         return EINVAL;
-     }
- 
--    tzset();
--    expire_time -= timezone;
      DEBUG(SSSDBG_TRACE_ALL,
 -          "Time info: tzname[0] [%s] tzname[1] [%s] timezone [%ld] "
 -           "daylight [%d] now [%ld] expire_time [%ld].\n", tzname[0],
@@ -55,7 +46,59 @@
  
      if (difftime(now, expire_time) > 0.0) {
          DEBUG(SSSDBG_CONF_SETTINGS, "Kerberos password expired.\n");
-@@ -924,7 +938,7 @@ void sdap_pam_chpass_handler(struct be_req *breq)
+@@ -946,14 +961,14 @@ sdap_pam_auth_handler_send(TALLOC_CTX *mem_ctx,
+ 
+     state->pd = pd;
+     state->be_ctx = params->be_ctx;
+-    pd->pam_status = PAM_SYSTEM_ERR;
++    pd->pam_status = PAM_SERVICE_ERR;
+ 
+     switch (pd->cmd) {
+     case SSS_PAM_AUTHENTICATE:
+         subreq = auth_send(state, params->ev, auth_ctx,
+                            pd->user, pd->authtok, false);
+         if (subreq == NULL) {
+-            pd->pam_status = PAM_SYSTEM_ERR;
++            pd->pam_status = PAM_SERVICE_ERR;
+             goto immediately;
+         }
+ 
+@@ -963,14 +978,14 @@ sdap_pam_auth_handler_send(TALLOC_CTX *mem_ctx,
+         subreq = auth_send(state, params->ev, auth_ctx,
+                            pd->user, pd->authtok, true);
+         if (subreq == NULL) {
+-            pd->pam_status = PAM_SYSTEM_ERR;
++            pd->pam_status = PAM_SERVICE_ERR;
+             goto immediately;
+         }
+ 
+         tevent_req_set_callback(subreq, sdap_pam_auth_handler_done, req);
+         break;
+     case SSS_PAM_CHAUTHTOK:
+-        pd->pam_status = PAM_SYSTEM_ERR;
++        pd->pam_status = PAM_SERVICE_ERR;
+         goto immediately;
+ 
+     case SSS_PAM_ACCT_MGMT:
+@@ -1015,7 +1030,7 @@ static void sdap_pam_auth_handler_done(struct tevent_req *subreq)
+                                 state->be_ctx->domain->pwd_expiration_warning);
+         if (ret == EINVAL) {
+             /* Unknown password expiration type. */
+-            state->pd->pam_status = PAM_SYSTEM_ERR;
++            state->pd->pam_status = PAM_SERVICE_ERR;
+             goto done;
+         }
+     }
+@@ -1049,7 +1064,7 @@ static void sdap_pam_auth_handler_done(struct tevent_req *subreq)
+         state->pd->pam_status = PAM_BAD_ITEM;
+         break;
+     default:
+-        state->pd->pam_status = PAM_SYSTEM_ERR;
++        state->pd->pam_status = PAM_SERVICE_ERR;
+         break;
+     }
+ 
+@@ -1271,7 +1286,7 @@ sdap_pam_chpass_handler_send(TALLOC_CTX *mem_ctx,
      DEBUG(SSSDBG_OP_FAILURE,
            "starting password change request for user [%s].\n", pd->user);
  
@@ -64,16 +107,61 @@
  
      if (pd->cmd != SSS_PAM_CHAUTHTOK && pd->cmd != SSS_PAM_CHAUTHTOK_PRELIM) {
          DEBUG(SSSDBG_OP_FAILURE,
-@@ -1069,7 +1083,7 @@ static void sdap_auth4chpass_done(struct tevent_req *r
-         dp_err = DP_ERR_OFFLINE;
+@@ -1282,7 +1297,7 @@ sdap_pam_chpass_handler_send(TALLOC_CTX *mem_ctx,
+     subreq = auth_send(state, params->ev, auth_ctx,
+                        pd->user, pd->authtok, true);
+     if (subreq == NULL) {
+-        pd->pam_status = PAM_SYSTEM_ERR;
++        pd->pam_status = PAM_SERVICE_ERR;
+         goto immediately;
+     }
+ 
+@@ -1335,7 +1350,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+             if (ret == ERR_PASSWORD_EXPIRED) {
+                 DEBUG(SSSDBG_CRIT_FAILURE, "LDAP provider cannot change "
+                       "kerberos passwords.\n");
+-                state->pd->pam_status = PAM_SYSTEM_ERR;
++                state->pd->pam_status = PAM_SERVICE_ERR;
+                 goto done;
+             }
+             break;
+@@ -1344,7 +1359,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+             break;
+         default:
+             DEBUG(SSSDBG_CRIT_FAILURE, "Unknown password expiration type.\n");
+-                state->pd->pam_status = PAM_SYSTEM_ERR;
++                state->pd->pam_status = PAM_SERVICE_ERR;
+                 goto done;
+         }
+     }
+@@ -1369,7 +1384,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+                 if (subreq == NULL) {
+                     DEBUG(SSSDBG_OP_FAILURE, "Failed to change password for "
+                           "%s\n", state->pd->user);
+-                    state->pd->pam_status = PAM_SYSTEM_ERR;
++                    state->pd->pam_status = PAM_SERVICE_ERR;
+                     goto done;
+                 }
+ 
+@@ -1401,7 +1416,7 @@ static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq)
+             be_mark_offline(state->be_ctx);
+             break;
+         default:
+-            state->pd->pam_status = PAM_SYSTEM_ERR;
++            state->pd->pam_status = PAM_SERVICE_ERR;
+             break;
+         }
+ 
+@@ -1437,7 +1452,7 @@ static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq)
+         state->pd->pam_status = PAM_AUTHTOK_ERR;
          break;
      default:
 -        state->pd->pam_status = PAM_SYSTEM_ERR;
 +        state->pd->pam_status = PAM_SERVICE_ERR;
+         break;
      }
  
- done:
-@@ -1131,7 +1145,7 @@ static void sdap_pam_chpass_done(struct tevent_req *re
+@@ -1463,7 +1478,7 @@ static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq)
                                                      state->sh, state->dn,
                                                      lastchanged_name);
          if (subreq == NULL) {
@@ -82,30 +170,12 @@
              goto done;
          }
  
-@@ -1152,7 +1166,7 @@ static void sdap_lastchange_done(struct tevent_req *re
+@@ -1489,7 +1504,7 @@ static void sdap_pam_chpass_handler_last_done(struct tevent_req *subreq)
+     talloc_free(subreq);
  
-     ret = sdap_modify_shadow_lastchange_recv(req);
      if (ret != EOK) {
 -        state->pd->pam_status = PAM_SYSTEM_ERR;
 +        state->pd->pam_status = PAM_SERVICE_ERR;
          goto done;
-     }
- 
-@@ -1193,7 +1207,7 @@ void sdap_pam_auth_handler(struct be_req *breq)
-         goto done;
-     }
- 
--    pd->pam_status = PAM_SYSTEM_ERR;
-+    pd->pam_status = PAM_SERVICE_ERR;
- 
-     switch (pd->cmd) {
-     case SSS_PAM_AUTHENTICATE:
-@@ -1291,7 +1305,7 @@ static void sdap_pam_auth_done(struct tevent_req *req)
-         state->pd->pam_status = PAM_NEW_AUTHTOK_REQD;
-         break;
-     default:
--        state->pd->pam_status = PAM_SYSTEM_ERR;
-+        state->pd->pam_status = PAM_SERVICE_ERR;
-         dp_err = DP_ERR_FATAL;
      }
  

Added: head/security/sssd/files/patch-src__providers__ldap__ldap_child.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/sssd/files/patch-src__providers__ldap__ldap_child.c	Tue Nov 17 20:42:16 2020	(r555585)
@@ -0,0 +1,22 @@
+diff --git src/providers/ldap/ldap_child.c src/providers/ldap/ldap_child.c
+index 368bb91e1..1bc86ecb5 100644
+--- src/providers/ldap/ldap_child.c
++++ src/providers/ldap/ldap_child.c
+@@ -324,14 +324,14 @@ static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
+             full_princ = talloc_strdup(tmp_ctx, princ_str);
+         }
+     } else {
+-        char hostname[HOST_NAME_MAX + 1];
++        char hostname[_POSIX_HOST_NAME_MAX + 1];
+ 
+-        ret = gethostname(hostname, sizeof(hostname));
++        ret = gethostname(hostname, _POSIX_HOST_NAME_MAX);
+         if (ret == -1) {
+             krberr = KRB5KRB_ERR_GENERIC;
+             goto done;
+         }
+-        hostname[HOST_NAME_MAX] = '\0';
++        hostname[_POSIX_HOST_NAME_MAX] = '\0';
+ 
+         DEBUG(SSSDBG_TRACE_LIBS, "got hostname: [%s]\n", hostname);
+ 
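Review bot: The length passed to `gethostname()` in `ldap_child_get_tgt_sync` is now the constant `_POSIX_HOST_NAME_MAX` instead of the buffer's own size, so the declaration and the call can drift apart on a later refresh; `ret = gethostname(hostname, sizeof(hostname));` stays correct with the new declaration and leaves only two lines to patch. `_POSIX_HOST_NAME_MAX` is the minimum limit POSIX guarantees rather than the host's actual one, and POSIX lets a longer name be truncated without an error, so the name that appears to feed the principal may be silently shortened; a comment such as `/* _POSIX_HOST_NAME_MAX is the POSIX minimum; a longer host name is truncated here */` would record that. The same change is made to `sdap_access_host` in patch-src__providers__ldap__sdap_access.c, where the name is presumably matched against the authorized-host values, so a truncated name there would affect an access decision. The enclosing function continues outside the hunk.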

Modified: head/security/sssd/files/patch-src__providers__ldap__sdap_access.c
==============================================================================
--- head/security/sssd/files/patch-src__providers__ldap__sdap_access.c	Tue Nov 17 20:34:50 2020	(r555584)
+++ head/security/sssd/files/patch-src__providers__ldap__sdap_access.c	Tue Nov 17 20:42:16 2020	(r555585)
@@ -1,19 +1,9 @@
---- src/providers/ldap/sdap_access.c.orig	2014-09-17 13:01:37 UTC
+diff --git src/providers/ldap/sdap_access.c src/providers/ldap/sdap_access.c
+index dd04ec512..58a3766fc 100644
+--- src/providers/ldap/sdap_access.c
 +++ src/providers/ldap/sdap_access.c
-@@ -499,6 +499,7 @@ static bool nds_check_expired(const char *exp_time_str
-         return true;
-     }
+@@ -562,9 +562,9 @@ bool nds_check_expired(const char *exp_time_str)
  
-+    tzset();
-     expire_time = mktime(&tm);
-     if (expire_time == -1) {
-         DEBUG(SSSDBG_CRIT_FAILURE,
-@@ -506,13 +507,11 @@ static bool nds_check_expired(const char *exp_time_str
-         return true;
-     }
- 
--    tzset();
--    expire_time -= timezone;
      now = time(NULL);
      DEBUG(SSSDBG_TRACE_ALL,
 -          "Time info: tzname[0] [%s] tzname[1] [%s] timezone [%ld] "
@@ -25,3 +15,27 @@
  
      if (difftime(now, expire_time) > 0.0) {
          DEBUG(SSSDBG_CONF_SETTINGS, "NDS account expired.\n");
+@@ -1247,7 +1247,7 @@ static errno_t sdap_access_host(struct ldb_message *user_entry)
+     struct ldb_message_element *el;
+     unsigned int i;
+     char *host;
+-    char hostname[HOST_NAME_MAX + 1];
++    char hostname[_POSIX_HOST_NAME_MAX + 1];
+ 
+     el = ldb_msg_find_element(user_entry, SYSDB_AUTHORIZED_HOST);
+     if (!el || el->num_values == 0) {
+@@ -1255,12 +1255,12 @@ static errno_t sdap_access_host(struct ldb_message *user_entry)
+         return ERR_ACCESS_DENIED;
+     }
+ 
+-    if (gethostname(hostname, sizeof(hostname)) == -1) {
++    if (gethostname(hostname, _POSIX_HOST_NAME_MAX) == -1) {
+         DEBUG(SSSDBG_CRIT_FAILURE,
+               "Unable to get system hostname. Access denied\n");
+         return ERR_ACCESS_DENIED;
+     }
+-    hostname[HOST_NAME_MAX] = '\0';
++    hostname[_POSIX_HOST_NAME_MAX] = '\0';
+ 
+     /* FIXME: PADL's pam_ldap also calls gethostbyname() on the hostname
+      *        in some attempt to get aliases and/or FQDN for the machine.

Added: head/security/sssd/files/patch-src__providers__ldap__sdap_async_groups.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/sssd/files/patch-src__providers__ldap__sdap_async_groups.c	Tue Nov 17 20:42:16 2020	(r555585)
@@ -0,0 +1,22 @@
+diff --git src/providers/ldap/sdap_async_groups.c src/providers/ldap/sdap_async_groups.c
+index 09e15bc3d..c74e4c3ea 100644
+--- src/providers/ldap/sdap_async_groups.c
++++ src/providers/ldap/sdap_async_groups.c
+@@ -505,6 +505,7 @@ static int sdap_save_group(TALLOC_CTX *memctx,
+     struct sysdb_attrs *group_attrs;
+     const char *group_name = NULL;
+     gid_t gid;
++    id_t temp_id;
+     errno_t ret;
+     char *usn_value = NULL;
+     TALLOC_CTX *tmpctx = NULL;
+@@ -615,7 +616,8 @@ static int sdap_save_group(TALLOC_CTX *memctx,
+                    group_name, sid_str);
+ 
+             /* Convert the SID into a UNIX group ID */
+-            ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &gid);
++            ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &temp_id);
++            gid = (gid_t) temp_id;
+             if (ret == ENOTSUP) {
+                 /* ENOTSUP is returned if built-in SID was provided
+                  * => do not store the group, but return EOK */
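Review bot: `gid = (gid_t) temp_id;` in `sdap_save_group` runs before `ret` is checked, and `temp_id` is declared without an initializer. If `sdap_idmap_sid_to_unix()` fails without writing its output (the `ENOTSUP` branch directly below is one such path), the cast reads an indeterminate value. Declaring `id_t temp_id = 0;` or moving the assignment below the error checks avoids that. The cast also narrows silently if `id_t` is wider than `gid_t` on the target, so a range check before the assignment would turn an out-of-range mapping into an error rather than a different group ID. The function body continues outside the hunk.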

Added: head/security/sssd/files/patch-src__providers__ldap__sdap_async_initgroups.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/security/sssd/files/patch-src__providers__ldap__sdap_async_initgroups.c	Tue Nov 17 20:42:16 2020	(r555585)
@@ -0,0 +1,41 @@
+diff --git src/providers/ldap/sdap_async_initgroups.c src/providers/ldap/sdap_async_initgroups.c
+index 620782b6f..9831ac1d6 100644
+--- src/providers/ldap/sdap_async_initgroups.c
++++ src/providers/ldap/sdap_async_initgroups.c
+@@ -45,6 +45,7 @@ errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb,
+     const char *uuid = NULL;
+     char **missing;
+     gid_t gid;
++    id_t temp_id;
+     int ret;
+     errno_t sret;

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***


