From 7a9befa6936272129afd7622722b7d44d87bdf6afa02bc7b21a6ccfd037903cc Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Wed, 11 Dec 2024 10:33:24 +0100 Subject: [PATCH] sssd 2.10.1 --- ...on-make-sure-etc-sssd-and-everything.patch | 76 -------- 0001-INI-relax-config-files-checks.patch | 135 ------------- ...using-libini_config-for-access-check.patch | 182 ------------------ ...t-path-when-config-object-is-rejecte.patch | 75 -------- sssd-2.10.0.tar.gz | 3 - sssd-2.10.0.tar.gz.asc | 16 -- sssd-2.10.1.tar.gz | 3 + sssd-2.10.1.tar.gz.asc | 16 ++ sssd.changes | 16 ++ sssd.spec | 19 +- symvers.patch | 48 ++--- 11 files changed, 61 insertions(+), 528 deletions(-) delete mode 100644 0001-Configuration-make-sure-etc-sssd-and-everything.patch delete mode 100644 0001-INI-relax-config-files-checks.patch delete mode 100644 0001-INI-stop-using-libini_config-for-access-check.patch delete mode 100644 0001-sssd-always-print-path-when-config-object-is-rejecte.patch delete mode 100644 sssd-2.10.0.tar.gz delete mode 100644 sssd-2.10.0.tar.gz.asc create mode 100644 sssd-2.10.1.tar.gz create mode 100644 sssd-2.10.1.tar.gz.asc diff --git a/0001-Configuration-make-sure-etc-sssd-and-everything.patch b/0001-Configuration-make-sure-etc-sssd-and-everything.patch deleted file mode 100644 index 8cf0fe0..0000000 --- a/0001-Configuration-make-sure-etc-sssd-and-everything.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From 8db2df4fcbd09badafbc207bd4150b5f1cc2d5fb Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Thu, 24 Oct 2024 15:34:26 +0200 -Subject: [PATCH] Configuration: make sure /etc/sssd and everything -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -beneath is owned by 'sssd' group and readable by group. - -This should allow for reasonable rw-r----- root:sssd - -At some points those chown/chmod can be removed. - -Reviewed-by: Justin Stephenson -Reviewed-by: Pavel Březina -Reviewed-by: Sumit Bose -(cherry picked from commit 518db322fdd5a4de41813fbe5bc35fc20392ce67) ---- - contrib/sssd.spec.in | 4 ++-- - src/sysv/systemd/sssd-kcm.service.in | 5 ++--- - src/sysv/systemd/sssd.service.in | 6 ++---- - 3 files changed, 6 insertions(+), 9 deletions(-) - -diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in -index 4fbacb959..83de563f3 100644 ---- a/contrib/sssd.spec.in -+++ b/contrib/sssd.spec.in -@@ -1136,9 +1136,9 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d /run/sssd -s /sbin/nologi - %__rm -f %{mcpath}/group - %__rm -f %{mcpath}/initgroups - %__rm -f %{mcpath}/sid -+%__chown -f -R root:%{sssd_user} %{_sysconfdir}/sssd || true -+%__chmod -f -R g+r %{_sysconfdir}/sssd || true - %__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true --%__chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true --%__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true - %__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true - %__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true - %__chown -f %{sssd_user}:%{sssd_user} %{gpocachepath}/* || true -diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in -index 0c839ec5c..ba9e27cd9 100644 ---- a/src/sysv/systemd/sssd-kcm.service.in -+++ b/src/sysv/systemd/sssd-kcm.service.in -@@ -9,9 +9,8 @@ Also=sssd-kcm.socket - - [Service] - Environment=DEBUG_LOGGER=--logger=files 
--ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@ --ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf --ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d -+ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@ -+ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@ - ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb" - ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log - ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER} -diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in -index 37e0a63f8..a6f79ff8a 100644 ---- a/src/sysv/systemd/sssd.service.in -+++ b/src/sysv/systemd/sssd.service.in -@@ -10,10 +10,8 @@ StartLimitBurst=5 - [Service] - Environment=DEBUG_LOGGER=--logger=files - EnvironmentFile=-@environment_file@ --ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@ --ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf --ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d --ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/pki -+ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@ -+ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@ - ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @dbpath@/*.ldb" - ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @gpocachepath@/*" - ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/*.log" --- -2.47.0 - diff --git a/0001-INI-relax-config-files-checks.patch b/0001-INI-relax-config-files-checks.patch deleted file mode 100644 index 69ac630..0000000 --- a/0001-INI-relax-config-files-checks.patch +++ /dev/null 
@@ -1,135 +0,0 @@ -From 340671f16abb9c26ae97b11c4e2845337e67973e Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Wed, 23 Oct 2024 20:59:32 +0200 -Subject: [PATCH] INI: relax config files checks -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Only make sure: - - user is root or sssd - - group is root or sssd - - other can't access it - -Don't make any assumptions wrt user/group read/write-ability. - -Reviewed-by: Justin Stephenson -Reviewed-by: Pavel Březina -Reviewed-by: Sumit Bose -(cherry picked from commit 8472777ec472607ea450ddb4c4666017bd0de704) ---- - src/man/sssd.conf.5.xml | 5 ++- - src/util/sss_ini.c | 68 +++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 70 insertions(+), 3 deletions(-) - -diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml -index a074cc674..bf10acb2a 100644 ---- a/src/man/sssd.conf.5.xml -+++ b/src/man/sssd.conf.5.xml -@@ -57,9 +57,8 @@ - readable, and writeable only by 'root'. - - -- sssd.conf must be a regular file that is owned, -- readable, and writeable by the same user as configured to run SSSD -- service. -+ sssd.conf must be a regular file that is -+ accessible only by the user used to run SSSD service or root. 
- - - -diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c -index e989d8caf..74cf61e0e 100644 ---- a/src/util/sss_ini.c -+++ b/src/util/sss_ini.c -@@ -26,6 +26,7 @@ - #include - #include - #include -+#include - #include - - #include "config.h" -@@ -781,6 +782,71 @@ int sss_ini_open(struct sss_ini *self, - return ret; - } - -+static int access_check_file(const char *filename) -+{ -+ int ret; -+ struct stat st; -+ uid_t uid; -+ gid_t gid; -+ -+ sss_sssd_user_uid_and_gid(&uid, &gid); -+ -+ ret = stat(filename, &st); -+ if (ret != 0) { -+ ret = errno; -+ DEBUG(SSSDBG_CRIT_FAILURE, "stat(%s) failed: %s\n", -+ filename, strerror(ret)); -+ return EINVAL; -+ } -+ -+ if ((st.st_uid != 0) && (st.st_uid != uid)) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected user owner of '%s': %"SPRIuid"\n", -+ filename, st.st_uid); -+ return ERR_INI_INVALID_PERMISSION; -+ } -+ -+ if ((st.st_gid != 0) && (st.st_gid != gid)) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected group owner of '%s': %"SPRIgid"\n", -+ filename, st.st_gid); -+ return ERR_INI_INVALID_PERMISSION; -+ } -+ -+ if ((st.st_mode & (S_IROTH|S_IWOTH|S_IXOTH)) != 0) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected access to '%s' by other users\n", -+ filename); -+ return ERR_INI_INVALID_PERMISSION; -+ } -+ -+ return EOK; -+} -+ -+static int access_check_ini(struct sss_ini *self) -+{ -+ int ret; -+ const char *path; -+ uint32_t i; -+ const char **snippet; -+ struct ref_array *used_snippets; -+ -+ if (self->main_config_exists) { -+ path = ini_config_get_filename(self->file); -+ ret = access_check_file(path); -+ if (ret != EOK) { -+ return ret; -+ } -+ } -+ -+ used_snippets = sss_ini_get_ra_success_list(self); -+ for (i = 0; (snippet = ref_array_get(used_snippets, i, NULL)) != NULL; ++i) { -+ ret = access_check_file(*snippet); -+ if (ret != EOK) { -+ return ret; -+ } -+ } -+ -+ return EOK; -+} -+ - int sss_ini_read_sssd_conf(struct sss_ini *self, - const char *config_file, - const char *config_dir) -@@ -833,5 +899,7 @@ int 
sss_ini_read_sssd_conf(struct sss_ini *self, - return ERR_INI_EMPTY_CONFIG; - } - -+ ret = access_check_ini(self); -+ - return ret; - } --- -2.47.0 - diff --git a/0001-INI-stop-using-libini_config-for-access-check.patch b/0001-INI-stop-using-libini_config-for-access-check.patch deleted file mode 100644 index abe0cb0..0000000 --- a/0001-INI-stop-using-libini_config-for-access-check.patch +++ /dev/null 
@@ -1,182 +0,0 @@ -From 1d19b8ad9415e0a12ed3aaf039d4d0956ef4dbad Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Wed, 23 Oct 2024 19:53:09 +0200 -Subject: [PATCH] INI: stop using 'libini_config' for access check -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Justin Stephenson -Reviewed-by: Pavel Březina -Reviewed-by: Sumit Bose ---- - src/util/sss_ini.c | 100 +---------------------------------------------------- - src/util/sss_ini.h | 12 ------ - 2 files changed, 3 insertions(+), 109 deletions(-) - -Index: sssd-2.10.0/src/util/sss_ini.c -=================================================================== ---- sssd-2.10.0.orig/src/util/sss_ini.c -+++ sssd-2.10.0/src/util/sss_ini.c -@@ -147,81 +147,6 @@ static int sss_ini_config_file_from_mem( - &self->file); - } - --/* Check configuration file permissions */ -- --static bool is_running_sssd(void) --{ -- static char exe[1024]; -- int ret; -- const char *s = NULL; -- -- ret = readlink("/proc/self/exe", exe, sizeof(exe) - 1); -- if ((ret > 0) && (ret < 1024)) { -- exe[ret] = 0; -- s = strstr(exe, debug_prg_name); -- if ((s != NULL) && (strlen(s) == strlen(debug_prg_name))) { -- return true; -- } -- } -- -- return false; --} -- --static int sss_ini_access_check(struct sss_ini *self) --{ -- int ret; -- uint32_t flags = INI_ACCESS_CHECK_MODE; -- -- if (!self->main_config_exists) { -- return EOK; -- } -- -- if (is_running_sssd()) { -- flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID; -- } -- -- ret = ini_config_access_check(self->file, -- flags, -- geteuid(), -- getegid(), -- S_IRUSR, /* r**------ */ -- ALLPERMS & ~(S_IWUSR|S_IXUSR)); -- -- return ret; --} -- -- -- --/* Get cstat */ -- --int sss_ini_get_stat(struct sss_ini *self) --{ -- self->cstat = ini_config_get_stat(self->file); -- -- if (!self->cstat) return EIO; -- -- return EOK; --} -- -- -- --/* Get mtime */ -- --int sss_ini_get_mtime(struct sss_ini *self, -- size_t timestr_len, -- char 
*timestr) --{ -- return snprintf(timestr, timestr_len, "%llu", -- (long long unsigned)self->cstat->st_mtime); --} -- --/* Get file_exists */ -- --bool sss_ini_exists(struct sss_ini *self) --{ -- return self->main_config_exists; --} -- - /* Print ini_config errors */ - - static void sss_ini_config_print_errors(char **error_list) -@@ -289,7 +214,6 @@ static int sss_ini_add_snippets(struct s - uint32_t i = 0; - char *msg = NULL; - struct ini_cfgobj *modified_sssd_config = NULL; -- struct access_check snip_check; - - if (self == NULL || self->sssd_config == NULL || config_dir == NULL) { - return EINVAL; -@@ -297,21 +221,11 @@ static int sss_ini_add_snippets(struct s - - sss_ini_free_ra_messages(self); - -- snip_check.flags = INI_ACCESS_CHECK_MODE; -- -- if (is_running_sssd()) { -- snip_check.flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID; -- } -- snip_check.uid = geteuid(); -- snip_check.gid = getegid(); -- snip_check.mode = S_IRUSR; /* r**------ */ -- snip_check.mask = ALLPERMS & ~(S_IWUSR | S_IXUSR); -- - ret = ini_config_augment(self->sssd_config, - config_dir, - patterns, - sections, -- &snip_check, -+ NULL, - INI_STOP_ON_ANY, - INI_MV1S_OVERWRITE, - INI_PARSE_NOWRAP, -@@ -894,15 +808,7 @@ int sss_ini_read_sssd_conf(struct sss_in - return ERR_INI_OPEN_FAILED; - } - -- if (sss_ini_exists(self)) { -- ret = sss_ini_access_check(self); -- if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "Permission check on config file %s failed: %d\n", -- config_file, ret); -- return ERR_INI_INVALID_PERMISSION; -- } -- } else { -+ if (!self->main_config_exists) { - DEBUG(SSSDBG_CONF_SETTINGS, - "File %s does not exist.\n", config_file); - } -@@ -923,7 +829,7 @@ int sss_ini_read_sssd_conf(struct sss_in - return ERR_INI_ADD_SNIPPETS_FAILED; - } - -- if (!sss_ini_exists(self) && -+ if ((!self->main_config_exists) && - (ref_array_len(sss_ini_get_ra_success_list(self)) == 0)) { - return ERR_INI_EMPTY_CONFIG; - } -Index: sssd-2.10.0/src/util/sss_ini.h 
-=================================================================== ---- sssd-2.10.0.orig/src/util/sss_ini.h -+++ sssd-2.10.0/src/util/sss_ini.h -@@ -81,18 +81,6 @@ int sss_ini_open(struct sss_ini *self, - const char *fallback_cfg); - - /** -- * @brief Check whether sss_ini_open() reported that ini file is -- * not present -- * -- * @param[in] self pointer to sss_ini structure -- * -- * @return -- * - true we are using ini file -- * - false file was not found -- */ --bool sss_ini_exists(struct sss_ini *self); -- --/** - * @brief get Cstat structure of the ini file - */ - int sss_ini_get_stat(struct sss_ini *self); diff --git a/0001-sssd-always-print-path-when-config-object-is-rejecte.patch b/0001-sssd-always-print-path-when-config-object-is-rejecte.patch deleted file mode 100644 index d24c30a..0000000 --- a/0001-sssd-always-print-path-when-config-object-is-rejecte.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -From 1a743a4123c104a10c694f7ee9d2f0a1e7182513 Mon Sep 17 00:00:00 2001 -From: Jan Engelhardt -Date: Wed, 16 Oct 2024 09:55:50 +0200 -Subject: [PATCH] sssd: always print path when config object is rejected -References: https://github.com/SSSD/sssd/pull/7649 - -Observed: - -``` -Oct 16 09:44:04 a4 sssd[28717]: [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed. -Oct 16 09:44:04 a4 sssd[28717]: Can't read config: 'File ownership and permissions check failed' -Oct 16 09:44:04 a4 sssd[28717]: Failed to read configuration: 'File ownership and permissions check failed' -``` - -Expected: - -_Well yes, but **which one**_!? - -Reviewed-by: Alexey Tikhonov -Reviewed-by: Justin Stephenson -(cherry picked from commit 2b7915dd84a6b8c3ee26e45357283677fe22f2cb) ---- - src/util/sss_ini.c | 14 ++++++++------ - 1 file changed, 8 insertions(+), 6 deletions(-) - -diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c -index 7f9824d88..2a611eb8c 100644 ---- a/src/util/sss_ini.c -+++ b/src/util/sss_ini.c -@@ -888,7 +888,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self, - ret = sss_ini_open(self, config_file, "[sssd]\n"); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, -- "The sss_ini_open failed %s: %d\n", -+ "sss_ini_open on %s failed: %d\n", - config_file, - ret); - return ERR_INI_OPEN_FAILED; -@@ -898,26 +898,28 @@ int sss_ini_read_sssd_conf(struct sss_ini *self, - ret = sss_ini_access_check(self); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, -- "Permission check on config file failed.\n"); -+ "Permission check on config file %s failed: %d\n", -+ config_file, ret); - return ERR_INI_INVALID_PERMISSION; - } - } else { - DEBUG(SSSDBG_CONF_SETTINGS, -- "File %1$s does not exist.\n", -- (config_file ? 
config_file : "NULL")); -+ "File %s does not exist.\n", config_file); - } - - ret = sss_ini_parse(self); - if (ret != EOK) { - sss_ini_config_print_errors(self->error_list); -- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration.\n"); -+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration file %s: %d\n", -+ config_file, ret); - return ERR_INI_PARSE_FAILED; - } - - ret = sss_ini_add_snippets(self, config_dir); - if (ret != EOK) { - DEBUG(SSSDBG_FATAL_FAILURE, -- "Error while reading configuration directory.\n"); -+ "Error while reading configuration directory %s: %d\n", -+ config_dir, ret); - return ERR_INI_ADD_SNIPPETS_FAILED; - } - --- -2.47.0 - diff --git a/sssd-2.10.0.tar.gz b/sssd-2.10.0.tar.gz deleted file mode 100644 index 38e2605..0000000 --- a/sssd-2.10.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:0b1167e8017209ec25b9683e0006947eaa0cfd7a8161bfea120bd8511006db0d -size 9177851 diff --git a/sssd-2.10.0.tar.gz.asc b/sssd-2.10.0.tar.gz.asc deleted file mode 100644 index 3783730..0000000 --- a/sssd-2.10.0.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmcOPUoACgkQ09IbKRDP -Z1myuA//anDvdZcQp0EUia2NsiWt2MFE8esmsEIN6QmEYjUxvEeXI9q4YJQimMi8 -wdt0zqZE1PLrTcroWaeGcgt2+CJWUbVanZtNn3oo7lUVYrLKemrUzavM7dXTaA43 -cdKAFyEO+nHJQ2yBNUt6sRXc3tM0H27yZs0iL+CcYu6YshUTbMnZuwdpz7DqDTN8 -nbG+LWa+U0en5mI3waP8Ionwmdv9AJAuCHQZLlZDpM0+YfGumcIUJdbxU/I8pqP8 -MQaulPv3e+BNwdbUiLlk0cXRjuEfSd0bmMa3MqB4IqMvvjACU0GuSgK3FDhutZJe -HfmzYSo/Zntmr7F/eYLz6zy/GU3VewEilOyRV08oz+EVJRbGyo2t4k6PUYbn+I4V -kJ/maed5jnBzIZGf6o+P1r+3mavJg7k2LDV4s48MsZ4Y5ED4X0c+boT1L5FZbquW -gp99Di0RG4VoWiYOfVfszLzeDWOLbOrKMyA6PTqlmjGYAdV9SBwZP5WEdwXyPovo -D7uual7Eqdd+Y/lt+8O4Wd+Y+a9xI2kwVFo8KYmHc8PhgLpPIKTWbBTEI+0nw3fJ -qqyyA7JWA81bt4WKVuJaeS87S/9F4yn8ps2dzSgHjZ2Tzr7Eu1a3RWLjKYsjKZrT -PPd2d/02rQAZPwLYHN5qM3Xjh0DD7IiXav1QuIPxmUQA9z8ZiuA= -=mJVY ------END PGP SIGNATURE----- 
diff --git a/sssd-2.10.1.tar.gz b/sssd-2.10.1.tar.gz
new file mode 100644
index 0000000..03c5c14
--- /dev/null
+++ b/sssd-2.10.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ea6a690047cea1ecd50016aa30946f9348da37b46daa984f34bc72ddb767539f
+size 9196848
diff --git a/sssd-2.10.1.tar.gz.asc b/sssd-2.10.1.tar.gz.asc
new file mode 100644
index 0000000..f720242
--- /dev/null
+++ b/sssd-2.10.1.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmdYSb4ACgkQ09IbKRDP
+Z1kRyRAAmkKhCUcBs4h2mDg7uzz7DfYFkHXEiY8EMoVP5Iw6ZsNL/V9fwF9xhj49
+XbnCfxj2zFfVWZd5VYnTpl86Hg3NrxuPehgM+iMAXS6U/55TvRPunCtTiRwoTZ4t
+zSgiBaSg3I2hmSN2cnSU8PpilEDCIeSP3uafmGXI1KUxEQltVbp0EeJ5CL5GP3xU
+rFgI1pKdTySlw6jZ3vjkAaHwdsJGB0MKtjiBJYtqvHmIzbUdSNN/iE5Wf5xsdtez
+KKLUrnKeQFuNyYWpjipJvbs7i9+E5VKFvCfrqFb6vQbp+Rgd98epVjp2VKovNy8p
+gZQmgfbi5GCWKuBx+dbaRSFa8hWemEwnBNboV6JKq4+CoPsMkI367utZV5gd58V5
+RHgLsrZfjahAXgG4ytwPhgKDV+sX+sSn4aXIdaSgc+vP7+ykLMxyzyR2GXyG+y11
+WrnovdR0HywHfzvlUnKQmcLUjCkXKVwIMw0oBRa8+YLTD08EeYgu+oXXDpGD0oL1
+YJLLBdr6ycR9Rk/sUqbZgEnzQZPYXazIraUrd71Ry8CaNvqi86Of7sX6SgSQQeg/
+ZPLNcPWPadG/9jpMNJNsXXEZicNJXznQczlXKvRXINOJzknJYwwgH+/55otbzNzq
+EjlOmFEn07bGAHCsHTfydlCeYqD9x+WV/X8CReMFjcaaBH4TDms=
+=S0c5
+-----END PGP SIGNATURE-----
diff --git a/sssd.changes b/sssd.changes
index 5b4d1eb..1121950 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -1,3 +1,19 @@ +------------------------------------------------------------------- +Tue Dec 10 20:17:10 UTC 2024 - Jan Engelhardt + +- Update to release 2.10.1 + * SSSD does not create anymore missing path components of + DIR:/FILE: ccache types while acquiring user's TGT. The + parent directory of requested ccache directory must exist and + the user trying to log in must have rwx access to this + directory. This matches behavior of /usr/bin/kinit. + * The option default_domain_suffix is deprecated. +- Delete 0001-Configuration-make-sure-etc-sssd-and-everything.patch, + 0001-INI-relax-config-files-checks.patch, + 0001-INI-stop-using-libini_config-for-access-check.patch, + 0001-sssd-always-print-path-when-config-object-is-rejecte.patch + (merged) + ------------------------------------------------------------------- Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt diff --git a/sssd.spec b/sssd.spec index d360e18..5f59646 100644 --- a/sssd.spec +++ b/sssd.spec @@ -17,7 +17,7 @@ Name: sssd -Version: 2.10.0 +Version: 2.10.1 Release: 0 Summary: System Security Services Daemon License: GPL-3.0-or-later AND LGPL-3.0-or-later @@ -28,10 +28,6 @@ Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%v Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc Source3: baselibs.conf Source5: %name.keyring -Patch3: 0001-sssd-always-print-path-when-config-object-is-rejecte.patch -Patch4: 0001-INI-stop-using-libini_config-for-access-check.patch -Patch5: 0001-INI-relax-config-files-checks.patch -Patch6: 0001-Configuration-make-sure-etc-sssd-and-everything.patch Patch11: krb-noversion.diff Patch12: harden_sssd-ifp.service.patch Patch13: harden_sssd-kcm.service.patch 
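Review bot: Dropping Patch3–Patch6 at @28 is only correct if the 2.10.1 tarball actually carries the equivalent changes, and nothing in this commit demonstrates that: the deleted 0001-INI-*.patch and 0001-Configuration-*.patch files above are what replaced the libini_config ownership/mode check with the relaxed root-or-sssd check and what chown/chmod the config directory in ExecStartPre, so a missing one would either reject a root:sssd 0640 sssd.conf again or reinstate the stricter check. sssd.changes states "(merged)", but its release-note bullets mention only the ccache and default_domain_suffix changes. Three of the four patches carry a "cherry picked from commit" trailer, which suggests they landed on the 2.10 branch; the "INI: stop using 'libini_config' for access check" one has none, so that one in particular should be confirmed against the 2.10.1 source. Adding the upstream commit ids to the changes entry, e.g. `  (merged upstream, see <UPSTREAM-COMMIT-IDS>)`, would make the claim checkable later.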
@@ -489,11 +485,11 @@ cat >"$b/etc/permissions.d/sssd" <<-EOF %_libexecdir/sssd/sssd_pam root:sssd 0750 +capabilities cap_dac_read_search=p %_libexecdir/sssd/selinux_child root:sssd 0750 - +capabilities %child_capabilities + +capabilities cap_setgid,cap_setuid=p %_libexecdir/sssd/krb5_child root:sssd 0750 - +capabilities %child_capabilities + +capabilities cap_dac_read_search,cap_setgid,cap_setuid=p %_libexecdir/sssd/ldap_child root:sssd 0750 - +capabilities %child_capabilities + +capabilities cap_dac_read_search=p EOF %check @@ -691,7 +687,6 @@ fi %_libdir/%name/libsss_files* %endif %_libdir/%name/libsss_iface* -%_libdir/%name/libsss_semanage* %_libdir/%name/libsss_sbus* %_libdir/%name/libsss_simple* %_libdir/%name/libsss_util* @@ -710,7 +705,7 @@ fi %_libexecdir/%name/sss_signal %_libexecdir/%name/sssd_check_socket_activated_responders %if 0%{?suse_version} >= 1600 -%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/selinux_child +%attr(750,root,%sssd_user) %caps(cap_setgid,cap_setuid=p) %_libexecdir/%name/selinux_child %endif %dir %sssdstatedir %attr(700,%sssd_user,%sssd_user) %dir %dbpath/ @@ -839,8 +834,8 @@ fi %dir %_libdir/%name/ %_libdir/%name/libsss_krb5_common.so %dir %_libexecdir/%name/ -%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/krb5_child -%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/ldap_child +%attr(750,root,%sssd_user) %caps(cap_dac_read_search,cap_setgid,cap_setuid=p) %_libexecdir/%name/krb5_child +%attr(750,root,%sssd_user) %caps(cap_dac_read_search=p) %_libexecdir/%name/ldap_child %files ldap %dir %_libdir/%name/ diff --git a/symvers.patch b/symvers.patch index ab19be6..89e9857 100644 --- a/symvers.patch +++ b/symvers.patch 
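Review bot: Each helper's capability set is now written out twice — once in the permissions.d heredoc at @489 and again in `%caps(...)` in the %files sections at @710 and @839 — so the two copies can drift, and the permissions profile that chkstat applies would then differ from the file capability the package installed. One macro per helper, e.g. `%define krb5_child_caps cap_dac_read_search,cap_setgid,cap_setuid=p`, referenced from both places, keeps a single source of truth while preserving the per-binary sets; if `%child_capabilities` is still defined earlier in the spec (outside this diff), it is now unused and should be removed. The per-binary sets themselves look like a least-privilege improvement (ldap_child keeps only cap_dac_read_search, selinux_child only the setuid/setgid pair), but neither this nor the removal of the `%_libdir/%name/libsss_semanage*` entry at @691 appears in the sssd.changes entry; a bullet such as `- Give krb5_child, ldap_child and selinux_child only the file capabilities each one needs` would document the behavioural change.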
@@ -12,14 +12,14 @@ libsss_ldap.so(-2.7.4) cannot find a libsss_util.so(-2.7.4), since the system only has libsss_util.so(-2.8.2) at this point. --- - Makefile.am | 47 ++++++++++++++++++++++++++++++++--------------- - 1 file changed, 32 insertions(+), 15 deletions(-) + Makefile.am | 44 ++++++++++++++++++++++++++++++-------------- + 1 file changed, 30 insertions(+), 14 deletions(-) -Index: sssd-2.9.2/Makefile.am +Index: sssd-2.10.1/Makefile.am =================================================================== ---- sssd-2.9.2.orig/Makefile.am -+++ sssd-2.9.2/Makefile.am -@@ -955,7 +955,11 @@ libsss_debug_la_SOURCES = \ +--- sssd-2.10.1.orig/Makefile.am ++++ sssd-2.10.1/Makefile.am +@@ -971,7 +971,11 @@ libsss_debug_la_SOURCES = \ libsss_debug_la_LIBADD = \ $(SYSLOG_LIBS) libsss_debug_la_LDFLAGS = \ @@ -32,7 +32,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_child.la libsss_child_la_SOURCES = src/util/child_common.c -@@ -965,7 +969,8 @@ libsss_child_la_LIBADD = \ +@@ -981,7 +985,8 @@ libsss_child_la_LIBADD = \ $(DHASH_LIBS) \ libsss_debug.la \ $(NULL) @@ -42,7 +42,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_crypt.la -@@ -1004,7 +1009,8 @@ libsss_crypt_la_LIBADD = \ +@@ -1021,7 +1026,8 @@ libsss_crypt_la_LIBADD = \ libsss_debug.la \ $(NULL) libsss_crypt_la_LDFLAGS = \ @@ -52,7 +52,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_cert.la -@@ -1029,8 +1035,9 @@ libsss_cert_la_LIBADD = \ +@@ -1046,8 +1052,9 @@ libsss_cert_la_LIBADD = \ libsss_debug.la \ $(NULL) libsss_cert_la_LDFLAGS = \ @@ -63,7 +63,7 @@ Index: sssd-2.9.2/Makefile.am generate-sbus-code: $(builddir)/sbus_generate.sh $(abs_srcdir) -@@ -1131,8 +1138,9 @@ libsss_sbus_la_CFLAGS = \ +@@ -1148,8 +1155,9 @@ libsss_sbus_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libsss_sbus_la_LDFLAGS = \ 
@@ -74,7 +74,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_sbus_sync.la libsss_sbus_sync_la_SOURCES = \ -@@ -1167,8 +1175,9 @@ libsss_sbus_sync_la_CFLAGS = \ +@@ -1184,8 +1192,9 @@ libsss_sbus_sync_la_CFLAGS = \ $(UNICODE_LIBS) \ $(NULL) libsss_sbus_sync_la_LDFLAGS = \ @@ -85,7 +85,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_iface.la libsss_iface_la_SOURCES = \ -@@ -1197,8 +1206,9 @@ libsss_iface_la_CFLAGS = \ +@@ -1214,8 +1223,9 @@ libsss_iface_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libsss_iface_la_LDFLAGS = \ @@ -96,7 +96,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_iface_sync.la libsss_iface_sync_la_SOURCES = \ -@@ -1225,8 +1235,9 @@ libsss_iface_sync_la_CFLAGS = \ +@@ -1242,8 +1252,9 @@ libsss_iface_sync_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libsss_iface_sync_la_LDFLAGS = \ @@ -107,7 +107,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_util.la libsss_util_la_SOURCES = \ -@@ -1322,7 +1333,8 @@ endif +@@ -1338,7 +1349,8 @@ endif if BUILD_PASSKEY libsss_util_la_SOURCES += src/db/sysdb_passkey_user_verification.c endif # BUILD_PASSKEY @@ -115,19 +115,9 @@ Index: sssd-2.9.2/Makefile.am +libsss_util_la_LDFLAGS = -avoid-version ${symv} +EXTRA_libsss_util_la_DEPENDENCIES = x.sym - pkglib_LTLIBRARIES += libsss_semanage.la - libsss_semanage_la_CFLAGS = \ -@@ -1341,7 +1353,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_ - endif - - libsss_semanage_la_LDFLAGS = \ -- -avoid-version -+ -avoid-version ${symv} -+EXTRA_libsss_semanage_la_DEPENDENCIES = x.sym - SSSD_INTERNAL_LTLIBS = \ libsss_util.la \ -@@ -1357,7 +1370,7 @@ lib_LTLIBRARIES = libipa_hbac.la \ +@@ -1354,7 +1366,7 @@ lib_LTLIBRARIES = libipa_hbac.la \ $(NULL) pkgconfig_DATA += src/lib/ipa_hbac/ipa_hbac.pc 
@@ -136,7 +126,7 @@ Index: sssd-2.9.2/Makefile.am libipa_hbac_la_SOURCES = \ src/lib/ipa_hbac/hbac_evaluator.c \ src/util/sss_utf8.c -@@ -1688,8 +1701,9 @@ libifp_iface_la_CFLAGS = \ +@@ -1682,8 +1694,9 @@ libifp_iface_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libifp_iface_la_LDFLAGS = \ @@ -147,7 +137,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libifp_iface_sync.la libifp_iface_sync_la_SOURCES = \ -@@ -1714,8 +1728,9 @@ libifp_iface_sync_la_CFLAGS = \ +@@ -1708,8 +1721,9 @@ libifp_iface_sync_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libifp_iface_sync_la_LDFLAGS = \ @@ -158,7 +148,7 @@ Index: sssd-2.9.2/Makefile.am sssd_ifp_SOURCES = \ src/responder/ifp/ifpsrv.c \ -@@ -4314,8 +4329,9 @@ libsss_ldap_common_la_LIBADD = \ +@@ -4314,8 +4328,9 @@ libsss_ldap_common_la_LIBADD = \ $(SSSD_INTERNAL_LTLIBS) \ $(NULL) libsss_ldap_common_la_LDFLAGS = \ @@ -169,7 +159,7 @@ Index: sssd-2.9.2/Makefile.am if BUILD_SYSTEMTAP libsss_ldap_common_la_LIBADD += stap_generated_probes.lo endif -@@ -4372,7 +4388,8 @@ libsss_krb5_common_la_LIBADD = \ +@@ -4371,7 +4386,8 @@ libsss_krb5_common_la_LIBADD = \ $(SSSD_INTERNAL_LTLIBS) \ $(NULL) libsss_krb5_common_la_LDFLAGS = \