Accepting request 1296905 from network:ldap

- Update to release 2.11.1

OBS-URL: https://build.opensuse.org/request/show/1296905
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=144

0001-Configuration-make-sure-etc-sssd-and-everything.patch

@@ -1,76 +0,0 @@
-From 8db2df4fcbd09badafbc207bd4150b5f1cc2d5fb Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Thu, 24 Oct 2024 15:34:26 +0200
-Subject: [PATCH] Configuration: make sure /etc/sssd and everything
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-beneath is owned by 'sssd' group and readable by group.
-
-This should allow for reasonable rw-r----- root:sssd
-
-At some points those chown/chmod can be removed.
-
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-(cherry picked from commit 518db322fdd5a4de41813fbe5bc35fc20392ce67)
----
- contrib/sssd.spec.in                 | 4 ++--
- src/sysv/systemd/sssd-kcm.service.in | 5 ++---
- src/sysv/systemd/sssd.service.in     | 6 ++----
- 3 files changed, 6 insertions(+), 9 deletions(-)
-
-diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
-index 4fbacb959..83de563f3 100644
---- a/contrib/sssd.spec.in
-+++ b/contrib/sssd.spec.in
-@@ -1136,9 +1136,9 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d /run/sssd -s /sbin/nologi
- %__rm -f %{mcpath}/group
- %__rm -f %{mcpath}/initgroups
- %__rm -f %{mcpath}/sid
-+%__chown -f -R root:%{sssd_user} %{_sysconfdir}/sssd || true
-+%__chmod -f -R g+r %{_sysconfdir}/sssd || true
- %__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true
--%__chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true
--%__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true
- %__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
- %__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true
- %__chown -f %{sssd_user}:%{sssd_user} %{gpocachepath}/* || true
-diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
-index 0c839ec5c..ba9e27cd9 100644
---- a/src/sysv/systemd/sssd-kcm.service.in
-+++ b/src/sysv/systemd/sssd-kcm.service.in
-@@ -9,9 +9,8 @@ Also=sssd-kcm.socket
- 
- [Service]
- Environment=DEBUG_LOGGER=--logger=files
--ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
--ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
--ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
-+ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
-+ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
- ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb"
- ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log
- ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER}
-diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
-index 37e0a63f8..a6f79ff8a 100644
---- a/src/sysv/systemd/sssd.service.in
-+++ b/src/sysv/systemd/sssd.service.in
-@@ -10,10 +10,8 @@ StartLimitBurst=5
- [Service]
- Environment=DEBUG_LOGGER=--logger=files
- EnvironmentFile=-@environment_file@
--ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
--ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
--ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
--ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/pki
-+ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
-+ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
- ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @dbpath@/*.ldb"
- ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @gpocachepath@/*"
- ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/*.log"
--- 
-2.47.0
-

0001-INI-relax-config-files-checks.patch

@@ -1,135 +0,0 @@
-From 340671f16abb9c26ae97b11c4e2845337e67973e Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Wed, 23 Oct 2024 20:59:32 +0200
-Subject: [PATCH] INI: relax config files checks
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Only make sure:
- - user is root or sssd
- - group is root or sssd
- - other can't access it
-
-Don't make any assumptions wrt user/group read/write-ability.
-
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-(cherry picked from commit 8472777ec472607ea450ddb4c4666017bd0de704)
----
- src/man/sssd.conf.5.xml |  5 ++-
- src/util/sss_ini.c      | 68 +++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 70 insertions(+), 3 deletions(-)
-
-diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
-index a074cc674..bf10acb2a 100644
---- a/src/man/sssd.conf.5.xml
-+++ b/src/man/sssd.conf.5.xml
-@@ -57,9 +57,8 @@
-             readable, and writeable only by 'root'.
-         </para>
-         <para condition="with_non_root_user_support">
--            <filename>sssd.conf</filename> must be a regular file that is owned,
--            readable, and writeable by the same user as configured to run SSSD
--            service.
-+            <filename>sssd.conf</filename> must be a regular file that is
-+            accessible only by the user used to run SSSD service or root.
-         </para>
-     </refsect1>
- 
-diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
-index e989d8caf..74cf61e0e 100644
---- a/src/util/sss_ini.c
-+++ b/src/util/sss_ini.c
-@@ -26,6 +26,7 @@
- #include <unistd.h>
- #include <string.h>
- #include <errno.h>
-+#include <sys/stat.h>
- #include <talloc.h>
- 
- #include "config.h"
-@@ -781,6 +782,71 @@ int sss_ini_open(struct sss_ini *self,
-     return ret;
- }
- 
-+static int access_check_file(const char *filename)
-+{
-+    int ret;
-+    struct stat st;
-+    uid_t uid;
-+    gid_t gid;
-+
-+    sss_sssd_user_uid_and_gid(&uid, &gid);
-+
-+    ret = stat(filename, &st);
-+    if (ret != 0) {
-+        ret = errno;
-+        DEBUG(SSSDBG_CRIT_FAILURE, "stat(%s) failed: %s\n",
-+              filename, strerror(ret));
-+        return EINVAL;
-+    }
-+
-+    if ((st.st_uid != 0) && (st.st_uid != uid)) {
-+        DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected user owner of '%s': %"SPRIuid"\n",
-+              filename, st.st_uid);
-+        return ERR_INI_INVALID_PERMISSION;
-+    }
-+
-+    if ((st.st_gid != 0) && (st.st_gid != gid)) {
-+        DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected group owner of '%s': %"SPRIgid"\n",
-+              filename, st.st_gid);
-+        return ERR_INI_INVALID_PERMISSION;
-+    }
-+
-+    if ((st.st_mode & (S_IROTH|S_IWOTH|S_IXOTH)) != 0) {
-+        DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected access to '%s' by other users\n",
-+              filename);
-+        return ERR_INI_INVALID_PERMISSION;
-+    }
-+
-+    return EOK;
-+}
-+
-+static int access_check_ini(struct sss_ini *self)
-+{
-+    int ret;
-+    const char *path;
-+    uint32_t i;
-+    const char **snippet;
-+    struct ref_array *used_snippets;
-+
-+    if (self->main_config_exists) {
-+        path = ini_config_get_filename(self->file);
-+        ret = access_check_file(path);
-+        if (ret != EOK) {
-+            return ret;
-+        }
-+    }
-+
-+    used_snippets = sss_ini_get_ra_success_list(self);
-+    for (i = 0; (snippet = ref_array_get(used_snippets, i, NULL)) != NULL; ++i) {
-+        ret = access_check_file(*snippet);
-+        if (ret != EOK) {
-+            return ret;
-+        }
-+    }
-+
-+    return EOK;
-+}
-+
- int sss_ini_read_sssd_conf(struct sss_ini *self,
-                            const char *config_file,
-                            const char *config_dir)
-@@ -833,5 +899,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
-         return ERR_INI_EMPTY_CONFIG;
-     }
- 
-+    ret = access_check_ini(self);
-+
-     return ret;
- }
--- 
-2.47.0
-

0001-INI-stop-using-libini_config-for-access-check.patch

@@ -1,182 +0,0 @@
-From 1d19b8ad9415e0a12ed3aaf039d4d0956ef4dbad Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Wed, 23 Oct 2024 19:53:09 +0200
-Subject: [PATCH] INI: stop using 'libini_config' for access check
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
----
- src/util/sss_ini.c |  100 +----------------------------------------------------
- src/util/sss_ini.h |   12 ------
- 2 files changed, 3 insertions(+), 109 deletions(-)
-
-Index: sssd-2.10.0/src/util/sss_ini.c
-===================================================================
---- sssd-2.10.0.orig/src/util/sss_ini.c
-+++ sssd-2.10.0/src/util/sss_ini.c
-@@ -147,81 +147,6 @@ static int sss_ini_config_file_from_mem(
-                                    &self->file);
- }
- 
--/* Check configuration file permissions */
--
--static bool is_running_sssd(void)
--{
--    static char exe[1024];
--    int ret;
--    const char *s = NULL;
--
--    ret = readlink("/proc/self/exe", exe, sizeof(exe) - 1);
--    if ((ret > 0) && (ret < 1024)) {
--        exe[ret] = 0;
--        s = strstr(exe, debug_prg_name);
--        if ((s != NULL) && (strlen(s) == strlen(debug_prg_name))) {
--            return true;
--        }
--    }
--
--    return false;
--}
--
--static int sss_ini_access_check(struct sss_ini *self)
--{
--    int ret;
--    uint32_t flags = INI_ACCESS_CHECK_MODE;
--
--    if (!self->main_config_exists) {
--        return EOK;
--    }
--
--    if (is_running_sssd()) {
--        flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID;
--    }
--
--    ret = ini_config_access_check(self->file,
--                                  flags,
--                                  geteuid(),
--                                  getegid(),
--                                  S_IRUSR, /* r**------ */
--                                  ALLPERMS & ~(S_IWUSR|S_IXUSR));
--
--    return ret;
--}
--
--
--
--/* Get cstat */
--
--int sss_ini_get_stat(struct sss_ini *self)
--{
--    self->cstat = ini_config_get_stat(self->file);
--
--    if (!self->cstat) return EIO;
--
--    return EOK;
--}
--
--
--
--/* Get mtime */
--
--int sss_ini_get_mtime(struct sss_ini *self,
--                      size_t timestr_len,
--                      char *timestr)
--{
--    return snprintf(timestr, timestr_len, "%llu",
--                    (long long unsigned)self->cstat->st_mtime);
--}
--
--/* Get file_exists */
--
--bool sss_ini_exists(struct sss_ini *self)
--{
--    return self->main_config_exists;
--}
--
- /* Print ini_config errors */
- 
- static void sss_ini_config_print_errors(char **error_list)
-@@ -289,7 +214,6 @@ static int sss_ini_add_snippets(struct s
-     uint32_t i = 0;
-     char *msg = NULL;
-     struct ini_cfgobj *modified_sssd_config = NULL;
--    struct access_check snip_check;
- 
-     if (self == NULL || self->sssd_config == NULL || config_dir == NULL) {
-         return EINVAL;
-@@ -297,21 +221,11 @@ static int sss_ini_add_snippets(struct s
- 
-     sss_ini_free_ra_messages(self);
- 
--    snip_check.flags = INI_ACCESS_CHECK_MODE;
--
--    if (is_running_sssd()) {
--        snip_check.flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID;
--    }
--    snip_check.uid = geteuid();
--    snip_check.gid = getegid();
--    snip_check.mode = S_IRUSR; /* r**------ */
--    snip_check.mask = ALLPERMS & ~(S_IWUSR | S_IXUSR);
--
-     ret = ini_config_augment(self->sssd_config,
-                              config_dir,
-                              patterns,
-                              sections,
--                             &snip_check,
-+                             NULL,
-                              INI_STOP_ON_ANY,
-                              INI_MV1S_OVERWRITE,
-                              INI_PARSE_NOWRAP,
-@@ -894,15 +808,7 @@ int sss_ini_read_sssd_conf(struct sss_in
-         return ERR_INI_OPEN_FAILED;
-     }
- 
--    if (sss_ini_exists(self)) {
--        ret = sss_ini_access_check(self);
--        if (ret != EOK) {
--            DEBUG(SSSDBG_CRIT_FAILURE,
--                  "Permission check on config file %s failed: %d\n",
--                  config_file, ret);
--            return ERR_INI_INVALID_PERMISSION;
--        }
--    } else {
-+    if (!self->main_config_exists) {
-         DEBUG(SSSDBG_CONF_SETTINGS,
-               "File %s does not exist.\n", config_file);
-     }
-@@ -923,7 +829,7 @@ int sss_ini_read_sssd_conf(struct sss_in
-         return ERR_INI_ADD_SNIPPETS_FAILED;
-     }
- 
--    if (!sss_ini_exists(self) &&
-+    if ((!self->main_config_exists) &&
-         (ref_array_len(sss_ini_get_ra_success_list(self)) == 0)) {
-         return ERR_INI_EMPTY_CONFIG;
-     }
-Index: sssd-2.10.0/src/util/sss_ini.h
-===================================================================
---- sssd-2.10.0.orig/src/util/sss_ini.h
-+++ sssd-2.10.0/src/util/sss_ini.h
-@@ -81,18 +81,6 @@ int sss_ini_open(struct sss_ini *self,
-                  const char *fallback_cfg);
- 
- /**
-- * @brief Check whether sss_ini_open() reported that ini file is
-- *        not present
-- *
-- * @param[in] self  pointer to sss_ini structure
-- *
-- * @return
-- *   - true   we are using ini file
-- *   - false  file was not found
-- */
--bool sss_ini_exists(struct sss_ini *self);
--
--/**
-  * @brief get Cstat structure of the ini file
-  */
- int sss_ini_get_stat(struct sss_ini *self);

0001-TOOL-Fix-build-parameter-name-omitted.patch

@@ -0,0 +1,85 @@
+From b927ca4196f828bda6d5db6c6a6d852389bfede0 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Thu, 2 Jan 2025 14:09:17 +0100
+Subject: [PATCH] TOOL: Fix build, parameter name omitted
+
+Signed-off-by: Samuel Cabrero <scabrero@suse.de>
+---
+ src/tools/sssctl/sssctl_data.c | 8 ++++----
+ src/tools/sssctl/sssctl_logs.c | 6 +++---
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
+index b28556e73..a473e7e14 100644
+--- a/src/tools/sssctl/sssctl_data.c
++++ b/src/tools/sssctl/sssctl_data.c
+@@ -125,7 +125,7 @@ static errno_t sssctl_backup(bool force)
+ }
+ 
+ errno_t sssctl_client_data_backup(struct sss_cmdline *cmdline,
+-                                  struct sss_tool_ctx *)
++                                  struct sss_tool_ctx *tool_ctx)
+ {
+     struct sssctl_data_opts opts = {0};
+     errno_t ret;
+@@ -184,7 +184,7 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
+ }
+ 
+ errno_t sssctl_client_data_restore(struct sss_cmdline *cmdline,
+-                                   struct sss_tool_ctx *)
++                                   struct sss_tool_ctx *tool_ctx)
+ {
+     struct sssctl_data_opts opts = {0};
+     errno_t ret;
+@@ -206,7 +206,7 @@ errno_t sssctl_client_data_restore(struct sss_cmdline *cmdline,
+ }
+ 
+ errno_t sssctl_cache_remove(struct sss_cmdline *cmdline,
+-                            struct sss_tool_ctx *)
++                            struct sss_tool_ctx *tool_ctx)
+ {
+     struct sssctl_data_opts opts = {0};
+     errno_t ret;
+@@ -413,7 +413,7 @@ done:
+ }
+ 
+ errno_t sssctl_cache_index(struct sss_cmdline *cmdline,
+-                           struct sss_tool_ctx *)
++                           struct sss_tool_ctx *tool_ctx)
+ {
+     const char *attr = NULL;
+     const char *action_str = NULL;
+diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
+index f8ef9f2c6..8ba18b394 100644
+--- a/src/tools/sssctl/sssctl_logs.c
++++ b/src/tools/sssctl/sssctl_logs.c
+@@ -418,7 +418,7 @@ int parse_debug_level(const char *strlevel)
+ }
+ 
+ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
+-                           struct sss_tool_ctx *)
++                           struct sss_tool_ctx *tool_ctx)
+ {
+     struct sssctl_logs_opts opts = {0};
+     errno_t ret;
+@@ -470,7 +470,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
+ }
+ 
+ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
+-                          struct sss_tool_ctx *)
++                          struct sss_tool_ctx *tool_ctx)
+ {
+     const char *file = NULL;
+     errno_t ret;
+@@ -587,7 +587,7 @@ fini:
+ }
+ 
+ errno_t sssctl_analyze(struct sss_cmdline *cmdline,
+-                       struct sss_tool_ctx *)
++                       struct sss_tool_ctx *tool_ctx)
+ {
+ #ifndef BUILD_CHAIN_ID
+     PRINT("ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n");
+-- 
+2.47.1
+

0001-sssd-always-print-path-when-config-object-is-rejecte.patch

@@ -1,75 +0,0 @@
-From 1a743a4123c104a10c694f7ee9d2f0a1e7182513 Mon Sep 17 00:00:00 2001
-From: Jan Engelhardt <jengelh@inai.de>
-Date: Wed, 16 Oct 2024 09:55:50 +0200
-Subject: [PATCH] sssd: always print path when config object is rejected
-References: https://github.com/SSSD/sssd/pull/7649
-
-Observed:
-
-```
-Oct 16 09:44:04 a4 sssd[28717]: [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
-Oct 16 09:44:04 a4 sssd[28717]: Can't read config: 'File ownership and permissions check failed'
-Oct 16 09:44:04 a4 sssd[28717]: Failed to read configuration: 'File ownership and permissions check failed'
-```
-
-Expected:
-
-_Well yes, but **which one**_!?
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
-(cherry picked from commit 2b7915dd84a6b8c3ee26e45357283677fe22f2cb)
----
- src/util/sss_ini.c | 14 ++++++++------
- 1 file changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
-index 7f9824d88..2a611eb8c 100644
---- a/src/util/sss_ini.c
-+++ b/src/util/sss_ini.c
-@@ -888,7 +888,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
-     ret = sss_ini_open(self, config_file, "[sssd]\n");
-     if (ret != EOK) {
-         DEBUG(SSSDBG_CRIT_FAILURE,
--              "The sss_ini_open failed %s: %d\n",
-+              "sss_ini_open on %s failed: %d\n",
-               config_file,
-               ret);
-         return ERR_INI_OPEN_FAILED;
-@@ -898,26 +898,28 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
-         ret = sss_ini_access_check(self);
-         if (ret != EOK) {
-             DEBUG(SSSDBG_CRIT_FAILURE,
--                  "Permission check on config file failed.\n");
-+                  "Permission check on config file %s failed: %d\n",
-+                  config_file, ret);
-             return ERR_INI_INVALID_PERMISSION;
-         }
-     } else {
-         DEBUG(SSSDBG_CONF_SETTINGS,
--              "File %1$s does not exist.\n",
--              (config_file ? config_file : "NULL"));
-+              "File %s does not exist.\n", config_file);
-     }
- 
-     ret = sss_ini_parse(self);
-     if (ret != EOK) {
-         sss_ini_config_print_errors(self->error_list);
--        DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration.\n");
-+        DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration file %s: %d\n",
-+              config_file, ret);
-         return ERR_INI_PARSE_FAILED;
-     }
- 
-     ret = sss_ini_add_snippets(self, config_dir);
-     if (ret != EOK) {
-         DEBUG(SSSDBG_FATAL_FAILURE,
--              "Error while reading configuration directory.\n");
-+              "Error while reading configuration directory %s: %d\n",
-+              config_dir, ret);
-         return ERR_INI_ADD_SNIPPETS_FAILED;
-     }
- 
--- 
-2.47.0
-

_scmsync.obsinfo

@@ -1,4 +1,4 @@
-mtime: 1727778278
-commit: 3a2bee3ebf6e89af81880d7927649117d782a0ba9f98f06213bb4744f044b7fb
+mtime: 1753994117
+commit: 0e0d1361c8452d81d3f95f3e2e6ee1170e16356d1e2c4145af472ea204b6b873
 url: https://src.opensuse.org/jengelh/sssd
 revision: master

harden_sssd-kcm.service.patch

@@ -2,10 +2,10 @@
  src/sysv/systemd/sssd-kcm.service.in |   13 +++++++++++++
  1 file changed, 13 insertions(+)
 
-Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
+Index: sssd-2.10.2/src/sysv/systemd/sssd-kcm.service.in
 ===================================================================
---- sssd-2.10.0.orig/src/sysv/systemd/sssd-kcm.service.in
-+++ sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
+--- sssd-2.10.2.orig/src/sysv/systemd/sssd-kcm.service.in
++++ sssd-2.10.2/src/sysv/systemd/sssd-kcm.service.in
 @@ -8,6 +8,19 @@ After=sssd-kcm.socket
  Also=sssd-kcm.socket
  
@@ -24,5 +24,5 @@ Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
 +RestrictRealtime=true
 +# end of automatic additions 
  Environment=DEBUG_LOGGER=--logger=files
- ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
- ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
+ # '-H' is used with @sssdconfdir@ to support use case where /etc/sssd is a symlink.
+ # '-H' only allows following a command line argument itself, everything else encountered due to '-R' isn't followed.

logrotate.patch

@@ -0,0 +1,48 @@
+From: Jan Engelhardt <ej@inai.de>
+Date: 2025-07-18 11:02:24.078457348 +0200
+References: https://bugzilla.suse.com/show_bug.cgi?id=1246537
+References: https://github.com/SSSD/sssd/issues/8041
+
+---
+ src/examples/logrotate.in            |    3 +--
+ src/sysv/systemd/sssd-kcm.service.in |    1 +
+ src/sysv/systemd/sssd.service.in     |    1 +
+ 3 files changed, 3 insertions(+), 2 deletions(-)
+
+Index: sssd-2.11.1/src/examples/logrotate.in
+===================================================================
+--- sssd-2.11.1.orig/src/examples/logrotate.in
++++ sssd-2.11.1/src/examples/logrotate.in
+@@ -8,7 +8,6 @@
+     delaycompress
+     su @SSSD_USER@ @SSSD_USER@
+     postrotate
+-        /bin/kill -HUP `cat @pidpath@/sssd.pid 2>/dev/null` 2> /dev/null || true
+-        /bin/pkill -HUP sssd_kcm 2> /dev/null || true
++        /usr/bin/systemctl try-reload-or-restart sssd sssd_kcm
+     endscript
+ }
+Index: sssd-2.11.1/src/sysv/systemd/sssd-kcm.service.in
+===================================================================
+--- sssd-2.11.1.orig/src/sysv/systemd/sssd-kcm.service.in
++++ sssd-2.11.1/src/sysv/systemd/sssd-kcm.service.in
+@@ -32,6 +32,7 @@ ExecStartPre=+-/bin/chmod -f g+x @sssdco
+ ExecStartPre=+-/bin/sh -c "/bin/chown -f -h @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb"
+ ExecStartPre=+-/bin/sh -c "/bin/chown -f -h @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log*"
+ ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER}
++ExecReload=kill -HUP $MAINPID
+ CapabilityBoundingSet= CAP_DAC_READ_SEARCH CAP_SETGID CAP_SETUID
+ SecureBits=noroot noroot-locked
+ User=@SSSD_USER@
+Index: sssd-2.11.1/src/sysv/systemd/sssd.service.in
+===================================================================
+--- sssd-2.11.1.orig/src/sysv/systemd/sssd.service.in
++++ sssd-2.11.1/src/sysv/systemd/sssd.service.in
+@@ -21,6 +21,7 @@ ExecStartPre=+-/bin/sh -c "/bin/chown -f
+ ExecStartPre=+-/bin/chown -f -R -h @SSSD_USER@:@SSSD_USER@ @gpocachepath@
+ ExecStartPre=+-/bin/sh -c "/bin/chown -f -h @SSSD_USER@:@SSSD_USER@ @logpath@/*.log*"
+ ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
++ExecReload=kill -HUP $MAINPID
+ Type=notify
+ NotifyAccess=main
+ Restart=on-abnormal

sssd-2.10.0.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmcOPUoACgkQ09IbKRDP
-Z1myuA//anDvdZcQp0EUia2NsiWt2MFE8esmsEIN6QmEYjUxvEeXI9q4YJQimMi8
-wdt0zqZE1PLrTcroWaeGcgt2+CJWUbVanZtNn3oo7lUVYrLKemrUzavM7dXTaA43
-cdKAFyEO+nHJQ2yBNUt6sRXc3tM0H27yZs0iL+CcYu6YshUTbMnZuwdpz7DqDTN8
-nbG+LWa+U0en5mI3waP8Ionwmdv9AJAuCHQZLlZDpM0+YfGumcIUJdbxU/I8pqP8
-MQaulPv3e+BNwdbUiLlk0cXRjuEfSd0bmMa3MqB4IqMvvjACU0GuSgK3FDhutZJe
-HfmzYSo/Zntmr7F/eYLz6zy/GU3VewEilOyRV08oz+EVJRbGyo2t4k6PUYbn+I4V
-kJ/maed5jnBzIZGf6o+P1r+3mavJg7k2LDV4s48MsZ4Y5ED4X0c+boT1L5FZbquW
-gp99Di0RG4VoWiYOfVfszLzeDWOLbOrKMyA6PTqlmjGYAdV9SBwZP5WEdwXyPovo
-D7uual7Eqdd+Y/lt+8O4Wd+Y+a9xI2kwVFo8KYmHc8PhgLpPIKTWbBTEI+0nw3fJ
-qqyyA7JWA81bt4WKVuJaeS87S/9F4yn8ps2dzSgHjZ2Tzr7Eu1a3RWLjKYsjKZrT
-PPd2d/02rQAZPwLYHN5qM3Xjh0DD7IiXav1QuIPxmUQA9z8ZiuA=
-=mJVY
------END PGP SIGNATURE-----

sssd-2.11.1.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmiLT74ACgkQ09IbKRDP
+Z1nIIQ/+NjryrInjiH9LmBZKa5wgYE8d49aHxtOc4pySV3CFhVMM0cUT0rO1umy3
++4xlvxDs/7OYdZkJapotcpf8CJDyLttxsA4/0gfBDGoCRsRLAXxnoZ9K7+0PgV5j
+2DbB6+0Ay0JJ9IYjJwoIMbSKiWm2/KuqLBicNoaxvYK/OJc/K+3AkPIyqVmOItl8
+23UOMuMn6NRBJP6m0R+LUEJQ4rW6cej1lc+mqsPYlerHY8BmRFzRcFjVqhsgUpQj
+hCTJwq5iUpbhiyDIpYzGeS5Jr0bxAVeAZbo4YcN2GQVawOjLQYOP7UPWFm80JLbQ
+GEvQHHo2YDBxcZEma6Z614/8aQI6nVzc/DMq3ffPb4E5snMJ+/v9LCGN1jjmCPWo
+TSiYZrt33zeJrmsmnImWT4ejErkt7dLV9qOQS6BTjHGtgNgl4qrbiFLSZZk2oJp6
+1eJERF/uqBmBYJ2Bq7Fq0Gp4u90TK6kgLV8pkz71Tl+BUPjoD8H9b6VMrwY0jiux
+FfE9ZjWDDAlaLqRlbpd6lVHiQfkgCUflw7o5E+jSL96S4X+6e1aCcL3vdkLxFSCa
+PCQggDD+Ng2HvNsqQ8Z1eA0k2wNuYUNLKab2eUcc4siIKmoMsPQkgmLUBINiPMyR
+GR6ZQ6xdiQkBFBC+JplQM5AsVddJ7UZ2DCzUzFkriyqua58Cuyo=
+=DoFI
+-----END PGP SIGNATURE-----

sssd-rpmlintrc

@@ -0,0 +1,2 @@
+# See https://github.com/SSSD/sssd/pull/7794 for details
+addFilter("E: missing-call-to-setgroups-before-setuid")

sssd.changes

@@ -1,3 +1,81 @@
+-------------------------------------------------------------------
+Thu Jul 31 16:15:46 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to release 2.11.1
+  * Fixed AD users in external groups not being cleared once the
+    cache expires.
+  * Fixed `cache_credentials=true` not having any effect.
+  * Fixed socket activation not having an effect for sssd_pam.
+
+-------------------------------------------------------------------
+Fri Jul 18 09:03:19 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- Add logrotate.patch [boo#1246537]
+
+-------------------------------------------------------------------
+Wed Jun 11 14:53:26 UTC 2025 - Samuel Cabrero <scabrero@suse.de>
+
+- Install file in krb5.conf.d to include sssd krb5 config snippets;
+  (bsc#1244325);
+
+-------------------------------------------------------------------
+Thu Jun  5 12:14:03 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to release 2.11
+  * The deprecated tool `sss_ssh_knownhostsproxy` was finally
+    removed.
+  * Support for `id_provider = files` was removed.
+  * SSSD doesn't create any more missing path components of
+    DIR:/FILE: ccache types while acquiring user's TGT.
+  * New generic id and auth provider for Identity Providers (IdPs)
+    for Keycloak/EntraID. [Not enabled in openSUSE for now.]
+
+-------------------------------------------------------------------
+Tue Mar 11 21:35:32 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- Run mkdir/rm with verbose mode for the build log
+
+-------------------------------------------------------------------
+Thu Jan 30 14:24:04 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to release 2.10.2
+  * If the ssh responder is not running, sss_ssh_knownhosts will
+    not fail (but it will not return the keys).
+  * SSSD is now capable of handling multiple services associated
+    with the same port.
+  * sssd_pam, being a privileged binary, now clears the
+    environment and does not allow configuration of the
+    PR_SET_DUMPABLE flag as a precaution.
+
+-------------------------------------------------------------------
+Wed Jan 22 09:21:43 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Drop build dependency on ncsd, which has been deprecated
+  (boo#1239262).
+
+-------------------------------------------------------------------
+Tue Jan 21 16:33:00 UTC 2025 - Samuel Cabrero <scabrero@suse.de>
+
+- Migrate away from update-alternatives, replaced by package
+  conflicts; (bsc#1235789); (bsc#1216739);
+
+-------------------------------------------------------------------
+Tue Dec 10 20:17:10 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to release 2.10.1
+  * SSSD does not create anymore missing path components of
+    DIR:/FILE: ccache types while acquiring user's TGT. The
+    parent directory of requested ccache directory must exist and
+    the user trying to log in must have rwx access to this
+    directory. This matches behavior of /usr/bin/kinit.
+  * The option default_domain_suffix is deprecated.
+- Delete 0001-Configuration-make-sure-etc-sssd-and-everything.patch,
+  0001-INI-relax-config-files-checks.patch,
+  0001-INI-stop-using-libini_config-for-access-check.patch,
+  0001-sssd-always-print-path-when-config-object-is-rejecte.patch
+  (merged)
+- Add 0001-TOOL-Fix-build-parameter-name-omitted.patch
+
 -------------------------------------------------------------------
 Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
 
@@ -20,6 +98,7 @@ Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
   0001-INI-relax-config-files-checks.patch,
   0001-Configuration-make-sure-etc-sssd-and-everything.patch
 - Fix socket activation of responders
+- Daemon runs now as unprivileged user 'sssd'
 
 -------------------------------------------------------------------
 Tue Oct  1 10:15:07 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
@@ -1850,7 +1929,6 @@ Wed Apr  4 16:13:33 PDT 2012 - ben.kevan@gmail.com
   connect to an auth server
 
 -------------------------------------------------------------------
-
 Sun Mar 11 18:36:44 UTC 2012 - jengelh@medozas.de
 
 - Update to new upstream release 1.8.0

sssd.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package sssd
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           sssd
-Version:        2.10.0
+Version:        2.11.1
 Release:        0
 Summary:        System Security Services Daemon
 License:        GPL-3.0-or-later AND LGPL-3.0-or-later
@@ -28,14 +28,13 @@ Source:         https://github.com/SSSD/sssd/releases/download/%version/%name-%v
 Source2:        https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc
 Source3:        baselibs.conf
 Source5:        %name.keyring
-Patch3:         0001-sssd-always-print-path-when-config-object-is-rejecte.patch
-Patch4:         0001-INI-stop-using-libini_config-for-access-check.patch
-Patch5:         0001-INI-relax-config-files-checks.patch
-Patch6:         0001-Configuration-make-sure-etc-sssd-and-everything.patch
+Source6:        %name-rpmlintrc
+Patch1:         0001-TOOL-Fix-build-parameter-name-omitted.patch
 Patch11:        krb-noversion.diff
 Patch12:        harden_sssd-ifp.service.patch
 Patch13:        harden_sssd-kcm.service.patch
 Patch14:        symvers.patch
+Patch15:        logrotate.patch
 BuildRequires:  autoconf >= 2.59
 BuildRequires:  automake
 BuildRequires:  bind-utils
@@ -52,7 +51,7 @@ BuildRequires:  libtool
 BuildRequires:  libunistring-devel
 BuildRequires:  libxml2-tools
 BuildRequires:  libxslt-tools
-BuildRequires:  nscd
+BuildRequires:  libopenssl-3-devel
 BuildRequires:  nss_wrapper
 BuildRequires:  openldap2-devel
 BuildRequires:  pam-devel
@@ -69,13 +68,14 @@ BuildRequires:  pkgconfig(dhash) >= 0.4.2
 BuildRequires:  pkgconfig(glib-2.0)
 BuildRequires:  pkgconfig(ini_config) >= 1.3
 BuildRequires:  pkgconfig(jansson)
-BuildRequires:  pkgconfig(ldb) >= 0.9.2
+BuildRequires:  pkgconfig(ldb) >= 1.2.0
 BuildRequires:  pkgconfig(libcap)
 BuildRequires:  pkgconfig(libcares)
 BuildRequires:  pkgconfig(libcrypto) >= 1.0.1
 %if 0%{?suse_version} >= 1600
 BuildRequires:  pkgconfig(libcurl)
 %endif
+BuildRequires:  pkgconfig(libcap)
 BuildRequires:  pkgconfig(libnfsidmap)
 BuildRequires:  pkgconfig(libnl-3.0) >= 3.0
 BuildRequires:  pkgconfig(libnl-route-3.0) >= 3.0
@@ -90,6 +90,7 @@ BuildRequires:  pkgconfig(p11-kit-1) >= 0.23.3
 BuildRequires:  pkgconfig(popt)
 BuildRequires:  pkgconfig(python3)
 BuildRequires:  pkgconfig(smbclient)
+BuildRequires:  pkgconfig(systemd)
 BuildRequires:  pkgconfig(talloc)
 BuildRequires:  pkgconfig(tdb) >= 1.1.3
 BuildRequires:  pkgconfig(tevent)
@@ -103,6 +104,8 @@ BuildRequires:  pkgconfig(uuid)
 %endif
 %sysusers_requires
 %{?systemd_ordering}
+Requires(post): permissions
+Requires(verify): permissions
 Requires:       sssd-ldap = %version-%release
 Requires(postun): pam-config
 Provides:       libsss_sudo = %version-%release
@@ -111,24 +114,26 @@ Obsoletes:      libsss_sudo < %version-%release
 Provides:       sssd-common = %version-%release
 Obsoletes:      sssd-common < %version-%release
 
+%global sssd_user sssd
 %define servicename	sssd
 %define sssdstatedir	%_localstatedir/lib/sss
 %define dbpath		%sssdstatedir/db
 %define pipepath	%sssdstatedir/pipes
 %define pubconfpath	%sssdstatedir/pubconf
 %define gpocachepath	%sssdstatedir/gpo_cache
+%define keytabdir	%sssdstatedir/keytabs
+%define mcpath		%sssdstatedir/mc
 %define ldbdir %(pkg-config ldb --variable=modulesdir)
 
-# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
-# %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
-# * cifs-utils one is the default (priority 20)
-# * installing SSSD should NOT switch to SSSD plugin (priority 10)
+
+%if 0%{?suse_version} >= 1600
+%define permissions_path %_datadir/permissions/permissions.d/
+%else
+%define permissions_path %_sysconfdir/permissions.d/
+%endif
+
 %define cifs_idmap_plugin       %_sysconfdir/cifs-utils/idmap-plugin
 %define cifs_idmap_lib          %_libdir/cifs-utils/cifs_idmap_sss.so
-%define cifs_idmap_name         cifs-idmap-plugin
-%define cifs_idmap_priority     10
-Requires(post): update-alternatives
-Requires(postun): update-alternatives
 
 %description
 A set of daemons to manage access to remote directories and
@@ -197,6 +202,8 @@ Summary:        SSSD helpers needed for Kerberos and GSSAPI authentication
 License:        GPL-3.0-or-later
 Group:          System/Daemons
 Requires:       cyrus-sasl-gssapi
+Requires(post): permissions
+Requires(verify): permissions
 
 %description krb5-common
 Provides helper processes that the LDAP and Kerberos back ends can
@@ -240,6 +247,23 @@ Group:          System/Libraries
 The idmap_sss module provides a way for Winbind to call SSSD to map
 UIDs/GIDs and SIDs.
 
+%package cifs-idmap-plugin
+Summary:        The sssd idmap plugin for cifs.idmap
+Group:          System/Libraries
+# Conflict as per https://bugzilla.suse.com/1235789
+Provides:       cifs-idmap-plugin
+Conflicts:      cifs-idmap-plugin
+
+%description cifs-idmap-plugin
+The cifs.idmap(8) userspace helper relies on a plugin to handle the
+ID mapping. This package contains the ID mapping plugin that will use
+sssd.
+
+In SUSE systems, only one such plugin can be installed at a time
+(either the one from sssd, or from cifs-utils).
+Without the plugin, file objects in a mounted share have UID/GID of
+the original mounting process.
+
 %package -n libsss_certmap0
 Summary:        FreeIPA ID mapping library
 License:        LGPL-3.0-or-later
@@ -395,9 +419,6 @@ Security Services Daemon (sssd).
 %autosetup -p1
 
 %build
-# help configure find nscd
-export PATH="$PATH:/usr/sbin"
-
 autoreconf -fiv
 %configure \
 	--with-db-path="%dbpath" \
@@ -407,20 +428,20 @@ autoreconf -fiv
 	--with-environment-file="%_sysconfdir/sysconfig/sssd" \
 	--with-initscript=systemd \
 	--with-syslog=journald \
-	--with-pid-path="%_rundir" \
+	--with-pid-path="%_rundir/sssd" \
 	--enable-pammoddir="%_pam_moduledir" \
 	--with-ldb-lib-dir="%ldbdir" \
 	--with-os=suse \
 	--disable-ldb-version-check \
 	--without-python2-bindings \
 	--without-oidc-child \
+	--with-sssd-user="%sssd_user" \
 %if 0%{?suse_version} >= 1600
 	--with-selinux=yes \
 	--with-subid
 %else
 	--with-selinux=no \
-	--with-libsifp \
-	--with-files-provider
+	--with-libsifp
 %endif
 %make_build all
 
@@ -432,26 +453,26 @@ b="%buildroot"
 
 # Copy some defaults
 %if "%{?_distconfdir}" != ""
-install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_distconfdir/sssd/sssd.conf"
-install -d -m 0755 "$b/%_distconfdir/sssd/conf.d"
+install -Dpvm 0600 src/examples/sssd-example.conf "$b/%_distconfdir/sssd/sssd.conf"
+install -dvm 0755 "$b/%_distconfdir/sssd/conf.d"
 %else
-install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf"
-install -d -m 0755 "$b/%_sysconfdir/sssd/conf.d"
+install -Dpm 0600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf"
+install -dvm 0755 "$b/%_sysconfdir/sssd/conf.d"
 %endif
-install -d "$b/%_unitdir"
+install -dv "$b/%_unitdir"
 %if 0%{?suse_version} > 1500
-install -d "$b/%_distconfdir/logrotate.d"
-install -m644 src/examples/logrotate "$b/%_distconfdir/logrotate.d/sssd"
-install -d "$b/%_pam_vendordir"
+install -dv "$b/%_distconfdir/logrotate.d"
+install -vm644 src/examples/logrotate "$b/%_distconfdir/logrotate.d/sssd"
+install -dv "$b/%_pam_vendordir"
 mv "$b/%_pam_confdir/sssd-shadowutils" "$b/%_pam_vendordir"
 %else
-install -d "$b/%_sysconfdir/logrotate.d"
-install -m644 src/examples/logrotate "$b/%_sysconfdir/logrotate.d/sssd"
+install -dv "$b/%_sysconfdir/logrotate.d"
+install -vm644 src/examples/logrotate "$b/%_sysconfdir/logrotate.d/sssd"
 %endif
 
 rm -Rfv "$b/%_initddir"
 %if 0%{?suse_version} < 1600
-ln -s service "$b/%_sbindir/rcsssd"
+ln -sv service "$b/%_sbindir/rcsssd"
 %endif
 
 mkdir -pv "$b/%sssdstatedir/mc"
@@ -459,20 +480,42 @@ find "$b" -type f -name "*.la" -print -delete
 %find_lang %name --all-name
 
 # dummy target for cifs-idmap-plugin
-mkdir -pv "$b/%_sysconfdir/alternatives" "$b/%_sysconfdir/cifs-utils"
-ln -sfv "%_sysconfdir/alternatives/%cifs_idmap_name" "$b/%cifs_idmap_plugin"
+mkdir -pv %buildroot/%_sysconfdir/cifs-utils
+ln -sfv %cifs_idmap_lib %buildroot/%cifs_idmap_plugin
+
 %python3_fix_shebang
 %if 0%{?suse_version} > 1600
-%python3_fix_shebang_path %buildroot/%_libexecdir/%name/
+%python3_fix_shebang_path %buildroot/%_libexecdir/%name/sss_analyze
 %elif 0%{?suse_version} == 1600
 # python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204
 sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analyze"
 %endif
 
 echo 'u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin' >system-user-sssd.conf
-mkdir -p "$b/%_sysusersdir"
-cp -a system-user-sssd.conf "$b/%_sysusersdir/"
+mkdir -pv "$b/%_sysusersdir"
+cp -av system-user-sssd.conf "$b/%_sysusersdir/"
 %sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf
+install -Dpvm 0644 contrib/sssd-tmpfiles.conf "%buildroot/%_tmpfilesdir/%name.conf"
+#
+# Security considerations for capabilities, chown and stuff:
+# https://www.openwall.com/lists/oss-security/2024/12/19/1
+#
+# should match entry from %%files list
+mkdir -pv "$b/%permissions_path"
+cat >"$b/%permissions_path/sssd" <<-EOF
+	%_libexecdir/sssd/sssd_pam root:sssd 0750
+	 +capabilities cap_dac_read_search=p
+	%_libexecdir/sssd/selinux_child root:sssd 0750
+	 +capabilities cap_setgid,cap_setuid=p
+	%_libexecdir/sssd/krb5_child root:sssd 0750
+	 +capabilities cap_dac_read_search,cap_setgid,cap_setuid=p
+	%_libexecdir/sssd/ldap_child root:sssd 0750
+	 +capabilities cap_dac_read_search=p
+EOF
+
+mkdir -pv "$b/%_sysconfdir/krb5.conf.d"
+ln -sv %_datadir/%name/krb5-snippets/enable_sssd_conf_dir \
+       "$b/%_sysconfdir/krb5.conf.d/enable_sssd_conf_dir"
 
 %check
 # sss_config-tests fails
@@ -495,8 +538,9 @@ if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then
 fi
 %service_add_post sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
 
-# install SSSD cifs-idmap plugin as an alternative
-update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority
+%_bindir/rm -f %mcpath/passwd %mcpath/group %mcpath/initgroups %mcpath/sid
+%tmpfiles_create %name.conf
+%set_permissions %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam
 
 %preun
 %service_del_preun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
@@ -509,9 +553,6 @@ fi
 # del_postun includes a try-restart
 %service_del_postun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
 
-if [ ! -f "%cifs_idmap_lib" ]; then
-	update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib
-fi
 
 %ldconfig_scriptlets -n libsss_certmap0
 %ldconfig_scriptlets -n libipa_hbac0
@@ -519,6 +560,9 @@ fi
 %ldconfig_scriptlets -n libsss_nss_idmap0
 %ldconfig_scriptlets -n libsss_simpleifp0
 
+%verifyscript
+%verify_permissions -e %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam
+
 %triggerun -- %name < %version-%release
 # sssd takes care of upgrading the database but it doesn't handle downgrades.
 # Clear caches when downgrading the package, which may have an
@@ -552,6 +596,16 @@ fi
 %postun kcm
 %service_del_postun sssd-kcm.service sssd-kcm.socket
 
+%pre krb5-common -f random.pre
+
+%post krb5-common
+%set_permissions %_libexecdir/%name/krb5_child %_libexecdir/%name/ldap_child
+
+%verifyscript krb5-common
+%verify_permissions -e %_libexecdir/%name/krb5_child %_libexecdir/%name/ldap_child
+
+%pre proxy -f random.pre
+
 %pretrans
 # Migrate sssd.service from sssd-common to sssd
 systemctl is-enabled sssd.service > /dev/null
@@ -606,6 +660,11 @@ fi
 %_unitdir/sssd-sudo.socket
 %_unitdir/sssd-sudo.service
 %_sysusersdir/*sssd*
+%_tmpfilesdir/*sssd*
+%permissions_path/sssd
+%dir %_datadir/polkit-1
+%attr(0555,root,root) %dir %_datadir/polkit-1/rules.d
+%_datadir/polkit-1/rules.d/*
 %_bindir/sss_ssh_*
 %_sbindir/sssd
 %if 0%{?suse_version} < 1600
@@ -616,12 +675,8 @@ fi
 %_mandir/??/man1/sss_ssh_*
 %_mandir/??/man5/sss-certmap.5*
 %_mandir/??/man5/sssd-ad.5*
-%if 0%{?suse_version} < 1600
-%_mandir/??/man5/sssd-files.5*
-%endif
 %_mandir/??/man5/sssd-ldap-attributes.5*
 %_mandir/??/man5/sssd-session-recording.5*
-%_mandir/??/man5/sssd-simple.5*
 %_mandir/??/man5/sssd-sudo.5*
 %_mandir/??/man5/sssd-systemtap.5*
 %_mandir/??/man5/sssd.conf.5*
@@ -629,9 +684,6 @@ fi
 %_mandir/??/man8/sssd.8*
 %_mandir/man1/sss_ssh_*
 %_mandir/man5/sss-certmap.5*
-%if 0%{?suse_version} < 1600
-%_mandir/man5/sssd-files.5*
-%endif
 %_mandir/man5/sssd-ldap-attributes.5*
 %_mandir/man5/sssd-session-recording.5*
 %_mandir/man5/sssd-simple.5*
@@ -645,11 +697,7 @@ fi
 %_libdir/%name/libsss_cert*
 %_libdir/%name/libsss_crypt*
 %_libdir/%name/libsss_debug*
-%if 0%{?suse_version} < 1600
-%_libdir/%name/libsss_files*
-%endif
 %_libdir/%name/libsss_iface*
-%_libdir/%name/libsss_semanage*
 %_libdir/%name/libsss_sbus*
 %_libdir/%name/libsss_simple*
 %_libdir/%name/libsss_util*
@@ -662,32 +710,32 @@ fi
 %_libexecdir/%name/sssd_autofs
 %_libexecdir/%name/sssd_be
 %_libexecdir/%name/sssd_nss
-%_libexecdir/%name/sssd_pam
+%attr(750,root,%sssd_user) %caps(cap_dac_read_search=p) %_libexecdir/%name/sssd_pam
 %_libexecdir/%name/sssd_ssh
 %_libexecdir/%name/sssd_sudo
 %_libexecdir/%name/sss_signal
 %_libexecdir/%name/sssd_check_socket_activated_responders
 %if 0%{?suse_version} >= 1600
-%_libexecdir/%name/selinux_child
+%attr(750,root,%sssd_user) %caps(cap_setgid,cap_setuid=p) %_libexecdir/%name/selinux_child
 %endif
 %dir %sssdstatedir
-%attr(700,root,root) %dir %dbpath/
-%attr(755,root,root) %dir %pipepath/
-%attr(700,root,root) %dir %pipepath/private/
-%attr(755,root,root) %dir %pubconfpath/
-%attr(755,root,root) %dir %pubconfpath/krb5.include.d
-%attr(755,root,root) %dir %gpocachepath/
-%attr(755,root,root) %dir %sssdstatedir/mc/
-%attr(700,root,root) %dir %sssdstatedir/keytabs/
-%attr(750,root,root) %dir %_localstatedir/log/%name/
+%attr(700,%sssd_user,%sssd_user) %dir %dbpath/
+%attr(755,%sssd_user,%sssd_user) %dir %pipepath/
+%attr(700,%sssd_user,%sssd_user) %dir %pipepath/private/
+%attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/
+%attr(755,%sssd_user,%sssd_user) %dir %gpocachepath/
+%attr(755,%sssd_user,%sssd_user) %dir %mcpath/
+%attr(700,%sssd_user,%sssd_user) %dir %keytabdir/
+%attr(750,%sssd_user,%sssd_user) %dir %_localstatedir/log/%name/
+%attr(775,%sssd_user,%sssd_user) %dir %sssdstatedir/
 %if "%{?_distconfdir}" != ""
-%dir %_distconfdir/sssd/
-%%dir %_distconfdir/sssd/conf.d
-%config(noreplace) %_distconfdir/sssd/sssd.conf
+%attr(750,root,%sssd_user) %dir %_distconfdir/sssd/
+%attr(750,root,%sssd_user) %dir %_distconfdir/sssd/conf.d
+%attr(640,root,%sssd_user) %_distconfdir/sssd/sssd.conf
 %else
-%dir %_sysconfdir/sssd/
-%%dir %_sysconfdir/sssd/conf.d
-%config(noreplace) %_sysconfdir/sssd/sssd.conf
+%attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/
+%attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/conf.d
+%ghost %attr(640,root,%sssd_user) %config(noreplace) %_sysconfdir/sssd/sssd.conf
 %endif
 %if 0%{?suse_version} > 1500
 %_distconfdir/logrotate.d/sssd
@@ -701,21 +749,16 @@ fi
 %_datadir/%name/sssd.api.conf
 %dir %_datadir/%name/sssd.api.d/
 %_datadir/%name/sssd.api.d/sssd-simple.conf
-%if 0%{?suse_version} < 1600
-%_datadir/%name/sssd.api.d/sssd-files.conf
-%else
-%exclude %_mandir/*/*/sssd-files.5.gz
-%endif
+%attr(775,%sssd_user,%sssd_user) %ghost %dir %_rundir/sssd
 %doc src/examples/sssd.conf
 #
-# sssd-client
+# %%files sssd-client
 #
 %_libdir/libnss_sss.so.2
 %_pam_moduledir/pam_sss.so
 %_pam_moduledir/pam_sss_gss.so
 %_libdir/krb5/
 %_libdir/%name/modules/sssd_krb5_localauth_plugin.so
-%exclude %_libdir/%name/modules/sssd_krb5_idp_plugin.so
 %if 0%{?suse_version} >= 1600
 %_libdir/libsubid_sss.so
 %endif
@@ -727,12 +770,12 @@ fi
 %_mandir/man8/sssd_krb5_localauth_plugin.8*
 %_mandir/??/man8/sssd_krb5_localauth_plugin.8*
 %_mandir/man8/sssd_krb5_locator_plugin.8*
-# cifs idmap plugin
-%dir %_sysconfdir/cifs-utils
-%cifs_idmap_plugin
-%dir %_libdir/cifs-utils
-%cifs_idmap_lib
-%ghost %_sysconfdir/alternatives/%cifs_idmap_name
+#
+# %%files sssd-idp
+#
+%exclude %_libdir/sssd/libsss_idp.so
+%exclude %_libdir/%name/modules/sssd_krb5_idp_plugin.so
+%exclude %_mandir/man5/sssd-idp*
 
 %files ad
 %dir %_libdir/%name/
@@ -783,7 +826,6 @@ fi
 %dir %_libdir/%name/
 %_libdir/%name/libsss_krb5.so
 %dir %_datadir/%name/
-%exclude %_datadir/%name/krb5-snippets/
 %dir %_datadir/%name/sssd.api.d/
 %_datadir/%name/sssd.api.d/sssd-krb5.conf
 %dir %_mandir/??/
@@ -792,11 +834,16 @@ fi
 %_mandir/??/man5/sssd-krb5.5*
 
 %files krb5-common
+%attr(755,root,root) %dir %pubconfpath/krb5.include.d
+%config(noreplace,missingok) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
 %dir %_libdir/%name/
 %_libdir/%name/libsss_krb5_common.so
 %dir %_libexecdir/%name/
-%_libexecdir/%name/krb5_child
-%_libexecdir/%name/ldap_child
+%attr(750,root,%sssd_user) %caps(cap_dac_read_search,cap_setgid,cap_setuid=p) %_libexecdir/%name/krb5_child
+%attr(750,root,%sssd_user) %caps(cap_dac_read_search=p) %_libexecdir/%name/ldap_child
+%dir %{_datadir}/sssd/krb5-snippets
+%_datadir/%name/krb5-snippets/enable_sssd_conf_dir
+%_datadir/%name/krb5-snippets/sssd_enable_idp
 
 %files ldap
 %dir %_libdir/%name/
@@ -813,7 +860,7 @@ fi
 %dir %_libdir/%name/
 %_libdir/%name/libsss_proxy.so
 %dir %_libexecdir/%name/
-%_libexecdir/%name/proxy_child
+%attr(750,root,%sssd_user) %_libexecdir/%name/proxy_child
 %dir %_datadir/%name/
 %dir %_datadir/%name/sssd.api.d/
 %_datadir/%name/sssd.api.d/sssd-proxy.conf
@@ -838,6 +885,12 @@ fi
 %_libdir/samba/idmap/
 %_mandir/man8/idmap_sss.8*
 
+%files cifs-idmap-plugin
+%dir %_sysconfdir/cifs-utils
+%cifs_idmap_plugin
+%dir %_libdir/cifs-utils
+%cifs_idmap_lib
+
 %files -n libipa_hbac0
 %_libdir/libipa_hbac.so.0*
 
@@ -876,16 +929,6 @@ fi
 %_libdir/libsss_nss_idmap.so
 %_libdir/pkgconfig/sss_nss_idmap.pc
 
-%if 0%{?suse_version} < 1600
-%files -n libsss_simpleifp0
-%_libdir/libsss_simpleifp.so.0*
-
-%files -n libsss_simpleifp-devel
-%_includedir/sss_sifp*.h
-%_libdir/libsss_simpleifp.so
-%_libdir/pkgconfig/sss_simpleifp.pc
-%endif
-
 %files -n python3-ipa_hbac
 %dir %python3_sitearch
 %python3_sitearch/pyhbac.so

symvers.patch

@@ -12,14 +12,14 @@ libsss_ldap.so(-2.7.4) cannot find a libsss_util.so(-2.7.4), since
 the system only has libsss_util.so(-2.8.2) at this point.
 
 ---
- Makefile.am |   47 ++++++++++++++++++++++++++++++++---------------
- 1 file changed, 32 insertions(+), 15 deletions(-)
+ Makefile.am |   44 ++++++++++++++++++++++++++++++--------------
+ 1 file changed, 30 insertions(+), 14 deletions(-)
 
-Index: sssd-2.9.2/Makefile.am
+Index: sssd-2.10.1/Makefile.am
 ===================================================================
---- sssd-2.9.2.orig/Makefile.am
-+++ sssd-2.9.2/Makefile.am
-@@ -955,7 +955,11 @@ libsss_debug_la_SOURCES = \
+--- sssd-2.10.1.orig/Makefile.am
++++ sssd-2.10.1/Makefile.am
+@@ -971,7 +971,11 @@ libsss_debug_la_SOURCES = \
  libsss_debug_la_LIBADD = \
      $(SYSLOG_LIBS)
  libsss_debug_la_LDFLAGS = \
@@ -32,7 +32,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_child.la
  libsss_child_la_SOURCES = src/util/child_common.c
-@@ -965,7 +969,8 @@ libsss_child_la_LIBADD = \
+@@ -981,7 +985,8 @@ libsss_child_la_LIBADD = \
      $(DHASH_LIBS) \
      libsss_debug.la \
      $(NULL)
@@ -42,7 +42,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_crypt.la
  
-@@ -1004,7 +1009,8 @@ libsss_crypt_la_LIBADD = \
+@@ -1021,7 +1026,8 @@ libsss_crypt_la_LIBADD = \
      libsss_debug.la \
      $(NULL)
  libsss_crypt_la_LDFLAGS = \
@@ -52,7 +52,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_cert.la
  
-@@ -1029,8 +1035,9 @@ libsss_cert_la_LIBADD = \
+@@ -1046,8 +1052,9 @@ libsss_cert_la_LIBADD = \
      libsss_debug.la \
      $(NULL)
  libsss_cert_la_LDFLAGS = \
@@ -63,7 +63,7 @@ Index: sssd-2.9.2/Makefile.am
  
  generate-sbus-code:
  	$(builddir)/sbus_generate.sh $(abs_srcdir)
-@@ -1131,8 +1138,9 @@ libsss_sbus_la_CFLAGS = \
+@@ -1148,8 +1155,9 @@ libsss_sbus_la_CFLAGS = \
      $(DBUS_CFLAGS) \
      $(NULL)
  libsss_sbus_la_LDFLAGS = \
@@ -74,7 +74,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_sbus_sync.la
  libsss_sbus_sync_la_SOURCES = \
-@@ -1167,8 +1175,9 @@ libsss_sbus_sync_la_CFLAGS = \
+@@ -1184,8 +1192,9 @@ libsss_sbus_sync_la_CFLAGS = \
      $(UNICODE_LIBS) \
      $(NULL)
  libsss_sbus_sync_la_LDFLAGS = \
@@ -85,7 +85,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_iface.la
  libsss_iface_la_SOURCES = \
-@@ -1197,8 +1206,9 @@ libsss_iface_la_CFLAGS = \
+@@ -1214,8 +1223,9 @@ libsss_iface_la_CFLAGS = \
      $(DBUS_CFLAGS) \
      $(NULL)
  libsss_iface_la_LDFLAGS = \
@@ -96,7 +96,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_iface_sync.la
  libsss_iface_sync_la_SOURCES = \
-@@ -1225,8 +1235,9 @@ libsss_iface_sync_la_CFLAGS = \
+@@ -1242,8 +1252,9 @@ libsss_iface_sync_la_CFLAGS = \
      $(DBUS_CFLAGS) \
      $(NULL)
  libsss_iface_sync_la_LDFLAGS = \
@@ -107,7 +107,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_util.la
  libsss_util_la_SOURCES = \
-@@ -1322,7 +1333,8 @@ endif
+@@ -1338,7 +1349,8 @@ endif
  if BUILD_PASSKEY
  libsss_util_la_SOURCES += src/db/sysdb_passkey_user_verification.c
  endif # BUILD_PASSKEY
@@ -115,19 +115,9 @@ Index: sssd-2.9.2/Makefile.am
 +libsss_util_la_LDFLAGS = -avoid-version ${symv}
 +EXTRA_libsss_util_la_DEPENDENCIES = x.sym
  
- pkglib_LTLIBRARIES += libsss_semanage.la
- libsss_semanage_la_CFLAGS = \
-@@ -1341,7 +1353,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_
- endif
- 
- libsss_semanage_la_LDFLAGS = \
--    -avoid-version
-+    -avoid-version ${symv}
-+EXTRA_libsss_semanage_la_DEPENDENCIES = x.sym
- 
  SSSD_INTERNAL_LTLIBS = \
      libsss_util.la \
-@@ -1357,7 +1370,7 @@ lib_LTLIBRARIES = libipa_hbac.la \
+@@ -1354,7 +1366,7 @@ lib_LTLIBRARIES = libipa_hbac.la \
                    $(NULL)
  
  pkgconfig_DATA += src/lib/ipa_hbac/ipa_hbac.pc
@@ -136,7 +126,7 @@ Index: sssd-2.9.2/Makefile.am
  libipa_hbac_la_SOURCES = \
      src/lib/ipa_hbac/hbac_evaluator.c \
      src/util/sss_utf8.c
-@@ -1688,8 +1701,9 @@ libifp_iface_la_CFLAGS = \
+@@ -1682,8 +1694,9 @@ libifp_iface_la_CFLAGS = \
      $(DBUS_CFLAGS) \
      $(NULL)
  libifp_iface_la_LDFLAGS = \
@@ -147,7 +137,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libifp_iface_sync.la
  libifp_iface_sync_la_SOURCES = \
-@@ -1714,8 +1728,9 @@ libifp_iface_sync_la_CFLAGS = \
+@@ -1708,8 +1721,9 @@ libifp_iface_sync_la_CFLAGS = \
      $(DBUS_CFLAGS) \
      $(NULL)
  libifp_iface_sync_la_LDFLAGS = \
@@ -158,7 +148,7 @@ Index: sssd-2.9.2/Makefile.am
  
  sssd_ifp_SOURCES = \
      src/responder/ifp/ifpsrv.c \
-@@ -4314,8 +4329,9 @@ libsss_ldap_common_la_LIBADD = \
+@@ -4314,8 +4328,9 @@ libsss_ldap_common_la_LIBADD = \
      $(SSSD_INTERNAL_LTLIBS) \
      $(NULL)
  libsss_ldap_common_la_LDFLAGS = \
@@ -169,7 +159,7 @@ Index: sssd-2.9.2/Makefile.am
  if BUILD_SYSTEMTAP
  libsss_ldap_common_la_LIBADD += stap_generated_probes.lo
  endif
-@@ -4372,7 +4388,8 @@ libsss_krb5_common_la_LIBADD = \
+@@ -4371,7 +4386,8 @@ libsss_krb5_common_la_LIBADD = \
      $(SSSD_INTERNAL_LTLIBS) \
      $(NULL)
  libsss_krb5_common_la_LDFLAGS = \