Accepting request 632454 from home:kbabioch:branches:network:ldap

- Update to upstream release 1.16.3

OBS-URL: https://build.opensuse.org/request/show/632454
OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=206

0001-SUDO-Create-the-socket-with-stricter-permissions.patch

@@ -1,45 +0,0 @@
-From 06193adc0de042484f672cadd0808c78c5ebb70e Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Fri, 15 Jun 2018 22:29:34 +0200
-Subject: [PATCH] SUDO: Create the socket with stricter permissions
-
-This patch switches the sudo responder from being created as a public
-responder where the permissions are open and not checked by the sssd
-deaamon to a private socket. In this case, sssd creates the pipes with
-strict permissions (see the umask in the call to create_pipe_fd() in
-set_unix_socket()) and additionaly checks the permissions with every read
-via the tevent integrations (see accept_fd_handler()).
----
- src/responder/sudo/sudosrv.c         | 3 ++-
- src/sysv/systemd/sssd-sudo.socket.in | 1 +
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
-index ac4258710d3a9b48285522abd23bdd59ba42ad4e..e87a24499c2d82fafaa8e1f9b386e44332394266 100644
---- a/src/responder/sudo/sudosrv.c
-+++ b/src/responder/sudo/sudosrv.c
-@@ -79,7 +79,8 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
-     sudo_cmds = get_sudo_cmds();
-     ret = sss_process_init(mem_ctx, ev, cdb,
-                            sudo_cmds,
--                           SSS_SUDO_SOCKET_NAME, -1, NULL, -1,
-+                           NULL, -1,                   /* No public socket */
-+                           SSS_SUDO_SOCKET_NAME, -1,   /* Private socket only */
-                            CONFDB_SUDO_CONF_ENTRY,
-                            SSS_SUDO_SBUS_SERVICE_NAME,
-                            SSS_SUDO_SBUS_SERVICE_VERSION,
-diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in
-index c9abb875f0accbaf58d78846020fef74c7473528..96a8b0327ddb4d331c9b2e97ece3453f8f76872d 100644
---- a/src/sysv/systemd/sssd-sudo.socket.in
-+++ b/src/sysv/systemd/sssd-sudo.socket.in
-@@ -11,6 +11,7 @@ ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r sudo
- ListenStream=@pipepath@/sudo
- SocketUser=@SSSD_USER@
- SocketGroup=@SSSD_USER@
-+SocketMode=0600
- 
- [Install]
- WantedBy=sssd.service
--- 
-2.14.3
-

0002-intg-Do-not-hardcode-nsslibdir.patch

@@ -1,44 +0,0 @@
-From b34fcff0f8bccd7b827686b50c53f45b7e20bb44 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
-Date: Tue, 12 Jun 2018 19:07:52 +0200
-Subject: [PATCH] intg: Do not hardcode nsslibdir
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This change is needed in order to have make intgcheck-run properly
-running on opensuse systems.
-
-Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
-Reviewed-by: Chris Kowalczyk <ckowalczyk@suse.com>
-Reviewed-by: Michal Židek <mzidek@redhat.com>
----
- src/tests/intg/Makefile.am  | 1 +
- src/tests/intg/config.py.m4 | 2 +-
- 2 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
-index 9c5338261..4bd427669 100644
---- a/src/tests/intg/Makefile.am
-+++ b/src/tests/intg/Makefile.am
-@@ -73,6 +73,7 @@ cwrap-dbus-system.conf: data/cwrap-dbus-system.conf.in Makefile
- config.py: config.py.m4
- 	m4 -D "prefix=\`$(prefix)'" \
- 	   -D "sysconfdir=\`$(sysconfdir)'" \
-+	   -D "nsslibdir=\`$(nsslibdir)'" \
- 	   -D "dbpath=\`$(dbpath)'" \
- 	   -D "pidpath=\`$(pidpath)'" \
- 	   -D "logpath=\`$(logpath)'" \
-diff --git a/src/tests/intg/config.py.m4 b/src/tests/intg/config.py.m4
-index 6e011b692..04f78d869 100644
---- a/src/tests/intg/config.py.m4
-+++ b/src/tests/intg/config.py.m4
-@@ -4,7 +4,7 @@ Build configuration variables.
- 
- PREFIX = "prefix"
- SYSCONFDIR = "sysconfdir"
--NSS_MODULE_DIR = PREFIX + "/lib"
-+NSS_MODULE_DIR = "nsslibdir"
- SSSDCONFDIR = SYSCONFDIR + "/sssd"
- CONF_PATH = SSSDCONFDIR + "/sssd.conf"
- DB_PATH = "dbpath"

0003-Fix-build-for-1-16-2-version.patch

@@ -1,13 +0,0 @@
-diff --git a/Makefile.am b/Makefile.am
-index 9539b3c..8e76a03 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -975,6 +975,7 @@ libsss_cert_la_LIBADD = \
-     $(TALLOC_LIBS) \
-     $(TEVENT_LIBS) \
-     libsss_crypt.la \
-+    libsss_child.la \
-     libsss_debug.la \
-     libsss_certmap.la \
-     $(NULL)
-

sssd-1.16.2.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fe5b1fcc5b4359631f7edf25f8940f3155de68e2f4ac7bfeb634687ccabc570c
-size 6174144

sssd-1.16.2.tar.gz.asc

@@ -1,6 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iEYEABECAAYFAlsa2S0ACgkQHsardTLnvCVhKwCgpCRZBHkAyqnRDaPwegBLv4Sh
-fYQAoK05cAcmiKBdZWtsLRRZgUOS8X/8
-=U4k5
------END PGP SIGNATURE-----

sssd-1.16.3.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ee5d17a0c663c09819cbab9364085b9e57faeca02406cc30efe14cc0cfc04ec4
+size 6217114

sssd-1.16.3.tar.gz.asc

@@ -0,0 +1,10 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEcBAABAgAGBQJbcDdwAAoJEHDBRgYiUL36CW0H/2gGY35HxXQNiufErxIMT3/9
+8Uq5EqTOYUlmScijvT3J1AXPg5Sw/KP65cBSOaZYNyzzBcr8GwaM19y3/WInFA5z
+tWTHfAmVusIvLijmWmfw9qGY6X8386S2g+wbTn7WsMYb0Spt8K2l+OgQDIq7sIx5
+iSPfICt/HgESBkC0YEsaVq5S4kQLS6w3pJEclkwoj22jl831FHlVmQ8K2G369/Iz
+YycSYK7qXWvs8YSzsihA3zvjGT9v2vZQWamE5gkHlXZEPkJYIR3ant7Ziux4zIrA
+n/fuIWZCWu/gR4jtg3vmrcRVLnOo1ukqdrDmE4v/CiJrvS/H4McCZUhiUaXQ9Us=
+=Fx4X
+-----END PGP SIGNATURE-----

sssd.changes

@@ -1,3 +1,69 @@
+-------------------------------------------------------------------
+Fri Aug 31 07:14:39 UTC 2018 - kbabioch@suse.com
+
+- Update to upstream release 1.16.3
+
+New Features
+
+- The kdcinfo files that SSSD uses to inform libkrb5 about which KDCs were
+  discovered for a Kerberos realm used to be only generated for the joined
+  domain, not the trusted domains. Starting with this release, the kdcinfo files
+  are generated automatically also for trusted domains in setups that use
+  id_provider=ad and IPA masters in a trust relationship with an AD domain.
+
+- The SSSD Kerberos locator plugin which processes the kdcinfo files and
+  actually tells libkrb5 about the available KDCs can now process multiple
+  address if SSSD generates more than one. At the moment, this feature is only
+  used on IPA clients (see below). Please see the sssd_krb5_locator_plugin(8)
+  manual page for more information about the Kerberos locator plugin.
+
+- On IPA clients, the AD DCs or the AD site which should be used to
+  authenticate users can now be listed in a subdomain section. Please see the
+  feature design page or the section “trusted domains configuration” for more
+  details.
+
+Notable bug fixes
+
+- The permissions on /var/lib/sss/pipes/sudo were set so that anyone could read
+  anyone else’s sudo rules. This was considered an information leak and
+  assigned CVE-2018-10852 (bsc#1098377)
+- The 1.16.2 release was storing the cached passwords without a salt prefix
+  string. This bug was fixed in this release, but any password hashes generated
+  by 1.16.2 are incompatible with the hashes generated by 1.16.3. The effect is
+  that upgrade from 1.16.2 to 1.16.3 should be done when the authentication
+  server is reachable so that the first authentication after the upgrade fix the
+  cached password.
+- The sss_ssh proces leaked file descriptors when converting more than one x509
+  certificate to SSH public key
+- SSSD, when configured with id_provider=ad was using too expensive LDAP search
+  to find out whether the required POSIX attributes were replicated to the
+  Global Catalog. Instead, SSSD now consults the Partial Attribute Set, which
+  is much more effective
+- The PAC responder is now able to process Domain Local in case the PAC uses
+  SID compression. Typicaly this is the case with Windows Server 2012 and newer
+- Some versions of OpenSSH would close the pipe towards sss_ssh_authorizedkeys
+  when the matching key is found before the rest of the output is read. The
+  sss_ssh_authorizedkeys helper was not handling this behaviour well and would
+  exit with SIGPIPE, which also meant the public key authentication failed
+- User lookups no longer fail if user’s e-mail address conflicts with another
+  user’s fully qualified name
+- The override_shell and override_homedir options are no longer applied to
+  entries from the files domain.
+- Several bugs related to the FleetCommander integration were fixed
+- The grace logins with an expired password when authenticating against certain
+  newer versions of the 389DS/RHDS LDAP server did not work
+- Whitespace around netgroup triple separator is now stripped
+- The sss_ssh_knownhostproxy utility can now print the host key without
+  proxying the connection.
+- Due to an overly restrictive check, the fast in-memory cache was sometimes
+  skipped, which caused a high load on the sssd_nss process
+ 
+Removed patches that are included upstream now:
+
+- 0001-SUDO-Create-the-socket-with-stricter-permissions.patch
+- 0002-intg-Do-not-hardcode-nsslibdir.patch
+- 0003-Fix-build-for-1-16-2-version.patch
+
 -------------------------------------------------------------------
 Sun Jul  1 12:44:00 UTC 2018 - ckowalczyk@suse.com
 

sssd.spec

@@ -17,7 +17,7 @@
 
 
 Name:           sssd
-Version:        1.16.2
+Version:        1.16.3
 Release:        0
 Summary:        System Security Services Daemon
 License:        GPL-3.0+ and LGPL-3.0+
@@ -31,9 +31,6 @@ Source3:        baselibs.conf
 Source4:        sssd.service
 Source5:        %name.keyring
 BuildRoot:      %_tmppath/%name-%version-build
-Patch1:         0001-SUDO-Create-the-socket-with-stricter-permissions.patch
-Patch2:         0002-intg-Do-not-hardcode-nsslibdir.patch
-Patch3:         0003-Fix-build-for-1-16-2-version.patch
 
 %define servicename	sssd
 %define sssdstatedir	%_localstatedir/lib/sss
@@ -367,9 +364,6 @@ Security Services Daemon (sssd).
 
 %prep
 %setup -q
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
 
 %build
 %if 0%{?suse_version} < 1210