rpms/nss_ldap/F-11 nss_ldap-264-checkcase.patch, NONE, 1.1 nss_ldap-264-cloexec.patch, NONE, 1.1 nss_ldap-264-ent_internal.patch, NONE, 1.1 pam_ldap-183-releaseconfig.patch, NONE, 1.1 nss_ldap.spec, 1.107, 1.108

Nalin Dahyabhai nalin at fedoraproject.org
Tue Jul 28 18:42:16 UTC 2009


Author: nalin

Update of /cvs/pkgs/rpms/nss_ldap/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv31638

Modified Files:
	nss_ldap.spec 
Added Files:
	nss_ldap-264-checkcase.patch nss_ldap-264-cloexec.patch 
	nss_ldap-264-ent_internal.patch 
	pam_ldap-183-releaseconfig.patch 
Log Message:
- resync with devel stream to pick up fixes; no version bumps


nss_ldap-264-checkcase.patch:
 ldap-automount.c |    2 +-
 ldap-grp.c       |    3 ++-
 ldap-nss.c       |   13 +++++++++++++
 ldap-nss.h       |    4 ++++
 ldap-parse.h     |    7 ++++++-
 ldap-proto.c     |    3 ++-
 ldap-pwd.c       |    3 ++-
 ldap-rpc.c       |    3 ++-
 ldap-service.c   |   12 ++++++++----
 ldap-spwd.c      |    3 ++-
 10 files changed, 42 insertions(+), 11 deletions(-)

--- NEW FILE nss_ldap-264-checkcase.patch ---
Search attributes which are not case-sensitive in a directory, but which
are in local files on a glibc-based system:

	posixAccount.uid: struct passwd.pw_name
	shadowAccount.uid: struct shadow.sp_namp
	posixGroup.cn: struct group.gr_name
	ipService.cn,ipServiceProtocol: struct servent.s_name,s_proto
	ipProtocol.cn: struct protoent.p_name
	ipHost.cn: OK, actually not case-sensitive in local files
	ipNetwork.cn: OK, actually not case-sensitive in local files
	rfc822MailAlias.cn: OK, actually not case-sensitive in local files
	oncRpc.cn: struct rpcent.r_name
	nisNetgroup.cn: N/A
	nisMap.nisMapName: N/A
	nisObject.nisMapName: N/A
	nisObject.cn: N/A
	ieee802Device: N/A
	bootableDevice: N/A
	automount.automountKey: no defined structure

This patch adds additional logic to reject the result of a search if the
field in the result which corresponds to the original request differs
by case from the actual request (for example, when a search for a group
named "bob" turns up a group named "Bob"), but currently only covers
glibc-style systems.  Upstream #399.

diff -ur nss_ldap-264/ldap-grp.c nss_ldap-264/ldap-grp.c
--- nss_ldap-264/ldap-grp.c	2009-07-02 11:01:03.000000000 -0400
+++ nss_ldap-264/ldap-grp.c	2009-07-02 10:57:37.000000000 -0400
@@ -1201,7 +1201,8 @@
 		      char *buffer, size_t buflen, int *errnop)
 {
   LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getgrnam,
-	       LM_GROUP, _nss_ldap_parse_gr, LDAP_NSS_BUFLEN_GROUP);
+	       LM_GROUP, _nss_ldap_parse_gr, LDAP_NSS_BUFLEN_GROUP)
+  AND_REQUIRE_MATCH(name, result->gr_name);
 }
 #elif defined(HAVE_NSSWITCH_H)
 static NSS_STATUS
diff -ur nss_ldap-264/ldap-nss.c nss_ldap-264/ldap-nss.c
--- nss_ldap-264/ldap-nss.c	2009-07-02 11:01:03.000000000 -0400
+++ nss_ldap-264/ldap-nss.c	2009-07-02 10:46:39.000000000 -0400
@@ -4300,4 +4300,17 @@
   return lderrno;
 }
 
+NSS_STATUS _nss_ldap_expect_name(NSS_STATUS result,
+				 const char *requested_name,
+				 const char *actual_name)
+{
+	if ((result == NSS_SUCCESS) &&
+	    (requested_name != NULL) &&
+	    (actual_name != NULL) &&
+	    (strcasecmp(requested_name, actual_name) == 0) &&
+	    (strcmp(requested_name, actual_name) != 0)) {
+		return NSS_NOTFOUND;
+	}
+	return result;
+}
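Review bot: `_nss_ldap_expect_name` is indented with tabs and keeps the opening brace on the condition line, whereas the surrounding ldap-nss.c code (see `  return lderrno;` just above) uses GNU-style two-space indentation; the new function also carries no comment, and the matching declaration hunk in ldap-nss.h has none either. Note too that the check only demotes a result whose name matches the request case-insensitively but not byte-for-byte; a returned name that differs in any other way is passed through unchanged, which may be intended but is worth stating. I would add above the definition: `/* Demote a successful lookup to NSS_NOTFOUND when actual_name equals requested_name only ignoring case: local files are case-sensitive for these maps, so a directory's caseIgnore match must not be reported as a hit. Any other result is returned unchanged. */`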
 
diff -ur nss_ldap-264/ldap-nss.h nss_ldap-264/ldap-nss.h
--- nss_ldap-264/ldap-nss.h	2009-07-02 11:01:03.000000000 -0400
+++ nss_ldap-264/ldap-nss.h	2009-07-02 10:28:59.000000000 -0400
@@ -911,4 +911,8 @@
 #ifdef CONFIGURE_KRB5_KEYTAB
 int do_init_krb5_cache(ldap_config_t *config);
 #endif /* CONFIGURE_KRB5_KEYTAB */
+NSS_STATUS _nss_ldap_expect_name(NSS_STATUS result,
+				 const char *requested_name,
+				 const char *actual_name);
+
 #endif /* _LDAP_NSS_LDAP_LDAP_NSS_H */
diff -ur nss_ldap-264/ldap-parse.h nss_ldap-264/ldap-parse.h
--- nss_ldap-264/ldap-parse.h	2006-09-13 02:42:08.000000000 -0400
+++ nss_ldap-264/ldap-parse.h	2009-07-02 10:56:54.000000000 -0400
@@ -94,6 +94,7 @@
 
 #define LOOKUP_NAME(name, result, buffer, buflen, errnop, filter, selector, parser, req_buflen) \
 	ldap_args_t a; \
+	NSS_STATUS s; \
 	if (buflen < req_buflen) { \
 		*errnop = ERANGE; \
 		return NSS_TRYAGAIN; \
@@ -101,7 +102,8 @@
 	LA_INIT(a); \
 	LA_STRING(a) = name; \
 	LA_TYPE(a) = LA_TYPE_STRING; \
-	return _nss_ldap_getbyname(&a, result, buffer, buflen, errnop, filter, selector, parser);
+	s = _nss_ldap_getbyname(&a, result, buffer, buflen, errnop, filter, selector, parser); \
+	return s
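Review bot: The trailing `return s` now deliberately lacks a semicolon so that the `AND_REQUIRE_MATCH` macro in the later ldap-parse.h hunk can extend it, and that macro starts with a bare `==` and refers to an `s` declared only inside `LOOKUP_NAME`; neither definition says so, so a caller who writes `LOOKUP_NAME(...)` followed by something other than `;` or `AND_REQUIRE_MATCH` gets an opaque syntax error. I would put a comment above `#define AND_REQUIRE_MATCH` stating that it must immediately follow `LOOKUP_NAME(...)` with no intervening semicolon and that it completes the macro's `return s` into `return s == NSS_SUCCESS ? _nss_ldap_expect_name(s, name, field) : s`, so `field` is only read after a successful lookup. A matching one-line comment above `return s` in `LOOKUP_NAME` would point readers to it.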
 #define LOOKUP_NUMBER(number, result, buffer, buflen, errnop, filter, selector, parser, req_buflen) \
 	ldap_args_t a; \
 	if (buflen < req_buflen) { \
@@ -199,4 +201,7 @@
 
 #endif /* HAVE_NSSWITCH_H */
 
+#define AND_REQUIRE_MATCH(name,field) \
+	== NSS_SUCCESS ? _nss_ldap_expect_name(s,name,field) : s
+
 #endif /* _LDAP_NSS_LDAP_LDAP_PARSE_H */
diff -ur nss_ldap-264/ldap-proto.c nss_ldap-264/ldap-proto.c
--- nss_ldap-264/ldap-proto.c	2006-09-13 02:42:08.000000000 -0400
+++ nss_ldap-264/ldap-proto.c	2009-07-02 10:58:25.000000000 -0400
@@ -113,7 +113,8 @@
 {
   LOOKUP_NAME (name, result, buffer, buflen, errnop,
 	       _nss_ldap_filt_getprotobyname, LM_PROTOCOLS,
-	       _nss_ldap_parse_proto, LDAP_NSS_BUFLEN_DEFAULT);
+	       _nss_ldap_parse_proto, LDAP_NSS_BUFLEN_DEFAULT)
+  AND_REQUIRE_MATCH(name, result->p_name);
 }
 #endif
 
diff -ur nss_ldap-264/ldap-pwd.c nss_ldap-264/ldap-pwd.c
--- nss_ldap-264/ldap-pwd.c	2009-07-02 11:01:03.000000000 -0400
+++ nss_ldap-264/ldap-pwd.c	2009-07-02 10:57:15.000000000 -0400
@@ -243,7 +243,8 @@
 		      char *buffer, size_t buflen, int *errnop)
 {
   LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getpwnam,
-	       LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT);
+	       LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT)
+  AND_REQUIRE_MATCH(name, result->pw_name);
 }
 #elif defined(HAVE_NSSWITCH_H)
 static NSS_STATUS
diff -ur nss_ldap-264/ldap-rpc.c nss_ldap-264/ldap-rpc.c
--- nss_ldap-264/ldap-rpc.c	2009-07-02 11:01:03.000000000 -0400
+++ nss_ldap-264/ldap-rpc.c	2009-07-02 10:58:01.000000000 -0400
@@ -123,7 +123,8 @@
 {
   LOOKUP_NAME (name, result, buffer, buflen, errnop,
 	       _nss_ldap_filt_getrpcbyname, LM_RPC, _nss_ldap_parse_rpc,
-	       LDAP_NSS_BUFLEN_DEFAULT);
+	       LDAP_NSS_BUFLEN_DEFAULT)
+  AND_REQUIRE_MATCH(name, result->r_name);
 }
 #endif
 
diff -ur nss_ldap-264/ldap-service.c nss_ldap-264/ldap-service.c
--- nss_ldap-264/ldap-service.c	2009-07-02 15:44:14.000000000 -0400
+++ nss_ldap-264/ldap-service.c	2009-07-02 15:45:07.000000000 -0400
@@ -230,16 +230,20 @@
 			   char *buffer, size_t buflen, int *errnop)
 {
   ldap_args_t a;
+  NSS_STATUS s;
 
   LA_INIT (a);
   LA_STRING (a) = name;
   LA_TYPE (a) = (proto == NULL) ? LA_TYPE_STRING : LA_TYPE_STRING_AND_STRING;
   LA_STRING2 (a) = proto;
 
-  return _nss_ldap_getbyname (&a, result, buffer, buflen, errnop,
-			      ((proto == NULL) ? _nss_ldap_filt_getservbyname
-			       : _nss_ldap_filt_getservbynameproto),
-			      LM_SERVICES, _nss_ldap_parse_serv);
+  s = _nss_ldap_getbyname (&a, result, buffer, buflen, errnop,
+			   ((proto == NULL) ? _nss_ldap_filt_getservbyname
+			   : _nss_ldap_filt_getservbynameproto),
+			   LM_SERVICES, _nss_ldap_parse_serv);
+  s = _nss_ldap_expect_name(s, name, result->s_name);
+  s = _nss_ldap_expect_name(s, proto, result->s_proto);
+  return s;
 }
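Review bot: `result->s_name` and `result->s_proto` are read on the two new `_nss_ldap_expect_name` lines regardless of whether `_nss_ldap_getbyname` succeeded, unlike the `LOOKUP_NAME` callers in this patch, which only evaluate the field when `s == NSS_SUCCESS`. The callee ignores the pointer unless the status is NSS_SUCCESS, so there is no dereference, but loading a member of a `struct servent` that was never filled in is still avoidable; wrap both calls: `if (s == NSS_SUCCESS) {` / `s = _nss_ldap_expect_name (s, name, result->s_name);` / `s = _nss_ldap_expect_name (s, proto, result->s_proto); }`.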
 #endif
 
diff -ur nss_ldap-264/ldap-spwd.c nss_ldap-264/ldap-spwd.c
--- nss_ldap-264/ldap-spwd.c	2009-07-02 11:01:03.000000000 -0400
+++ nss_ldap-264/ldap-spwd.c	2009-07-02 10:58:50.000000000 -0400
@@ -149,7 +149,8 @@
 		      char *buffer, size_t buflen, int *errnop)
 {
   LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getspnam,
-	       LM_SHADOW, _nss_ldap_parse_sp, LDAP_NSS_BUFLEN_DEFAULT);
+	       LM_SHADOW, _nss_ldap_parse_sp, LDAP_NSS_BUFLEN_DEFAULT)
+  AND_REQUIRE_MATCH (name, result->sp_namp);
 }
 #elif defined(HAVE_NSSWITCH_H)
 static NSS_STATUS
--- nss_ldap-264/ldap-automount.c	2009-07-02 16:03:30.000000000 -0400
+++ nss_ldap-264/ldap-automount.c	2009-07-02 16:03:48.000000000 -0400
@@ -384,7 +384,7 @@
 				  _nss_ldap_filt_getautomntbyname,
 				  LM_AUTOMOUNT,
 				  _nss_ldap_parse_automount);
-
+      stat = _nss_ldap_expect_name(stat, key, canon_key ? *canon_key : NULL);
       if (stat != NSS_NOTFOUND)
 	{
 	  break; /* on success or error other than not found */
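Review bot: The new line reads `*canon_key` whenever `canon_key` is non-NULL, even when `stat` is not NSS_SUCCESS; if the parser only stores a canonical key on a successful match, the value passed may be stale from an earlier loop iteration or never set. `_nss_ldap_expect_name` does not look at it in that case, so the effect is limited, but a `stat == NSS_SUCCESS` guard around the call would make that explicit. The enclosing function starts and ends outside this hunk, and the patch description says automountKey has no defined local structure, so a short comment at the call site on why case sensitivity is enforced here would help.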

nss_ldap-264-cloexec.patch:
 ldap-nss.c |    1 +
 1 file changed, 1 insertion(+)

--- NEW FILE nss_ldap-264-cloexec.patch ---
diff -up nss_ldap-264/ldap-nss.c nss_ldap-264/ldap-nss.c
--- nss_ldap-264/ldap-nss.c	2009-07-23 18:55:15.290388484 -0400
+++ nss_ldap-264/ldap-nss.c	2009-07-23 19:01:33.328398737 -0400
@@ -896,6 +896,7 @@ do_drop_connection(int sd, int closeSd)
         /* we must let dup2 close sd for us to avoid race conditions
          * in multithreaded code.
          */
+	fcntl (dummyfd, F_SETFD, 1L);
 	do_dupfd (dummyfd, sd);
 	do_closefd (dummyfd);
       }
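Review bot: `fcntl (dummyfd, F_SETFD, 1L)` spells the close-on-exec bit as a magic number; use the named constant `FD_CLOEXEC`. The flag is set on `dummyfd` before it is duplicated onto `sd`, and POSIX `dup2` clears FD_CLOEXEC on the new descriptor, so this only achieves what the changelog (#512856) describes if `do_dupfd` carries the flag across itself; that helper is outside the hunk, so please confirm and record it in a comment. I would write: `fcntl (dummyfd, F_SETFD, FD_CLOEXEC); /* do_dupfd () carries the flag over to sd; a bare dup2 would drop it */`. The return value is unchecked, which matches the surrounding calls but is worth noting.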

nss_ldap-264-ent_internal.patch:
 ldap-grp.c    |    4 ++--
 ldap-netgrp.c |    2 +-
 ldap-nss.c    |   13 ++++++++++++-
 ldap-nss.h    |   11 +++++++++++
 4 files changed, 26 insertions(+), 4 deletions(-)

--- NEW FILE nss_ldap-264-ent_internal.patch ---
Distinguish between contexts that are somewhat persistent and one-offs
which are used to fulfill part of a larger request.

diff -up nss_ldap/ldap-grp.c nss_ldap/ldap-grp.c
--- nss_ldap/ldap-grp.c
+++ nss_ldap/ldap-grp.c
@@ -857,7 +857,7 @@ ng_chase (const char *dn, ldap_initgroup
   LA_STRING (a) = dn;
   LA_TYPE (a) = LA_TYPE_STRING;
 
-  if (_nss_ldap_ent_context_init_locked (&ctx) == NULL)
+  if (_nss_ldap_ent_context_init_internal_locked (&ctx) == NULL)
     {
       return NSS_UNAVAIL;
     }
@@ -930,7 +930,7 @@ ng_chase_backlink (const char ** members
   LA_STRING_LIST (a) = filteredMembersOf;
   LA_TYPE (a) = LA_TYPE_STRING_LIST_OR;
 
-  if (_nss_ldap_ent_context_init_locked (&ctx) == NULL)
+  if (_nss_ldap_ent_context_init_internal_locked (&ctx) == NULL)
     {
       free (filteredMembersOf);
       return NSS_UNAVAIL;
diff -up nss_ldap/ldap-netgrp.c nss_ldap/ldap-netgrp.c
--- nss_ldap/ldap-netgrp.c
+++ nss_ldap/ldap-netgrp.c
@@ -691,7 +691,7 @@ do_innetgr_nested (ldap_innetgr_args_t *
   LA_TYPE (a) = LA_TYPE_STRING;
   LA_STRING (a) = nested;	/* memberNisNetgroup */
 
-  if (_nss_ldap_ent_context_init_locked (&ctx) == NULL)
+  if (_nss_ldap_ent_context_init_internal_locked (&ctx) == NULL)
     {
       debug ("<== do_innetgr_nested: failed to initialize context");
       return NSS_UNAVAIL;
diff -up nss_ldap/ldap-nss.c nss_ldap/ldap-nss.c
--- nss_ldap/ldap-nss.c
+++ nss_ldap/ldap-nss.c
@@ -1961,6 +1961,7 @@ _nss_ldap_ent_context_init_locked (ent_c
 	  debug ("<== _nss_ldap_ent_context_init_locked");
 	  return NULL;
 	}
+      ctx->ec_internal = 0;
       *pctx = ctx;
     }
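Review bot: `ctx->ec_internal = 0` is only assigned in the branch that allocates a fresh context; the `else` branch that reuses an existing `*pctx` begins at the end of this hunk and continues outside it, and leaves whatever value the context held before. If a context previously initialised through `_nss_ldap_ent_context_init_internal_locked` is ever handed back to this function, it would keep `ec_internal = 1` and skip the oneshot `do_close ()` in `_nss_ldap_ent_context_release`. Setting `ctx->ec_internal = 0;` once after the if/else, just before `return ctx;`, covers both paths.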
   else
@@ -1990,6 +1991,15 @@ _nss_ldap_ent_context_init_locked (ent_c
 
   return ctx;
 }
+ent_context_t *
+_nss_ldap_ent_context_init_internal_locked (ent_context_t ** pctx)
+{
+  ent_context_t *ctx;
+  ctx = _nss_ldap_ent_context_init_locked (pctx);
+  if (ctx != NULL)
+    ctx->ec_internal = 1;
+  return ctx;
+}
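Review bot: The new `_nss_ldap_ent_context_init_internal_locked` definition is glued to the closing brace of the previous function with no blank line, and unlike its neighbours it has no leading comment; the contract is documented only in ldap-nss.h. I would separate it with a blank line and add: `/* As _nss_ldap_ent_context_init_locked, but flag the context as internal so releasing it does not tear down the connection in oneshot mode. */`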
 
 /*
  * Clears a given context; we require the caller
@@ -2031,7 +2041,8 @@ _nss_ldap_ent_context_release (ent_conte
 
   LS_INIT (ctx->ec_state);
 
-  if (_nss_ldap_test_config_flag (NSS_LDAP_FLAGS_CONNECT_POLICY_ONESHOT))
+  if (!ctx->ec_internal &&
+      _nss_ldap_test_config_flag (NSS_LDAP_FLAGS_CONNECT_POLICY_ONESHOT))
     {
       do_close ();
     }
diff -up nss_ldap/ldap-nss.h nss_ldap/ldap-nss.h
--- nss_ldap/ldap-nss.h
+++ nss_ldap/ldap-nss.h
@@ -560,6 +560,8 @@ struct ent_context
   ldap_state_t ec_state;	/* eg. for services */
   int ec_msgid;			/* message ID */
   LDAPMessage *ec_res;		/* result chain */
+  int ec_internal;		/* this context is just a part of a larger
+				 * query for information */
   ldap_service_search_descriptor_t *ec_sd;	/* current sd */
   struct berval *ec_cookie;     /* cookie for paged searches */
   int ec_eof;			/* reached notional end of file */
@@ -744,6 +746,15 @@ ent_context_t *_nss_ldap_ent_context_ini
 ent_context_t *_nss_ldap_ent_context_init_locked (ent_context_t **);
 
 /*
+ * _nss_ldap_ent_context_init_internal_locked() has the same
+ * behaviour, except it marks the context as one that's being
+ * used to fetch additional data used in answering a request, i.e.
+ * that this isn't the "main" context
+ */
+
+ent_context_t *_nss_ldap_ent_context_init_internal_locked (ent_context_t **);
+
+/*
  * _nss_ldap_ent_context_release() is used to manually free a context 
  */
 void _nss_ldap_ent_context_release (ent_context_t *);

pam_ldap-183-releaseconfig.patch:
 pam_ldap.c |   44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

--- NEW FILE pam_ldap-183-releaseconfig.patch ---
diff -up pam_ldap/pam_ldap.c pam_ldap/pam_ldap.c
--- pam_ldap/pam_ldap.c	2009-07-22 15:55:42.000000000 -0400
+++ pam_ldap/pam_ldap.c	2009-07-22 16:00:23.000000000 -0400
@@ -437,6 +437,7 @@ static void
 _release_config (pam_ldap_config_t ** pconfig)
 {
   pam_ldap_config_t *c;
+  pam_ssd_t *ssd, *next_ssd;
 
   c = *pconfig;
   if (c == NULL)
@@ -445,6 +446,9 @@ _release_config (pam_ldap_config_t ** pc
   if (c->configFile != NULL)
     free (c->configFile);
 
+  if (c->uri != NULL)
+    free (c->uri);
+
   if (c->host != NULL)
     free (c->host);
 
@@ -474,6 +478,16 @@ _release_config (pam_ldap_config_t ** pc
       free (c->sslpath);
     }
 
+  ssd = c->ssd;
+  while ( ssd != NULL )
+    {
+      next_ssd = ssd->next;
+      free (ssd->base);
+      free (ssd->filter);
+      free (ssd);
+      ssd = next_ssd;
+    }
+
   if (c->userattr != NULL)
     {
       free (c->userattr);
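Review bot: The `ssd` loop frees every node of `c->ssd` but leaves `c->ssd` pointing at freed memory; if the rest of `_release_config` (outside this hunk) does not free `c` itself, a second call or any later inspection of the config walks a dangling list. Adding `c->ssd = NULL;` after the loop makes the release idempotent for that field at no cost. The loop's unguarded `free (ssd->base)` / `free (ssd->filter)` are fine since `free (NULL)` is a no-op, though they differ from the guarded style used everywhere else in this function.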
@@ -509,6 +523,36 @@ _release_config (pam_ldap_config_t ** pc
       free (c->logdir);
     }
 
+  if (c->tls_cacertfile != NULL)
+    {
+      free (c->tls_cacertfile);
+    }
+
+  if (c->tls_cacertdir != NULL)
+    {
+      free (c->tls_cacertdir);
+    }
+
+  if (c->tls_ciphers != NULL)
+    {
+      free (c->tls_ciphers);
+    }
+
+  if (c->tls_cert != NULL)
+    {
+      free (c->tls_cert);
+    }
+
+  if (c->tls_key != NULL)
+    {
+      free (c->tls_key);
+    }
+
+  if (c->tls_randfile != NULL)
+    {
+      free (c->tls_randfile);
+    }
+
   if (c->sasl_mechanism != NULL)
     {
       free (c->sasl_mechanism);


Index: nss_ldap.spec
===================================================================
RCS file: /cvs/pkgs/rpms/nss_ldap/F-11/nss_ldap.spec,v
retrieving revision 1.107
retrieving revision 1.108
diff -u -p -r1.107 -r1.108
--- nss_ldap.spec	26 Feb 2009 06:13:39 -0000	1.107
+++ nss_ldap.spec	28 Jul 2009 18:42:16 -0000	1.108
@@ -2,7 +2,7 @@
 Summary: NSS library and PAM module for LDAP
 Name: nss_ldap
 Version: 264
-Release: 2%{?dist}
+Release: 6%{?dist}
 Source0: ftp://ftp.padl.com/pub/nss_ldap-%{version}.tar.gz
 Source1: ftp://ftp.padl.com/pub/pam_ldap-%{pam_ldap_version}.tar.gz
 Source3: nss_ldap.versions
@@ -24,13 +24,17 @@ Patch16: pam_ldap-184-referral-passwd2.p
 Patch17: nss_ldap-259-res_init.patch
 Patch19: pam_ldap-184-broken-sasl-rebind.patch
 Patch20: pam_ldap-184-nsrole.patch
+Patch21: nss_ldap-264-checkcase.patch
+Patch22: nss_ldap-264-ent_internal.patch
+Patch23: pam_ldap-183-releaseconfig.patch
+Patch24: nss_ldap-264-cloexec.patch
 
 URL: http://www.padl.com/
 License: LGPLv2+
 Group: System Environment/Base
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: autoconf, automake, libtool
-BuildRequires: openssl-devel, pam-devel
+BuildRequires: openssl-devel, openssl-static, pam-devel
 BuildRequires: cyrus-sasl-devel >= 2.1
 BuildRequires: openldap-devel >= 2.0.27
 BuildRequires: krb5-devel >= 1.4
@@ -63,6 +67,9 @@ cp nss_ldap-%{version}/snprintf.h pam_ld
 pushd nss_ldap-%{version}
 %patch8 -p1 -b .soname
 %patch17 -p1 -b .res_init
+#%patch21 -p1 -b .checkcase
+%patch22 -p1 -b .ent_internal
+%patch24 -p1 -b .cloexec
 autoreconf -f -i
 popd
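Review bot: `#%patch21 -p1 -b .checkcase` relies on rpm treating the line as a comment, but rpm expands macros inside comment lines, and the changelog entry in this same commit already escapes `%%postun` for that reason; writing `#%%patch21 -p1 -b .checkcase` keeps the intent ("add but don't apply", per the changelog) without depending on how `%patch` is handled by a given rpm version.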
 
@@ -76,6 +83,7 @@ pushd pam_ldap-%{pam_ldap_version}
 %patch16 -p1 -b .referral-passwd2
 %patch19 -p1 -b .broken-sasl-rebind
 %patch20 -p1 -b .nsrole
+%patch23 -p1 -b .releaseconfig
 autoreconf -f -i
 popd
 
@@ -190,6 +198,34 @@ fi
 %doc pam_ldap-%{pam_ldap_version}/ns-pwd-policy.schema
 
 %changelog
+* Tue Jul 28 2009 Nalin Dahyabhai <nalin at redhat.com> 264-6
+- set close-on-exec on the dummy socket created in the child atfork() (#512856)
+
+* Wed Jul 22 2009 Nalin Dahyabhai <nalin at redhat.com> 264-5
+- fix some minor leaks in pam_ldap, part of upstream #326,#333
+
+* Tue Jul  7 2009 Nalin Dahyabhai <nalin at redhat.com> - 264-4
+- add proposed patch for upstream #322: crashing in oneshot mode
+
+* Mon Jul  6 2009 Nalin Dahyabhai <nalin at redhat.com>
+- add but don't apply proposed patch for upstream #399: depending on the
+  server to enforce the expected case-sensitivity opens up corner cases
+
+* Fri Jun 19 2009 Kedar Sovani <kedars at marvell.com>  - 264-3
+- BuildRequires: openssl-static
+
+* Fri Jun 19 2009 Nalin Dahyabhai <nalin at redhat.com>
+- revert most of the previous round of changes: splitting pam_ldap off
+  won't be helpful in the long term if it, too, is eventually going to conflict
+  with the nss-ldapd package
+
+* Mon Apr  6 2009 Nalin Dahyabhai <nalin at redhat.com> - 264/184-100
+- split pam_ldap off into a separate binary package
+- require /%{_lib}/security/pam_ldap.so to pull in pam_ldap on upgrades
+- require our configuration file to come from somewhere
+- remove some cruft
+- move the %%postun that fixes up pam configs to the pam_ldap package
+
 * Wed Feb 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 264-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
 



