Accepting request 620031 from network:ldap

OBS-URL: https://build.opensuse.org/request/show/620031 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=89
2018-07-02 21:28:55 +00:00 · 2018-07-02 21:28:55 +00:00 · 7a3c999c8b
commit 7a3c999c8b
parent 0020974137 a03258dbe5
9 changed files with 194 additions and 12 deletions
--- a/0001-SUDO-Create-the-socket-with-stricter-permissions.patch
+++ b/0001-SUDO-Create-the-socket-with-stricter-permissions.patch
@ -0,0 +1,45 @@
 From 06193adc0de042484f672cadd0808c78c5ebb70e Mon Sep 17 00:00:00 2001
 From: Jakub Hrozek <jhrozek@redhat.com>
 Date: Fri, 15 Jun 2018 22:29:34 +0200
 Subject: [PATCH] SUDO: Create the socket with stricter permissions
 This patch switches the sudo responder from being created as a public
 responder where the permissions are open and not checked by the sssd
 deaamon to a private socket. In this case, sssd creates the pipes with
 strict permissions (see the umask in the call to create_pipe_fd() in
 set_unix_socket()) and additionaly checks the permissions with every read
 via the tevent integrations (see accept_fd_handler()).
 ---
 src/responder/sudo/sudosrv.c         | 3 ++-
 src/sysv/systemd/sssd-sudo.socket.in | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)
 diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
 index ac4258710d3a9b48285522abd23bdd59ba42ad4e..e87a24499c2d82fafaa8e1f9b386e44332394266 100644
 --- a/src/responder/sudo/sudosrv.c
 +++ b/src/responder/sudo/sudosrv.c
@@ -79,7 +79,8 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
     sudo_cmds = get_sudo_cmds();
     ret = sss_process_init(mem_ctx, ev, cdb,
                            sudo_cmds,
 -                           SSS_SUDO_SOCKET_NAME, -1, NULL, -1,
 +                           NULL, -1,                   /* No public socket */
 +                           SSS_SUDO_SOCKET_NAME, -1,   /* Private socket only */
                            CONFDB_SUDO_CONF_ENTRY,
                            SSS_SUDO_SBUS_SERVICE_NAME,
                            SSS_SUDO_SBUS_SERVICE_VERSION,
 diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in
 index c9abb875f0accbaf58d78846020fef74c7473528..96a8b0327ddb4d331c9b2e97ece3453f8f76872d 100644
 --- a/src/sysv/systemd/sssd-sudo.socket.in
 +++ b/src/sysv/systemd/sssd-sudo.socket.in
@@ -11,6 +11,7 @@ ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r sudo
 ListenStream=@pipepath@/sudo
 SocketUser=@SSSD_USER@
 SocketGroup=@SSSD_USER@
 +SocketMode=0600
 [Install]
 WantedBy=sssd.service
 -- 
 2.14.3
--- a/0002-intg-Do-not-hardcode-nsslibdir.patch
+++ b/0002-intg-Do-not-hardcode-nsslibdir.patch
@ -0,0 +1,44 @@
 From b34fcff0f8bccd7b827686b50c53f45b7e20bb44 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
 Date: Tue, 12 Jun 2018 19:07:52 +0200
 Subject: [PATCH] intg: Do not hardcode nsslibdir
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 This change is needed in order to have make intgcheck-run properly
 running on opensuse systems.
 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
 Reviewed-by: Chris Kowalczyk <ckowalczyk@suse.com>
 Reviewed-by: Michal Židek <mzidek@redhat.com>
 ---
 src/tests/intg/Makefile.am  | 1 +
 src/tests/intg/config.py.m4 | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
 diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
 index 9c5338261..4bd427669 100644
 --- a/src/tests/intg/Makefile.am
 +++ b/src/tests/intg/Makefile.am
@@ -73,6 +73,7 @@ cwrap-dbus-system.conf: data/cwrap-dbus-system.conf.in Makefile
 config.py: config.py.m4
 	m4 -D "prefix=\`$(prefix)'" \
 	   -D "sysconfdir=\`$(sysconfdir)'" \
 +	   -D "nsslibdir=\`$(nsslibdir)'" \
 	   -D "dbpath=\`$(dbpath)'" \
 	   -D "pidpath=\`$(pidpath)'" \
 	   -D "logpath=\`$(logpath)'" \
 diff --git a/src/tests/intg/config.py.m4 b/src/tests/intg/config.py.m4
 index 6e011b692..04f78d869 100644
 --- a/src/tests/intg/config.py.m4
 +++ b/src/tests/intg/config.py.m4
@@ -4,7 +4,7 @@ Build configuration variables.
 PREFIX = "prefix"
 SYSCONFDIR = "sysconfdir"
 -NSS_MODULE_DIR = PREFIX + "/lib"
 +NSS_MODULE_DIR = "nsslibdir"
 SSSDCONFDIR = SYSCONFDIR + "/sssd"
 CONF_PATH = SSSDCONFDIR + "/sssd.conf"
 DB_PATH = "dbpath"
--- a/0003-Fix-build-for-1-16-2-version.patch
+++ b/0003-Fix-build-for-1-16-2-version.patch
@ -0,0 +1,13 @@
 diff --git a/Makefile.am b/Makefile.am
 index 9539b3c..8e76a03 100644
 --- a/Makefile.am
 +++ b/Makefile.am
@@ -975,6 +975,7 @@ libsss_cert_la_LIBADD = \
     $(TALLOC_LIBS) \
     $(TEVENT_LIBS) \
     libsss_crypt.la \
 +    libsss_child.la \
     libsss_debug.la \
     libsss_certmap.la \
     $(NULL)
--- a/sssd-1.16.1.tar.gz
+++ b/sssd-1.16.1.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:2dbf677851afdefcdf57eccaf25d59eb682a2994ad2a2dbf419003930a0b506e
 size 5992778
--- a/sssd-1.16.1.tar.gz.asc
+++ b/sssd-1.16.1.tar.gz.asc
@ -1,6 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iEYEABECAAYFAlqidCAACgkQHsardTLnvCUWWQCg5lP0BwQTXT9KWCE/JWZJdXoZ
 zJoAn2ekRH33J6/IH+6OpD/UozWH+50y
 =Lfb4
 -----END PGP SIGNATURE-----
--- a/sssd-1.16.2.tar.gz
+++ b/sssd-1.16.2.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:fe5b1fcc5b4359631f7edf25f8940f3155de68e2f4ac7bfeb634687ccabc570c
 size 6174144
--- a/sssd-1.16.2.tar.gz.asc
+++ b/sssd-1.16.2.tar.gz.asc
@ -0,0 +1,6 @@
 -----BEGIN PGP SIGNATURE-----
 iEYEABECAAYFAlsa2S0ACgkQHsardTLnvCVhKwCgpCRZBHkAyqnRDaPwegBLv4Sh
 fYQAoK05cAcmiKBdZWtsLRRZgUOS8X/8
 =U4k5
 -----END PGP SIGNATURE-----
--- a/sssd.changes
+++ b/sssd.changes
@ -1,3 +1,72 @@
 -------------------------------------------------------------------
 Sun Jul  1 12:44:00 UTC 2018 - ckowalczyk@suse.com
 - Fixed patch name. 
 -------------------------------------------------------------------
 Wed Jun 20 10:46:34 UTC 2018 - ckowalczyk@suse.com
 - Introduce patches:
  * Create sockets with right permissions:
    0001-SUDO-Create-the-socket-with-stricter-permissions.patch
    (bsc#1098377, CVE-2018-10852)
  * Fix for sssd upstream integration tests
    0002-intg-Do-not-hardcode-nsslibdir.patch
    (bsc#1098163) 
 -------------------------------------------------------------------
 Wed Jun 20 08:38:53 UTC 2018 - varkoly@suse.com
 - Update to new minor upstream release 1.16.2
 New Features:
  * The smart card authentication, or in more general certificate
    authentication code now supports OpenSSL in addition to previously
    supported NSS (#3489). In addition, the SSH responder can now
    return public SSH keys derived from the public keys stored in a
    X.509 certificate. Please refer to the ssh_use_certificate_keys
    option in the man pages.
  * The files provider now supports mirroring multiple passwd or
    group files. This enhancement can be used to use the SSSD files
    provider instead of the nss_altfiles module
 Bugfixes:
  * A memory handling issue in the nss_ex interface was fixed. This
    bug would manifest in IPA environments with a trusted AD domain
    as a crash of the ns-slapd process, because a ns-slapd plugin
    loads the nss_ex interface (#3715)
  * Several fixes for the KCM deamon were merged (see #3687, #3671, #3633)
  * The ad_site override is now honored in GPO code as well (#3646)
  * Several potential crashes in the NSS responder’s netgroup code
    were fixed (#3679, #3731)
  * A potential crash in the autofs responder’s code was fixed (#3752)
  * The LDAP provider now supports group renaming (#2653)
  * The GPO access control code no longer returns an error if one
    of the relevant GPO rules contained no SIDs at all (#3680)
  * A memory leak in the IPA provider related to resolving external
    AD groups was fixed (#3719)
  * Setups that used multiple domains where one of the domains had
    its ID space limited using the min_id/max_id options did not
    resolve requests by ID properly (#3728)
  * Overriding IDs or names did not work correctly when the domain
    resolution order was set as well (#3595)
  * A version mismatch between certain newer Samba versions (e.g.
    those shipped in RHEL-7.5) and the Winbind interface provided
    by SSSD was fixed. To further prevent issues like this in the
    future, the correct interface is now detected at build time (#3741)
  * The files provider no longer returns a qualified name in case
    domain resolution order is used (#3743)
  * A race condition between evaluating IPA group memberships and
    AD group memberships in setups with IPA-AD trusts that would
    have manifested as randomly losing IPA group memberships assigned
    to an AD user was fixed (#3744)
  * Setting an SELinux login label was broken in setups where the
    domain resolution order was used (#3740)
  * SSSD start up issue on systems that use the libldb library
    with version 1.4.0 or newer was fixed.
 Introduce a patch:
  * Fix build of sssd of 1.16.2 version:
    0003-Fix-build-for-1-16-2-version.patch
    (back then called fix-build.patch)
 -------------------------------------------------------------------
 Fri Apr 27 14:43:58 UTC 2018 - ckowalczyk@suse.com
--- a/sssd.spec
+++ b/sssd.spec
@ -17,7 +17,7 @@
 Name:           sssd
-Version:        1.16.1
+Version:        1.16.2
 Release:        0
 Summary:        System Security Services Daemon
 License:        GPL-3.0+ and LGPL-3.0+
@ -31,6 +31,9 @@ Source3:        baselibs.conf
 Source4:        sssd.service
 Source5:        %name.keyring
 BuildRoot:      %_tmppath/%name-%version-build
 Patch1:         0001-SUDO-Create-the-socket-with-stricter-permissions.patch
 Patch2:         0002-intg-Do-not-hardcode-nsslibdir.patch
 Patch3:         0003-Fix-build-for-1-16-2-version.patch
 %define servicename	sssd
 %define sssdstatedir	%_localstatedir/lib/sss
@ -80,6 +83,7 @@ BuildRequires:  pkgconfig(talloc)
 BuildRequires:  pkgconfig(tdb) >= 1.1.3
 BuildRequires:  pkgconfig(tevent)
 BuildRequires:  pkgconfig(ndr_krb5pac)
 BuildRequires:  p11-kit-devel
 %{?systemd_requires}
 Requires:       sssd-ldap = %version-%release
 Requires(postun): pam-config
@ -363,6 +367,9 @@ Security Services Daemon (sssd).
 %prep
 %setup -q
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %build
 %if 0%{?suse_version} < 1210
@ -424,6 +431,8 @@ EOF
 find "$b" -type f -name "*.la" -delete
 rm -Rf "$b/%_sysconfdir/dbus-1" "$b/%_datadir/dbus-1"
 rm -rf "$b/usr/lib/debug/usr/lib/sssd/p11_child-1.16.2-0.x86_64.debug"
 %find_lang %name --all-name
@ -476,17 +485,17 @@ rm -f /var/lib/sss/db/*.ldb
 %_mandir/??/man1/sss_ssh_*
 %_mandir/??/man5/sssd-simple.5*
 %_mandir/??/man5/sssd-sudo.5*
 #%_mandir/??/man5/sssd.conf.5*
 %_mandir/??/man8/sssd.8*
 %_mandir/??/man5/sss-certmap.5.gz
 %_mandir/??/man5/sssd-ad.5.gz
 %_mandir/??/man5/sssd-files.5.gz
 %_mandir/??/man5/sssd-secrets.5.gz
 %_mandir/??/man5/sssd.conf.5.gz
 %_mandir/??/man8/idmap_sss.8.gz
 %_mandir/??/man8/sssctl.8.gz
 %_mandir/??/man8/sssd-kcm.8.gz
 %_mandir/??/man5/sssd-simple.5*
 %_mandir/??/man5/sssd-session-recording.5.gz
 %_mandir/??/man5/sssd-systemtap.5.gz
 %_mandir/man1/sss_ssh_*
 %_mandir/man8/sssctl.8*
 %_mandir/man5/sssd-files.5*
@ -512,6 +521,7 @@ rm -f /var/lib/sss/db/*.ldb
 %dir %_libdir/ldb/
 %_libdir/ldb/memberof.so
 %dir %_libexecdir/%name/
 %_libexecdir/%name/p11_child
 %_libexecdir/%name/sssd_autofs
 %_libexecdir/%name/sssd_be
 %_libexecdir/%name/sssd_nss
@ -538,6 +548,7 @@ rm -f /var/lib/sss/db/*.ldb
 %dir %_datadir/%name/sssd.api.d/
 %_datadir/%name/sssd.api.d/sssd-local.conf
 %_datadir/%name/sssd.api.d/sssd-simple.conf
 %_datadir/%name/sssd.api.d/sssd-files.conf
 #
 # sssd-client
 #