Yesterday, the SSSD team hit a major milestone: we released SSSD 1.5.0. This is probably the largest release we’ve done since 1.0, with over 150 commits. With several new features, particularly related to access control, we’ve worked closely with our users to ensure that 1.5.0 is the release most attuned to their real-world needs.

As I’ve mentioned in the past, SSSD relies on a very stringent code-review process for its development. Nothing makes it into the codebase without close inspection and testing by one of the other developers. Simo Sorce, one of the original designers and developers of the System Security Services Daemon, wrote an excellent blog post on how this review policy has enabled us to write very secure code.
One of the major changes we made to our process in SSSD 1.5.0 is that we started using the Coverity Integrity Manager as part of our continuous-integration environment. By running these scans on the full codebase regularly (twice a day), we were able to keep ahead of common coding mistakes such as resource leaks or missing NULL checks. While this scanning did reveal several legitimate bugs in the SSSD, it also revealed that we had been doing an exceptional job of avoiding serious bugs in the code. For a detailed analysis of our Coverity results, see Simo’s blog post.
So, what have we learned from the SSSD 1.5.0 cycle? First, there is no substitute for feedback from real-world users of your project. By maintaining our relationship with our most vocal users, I think we’ve achieved some truly great things. Secondly, when developing a security product, there’s no such thing as too many eyes on the code, be they other developers, users or automated scanning technologies.
SSSD 1.5.0 release announcement:

The SSSD team is proud to announce the latest enhancement release of the System Security Services Daemon. The source tarball is available at https://fedorahosted.org/sssd

== Highlights ==

* Fixed issues with LDAP search filters that needed to be escaped
* Add Kerberos FAST support on platforms that support it
* Reduced verbosity of PAM_TEXT_INFO messages for cached credentials
* Added group support to the simple access provider
* Added a Kerberos access provider to honor .k5login
* Addressed several thread-safety issues in the sss_client code
* Improved support for delayed online Kerberos auth
  * Significantly reduced time between connecting to the network/VPN and acquiring a TGT
* Added feature for automatic Kerberos ticket renewal
  * Provides the kerberos ticket for long-lived processes or cron jobs even when the user logs out
* Added several new features to the LDAP access provider
  * Support for 'shadow' access control
  * Support for authorizedService access control
  * Ability to mix-and-match LDAP access control features
* Added an option for a separate password-change LDAP server for those platforms where LDAP referrals are not supported
* Added support for manpage translations

== Detailed Changelog ==

Jakub Hrozek (5):
* Always use uint32_t for UID/GID numbers
* Internal DNS resolver should check /etc/hosts
* Allow protocol fallback for SRV queries
* Make manual pages translatable
* Add Czech translation

Jan Zeleny (1):
* Option krb5_server is now used to store a list of KDCs instead of krb5_kdcip.

Marko Myllynen (1):
* Fix a typo in sssd-krb5 man page

Moritz Baumann (1):
* Fix misused SDAP_SEARCH_BASE

Piotr Drąg (1):
* Updating pl translation

Simo Sorce (6):
* sss_client: make code thread-safe
* Pass sdap_id_ctx in sdap_id_op functions.
* ldap: remove variable that was never assigned nor used
* ldap: add checks to determine if USN features are available.
* ldap: Use USN entries if available.
* Fix wrong test in pam_sss

Stephen Gallagher (58):
* Write log opening failures to the syslog
* Improve versioning for automated builds
* Bumping version to 1.5.0 dev
* Fix incorrect free of req in krb5_auth.c
* Don't clean up groups for which a user has it as primary GID
* Handle errors during log reopening better
* Properly check the return value from semanage_commit
* Add utility function to sanitize LDAP/LDB filters
* Add sysdb utility function for sanitizing DN
* Sanitize search filters for the sysdb
* Sanitize sysdb search filters in the IPA provider
* Sanitize sysdb filters in the LDAP provider
* Sanitize sysdb DN helpers
* Sanitize search filters in memberOf plugin
* Sanitize sysdb dn for memberof lookup
* Add unit tests for users and groups with odd characters
* Sanitize search filters in LDAP provider
* Properly document ldap_purge_cache_timeout
* Sanitize ldap attributes in the config file
* Fix cast warning for pam_sss.c
* Fix const cast warning for sysdb_update_members
* Fix const cast warning in build_attrs_from_map
* Fix const cast issue with sysdb_attrs_users_from_str_list
* Fix const cast warning in confdb_create_ldif
* Fix const cast warnings in tests
* Fix incorrect type comparison
* Log startup errors to syslog
* Ensure that SSSD shuts down completely before restarting
* Fix authentication queue code for proxy auth
* Wait for all children to exit
* Add signal documentation to sssd(8)
* Print correct error messages for dp_err_to_string()
* Make default SIGTERM and SIGINT handlers use tevent
* Resend SIGTERM if child doesn't terminate
* Set up signal handlers before initializing sysdb
* Make sure that sss_obfuscate installs as executable
* Move sss_* tools into their own subpackage
* Remove IPA_ACCESS_TIME define
* Add group support to the simple access provider
* Fix timeouts for DNS resolver
* Reschedule the fd timeout for secondary lookups
* Eliminate possible NULL-dereference in pam_check_user_search
* Add missing break statement to sss_hash_create
* Prevent uninitialized value error in monitor_quit
* Fix invalid sizeof in pidfile
* Fix segfault for PAM_TEXT_INFO conversations
* Fix unchecked return value in sss_krb5_verify_keytab_ex
* Fix unsafe return condition in ipa_access_handler
* Fix uninitialized value error in set_local_and_remote_host_info
* Fix unchecked return value in test_sysdb_attrs_to_list
* Fix unchecked return value in set_nonblocking
* Start first enumeration immediately
* Add sysdb_has_enumerated and sysdb_set_enumerated helper functions
* Pass all PAM data to the LDAP access provider
* Add authorizedService support
* Ensure ID is checked in all domains for PAM
* Update the ID cache for any PAM request
* Committing new translation updates for release

Sumit Bose (79):
* Add ldap_deref option
* Add some missing ldap_memfree()
* Download only enabled IPA HBAC rules
* Add netgroups infrastructure to proxy provider
* Implement netgroups for proxy provider
* Remove all nss requests after a reconnect
* Always use talloc_zero() to allocate cmdctx
* Fix double free issue
* Allow authentication for referrals
* Mention ding-libs in BUILD.txt
* Fix two return value checks
* Store krb5 auth context for other targets
* Add infrastructure for Kerberos access provider
* Add krb5_get_simple_upn()
* Make krb5_setup() public
* Add krb5_kuserok() access check to krb5_child
* Make handle_child_* request public
* Call krb5_child to check access permissions
* Add defaultNamingContext to RootDSE attributes
* Use (default)namingContext to set empty search bases
* Make ldap_search_base a non-mandatory option
* Review comments for namingContexts patches
* Avoid long long in messages to PAM client use int64_t
* Introduce pam_verbosity config option
* Add missing error code
* Fix offline detection for LDAP auth/chpass
* Fix man page
* Use a more efficient host search filter
* Add SIGUSR2 to reset offline status
* fix typo in get_server_status()
* Fix a typo on setup_netlink()
* Daemonize by default
* Run checks before resetting offline state
* Fix offline detection in sdap_cli_connect request
* Add check_online method to LDAP ID provider
* Add a special filter type to handle enumerations
* Send authtok_type to krb5_child
* Add a renew task to krb5_child
* Check authtok type for krb5 auth and chpass
* Add krb5_renewable_lifetime option
* Add krb5_lifetime option
* Add support for server-side pam response messages
* krb5_child returns TGT lifetime
* Add support for automatic Kerberos ticket renewal
* Allow krb5 lifetime values without a unit
* Make string_to_shadowpw_days() public
* Add new account expired rule to LDAP access provider
* Add ldap_chpass_uri config option
* Refactor krb5_child to make helpers more flexible
* Add support for FAST in krb5 provider
* Mark unavailable Kerberos server as PORT_NOT_WORKING
* Replace krb5_kdcip by krb5_server in LDAP provider
* Fix build issue with older Kerberos library
* Remove check_access_time() from IPA access provider
* Bye, bye, ipa_timerules
* Fix unchecked return value in sdap_get_msg_dn()
* Fix unchecked return value in sdap_parse_entry()
* Remove unused newauthtok variable in LOCAL_pam_handler
* Fix improper NULL check in fo_add_srv_server()
* Fix incorrect return value on failure in resolve_get_domain_send()
* Fix incorrect return value on failure in check_and_export_options()
* Fix uninitialized value error in sdap_account_expired_shadow()
* Fix uninitialized value error in setup_test in fail_over-tests.c
* Fix improper bit manipulation in pam_sss
* Fix possible memory leak in sss_nss_recv_rep()
* Fix uninitialized value error in main() in stress-tests.c
* Fix possible memory leak in do_pam_conversation
* Fix another possible memory leak in sss_nss_recv_rep()
* Fix memory leak of library handle in proxy
* Fix uninitialized value error in lookup_netgr_step()
* Fix possible NULL-dereference in lookup_netgr_step()
* Avoid multiple initializations in LDAP provider
* Introduce sss_hash_create_ex()
* Fixes for automatic ticket renewal
* Serialize requests of the same user in the krb5 provider
* Update config API files
* Add all values of a multi-valued user attribute
* Remove unused member of a struct
* Fix potential NULL-dereference in krb5_auth_done()

Yuri Chornoivan (1):
* Updating uk translation