forked from pool/sssd
Accepting request 632454 from home:kbabioch:branches:network:ldap
- Update to upstream release 1.16.3 OBS-URL: https://build.opensuse.org/request/show/632454 OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=206
This commit is contained in:
parent
a03258dbe5
commit
77a4f94e77
@ -1,45 +0,0 @@
|
||||
From 06193adc0de042484f672cadd0808c78c5ebb70e Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
||||
Date: Fri, 15 Jun 2018 22:29:34 +0200
|
||||
Subject: [PATCH] SUDO: Create the socket with stricter permissions
|
||||
|
||||
This patch switches the sudo responder from being created as a public
|
||||
responder where the permissions are open and not checked by the sssd
|
||||
deaamon to a private socket. In this case, sssd creates the pipes with
|
||||
strict permissions (see the umask in the call to create_pipe_fd() in
|
||||
set_unix_socket()) and additionaly checks the permissions with every read
|
||||
via the tevent integrations (see accept_fd_handler()).
|
||||
---
|
||||
src/responder/sudo/sudosrv.c | 3 ++-
|
||||
src/sysv/systemd/sssd-sudo.socket.in | 1 +
|
||||
2 files changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
|
||||
index ac4258710d3a9b48285522abd23bdd59ba42ad4e..e87a24499c2d82fafaa8e1f9b386e44332394266 100644
|
||||
--- a/src/responder/sudo/sudosrv.c
|
||||
+++ b/src/responder/sudo/sudosrv.c
|
||||
@@ -79,7 +79,8 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
|
||||
sudo_cmds = get_sudo_cmds();
|
||||
ret = sss_process_init(mem_ctx, ev, cdb,
|
||||
sudo_cmds,
|
||||
- SSS_SUDO_SOCKET_NAME, -1, NULL, -1,
|
||||
+ NULL, -1, /* No public socket */
|
||||
+ SSS_SUDO_SOCKET_NAME, -1, /* Private socket only */
|
||||
CONFDB_SUDO_CONF_ENTRY,
|
||||
SSS_SUDO_SBUS_SERVICE_NAME,
|
||||
SSS_SUDO_SBUS_SERVICE_VERSION,
|
||||
diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in
|
||||
index c9abb875f0accbaf58d78846020fef74c7473528..96a8b0327ddb4d331c9b2e97ece3453f8f76872d 100644
|
||||
--- a/src/sysv/systemd/sssd-sudo.socket.in
|
||||
+++ b/src/sysv/systemd/sssd-sudo.socket.in
|
||||
@@ -11,6 +11,7 @@ ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r sudo
|
||||
ListenStream=@pipepath@/sudo
|
||||
SocketUser=@SSSD_USER@
|
||||
SocketGroup=@SSSD_USER@
|
||||
+SocketMode=0600
|
||||
|
||||
[Install]
|
||||
WantedBy=sssd.service
|
||||
--
|
||||
2.14.3
|
||||
|
@ -1,44 +0,0 @@
|
||||
From b34fcff0f8bccd7b827686b50c53f45b7e20bb44 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
||||
Date: Tue, 12 Jun 2018 19:07:52 +0200
|
||||
Subject: [PATCH] intg: Do not hardcode nsslibdir
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This change is needed in order to have make intgcheck-run properly
|
||||
running on opensuse systems.
|
||||
|
||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
||||
Reviewed-by: Chris Kowalczyk <ckowalczyk@suse.com>
|
||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
||||
---
|
||||
src/tests/intg/Makefile.am | 1 +
|
||||
src/tests/intg/config.py.m4 | 2 +-
|
||||
2 files changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
|
||||
index 9c5338261..4bd427669 100644
|
||||
--- a/src/tests/intg/Makefile.am
|
||||
+++ b/src/tests/intg/Makefile.am
|
||||
@@ -73,6 +73,7 @@ cwrap-dbus-system.conf: data/cwrap-dbus-system.conf.in Makefile
|
||||
config.py: config.py.m4
|
||||
m4 -D "prefix=\`$(prefix)'" \
|
||||
-D "sysconfdir=\`$(sysconfdir)'" \
|
||||
+ -D "nsslibdir=\`$(nsslibdir)'" \
|
||||
-D "dbpath=\`$(dbpath)'" \
|
||||
-D "pidpath=\`$(pidpath)'" \
|
||||
-D "logpath=\`$(logpath)'" \
|
||||
diff --git a/src/tests/intg/config.py.m4 b/src/tests/intg/config.py.m4
|
||||
index 6e011b692..04f78d869 100644
|
||||
--- a/src/tests/intg/config.py.m4
|
||||
+++ b/src/tests/intg/config.py.m4
|
||||
@@ -4,7 +4,7 @@ Build configuration variables.
|
||||
|
||||
PREFIX = "prefix"
|
||||
SYSCONFDIR = "sysconfdir"
|
||||
-NSS_MODULE_DIR = PREFIX + "/lib"
|
||||
+NSS_MODULE_DIR = "nsslibdir"
|
||||
SSSDCONFDIR = SYSCONFDIR + "/sssd"
|
||||
CONF_PATH = SSSDCONFDIR + "/sssd.conf"
|
||||
DB_PATH = "dbpath"
|
@ -1,13 +0,0 @@
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 9539b3c..8e76a03 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -975,6 +975,7 @@ libsss_cert_la_LIBADD = \
|
||||
$(TALLOC_LIBS) \
|
||||
$(TEVENT_LIBS) \
|
||||
libsss_crypt.la \
|
||||
+ libsss_child.la \
|
||||
libsss_debug.la \
|
||||
libsss_certmap.la \
|
||||
$(NULL)
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:fe5b1fcc5b4359631f7edf25f8940f3155de68e2f4ac7bfeb634687ccabc570c
|
||||
size 6174144
|
@ -1,6 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iEYEABECAAYFAlsa2S0ACgkQHsardTLnvCVhKwCgpCRZBHkAyqnRDaPwegBLv4Sh
|
||||
fYQAoK05cAcmiKBdZWtsLRRZgUOS8X/8
|
||||
=U4k5
|
||||
-----END PGP SIGNATURE-----
|
3
sssd-1.16.3.tar.gz
Normal file
3
sssd-1.16.3.tar.gz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:ee5d17a0c663c09819cbab9364085b9e57faeca02406cc30efe14cc0cfc04ec4
|
||||
size 6217114
|
10
sssd-1.16.3.tar.gz.asc
Normal file
10
sssd-1.16.3.tar.gz.asc
Normal file
@ -0,0 +1,10 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQEcBAABAgAGBQJbcDdwAAoJEHDBRgYiUL36CW0H/2gGY35HxXQNiufErxIMT3/9
|
||||
8Uq5EqTOYUlmScijvT3J1AXPg5Sw/KP65cBSOaZYNyzzBcr8GwaM19y3/WInFA5z
|
||||
tWTHfAmVusIvLijmWmfw9qGY6X8386S2g+wbTn7WsMYb0Spt8K2l+OgQDIq7sIx5
|
||||
iSPfICt/HgESBkC0YEsaVq5S4kQLS6w3pJEclkwoj22jl831FHlVmQ8K2G369/Iz
|
||||
YycSYK7qXWvs8YSzsihA3zvjGT9v2vZQWamE5gkHlXZEPkJYIR3ant7Ziux4zIrA
|
||||
n/fuIWZCWu/gR4jtg3vmrcRVLnOo1ukqdrDmE4v/CiJrvS/H4McCZUhiUaXQ9Us=
|
||||
=Fx4X
|
||||
-----END PGP SIGNATURE-----
|
66
sssd.changes
66
sssd.changes
@ -1,3 +1,69 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Aug 31 07:14:39 UTC 2018 - kbabioch@suse.com
|
||||
|
||||
- Update to upstream release 1.16.3
|
||||
|
||||
New Features
|
||||
|
||||
- The kdcinfo files that SSSD uses to inform libkrb5 about which KDCs were
|
||||
discovered for a Kerberos realm used to be only generated for the joined
|
||||
domain, not the trusted domains. Starting with this release, the kdcinfo files
|
||||
are generated automatically also for trusted domains in setups that use
|
||||
id_provider=ad and IPA masters in a trust relationship with an AD domain.
|
||||
|
||||
- The SSSD Kerberos locator plugin which processes the kdcinfo files and
|
||||
actually tells libkrb5 about the available KDCs can now process multiple
|
||||
address if SSSD generates more than one. At the moment, this feature is only
|
||||
used on IPA clients (see below). Please see the sssd_krb5_locator_plugin(8)
|
||||
manual page for more information about the Kerberos locator plugin.
|
||||
|
||||
- On IPA clients, the AD DCs or the AD site which should be used to
|
||||
authenticate users can now be listed in a subdomain section. Please see the
|
||||
feature design page or the section “trusted domains configuration” for more
|
||||
details.
|
||||
|
||||
Notable bug fixes
|
||||
|
||||
- The permissions on /var/lib/sss/pipes/sudo were set so that anyone could read
|
||||
anyone else’s sudo rules. This was considered an information leak and
|
||||
assigned CVE-2018-10852 (bsc#1098377)
|
||||
- The 1.16.2 release was storing the cached passwords without a salt prefix
|
||||
string. This bug was fixed in this release, but any password hashes generated
|
||||
by 1.16.2 are incompatible with the hashes generated by 1.16.3. The effect is
|
||||
that upgrade from 1.16.2 to 1.16.3 should be done when the authentication
|
||||
server is reachable so that the first authentication after the upgrade fix the
|
||||
cached password.
|
||||
- The sss_ssh proces leaked file descriptors when converting more than one x509
|
||||
certificate to SSH public key
|
||||
- SSSD, when configured with id_provider=ad was using too expensive LDAP search
|
||||
to find out whether the required POSIX attributes were replicated to the
|
||||
Global Catalog. Instead, SSSD now consults the Partial Attribute Set, which
|
||||
is much more effective
|
||||
- The PAC responder is now able to process Domain Local in case the PAC uses
|
||||
SID compression. Typicaly this is the case with Windows Server 2012 and newer
|
||||
- Some versions of OpenSSH would close the pipe towards sss_ssh_authorizedkeys
|
||||
when the matching key is found before the rest of the output is read. The
|
||||
sss_ssh_authorizedkeys helper was not handling this behaviour well and would
|
||||
exit with SIGPIPE, which also meant the public key authentication failed
|
||||
- User lookups no longer fail if user’s e-mail address conflicts with another
|
||||
user’s fully qualified name
|
||||
- The override_shell and override_homedir options are no longer applied to
|
||||
entries from the files domain.
|
||||
- Several bugs related to the FleetCommander integration were fixed
|
||||
- The grace logins with an expired password when authenticating against certain
|
||||
newer versions of the 389DS/RHDS LDAP server did not work
|
||||
- Whitespace around netgroup triple separator is now stripped
|
||||
- The sss_ssh_knownhostproxy utility can now print the host key without
|
||||
proxying the connection.
|
||||
- Due to an overly restrictive check, the fast in-memory cache was sometimes
|
||||
skipped, which caused a high load on the sssd_nss process
|
||||
|
||||
Removed patches that are included upstream now:
|
||||
|
||||
- 0001-SUDO-Create-the-socket-with-stricter-permissions.patch
|
||||
- 0002-intg-Do-not-hardcode-nsslibdir.patch
|
||||
- 0003-Fix-build-for-1-16-2-version.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun Jul 1 12:44:00 UTC 2018 - ckowalczyk@suse.com
|
||||
|
||||
|
@ -17,7 +17,7 @@
|
||||
|
||||
|
||||
Name: sssd
|
||||
Version: 1.16.2
|
||||
Version: 1.16.3
|
||||
Release: 0
|
||||
Summary: System Security Services Daemon
|
||||
License: GPL-3.0+ and LGPL-3.0+
|
||||
@ -31,9 +31,6 @@ Source3: baselibs.conf
|
||||
Source4: sssd.service
|
||||
Source5: %name.keyring
|
||||
BuildRoot: %_tmppath/%name-%version-build
|
||||
Patch1: 0001-SUDO-Create-the-socket-with-stricter-permissions.patch
|
||||
Patch2: 0002-intg-Do-not-hardcode-nsslibdir.patch
|
||||
Patch3: 0003-Fix-build-for-1-16-2-version.patch
|
||||
|
||||
%define servicename sssd
|
||||
%define sssdstatedir %_localstatedir/lib/sss
|
||||
@ -367,9 +364,6 @@ Security Services Daemon (sssd).
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
|
||||
%build
|
||||
%if 0%{?suse_version} < 1210
|
||||
|
Loading…
Reference in New Issue
Block a user