Accepting request 933746 from network:ldap
OBS-URL: https://build.opensuse.org/request/show/933746 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=112
cf3e4ada6d
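--- /dev/null
+++ b/harden_sssd-ifp.service.patch
@@ -0,0 +1,24 @@
+Index: sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in
+===================================================================
+--- sssd-2.5.2.orig/src/sysv/systemd/sssd-ifp.service.in
++++ sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in
+@@ -5,6 +5,19 @@ After=sssd.service
+BindsTo=sssd.service
+
+[Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+Environment=DEBUG_LOGGER=--logger=files
+EnvironmentFile=-@environment_file@
+Type=dbus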
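Review bot: The directives added under `[Service]` are all path- and namespace-based; nothing in this hunk limits privileges, so `NoNewPrivileges=true`, `RestrictSUIDSGID=true` and `LockPersonality=true` look like safe additions for a `Type=dbus` responder unless sssd_ifp is known to exec setuid helpers. `ProtectSystem=full` leaves /var writable, and the spec in this same commit defines the state directory as `%_localstatedir/lib/sss`, so the responder's own writes should be unaffected; `ProtectSystem=strict` with `ReadWritePaths=/var/lib/sss` would be the stronger follow-up once its log and pipe paths are confirmed. Only sssd-ifp and sssd-kcm receive a hardening patch in this commit; the sssd.service that this unit `BindsTo` is unchanged. The `[Service]` section continues past the end of the hunk, so any directives it already carries after `Type=dbus` are not visible here.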
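--- /dev/null
+++ b/harden_sssd-kcm.service.patch
@@ -0,0 +1,24 @@
+Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
+===================================================================
+--- sssd-2.5.2.orig/src/sysv/systemd/sssd-kcm.service.in
++++ sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
+@@ -8,6 +8,19 @@ After=sssd-kcm.socket
+Also=sssd-kcm.socket
+
+[Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+Environment=DEBUG_LOGGER=--logger=files
+ExecStartPre=-@sbindir@/sssd --genconf-section=kcm
+ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}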
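Review bot: The new sandbox directives also govern `ExecStartPre=-@sbindir@/sssd --genconf-section=kcm`, whose leading `-` tells systemd to ignore a failure; if `--genconf-section` ever needs to write under /etc or /usr (read-only under `ProtectSystem=full`) or open a device node (`PrivateDevices=true`), kcm would start silently without its generated config section. It appears to write the confdb under /var/lib/sss, which `full` leaves writable, but that should be confirmed rather than assumed, or the `-` dropped so a sandbox-induced failure is visible. The responder is started with `--uid 0 --gid 0` and none of the added options reduce capabilities, so a `CapabilityBoundingSet=` line plus `NoNewPrivileges=true` would be the next step for a root daemon that holds users' Kerberos credential caches. The `[Service]` section continues past the end of the hunk.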
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:5e21b3c7b4a2f1063d0fbdd3216d29886b6eaba153b44fb5961698367f399a0f
|
||||
size 7579208
|
@ -1,11 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQEzBAABCAAdFiEEGkHcZ1BfiaMwgotmr/513ehQjhIFAmDsmCgACgkQr/513ehQ
|
||||
jhJgLAf/WNPCzxImSpydiqCw0utxcDj/zcfufOU5tciVGP2Dg6O6+jf21Tl1IzE0
|
||||
dNDloUH6iyIOATWryirveaEIBEpz/8H66bOFEuw+eOY5mnMz+xsI879lvno7KsHj
|
||||
RsJjxSKjLktvOgOb+vYDciRS6Au3AaKCIPP0v5S3LEZtsHlDG6CwoWI7wEN9XN0r
|
||||
/VYo0HG0TIkY2eIfi6pqcr25JzOqTQH3NUW8VbqFWWC7h1XFEBpiftIvHZLrqblP
|
||||
CtHbkdRA8j6u5J285H4g/9Oj/7wtlDOXvkobGdM9MwS5jjKg0XBJJ3A6uHZ5GTX5
|
||||
/ppVxE/WCrZliqxpjP/+BHkaY3DMzA==
|
||||
=2Ag7
|
||||
-----END PGP SIGNATURE-----
|
3
sssd-2.6.1.tar.gz
Normal file
3
sssd-2.6.1.tar.gz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:81d41881d0d1f120717ea80e75daca357e40ccbd0d656eb9f99b5824d59e594d
|
||||
size 7454377
|
11
sssd-2.6.1.tar.gz.asc
Normal file
11
sssd-2.6.1.tar.gz.asc
Normal file
@ -0,0 +1,11 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQEzBAABCAAdFiEEGkHcZ1BfiaMwgotmr/513ehQjhIFAmGKkxIACgkQr/513ehQ
|
||||
jhIkZQgAiFmf+DwcwhY5Qirw7NDgm+6Pmn2uDlSiMfE7B5v/8x0PdnYrnXUGP/qq
|
||||
Y7G6txMYvvMPZU8qW0sGR2RDWQj7BavVx2tdkCwPcBBFAUkfgwrBoJ8du8NucK7i
|
||||
VF3jS8KlPfSXfqPPb6LD4V3ia2WhplqKh3q9ewNkpolTfdiayvtQcHkYeZEHb2qD
|
||||
WI9cICkWzUDpzvaGt3ENbIM+h1SLYv9R/mUlXUrNTZsU+14AhCaUu3PlOBbOhQyU
|
||||
cUT6XrwejhZVQIgPDd1FPOlrf2DIe0OMWd6KWVyvI8ULHnUPQ/s0svj39P3fnWTH
|
||||
EdetPb/xJWmDcej2+HsUXo2JTC3pIA==
|
||||
=jbK/
|
||||
-----END PGP SIGNATURE-----
|
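--- a/sssd.changes
+++ b/sssd.changes
@@ -1,3 +1,32 @@
+-------------------------------------------------------------------
+Tue Nov 23 16:11:48 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+* harden_sssd-ifp.service.patch
+* harden_sssd-kcm.service.patch
+
+-------------------------------------------------------------------
+Tue Nov 9 15:35:58 UTC 2021 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to release 2.6.1
+* New infopipe method FindByValidCertificate().
+* The default value of the "ssh_hash_known_hosts" setting was
+changed to false for the sake of consistency with OpenSSH
+that does not hash host names by default.
+
+-------------------------------------------------------------------
+Fri Oct 15 13:41:13 UTC 2021 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to release 2.6.0
+* Support of legacy json format for ccaches was dropped.
+* Support of long time deprecated secrets responder was dropped.
+* Support of long time deprecated local provider was dropped.
+* The sssctl command was vulnerable to shell command injection
+via the logs-fetch and cache-expire subcommands,
+which was fixed.
+* Basic support of user's 'subuid and subgid ranges' for IPA
+provider and corresponding plugin for shadow-utils were added.
+
 -------------------------------------------------------------------
 Mon Jul 12 19:45:37 UTC 2021 - Jan Engelhardt <jengelh@inai.de>
 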
65
sssd.spec
65
sssd.spec
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package sssd
|
||||
#
|
||||
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
# Copyright (c) 2021 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -17,7 +17,7 @@
|
||||
|
||||
|
||||
Name: sssd
|
||||
Version: 2.5.2
|
||||
Version: 2.6.1
|
||||
Release: 0
|
||||
Summary: System Security Services Daemon
|
||||
License: GPL-3.0-or-later and LGPL-3.0-or-later
|
||||
@ -29,25 +29,8 @@ Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%v
|
||||
Source3: baselibs.conf
|
||||
Source5: %name.keyring
|
||||
Patch1: krb-noversion.diff
|
||||
|
||||
%define servicename sssd
|
||||
%define sssdstatedir %_localstatedir/lib/sss
|
||||
%define dbpath %sssdstatedir/db
|
||||
%define pipepath %sssdstatedir/pipes
|
||||
%define pubconfpath %sssdstatedir/pubconf
|
||||
%define gpocachepath %sssdstatedir/gpo_cache
|
||||
|
||||
# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
|
||||
# /etc/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
|
||||
# * cifs-utils one is the default (priority 20)
|
||||
# * installing SSSD should NOT switch to SSSD plugin (priority 10)
|
||||
%define cifs_idmap_plugin %_sysconfdir/cifs-utils/idmap-plugin
|
||||
%define cifs_idmap_lib %_libdir/cifs-utils/cifs_idmap_sss.so
|
||||
%define cifs_idmap_name cifs-idmap-plugin
|
||||
%define cifs_idmap_priority 10
|
||||
Requires(post): update-alternatives
|
||||
Requires(postun): update-alternatives
|
||||
|
||||
Patch2: harden_sssd-ifp.service.patch
|
||||
Patch3: harden_sssd-kcm.service.patch
|
||||
BuildRequires: autoconf >= 2.59
|
||||
BuildRequires: automake
|
||||
BuildRequires: bind-utils
|
||||
@ -59,6 +42,7 @@ BuildRequires: krb5-devel >= 1.12
|
||||
BuildRequires: libcmocka-devel
|
||||
BuildRequires: libsmbclient-devel
|
||||
BuildRequires: libtool
|
||||
BuildRequires: libunistring-devel
|
||||
BuildRequires: libxml2-tools
|
||||
BuildRequires: libxslt-tools
|
||||
BuildRequires: nscd
|
||||
@ -81,7 +65,7 @@ BuildRequires: pkgconfig(libcrypto)
|
||||
BuildRequires: pkgconfig(libnfsidmap)
|
||||
BuildRequires: pkgconfig(libnl-3.0) >= 3.0
|
||||
BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0
|
||||
BuildRequires: pkgconfig(libpcre) >= 7
|
||||
BuildRequires: pkgconfig(libpcre2-8)
|
||||
BuildRequires: pkgconfig(libsystemd)
|
||||
BuildRequires: pkgconfig(ndr_krb5pac)
|
||||
BuildRequires: pkgconfig(ndr_nbt)
|
||||
@ -99,6 +83,24 @@ Provides: libsss_sudo = %version-%release
|
||||
Provides: sssd-client = %version-%release
|
||||
Obsoletes: libsss_sudo < %version-%release
|
||||
|
||||
%define servicename sssd
|
||||
%define sssdstatedir %_localstatedir/lib/sss
|
||||
%define dbpath %sssdstatedir/db
|
||||
%define pipepath %sssdstatedir/pipes
|
||||
%define pubconfpath %sssdstatedir/pubconf
|
||||
%define gpocachepath %sssdstatedir/gpo_cache
|
||||
|
||||
# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
|
||||
# /etc/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
|
||||
# * cifs-utils one is the default (priority 20)
|
||||
# * installing SSSD should NOT switch to SSSD plugin (priority 10)
|
||||
%define cifs_idmap_plugin %_sysconfdir/cifs-utils/idmap-plugin
|
||||
%define cifs_idmap_lib %_libdir/cifs-utils/cifs_idmap_sss.so
|
||||
%define cifs_idmap_name cifs-idmap-plugin
|
||||
%define cifs_idmap_priority 10
|
||||
Requires(post): update-alternatives
|
||||
Requires(postun): update-alternatives
|
||||
|
||||
%description
|
||||
Provides a set of daemons to manage access to remote directories and
|
||||
authentication mechanisms. It provides an NSS and PAM interface toward
|
||||
@ -363,15 +365,11 @@ Security Services Daemon (sssd).
|
||||
|
||||
%build
|
||||
export LDB_DIR="$(pkg-config ldb --variable=modulesdir)"
|
||||
|
||||
# help configure find nscd
|
||||
export PATH="$PATH:/usr/sbin"
|
||||
|
||||
autoreconf -fiv
|
||||
export CFLAGS="%optflags -fPIE"
|
||||
export LDFLAGS="-pie"
|
||||
%configure \
|
||||
--with-crypto=libcrypto \
|
||||
--with-db-path="%dbpath" \
|
||||
--with-pipe-path="%pipepath" \
|
||||
--with-pubconf-path="%pubconfpath" \
|
||||
@ -394,16 +392,12 @@ export LDFLAGS="-pie"
|
||||
|
||||
%install
|
||||
# sss_obfuscate is compatible with both python 2 and 3
|
||||
sed -i -e 's:%_bindir/python:%_bindir/python3:' src/tools/sss_obfuscate
|
||||
|
||||
perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate
|
||||
%make_install
|
||||
b="%buildroot"
|
||||
|
||||
#for i in cs cs/man8 nl nl/man8 pt pt/man8 uk uk/man1 uk/man5 uk/man8; do
|
||||
# mkdir -p "$b/%_mandir/$i"
|
||||
#done
|
||||
# Copy some defaults
|
||||
mkdir -p "$b/%_sysconfdir/sssd" "$b/%_sysconfdir/sssd/conf.d"
|
||||
mkdir -pv "$b/%_sysconfdir/sssd" "$b/%_sysconfdir/sssd/conf.d"
|
||||
install -m600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf"
|
||||
install -d "$b/%_unitdir"
|
||||
install -d "$b/%_sysconfdir/logrotate.d"
|
||||
@ -415,7 +409,7 @@ find "$b" -type f -name "*.la" -print -delete
|
||||
%find_lang %name --all-name
|
||||
|
||||
# dummy target for cifs-idmap-plugin
|
||||
mkdir -p %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils
|
||||
mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils
|
||||
ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin
|
||||
|
||||
%check
|
||||
@ -513,7 +507,6 @@ fi
|
||||
%_mandir/??/man5/sssd-ad.5*
|
||||
%_mandir/??/man5/sssd-files.5*
|
||||
%_mandir/??/man5/sssd-ldap-attributes.5*
|
||||
%_mandir/??/man5/sssd-secrets.5*
|
||||
%_mandir/??/man5/sssd-session-recording.5*
|
||||
%_mandir/??/man5/sssd-simple.5*
|
||||
%_mandir/??/man5/sssd-sudo.5*
|
||||
@ -578,7 +571,6 @@ fi
|
||||
%_datadir/%name/cfg_rules.ini
|
||||
%_datadir/%name/sssd.api.conf
|
||||
%dir %_datadir/%name/sssd.api.d/
|
||||
%_datadir/%name/sssd.api.d/sssd-local.conf
|
||||
%_datadir/%name/sssd.api.d/sssd-simple.conf
|
||||
%_datadir/%name/sssd.api.d/sssd-files.conf
|
||||
#
|
||||
@ -591,6 +583,7 @@ fi
|
||||
%_libdir/%name/modules/sssd_krb5_localauth_plugin.so
|
||||
%_mandir/??/man8/sssd_krb5_locator_plugin.8*
|
||||
%_mandir/??/man8/pam_sss.8*
|
||||
%_mandir/??/man8/pam_sss_gss.8*
|
||||
%_mandir/man8/pam_sss.8*
|
||||
%_mandir/man8/pam_sss_gss.8*
|
||||
%_mandir/man8/sssd_krb5_locator_plugin.8*
|
||||
@ -642,7 +635,6 @@ fi
|
||||
%dir %_libexecdir/sssd/
|
||||
%_libexecdir/sssd/sssd_kcm
|
||||
%dir %_libdir/sssd/
|
||||
%_libdir/sssd/libsss_secrets.so
|
||||
%_mandir/man8/sssd-kcm.8*
|
||||
%_mandir/??/man8/sssd-kcm.8*
|
||||
%_datadir/sssd-kcm/
|
||||
@ -698,6 +690,7 @@ fi
|
||||
%_mandir/??/man8/sss_*.8*
|
||||
%_mandir/man8/sssctl.8*
|
||||
%_mandir/man8/sss_*.8*
|
||||
%python3_sitelib/sssd/
|
||||
|
||||
%files winbind-idmap
|
||||
%_libdir/samba/
|
||||
|
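Review bot: `Patch2: harden_sssd-ifp.service.patch` and `Patch3: harden_sssd-kcm.service.patch` are declared next to `Patch1: krb-noversion.diff`, but the %prep section is not part of this diff, so it is not visible whether they are applied; with a plain `%setup` plus `%patch1` the hardening would never reach the installed units, so confirm `%autosetup -p1`/`%autopatch` is in use or add `%patch2 -p1` and `%patch3 -p1`. Both patches carry `Index:`/`---` paths rooted at sssd-2.5.2 while `Version:` now reads 2.6.1; harmless with -p1, but regenerating them against the 2.6.1 tree avoids fuzz. The dropped `libsss_secrets.so`, `sssd-secrets.5` and `sssd-local.conf` file entries are consistent with the secrets responder and local provider removals recorded in sssd.changes for 2.6.0.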