Date: Mon, 24 Jun 2024 14:36:07 GMT
Message-Id: <202406241436.45OEa7Bv070419@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: John Hixson Subject: git: ee81c8e455ef - main - security/sssd2: Add patch to enumerate UIDs List-Id: Commit messages for all branches of the ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-ports-all@freebsd.org Sender: owner-dev-commits-ports-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: jhixson X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: ee81c8e455ef5c11a6d2f40d51a05d5d0b4708be Auto-Submitted: auto-generated The branch main has been updated by jhixson: URL: https://cgit.FreeBSD.org/ports/commit/?id=ee81c8e455ef5c11a6d2f40d51a05d5d0b4708be commit ee81c8e455ef5c11a6d2f40d51a05d5d0b4708be Author: John Hixson AuthorDate: 2024-06-24 06:01:08 +0000 Commit: John Hixson CommitDate: 2024-06-24 14:35:36 +0000 security/sssd2: Add patch to enumerate UIDs The legacy security/sssd port has a patch which lets one set krb5_store_password_if_offline=True in a IPA provider configuration block. The patch fixes some code which uses /proc to enumerate the UIDs of logged-in users. Without the patch, if one has this configuration variable set, sssd dies with an obscure error. This caused some pain when a user was updating from sssd to sssd2. Sponsored by: Serenity Cybersecurity, LLC PR: 279255 Reported by: markj@freebsd.org, arrowd@freebsd.org Obtained from: arrowd@freebsd.org --- security/sssd2/Makefile | 2 +- security/sssd2/files/patch-src__util__find_uid.c | 227 +++++++++++++++++++++++ 2 files changed, 228 insertions(+), 1 deletion(-) diff --git a/security/sssd2/Makefile b/security/sssd2/Makefile index d2b6ca35c7ef..0a2a9527d468 100644 --- a/security/sssd2/Makefile +++ b/security/sssd2/Makefile @@ -1,6 +1,6 @@ PORTNAME= sssd PORTVERSION= 2.9.4 -PORTREVISION= 5 +PORTREVISION= 6 CATEGORIES= security PKGNAMESUFFIX= 2 
diff --git a/security/sssd2/files/patch-src__util__find_uid.c b/security/sssd2/files/patch-src__util__find_uid.c new file mode 100644 index 000000000000..e319f3289a0a --- /dev/null +++ b/security/sssd2/files/patch-src__util__find_uid.c 
@@ -0,0 +1,227 @@ +--- src/util/find_uid.c.orig 2024-01-12 12:05:40 UTC ++++ src/util/find_uid.c +@@ -58,6 +58,97 @@ static void hash_talloc_free(void *ptr, void *pvt) + talloc_free(ptr); + } + ++static int parse_procfs_linux(const char* buf, uid_t *uid, bool *is_systemd) ++{ ++ char *p; ++ char *e; ++ char *endptr; ++ uint32_t num=0; ++ errno_t error=EOK; ++ ++ /* Get uid */ ++ p = strstr(buf, "\nUid:\t"); ++ if (p != NULL) { ++ p += 6; ++ e = strchr(p,'\t'); ++ if (e == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "missing delimiter.\n"); ++ return EINVAL; ++ } else { ++ *e = '\0'; ++ } ++ num = (uint32_t) strtoint32(p, &endptr, 10); ++ error = errno; ++ if (error != 0) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "strtol failed [%s].\n", strerror(error)); ++ return error; ++ } ++ if (*endptr != '\0') { ++ DEBUG(SSSDBG_CRIT_FAILURE, "uid contains extra characters\n"); ++ return EINVAL; ++ } ++ ++ } else { ++ DEBUG(SSSDBG_CRIT_FAILURE, "format error\n"); ++ return EINVAL; ++ } ++ ++ /* Get process name. 
*/ ++ p = strstr(buf, "Name:\t"); ++ if (p == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "format error\n"); ++ return EINVAL; ++ } ++ p += 6; ++ e = strchr(p,'\n'); ++ if (e == NULL) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "format error\n"); ++ return EINVAL; ++ } ++ if (strncmp(p, "systemd", e-p) == 0 || strncmp(p, "(sd-pam)", e-p) == 0) { ++ *is_systemd = true; ++ } else { ++ *is_systemd = false; ++ } ++ ++ *uid = num; ++ ++ return error; ++} ++ ++static int parse_procfs_freebsd(char* buf, uid_t *uid, bool *is_systemd) ++{ ++ uint32_t field_idx=0; ++ errno_t error=EOK; ++ char** str = &buf, *token; ++ ++ /* See man procfs ++ nextcloud 21186 4726 110 90383 ttyv0 ctty 1718001838,183475 11,76617 2,473238 select 1001 1001 1001,1001,0,5,44,920 - ++ |uid| ++ */ ++ while ((token = strsep(str, " ")) != NULL && field_idx < 11) { ++ field_idx++; ++ } ++ ++ if (token == NULL || field_idx != 11) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "format error %d %d\n", token, field_idx); ++ return EINVAL; ++ } ++ ++ *uid = (uint32_t) strtoint32(token, NULL, 10); ++ error = errno; ++ if (error != 0) { ++ DEBUG(SSSDBG_CRIT_FAILURE, ++ "strtol failed [%s].\n", strerror(error)); ++ return error; ++ } ++ ++ *is_systemd = false; ++ ++ return error; ++} ++ + static errno_t get_uid_from_pid(const pid_t pid, uid_t *uid, bool *is_systemd) + { + int ret; +@@ -65,10 +156,6 @@ static errno_t get_uid_from_pid(const pid_t pid, uid_t + struct stat stat_buf; + int fd; + char buf[BUFSIZE]; +- char *p; +- char *e; +- char *endptr; +- uint32_t num=0; + errno_t error; + + ret = snprintf(path, PATHLEN, "/proc/%d/status", pid); +@@ -138,56 +225,14 @@ static errno_t get_uid_from_pid(const pid_t pid, uid_t + "close failed [%d][%s].\n", error, strerror(error)); + } + +- /* Get uid */ +- p = strstr(buf, "\nUid:\t"); +- if (p != NULL) { +- p += 6; +- e = strchr(p,'\t'); +- if (e == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "missing delimiter.\n"); +- return EINVAL; +- } else { +- *e = '\0'; +- } +- num = (uint32_t) strtoint32(p, &endptr, 
10); +- error = errno; +- if (error != 0) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "strtol failed [%s].\n", strerror(error)); +- return error; +- } +- if (*endptr != '\0') { +- DEBUG(SSSDBG_CRIT_FAILURE, "uid contains extra characters\n"); +- return EINVAL; +- } ++#if defined(__linux__) ++ return parse_procfs_linux(buf, uid, is_systemd); ++#elif defined(__FreeBSD__) ++ return parse_procfs_freebsd(buf, uid, is_systemd); ++#else ++ return ENOSYS; ++#endif + +- } else { +- DEBUG(SSSDBG_CRIT_FAILURE, "format error\n"); +- return EINVAL; +- } +- +- /* Get process name. */ +- p = strstr(buf, "Name:\t"); +- if (p == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "format error\n"); +- return EINVAL; +- } +- p += 6; +- e = strchr(p,'\n'); +- if (e == NULL) { +- DEBUG(SSSDBG_CRIT_FAILURE, "format error\n"); +- return EINVAL; +- } +- if (strncmp(p, "systemd", e-p) == 0 || strncmp(p, "(sd-pam)", e-p) == 0) { +- *is_systemd = true; +- } else { +- *is_systemd = false; +- } +- +- *uid = num; +- +- return EOK; +- + fail_fd: + close(fd); + return error; +@@ -212,7 +257,12 @@ static errno_t name_to_pid(const char *name, pid_t *pi + return EINVAL; + } + ++ /* FreeBSD has /proc/0/... 
*/ ++#if defined(__FreeBSD__) ++ if (num < 0 || num >= INT_MAX) { ++#else + if (num <= 0 || num >= INT_MAX) { ++#endif + DEBUG(SSSDBG_CRIT_FAILURE, "pid out of range.\n"); + return ERANGE; + } +@@ -228,7 +278,7 @@ static int only_numbers(char *p) + return *p; + } + +-static errno_t get_active_uid_linux(hash_table_t *table, uid_t search_uid) ++static errno_t get_active_uid_procfs(hash_table_t *table, uid_t search_uid) + { + DIR *proc_dir = NULL; + struct dirent *dirent; +@@ -327,7 +377,7 @@ errno_t get_uid_table(TALLOC_CTX *mem_ctx, hash_table_ + + errno_t get_uid_table(TALLOC_CTX *mem_ctx, hash_table_t **table) + { +-#ifdef __linux__ ++#if defined(__linux__) || defined(__FreeBSD__) + int ret; + + ret = hash_create_ex(0, table, 0, 0, 0, 0, +@@ -339,7 +389,7 @@ errno_t get_uid_table(TALLOC_CTX *mem_ctx, hash_table_ + return ENOMEM; + } + +- return get_active_uid_linux(*table, 0); ++ return get_active_uid_procfs(*table, 0); + #else + return ENOSYS; + #endif +@@ -365,9 +415,9 @@ errno_t check_if_uid_is_active(uid_t uid, bool *result + /* fall back to the old method */ + #endif + +- ret = get_active_uid_linux(NULL, uid); ++ ret = get_active_uid_procfs(NULL, uid); + if (ret != EOK && ret != ENOENT) { +- DEBUG(SSSDBG_CRIT_FAILURE, "get_active_uid_linux() failed.\n"); ++ DEBUG(SSSDBG_CRIT_FAILURE, "get_active_uid_procfs() failed.\n"); + return ret; + } +
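Review bot: In the hunk that adds parse_procfs_linux() and parse_procfs_freebsd(), the FreeBSD parser's error path has a format-string mismatch and it reads a different uid column than the Linux parser does. `DEBUG(SSSDBG_CRIT_FAILURE, "format error %d %d\n", token, field_idx);` hands a `char *` (NULL on the short-line path that reaches it) to `%d`, which is undefined behaviour and a -Wformat warning; `"format error: %u fields\n", field_idx` is enough. The strsep() loop exits holding the 12th space-separated field, which procfs(5) documents as the effective uid, with the real uid in field 13; the Linux parser takes the first `Uid:` column, i.e. the real uid, so a process whose real and effective uids differ is classified differently on the two platforms. Either select field 13 for parity or state in the comment that the euid is intended (the `|uid|` marker under the sample line does not make the index clear), and since strtoint32() is called with a NULL endptr, add the "uid contains extra characters" check that the Linux path performs. Two smaller points: parse_procfs_linux() takes `const char *buf` yet writes `*e = '\0'` into it, so drop the `const` (the FreeBSD variant already takes `char *` because strsep() mutates the buffer), and `char** str = &buf, *token;` mixes two types in one declarator list and should be split into two declarations.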
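Review bot: In the name_to_pid() hunk the `#if defined(__FreeBSD__)` / `#else` pair wraps only the `if (` line, leaving the closing brace and body shared by both branches; that compiles but is brittle for the next edit. Prefer a single condition with the lower bound factored out, e.g. `#define PROCFS_MIN_PID 0` under `__FreeBSD__` and `1` otherwise above the function, then `if (num < PROCFS_MIN_PID || num >= INT_MAX) {`, and keep the "FreeBSD has /proc/0/..." comment next to the define so the reason for the bound stays with it.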
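Review bot: The get_uid_table() hunk changes `#ifdef __linux__` to `#if defined(__linux__) || defined(__FreeBSD__)`, but procfs is not mounted by default on FreeBSD, so the patch needs a documentation change alongside it: without a `proc /proc procfs rw 0 0` entry in fstab, get_active_uid_procfs() cannot open the `/proc` directory it scans, and callers that previously received a clean ENOSYS now receive whatever error that path reports. Add the procfs requirement to the port's pkg-message and mention it in the commit message, which currently only says the code "uses /proc"; a check up front that `/proc/0/status` is readable, returning ENOSYS with an explicit DEBUG message when it is not, would turn an obscure failure into a self-explanatory one, which is what this commit sets out to fix.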