diff --git a/0001-SUDO-Create-the-socket-with-stricter-permissions.patch b/0001-SUDO-Create-the-socket-with-stricter-permissions.patch new file mode 100644 index 0000000..17aa40f --- /dev/null +++ b/0001-SUDO-Create-the-socket-with-stricter-permissions.patch @@ -0,0 +1,45 @@ +From 06193adc0de042484f672cadd0808c78c5ebb70e Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Fri, 15 Jun 2018 22:29:34 +0200 +Subject: [PATCH] SUDO: Create the socket with stricter permissions + +This patch switches the sudo responder from being created as a public +responder where the permissions are open and not checked by the sssd +deaamon to a private socket. In this case, sssd creates the pipes with +strict permissions (see the umask in the call to create_pipe_fd() in +set_unix_socket()) and additionaly checks the permissions with every read +via the tevent integrations (see accept_fd_handler()). +--- + src/responder/sudo/sudosrv.c | 3 ++- + src/sysv/systemd/sssd-sudo.socket.in | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c +index ac4258710d3a9b48285522abd23bdd59ba42ad4e..e87a24499c2d82fafaa8e1f9b386e44332394266 100644 +--- a/src/responder/sudo/sudosrv.c ++++ b/src/responder/sudo/sudosrv.c +@@ -79,7 +79,8 @@ int sudo_process_init(TALLOC_CTX *mem_ctx, + sudo_cmds = get_sudo_cmds(); + ret = sss_process_init(mem_ctx, ev, cdb, + sudo_cmds, +- SSS_SUDO_SOCKET_NAME, -1, NULL, -1, ++ NULL, -1, /* No public socket */ ++ SSS_SUDO_SOCKET_NAME, -1, /* Private socket only */ + CONFDB_SUDO_CONF_ENTRY, + SSS_SUDO_SBUS_SERVICE_NAME, + SSS_SUDO_SBUS_SERVICE_VERSION, +diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in +index c9abb875f0accbaf58d78846020fef74c7473528..96a8b0327ddb4d331c9b2e97ece3453f8f76872d 100644 +--- a/src/sysv/systemd/sssd-sudo.socket.in ++++ b/src/sysv/systemd/sssd-sudo.socket.in +@@ -11,6 +11,7 @@ ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r sudo + ListenStream=@pipepath@/sudo + SocketUser=@SSSD_USER@ + SocketGroup=@SSSD_USER@ ++SocketMode=0600 + + [Install] + WantedBy=sssd.service +-- +2.14.3 + diff --git a/0002-intg-Do-not-hardcode-nsslibdir.patch b/0002-intg-Do-not-hardcode-nsslibdir.patch new file mode 100644 index 0000000..08f8543 --- /dev/null +++ b/0002-intg-Do-not-hardcode-nsslibdir.patch @@ -0,0 +1,44 @@ +From b34fcff0f8bccd7b827686b50c53f45b7e20bb44 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= +Date: Tue, 12 Jun 2018 19:07:52 +0200 +Subject: [PATCH] intg: Do not hardcode nsslibdir +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This change is needed in order to have make intgcheck-run properly +running on opensuse systems. + +Signed-off-by: Fabiano Fidêncio +Reviewed-by: Chris Kowalczyk +Reviewed-by: Michal Židek +--- + src/tests/intg/Makefile.am | 1 + + src/tests/intg/config.py.m4 | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am +index 9c5338261..4bd427669 100644 +--- a/src/tests/intg/Makefile.am ++++ b/src/tests/intg/Makefile.am +@@ -73,6 +73,7 @@ cwrap-dbus-system.conf: data/cwrap-dbus-system.conf.in Makefile + config.py: config.py.m4 + m4 -D "prefix=\`$(prefix)'" \ + -D "sysconfdir=\`$(sysconfdir)'" \ ++ -D "nsslibdir=\`$(nsslibdir)'" \ + -D "dbpath=\`$(dbpath)'" \ + -D "pidpath=\`$(pidpath)'" \ + -D "logpath=\`$(logpath)'" \ +diff --git a/src/tests/intg/config.py.m4 b/src/tests/intg/config.py.m4 +index 6e011b692..04f78d869 100644 +--- a/src/tests/intg/config.py.m4 ++++ b/src/tests/intg/config.py.m4 +@@ -4,7 +4,7 @@ Build configuration variables. + + PREFIX = "prefix" + SYSCONFDIR = "sysconfdir" +-NSS_MODULE_DIR = PREFIX + "/lib" ++NSS_MODULE_DIR = "nsslibdir" + SSSDCONFDIR = SYSCONFDIR + "/sssd" + CONF_PATH = SSSDCONFDIR + "/sssd.conf" + DB_PATH = "dbpath" diff --git a/0003-Fix-build-for-1-16-2-version.patch b/0003-Fix-build-for-1-16-2-version.patch new file mode 100644 index 0000000..9903e33 --- /dev/null +++ b/0003-Fix-build-for-1-16-2-version.patch @@ -0,0 +1,13 @@ +diff --git a/Makefile.am b/Makefile.am +index 9539b3c..8e76a03 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -975,6 +975,7 @@ libsss_cert_la_LIBADD = \ + $(TALLOC_LIBS) \ + $(TEVENT_LIBS) \ + libsss_crypt.la \ ++ libsss_child.la \ + libsss_debug.la \ + libsss_certmap.la \ + $(NULL) + diff --git a/sssd-1.16.1.tar.gz b/sssd-1.16.1.tar.gz deleted file mode 100644 index 38f49be..0000000 --- a/sssd-1.16.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:2dbf677851afdefcdf57eccaf25d59eb682a2994ad2a2dbf419003930a0b506e -size 5992778 diff --git a/sssd-1.16.1.tar.gz.asc b/sssd-1.16.1.tar.gz.asc deleted file mode 100644 index c85ee70..0000000 --- a/sssd-1.16.1.tar.gz.asc +++ /dev/null @@ -1,6 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iEYEABECAAYFAlqidCAACgkQHsardTLnvCUWWQCg5lP0BwQTXT9KWCE/JWZJdXoZ -zJoAn2ekRH33J6/IH+6OpD/UozWH+50y -=Lfb4 ------END PGP SIGNATURE----- diff --git a/sssd-1.16.2.tar.gz b/sssd-1.16.2.tar.gz new file mode 100644 index 0000000..b93018f --- /dev/null +++ b/sssd-1.16.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:fe5b1fcc5b4359631f7edf25f8940f3155de68e2f4ac7bfeb634687ccabc570c +size 6174144 diff --git a/sssd-1.16.2.tar.gz.asc b/sssd-1.16.2.tar.gz.asc new file mode 100644 index 0000000..7440ddd --- /dev/null +++ b/sssd-1.16.2.tar.gz.asc @@ -0,0 +1,6 @@ +-----BEGIN PGP SIGNATURE----- + +iEYEABECAAYFAlsa2S0ACgkQHsardTLnvCVhKwCgpCRZBHkAyqnRDaPwegBLv4Sh +fYQAoK05cAcmiKBdZWtsLRRZgUOS8X/8 +=U4k5 +-----END PGP SIGNATURE----- diff --git a/sssd.changes b/sssd.changes index 35bf822..94e109f 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,72 @@ +------------------------------------------------------------------- +Sun Jul 1 12:44:00 UTC 2018 - ckowalczyk@suse.com + +- Fixed patch name. + +------------------------------------------------------------------- +Wed Jun 20 10:46:34 UTC 2018 - ckowalczyk@suse.com + +- Introduce patches: + * Create sockets with right permissions: + 0001-SUDO-Create-the-socket-with-stricter-permissions.patch + (bsc#1098377, CVE-2018-10852) + * Fix for sssd upstream integration tests + 0002-intg-Do-not-hardcode-nsslibdir.patch + (bsc#1098163) + +------------------------------------------------------------------- +Wed Jun 20 08:38:53 UTC 2018 - varkoly@suse.com + +- Update to new minor upstream release 1.16.2 +New Features: + * The smart card authentication, or in more general certificate + authentication code now supports OpenSSL in addition to previously + supported NSS (#3489). In addition, the SSH responder can now + return public SSH keys derived from the public keys stored in a + X.509 certificate. Please refer to the ssh_use_certificate_keys + option in the man pages. + * The files provider now supports mirroring multiple passwd or + group files. This enhancement can be used to use the SSSD files + provider instead of the nss_altfiles module +Bugfixes: + * A memory handling issue in the nss_ex interface was fixed. This + bug would manifest in IPA environments with a trusted AD domain + as a crash of the ns-slapd process, because a ns-slapd plugin + loads the nss_ex interface (#3715) + * Several fixes for the KCM deamon were merged (see #3687, #3671, #3633) + * The ad_site override is now honored in GPO code as well (#3646) + * Several potential crashes in the NSS responder’s netgroup code + were fixed (#3679, #3731) + * A potential crash in the autofs responder’s code was fixed (#3752) + * The LDAP provider now supports group renaming (#2653) + * The GPO access control code no longer returns an error if one + of the relevant GPO rules contained no SIDs at all (#3680) + * A memory leak in the IPA provider related to resolving external + AD groups was fixed (#3719) + * Setups that used multiple domains where one of the domains had + its ID space limited using the min_id/max_id options did not + resolve requests by ID properly (#3728) + * Overriding IDs or names did not work correctly when the domain + resolution order was set as well (#3595) + * A version mismatch between certain newer Samba versions (e.g. + those shipped in RHEL-7.5) and the Winbind interface provided + by SSSD was fixed. To further prevent issues like this in the + future, the correct interface is now detected at build time (#3741) + * The files provider no longer returns a qualified name in case + domain resolution order is used (#3743) + * A race condition between evaluating IPA group memberships and + AD group memberships in setups with IPA-AD trusts that would + have manifested as randomly losing IPA group memberships assigned + to an AD user was fixed (#3744) + * Setting an SELinux login label was broken in setups where the + domain resolution order was used (#3740) + * SSSD start up issue on systems that use the libldb library + with version 1.4.0 or newer was fixed. +Introduce a patch: + * Fix build of sssd of 1.16.2 version: + 0003-Fix-build-for-1-16-2-version.patch + (back then called fix-build.patch) + ------------------------------------------------------------------- Fri Apr 27 14:43:58 UTC 2018 - ckowalczyk@suse.com diff --git a/sssd.spec b/sssd.spec index 0dfac7a..7adfc7e 100644 --- a/sssd.spec +++ b/sssd.spec @@ -17,7 +17,7 @@ Name: sssd -Version: 1.16.1 +Version: 1.16.2 Release: 0 Summary: System Security Services Daemon License: GPL-3.0+ and LGPL-3.0+ @@ -31,6 +31,9 @@ Source3: baselibs.conf Source4: sssd.service Source5: %name.keyring BuildRoot: %_tmppath/%name-%version-build +Patch1: 0001-SUDO-Create-the-socket-with-stricter-permissions.patch +Patch2: 0002-intg-Do-not-hardcode-nsslibdir.patch +Patch3: 0003-Fix-build-for-1-16-2-version.patch %define servicename sssd %define sssdstatedir %_localstatedir/lib/sss @@ -80,6 +83,7 @@ BuildRequires: pkgconfig(talloc) BuildRequires: pkgconfig(tdb) >= 1.1.3 BuildRequires: pkgconfig(tevent) BuildRequires: pkgconfig(ndr_krb5pac) +BuildRequires: p11-kit-devel %{?systemd_requires} Requires: sssd-ldap = %version-%release Requires(postun): pam-config @@ -363,6 +367,9 @@ Security Services Daemon (sssd). %prep %setup -q +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 %build %if 0%{?suse_version} < 1210 @@ -424,6 +431,8 @@ EOF find "$b" -type f -name "*.la" -delete rm -Rf "$b/%_sysconfdir/dbus-1" "$b/%_datadir/dbus-1" +rm -rf "$b/usr/lib/debug/usr/lib/sssd/p11_child-1.16.2-0.x86_64.debug" + %find_lang %name --all-name @@ -476,17 +485,17 @@ rm -f /var/lib/sss/db/*.ldb %_mandir/??/man1/sss_ssh_* %_mandir/??/man5/sssd-simple.5* %_mandir/??/man5/sssd-sudo.5* -#%_mandir/??/man5/sssd.conf.5* %_mandir/??/man8/sssd.8* %_mandir/??/man5/sss-certmap.5.gz %_mandir/??/man5/sssd-ad.5.gz -%_mandir/??/man5/sssd-files.5.gz %_mandir/??/man5/sssd-secrets.5.gz %_mandir/??/man5/sssd.conf.5.gz %_mandir/??/man8/idmap_sss.8.gz %_mandir/??/man8/sssctl.8.gz %_mandir/??/man8/sssd-kcm.8.gz %_mandir/??/man5/sssd-simple.5* +%_mandir/??/man5/sssd-session-recording.5.gz +%_mandir/??/man5/sssd-systemtap.5.gz %_mandir/man1/sss_ssh_* %_mandir/man8/sssctl.8* %_mandir/man5/sssd-files.5* @@ -512,6 +521,7 @@ rm -f /var/lib/sss/db/*.ldb %dir %_libdir/ldb/ %_libdir/ldb/memberof.so %dir %_libexecdir/%name/ +%_libexecdir/%name/p11_child %_libexecdir/%name/sssd_autofs %_libexecdir/%name/sssd_be %_libexecdir/%name/sssd_nss @@ -538,6 +548,7 @@ rm -f /var/lib/sss/db/*.ldb %dir %_datadir/%name/sssd.api.d/ %_datadir/%name/sssd.api.d/sssd-local.conf %_datadir/%name/sssd.api.d/sssd-simple.conf +%_datadir/%name/sssd.api.d/sssd-files.conf # # sssd-client #