jengelh/sssd
SHA256
1
0
Fork 1
forked from pool/sssd
Code Pull Requests Activity

[info=64fc4926abddde94cb6c33f85efec71de27adfb4c0ffab87972e4dc00bfef5d1]

Browse Source 
OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=325
This commit is contained in:
OBS User unknown 2024-11-05 18:20:03 +00:00 committed by Git OBS Bridge
parent f86392c7a5
commit 0f06ed9ea8
6 changed files with 88 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

76
0001-Configuration-make-sure-etc-sssd-and-everything.patch Normal file
View File

@ -0,0 +1,76 @@
From 8db2df4fcbd09badafbc207bd4150b5f1cc2d5fb Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Thu, 24 Oct 2024 15:34:26 +0200
Subject: [PATCH] Configuration: make sure /etc/sssd and everything
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
beneath is owned by 'sssd' group and readable by group.
This should allow for reasonable rw-r----- root:sssd
At some points those chown/chmod can be removed.
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 518db322fdd5a4de41813fbe5bc35fc20392ce67)
---
contrib/sssd.spec.in | 4 ++--
src/sysv/systemd/sssd-kcm.service.in | 5 ++---
src/sysv/systemd/sssd.service.in | 6 ++----
3 files changed, 6 insertions(+), 9 deletions(-)
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 4fbacb959..83de563f3 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -1136,9 +1136,9 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d /run/sssd -s /sbin/nologi
%__rm -f %{mcpath}/group
%__rm -f %{mcpath}/initgroups
%__rm -f %{mcpath}/sid
+%__chown -f -R root:%{sssd_user} %{_sysconfdir}/sssd || true
+%__chmod -f -R g+r %{_sysconfdir}/sssd || true
%__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true
-%__chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true
-%__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true
%__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
%__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true
%__chown -f %{sssd_user}:%{sssd_user} %{gpocachepath}/* || true
diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
index 0c839ec5c..ba9e27cd9 100644
--- a/src/sysv/systemd/sssd-kcm.service.in
+++ b/src/sysv/systemd/sssd-kcm.service.in
@@ -9,9 +9,8 @@ Also=sssd-kcm.socket
[Service]
Environment=DEBUG_LOGGER=--logger=files
-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
+ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
+ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb"
ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log
ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER}
diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
index 37e0a63f8..a6f79ff8a 100644
--- a/src/sysv/systemd/sssd.service.in
+++ b/src/sysv/systemd/sssd.service.in
@@ -10,10 +10,8 @@ StartLimitBurst=5
[Service]
Environment=DEBUG_LOGGER=--logger=files
EnvironmentFile=-@environment_file@
-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/pki
+ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
+ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @dbpath@/*.ldb"
ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @gpocachepath@/*"
ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/*.log"
--
2.47.0

4
_scmsync.obsinfo
View File

@ -1,4 +1,4 @@
mtime: 1730829368
commit: 4c1a7e3419ae2a9fd5571c543bf337898b158276112c19e299f4f385b5bedaf8
mtime: 1730830158
commit: 64fc4926abddde94cb6c33f85efec71de27adfb4c0ffab87972e4dc00bfef5d1
url: https://src.opensuse.org/jengelh/sssd
revision: master

2
build.specials.obscpio
View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:333d08feac544fd46469e53065561e077c018a618968d77cc7db859aa36fe6f9
oid sha256:6d021fd2910f1ec57d2b07d070a1e9e786898601585504335bdf7252676b006c
size 256

4
harden_sssd-kcm.service.patch
View File

@ -24,5 +24,5 @@ Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
+RestrictRealtime=true
+# end of automatic additions
Environment=DEBUG_LOGGER=--logger=files
ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@

3
sssd.changes
View File

@ -15,7 +15,8 @@ Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
* The default value for ``ldap_id_use_start_tls`` changed from
false to true for improved security.
* https://github.com/SSSD/sssd/releases/tag/2.10.0
- Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch
- Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch,
0001-Configuration-make-sure-etc-sssd-and-everything.patch
- Fix socket activation of responders
-------------------------------------------------------------------

9
sssd.spec
View File

@ -28,11 +28,12 @@ Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%v
Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc
Source3: baselibs.conf
Source5: %name.keyring
Patch1: krb-noversion.diff
Patch2: harden_sssd-ifp.service.patch
Patch3: harden_sssd-kcm.service.patch
Patch4: symvers.patch
Patch5: 0001-sssd-always-print-path-when-config-object-is-rejecte.patch
Patch6: 0001-Configuration-make-sure-etc-sssd-and-everything.patch
Patch11: krb-noversion.diff
Patch12: harden_sssd-ifp.service.patch
Patch13: harden_sssd-kcm.service.patch
Patch14: symvers.patch
BuildRequires: autoconf >= 2.59
BuildRequires: automake
BuildRequires: bind-utils