From 3a117daca5cbd4589559ca0130173cde7d9ea73ba13cd0e575b6b806bd348491 Mon Sep 17 00:00:00 2001 From: OBS User unknown Date: Wed, 16 Oct 2024 16:29:57 +0000 Subject: [PATCH 01/14] [info=03cfa0ca67c32d9aa59b740572efe4b06c350b3529fdc9dd7d46e7501d8cd398] OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=322 --- .gitattributes | 23 + .gitignore | 1 + _scmsync.obsinfo | 4 + baselibs.conf | 6 + build.specials.obscpio | 3 + harden_sssd-ifp.service.patch | 24 + harden_sssd-kcm.service.patch | 28 + krb-noversion.diff | 20 + sssd-2.10.0.tar.gz | 3 + sssd-2.10.0.tar.gz.asc | 16 + sssd-2.9.5.tar.gz | 3 + sssd-2.9.5.tar.gz.asc | 16 + sssd.changes | 2133 +++++++++++++++++++++++++++++++++ sssd.keyring | 75 ++ sssd.spec | 903 ++++++++++++++ symvers.patch | 181 +++ 16 files changed, 3439 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 _scmsync.obsinfo create mode 100644 baselibs.conf create mode 100644 build.specials.obscpio create mode 100644 harden_sssd-ifp.service.patch create mode 100644 harden_sssd-kcm.service.patch create mode 100644 krb-noversion.diff create mode 100644 sssd-2.10.0.tar.gz create mode 100644 sssd-2.10.0.tar.gz.asc create mode 100644 sssd-2.9.5.tar.gz create mode 100644 sssd-2.9.5.tar.gz.asc create mode 100644 sssd.changes create mode 100644 sssd.keyring create mode 100644 sssd.spec create mode 100644 symvers.patch diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/_scmsync.obsinfo b/_scmsync.obsinfo
new file mode 100644
index 0000000..f012edb
--- /dev/null
+++ b/_scmsync.obsinfo
@@ -0,0 +1,4 @@
+mtime: 1728999204
+commit: 03cfa0ca67c32d9aa59b740572efe4b06c350b3529fdc9dd7d46e7501d8cd398
+url: https://src.opensuse.org/jengelh/sssd
+revision: master
diff --git a/baselibs.conf b/baselibs.conf
new file mode 100644
index 0000000..d35a1bc
--- /dev/null
+++ b/baselibs.conf
@@ -0,0 +1,6 @@
+sssd
+ supplements "packageand(sssd:pam-)"
+ supplements "packageand(sssd:glibc-)"
+ -/usr/lib(64)?/*
+ obsoletes "sssd-common- < "
+ provides "sssd-common- = "
diff --git a/build.specials.obscpio b/build.specials.obscpio
new file mode 100644
index 0000000..5e5e765
--- /dev/null
+++ b/build.specials.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7109a449ccc8eb4902df46ec34f884b03ad903a916ee172b319361ee93e47ad7
+size 256
diff --git a/harden_sssd-ifp.service.patch b/harden_sssd-ifp.service.patch
new file mode 100644
index 0000000..250a49f
--- /dev/null
+++ b/harden_sssd-ifp.service.patch
@@ -0,0 +1,24 @@
+Index: sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in
+===================================================================
+--- sssd-2.5.2.orig/src/sysv/systemd/sssd-ifp.service.in
++++ sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in
+@@ -5,6 +5,19 @@ After=sssd.service
+ BindsTo=sssd.service
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Environment=DEBUG_LOGGER=--logger=files
+ EnvironmentFile=-@environment_file@
+ Type=dbus
diff --git a/harden_sssd-kcm.service.patch b/harden_sssd-kcm.service.patch
new file mode 100644
index 0000000..6526831
--- /dev/null
+++ b/harden_sssd-kcm.service.patch
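Review bot: The directive block added to sssd-ifp.service covers filesystem and kernel-interface isolation but none of the privilege-escalation knobs that normally accompany this profile: `NoNewPrivileges=true`, `RestrictSUIDSGID=true`, `RestrictNamespaces=true`, `LockPersonality=true` and `SystemCallArchitectures=native` are all absent, and `CapabilityBoundingSet=` is not narrowed. sssd_ifp is a D-Bus activated responder (`Type=dbus`) answering queries from unprivileged bus clients, so limiting what a compromised responder can escalate to matters at least as much as read-only `/usr`. Whether the unit carries a `User=` line is not visible in this hunk; several of the listed `Protect*=` options imply no_new_privs only for non-root services, so `NoNewPrivileges=true` should be stated explicitly rather than assumed, while `CapabilityBoundingSet=` needs the surrounding unit checked first. The `Index:` header still points at sssd-2.5.2 while the sibling kcm patch was refreshed to 2.10.0; aligning it avoids fuzzy application against the 2.10.0 tarball this import ships.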
@@ -0,0 +1,28 @@
+---
+ src/sysv/systemd/sssd-kcm.service.in | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
+===================================================================
+--- sssd-2.10.0.orig/src/sysv/systemd/sssd-kcm.service.in
++++ sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
+@@ -8,6 +8,19 @@ After=sssd-kcm.socket
+ Also=sssd-kcm.socket
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Environment=DEBUG_LOGGER=--logger=files
+ ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
+ ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
diff --git a/krb-noversion.diff b/krb-noversion.diff
new file mode 100644
index 0000000..3dea2c2
--- /dev/null
+++ b/krb-noversion.diff
@@ -0,0 +1,20 @@
+From: Jan Engelhardt
+Date: 2019-02-15 17:20:47.842813210 +0100
+
+Remove versions checks that need updating every iteration.
+---
+ src/external/pac_responder.m4 | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: sssd-2.0.0/src/external/pac_responder.m4
+===================================================================
+--- sssd-2.0.0.orig/src/external/pac_responder.m4
++++ sssd-2.0.0/src/external/pac_responder.m4
+@@ -11,6 +11,7 @@ then
+ AC_MSG_CHECKING(for supported MIT krb5 version)
+ KRB5_VERSION="`$KRB5_CONFIG --version`"
+ case $KRB5_VERSION in
++ *|\
+ Kerberos\ 5\ release\ 1.9* | \
+ Kerberos\ 5\ release\ 1.10* | \
+ Kerberos\ 5\ release\ 1.11* | \
diff --git a/sssd-2.10.0.tar.gz b/sssd-2.10.0.tar.gz
new file mode 100644
index 0000000..38e2605
--- /dev/null
+++ b/sssd-2.10.0.tar.gz
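Review bot: `ProtectSystem=full` makes `/etc` read-only for this unit, yet the two `ExecStartPre=+-/bin/chown` context lines directly below the block fix ownership of `@sssdconfdir@` and `sssd.conf` inside `/etc`; that keeps working only because the `+` prefix runs those commands with full privileges outside the filesystem sandbox, and nothing in the unit records that dependency. A one-line note above the block, such as `# ExecStartPre below uses the '+' prefix and so runs outside this sandbox; keep it when tightening ProtectSystem=`, would stop the next tightening to `strict` or a dropped prefix from breaking startup. Like the ifp unit, the set omits `NoNewPrivileges=true`, `RestrictSUIDSGID=true`, `RestrictNamespaces=true` and `LockPersonality=true`; sssd_kcm holds users' credential caches, so closing privilege-escalation paths is worth more here than elsewhere. `RestrictAddressFamilies=AF_UNIX` is deliberately not proposed, because the changelog in this import records that KCM renews TGTs, which may require network sockets.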
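Review bot: The inserted `*|\` is the first pattern of `case $KRB5_VERSION in`, and a bare `*` matches every string, including the empty string left when `$KRB5_CONFIG --version` fails or the binary is not MIT krb5; the supported-version check for the PAC responder is therefore not relaxed but removed, and the `Kerberos\ 5\ release\ 1.9*` patterns after it become unreachable. The PAC responder plugin processes Kerberos PAC data and is built against krb5 plugin interfaces, so silently building it against an unverified or absent krb5 is a correctness and security concern rather than a convenience. If the goal is only to stop extending the list per release, match the prefix instead: `Kerberos\ 5\ release\ 1.*|\` (or `Kerberos\ 5\ release\ [1-9]*|\`), which accepts any MIT release while still failing when krb5-config returns nothing. The `case` statement continues past the end of this hunk, so the branch bodies and the failure path that follow could not be checked here.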
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0b1167e8017209ec25b9683e0006947eaa0cfd7a8161bfea120bd8511006db0d
+size 9177851
diff --git a/sssd-2.10.0.tar.gz.asc b/sssd-2.10.0.tar.gz.asc
new file mode 100644
index 0000000..3783730
--- /dev/null
+++ b/sssd-2.10.0.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmcOPUoACgkQ09IbKRDP
+Z1myuA//anDvdZcQp0EUia2NsiWt2MFE8esmsEIN6QmEYjUxvEeXI9q4YJQimMi8
+wdt0zqZE1PLrTcroWaeGcgt2+CJWUbVanZtNn3oo7lUVYrLKemrUzavM7dXTaA43
+cdKAFyEO+nHJQ2yBNUt6sRXc3tM0H27yZs0iL+CcYu6YshUTbMnZuwdpz7DqDTN8
+nbG+LWa+U0en5mI3waP8Ionwmdv9AJAuCHQZLlZDpM0+YfGumcIUJdbxU/I8pqP8
+MQaulPv3e+BNwdbUiLlk0cXRjuEfSd0bmMa3MqB4IqMvvjACU0GuSgK3FDhutZJe
+HfmzYSo/Zntmr7F/eYLz6zy/GU3VewEilOyRV08oz+EVJRbGyo2t4k6PUYbn+I4V
+kJ/maed5jnBzIZGf6o+P1r+3mavJg7k2LDV4s48MsZ4Y5ED4X0c+boT1L5FZbquW
+gp99Di0RG4VoWiYOfVfszLzeDWOLbOrKMyA6PTqlmjGYAdV9SBwZP5WEdwXyPovo
+D7uual7Eqdd+Y/lt+8O4Wd+Y+a9xI2kwVFo8KYmHc8PhgLpPIKTWbBTEI+0nw3fJ
+qqyyA7JWA81bt4WKVuJaeS87S/9F4yn8ps2dzSgHjZ2Tzr7Eu1a3RWLjKYsjKZrT
+PPd2d/02rQAZPwLYHN5qM3Xjh0DD7IiXav1QuIPxmUQA9z8ZiuA=
+=mJVY
+-----END PGP SIGNATURE-----
diff --git a/sssd-2.9.5.tar.gz b/sssd-2.9.5.tar.gz
new file mode 100644
index 0000000..09b8ff1
--- /dev/null
+++ b/sssd-2.9.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bf955cc26b6d215bbb9083eadb613f78d7b727fb023f39987aec37680ae40ae3
+size 8001964
diff --git a/sssd-2.9.5.tar.gz.asc b/sssd-2.9.5.tar.gz.asc
new file mode 100644
index 0000000..05b00fc
--- /dev/null
+++ b/sssd-2.9.5.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmZF8CMACgkQ09IbKRDP
+Z1lSVQ/9EPVvWUX1z/pHfbvDjRpfD+LDbDceYB4YBh0caYpMVFm/2wHhFIjTYEpf
+SmIR+SQp50NkRSK6tE/u+Swu+YUkiCqnEWv2y9wd4Uh2NKiukyiqBC1k2cn9URNu
+oRreBM1KIRvTkdoyZwteELJ7vMLVr0UT2iIXZQFIIZX+LM3FNZJ5vFcj5fF0Hz1f
+v8zR0VTB7xY/6U+4KikvMyM3fOPeTOJvEtMp4xDWyquRjCADjZasOQcKRQzXp1er
+zs/qLcQ8eCODXhKelGqmppVIElW+72f1FNbMpBnlQ7VtFn6pn4sPazO0Hr7eNfZJ
+Vc6GXN8zZ/oF5U4x7XSMVqeOHLQoLeb2HxgUzS+1Ig19FHOs6Xoj0dO5l/TOEFav
+l61qytYnj3DNZjrMVLsMvOx3qGYK7PmyaWNoIJlLO2GbWKMP/8yBm35Ugd0jybSi
+T7VWX+isQHfVhSZ9wD4/yYOBAU3lABORAjXkCWQp/vMR/KiHbfaajCAbl56KiijQ
+eKYaq57EH3N+qKd1sqCrPfSw3HSqm3rngG1CsMasBQgLFs2aW+Mwo3UvQ1U/ykED
+mOo2D9uhOQluv4AUSpKK6E8EXoPSxDFZI4WX37depO2VGXDO90JNfVamJXjy1+bH
+d/RnoZfC7h7Vb1P1bPgGdsAFQBOP0FinbEjehpw0P0U2xAZQWek=
+=pY7t
+-----END PGP SIGNATURE-----
diff --git a/sssd.changes b/sssd.changes
new file mode 100644
index 0000000..9e67996
--- /dev/null
+++ b/sssd.changes
@@ -0,0 +1,2133 @@ +------------------------------------------------------------------- +Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt + +- Update to release 2.10.0 + * The ``sssctl cache-upgrade`` command was removed. SSSD + performs automatic upgrades at startup when needed. + * Support of ``enumeration`` feature (i.e. ability to list all + users/groups using ``getent passwd/group`` without argument) + for AD/IPA providers is deprecated and might be removed in + further releases. + * The new tool ``sss_ssh_knownhosts`` can be used with ssh's + ``KnownHostsCommand`` configuration option to retrieve the + host's public keys from a remote server (FreeIPA, LDAP, + etc.). It replaces ```sss_ssh_knownhostsproxy``. + * The default value for ``ldap_id_use_start_tls`` changed from + false to true for improved security. + * https://github.com/SSSD/sssd/releases/tag/2.10.0 + +------------------------------------------------------------------- +Tue Oct 1 10:15:07 UTC 2024 - Jan Engelhardt + +- Update filelists involving memberof.so and idmap/sss.so to + avoid gobbling up one file into multiple sssd subpackages. + (Between samba-4.20 and 4.21, %ldbdir changes from + /usr/lib64/ldb2/modules/ldb to /usr/lib64/samba/ldb, so now + `%_libdir/samba` is a bit too broad.) + +------------------------------------------------------------------- +Wed Jul 17 09:19:20 UTC 2024 - Samuel Cabrero + +- Fix spec file for openSUSE ALP and SUSE SLFO, where the + python3_fix_shebang_path RPM macro is not available + +------------------------------------------------------------------- +Thu Jul 11 09:41:21 UTC 2024 - Samuel Cabrero + +- Revert the change dropping the default configuration file. If + /usr/etc exists will be installed there, otherwise in /etc. + (bsc#1226157); + +------------------------------------------------------------------- +Thu May 16 12:13:02 UTC 2024 - Jan Engelhardt + +- Update to release 2.9.5 + * Added failover_primary_timout configuration option. 
This can + be used to configure how often SSSD tries to reconnect to a + primary server after a successful connection to a backup + server. This was previously hardcoded to 31 seconds which is + kept as the default value. + +------------------------------------------------------------------- +Fri Mar 8 12:49:59 UTC 2024 - pgajdos@suse.com + +- remove dependency on /usr/bin/python3 using + %python3_fix_shebang_path macro, [bsc#1212476] + +------------------------------------------------------------------- +Fri Jan 12 14:02:10 UTC 2024 - Jan Engelhardt + +- Update to release 2.9.4 + * Fixes a crash when PAM passkey processing incorrectly handles + non-passkey data. + * Fixed group membership handling when members are coming from + different forest domains and using ldap token groups is + prohibited. + * Files provider was erroneously taking into consideration + ``local_auth_policy`` config option, thus breaking smartcard + authentication of local user in setups that did not explicitly + specify this option. This is now fixed. 
+ +------------------------------------------------------------------- +Tue Nov 21 09:43:57 UTC 2023 - Samuel Cabrero + +- Adapt spec file for SLE 15 SP6/Leap 15.6; (jsc#PED-6714); + * Remove package sssd-common, merged into sssd + * Continue building deprecated files provider and infopipe + responder + * Disable selinux and semanage + * Provide rcsssd shortcut + +------------------------------------------------------------------- +Fri Nov 17 14:52:30 UTC 2023 - Samuel Cabrero + +- Fix spec file for Leap + +------------------------------------------------------------------- +Fri Nov 17 12:30:33 UTC 2023 - Samuel Cabrero + +- /usr/etc migration, restore /etc/sssd/sssd.conf.rpmsave after + update (bsc#1216865) +- Do not install the KRB5 IDP plugin, it is useless without the + OIDC child +- Drop no longer valid --without-secrets configure switch + +------------------------------------------------------------------- +Mon Nov 13 12:48:09 UTC 2023 - Jan Engelhardt + +- Update to release 2.9.3 + * The proxy provider is now able to handle certificate mapping + and matching rules and users handled by the proxy provider can + be configured for local Smartcard authentication. Besides the + mapping rule local Smartcard authentication should be enabled + with the `local_auth_policy` option in the backend and with + `pam_cert_auth` in the PAM responder. 
+ +------------------------------------------------------------------- +Thu Nov 2 16:09:55 UTC 2023 - Jan Engelhardt + +- Offer the sssd.conf template as %doc (for examples, do actually + see the "Examples" section of the sssd.conf(5) manpage) + +------------------------------------------------------------------- +Tue Oct 31 15:20:37 UTC 2023 - Samuel Cabrero + +- Update dependencies to require the same subpackages version and + release +- Fix /usr/etc migration fragment in wrong "%pre kcm" instead of + "%pre" +- Move sss_analyze to sssd-tools package + +------------------------------------------------------------------- +Tue Oct 31 11:04:57 UTC 2023 - Jan Engelhardt + +- Default config is unworkable, just stop installing it altogether + [boo#1216739] + +------------------------------------------------------------------- +Thu Sep 7 12:07:10 UTC 2023 - Jan Engelhardt + +- Update to release 2.9.2 + * sssctl cert-show and cert-show cert-eval-rule can now be run as + non-root user. + * New option local_auth_policy is added to control which offline + authentication methods will be enabled by SSSD. + * Fix sssd entering failed state under heavy load by adding + watchdog to monitor sbus_call_DBus_Hello_send(); (bsc#1213283); + Drop SLE patch 0001-sssd-watchdog.patch + +------------------------------------------------------------------- +Fri Jun 23 14:49:30 UTC 2023 - Jan Engelhardt + +- Update to relese 2.9.1 + * A regression was fixed that prevented autofs lookups to + function correctly when cache_first is set to True. + * A regression where SSSD failed to properly watch for changes + in ``/etc/resolv.conf`` when it was a symbolic link or was a + relative path, was fixed. 
+ * ldap password policy: return failure if there are no grace logins + left; (bsc#1214434); Drop SLE patch + 0006-ldap-return-failure-if-there-are-no-grace-logins-lef.patch + +------------------------------------------------------------------- +Fri May 5 10:47:41 UTC 2023 - Jan Engelhardt + +- Update to release 2.9 + * The sss_simpleifp library is deprecated (and for openSUSE, + already removed) + * The "Files provider" (i.e. id_provider = files) is deprecated + (and for openSUSE, already removed) + * SSSD will no longer warn about changed defaults when using + ldap_schema = rfc2307 and default autofs mapping. + * New passkey functionality, which will allow the use of FIDO2 + compliant devices to authenticate a centrally managed user + locally. + * Add support for ldapi:// URLs to allow connections to local + LDAP servers. + * NSS IDMAP has two new methods: getsidbyusername and + getsidbygroupname. + +------------------------------------------------------------------- +Thu Jan 26 15:23:54 UTC 2023 - Callum Farmer + +- Move dbus-1 system.d file to /usr (bsc#1207586) + +------------------------------------------------------------------- +Tue Jan 3 12:01:41 UTC 2023 - Stefan Schubert + +- Migration of PAM settings to /usr/lib/pam.d. + +------------------------------------------------------------------- +Wed Dec 21 19:29:45 UTC 2022 - Jan Engelhardt + +- Take systemd units off the restart list that have + RefuseManualStart=yes [boo#1206592] +- Add symvers.patch [boo#1206592] [bsc#1182058] [bsc#1196166] + +------------------------------------------------------------------- +Sun Dec 11 14:17:23 UTC 2022 - Jan Engelhardt + +- Update to release 2.8.2 + * New mapping template for serial number, subject key id, SID, + certificate hashes and DN components are added to + libsss_certmap. 
+ +------------------------------------------------------------------- +Fri Nov 4 12:28:27 UTC 2022 - Jan Engelhardt + +- Update to release 2.8.1 + * A regression when running sss_cache when no SSSD domain is + enabled would produce a syslog critical message was fixed. + +------------------------------------------------------------------- +Fri Oct 7 12:05:29 UTC 2022 - Jan Engelhardt + +- Update to release 2.8.0 + * Introduced the dbus function + org.freedesktop.sssd.infopipe.Users.ListByAttr(attr, value, + limit) listing upto limit users matching the filter + attr=value. + * sssctl is now able to create, list and delete indexes on the + local caches. Indexes are useful for the new D-Bus + ListByAttr() function. + * sssctl is now able to read and set each component's debug + level independently. + * A number of new configuration options are available, + cf. https://sssd.io/release-notes/sssd-2.8.0.html . + * Fix sdap_access_host No matching host rule found; + (bsc#1202559); Drop SLE patch + 0001-Fix-sdap_access_host-No-matching-host-rule-found.patch + * Accept krb5 1.20 for building the PAC plugin; Drop SLE patch + 0004-BUILD-Accept-krb5-1.20-for-building-the-PAC-plugin.patch + +------------------------------------------------------------------- +Thu Sep 1 13:45:36 UTC 2022 - Stefan Schubert + +- Migration to /usr/etc: Saving user changed configuration files + in /etc and restoring them while an RPM update. + +------------------------------------------------------------------- +Fri Aug 26 20:54:33 UTC 2022 - Jan Engelhardt + +- Update to release 2.7.4 + * Lock-free client support will be only built if libc provides + pthread_key_create() and pthread_once(). For glibc this means + version 2.34+. + +------------------------------------------------------------------- +Mon Jul 4 12:11:11 UTC 2022 - Jan Engelhardt + +- Update to release 2.7.3 + * All SSSD client libraries (nss, pam, etc) won't serialize + requests anymore by default, i.e. 
requests from multiple + threads can be executed in parallel. Old behavior + (serialization) can be enabled by setting environment + variable "SSS_LOCKFREE" to "NO". + +------------------------------------------------------------------- +Tue Jun 21 10:19:54 UTC 2022 - Stefan Schubert + +- Removed %config flag for files in /usr directory. + +------------------------------------------------------------------- +Tue Jun 21 06:43:27 UTC 2022 - Stefan Schubert + +- Moved logrotate files from user-specific directory /etc/logrotate.d + to vendor-specific directory /usr/etc/logrotate.d. + +------------------------------------------------------------------- +Wed Jun 15 11:28:35 UTC 2022 - Samuel Cabrero + +- Use pam rpm macros to avoid hardcoding the directory names; + (bsc#1191047); +- Do not take ownership of %_pam_confdir directory, it is owned by + pam package + +------------------------------------------------------------------- +Mon Jun 13 14:48:28 UTC 2022 - Jan Engelhardt + +- Update to release 2.7.2 + * A sssd-2.7.1 regression preventing successful authentication of + IPA users was fixed. + * Default value of pac_check changed to check_upn, + check_upn_dns_info_ex (for AD and IPA provider). + +------------------------------------------------------------------- +Thu Jun 2 15:24:57 UTC 2022 - Jan Engelhardt + +- Update to release 2.7.1 + * SSSD can now handle multi-valued RDNs if a unique name must + be determined with the help of the RDN. + * A regression in pam_sss_gss module causing a failure if + KRB5CCNAME environment variable was not set was fixed. + * New option `implicit_pac_responder` to control if the PAC + responder is started for the IPA and AD providers; the + default is true. + * New option `krb5_check_pac` to control the PAC validation + behavior. + * Multiple `crl_file` arguments can be used in the + `certificate_verification` option. 
+ +------------------------------------------------------------------- +Mon May 16 21:49:38 UTC 2022 - Jan Engelhardt + +- Enable subid_sss + +------------------------------------------------------------------- +Thu Apr 14 22:43:03 UTC 2022 - Jan Engelhardt + +- Update to release 2.7.0 + * Better default for IPA/AD re_expression. Tunning for group + names containing '@' is no longer needed. + * A new debug level is added to show statistical and + performance data. + * Added support for anonymous PKINIT to get FAST credentials. + * SSSD now correctly falls back to UPN search if the user was + not found even with `cache_first = true`. + * Add 'ldap_ignore_unreadable_references' parameter to skip + unreadable objects referenced by 'member' attributte; + (bsc#1190775); (gh#SSSD/sssd#4893); Drop SLE patch + 0001-ldap-ignore-unreadable-references.patch + +------------------------------------------------------------------- +Mon Feb 21 14:50:38 UTC 2022 - Callum Farmer + +- Enable selinux support +- Update Supplements to new format + +------------------------------------------------------------------- +Wed Feb 9 13:17:30 UTC 2022 - Samuel Cabrero + +- Remove caches only when performing a package downgrade. The sssd + daemon takes care of upgrading the database format when necessary + (bsc#1195552) + +------------------------------------------------------------------- +Tue Jan 25 11:32:10 UTC 2022 - Jan Engelhardt + +- Update to release 2.6.3 + * A regression introduced in sssd-2.6.2 in the IPA provider + that prevented users from login was fixed. Access control + always denied access because the selinux_child returned an + unexpected reply. + * A critical regression that prevented authentication of users + via AD and IPA providers was fixed. LDAP port was reused for + Kerberos communication and this provider would send + incomprehensible information to this port. + * When authenticating AD users, backtrace was triggered even + though everything was working correctly. 
This was caused by a + search in the global catalog. Servers from the global catalog + are filtered out of the list before writing the KDC info + file. With this fix, SSSD does not attempt to write to the + KDC info file when performing a GC lookup. + +------------------------------------------------------------------- +Mon Jan 17 17:27:40 UTC 2022 - Jan Engelhardt + +- Upgrade LDB_DIR shell variable to %ldbdir macro. + +------------------------------------------------------------------- +Tue Jan 11 18:04:46 UTC 2022 - Samuel Cabrero + +- Remove libsmbclient-devel BuildRequires in favor of + pkgconfig(smbclient) + +------------------------------------------------------------------- +Thu Dec 23 14:52:55 UTC 2021 - Jan Engelhardt + +- Update to release 2.6.2 + * Quick log out and log in did not correctly refresh user's + initgroups in no_session PAM schema due to lingering systemd + processes. + +------------------------------------------------------------------- +Tue Nov 23 16:11:48 UTC 2021 - Johannes Segitz + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_sssd-ifp.service.patch + * harden_sssd-kcm.service.patch + +------------------------------------------------------------------- +Tue Nov 9 15:35:58 UTC 2021 - Jan Engelhardt + +- Update to release 2.6.1 + * New infopipe method FindByValidCertificate(). + * The default value of the "ssh_hash_known_hosts" setting was + changed to false for the sake of consistency with OpenSSH + that does not hash host names by default. + +------------------------------------------------------------------- +Fri Oct 15 13:41:13 UTC 2021 - Jan Engelhardt + +- Update to release 2.6.0 + * Support of legacy json format for ccaches was dropped. + * Support of long time deprecated secrets responder was dropped. + * Support of long time deprecated local provider was dropped. 
+ * The sssctl command was vulnerable to shell command injection + via the logs-fetch and cache-expire subcommands, + which was fixed; (CVE-2021-3621); (bsc#1189492); Drop SLE patch + 0002-TOOLS-replace-system-with-execvp-to-avoid-execution-.patch + * Basic support of user's 'subuid and subgid ranges' for IPA + provider and corresponding plugin for shadow-utils were added. + +------------------------------------------------------------------- +Mon Jul 12 19:45:37 UTC 2021 - Jan Engelhardt + +- Update to release 2.5.2; (jsc#SLE-17763); + * originalADgidNumber attribute in the SSSD cache is now indexed. + * Add new config option fallback_to_nss. + +------------------------------------------------------------------- +Tue Jun 8 16:35:25 UTC 2021 - Jan Engelhardt + +- Update to release 2.5.1 + * auto_private_groups option can be set centrally through ID + range setting in IPA (see ipa idrange commands family). This + feature requires SSSD update on both client and server. This + feature also requires freeipa 4.9.4 and newer. + * Fix getsidbyname issues with IPA users with a user-private-group. + * Default value of ldap_sudo_random_offset changed to 0 + (disabled). This makes sure that sudo rules are available as + soon as possible after SSSD start in default configuration. + +------------------------------------------------------------------- +Mon May 10 13:58:04 UTC 2021 - Jan Engelhardt + +- Update to release 2.5.0 + * Added support for automatic renewal of renewable TGTs that + are stored in KCM ccache. This can be enabled by setting + tgt_renewal = true. See the sssd-kcm man page for more + details. This feature requires MIT Kerberos + krb5-1.19-0.beta2.3 or higher. + * Backround sudo periodic tasks (smart and full refresh) periods are + now extended by a random offset to spread the load on the server in + environments with many clients. + * Completing a sudo full refresh now postpones the smart refresh by + ldap_sudo_smart_refresh_interval value. 
This ensure that the smart + refresh is not run too soon after a successful full refresh. + * If debug_backtrace_enabled is set to true then on any error all prior + debug messages (to some limit) are printed even if debug_level is set + to low value. + * Besides trusted domains known by the forest root, trusted domains known + by the local domain are used as well. + * New configuration option offline_timeout_random_offset to control random + factor in backend probing interval when SSSD is in offline mode. + * ad_gpo_implicit_deny is now respected even if there are no + applicable GPOs present. + * During the IPA subdomains request a failure in reading a single specific + configuration option is not considered fatal and the request will + continue. + * Unknown IPA id-range types are not considered as an error + +------------------------------------------------------------------- +Tue Apr 6 12:08:29 UTC 2021 - Samuel Cabrero + +- Move sssctl command from sssd to sssd-tools package; (bsc#1184289); + +------------------------------------------------------------------- +Thu Apr 1 15:08:14 UTC 2021 - jeffm@suse.com + +- Add missing /var/lib/sss/pubconf/krb5.include.d directory (bsc#1184285). + +------------------------------------------------------------------- +Tue Feb 23 12:43:38 UTC 2021 - Aurelien Aptel + +- Make cifs-idmap plugin (cifs_idmap_sss.so) use update-alternatives + mechanism to be able to switch between cifs-utils and sssd; + (bsc#1182682). + +------------------------------------------------------------------- +Fri Feb 19 17:30:58 UTC 2021 - Jan Engelhardt + +- Update to release 2.4.2 + * Default value of "user" config option was fixed into + accordance with man page, i.e. default is "root". + * pam_sss_gss now support authentication indicators to further + harden the authentication. 
+
+-------------------------------------------------------------------
+Fri Feb 12 15:55:37 UTC 2021 - Dominique Leuenberger
+
+- Pass --with-pid-path=%{_rundir} to configure: adjust rundir
+ according the distro settings, i.e. /run on modern systems.
+ Eliminates a systemd warning like this one in the journal:
+ Feb 12 12:33:32 zeus systemd[1]: /usr/lib/systemd/system/sssd.service:13:
+ PIDFile= references a path below legacy directory /var/run/,
+ updating /var/run/sssd.pid → /run/sssd.pid; please update the unit file accordingly.
+
+-------------------------------------------------------------------
+Fri Feb 5 12:56:44 UTC 2021 - Jan Engelhardt
+
+- Update to release 2.4.1
+ * New PAM module pam_sss_gss for authentication using GSSAPI.
+ * case_sensitive=Preserving can now be set for trusted domains
+ with AD and IPA providers.
+ * krb5_use_subdomain_realm=True can now be used when sub-domain
+ user principal names have upnSuffixes which are not known in
+ the parent domain. SSSD will try to send the Kerberos request
+ directly to a KDC of the sub-domain.
+ * SYSLOG_IDENTIFIER was renamed to SSSD_PRG_NAME in journald
+ output, to avoid issues with PID parsing in rsyslog
+ (BSD-style forwarder) output.
+ * Added pam_gssapi_check_upn to enforce authentication only
+ with principal that can be associated with target user.
+ * Added pam_gssapi_services to list PAM services that can
+ authenticate using GSSAPI.
+ * Create timestamp attribute in cache objects if missing;
+ (bsc#1182637);
+
+-------------------------------------------------------------------
+Mon Oct 12 13:10:26 UTC 2020 - Jan Engelhardt
+
+- Update to release 2.4.0
+ * Session recording can now exclude specific users or groups
+ when scope is set to all (see exclude_users and
+ exclude_groups options).
+ * Active Directory provider now sends CLDAP pings over UDP
+ protocol to Domain Controllers in parallel to determine site
+ and forest to speed up server discovery.
+
+-------------------------------------------------------------------
+Mon Aug 10 12:55:05 UTC 2020 - Jan Engelhardt
+
+- Build sssd's KCM.
+
+-------------------------------------------------------------------
+Fri Jul 24 16:57:58 UTC 2020 - Jan Engelhardt
+
+- Update to release 2.3.1
+ * Domains can be now explicitly enabled or disabled using
+ enable option in domain section. This can be especially used
+ in configuration snippets.
+ * New configuration options memcache_size_passwd,
+ memcache_size_group, memcache_size_initgroups that can be
+ used to control memory cache size.
+ * Fixed several regressions in GPO processing introduced in
+ sssd-2.3.0
+ * Fixed regression in PAM responder: failures in cache only
+ lookups are no longer considered fatal.
+ * Fixed regression in proxy provider: pwfield=x is now default
+ value only for sssd-shadowutils target.
+ * Rotate child debug file descriptors on SIGHUP (bsc#1080156)
+- sssd-wbclient is obsolete and no longer shipped
+
+-------------------------------------------------------------------
+Tue May 19 11:32:22 UTC 2020 - Jan Engelhardt
+
+- Update to release 2.3.0
+ * SSSD can now handle hosts and networks nsswitch databases
+ (see resolve_provider option).
+ * By default, authentication request only refresh user's
+ initgroups if it is expired or there is not active user's
+ session (see pam_initgroups_scheme option).
+ * OpenSSL is used as default crypto provider, NSS is deprecated.
+ * The AD provider now defaults to GSS-SPNEGO SASL mechanism
+ (see ldap_sasl_mech option).
+ * The AD provider can now be configured to use only ldaps port
+ (see ad_use_ldaps option).
+ * SSSD now accepts host entries from GPO's security filter.
+ * New debug level (0x10000) added for low level LDB messages
+ only (see sssd.conf man page).
+ * Update samba secrets after changing machine password; (jsc#SLE-11503);
+ * Delete linked local user overrides when deleting a user
+ (bsc#1133168)
+- Drop sssd-gpo_host_security_filter-2.2.2.patch,
+ 0001-Resolve-computer-lookup-failure-when-sam-cn.patch,
+ 0001-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch (merged)
+- Drop 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
+ (unapplicable)
+
+-------------------------------------------------------------------
+Tue Mar 24 10:49:17 UTC 2020 - Jan Engelhardt
+
+- Update to 2.2.3
+ * New features:
+ * allow_missing_name now treats empty strings the same as
+ missing names.
+ * "soft_ocsp" and "soft_crl" options have been added to make
+ the checks for revoked certificates more flexible if the
+ system is offline.
+ * Smart card authentication in polkit is now allowed by default.
+ * Handling of FreeIPA users and groups containing ‘@’ sign now works.
+ * Issue when autofs was unable to mount shares was fixed.
+ * SSSD was unable to hande ldap_uri containing URIs with
+ different port numbers, which has been rectified.
+ * Fix domain offline after first boot when resolv.conf is a symlink
+ (bsc#1136139)
+- Add 0001-Fix-build-failure-against-samba-4.12.0rc1.patch
+
+-------------------------------------------------------------------
+Mon Mar 16 16:44:23 UTC 2020 - Samuel Cabrero
+
+- Fix dynamic DNS updates not using FQDN (bsc#1160587); Add
+ 0001-AD-use-getaddrinfo-with-AI_CANONNAME-to-find-the-FQD.patch
+
+-------------------------------------------------------------------
+Sun Jan 19 23:54:34 UTC 2020 - Stefan Brüns
+
+- Remove leftover python2 build dependencies
+- Remove python3-devel BuildRequires in favor of pkgconfig(python3)
+
+-------------------------------------------------------------------
+Mon Jan 13 14:40:11 UTC 2020 - David Mulder
+
+- SSSD GPO host entries are ignored if computer cn does not
+ match its samaccountname, add
+ 0001-Resolve-computer-lookup-failure-when-sam-cn.patch;
+ (jsc#SLE-9298); (bsc#1160688)
+
+-------------------------------------------------------------------
+Thu Jan 02 17:17:00 UTC 2020 - David Mulder
+
+- SSSD should accept host entries from GPO's security filter, add
+ sssd-gpo_host_security_filter-2.2.2.patch; (jsc#SLE-9298)
+
+-------------------------------------------------------------------
+Fri Nov 22 13:31:54 UTC 2019 - Samuel Cabrero
+
+- Install infopipe dbus service (bsc#1106598)
+- Add systemd service unit files to manage socket or bus activated responders.
+- All responders except infopipe are also managed by a socket unit file.
+- Add missing post and postun hooks for libsss_certmap0 package.
+
+-------------------------------------------------------------------
+Thu Nov 21 12:56:28 UTC 2019 - Jan Engelhardt
+
+- Update to release 2.2.2
+ * New options were added which allow sssd-kcm to handle bigger
+ data. See manual pages for max_ccaches, max_uid_caches and
+ max_ccache_size.
+ * SSSD can now automatically refresh cached user data from
+ subdomains in IPA/AD trust.
+ * Fixed issue with SSSD hanging when connecting to
+ non-responsive server with ldaps://.
+ * SSSD is now restarted by systemd after crashes.
+
+-------------------------------------------------------------------
+Tue Jun 18 08:00:46 UTC 2019 - Jan Engelhardt
+
+- Update to new upstream release 2.2.0
+ * The Kerberos provider can now include more KDC addresses or
+ host names when writing data for the Kerberos locator plugin.
+ * The 2FA prompting can now be configured.
+ * The LDAP authentication provider now allows to use a
+ different method of changing LDAP passwords using a modify
+ operation in addition to the default extended operation.
+ * The "auto_private_groups" configuration option now takes a
+ new value hybrid.
+ * A new option "ad_gpo_ignore_unreadable" was added.
+ * The "cached_auth_timeout" parameter is now inherited by
+ trusted domains.
+ * The "ldap_sasl_mech" option now accepts another mechanism
+ "GSS-SPNEGO" in addition to "GSSAPI".
+ * The sssctl tool has two new commands, "cert-show" and
+ "cert-map".
+ * Added an option to skip GPOs that have groupPolicyContainers,
+ unreadable by SSSD (bsc#1124194) (CVE-2018-16838)
+ * Fix fallback_homedir returning '/' for empty home directories
+ (CVE-2019-3811) (bsc#1121759)
+
+-------------------------------------------------------------------
+Fri Apr 26 10:59:25 UTC 2019 - Samuel Cabrero
+
+- Create directory to download and cache GPOs (bsc#1132879)
+
+-------------------------------------------------------------------
+Sat Mar 16 11:50:58 UTC 2019 - Jan Engelhardt
+
+- Update to new upstream release 2.1.0
+ * Any provider can now match and map certificates to user
+ identities.
+ * pam_sss can now be configured to only perform Smart Card
+ authentication or return an error if this is not possible.
+ * pam_sss can also prompt the user to insert a Smart Card if,
+ during an authentication it is not available.
+ * A new configuration option ad_gpo_implicit_deny was added.
+ This option (when set to True) can be used to deny access to
+ users even if there is not applicable GPO.
+ * The dynamic DNS update can now batch DNS updates to include
+ all address family updates in a single transaction.
+ * Fix sss_cache spurious error messages when invoked from shadow-utils;
+ (bsc#1185017);
+ * Fix building with newer samba versions (bsc#1137876)
+ * Fix memory leak in nss netgroup enumeration (bsc#1139247);
+
+-------------------------------------------------------------------
+Wed Feb 20 16:01:52 UTC 2019 - Samuel Cabrero
+
+- Install systemd service unit file created from source's template
+ (bsc#1120852); (bsc#1185185);
+- Install logrotate configuration (bsc#1004220)
+- Set journald as system logger
+
+-------------------------------------------------------------------
+Fri Feb 15 17:36:22 UTC 2019 - Jan Engelhardt
+
+- Add krb-noversion.diff so sssd_pac builds even with newer krb.
+
+-------------------------------------------------------------------
+Mon Oct 1 13:34:56 UTC 2018 - ckowalczyk@suse.com
+
+- Add dependency to adcli for sssd-ad
+ (SLE15: fate#326619, bsc#1109849)
+ (SLE12SP4: fate#326620, bsc#1110121)
+
+-------------------------------------------------------------------
+Fri Sep 7 18:52:18 UTC 2018 - Jan Engelhardt
+
+- Update to new upstream release 2.0.0
+ * The Python API for managing users and groups in local domains
+ (id_provider=local) was removed completely. The local
+ provider (id_provider=local) and the command line tools to
+ manage users and groups in the local domains, such as
+ sss_useradd is not built anymore.
+ * The LDAP provider had a special-case branch for evaluating
+ group memberships with the RFC2307bis schema when group
+ nesting was explicitly disabled. This codepath is removed.
+ * The "ldap_sudo_include_regexp" option changed its default
+ value from true to false. Wildcards in the sudoHost LDAP
+ attribute are no longer evaluated. This was costly to
+ evaluate on the LDAP server side and at the same time rarely
+ used.
+ * The list of PAM services which are allowed to authenticate
+ using a Smart Card is now configurable using a new option
+ pam_p11_allowed_services.
+ * Allow defaults sudoRole without sudoUser attribute (bsc#1135247)
+
+-------------------------------------------------------------------
+Fri Aug 31 07:14:39 UTC 2018 - kbabioch@suse.com
+
+- Update to upstream release 1.16.3
+ * New Features:
+ * kdcinfo files for informing krb5 about discovered KDCs are
+ now also generated for trusted domains in setups that use
+ id_provider=ad and IPA masters in a trust relationship with
+ an AD domain.
+ * The Kerberlos locator plugin can now process multiple
+ address if SSSD generates more than one. A
+ * Bug fixes:
+ * Fixed information leak due to incorrect permissions on
+ /var/lib/sss/pipes/sudo [CVE-2018-10852, bsc#1098377]
+ * Cached password are now stored with a salt. Old ones will be
+ regenerated on next authentication, and the auth server needs
+ to be reachable for that.
+ * The sss_ssh proces leaked file descriptors when converting
+ more than one X.509 certificate to an SSH public key.
+ * The PAC responder is now able to process Domain Local in case
+ the PAC uses SID compression (Windows Server 2012+).
+ * Address the issue that some versions of OpenSSH would close
+ the pipe towards sss_ssh_authorizedkeys when the matching key
+ is found before the rest of the output is read.
+ * User lookups no longer fail if user's e-mail address
+ conflicts with another user's fully qualified name.
+ * The override_shell and override_homedir options are no longer
+ applied to entries from the files domain.
+ * The grace logins with an expired password when authenticating
+ against certain newer versions of the 389DS/RHDS LDAP server
+ did not work.
+ * Fix login not possible when email address is duplicated in ldap
+ attributes (bsc#1149597)
+ * Strip whitespaces in netgroup triples (bsc#1087320)
+- Removed patches that are included upstream now:
+ 0001-SUDO-Create-the-socket-with-stricter-permissions.patch,
+ 0002-intg-Do-not-hardcode-nsslibdir.patch,
+ 0003-Fix-build-for-1-16-2-version.patch
+
+-------------------------------------------------------------------
+Sun Jul 1 12:44:00 UTC 2018 - ckowalczyk@suse.com
+
+- Fixed patch name.
+
+-------------------------------------------------------------------
+Wed Jun 20 10:46:34 UTC 2018 - ckowalczyk@suse.com
+
+- Introduce patches:
+ * Create sockets with right permissions:
+ 0001-SUDO-Create-the-socket-with-stricter-permissions.patch
+ (bsc#1098377, CVE-2018-10852)
+ * Fix for sssd upstream integration tests
+ 0002-intg-Do-not-hardcode-nsslibdir.patch
+ (bsc#1098163)
+
+-------------------------------------------------------------------
+Wed Jun 20 08:38:53 UTC 2018 - varkoly@suse.com
+
+- Update to new minor upstream release 1.16.2
+New Features:
+ * The smart card authentication, or in more general certificate
+ authentication code now supports OpenSSL in addition to previously
+ supported NSS (#3489). In addition, the SSH responder can now
+ return public SSH keys derived from the public keys stored in a
+ X.509 certificate. Please refer to the ssh_use_certificate_keys
+ option in the man pages.
+ * The files provider now supports mirroring multiple passwd or
+ group files. This enhancement can be used to use the SSSD files
+ provider instead of the nss_altfiles module
+Bugfixes:
+ * A memory handling issue in the nss_ex interface was fixed. This
+ bug would manifest in IPA environments with a trusted AD domain
+ as a crash of the ns-slapd process, because a ns-slapd plugin
+ loads the nss_ex interface (#3715)
+ * Several fixes for the KCM deamon were merged (see #3687, #3671, #3633)
+ * The ad_site override is now honored in GPO code as well (#3646)
+ * Several potential crashes in the NSS responder’s netgroup code
+ were fixed (#3679, #3731)
+ * A potential crash in the autofs responder’s code was fixed (#3752)
+ * The LDAP provider now supports group renaming (#2653)
+ * The GPO access control code no longer returns an error if one
+ of the relevant GPO rules contained no SIDs at all (#3680)
+ * A memory leak in the IPA provider related to resolving external
+ AD groups was fixed (#3719)
+ * Setups that used multiple domains where one of the domains had
+ its ID space limited using the min_id/max_id options did not
+ resolve requests by ID properly (#3728)
+ * Overriding IDs or names did not work correctly when the domain
+ resolution order was set as well (#3595)
+ * A version mismatch between certain newer Samba versions (e.g.
+ those shipped in RHEL-7.5) and the Winbind interface provided
+ by SSSD was fixed. To further prevent issues like this in the
+ future, the correct interface is now detected at build time (#3741)
+ * The files provider no longer returns a qualified name in case
+ domain resolution order is used (#3743)
+ * A race condition between evaluating IPA group memberships and
+ AD group memberships in setups with IPA-AD trusts that would
+ have manifested as randomly losing IPA group memberships assigned
+ to an AD user was fixed (#3744)
+ * Setting an SELinux login label was broken in setups where the
+ domain resolution order was used (#3740)
+ * SSSD start up issue on systems that use the libldb library
+ with version 1.4.0 or newer was fixed.
+ * Update winbind idmap plugin to support interface version 6
+ (jsc#SLE-9819)
+ * Add a netgroup counter to struct nss_enum_index (bsc#1132657)
+ * Fix sssd not starting in foreground mode (bsc#1125277)
+Introduce a patch:
+ * Fix build of sssd of 1.16.2 version:
+ 0003-Fix-build-for-1-16-2-version.patch
+ (back then called fix-build.patch)
+
+-------------------------------------------------------------------
+Fri Apr 27 14:43:58 UTC 2018 - ckowalczyk@suse.com
+
+- Update to new minor upstream release 1.16.1 (fate#323340):
+
+New Features:
+ * A new option auto_private_groups was added. If this option is
+ enabled, SSSD will automatically create user private groups based
+ on user’s UID number. The GID number is ignored in this case.
+ * The SSSD smart card integration now supports a special type of PAM
+ conversation implemented by GDM which allows the user to select
+ the appropriate smrt card certificate in GDM.
+ * A new API for accessing user and group information was added.
+ This API is similar to the tradiional Name Service Switch API, but
+ allows the consumer to talk to SSSD directly as well as to
+ fine-tune the query with e.g. how cache should be evaluated.
+ * The sssctl command line tool gained a new command access-report,
+ which can generate who can access the client machine. Currently
+ only generating the report on an IPA client based on HBAC rules
+ is supported.
+ * The hostid provider was moved from the IPA specific code to
+ the generic LDAP code. This allows SSH host keys to be access by
+ the generic LDAP provider as well. See the ldap_host_* options in
+ the sssd-ldap manual page for more details.
+ * Setting the memcache_timeout option to 0 disabled creating
+ the memory cache files altogether. This can be useful in cases
+ there is a bug in the memory cache that needs working around.
+
+-------------------------------------------------------------------
+Tue Apr 24 13:09:35 UTC 2018 - ckowalczyk@suse.com
+
+- Updated sssd.spec:
+ The IPA provider depends on AD provider's PAC executable, hence
+ introducing the package dependency. (bsc#1021441, bsc#1062124)
+
+-------------------------------------------------------------------
+Tue Feb 27 09:24:46 UTC 2018 - hguo@suse.com
+
+- Remove package descriptions for the python 2 packages that are
+ no longer distributed:
+ * python-ipa_hbac
+ * python-sss-murmur
+ * python-sss_nss_idmap
+ * python-sssd-config
+- Correct python version dependency of tools package. (bsc#1082108)
+
+-------------------------------------------------------------------
+Mon Dec 4 10:03:59 UTC 2017 - hguo@suse.com
+
+- Correct dependency of sss_obfuscate command line program.
+
+-------------------------------------------------------------------
+Fri Dec 1 14:35:08 UTC 2017 - hguo@suse.com
+
+- In an ongoing effort to reduce dependency on python version 2,
+ the following python libraries are no longer built. Nevertheless
+ their python3 counterparts remain in place:
+ * python-ipa_hbac
+ * python-sss-murmur
+ * python-sss_nss_idmap
+ * python-sssd-config
+
+-------------------------------------------------------------------
+Mon Oct 23 16:31:54 UTC 2017 - michael@stroeder.com
+
+- Update to new upstream release 1.16.0
+
+Security fixes
+ * This release fixes CVE-2017-12173: Unsanitized input when searching in
+ local cache database. SSSD stores its cached data in an LDAP like local
+ database file using libldb. To lookup cached data LDAP search filters
+ like (objectClass=user)(name=user_name) are used. However, in
+ sysdb_search_user_by_upn_res(), the input was not sanitized and
+ allowed to manipulate the search filter for cache lookups. This would
+ allow a logged in user to discover the password hash of a different user.
+
+New Features
+ * SSSD now supports session recording configuration through tlog. This
+ feature enables recording of everything specific users see or type
+ during their sessions on a text terminal. For more information, see
+ the sssd-session-recording(5) manual page.
+ * SSSD can act as a client agent to deliver
+ Fleet Commander
+ policies defined on an IPA server. Fleet Commander provides a
+ configuration management interface that is controlled centrally and
+ that covers desktop, applications and network configuration.
+ * Several new systemtap probes
+ were added into various locations in SSSD code to assist in
+ troubleshooting and analyzing performance related issues. Please see the
+ sssd-systemtap(5) manual page for more information.
+ * A new LDAP provide access control mechanism that allows to restrict
+ access based on PAM's rhost data field was added. For more details,
+ please consult the sssd-ldap(5) manual page, in particular the
+ options ldap_user_authorized_rhost and the rhost value of
+ ldap_access_filter.
+
+-------------------------------------------------------------------
+Tue Jul 25 15:46:23 UTC 2017 - michael@stroeder.com
+
+- Update to new upstream release 1.15.3 (KCM disabled)
+
+New Features
+ * In a setup where an IPA domain trusts an Active Directory domain,
+ it is now possible to define the domain resolution order
+ (see http://www.freeipa.org/page/Releases/4.5.0#AD_User_Short_Names).
+ * Design page - Shortnames in trusted domains
+ * SSSD ships with a new service called KCM. This service acts as a
+ storage for Kerberos tickets when "libkrb5" is configured to use
+ "KCM:" in "krb5.conf".
+ * Design page - KCM server for SSSD
+ * NOTE: There are several known issues in the "KCM" responder that
+ will be handled in the next release.
+ * Support for user and group resolution through the D-Bus interface and
+ authentication and/or authorization through the PAM interface even
+ for setups without UIDs or Windows SIDs present on the LDAP directory
+ side. This enhancement allows SSSD to be used together with apache
+ modules to provide
+ identities for applications
+ * Design page - Support for non-POSIX users and groups
+ * SSSD ships a new public library called "libsss_certmap" that allows
+ a flexible and configurable way of mapping a certificate to a user
+ identity.
+ * Design page - Matching and Mapping Certificates
+ * The Kerberos locator plugin can be disabled using an environment variable
+ "SSSD_KRB5_LOCATOR_DISABLE". Please refer to the
+ "sssd_krb5_locator_plugin" manual page for mode details.
+ * The "sssctl" command line tool supports a new command "user-checks"
+ that enables the administrator to check whether a certain user should be
+ allowed or denied access to a certain PAM service.
+ * The "secrets" responder now forwards requests to a proxy Custodia
+ back end over a secure channel.
+
+-------------------------------------------------------------------
+Thu Mar 16 13:32:12 UTC 2017 - hguo@suse.com
+
+- Introduce mandatory runtime requirement "cyrus-sasl-gssapi" to
+ krb5-common sub-package. Address bsc#1024836.
+
+-------------------------------------------------------------------
+Wed Mar 15 22:18:03 UTC 2017 - michael@stroeder.com
+
+- Update to new upstream release 1.15.2
+ * It is now possible to configure certain parameters of a
+ trusted domain in a configuration file sub-section.
+ * Several issues related to socket-activating the NSS service,
+ especially if SSSD was configured to use a non-privileged
+ userm were fixed. The NSS service now does not change the
+ ownership of its log files to avoid triggering a name-service
+ lookup while the NSS service is not running yet.
+ Additionally, the NSS service is started before any other
+ service to make sure username resolution works and the other
+ service can resolve the SSSD user correctly.
+ * A new option "cache_first" allows the administrator to change
+ the way multiple domains are searched. When this option is
+ enabled, SSSD will first try to "pin" the requested name or
+ ID to a domain by searching the entries that are already
+ cached and contact the domain that contains the cached entry
+ first. Previously, SSSD would check the cache and the remote
+ server for each domain. This option brings performance
+ benefit for setups that use multiple domains (even
+ auto-discovered trusted domains), especially for ID lookups
+ that would previously iterate over all domains. Please note
+ that this option must be enabled with care as the
+ administrator must ensure that the ID space of domains does
+ not overlap.
+ * The SSSD D-Bus interface gained two new methods:
+ "FindByNameAndCertificate" and "ListByCertificate". These
+ methods will be used primarily by IPA and
+ `mod_lookup_identity
+ to
+ correctly match multple users who use the same certificate
+ for Smart Card login.
+ * A bug where SSSD did not properly sanitize a username with a
+ newline character in it was fixed.
+
+-------------------------------------------------------------------
+Sat Mar 11 22:34:41 UTC 2017 - jengelh@inai.de
+
+- Switch *all* URLs after fedorahosted.org retirement
+
+-------------------------------------------------------------------
+Sat Mar 4 19:57:33 UTC 2017 - michael@stroeder.com
+
+- Updated project URL
+- Update to new upstream release 1.15.1
+ * Several issues related to starting the SSSD services on-demand via
+ socket activation were fixed. In particular, it is no longer possible
+ to have a service started both by sssd and socket-activated. Another
+ bug which might have caused the responder to start before SSSD started
+ and cause issues especially on system startup was fixed.
+ * A new 'files' provider was added. This provider mirrors the contents
+ of '/etc/passwd' and '/etc/shadow' into the SSSD database. The purpose
+ of this new provider is to make it possible to use SSSD's interfaces,
+ such as the D-Bus interface for local users and enable leveraging the
+ in-memory fast cache for local users as well, as a replacement for `nscd`.
+ In future, we intend to extend the D-Bus interface to also provide setting
+ and retrieving additional custom attributes for the files users.
+ * SSSD now autogenerates a fallback configuration that enables the
+ files domain if no SSSD configuration exists. This allows distributions
+ to enable the 'sssd' service when the SSSD package is installed. Please
+ note that SSSD must be build with the configuration option
+ '--enable-files-domain' for this functionality to be enabled.
+ * Support for public-key authentication with Kerberos (PKINIT) was
+ added. This support will enable users who authenticate with a Smart Card
+ to obtain a Kerberos ticket during authentication.
+
+-------------------------------------------------------------------
+Sat Feb 18 08:35:13 CET 2017 - kukuk@suse.de
+
+- Remove obsolete insserv call
+
+-------------------------------------------------------------------
+Wed Feb 8 19:58:55 UTC 2017 - luizluca@gmail.com
+
+- Added /etc/sssd/conf.d/ for configuration snippets
+
+-------------------------------------------------------------------
+Wed Jan 25 19:25:09 UTC 2017 - michael@stroeder.com
+
+- Removed 0001-krb5-1.15-build-fix.patch obsoleted by upstream update
+- Update to new upstream release 1.15.0
+ * SSSD now allows the responders to be activated by the systemd service
+ manager and exit when idle. This means the services line in sssd.conf is
+ optional and the responders can be started on-demand, simplifying the sssd
+ configuration. Please note that this change is backwards-compatible and
+ the responders listed explicitly in sssd.conf's services line are managed
+ by sssd in the same manner as in previous releases. Please refer to man
+ sssd.conf(5) for more information
+ * The sudo provider is no longer disabled for configurations that do not
+ explicitly include the sudo responder in the services list. In order to
+ disable the sudo-related back end code that executes the periodic LDAP
+ queries, set the sudo_provider to none explicitly
+ * The watchdog signal handler no longer uses signal-unsafe functions. This
+ bug was causing a deadlock in case the watchdog was about to kill a
+ stuck process
+ * A bug that prevented TLS to be set up correctly on systems where libldap
+ links with GnuTLS was fixed
+ * The functionality to alter SSSD configuration through the D-Bus interface
+ provided by the IFP responder was removed. This functionality was not used to
+ the best of our knowledge, had no tests and prevented the InfoPipe responder
+ from running as a non-privileged user.
+ * A bug that prevented statically-linked applications from using libnss_sss
+ was fixed by removing dependency on -lpthreads from the libnss_sss library
+ (please see https://sourceware.org/bugzilla/show_bug.cgi?id=20500 for
+ an example on why linking with -lpthread from an NSS modules is problematic)
+ * Previously, SSSD did not ignore GPOs that were missing the
+ gPCFunctionalityVersion attribute and failed the whole GPO
+ processing. Starting with this version, the GPOs without the
+ gPCFunctionalityVersion are skipped.
+
+-------------------------------------------------------------------
+Mon Dec 12 13:36:18 UTC 2016 - dimstar@opensuse.org
+
+- BuildRequire pkgconfig(libsystemd) instead of
+ pkgconfig(libsystemd-login): the latter has been deprecated since
+ systemd 209 and finally removed with systemd 230.
+
+-------------------------------------------------------------------
+Wed Dec 7 10:39:30 UTC 2016 - jengelh@inai.de
+
+- Add 0001-krb5-1.15-build-fix.patch to unlock building
+ against future KRB versions.
+
+-------------------------------------------------------------------
+Wed Oct 19 22:21:30 UTC 2016 - michael@stroeder.com
+
+- Update to new upstream release 1.14.2
+ * Several more regressions caused by cache refactoring to use qualified
+ names internally were fixed, including a regression that prevented the
+ krb5_map_user option from working correctly.
+ * A regression when logging in with a smart card using the GDM login manager
+ was fixed
+ * SSSD now removes the internal timestamp on startup cache when the
+ persistent cache is removed. This enables admins to follow their existing
+ workflow of just removing the persistent cache and start from a fresh slate
+ * Several fixes to the sssd-secrets responder are present in this release
+ * A bug in the autofs responder that prevented automounter maps from being
+ returned when sssd_be was offline was fixed
+ * A similar bug in the NSS responder that prevented netgroups from being
+ returned when sssd_be was offline was fixed
+ * Disabling the netlink integration can now be done with a new option
+ disable_netlink. Previously, the netlink integration could be disabled with
+ a sssd command line switch, which is being deprecated in this release.
+ * The internal watchdog no longer kills sssd processes in case time shifts
+ during sssd runtime
+ * The fail over code is able to cope with concurrent SRV resolution
+ requests better in this release
+ * The proxy provider gained a new option proxy_max_children that allows the
+ administrator to control the maximum number of child helper processes that
+ authenticate users with auth_provider=proxy
+ * The InfoPipe D-Bus responder exports the UUIDs of user and group objects
+ through a uniqueID property
+
+-------------------------------------------------------------------
+Fri Aug 19 18:38:35 UTC 2016 - michael@stroeder.com
+
+- Update to new upstream release 1.14.1
+ * The IPA provider now supports logins with enterprise principals (also
+ known as additional UPN suffixes). This functionality also enabled Active
+ Directory users from trusted AD domains who use an additional UPN suffix
+ to log in. Please note that this feature requires a recent IPA server.
+ * When a user name is overriden in an IPA domain, resolving a group these
+ users are a member of now returns the overriden user names
+ * Users can be looked up by and log in with their e-mail address as an
+ identifier. In order to do so, an attribute that represents the user's
+ e-mail address is fetched by default. This attribute can by customized
+ by setting the ldap_user_email configuration option.
+ * A new ad_enabled_domains option was added. This option lets the
+ administrator select domains that SSSD should attempt to reach in the
+ AD forest SSSD is joined to. This option is useful for deployments where
+ not all domains are reachable on the network level, yet the administrator
+ needs to access some trusted domains and therefore disabling the subdomains
+ provider completely is not desirable.
+ * The sssctl tool has two new commands active-server and servers that
+ allow the administrator to observe the server that SSSD is bound to and
+ the servers that SSSD autodiscovered
+ * SSSD used to fail to start when an attribute name is present in both
+ the default SSSD attribute map and the custom ldap_user_extra_attrs map
+ * GPO policy procesing no longer fails if the gPCMachineExtensionNames
+ attribute only contains whitespaces
+ * Several commits fix regressions related to switching all user and group
+ names to fully qualified format, such as running initgroups for a user
+ who is only a member of a primary group
+ * Several patches fix regressions caused by splitting the database into
+ two ldb files, such as when user attributes change without increasing
+ the modifyTimestamp attribute value
+ * systemd unit files are now shipped for the sssd-secrets responder,
+ allowing the responder to be socket-activated. To do so, administrators
+ should enable the sssd-secrets.socket and sssd-secrets.service systemd
+ units.
+ * The sssd binary has a new switch --disable-netlink that lets sssd skip
+ messages from the kernel's netlink interface.
+ * A crash when entries with special characters such as '(' were requested
+ was fixed
+ * The ldap_rfc_2307_fallback_to_local_users option was broken in the
+ previous version. This release fixes the functionality.
+
+-------------------------------------------------------------------
+Fri Jul 8 10:46:59 UTC 2016 - jengelh@inai.de
+
+- Update to new upstream release 1.14.0
+* The AD provider is now able to look up users from Active
+ Directory domains by certificate. This change enables logins for
+ Active Directory users with the help of a smart card.
+* The sss_override tool is now able to add certificates as local
+ overrides in the SSSD cache. Please note that the certificate
+ overrides are stored in the local cache, so removing the cache
+ also removes all the certificates!
+* Invalid certificates are skipped instead of aborting the whole
+ operation when logging in with a smart card using SSH.
+* This version allows several OCSP-related options such as the OCSP
+ responder to be configured during smart card authentication.
+* SSSD is now able to determine the name of the user who logs in
+ from the inserted smart card without having to type in the
+ username. Note that this functionality must be enabled with the
+ allow_missing_name pam_sss option.
+* The sss_cache command line tool is now able to invalidate SUDO
+ rules with its new -r/-R switches. Note that the sudo rules ar
+ not refreshed with the sss_cache tool immediately.
+* A new command line tool called sssctl was added. This tool
+ allows to observe the status of SSSD.
+* A new option local_negative_timeout was added. This option
+ allows the admin to specify the time during which lookups for
+ users that are not handled by SSSD but are present on the
+ system (typically in /etc/passwd and /etc/group) and prevents
+ repeated lookups of local users on the remote server during
+ initgroups operation.
+* An ID-mapping plugin for the winbind deamon was added. With
+ this plugin, it's possible for winbind to use the same
+ ID-mapping scheme as SSSD uses, producing consistent ID values.
+- Remove 0001-build-detect-endianness-at-configure-time.patch
+ (included upstream)
+
+-------------------------------------------------------------------
+Mon Apr 18 12:24:29 UTC 2016 - hguo@suse.com
+
+- Enable PAC responder.
+ PAC is an extension element returned by domain controller, to speed
+ up resolution of authorisation data such as group memberships.
+
+-------------------------------------------------------------------
+Thu Apr 14 17:20:11 UTC 2016 - michael@stroeder.com
+
+- Update to new upstream release 1.13.4
+ * The IPA sudo provider was reimplemented. The new version reads the
+ data from IPA's LDAP tree (as opposed to the compat tree populated by
+ the slapi-nis plugin that was used previously). The benefit is that
+ deployments which don't require the compat tree for other purposes,
+ such as support for non-SSSD clients can disable those autogenerated
+ LDAP trees to conserve resources that slapi-nis otherwise requires. There
+ should be no visible changes to the end user.
+ * SSSD now has the ability to renew the machine credentials (keytabs)
+ when the ad provider is used. Please note that a recent version of
+ the adcli (0.8 or newer) package is required for this feature to work.
+ * The automatic ID mapping feature was improved so that the administrator
+ is no longer required to manually set the range size in case a RID in
+ the AD domain is larger than the default range size
+ * A potential infinite loop in the NFS ID mapping plugin that was
+ resulting in an excessive memory usage was fixed
+ * Clients that are pinned to a particular AD site using the ad_site
+ option no longer communicate with DCs outside that site during service
+ discovery.
+ * The IPA identity provider is now able to resolve external
+ (typically coming from a trusted AD forest) group members during
+ get-group-information requests. Please note that resolving external
+ group memberships for AD users during the initgroup requests used to
+ work even prior to this update. This feature is mostly useful for cases
+ where an IPA client is using the compat tree to resolve AD trust users.
+ * The IPA ID views feature now works correctly even for deployments
+ without a trust relationship. Previously, the subdomains IPA provider
+ failed to read the views data if no master domain record was created
+ on the IPA server during trust establishment.
+ * A race condition in the client libraries between the SSSD closing
+ the socket as idle and the client application using the socket was
+ fixed. This bug manifested with a Broken Pipe error message on the
+ client.
+ * SSSD is now able to resolve users with the same usernames in different
+ OUs of an AD domain
+ * The smartcard authentication now works properly with gnome-screensaver
+
+-------------------------------------------------------------------
+Wed Feb 10 16:38:37 UTC 2016 - mpluskal@suse.com
+
+- Enable internal testsuite
+
+-------------------------------------------------------------------
+Wed Dec 16 14:08:01 UTC 2015 - jengelh@inai.de
+
+- Update to new maintenance release 1.13.3
+* A bug that prevented user lookups and logins after migration from
+ winsync to IPA-AD trusts was fixed.
+* A bug that prevented the ignore_group_members option from working
+ correctly in AD provider setups that use a dedicated primary
+ group (as opposed to a user-private group) was fixed.
+* Offline detection and offline login timeouts were improved for AD
+ users logging in from a domain trusted by an IPA server.
+* The AD provider supports setting up autofs_provider=ad .
+
+-------------------------------------------------------------------
+Fri Nov 20 10:39:56 UTC 2015 - jengelh@inai.de
+
+- Update to new upstream release 1.13.2
+* Initial support for Smart Card authentication was added.
+* The PAM prompting was enhanced so that when Two-Factor
+ Authentication is used, both factors (password and token) can be
+ entered separately on separate prompts.
+* This release supports authenticating againt a KDC proxy.
+
+-------------------------------------------------------------------
+Wed Sep 30 11:44:21 UTC 2015 - michael@stroeder.com
+
+- Update to new upstream release 1.13.1
+* Initial support for Smart Card authentication was added. The
+ feature can be activated with the new pam_cert_auth option.
+* The PAM prompting was enhanced so that when Two-Factor
+ Authentication is used, both factors (password and token) can
+ be entered separately on separate prompts.
At the same time, + only the long-term password is cached, so offline access would + still work using the long term password. +* A new command line tool sss_override is present in this + release. The tools allows to override attributes on the SSSD + side. It's helpful in environment where e.g. some hosts need to + have a different view of POSIX attributes than others. Please + note that the overrides are stored in the cache as well, so + removing the cache will also remove the overrides. +* Several enhancements to the dynamic DNS update code. Notably, + clients that update multiple interfaces work better with this + release. +* This release supports authenticating againt a KDC proxy +* The fail over code was enhanced so that if a trusted domain is + not reachable, only that domain will be marked as inactive but + the backed would stay in online mode. + +------------------------------------------------------------------- +Thu Aug 20 08:34:44 UTC 2015 - jengelh@inai.de + +- Update to new upstream release 1.13 +* Support for separate prompts when using two-factor authentication +* Added support for one-way trusts between an IPA and Active + Directory environment. (Depends on IPA 4.2) +* The fast memory cache now also supports the initgroups operation. +* The PAM responder is now capable of caching authentication for + configurable period, which might reduce server load in cases + where accounts authenticate very frequently. + Refer to the "cached_auth_timeout" option in sssd.conf(5). +* The Active Directory provider has changed the default value of + the "ad_gpo_access_control" option from permissive to enforcing. + As a consequence, the GPO access control now affects all clients + that set access_provider to ad. In order to restore the previous + behaviour, set ad_gpo_access_control to permissive or use a + different access_provider type. +* Group Policy objects defined in a different AD domain that the + computer object is defined in are now supported. 
+* Credential caching and Offline authentication are also available + when using two-factor authentication +* The Python bindings are now built for both Python2 and Python3. +* The LDAP bind timeout, StartTLS timeout and password change + timeout are now configurable using the ldap_opt_timeout option. + +------------------------------------------------------------------- +Wed Aug 12 18:20:25 UTC 2015 - jengelh@inai.de + +- Kill unused libsss_sudo-devel solvable. + +------------------------------------------------------------------- +Tue Aug 11 07:41:07 UTC 2015 - hguo@suse.com + +- Obsolete/provide libsss_sudo in sssd main package. + Sudo capability is an integral feature in SSSD and the library + is not supposed to be used separately. + +------------------------------------------------------------------- +Thu Jun 25 16:44:49 UTC 2015 - crrodriguez@opensuse.org + +- sssd.service: add Before= and Wants=nss-user-lookup.target + correct fix for bsc#926961 + +------------------------------------------------------------------- +Sun Jun 14 17:44:20 UTC 2015 - michael@stroeder.com + +- Update to new upstream release 1.12.5 +* The background refresh tasks now supports refreshing users and + groups as well. See the "refresh_expired_interval" parameter in + the sssd.conf manpage. +* A new option subdomain_inherit was added. +* When an expired account attempts to log in, a configurable + error message can be displayed with sufficient pam_verbosity + setting. See the "pam_account_expired_message" option. +* OpenLDAP ppolicy can be honored even when an alternate login + method (such as SSH key) is used. See the "ldap_access_order" + option. +* A new option :krb5_map_user" was added, allowing the admin to + map UNIX usernames to Kerberos principals. +* BUG FIXES: +* Fixed AD-specific bugs that resulted in the incorrect set of + groups being displayed after the initgroups operation. +* Fixes related to the IPA ID views feature. 
Setups using this + should update sssd on both IPA servers and clients. +* The AD provider now handles binary GUIDs correctly. +* A bug that prevented the `ignore_group_members` parameter to be + used with the AD provider was fixed. +* The failover code now reads and honors TTL value for SRV + queries as well. +* Race condition between setting the timeout in the back ends and + reading it in the front end during initgroup operation was + fixed. This bug affected applications that perform the + initgroups(3) operation in multiple processes simultaneously. +* Setups that only want to use the domain SSSD is connected to, + but not the autodiscovered trusted domains by setting + `subdomains_provider=none` now work correctly as long as the + domain SID is set manually in the config file. +* In case only "allow" rules are used, the simple access provider + is now able to skip unresolvable groups. +* The GPO access control code now handles situations where user + and computer objects were in different domains. + +------------------------------------------------------------------- +Thu Feb 19 10:51:22 UTC 2015 - hguo@suse.com + +- Update to new upstream release 1.12.4 (Changelog highlights following) +* This is mostly a bug fixing release with only minor enhancements + visible to the end user. +* Contains many fixes and enhancements related to the ID views + functionality of FreeIPA servers. +* Several fixes related to retrieving AD group membership in an + IPA-AD trust scenario. +* Fixes a bug where the GPO access control previously didn't work + at all if debugging was enabled in smb.conf. +* SSSD can now be pinned to a particular AD site instead of + autodiscovering the site. +* A regression that caused setting the SELinux context for IPA users + to fail, was fixed. +* Fixed a potential crash caused by a double-free error when an SSSD + service was killed by the monitor process. 
+ +------------------------------------------------------------------- +Mon Feb 16 10:09:18 UTC 2015 - howard@localhost + +- A minor rpmspec cleanup to get rid of five rpmlint warnings +* Remove mentioning of system-wide dbus configuration file from comments. +* Remove traditional init script. +* Remove compatibility for producing packages on older OpenSUSE releases. + +------------------------------------------------------------------- +Thu Jan 8 22:23:42 UTC 2015 - jengelh@inai.de + +- Update to new upstream release 1.12.3 +* SSSD now allows the IPA client to move from one ID view to + another after SSSD restart. +* It is possible to apply ID views to IPA domains as well. + Previous SSSD versions only allowed views to be applied to AD + trusted domains. +* Overriding SSH public keys is supported in this release. +* Move semanage related functions to a separate library. + +------------------------------------------------------------------- +Thu Jan 1 22:01:02 UTC 2015 - meissner@suse.com + +- build with PIE + +------------------------------------------------------------------- +Mon Nov 10 00:37:00 UTC 2014 - Led + +- fix bashism in postun script + +------------------------------------------------------------------- +Thu Oct 30 12:22:06 UTC 2014 - jengelh@inai.de + +- Update to new upstream release 1.12.2 (bugfix release, bnc#900159) +* Fixed a regression where the IPA provider did not fetch User + Private Groups correctly +* An important bug in the GPO access control which resulted in a + wrong principal being used, was fixed. +* Several new options are available for deployments that need to + restrict a certain PAM service from connecting to a certain SSSD + domain. For more details, see the description of + pam_trusted_users and pam_public_domains options in the + sssd.conf(5) man page and the domains option in the pam_sss(8) + man page. 
+* When SSSD is acting as an IPA client in setup with trusted AD + domains, it is able to return group members or full group + memberships for users from trusted AD domains. +* Support for the "views" feature of IPA. +- Remove 0001-build-call-AC_BUILD_AUX_DIR-before-anything-else.patch + (merged upstream) + +------------------------------------------------------------------- +Sat Oct 11 13:36:48 UTC 2014 - jengelh@inai.de + +- Add 0001-build-call-AC_BUILD_AUX_DIR-before-anything-else.patch + to workaround bad autoconf invocation + +------------------------------------------------------------------- +Sat Oct 11 00:16:15 UTC 2014 - crrodriguez@opensuse.org + +- 0001-build-detect-endianness-at-configure-time.patch + Correct defective endianness test. + +------------------------------------------------------------------- +Mon Oct 6 13:25:23 UTC 2014 - jengelh@inai.de + +- Update to new upstream release 1.12.1 +* The GPO access control was further enhanced to allow the access + control decisions while offline and map the Windows logon + rights onto Linux PAM services. +* The SSSD now ships a plugin for the rpc.idmapd daemon, + sss_rpcidmapd(5). +* A MIT Kerberos localauth plugin was added to SSSD. This plugin + helps translating principals to user names in IPA-AD trust + scenarios, allowing the krb5.conf configuration to be less + complex. +* A libwbclient plugin implementation is now part of the SSSD. + The main purpose is to map Active Directory users and groups + identified by their SID to POSIX users and groups for the + file-server use-case. +* Active Directory users ca nnow use their User Logon Name to log + in. +* The sss_cache tool was enhanced to allow invalidating the SSH + host keys. +* Groups without full POSIX information can now be used to enroll + group membership (CVE-2014-0249). +* Detection of transition from offline to online state was + improved, resulting in fewer timeouts when SSSD is offline. 
+* The Active Directory provider now correctly detects Windows + Server 2012 R2. Previous versions would fall back to the slower + non-AD path with 2012 R2. +* Several other bugs related to deployments where SSSD is acting + as an AD client were fixed. + +------------------------------------------------------------------- +Fri Aug 22 15:44:14 UTC 2014 - lchiquitto@suse.com + +- The utility sss_obfuscate uses the Python module pysss, so add a + dependency on python-sssd-config to sssd-tools (bnc#890242) + +------------------------------------------------------------------- +Sun Aug 10 12:20:50 UTC 2014 - jengelh@inai.de + +- Update to new upstream release 1.12.0 +* A new responder, called InfoPipe was added. This responder + provides a public D-Bus interface accessible over the system bus. + In this release, methods for retrieving user attributes and list + of groups were added as well as objects representing SSSD domains + and processes. (The next 1.12.x releases will publish objects + representing users and groups, too.) +* SSSD provides an ID-mapping plugin for cifs-utils so that Windows + SIDs can be mapped onto POSIX IDs and/or names without requiring + Winbind and using the same code as the SSSD uses for identity + information. +* First phase of Group Policy-based access control for the AD + provider was added. At the moment, the gpo-ldap component that + downloads the list of GPOs that apply for the specific client has + been implemented as well as the gpo-smb component that retrieves + the group policy files and determines the access control check + results based on those files. Future improvements will focus on + storing the GPO policies as local files and mapping the Windows + logon rights onto Linux PAM services. +* Added a new library called sss_sifp that provides a simple + synchronous API for communication with our new InfoPipe responder + over the system bus. 
+- Remove 0001-BUILD-Link-libsss_ldap_common.so-to-libsss_idmap.so.patch + (merged upstream) +- Provide "rcsssd" in systemd environments +- Ensure sssd is always startable by removing /var/lib/sss/db/*.ldb + on package installation so as to avoid potentially cache + format incompatibility which would cause sssd to exit + +------------------------------------------------------------------- +Thu Jun 12 14:18:30 UTC 2014 - ckornacker@suse.com + +- fix %postun to not erroneously remove sss pam module + +------------------------------------------------------------------- +Tue May 27 16:56:42 UTC 2014 - crrodriguez@opensuse.org + +- Switch to libnl-3 so we can get rid of libnl-1. + +------------------------------------------------------------------- +Sat May 24 14:36:43 UTC 2014 - jengelh@inai.de + +- Redo 0001-build-detect-endianness-at-configure-time.patch to be -p1 +- Add 0001-BUILD-Link-libsss_ldap_common.so-to-libsss_idmap.so.patch + to resolve runtime loading problems + (http://lists.opensuse.org/opensuse-factory/2014-05/msg00181.html ) + +------------------------------------------------------------------- +Tue May 13 11:11:59 UTC 2014 - varkoly@suse.com + +- bnc#877457 - 78 Configuration file /usr/lib/systemd/system/sssd.service is marked executable. + Please remove executable permission bits. + +------------------------------------------------------------------- +Tue May 6 14:01:29 UTC 2014 - ddiss@suse.com + +- Detect endianness at configure time, for use by Samba's byteorder.h header; + (bnc#876544). 
+ + 0001-build-detect-endianness-at-configure-time.patch + +------------------------------------------------------------------- +Tue Apr 29 10:00:57 UTC 2014 - varkoly@suse.com + +- Update to new upstream release 1.11.5.1 + * sssd crashes after upgrade from 1.11.4 to 1.11.5 when using a samba4 domain + * SSSD pam module accepts usernames with leading spaces + * [RFE] Expose the list of trusted domains to IPA + * If both IPA and LDAP are set up with enumeration on, two enum tasks are running + * sssd.conf man pages don't list a configuration option. + * Make SSSD compilable on systems with non-standard paths to krb5 includes + * [freebsd] pam_sss: add ignore_unknown_user option + * MAN: Remove misleading memberof example from ldap_access_filter example + * not retrieving homedirs of AD users with posix attributes + * Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes + * Check IPA idranges before saving them to the cache + * Evaluate usage of sudo LDAP provider together with the AD provider + * Setting int option to 0 yields the default value + * ipa-server-mode: Use lower-case user name component in home dir path + * SSSD Does not cache SELinux map from FreeIPA correctly + * IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in + * sssd fails to handle expired passwords when OTP is used + * Add another Kerberos error code to trigger IPA password migration + * Double OK when starting the service + * SSSD should create the SELinux mapping file with format expected by pam_selinux + * Valgrind: Invalid read of int while processing netgroup + * other subdomains are unavailable when joined to a subdomain in the ad forest + * Error during password change + * configure time variables not expanded when running ./configure + * RHEL7 IPA selinuxusermap hbac rule not always matching + +------------------------------------------------------------------- +Fri Mar 7 15:18:34 UTC 2014 - jengelh@inai.de + 
+- Update to new upstream release 1.11.4 +* The simple access provider supports specifying users and groups + using their NetBIOS domain name (such as DOMAIN\username) +* Support for enumerating users and groups from trusted AD domains + was added to the AD provider +* The Active Directory site discovery was made more robust for + configurations which use multiple trusted domains +* Several bugs in the LDAP provider that affected setups which + mapped Windows SIDs to POSIX IDs were fixed +* The SSSD is now able to use One Time Password (OTP) + authentication configured on an IPA server. + +------------------------------------------------------------------- +Fri Dec 20 21:54:58 UTC 2013 - jengelh@inai.de + +- Update to new upstream release 1.11.3 +* The AD provider is able to resolve group memberships for groups + with Global and Universal scope +* The initgroups (get groups for user) operation for users from + trusted AD domains was made more reliable by reading the required + tokenGroups attribute from LDAP instead of Global Catalog +* A new option ad_enable_gc was added to the AD provider. This + option allows the administrator to force SSSD to talk to LDAP + port only and never try the Global Catalog +* The AD provider is now able to leverage the tokenGroups attribute + even when POSIX attributes are used, providing better performance + during logins. +* A memory leak in the NSS responder that affected long-lived + clients that requested netgroup data was fixed +- Remove sssd-ldflags.diff (merged upstream) + +------------------------------------------------------------------- +Thu Nov 28 16:51:39 UTC 2013 - ckornacker@suse.com + +- Migrate deprecated krb5_kdcip variable to krb5_server (bnc#851048) + +------------------------------------------------------------------- +Fri Nov 1 22:12:03 UTC 2013 - jengelh@inai.de + +- Update to new upstream release 1.11.2 +* A new option ad_access_filter was added. 
This option allows the + administrator to easily configure LDAP search filter that the users + logging in must match in order to be granted access. +* The Kerberos provider will no longer try to create public + directories when evaluating the krb5_ccachedir option. +- Remove 0005-implicit-decl.diff (merged upstream) + +------------------------------------------------------------------- +Tue Sep 3 21:12:37 UTC 2013 - jengelh@inai.de + +- Update to new upstream release 1.11.0 +* The sudo integration was made more robust. SSSD is now able to + gracefully handle situations where it is not able to resolve the + client host name or sudo rules have multiple name attributes. +* Several nested group membership bugs were fixed +* The PAC responder was made more robust and efficient, modifying + existing cache entries instead of always recreating them. +* The Kerberos provider now supports the new KEYRING ccache type. +- Remove sssd-no-ldb-check.diff, now implemented through a + configure argument --disable-ldb-version-check + +------------------------------------------------------------------- +Sun Jun 16 16:11:42 UTC 2013 - jengelh@inai.de + +- Explicitly formulate SASL BuildRequires + +------------------------------------------------------------------- +Thu May 2 09:20:49 UTC 2013 - jengelh@inai.de + +- Update to new upstream release 1.9.5 +* Includes a fix for CVE-2013-0287: A simple access provider flaw + prevents intended ACL use when SSSD is configured as an Active + Directory client. +* Fixed spurious password expiration warning that was printed on + login with the Kerberos back end. +* A new option ldap_rfc2307_fallback_to_local_users was added. If + this option is set to true, SSSD is be able to resolve local + group members of LDAP groups. +* Fixed an indexing bug that prevented the contents of autofs maps + from being returned to the automounter deamon in case the map + contained a large number of entries. 
+* Several fixes for safer handling of Kerberos credential caches + for cases where the ccache is set to be stored in a DIR: type. +- Remove Provide-a-be_get_account_info_send-function.patch, + Add-unit-tests-for-simple-access-test-by-groups.patch, + Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch, + Resolve-GIDs-in-the-simple-access-provider.patch + (CVE-2013-0287 material is in upstream), + sssd-sysdb-binary-attrs.diff (merged upstream) + +------------------------------------------------------------------- +Fri Apr 5 16:35:07 UTC 2013 - jengelh@inai.de + +- Implement signature verification + +------------------------------------------------------------------- +Wed Mar 20 10:05:00 UTC 2013 - rhafer@suse.com + +- Fixed security issue: CVE-2013-0287 (bnc#809153): + When SSSD is configured as an Active Directory client by using + the new Active Directory provider or equivalent configuration + of the LDAP provider, the Simple Access Provider does not + handle access control correctly. If any groups are specified + with the simple_deny_groups option, the group members are + permitted access. New patches: + * Provide-a-be_get_account_info_send-function.patch + * Add-unit-tests-for-simple-access-test-by-groups.patch + * Do-not-compile-main-in-DP-if-UNIT_TESTING-is-defined.patch + * Resolve-GIDs-in-the-simple-access-provider.patch + +------------------------------------------------------------------- +Tue Feb 26 08:29:43 UTC 2013 - jengelh@inai.de + +- Resolve user retrieval problems when encountering binary data + in LDAP attributes (bnc#806078), + added sssd-sysdb-binary-attrs.diff +- Added sssd-no-ldb-check.diff so that SSSD continues to start + even after an LDB update. 
+ +------------------------------------------------------------------- +Fri Feb 8 10:31:52 UTC 2013 - rhafer@suse.com + +- fix package name in baselibs.conf (bnc#796423) + +------------------------------------------------------------------- +Thu Jan 31 16:34:47 UTC 2013 - rhafer@suse.com + +- update to 1.9.4 (bnc#801036): + * A security bug assigned CVE-2013-0219 was fixed - TOCTOU race + conditions when creating or removing home directories for users + in local domain + * A security bug assigned CVE-2013-0220 was fixed - out-of-bounds + reads in autofs and ssh responder + * The sssd_pam responder processes pending requests after + reconnect + * A serious memory leak in the NSS responder was fixed + * Requests that were processing group entries with DNs pointing + out of any configured search bases were not terminated + correctly, causing long timeouts + * Kerberos tickets are correctly renewed even after SSSD daemon + restart + * Multiple fixes related to SUDO integration, in particular + fixing functionality when the sssd back end process was + changing its online/offline status + * The pwd_exp_warning option was fixed to function as documented + in the manual page +- refreshed sssd-ldflags.diff to apply cleanly + +------------------------------------------------------------------- +Mon Dec 10 09:55:35 UTC 2012 - rhafer@suse.com + +- Removed left-over "Requires" for no longer existing sssd-client + subpackage. +- New patch: sssd-ldflags.diff to fix link failures due to erroneous + LDFLAGS usage + +------------------------------------------------------------------- +Thu Dec 6 10:38:59 UTC 2012 - rhafer@suse.com + +- Switch back to using libcrypto instead of mozilla-nss as it seems + to be supported upstream again, cf. 
+ https://lists.fedorahosted.org/pipermail/sssd-devel/2012-June/010202.html +- Cleanup PAM configuration after uninstalling sssd (bnc#788328) + +------------------------------------------------------------------- +Thu Dec 6 09:05:29 UTC 2012 - jengelh@inai.de + +- Update to new upstream release 1.9.3 +* Many fixes related to deployments where the SSSD is running as + a client of IPA server with trust relation established with an + Active Directory server +* Multiple fixes related to correct reporting of group + memberships, especially in setups that use nested groups +* Fixed a bug that prevented upgrade from the 1.8 series if the + cache contained nested groups before the upgrade +* Restarting the responders is more robust for cases where the + machine is under heavy load during back end restart +* The default_shell option can now be also set per-domain in + addition to global setting. + +------------------------------------------------------------------- +Sat Nov 10 00:27:06 UTC 2012 - jengelh@inai.de + +- Update to new upstream release 1.9.2 +* Users or groups from trusted domains can be retrieved by UID or + GID as well +* Several fixes that mitigate file descriptor leak during logins +* SSH host keys are also removed from the cache after being + removed from the server +* Fix intermittent crash in responders if the responder was + shutting down while requests were still pending +* Catch an error condition that might have caused a tight loop in + the sssd_nss process while refreshing expired enumeration request +* Fixed memory hierarchy of subdomains discovery requests that + caused use-after-free access bugs +* The krb5_child and ldap_child processes can print libkrb5 tracing + information in the debug logs + +------------------------------------------------------------------- +Wed Jun 27 12:32:05 UTC 2012 - jengelh@inai.de + +- Update to new upstream release 1.8.93 (1.9.0~beta3) +* Add native support for autofs to the IPA provider +* Support for id mapping 
when connecting to Active Directory +* Support for handling very large (> 1500 users) groups in + Active Directory +* Add a new fast in-memory cache to speed up lookups of cached data + on repeated requests +* Add support for the Kerberos DIR cache for storing multiple TGTs + automatically +* Add a new PAC responder for dealing with cross-realm Kerberos + trusts +* Terminate idle connections to the NSS and PAM responders + +------------------------------------------------------------------- +Thu May 10 04:22:47 UTC 2012 - jengelh@inai.de + +- Update to new upstream release 1.8.3 +* LDAP: Handle situations where the RootDSE is not available + anonymously +* LDAP: Fix regression for users using non-standard LDAP attributes + for user information +- Switch from openssl to mozilla-nss, as this is the officially + supported crypto integration + +------------------------------------------------------------------- +Fri Apr 13 13:03:44 PDT 2012 - ben.kevan@gmail.com + +- Fix build error on SLES 11 builds + +------------------------------------------------------------------- +Mon Apr 9 21:45:45 PDT 2012 - ben.kevan@gmail.com + +- Add suse_version condition for glib over libunistring for + SLES 11 SP2. 
+- Update to new upstream release 1.8.2
+* Fix for GSSAPI binds when the keytab contains unrelated
+ principals
+* Workarounds added for LDAP servers with unreadable RootDSE
+
+-------------------------------------------------------------------
+Wed Apr 4 16:13:33 PDT 2012 - ben.kevan@gmail.com
+
+- Update to new upstream release 1.8.1
+* Resolve issue where we could enter an infinite loop trying to
+ connect to an auth server
+
+-------------------------------------------------------------------
+
+Sun Mar 11 18:36:44 UTC 2012 - jengelh@medozas.de
+
+- Update to new upstream release 1.8.0
+* Support for the service map in NSS
+* Support for setting default SELinux user context from FreeIPA
+* Support for retrieving SSH user and host keys from LDAP
+* Support for caching autofs LDAP requests
+* Support for caching SUDO rules
+* Include the IPA AutoFS provider
+* Fixed several memory-corruption bugs
+* Fixed a regression in the proxy provider
+
+-------------------------------------------------------------------
+Wed Oct 19 13:56:57 UTC 2011 - rhafer@suse.de
+
+- Fixed systemd related packaging issues (bnc#724157)
+- fixed build on older openSUSE releases
+
+-------------------------------------------------------------------
+Mon Sep 19 17:07:24 UTC 2011 - jengelh@medozas.de
+
+- Resolve "have choice for libnl-devel:
+ libnl-1_1-devel libnl3-devel"
+
+-------------------------------------------------------------------
+Tue Aug 2 08:46:53 UTC 2011 - rhafer@suse.de
+
+- Fixed typos in configure args
+- Cherry-picked password policy fixes from 1.5 branch (bnc#705768)
+- switched to fd-leak fix cherry-picked from 1.5 branch
+- Add /usr/sbin to the search path to make configure find nscd
+ (bnc#709747)
+
+-------------------------------------------------------------------
+Fri Jul 29 10:39:51 UTC 2011 - jengelh@medozas.de
+
+- Add patches to fix an fd leak in sssd_pam
+
+-------------------------------------------------------------------
+Thu Jul 28 10:03:32 UTC 2011 - jengelh@medozas.de
+
+- Update to new upstream release 1.5.11
+* Support for overriding home directory, shell and primary GID
+ locally
+* Properly honor TTL values from SRV record lookups
+* Support non-POSIX groups in nested group chains (for RFC2307bis
+ LDAP servers)
+* Properly escape IPv6 addresses in the failover code
+* Do not crash if inotify fails (e.g. resource exhaustion)
+- Remove redundant %clean section; delete .la files more
+ efficiently
+
+-------------------------------------------------------------------
+Tue Jun 7 08:59:04 UTC 2011 - rhafer@suse.de
+
+- Update to 1.5.8:
+ * Support for the LDAP paging control
+ * Support for multiple DNS servers for name resolution
+ * Fixes for several group membership bugs
+ * Fixes for rare crash bugs
+
+-------------------------------------------------------------------
+Wed May 4 09:22:20 UTC 2011 - rhafer@suse.de
+
+- Update to 1.5.7
+ * A flaw was found in the handling of cached passwords when
+ kerberos renewal tickets is enabled. Due to a bug, the cached
+ password was overwritten with a (moderately) predictable
+ filename, which could allow a user to authenticate as someone
+ else if they knew the name of the cache file (bnc#691135,
+ CVE-2011-1758)
+- Changes in 1.5.6:
+ * Fixed a serious memory leak in the memberOf plugin
+ * Fixed a regression with the negative cache that caused it to be
+ essentially nonfunctional
+ * Fixed an issue where the user's full name would sometimes be
+ removed from the cache
+ * Fixed an issue with password changes in the kerberos provider
+ not working with kpasswd
+
+-------------------------------------------------------------------
+Thu Apr 14 11:31:38 UTC 2011 - rhafer@suse.de
+
+- Update to 1.5.5
+ * Fixes for several crash bugs
+ * LDAP group lookups will no longer abort if there is a
+ zero-length member attribute
+ * Add automatic fallback to 'cn' if the 'gecos' attribute does not
+ exist
+
+-------------------------------------------------------------------
+Wed Mar 30 09:47:23 UTC 2011 - rhafer@suse.de
+
+- Should build in SLE-11-SP1 now
+
+-------------------------------------------------------------------
+Tue Mar 29 13:23:57 UTC 2011 - rhafer@suse.de
+
+- Updated to 1.5.4
+ * Fixes for Active Directory when not all users and groups have
+ POSIX attributes
+ * Fixes for handling users and groups that have name aliases
+ (aliases are ignored)
+ * Fix group memberships after initgroups in the IPA provider
+
+-------------------------------------------------------------------
+Thu Mar 24 15:42:02 UTC 2011 - rhafer@suse.de
+
+- Updated to 1.5.3
+ * Support for libldb >= 1.0.0
+ * Proper detection of manpage translations
+ * Changes between 1.5.1 and 1.5.2
+ * Fixes for support of FreeIPA v2
+ * Fixes for failover if DNS entries change
+ * Improved sss_obfuscate tool with better interactive mode
+ * Fix several crash bugs
+ * Don't attempt to use START_TLS over SSL. Some LDAP servers
+ can't handle this
+ * Delete users from the local cache if initgroups calls return
+ 'no such user' (previously only worked for getpwnam/getpwuid)
+ * Use new Transifex.net translations
+ * Better support for automatic TGT renewal (now survives
+ restart)
+ * Netgroup fixes
+
+-------------------------------------------------------------------
+Tue Mar 8 13:22:58 UTC 2011 - rhafer@suse.de
+
+- Updated to 1.5.1
+ * Vast performance improvements when enumerate = true
+ * All PAM actions will now perform a forced initgroups lookup
+ instead of just a user information lookup This guarantees that
+ all group information is available to other providers, such as
+ the simple provider.
+ * For backwards-compatibility, DNS lookups will also fall back to
+ trying the SSSD domain name as a DNS discovery domain.
+ * Support for more password expiration policies in LDAP
+ - 389 Directory Server
+ - FreeIPA
+ - ActiveDirectory
+ * Support for ldap_tls_{cert,key,cipher_suite} config options
+ * Assorted bugfixes
+
+-------------------------------------------------------------------
+Wed Jan 19 09:32:35 UTC 2011 - rhafer@suse.de
+
+- /var/lib/sss/pubconf was missing (bnc#665442)
+
+-------------------------------------------------------------------
+Tue Jan 18 09:08:35 UTC 2011 - rhafer@suse.de
+
+- It was possible to make sssd hang forever inside a loop in the
+ PAM responder by sending a carefully crafted packet to sssd.
+ This could be exploited by a local attacker to crash sssd and
+ prevent other legitimate users from logging into the system.
+ (bnc#660481, CVE-2010-4341)
+
+-------------------------------------------------------------------
+Sun Dec 19 13:37:32 UTC 2010 - aj@suse.de
+
+- Own /etc/systemd directories to fix build.
+
+-------------------------------------------------------------------
+Thu Nov 25 16:30:40 UTC 2010 - rhafer@novell.com
+
+- install systemd service file
+
+-------------------------------------------------------------------
+Tue Nov 16 11:06:02 UTC 2010 - rhafer@novell.com
+
+- Updated to 1.4.1
+ * Add support for netgroups to the LDAP and proxy providers
+ * Fixes a minor bug with UIDs/GIDs >= 2^31
+ * Fixes a segfault in the kerberos provider
+ * Fixes a segfault in the NSS responder if a data provider crashes
+ * Correctly use sdap_netgroup_search_base
+ * the utility libraries libpath_utils1, libpath_utils-devel,
+ libref_array1 and libref_array-devel moved to their own
+ separate upstream project (ding-libs)
+ * Performance improvements made to group processing of RFC2307
+ LDAP servers
+ * Fixed nested group issues with RFC2307bis LDAP servers without
+ a memberOf plugin
+ * Manpage reviewed and updated
+
+-------------------------------------------------------------------
+Mon Sep 13 12:23:47 UTC 2010 - coolo@novell.com
+
+- remove hard coded python version
+
+-------------------------------------------------------------------
+Fri Sep 3 13:17:48 UTC 2010 - rhafer@novell.com
+
+- No dependencies on %{release}
+
+-------------------------------------------------------------------
+Mon Aug 30 12:57:47 UTC 2010 - rhafer@novell.com
+
+- Updated to 1.3.1
+ * Fixes to the HBAC backend for obsolete or removed HBAC entries
+ * Improvements to log messages around TLS and GSSAPI for LDAP
+ * Support for building in environments using --as-needed LDFLAGS
+ * Vast performance improvement for initgroups on RFC2307 LDAP servers
+ * Long-running SSSD clients (e.g. GDM) will now reconnect properly to the
+ daemon if SSSD is restarted
+ * Rewrote the internal LDB cache API. As a synchronous API it is now faster
+ to access and easier to work with
+ * Eugene Indenbom contributed a sizeable amount of code to the LDAP provider
+ - We now handle failover situations much more reliably than we did
+ previously
+ - We also will now monitor the GSSAPI kerberos ticket and automatically
+ renew it when appropriate, instead of waiting for a connection to fail
+ * Support for netlink now allows us to more quickly detect situations
+ where we may have come online
+ * New option "dns_discovery_domain" allows better configuration for
+ using SRV records for failover
+- New subpackages: libpath_utils1, libpath_utils-devel, libref_array1
+ and libref_array-devel
+
+-------------------------------------------------------------------
+Wed Mar 31 14:02:43 UTC 2010 - rhafer@novell.com
+
+- Package pam- and nss-Modules as baselibs
+- cleaned up file list and dependencies
+- fixed init script dependencies
+
+-------------------------------------------------------------------
+Wed Mar 31 07:57:25 UTC 2010 - rhafer@novell.com
+
+- Updated to 1.1.0
+ * Support for IPv6
+ * Support for LDAP referrals
+ * Offline failed login counter
+ * Fix for the long-standing cache cleanup performance issues
+ * libini_config, libcollection, libdhash, libref_array and
+ libpath_utils are now built as shared libraries for general
+ consumption (libref_array and libpath_utils are currently not
+ packaged, as no component in sssd links against them)
+ * Users get feedback from PAM if they authenticated offline
+ * Native local backend now has a utility to show nested memberships
+ (sss_groupshow)
+ * New "simple" access provider for easy restriction of users
+- Backported libcrypto support from master to avoid Mozilla NSS
+ dependency
+- Backported password policy improvments for LDAP provider from
+ master
+
+-------------------------------------------------------------------
+Mon Mar 8 14:06:29 UTC 2010 - rhafer@novell.com
+
+- use logfiles for debug messages by default
+
+-------------------------------------------------------------------
+Fri Mar 5 12:57:25 UTC 2010 - rhafer@novell.com
+
+- subpackages for commandline tools, ipa-provider plugin and
+ python API
+
+-------------------------------------------------------------------
+Fri Feb 26 14:48:50 UTC 2010 - rhafer@novell.com
+
+- Updated to 1.0.5. Highlights:
+ * Removed some dead code (libreplace
+ * Clarify licenses throughout the code
+
+-------------------------------------------------------------------
+Thu Feb 4 17:04:01 UTC 2010 - rhafer@novell.com
+
+- Updated to 1.0.4
+
+-------------------------------------------------------------------
+Thu Oct 8 15:10:47 UTC 2009 - rhafer@novell.com
+
+- Update to 0.6.0
+
+-------------------------------------------------------------------
+Fri Sep 4 08:59:21 UTC 2009 - rhafer@novell.com
+
+- fix LDAP filter for initgroups() with rfc2307bis setups
+
+-------------------------------------------------------------------
+Tue Sep 1 08:58:37 UTC 2009 - rhafer@novell.com
+
+- initial package submission
+
diff --git a/sssd.keyring b/sssd.keyring
new file mode 100644
index 0000000..5cd9c37
--- /dev/null
+++ b/sssd.keyring
@@ -0,0 +1,75 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGI9m7YBEACjfmpZrW6wpmz+QRfnx1UuOABpTmsBi6ElTqx+ZzLU2R3N4KLl +PDycp6Pm5PqnLRLoC0TzHh1MjpVWiCfrnlTm6yD2Y6A37c6/elFjiZlbY93zUJi9 +mE3OXyxe3RQHVjEYiQZ+DCcgQe5r2mFL8prK2OBIIoJJK2t46EjcjsJJkOIgT9H0 +7FaLWfT2MHhO0mg6EqwqOsSKI392sVhJ0GTDULiI1ZlRULZwn3oWdXglO5O9KAhu +jSAIrKuX6QsIxXfVDG1wmOR99yyuiXpJhlKbgdw3Y37IcHRD9DLbqCnp//3WkW9W +k5Mn/bYK1TIed92U4CWNqz557lGnQxwPyyaNkJW9L1kNWO6P9Kl8RgxuX0689Zb0 +sqooxTK//O+BBOso1iSRsdyqo2KSIBF06Fe9x5i+jwX2N3hHbzODfT0rHOokPj5p +jT/o6NFQ0lMqYQJxQA7/71Dk/6EkkxE3kHTkFNHBii1pt0msyQij8URmTTN39V1f +n+HlxDOrzDSccrs5x0b+cT5wuB1tSp9JhkmmAk5rb8vsHL+iPRM4ZDIOJNm/Qlg6 +pQ+V4FEamntO9undQro0hSShEq69JDbBhT+fmHcAH2a03buTdyu3aqok3OSdxMj/ +aprl84eFxE3cwlCXzsu0qf8ue9UjFWynmwsDQgR4EMMbVDwInd/rrV+wOwARAQAB +tElTU1NEIFByb2plY3QgKGh0dHBzOi8vc3NzZC5pbykgPHNzc2QtbWFpbnRhaW5l +cnNAbGlzdHMuZmVkb3JhcHJvamVjdC5vcmc+iQJOBBMBCAA4FiEEwTzQf/stsUCO +RXo809IbKRDPZ1kFAmI9m7YCGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ +09IbKRDPZ1nmShAAlEZD+l7OSTb8uOQDj9wHXjkJbrz2vp3vfHiUo69NIssEQRUE +WRpygejjCsc3XlS8XivWwLIqrDOczenyCVVNSSWfaQpBc2ZR+XXBKMpxa1PlFduQ +wax2cbPXVdo47t3gVWAzicO0zxeAQVEZHUKyoWmaKtuFdN1ZJpNCvFJcr6yEFY5k +vQy5Caf6G1oDS9XYsx4YZZT0YhMo3d/8awJLJuVfnqsC/mTOaC7Khms31c2SC+50 ++i+gE9HOVkLqanYkQcmdWIMN/oOljAd3zCFBNw5cXXuNmjp32URcm4khLKuxgV12 +RetW63SAMydavCp8jMpjuE1pBo6s+/ZcvHe0IhS5fcAbXnIuxqhB2FfeJVg3Udx8 +u+zZjwtndUZ9NCETomHa77Beq3h/0A/hiEmNl6xAYttNRvF/bbNg9k3o6lZydDYM +zhdmGh+VfZhuyyGJXWsrK0ZzJ0zXjorIKPlCi32cMrOPlYd94N4aWZaHC+uDZSMW +Xwjl79Tt92psOIiQwSSm1vaRvXV9w3HzyZtOIlK+Nc7T6qTOIHGgCuQI5zXNorNb +sdmzOR+ZrnYBk/E6hiaU8b4hQS2HJyr9YqERi2LjB9VICC+KHhsjba/hxIoVZR/v +Hg+WM/NBpOoaiScxLaqWNuoxY84SNJCgupWlCmBEDxWG+Q0ku/xgyRARCt2JATME +EAEIAB0WIQQaQdxnUF+JozCCi2av/nXd6FCOEgUCYj2dVAAKCRCv/nXd6FCOEihw +CACcbB3JuIeSGZbtVOvepRSjoaWRzC97V7Lj2lz9nIc610W0WfzHCePi+I9leuup +R/eV3Hhhx04QU9Zisc0CWVUC4mpgqzSgB1o4DYu1vPVPXZdfZkGVGtSiW+5rfjZo +iqGBGX8JalieI0wNYHQz660f21w08niecpnpFyadZh8/8oH3or0xvtCbPXOM+YH3 
+CpsBGS0aP2sf+uhvbGHoEygmLqr5rkkkC8XmEa8GxFFFpYVc1nzys7zVFoMWZ9Ta +UnyNwyo1JZHgVEbyCL3lK8OS9xXoPyOAqFT6Ux+Odj36hqamAsGAHL9O/DoEaUKI +fuGGvRb6Dlebrt3KDTiXbR9DiHUEEBYKAB0WIQQoeTnfBirYxTh2pTXC17mKk07s +FwUCYj2umAAKCRDC17mKk07sFyBsAQCAL84Bwe4BA8DEhGYhrl9Eb38LQ2hbNeJX +nLtjKqQlnwEA0BC1FR+bBm5NunMYbKtKcMLIAHtzSBbBrNqQzTO8XguJAjMEEAEI +AB0WIQSTAgGqtC3RlHIQt4ONcyY1GnJiEQUCYj28PgAKCRCNcyY1GnJiEZHdD/95 +sK4SFrSb1fJYcvk6OQMW2hW7VCohuqDOYWob2Tm7RWP9CxJ7I3PilEUizbp76AoX +V6UvXiBtY2q6omXMv2qBeEja7OWd3HWl0SXA5XLyRSF7hwirP2CqQZM8+zSyiYKf +TNw3rWTJjjarUnv6GYdoH55jEfk7sCIrbp5xEzvWu+9w/5pnIsSsFhYwJOD5ic+h +or3LHRN5Jn+jm6ec6H4Ums5zA4rnvTdxfcHKx1sX1KDez2d0k1BYONHGh5tTJSrx +3F5xxOqXHzPt7obiVOCYbE3NU2LswcHz2XNpdoXTyO/LLmvRVvoG1O6LGRrw5Tkg +lnres9gWMccHna4AnDGpXtXzyhlMlzIY5LNrROsg462tIWJcIopSmRct+IQxnOyW +te7k4BAVA/vO6FGnzfLPdH6Lwnos5OMfBew2j2b8yddM8qkBQxR7NUVhYMei7jLh +MiN1FTwtrtuAeMUddbIo/lZYMqUlNyl7Kiwqxse7EFGUvZwq5qhlaKfMZ48qVSYM +QQb6NILl9t5f/UrAkOSrgTF3uWQbcAOMQWusfDuBmHOolFVPTujQP7N5Asob9Nw0 ++oL2zY0MuG41xAf1tej25i8iYctJuB2L1uJULhw3i3iswPSuTJIKtYpKoES81jxG +Tit45gyS7XYpYdvAnYPTOPwF3sezy3uwmsob3geYR4h1BBAWCgAdFiEEf4f7DbyL +UMrqkdmCWuS5aYPSAzAFAmJDI/4ACgkQWuS5aYPSAzCznAD8DpzDOP5ILp2FbUGh +ROWM5T6cOppAOXDX2VN8hViDDmsA/24jLp5ga8cUwy7QVHduC9f8LLwN3O7q7XYz +BdBNnRMCuQINBGI9m7YBEACyE5/YORGMmYqKksDPFZNUW7unejUW7XTuLSMXrI9m +u8sFXT8tqPQJetYxaKiZqXxiS652u1XnLZf3ps4t6OINHSuT61Xw1Z6Svhn+o+Wz +Tmnfneahk1Czjlzs59qv3YXwLKffws7H5vGuOTnesgTyWJJG1A0wpehcZsI+rUzC +6mDwip1rSxocuFET6HK2eMpAo1B4V7XLC6srh3HzCNr5AB5UkjMWAuQqjUrqIt6O +dfPO9mqYf/w+CoI2HhVebwDjIXtoO5nVjPUncb0lUEsVWiA9C3xWi/pk2pd3nfkW +s+P0iJNYut+CQwGaHV8+gmwSLUUw/fraMASY5FVxLdSHKZ402Q6aSyuk93k7UQ7i +VIuZpOdjWASWgkATM5KEQHRVrt2enurn6oYBY2tSjzXmbTiCaaCG0p8CBtDvCIxT +Pz4Y0uaWcbIHLz3k0Tr4+zko/PEdh7qLCO83BJPf7/bVxGBMynxkAKXXgBlfjlFt +q7KMpbiM+qndP3SJpjlb0AnI7nCV1KvEeW+oIO+uQ2PwAlyFyV0pf8IYOeI0SN/R +3QSKL8CjlzSIwraUoCk79h3hJgBPG9D4ASwxeSPmriY9tbhNtsVUCT9YZgfxrJg8 +bzZvObeng+2IknKbxDzs/hnkNQ7uWx2GGeq7BYZ1eTwctWsw3V8VejiPByJEjQve 
+PQARAQABiQI2BBgBCAAgFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmI9m7YCGwwA +CgkQ09IbKRDPZ1mbeA//YYPvboEUjp/qqXK8XEgcEL33M+uWJJQucuhtBEjfwAlQ +m29NqO6I3n9cbuINXRtNMUawk86LMouEkhexqUmSg7NNDu1Nqp32yHn8MMJjOPsy +u6AZQinQoT8UKnUMqvmqMFJiotvDb2j2aP9yL0PjCiEeyYkk3bl2oGSdMD4A4o4D +0PUpLWt+w+3YbG58iBazPD/FwiGhe8TO7EAm3I7dYZ4ErALdmT6ptCW90IG9AHfK +CZTvaMB0NX/IksfJ9DEwMgsF0Hwlx5dmTin9ufFKfhKFcwV5aDXlEsYDMqT2o7z9 +l/7UTNXnk6VG/QXFhRjBDPtQNkgZoze1VV5itGmBsVE+c9lRtr+6YPJ04CDDv9dX +DI0eGdPxVmfDTR2tHOt+LOYIw4umsID3/qQzYluoUx5Cpud45qaBRjq7/iE+KJgS +IqxgBTXkV39C8T4gXrDRRjlBsOcIc7P6yUVqyClExynQ1BAJSEueO95CtxXV2btK +xSkZ2CyhVtjRxW5TOfQdvrFPueoxC17syQTslM/mKk6DBRHJrullqPLbSieKEJyc +SMkza3BVIhi0hdPfVfBRnSYe8jRFmBIR+cXnyAOkDkPqWK7q/icGVDpJPuunteH3 +1vXu/KcDrL7GVRj2LD136Xla1sgGUEbYmLfIHvYmqh1DXJQvnoAyUFKaBWEpSBg= +=E0Gq +-----END PGP PUBLIC KEY BLOCK----- diff --git a/sssd.spec b/sssd.spec new file mode 100644 index 0000000..158b0a0 --- /dev/null +++ b/sssd.spec 
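Review bot: The imported public key is the trust anchor for verifying the upstream tarball signature (sssd.spec lists it as `Source5: %name.keyring` beside the `.asc` in Source2), yet nothing in the visible part of the commit records the key's fingerprint or how it was matched against the key the upstream project publishes. Without that record a later replacement of this file is indistinguishable from a legitimate key rotation, so a short provenance comment above the Source5 line in sssd.spec would make future changes reviewable, e.g. `# Source5: upstream release-signing key, fingerprint <FINGERPRINT-PLACEHOLDER>, cross-checked against the project's published key on <DATE-PLACEHOLDER>`. Recording the same fingerprint in sssd.changes when the key is first imported or rotated gives reviewers a second place to compare against.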
@@ -0,0 +1,903 @@
+#
+# spec file for package sssd
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: sssd
+Version: 2.10.0
+Release: 0
+Summary: System Security Services Daemon
+License: GPL-3.0-or-later AND LGPL-3.0-or-later
+Group: System/Daemons
+URL: https://github.com/SSSD/sssd
+#Git-Clone: https://github.com/SSSD/sssd
+Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz
+Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc
+Source3: baselibs.conf
+Source5: %name.keyring
+Patch1: krb-noversion.diff
+Patch2: harden_sssd-ifp.service.patch
+Patch3: harden_sssd-kcm.service.patch
+Patch4: symvers.patch
+BuildRequires: autoconf >= 2.59
+BuildRequires: automake
+BuildRequires: bind-utils
+BuildRequires: check-devel
+BuildRequires: cifs-utils-devel
+BuildRequires: cyrus-sasl-devel
+BuildRequires: docbook-xsl-stylesheets
+BuildRequires: krb5-devel >= 1.12
+BuildRequires: libcmocka-devel
+%if 0%{?suse_version} >= 1600
+BuildRequires: libsubid-devel
+%endif
+BuildRequires: libtool
+BuildRequires: libunistring-devel
+BuildRequires: libxml2-tools
+BuildRequires: libxslt-tools
+BuildRequires: nscd
+BuildRequires: nss_wrapper
+BuildRequires: openldap2-devel
+BuildRequires: pam-devel
+BuildRequires: pkg-config >= 0.21
+BuildRequires: systemd-rpm-macros
+BuildRequires: uid_wrapper
+BuildRequires: pkgconfig(augeas) >= 1.0.0
+BuildRequires: pkgconfig(collection) >= 0.5.1
+BuildRequires: pkgconfig(dbus-1) >= 1.0.0
+BuildRequires: pkgconfig(dhash) >= 0.4.2
+BuildRequires: pkgconfig(glib-2.0)
+BuildRequires: pkgconfig(ini_config) >= 1.3
+BuildRequires: pkgconfig(jansson)
+BuildRequires: pkgconfig(ldb) >= 0.9.2
+BuildRequires: pkgconfig(libcap)
+BuildRequires: pkgconfig(libcares)
+BuildRequires: pkgconfig(libcrypto) >= 1.0.1
+%if 0%{?suse_version} >= 1600
+BuildRequires: pkgconfig(libcurl)
+%endif
+BuildRequires: pkgconfig(libnfsidmap)
+BuildRequires: pkgconfig(libnl-3.0) >= 3.0
+BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0
+BuildRequires: pkgconfig(libpcre2-8)
+%if 0%{?suse_version} >= 1600
+BuildRequires: pkgconfig(libsemanage)
+%endif
+BuildRequires: pkgconfig(libsystemd)
+BuildRequires: pkgconfig(ndr_krb5pac)
+BuildRequires: pkgconfig(ndr_nbt)
+BuildRequires: pkgconfig(p11-kit-1) >= 0.23.3
+BuildRequires: pkgconfig(popt)
+BuildRequires: pkgconfig(python3)
+BuildRequires: pkgconfig(smbclient)
+BuildRequires: pkgconfig(talloc)
+BuildRequires: pkgconfig(tdb) >= 1.1.3
+BuildRequires: pkgconfig(tevent)
+BuildRequires: pkgconfig(uuid)
+BuildRequires: python3-wheel
+BuildRequires: python3-setuptools
+%if 0%{?suse_version} && 0%{?suse_version} < 1600
+# samba-client-devel pulls samba-client-libs pulls libldap-2_4-2 wants libldap-data(-2.4);
+# this conflicts with
+# openldap2-devel pulls libldap2 wants libldap-data(-2.6)
+# Package contains just config files, not needed for build.
+#!BuildIgnore: libldap-data
+%endif
+%{?systemd_ordering}
+Requires: sssd-ldap = %version-%release
+Requires(postun): pam-config
+Provides: libsss_sudo = %version-%release
+Provides: sssd-client = %version-%release
+Obsoletes: libsss_sudo < %version-%release
+Provides: sssd-common = %version-%release
+Obsoletes: sssd-common < %version-%release
+
+%define servicename sssd
+%define sssdstatedir %_localstatedir/lib/sss
+%define dbpath %sssdstatedir/db
+%define pipepath %sssdstatedir/pipes
+%define pubconfpath %sssdstatedir/pubconf
+%define gpocachepath %sssdstatedir/gpo_cache
+%define ldbdir %(pkg-config ldb --variable=modulesdir)
+
+# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
+# %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
+# * cifs-utils one is the default (priority 20)
+# * installing SSSD should NOT switch to SSSD plugin (priority 10)
+%define cifs_idmap_plugin %_sysconfdir/cifs-utils/idmap-plugin
+%define cifs_idmap_lib %_libdir/cifs-utils/cifs_idmap_sss.so
+%define cifs_idmap_name cifs-idmap-plugin
+%define cifs_idmap_priority 10
+Requires(post): update-alternatives
+Requires(postun): update-alternatives
+
+%description
+Provides a set of daemons to manage access to remote directories and
+authentication mechanisms. It provides an NSS and PAM interface toward
+the system and a pluggable backend system to connect to multiple different
+account sources. It is also the basis to provide client auditing and policy
+services for projects like FreeIPA.
+
+%package ad
+Summary: The ActiveDirectory backend plugin for sssd
+License: GPL-3.0-or-later
+Group: System/Daemons
+Requires: %name-krb5-common = %version-%release
+Requires: adcli
+
+%description ad
+Provides the Active Directory back end that the SSSD can utilize to
+fetch identity data from and authenticate against an Active Directory
+server.
+
+%package dbus
+Summary: The D-Bus responder of sssd
+License: GPL-3.0-or-later
+Group: System/Base
+Requires: %name = %version
+
+%description dbus
+Provides the D-Bus responder of sssd, called InfoPipe, which allows
+information from sssd to be transmitted over the system bus.
+
+%package ipa
+Summary: FreeIPA backend plugin for sssd
+License: GPL-3.0-or-later
+Group: System/Daemons
+Requires: %name = %version
+Requires: %name-ad = %version-%release
+Requires: %name-krb5-common = %version-%release
+Obsoletes: %name-ipa-provider < %version-%release
+Provides: %name-ipa-provider = %version-%release
+
+%description ipa
+Provides the IPA back end that the SSSD can utilize to fetch identity
+data from and authenticate against an IPA server.
+
+%package kcm
+Summary: SSSD's Kerberos cache manager
+License: GPL-3.0-or-later
+Group: System/Daemons
+Requires: sssd = %version-%release
+
+%description kcm
+KCM is a process that stores, tracks and manages Kerberos credential
+caches.
+
+%package krb5
+Summary: The Kerberos authentication backend plugin for sssd
+License: GPL-3.0-or-later
+Group: System/Daemons
+Requires: %name-krb5-common = %version-%release
+
+%description krb5
+Provides the Kerberos back end that the SSSD can utilize authenticate
+against a Kerberos server.
+
+%package krb5-common
+Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
+License: GPL-3.0-or-later
+Group: System/Daemons
+Requires: cyrus-sasl-gssapi
+
+%description krb5-common
+Provides helper processes that the LDAP and Kerberos back ends can
+use for Kerberos user or host authentication.
+
+%package ldap
+Summary: The LDAP backend plugin for sssd
+License: GPL-3.0-or-later
+Group: System/Daemons
+Requires: %name-krb5-common = %version-%release
+
+%description ldap
+Provides the LDAP back end that the SSSD can utilize to fetch
+identity data from and authenticate against an LDAP server.
+
+%package proxy
+Summary: The proxy backend plugin for sssd
+License: GPL-3.0-or-later
+Group: System/Daemons
+
+%description proxy
+Provides the proxy back end which can be used to wrap an existing NSS
+and/or PAM modules to leverage SSSD caching.
+
+%package tools
+Summary: Commandline tools for sssd
+License: GPL-3.0-or-later AND LGPL-3.0-or-later
+Group: System/Management
+Requires: python3-sssd-config = %version-%release
+Requires: sssd = %version
+
+%description tools
+The packages contains commandline tools for managing users and groups using
+the "local" id provider of the System Security Services Daemon (sssd).
+
+%package winbind-idmap
+Summary: The sss idmap backend for Winbind
+Group: System/Libraries
+
+%description winbind-idmap
+The idmap_sss module provides a way for Winbind to call SSSD to map
+UIDs/GIDs and SIDs.
+
+%package -n libsss_certmap0
+Summary: FreeIPA ID mapping library
+License: LGPL-3.0-or-later
+Group: System/Libraries
+
+%description -n libsss_certmap0
+A utility library for FreeIPA to map certs.
+
+%package -n libsss_certmap-devel
+Summary: Development files for the FreeIPA certmap library
+License: LGPL-3.0-or-later
+Group: Development/Libraries/C and C++
+Requires: libsss_certmap0 = %version
+
+%description -n libsss_certmap-devel
+A utility library for FreeIPA to map certs.
+
+%package -n libipa_hbac0
+Summary: FreeIPA HBAC Evaluator library
+License: LGPL-3.0-or-later
+Group: System/Libraries
+
+%description -n libipa_hbac0
+Utility library to validate FreeIPA HBAC rules for authorization
+requests.
+
+%package -n libipa_hbac-devel
+Summary: Development files for the FreeIPA HBAC Evaluator library
+License: LGPL-3.0-or-later
+Group: Development/Libraries/C and C++
+Requires: libipa_hbac0 = %version
+
+%description -n libipa_hbac-devel
+Utility library to validate FreeIPA HBAC rules for authorization
+requests.
+
+%package -n libnfsidmap-sss
+Summary: Library to allow communication between libnfsidmap and SSSD
+License: GPL-3.0-or-later
+Group: System/Libraries
+Supplements: (nfsidmap and sssd-client)
+
+%description -n libnfsidmap-sss
+A utility library to allow communication between libnfsidmap and SSSD.
+
+%package -n libsss_idmap0
+Summary: FreeIPA ID mapping library
+License: LGPL-3.0-or-later
+Group: System/Libraries
+
+%description -n libsss_idmap0
+A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs.
+
+%package -n libsss_idmap-devel
+Summary: Development files for the FreeIPA idmap library
+License: LGPL-3.0-or-later
+Group: Development/Libraries/C and C++
+Requires: libsss_idmap0 = %version
+
+%description -n libsss_idmap-devel
+A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs.
+
+%package -n libsss_nss_idmap0
+Summary: FreeIPA ID mapping library
+License: LGPL-3.0-or-later
+Group: System/Libraries
+
+%description -n libsss_nss_idmap0
+A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs.
+
+%package -n libsss_nss_idmap-devel
+Summary: Development files for the FreeIPA idmap library
+License: LGPL-3.0-or-later
+Group: Development/Libraries/C and C++
+Requires: libsss_nss_idmap0 = %version
+
+%description -n libsss_nss_idmap-devel
+A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs.
+
+%if 0%{?suse_version} < 1600
+%package -n libsss_simpleifp0
+Summary: The SSSD D-Bus responder helper library
+License: GPL-3.0-or-later
+Group: System/Libraries
+# Even though sssd has obsoleted simpleifp, the plan here is to retain ABI
+# compatibility with the existing SUSE 15.x product line. ...at least, until
+# sssd completely removes SIFP from source.
+
+%description -n libsss_simpleifp0
+This subpackage provides a library that simplifies the D-Bus API for
+the SSSD InfoPipe responder.
+
+%package -n libsss_simpleifp-devel
+Summary: Development files for the SSSD D-Bus responder helper library
+License: GPL-3.0-or-later
+Group: Development/Libraries/C and C++
+Requires: libsss_simpleifp0 = %version
+
+%description -n libsss_simpleifp-devel
+This subpackage provides the development files for sssd's simpleifp,
+a library that simplifies the D-Bus API for the SSSD InfoPipe
+responder.
+%endif
+
+%package -n libsss_sudo
+Summary: A library to allow communication between sudo and SSSD
+License: LGPL-3.0-or-later
+Group: System/Libraries
+Supplements: (sudo and sssd-client)
+
+%description -n libsss_sudo
+A utility library to allow communication between sudo and SSSD.
+
+%package -n python3-ipa_hbac
+Summary: Python bindings for the FreeIPA HBAC Evaluator library
+License: LGPL-3.0-or-later
+Group: Development/Libraries/Python
+Requires: python3
+
+%description -n python3-ipa_hbac
+The python-ipa_hbac package contains the bindings so that libipa_hbac
+can be used by Python applications.
+
+%package -n python3-sss-murmur
+Summary: Python3 bindings for SSSD Murmur hash function
+License: LGPL-3.0-or-later
+Group: Development/Libraries/Python
+Requires: python3
+
+%description -n python3-sss-murmur
+This subpackage provides the python3 module for calculating the
+Murmur hash version 3.
+
+%package -n python3-sss_nss_idmap
+Summary: Python bindings for libsss_nss_idmap
+License: LGPL-3.0-or-later
+Group: Development/Libraries/Python
+Requires: python3
+
+%description -n python3-sss_nss_idmap
+The libsss_nss_idmap-python contains the bindings so that
+libsss_nss_idmap can be used by Python applications.
+
+%package -n python3-sssd-config
+Summary: Python API for configuring sssd
+License: GPL-3.0-or-later AND LGPL-3.0-or-later
+Group: Development/Libraries/Python
+Requires: python3
+
+%description -n python3-sssd-config
+Provide python module to access and manage configuration of the System
+Security Services Daemon (sssd).
+
+%prep
+%autosetup -p1
+
+%build
+# help configure find nscd
+export PATH="$PATH:/usr/sbin"
+
+autoreconf -fiv
+%configure \
+ --with-db-path="%dbpath" \
+ --with-pipe-path="%pipepath" \
+ --with-pubconf-path="%pubconfpath" \
+ --with-gpo-cache-path="%gpocachepath" \
+ --with-environment-file="%_sysconfdir/sysconfig/sssd" \
+ --with-initscript=systemd \
+ --with-syslog=journald \
+ --with-pid-path="%_rundir" \
+ --enable-nsslibdir="/%_lib" \
+ --enable-pammoddir="%_pam_moduledir" \
+ --with-ldb-lib-dir="%ldbdir" \
+ --with-os=suse \
+ --disable-ldb-version-check \
+ --without-python2-bindings \
+ --without-oidc-child \
+%if 0%{?suse_version} >= 1600
+ --with-selinux=yes \
+ --with-subid
+%else
+ --with-selinux=no \
+ --with-libsifp \
+ --with-files-provider
+%endif
+%make_build all
+
+%install
+# sss_obfuscate is compatible with both python 2 and 3
+perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate
+%make_install dbuspolicydir=%_datadir/dbus-1/system.d
+b="%buildroot"
+
+# Copy some defaults
+%if "%{?_distconfdir}" != ""
+install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_distconfdir/sssd/sssd.conf"
+install -d -m 0755 "$b/%_distconfdir/sssd/conf.d"
+%else
+install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf"
+install -d -m 0755 "$b/%_sysconfdir/sssd/conf.d"
+%endif
+install -d "$b/%_unitdir"
+%if 0%{?suse_version} > 1500
+install -d "$b/%_distconfdir/logrotate.d"
+install -m644 src/examples/logrotate "$b/%_distconfdir/logrotate.d/sssd"
+install -d "$b/%_pam_vendordir"
+mv "$b/%_pam_confdir/sssd-shadowutils" "$b/%_pam_vendordir"
+%else
+install -d "$b/%_sysconfdir/logrotate.d"
+install -m644 src/examples/logrotate "$b/%_sysconfdir/logrotate.d/sssd"
+%endif
+
+rm -Rfv "$b/%_initddir"
+%if 0%{?suse_version} < 1600
+ln -s service "$b/%_sbindir/rcsssd"
+%endif
+
+mkdir -pv "$b/%sssdstatedir/mc"
+find "$b" -type f -name "*.la" -print -delete
+%find_lang %name --all-name
+
+# dummy target for cifs-idmap-plugin
+mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils
+ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin
+%python3_fix_shebang
+%if 0%{?suse_version} > 1600
+%python3_fix_shebang_path %buildroot/%_libexecdir/%name/
+%elif 0%{?suse_version} == 1600
+# python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204
+sed -i '1s@#!.*python.*@#!%{_bindir}/python3.11@' %{buildroot}/%{_libexecdir}/%{name}/sss_analyze
+%endif
+
+%check
+# sss_config-tests fails
+%make_build check || :
+
+%pre
+%service_add_pre sssd.service
+%if "%{?_distconfdir}" != ""
+# Prepare for migration to /usr/etc; save any old .rpmsave
+for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do
+ test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i.rpmsave.old" || :
+done
+%endif
+
+%post
+/sbin/ldconfig
+# migrate config variable krb5_kdcip to krb5_server (bnc#851048)
+if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then
+ /bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' "%_sysconfdir/sssd/sssd.conf"
+fi
+%service_add_post sssd.service
+
+# install SSSD cifs-idmap plugin as an alternative
+update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority
+
+%preun
+%service_del_preun sssd.service
+
+%postun
+/sbin/ldconfig
+if [ "$1" = "0" -a -x "%_sbindir/pam-config" ]; then
+ "%_sbindir/pam-config" -d --sss || :
+fi
+# del_postun includes a try-restart
+%service_del_postun sssd.service
+
+if [ ! -f "%cifs_idmap_lib" ]; then
+ update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib
+fi
+
+%post -n libsss_certmap0 -p /sbin/ldconfig
+%postun -n libsss_certmap0 -p /sbin/ldconfig
+%post -n libipa_hbac0 -p /sbin/ldconfig
+%postun -n libipa_hbac0 -p /sbin/ldconfig
+%post -n libsss_idmap0 -p /sbin/ldconfig
+%postun -n libsss_idmap0 -p /sbin/ldconfig
+%post -n libsss_nss_idmap0 -p /sbin/ldconfig
+%postun -n libsss_nss_idmap0 -p /sbin/ldconfig
+%if 0%{?suse_version} < 1600
+%post -n libsss_simpleifp0 -p /sbin/ldconfig
+%postun -n libsss_simpleifp0 -p /sbin/ldconfig
+%endif
+
+%triggerun -- %name < %version-%release
+# sssd takes care of upgrading the database but it doesn't handle downgrades.
+# Clear caches when downgrading the package, which may have an
+# incompatible format afterwards preventing the daemon from startup.
+if [ "$1" = "1" ] && [ "$2" = "2" ]; then
+ echo "Package downgrade detected, removing cache files which may have an incompatible format."
+ rm -f /var/lib/sss/db/*.ldb
+fi
+
+%pre dbus
+%service_add_pre sssd-ifp.service
+
+%post dbus
+%service_add_post sssd-ifp.service
+
+%preun dbus
+%service_del_preun sssd-ifp.service
+
+%postun dbus
+%service_del_postun sssd-ifp.service
+
+%pre kcm
+%service_add_pre sssd-kcm.service sssd-kcm.socket
+
+%post kcm
+%service_add_post sssd-kcm.service sssd-kcm.socket
+
+%preun kcm
+%service_del_preun sssd-kcm.service sssd-kcm.socket
+
+%postun kcm
+%service_del_postun sssd-kcm.service sssd-kcm.socket
+
+%pretrans
+# Migrate sssd.service from sssd-common to sssd
+systemctl is-enabled sssd.service > /dev/null
+if [ $? -eq 0 ]; then
+mkdir -p /run/systemd/rpm/
+touch /run/systemd/rpm/sssd-was-enabled
+fi
+systemctl is-active sssd.service > /dev/null
+if [ $? -eq 0 ]; then
+mkdir -p /run/systemd/rpm/
+touch /run/systemd/rpm/sssd-was-active
+fi
+
+%posttrans
+%if "%{?_distconfdir}" != ""
+# Migration to /usr/etc, restore just created .rpmsave
+for i in sssd/sssd.conf logrotate.d/sssd pam.d/sssd-shadowutils ; do
+ test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i" || :
+done
+%endif
+# Migrate sssd.service from sssd-common to sssd
+if [ -e /run/systemd/rpm/sssd-was-enabled ]; then
+systemctl is-enabled sssd.service > /dev/null
+if [ $? -ne 0 ]; then
+ echo "Migrating sssd.service, was enabled"
+ systemctl enable sssd.service
+fi
+rm /run/systemd/rpm/sssd-was-enabled
+fi
+if [ -e /run/systemd/rpm/sssd-was-active ]; then
+systemctl is-active sssd.service > /dev/null
+if [ $? -ne 0 ]; then
+ echo "Migrating sssd.service, was active"
+ systemctl start sssd.service
+fi
+rm /run/systemd/rpm/sssd-was-active
+fi
+
+%files -f sssd.lang
+%license COPYING
+%_unitdir/sssd.service
+%_unitdir/sssd-autofs.socket
+%_unitdir/sssd-autofs.service
+%_unitdir/sssd-nss.socket
+%_unitdir/sssd-nss.service
+%_unitdir/sssd-pac.socket
+%_unitdir/sssd-pac.service
+%_unitdir/sssd-pam.socket
+%_unitdir/sssd-pam.service
+%_unitdir/sssd-ssh.socket
+%_unitdir/sssd-ssh.service
+%_unitdir/sssd-sudo.socket
+%_unitdir/sssd-sudo.service
+%_bindir/sss_ssh_*
+%_sbindir/sssd
+%if 0%{?suse_version} < 1600
+%_sbindir/rcsssd
+%endif
+%dir %_mandir/??/
+%dir %_mandir/??/man[158]/
+%_mandir/??/man1/sss_ssh_*
+%_mandir/??/man5/sss-certmap.5*
+%_mandir/??/man5/sssd-ad.5*
+%if 0%{?suse_version} < 1600
+%_mandir/??/man5/sssd-files.5*
+%endif
+%_mandir/??/man5/sssd-ldap-attributes.5*
+%_mandir/??/man5/sssd-session-recording.5*
+%_mandir/??/man5/sssd-simple.5*
+%_mandir/??/man5/sssd-sudo.5*
+%_mandir/??/man5/sssd-systemtap.5*
+%_mandir/??/man5/sssd.conf.5*
+%_mandir/??/man8/idmap_sss.8*
+%_mandir/??/man8/sssd.8*
+%_mandir/man1/sss_ssh_*
+%_mandir/man5/sss-certmap.5*
+%if 0%{?suse_version} < 1600
+%_mandir/man5/sssd-files.5*
+%endif
+%_mandir/man5/sssd-ldap-attributes.5*
+%_mandir/man5/sssd-session-recording.5*
+%_mandir/man5/sssd-simple.5*
+%_mandir/man5/sssd-sudo.5*
+%_mandir/man5/sssd.conf.5*
+%_mandir/man8/sssd.8*
+%dir %_libdir/%name/
+%_libdir/%name/conf/
+%_libdir/%name/libifp_iface*
+%_libdir/%name/libsss_child*
+%_libdir/%name/libsss_cert*
+%_libdir/%name/libsss_crypt*
+%_libdir/%name/libsss_debug*
+%if 0%{?suse_version} < 1600
+%_libdir/%name/libsss_files*
+%endif
+%_libdir/%name/libsss_iface*
+%_libdir/%name/libsss_semanage*
+%_libdir/%name/libsss_sbus*
+%_libdir/%name/libsss_simple*
+%_libdir/%name/libsss_util*
+%dir %_libdir/%name/modules/
+%_libdir/%name/modules/libsss_autofs.so
+%_libdir/libsss_sudo.so
+%ldbdir/
+%dir %_libexecdir/%name/
+%_libexecdir/%name/p11_child
+%_libexecdir/%name/sssd_autofs
+%_libexecdir/%name/sssd_be
+%_libexecdir/%name/sssd_nss
+%_libexecdir/%name/sssd_pam
+%_libexecdir/%name/sssd_ssh
+%_libexecdir/%name/sssd_sudo
+%_libexecdir/%name/sss_signal
+%_libexecdir/%name/sssd_check_socket_activated_responders
+%if 0%{?suse_version} >= 1600
+%_libexecdir/%name/selinux_child
+%endif
+%dir %sssdstatedir
+%attr(700,root,root) %dir %dbpath/
+%attr(755,root,root) %dir %pipepath/
+%attr(700,root,root) %dir %pipepath/private/
+%attr(755,root,root) %dir %pubconfpath/
+%attr(755,root,root) %dir %pubconfpath/krb5.include.d
+%attr(755,root,root) %dir %gpocachepath/
+%attr(755,root,root) %dir %sssdstatedir/mc/
+%attr(700,root,root) %dir %sssdstatedir/keytabs/
+%attr(750,root,root) %dir %_localstatedir/log/%name/
+%if "%{?_distconfdir}" != ""
+%dir %_distconfdir/sssd/
+%%dir %_distconfdir/sssd/conf.d
+%config(noreplace) %_distconfdir/sssd/sssd.conf
+%else
+%dir %_sysconfdir/sssd/
+%%dir %_sysconfdir/sssd/conf.d
+%config(noreplace) %_sysconfdir/sssd/sssd.conf
+%endif
+%if 0%{?suse_version} > 1500
+%_distconfdir/logrotate.d/sssd
+%_pam_vendordir/sssd-shadowutils
+%else
+%config(noreplace) %_sysconfdir/logrotate.d/sssd
+%config(noreplace) %_pam_confdir/sssd-shadowutils
+%endif
+%dir %_datadir/%name/
+%_datadir/%name/cfg_rules.ini
+%_datadir/%name/sssd.api.conf
+%dir %_datadir/%name/sssd.api.d/
+%_datadir/%name/sssd.api.d/sssd-simple.conf
+%if 0%{?suse_version} < 1600
+%_datadir/%name/sssd.api.d/sssd-files.conf
+%else
+%exclude %_mandir/*/*/sssd-files.5.gz
+%endif
+%doc src/examples/sssd.conf
+#
+# sssd-client
+#
+/%_lib/libnss_sss.so.2
+%_pam_moduledir/pam_sss.so
+%_pam_moduledir/pam_sss_gss.so
+%_libdir/krb5/
+%_libdir/%name/modules/sssd_krb5_localauth_plugin.so
+%exclude %_libdir/%name/modules/sssd_krb5_idp_plugin.so
+%if 0%{?suse_version} >= 1600
+%_libdir/libsubid_sss.so
+%endif
+%_mandir/??/man8/sssd_krb5_locator_plugin.8*
+%_mandir/??/man8/pam_sss.8*
+%_mandir/??/man8/pam_sss_gss.8*
+%_mandir/man8/pam_sss.8*
+%_mandir/man8/pam_sss_gss.8*
+%_mandir/man8/sssd_krb5_localauth_plugin.8*
+%_mandir/??/man8/sssd_krb5_localauth_plugin.8*
+%_mandir/man8/sssd_krb5_locator_plugin.8*
+# cifs idmap plugin
+%dir %_sysconfdir/cifs-utils
+%cifs_idmap_plugin
+%dir %_libdir/cifs-utils
+%cifs_idmap_lib
+%ghost %_sysconfdir/alternatives/%cifs_idmap_name
+
+%files ad
+%dir %_libdir/%name/
+%_libdir/%name/libsss_ad.so
+%dir %_libexecdir/%name/
+%_libexecdir/%name/sssd_pac
+%_libexecdir/%name/gpo_child
+%dir %_datadir/%name/
+%dir %_datadir/%name/sssd.api.d/
+%_datadir/%name/sssd.api.d/sssd-ad.conf
+%_mandir/man5/sssd-ad.5*
+%dir %_mandir/??/
+%dir %_mandir/??/man5/
+
+%files dbus
+%dir %_libexecdir/sssd/
+%_libexecdir/sssd/sssd_ifp
+%dir %_libdir/sssd/
+%_mandir/man5/sssd-ifp.5*
+%dir %_mandir/??/
+%dir %_mandir/??/man5/
+%_mandir/??/man5/sssd-ifp.5*
+%_unitdir/sssd-ifp.service
+%_datadir/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf
+%_datadir/dbus-1/system-services/org.freedesktop.sssd.infopipe.service
+
+%files ipa
+%dir %_libdir/%name/
+%_libdir/%name/libsss_ipa*
+%dir %_datadir/%name/
+%dir %_datadir/%name/sssd.api.d
+%_datadir/%name/sssd.api.d/sssd-ipa.conf
+%_mandir/man5/sssd-ipa.5*
+%dir %_mandir/??/
+%dir %_mandir/??/man5/
+%_mandir/??/man5/sssd-ipa.5* + +%files kcm +%dir %_libexecdir/sssd/ +%_libexecdir/sssd/sssd_kcm +%dir %_libdir/sssd/ +%_mandir/man8/sssd-kcm.8* +%_mandir/??/man8/sssd-kcm.8* +%_datadir/sssd-kcm/ +%_unitdir/sssd-kcm.* + +%files krb5 +%dir %_libdir/%name/ +%_libdir/%name/libsss_krb5.so +%dir %_datadir/%name/ +%exclude %_datadir/%name/krb5-snippets/ +%dir %_datadir/%name/sssd.api.d/ +%_datadir/%name/sssd.api.d/sssd-krb5.conf +%dir %_mandir/??/ +%dir %_mandir/??/man5/ +%_mandir/man5/sssd-krb5.5* +%_mandir/??/man5/sssd-krb5.5* + +%files krb5-common +%dir %_libdir/%name/ +%_libdir/%name/libsss_krb5_common.so +%dir %_libexecdir/%name/ +%_libexecdir/%name/krb5_child +%_libexecdir/%name/ldap_child + +%files ldap +%dir %_libdir/%name/ +%_libdir/%name/libsss_ldap* +%dir %_datadir/%name/ +%dir %_datadir/%name/sssd.api.d/ +%_datadir/%name/sssd.api.d/sssd-ldap.conf +%_mandir/man5/sssd-ldap.5* +%dir %_mandir/??/ +%dir %_mandir/??/man5/ +%_mandir/??/man5/sssd-ldap.5* + +%files proxy +%dir %_libdir/%name/ +%_libdir/%name/libsss_proxy.so +%dir %_libexecdir/%name/ +%_libexecdir/%name/proxy_child +%dir %_datadir/%name/ +%dir %_datadir/%name/sssd.api.d/ +%_datadir/%name/sssd.api.d/sssd-proxy.conf + +%files tools +%_sbindir/sssctl +%_sbindir/sss_cache +%_sbindir/sss_debuglevel +%_sbindir/sss_seed +%_sbindir/sss_obfuscate +%_sbindir/sss_override +%_libexecdir/%name/sss_analyze +%dir %_mandir/??/man8/ +%_mandir/??/man8/sssctl.8* +%_mandir/??/man8/sss_*.8* +%_mandir/man8/sssctl.8* +%_mandir/man8/sss_*.8* +%python3_sitelib/sssd/ + +%files winbind-idmap +%dir %_libdir/samba/ +%_libdir/samba/idmap/ +%_mandir/man8/idmap_sss.8* + +%files -n libipa_hbac0 +%_libdir/libipa_hbac.so.0* + +%files -n libipa_hbac-devel +%_includedir/ipa_hbac.h +%_libdir/libipa_hbac.so +%_libdir/pkgconfig/ipa_hbac.pc + +%files -n libsss_certmap0 +%_libdir/libsss_certmap.so.0* + +%files -n libsss_certmap-devel +%_includedir/sss_certmap.h +%_libdir/libsss_certmap.so +%_libdir/pkgconfig/sss_certmap.pc + +%files -n 
libnfsidmap-sss +%_libdir/libnfsidmap/ +%_mandir/man5/sss_rpcidmapd.5* +%dir %_mandir/??/man5/ +%_mandir/??/man5/sss_rpcidmapd.5* + +%files -n libsss_idmap0 +%_libdir/libsss_idmap.so.0* + +%files -n libsss_idmap-devel +%_includedir/sss_idmap.h +%_libdir/libsss_idmap.so +%_libdir/pkgconfig/sss_idmap.pc + +%files -n libsss_nss_idmap0 +%_libdir/libsss_nss_idmap.so.0* + +%files -n libsss_nss_idmap-devel +%_includedir/sss_nss_idmap.h +%_libdir/libsss_nss_idmap.so +%_libdir/pkgconfig/sss_nss_idmap.pc + +%if 0%{?suse_version} < 1600 +%files -n libsss_simpleifp0 +%_libdir/libsss_simpleifp.so.0* + +%files -n libsss_simpleifp-devel +%_includedir/sss_sifp*.h +%_libdir/libsss_simpleifp.so +%_libdir/pkgconfig/sss_simpleifp.pc +%endif + +%files -n python3-ipa_hbac +%dir %python3_sitearch +%python3_sitearch/pyhbac.so + +%files -n python3-sss-murmur +%python3_sitearch/pysss_murmur.so + +%files -n python3-sss_nss_idmap +%dir %python3_sitearch +%python3_sitearch/pysss_nss_idmap.so + +%files -n python3-sssd-config +%python3_sitearch/pysss.so +%python3_sitelib/SSSDConfig* + +%changelog diff --git a/symvers.patch b/symvers.patch new file mode 100644 index 0000000..ab19be6 --- /dev/null +++ b/symvers.patch 
@@ -0,0 +1,181 @@ +From: Jan Engelhardt +Date: 2022-12-22 00:09:20.375896408 +0100 +References: https://bugzilla.suse.com/show_bug.cgi?id=1206592 + +The theory for this sssd crash is that during rpm upgrading it, +sssd-2.8.2 gets installed, %post runs to restart it, but oh no, +sssd-ldap-2.7.4 is still in the system. sssd_be(-2.8.2) then falls +over its feet when it loads 2.7.4 .so files. Addin symvers like below +should prevent this and pin the modules to another: sssd_be's attempt +to dlopen libsss_ldap.so(-2.7.4) will fail because +libsss_ldap.so(-2.7.4) cannot find a libsss_util.so(-2.7.4), since +the system only has libsss_util.so(-2.8.2) at this point. + +--- + Makefile.am | 47 ++++++++++++++++++++++++++++++++--------------- + 1 file changed, 32 insertions(+), 15 deletions(-) + +Index: sssd-2.9.2/Makefile.am +=================================================================== +--- sssd-2.9.2.orig/Makefile.am ++++ sssd-2.9.2/Makefile.am +@@ -955,7 +955,11 @@ libsss_debug_la_SOURCES = \ + libsss_debug_la_LIBADD = \ + $(SYSLOG_LIBS) + libsss_debug_la_LDFLAGS = \ +- -avoid-version ++ -avoid-version ${symv} ++EXTRA_libsss_debug_la_DEPENDENCIES = x.sym ++symv = -Wl,--version-script=${builddir}/x.sym ++x.sym: ${top_builddir}/config.status ++ echo "V_${PACKAGE_VERSION} { global: *; };" >$@ + + pkglib_LTLIBRARIES += libsss_child.la + libsss_child_la_SOURCES = src/util/child_common.c +@@ -965,7 +969,8 @@ libsss_child_la_LIBADD = \ + $(DHASH_LIBS) \ + libsss_debug.la \ + $(NULL) +-libsss_child_la_LDFLAGS = -avoid-version ++libsss_child_la_LDFLAGS = -avoid-version ${symv} ++EXTRA_libsss_child_la_DEPENDENCIES = x.sym + + pkglib_LTLIBRARIES += libsss_crypt.la + +@@ -1004,7 +1009,8 @@ libsss_crypt_la_LIBADD = \ + libsss_debug.la \ + $(NULL) + libsss_crypt_la_LDFLAGS = \ +- -avoid-version ++ -avoid-version ${symv} ++EXTRA_libsss_crypt_la_DEPENDENCIES = x.sym + + pkglib_LTLIBRARIES += libsss_cert.la + +@@ -1029,8 +1035,9 @@ libsss_cert_la_LIBADD = \ + libsss_debug.la \ + 
$(NULL) + libsss_cert_la_LDFLAGS = \ +- -avoid-version \ ++ -avoid-version ${symv} \ + $(NULL) ++EXTRA_libsss_cert_la_DEPENDENCIES = x.sym + + generate-sbus-code: + $(builddir)/sbus_generate.sh $(abs_srcdir) +@@ -1131,8 +1138,9 @@ libsss_sbus_la_CFLAGS = \ + $(DBUS_CFLAGS) \ + $(NULL) + libsss_sbus_la_LDFLAGS = \ +- -avoid-version \ ++ -avoid-version ${symv} \ + $(NULL) ++EXTRA_libsss_sbus_la_DEPENDENCIES = x.sym + + pkglib_LTLIBRARIES += libsss_sbus_sync.la + libsss_sbus_sync_la_SOURCES = \ +@@ -1167,8 +1175,9 @@ libsss_sbus_sync_la_CFLAGS = \ + $(UNICODE_LIBS) \ + $(NULL) + libsss_sbus_sync_la_LDFLAGS = \ +- -avoid-version \ ++ -avoid-version ${symv} \ + $(NULL) ++EXTRA_libsss_sbus_sync_la_DEPENDENCIES = x.sym + + pkglib_LTLIBRARIES += libsss_iface.la + libsss_iface_la_SOURCES = \ +@@ -1197,8 +1206,9 @@ libsss_iface_la_CFLAGS = \ + $(DBUS_CFLAGS) \ + $(NULL) + libsss_iface_la_LDFLAGS = \ +- -avoid-version \ ++ -avoid-version ${symv} \ + $(NULL) ++EXTRA_libsss_iface_la_DEPENDENCIES = x.sym + + pkglib_LTLIBRARIES += libsss_iface_sync.la + libsss_iface_sync_la_SOURCES = \ +@@ -1225,8 +1235,9 @@ libsss_iface_sync_la_CFLAGS = \ + $(DBUS_CFLAGS) \ + $(NULL) + libsss_iface_sync_la_LDFLAGS = \ +- -avoid-version \ ++ -avoid-version ${symv} \ + $(NULL) ++EXTRA_libsss_iface_sync_la_DEPENDENCIES = x.sym + + pkglib_LTLIBRARIES += libsss_util.la + libsss_util_la_SOURCES = \ +@@ -1322,7 +1333,8 @@ endif + if BUILD_PASSKEY + libsss_util_la_SOURCES += src/db/sysdb_passkey_user_verification.c + endif # BUILD_PASSKEY +-libsss_util_la_LDFLAGS = -avoid-version ++libsss_util_la_LDFLAGS = -avoid-version ${symv} ++EXTRA_libsss_util_la_DEPENDENCIES = x.sym + + pkglib_LTLIBRARIES += libsss_semanage.la + libsss_semanage_la_CFLAGS = \ +@@ -1341,7 +1353,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_ + endif + + libsss_semanage_la_LDFLAGS = \ +- -avoid-version ++ -avoid-version ${symv} ++EXTRA_libsss_semanage_la_DEPENDENCIES = x.sym + + SSSD_INTERNAL_LTLIBS = \ + libsss_util.la \ +@@ -1357,7 
+1370,7 @@ lib_LTLIBRARIES = libipa_hbac.la \ + $(NULL) + + pkgconfig_DATA += src/lib/ipa_hbac/ipa_hbac.pc +-libipa_hbac_la_DEPENDENCIES = src/lib/ipa_hbac/ipa_hbac.exports ++EXTRA_libipa_hbac_la_DEPENDENCIES = src/lib/ipa_hbac/ipa_hbac.exports + libipa_hbac_la_SOURCES = \ + src/lib/ipa_hbac/hbac_evaluator.c \ + src/util/sss_utf8.c +@@ -1688,8 +1701,9 @@ libifp_iface_la_CFLAGS = \ + $(DBUS_CFLAGS) \ + $(NULL) + libifp_iface_la_LDFLAGS = \ +- -avoid-version \ ++ -avoid-version ${symv} \ + $(NULL) ++EXTRA_libifp_iface_la_DEPENDENCIES = x.sym + + pkglib_LTLIBRARIES += libifp_iface_sync.la + libifp_iface_sync_la_SOURCES = \ +@@ -1714,8 +1728,9 @@ libifp_iface_sync_la_CFLAGS = \ + $(DBUS_CFLAGS) \ + $(NULL) + libifp_iface_sync_la_LDFLAGS = \ +- -avoid-version \ ++ -avoid-version ${symv} \ + $(NULL) ++EXTRA_libifp_iface_sync_la_DEPENDENCIES = x.sym + + sssd_ifp_SOURCES = \ + src/responder/ifp/ifpsrv.c \ +@@ -4314,8 +4329,9 @@ libsss_ldap_common_la_LIBADD = \ + $(SSSD_INTERNAL_LTLIBS) \ + $(NULL) + libsss_ldap_common_la_LDFLAGS = \ +- -avoid-version \ ++ -avoid-version ${symv} \ + $(NULL) ++EXTRA_libsss_ldap_common_la_DEPENDENCIES = x.sym + if BUILD_SYSTEMTAP + libsss_ldap_common_la_LIBADD += stap_generated_probes.lo + endif +@@ -4372,7 +4388,8 @@ libsss_krb5_common_la_LIBADD = \ + $(SSSD_INTERNAL_LTLIBS) \ + $(NULL) + libsss_krb5_common_la_LDFLAGS = \ +- -avoid-version ++ -avoid-version ${symv} ++EXTRA_libsss_krb5_common_la_DEPENDENCIES = x.sym + + libsss_ldap_la_SOURCES = \ + src/providers/ldap/ldap_init.c \ From bdd89bc6f386c8e3925d835c86e608874442e90ba5033ad797685df8154edcff Mon Sep 17 00:00:00 2001 
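Review bot: The new `x.sym` rule writes a generated file into `${builddir}` that nothing removes, so `make clean` leaves a stale version script behind; add `CLEANFILES += x.sym` next to the rule (or `CLEANFILES = x.sym` if Makefile.am has not defined the variable yet — that part is outside the hunk). The rule also deserves a comment, because the rationale in the patch header disappears once the patch is applied: `# Tag every internal library with the package version so a mixed-version install fails to dlopen instead of crashing`. Note that `global: *;` hides nothing; the only effect is the `V_$(PACKAGE_VERSION)` node name, which is what should produce the intended load failure described above.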
From: OBS User unknown Date: Wed, 16 Oct 2024 16:33:51 +0000 Subject: [PATCH 02/14] [info=d236d87ed89f720f7cdd75ceb8eee5ce72b6fa3d8878dd5e16de8962d581542b] OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=323 --- ...t-path-when-config-object-is-rejecte.patch | 88 ++++++++++++++ _scmsync.obsinfo | 4 +- build.specials.obscpio | 2 +- sssd.changes | 1 + sssd.spec | 115 +++++++++--------- 5 files changed, 149 insertions(+), 61 deletions(-) create mode 100644 0001-sssd-always-print-path-when-config-object-is-rejecte.patch diff --git a/0001-sssd-always-print-path-when-config-object-is-rejecte.patch b/0001-sssd-always-print-path-when-config-object-is-rejecte.patch new file mode 100644 index 0000000..5ea6697 --- /dev/null +++ b/0001-sssd-always-print-path-when-config-object-is-rejecte.patch 
@@ -0,0 +1,88 @@
+From 338638cd5f374e0699d7b7495a5fa8f25511fa55 Mon Sep 17 00:00:00 2001
+From: Jan Engelhardt
+Date: Wed, 16 Oct 2024 09:55:50 +0200
+Subject: [PATCH] sssd: always print path when config object is rejected
+References: https://github.com/SSSD/sssd/pull/7649
+
+Observed:
+
+```
+Oct 16 09:44:04 a4 sssd[28717]: [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
+Oct 16 09:44:04 a4 sssd[28717]: Can't read config: 'File ownership and permissions check failed'
+Oct 16 09:44:04 a4 sssd[28717]: Failed to read configuration: 'File ownership and permissions check failed'
+```
+
+Expected:
+
+_Well yes, but **which one**_!?
+---
+ src/monitor/monitor.c | 4 ++--
+ src/util/sss_ini.c | 14 ++++++++------
+ 2 files changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
+index e17b0e416..f67e4446f 100644
+--- a/src/monitor/monitor.c
++++ b/src/monitor/monitor.c
+@@ -1931,9 +1931,9 @@ int main(int argc, const char *argv[])
+ ret = confdb_read_ini(tmp_ctx, config_file, CONFDB_DEFAULT_CONFIG_DIR, false,
+ &config);
+ if (ret != EOK) {
+- ERROR("Can't read config: '%s'\n", sss_strerror(ret));
++ ERROR("Cannot read config %s: '%s'\n", config_file, sss_strerror(ret));
+ sss_log(SSS_LOG_ALERT,
+- "Failed to read configuration: '%s'", sss_strerror(ret));
++ "Failed to read configuration %s: '%s'", config_file, sss_strerror(ret));
+ ret = 3;
+ goto out;
+ }
+diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
+index 7f9824d88..2a611eb8c 100644
+--- a/src/util/sss_ini.c
++++ b/src/util/sss_ini.c
+@@ -888,7 +888,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
+ ret = sss_ini_open(self, config_file, "[sssd]\n");
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+- "The sss_ini_open failed %s: %d\n",
++ "sss_ini_open on %s failed: %d\n",
+ config_file,
+ ret);
+ return ERR_INI_OPEN_FAILED;
+@@ -898,26 +898,28 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
+ ret = 
sss_ini_access_check(self);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+- "Permission check on config file failed.\n");
++ "Permission check on config file %s failed: %d\n",
++ config_file, ret);
+ return ERR_INI_INVALID_PERMISSION;
+ }
+ } else {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+- "File %1$s does not exist.\n",
+- (config_file ? config_file : "NULL"));
++ "File %s does not exist.\n", config_file);
+ }
+
+ ret = sss_ini_parse(self);
+ if (ret != EOK) {
+ sss_ini_config_print_errors(self->error_list);
+- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration.\n");
++ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration file %s: %d\n",
++ config_file, ret);
+ return ERR_INI_PARSE_FAILED;
+ }
+
+ ret = sss_ini_add_snippets(self, config_dir);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+- "Error while reading configuration directory.\n");
++ "Error while reading configuration directory %s: %d\n",
++ config_dir, ret);
+ return ERR_INI_ADD_SNIPPETS_FAILED;
+ }
+
+--
+2.47.0
+
diff --git a/_scmsync.obsinfo b/_scmsync.obsinfo
index f012edb..bd5778a 100644
--- a/_scmsync.obsinfo
+++ b/_scmsync.obsinfo
@@ -1,4 +1,4 @@
-mtime: 1728999204
-commit: 03cfa0ca67c32d9aa59b740572efe4b06c350b3529fdc9dd7d46e7501d8cd398
+mtime: 1729091153
+commit: d236d87ed89f720f7cdd75ceb8eee5ce72b6fa3d8878dd5e16de8962d581542b
 url: https://src.opensuse.org/jengelh/sssd
 revision: master
diff --git a/build.specials.obscpio b/build.specials.obscpio
index 5e5e765..bd55e98 100644
--- a/build.specials.obscpio
+++ b/build.specials.obscpio
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:7109a449ccc8eb4902df46ec34f884b03ad903a916ee172b319361ee93e47ad7
+oid sha256:1da59a4ad285c59a1bec0b5e555055c02222acfff55369b16ea336a7bb124c5b
 size 256
diff --git a/sssd.changes b/sssd.changes
index 9e67996..97bef57 100644
--- a/sssd.changes
+++ b/sssd.changes
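Review bot: The `sss_ini.c` part of this patch removes the only NULL guard on `config_file` in `sss_ini_read_sssd_conf`: the deleted `(config_file ? config_file : "NULL")` indicates the path can be NULL on that branch, and the new `"File %s does not exist.\n", config_file` then hands a possibly NULL pointer to `%s`, which is undefined behaviour in C even though glibc happens to print `(null)`. Keep the guard, `"File %s does not exist.\n", config_file ? config_file : "NULL");`, and apply the same to the new `"Permission check on config file %s failed: %d\n"` argument if `config_file` can be NULL there as well. The pre-existing `sss_ini_open on %s failed` line has the same weakness but is not introduced by this change. `sss_ini_read_sssd_conf` starts and ends outside the hunk.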
@@ -15,6 +15,7 @@ Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt
 * The default value for ``ldap_id_use_start_tls`` changed from
 false to true for improved security.
 * https://github.com/SSSD/sssd/releases/tag/2.10.0
+- Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch
 -------------------------------------------------------------------
 Tue Oct 1 10:15:07 UTC 2024 - Jan Engelhardt
diff --git a/sssd.spec b/sssd.spec
index 158b0a0..867b56e 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -32,6 +32,7 @@ Patch1: krb-noversion.diff
 Patch2: harden_sssd-ifp.service.patch
 Patch3: harden_sssd-kcm.service.patch
 Patch4: symvers.patch
+Patch5: 0001-sssd-always-print-path-when-config-object-is-rejecte.patch
 BuildRequires: autoconf >= 2.59
 BuildRequires: automake
 BuildRequires: bind-utils
@@ -53,7 +54,10 @@ BuildRequires: nss_wrapper
 BuildRequires: openldap2-devel
 BuildRequires: pam-devel
 BuildRequires: pkg-config >= 0.21
+BuildRequires: python3-wheel
+BuildRequires: python3-setuptools
 BuildRequires: systemd-rpm-macros
+BuildRequires: sysuser-tools
 BuildRequires: uid_wrapper
 BuildRequires: pkgconfig(augeas) >= 1.0.0
 BuildRequires: pkgconfig(collection) >= 0.5.1
@@ -87,8 +91,6 @@ BuildRequires: pkgconfig(talloc)
 BuildRequires: pkgconfig(tdb) >= 1.1.3
 BuildRequires: pkgconfig(tevent)
 BuildRequires: pkgconfig(uuid)
-BuildRequires: python3-wheel
-BuildRequires: python3-setuptools
 %if 0%{?suse_version} && 0%{?suse_version} < 1600
 # samba-client-devel pulls samba-client-libs pulls libldap-2_4-2 wants libldap-data(-2.4);
 # this conflicts with
@@ -96,6 +98,7 @@ BuildRequires: python3-setuptools
 # Package contains just config files, not needed for build.
 #!BuildIgnore: libldap-data
 %endif
+%sysusers_requires
 %{?systemd_ordering}
 Requires: sssd-ldap = %version-%release
 Requires(postun): pam-config
@@ -125,11 +128,11 @@ Requires(post): update-alternatives
 Requires(postun): update-alternatives
 %description
-Provides a set of daemons to manage access to remote directories and
-authentication mechanisms. It provides an NSS and PAM interface toward
-the system and a pluggable backend system to connect to multiple different
-account sources. It is also the basis to provide client auditing and policy
-services for projects like FreeIPA.
+A set of daemons to manage access to remote directories and
+authentication mechanisms. sssd provides an NSS and PAM interfaces
+toward the system and a pluggable backend system to connect to
+multiple different account sources. It is also the basis to provide
+client auditing and policy services for projects like FreeIPA.
 %package ad
 Summary: The ActiveDirectory backend plugin for sssd
@@ -139,9 +142,8 @@ Requires: %name-krb5-common = %version-%release
 Requires: adcli
 %description ad
-Provides the Active Directory back end that the SSSD can utilize to
-fetch identity data from and authenticate against an Active Directory
-server.
+A back-end provider that the SSSD can utilize to fetch identity data
+from, and authenticate with, an Active Directory server.
 %package dbus
 Summary: The D-Bus responder of sssd
@@ -150,7 +152,7 @@ Group: System/Base
 Requires: %name = %version
 %description dbus
-Provides the D-Bus responder of sssd, called InfoPipe, which allows
+D-Bus responder of sssd, called InfoPipe, which allows
 information from sssd to be transmitted over the system bus.
 %package ipa
@@ -164,8 +166,8 @@ Obsoletes: %name-ipa-provider < %version-%release
 Provides: %name-ipa-provider = %version-%release
 %description ipa
-Provides the IPA back end that the SSSD can utilize to fetch identity
-data from and authenticate against an IPA server.
+A back-end provider that the SSSD can utilize to fetch identity data
+from, and authenticate with, an IPA server.
 %package kcm
 Summary: SSSD's Kerberos cache manager
@@ -184,8 +186,8 @@ Group: System/Daemons
 Requires: %name-krb5-common = %version-%release
 %description krb5
-Provides the Kerberos back end that the SSSD can utilize authenticate
-against a Kerberos server.
+A back-end provider that the SSSD can utilize to authenticate against
+a Kerberos server.
 %package krb5-common
 Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
@@ -204,8 +206,8 @@ Group: System/Daemons
 Requires: %name-krb5-common = %version-%release
 %description ldap
-Provides the LDAP back end that the SSSD can utilize to fetch
-identity data from and authenticate against an LDAP server.
+A back-end provider that the SSSD can utilize to fetch identity data
+from, and authenticate with, an LDAP server.
 %package proxy
 Summary: The proxy backend plugin for sssd
@@ -213,8 +215,8 @@ License: GPL-3.0-or-later
 Group: System/Daemons
 %description proxy
-Provides the proxy back end which can be used to wrap an existing NSS
-and/or PAM modules to leverage SSSD caching.
+A back-end provider which can be used to wrap existing NSS and/or PAM
+modules to leverage SSSD caching. (This can replace nscd.)
 %package tools
 Summary: Commandline tools for sssd
@@ -224,7 +226,7 @@ Requires: python3-sssd-config = %version-%release
 Requires: sssd = %version
 %description tools
-The packages contains commandline tools for managing users and groups using
+The packages contains command-line tools for managing users and groups using
 the "local" id provider of the System Security Services Daemon (sssd).
 %package winbind-idmap
@@ -241,7 +243,7 @@ License: LGPL-3.0-or-later
 Group: System/Libraries
 %description -n libsss_certmap0
-A utility library for FreeIPA to map certs.
+A utility library for FreeIPA to map certificates.
 %package -n libsss_certmap-devel
 Summary: Development files for the FreeIPA certmap library
@@ -250,7 +252,7 @@ Group: Development/Libraries/C and C++
 Requires: libsss_certmap0 = %version
 %description -n libsss_certmap-devel
-A utility library for FreeIPA to map certs.
+A utility library for FreeIPA to map certificates.
 %package -n libipa_hbac0
 Summary: FreeIPA HBAC Evaluator library
@@ -314,7 +316,6 @@ Requires: libsss_nss_idmap0 = %version
 %description -n libsss_nss_idmap-devel
 A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs.
-%if 0%{?suse_version} < 1600
 %package -n libsss_simpleifp0
 Summary: The SSSD D-Bus responder helper library
 License: GPL-3.0-or-later
@@ -337,7 +338,6 @@ Requires: libsss_simpleifp0 = %version
 %description -n libsss_simpleifp-devel
 This subpackage provides the development files for sssd's simpleifp,
 a library that simplifies the D-Bus API for the SSSD InfoPipe responder.
-%endif
 %package -n libsss_sudo
 Summary: A library to allow communication between sudo and SSSD
@@ -423,7 +423,7 @@ autoreconf -fiv
 %make_build all
 %install
-# sss_obfuscate is compatible with both python 2 and 3
+# sss_obfuscate is compatible with both Python 2 and 3
 perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate
 %make_install dbuspolicydir=%_datadir/dbus-1/system.d b="%buildroot"
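Review bot: Dropping the `%if 0%{?suse_version} < 1600` / `%endif` around `%package -n libsss_simpleifp0` and `libsss_simpleifp-devel` (hunks at 314 and 337) is only half the change: as far as this diff shows, the matching `%files -n libsss_simpleifp0` and `%files -n libsss_simpleifp-devel` sections keep their `< 1600` guard, so on newer releases the two packages are declared with no file list (which rpm silently skips) while the later `%ldconfig_scriptlets -n libsss_simpleifp0` becomes unconditional. Either lift the guard on both the declarations and the `%files` sections, or keep it on both so they cannot drift; if the library is intentionally absent on >= 1600, the guard belongs around the `%package` blocks as before.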
@@ -457,21 +457,26 @@ find "$b" -type f -name "*.la" -print -delete
 %find_lang %name --all-name
 # dummy target for cifs-idmap-plugin
-mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils
-ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin
+mkdir -pv "$b/%_sysconfdir/alternatives" "$b/%_sysconfdir/cifs-utils"
+ln -sfv "%_sysconfdir/alternatives/%cifs_idmap_name" "$b/%cifs_idmap_plugin"
 %python3_fix_shebang
 %if 0%{?suse_version} > 1600
 %python3_fix_shebang_path %buildroot/%_libexecdir/%name/
 %elif 0%{?suse_version} == 1600
 # python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204
-sed -i '1s@#!.*python.*@#!%{_bindir}/python3.11@' %{buildroot}/%{_libexecdir}/%{name}/sss_analyze
+sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analyze"
 %endif
+echo 'u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin' >system-user-sssd.conf
+mkdir -p "$b/%_sysusersdir"
+cp -a system-user-sssd.conf "$b/%_sysusersdir/"
+%sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf
+
 %check
 # sss_config-tests fails
 %make_build check || :
-%pre
+%pre -f random.pre
 %service_add_pre sssd.service
 %if "%{?_distconfdir}" != ""
 # Prepare for migration to /usr/etc; save any old .rpmsave
@@ -496,7 +501,7 @@ update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_li
 %postun
 /sbin/ldconfig
-if [ "$1" = "0" -a -x "%_sbindir/pam-config" ]; then
+if [ "$1" = "0" ] && [ -x "%_sbindir/pam-config" ]; then
 "%_sbindir/pam-config" -d --sss || :
 fi
 # del_postun includes a try-restart
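Review bot: The new sysusers entry `u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin` creates an account, but nothing in this commit hands anything to it: the state directories stay `%attr(700,root,root)` in `%files` and no configure option selecting the user is touched, so unless `--with-sssd-user=sssd` is already passed outside these hunks the daemon keeps running as root and the account is unused. If dropping privileges is the goal, the configure flag and the `%dbpath`/`%pipepath/private`/`keytabs` ownership need to change in the same commit; otherwise a comment above the `echo` stating why the user exists would save the next reader the search (note also that sysusers does not create the `/run/sssd` home it declares). Minor: `%sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf` with `%pre -f random.pre` names the scriptlet after the placeholder argument; `%sysusers_generate_pre system-user-sssd.conf sssd system-user-sssd.conf` and `%pre -f sssd.pre` read better.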
@@ -506,18 +511,11 @@ if [ ! -f "%cifs_idmap_lib" ]; then
 update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib
 fi
-%post -n libsss_certmap0 -p /sbin/ldconfig
-%postun -n libsss_certmap0 -p /sbin/ldconfig
-%post -n libipa_hbac0 -p /sbin/ldconfig
-%postun -n libipa_hbac0 -p /sbin/ldconfig
-%post -n libsss_idmap0 -p /sbin/ldconfig
-%postun -n libsss_idmap0 -p /sbin/ldconfig
-%post -n libsss_nss_idmap0 -p /sbin/ldconfig
-%postun -n libsss_nss_idmap0 -p /sbin/ldconfig
-%if 0%{?suse_version} < 1600
-%post -n libsss_simpleifp0 -p /sbin/ldconfig
-%postun -n libsss_simpleifp0 -p /sbin/ldconfig
-%endif
+%ldconfig_scriptlets -n libsss_certmap0
+%ldconfig_scriptlets -n libipa_hbac0
+%ldconfig_scriptlets -n libsss_idmap0
+%ldconfig_scriptlets -n libsss_nss_idmap0
+%ldconfig_scriptlets -n libsss_simpleifp0
 %triggerun -- %name < %version-%release
 # sssd takes care of upgrading the database but it doesn't handle downgrades.
@@ -556,13 +554,13 @@ fi
 # Migrate sssd.service from sssd-common to sssd
 systemctl is-enabled sssd.service > /dev/null
 if [ $? -eq 0 ]; then
-mkdir -p /run/systemd/rpm/
-touch /run/systemd/rpm/sssd-was-enabled
+ mkdir -p /run/systemd/rpm/
+ touch /run/systemd/rpm/sssd-was-enabled
 fi
 systemctl is-active sssd.service > /dev/null
 if [ $? -eq 0 ]; then
-mkdir -p /run/systemd/rpm/
-touch /run/systemd/rpm/sssd-was-active
+ mkdir -p /run/systemd/rpm/
+ touch /run/systemd/rpm/sssd-was-active
 fi
 %posttrans
@@ -574,20 +572,20 @@ done
 %endif
 # Migrate sssd.service from sssd-common to sssd
 if [ -e /run/systemd/rpm/sssd-was-enabled ]; then
-systemctl is-enabled sssd.service > /dev/null
-if [ $? -ne 0 ]; then
- echo "Migrating sssd.service, was enabled"
- systemctl enable sssd.service
-fi
-rm /run/systemd/rpm/sssd-was-enabled
+ systemctl is-enabled sssd.service >/dev/null
+ if [ $? -ne 0 ]; then
+ echo "Migrating sssd.service, was enabled"
+ systemctl enable sssd.service
+ fi
+ rm /run/systemd/rpm/sssd-was-enabled
 fi
 if [ -e /run/systemd/rpm/sssd-was-active ]; then
-systemctl is-active sssd.service > /dev/null
-if [ $? -ne 0 ]; then
- echo "Migrating sssd.service, was active"
- systemctl start sssd.service
-fi
-rm /run/systemd/rpm/sssd-was-active
+ systemctl is-active sssd.service >/dev/null
+ if [ $? -ne 0 ]; then
+ echo "Migrating sssd.service, was active"
+ systemctl start sssd.service
+ fi
+ rm /run/systemd/rpm/sssd-was-active
 fi
 %files -f sssd.lang
@@ -605,6 +603,7 @@ fi
 %_unitdir/sssd-ssh.service
 %_unitdir/sssd-sudo.socket
 %_unitdir/sssd-sudo.service
+%_sysusersdir/*sssd*
 %_bindir/sss_ssh_*
 %_sbindir/sssd
 %if 0%{?suse_version} < 1600
From f86392c7a52cf82badddc79f6c041f14be1effe939e2fddc3f1c088a6630407d Mon Sep 17 00:00:00 2001
From: OBS User unknown
Date: Tue, 5 Nov 2024 18:00:20 +0000
Subject: [PATCH 03/14] [info=4c1a7e3419ae2a9fd5571c543bf337898b158276112c19e299f4f385b5bedaf8]
OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=324
---
 ...t-path-when-config-object-is-rejecte.patch | 29 +++++--------
 _scmsync.obsinfo | 4 +-
 build.specials.obscpio | 2 +-
 sssd.changes | 1 +
 sssd.spec | 8 ++---
 5 files changed, 16 insertions(+), 28 deletions(-)
diff --git a/0001-sssd-always-print-path-when-config-object-is-rejecte.patch b/0001-sssd-always-print-path-when-config-object-is-rejecte.patch
index 5ea6697..d24c30a 100644
--- a/0001-sssd-always-print-path-when-config-object-is-rejecte.patch
+++ b/0001-sssd-always-print-path-when-config-object-is-rejecte.patch @@ -1,4 +1,4 @@ -From 338638cd5f374e0699d7b7495a5fa8f25511fa55 Mon Sep 17 00:00:00 2001 +From 1a743a4123c104a10c694f7ee9d2f0a1e7182513 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Wed, 16 Oct 2024 09:55:50 +0200 Subject: [PATCH] sssd: always print path when config object is rejected @@ -15,27 +15,14 @@ Oct 16 09:44:04 a4 sssd[28717]: Failed to read configuration: 'File ownership an Expected: _Well yes, but **which one**_!? ---- - src/monitor/monitor.c | 4 ++-- - src/util/sss_ini.c | 14 ++++++++------ - 2 files changed, 10 insertions(+), 8 deletions(-) -diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c -index e17b0e416..f67e4446f 100644 ---- a/src/monitor/monitor.c -+++ b/src/monitor/monitor.c -@@ -1931,9 +1931,9 @@ int main(int argc, const char *argv[]) - ret = confdb_read_ini(tmp_ctx, config_file, CONFDB_DEFAULT_CONFIG_DIR, false, - &config); - if (ret != EOK) { -- ERROR("Can't read config: '%s'\n", sss_strerror(ret)); -+ ERROR("Cannot read config %s: '%s'\n", config_file, sss_strerror(ret)); - sss_log(SSS_LOG_ALERT, -- "Failed to read configuration: '%s'", sss_strerror(ret)); -+ "Failed to read configuration %s: '%s'", config_file, sss_strerror(ret)); - ret = 3; - goto out; - } +Reviewed-by: Alexey Tikhonov +Reviewed-by: Justin Stephenson +(cherry picked from commit 2b7915dd84a6b8c3ee26e45357283677fe22f2cb) +--- + src/util/sss_ini.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c index 7f9824d88..2a611eb8c 100644 --- a/src/util/sss_ini.c diff --git a/_scmsync.obsinfo b/_scmsync.obsinfo index bd5778a..478eb9d 100644 --- a/_scmsync.obsinfo +++ b/_scmsync.obsinfo 
@@ -1,4 +1,4 @@
-mtime: 1729091153
-commit: d236d87ed89f720f7cdd75ceb8eee5ce72b6fa3d8878dd5e16de8962d581542b
+mtime: 1730829368
+commit: 4c1a7e3419ae2a9fd5571c543bf337898b158276112c19e299f4f385b5bedaf8
 url: https://src.opensuse.org/jengelh/sssd
 revision: master
diff --git a/build.specials.obscpio b/build.specials.obscpio
index bd55e98..0f4b81f 100644
--- a/build.specials.obscpio
+++ b/build.specials.obscpio
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:1da59a4ad285c59a1bec0b5e555055c02222acfff55369b16ea336a7bb124c5b
+oid sha256:333d08feac544fd46469e53065561e077c018a618968d77cc7db859aa36fe6f9
 size 256
diff --git a/sssd.changes b/sssd.changes
index 97bef57..5cf3900 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -16,6 +16,7 @@ Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt
 false to true for improved security.
 * https://github.com/SSSD/sssd/releases/tag/2.10.0
 - Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch
+- Fix socket activation of responders
 -------------------------------------------------------------------
 Tue Oct 1 10:15:07 UTC 2024 - Jan Engelhardt
diff --git a/sssd.spec b/sssd.spec
index 867b56e..8319ec9 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -477,7 +477,7 @@ cp -a system-user-sssd.conf "$b/%_sysusersdir/"
 %make_build check || :
 %pre -f random.pre
-%service_add_pre sssd.service
+%service_add_pre sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
 %if "%{?_distconfdir}" != ""
 # Prepare for migration to /usr/etc; save any old .rpmsave
 for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do
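Review bot: The unit list now passed to `%service_add_pre` (and to `%service_add_post`/`%service_del_preun`/`%service_del_postun` in the following hunks) includes `sssd-pac.service` and `sssd-pac.socket`, yet the PAC responder binary `%_libexecdir/%name/sssd_pac` is packaged in `sssd-ad` while both units ship in the main package; if the unit's `ExecStart` points at that binary, a preset that enables the socket on a host without `sssd-ad` will activate a service that cannot start. Either move the pac units into `%files ad` with their own `%service_*` scriptlets in that subpackage, or leave `sssd-pac.*` out of the main package's list. Style: the same thirteen-unit string is repeated four times and will drift; define it once, `%global sssd_units sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket`, and call `%service_add_pre %sssd_units`.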
@@ -491,13 +491,13 @@ done if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then /bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' "%_sysconfdir/sssd/sssd.conf" fi -%service_add_post sssd.service +%service_add_post sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket # install SSSD cifs-idmap plugin as an alternative update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority %preun -%service_del_preun sssd.service +%service_del_preun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket %postun /sbin/ldconfig @@ -505,7 +505,7 @@ if [ "$1" = "0" ] && [ -x "%_sbindir/pam-config" ]; then "%_sbindir/pam-config" -d --sss || : fi # del_postun includes a try-restart -%service_del_postun sssd.service +%service_del_postun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket if [ ! -f "%cifs_idmap_lib" ]; then update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib From 0f06ed9ea8d48812e52ebfd59c52117ddb8e57573d86d89a18747194db0ac2df Mon Sep 17 00:00:00 2001 
From: OBS User unknown Date: Tue, 5 Nov 2024 18:20:03 +0000 Subject: [PATCH 04/14] [info=64fc4926abddde94cb6c33f85efec71de27adfb4c0ffab87972e4dc00bfef5d1] OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=325 --- ...on-make-sure-etc-sssd-and-everything.patch | 76 +++++++++++++++++++ _scmsync.obsinfo | 4 +- build.specials.obscpio | 2 +- harden_sssd-kcm.service.patch | 4 +- sssd.changes | 3 +- sssd.spec | 9 ++- 6 files changed, 88 insertions(+), 10 deletions(-) create mode 100644 0001-Configuration-make-sure-etc-sssd-and-everything.patch diff --git a/0001-Configuration-make-sure-etc-sssd-and-everything.patch b/0001-Configuration-make-sure-etc-sssd-and-everything.patch new file mode 100644 index 0000000..8cf0fe0 --- /dev/null +++ b/0001-Configuration-make-sure-etc-sssd-and-everything.patch 
@@ -0,0 +1,76 @@ +From 8db2df4fcbd09badafbc207bd4150b5f1cc2d5fb Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Thu, 24 Oct 2024 15:34:26 +0200 +Subject: [PATCH] Configuration: make sure /etc/sssd and everything +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +beneath is owned by 'sssd' group and readable by group. + +This should allow for reasonable rw-r----- root:sssd + +At some points those chown/chmod can be removed. + +Reviewed-by: Justin Stephenson +Reviewed-by: Pavel Březina +Reviewed-by: Sumit Bose +(cherry picked from commit 518db322fdd5a4de41813fbe5bc35fc20392ce67) +--- + contrib/sssd.spec.in | 4 ++-- + src/sysv/systemd/sssd-kcm.service.in | 5 ++--- + src/sysv/systemd/sssd.service.in | 6 ++---- + 3 files changed, 6 insertions(+), 9 deletions(-) + +diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in +index 4fbacb959..83de563f3 100644 +--- a/contrib/sssd.spec.in ++++ b/contrib/sssd.spec.in +@@ -1136,9 +1136,9 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d /run/sssd -s /sbin/nologi + %__rm -f %{mcpath}/group + %__rm -f %{mcpath}/initgroups + %__rm -f %{mcpath}/sid ++%__chown -f -R root:%{sssd_user} %{_sysconfdir}/sssd || true ++%__chmod -f -R g+r %{_sysconfdir}/sssd || true + %__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true +-%__chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true +-%__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true + %__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true + %__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true + %__chown -f %{sssd_user}:%{sssd_user} %{gpocachepath}/* || true +diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in +index 0c839ec5c..ba9e27cd9 100644 +--- a/src/sysv/systemd/sssd-kcm.service.in ++++ b/src/sysv/systemd/sssd-kcm.service.in +@@ -9,9 +9,8 @@ Also=sssd-kcm.socket + + [Service] + Environment=DEBUG_LOGGER=--logger=files 
+-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@ +-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf +-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d ++ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@ ++ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@ + ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb" + ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log + ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER} +diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in +index 37e0a63f8..a6f79ff8a 100644 +--- a/src/sysv/systemd/sssd.service.in ++++ b/src/sysv/systemd/sssd.service.in +@@ -10,10 +10,8 @@ StartLimitBurst=5 + [Service] + Environment=DEBUG_LOGGER=--logger=files + EnvironmentFile=-@environment_file@ +-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@ +-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf +-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d +-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/pki ++ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@ ++ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@ + ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @dbpath@/*.ldb" + ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @gpocachepath@/*" + ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/*.log" +-- +2.47.0 + diff --git a/_scmsync.obsinfo b/_scmsync.obsinfo index 478eb9d..6e48e23 100644 --- a/_scmsync.obsinfo +++ b/_scmsync.obsinfo @@ -1,4 +1,4 @@ -mtime: 1730829368 -commit: 4c1a7e3419ae2a9fd5571c543bf337898b158276112c19e299f4f385b5bedaf8 +mtime: 1730830158 +commit: 64fc4926abddde94cb6c33f85efec71de27adfb4c0ffab87972e4dc00bfef5d1 url: https://src.opensuse.org/jengelh/sssd revision: master 
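Review bot: `ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@` in the new sssd-kcm.service.in and sssd.service.in lines grants the group only the read bit on directories, not the search bit, so a subdirectory an administrator created with mode 700 (for example under conf.d) ends up 740 and the sssd user still cannot open the files inside it. `ExecStartPre=+-/bin/chmod -f -R g+rX @sssdconfdir@` adds x only to directories (and to files that are already executable), which matches the `rw-r----- root:sssd` layout the patch description aims at. The contrib/sssd.spec.in hunk in the same patch carries the identical `%__chmod -f -R g+r` line and should change with it. Since this is a cherry-pick, the correction belongs upstream rather than as a local divergence in the packaged copy.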
diff --git a/build.specials.obscpio b/build.specials.obscpio index 0f4b81f..ee7318c 100644 --- a/build.specials.obscpio +++ b/build.specials.obscpio @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:333d08feac544fd46469e53065561e077c018a618968d77cc7db859aa36fe6f9 +oid sha256:6d021fd2910f1ec57d2b07d070a1e9e786898601585504335bdf7252676b006c size 256 diff --git a/harden_sssd-kcm.service.patch b/harden_sssd-kcm.service.patch index 6526831..5ff85b4 100644 --- a/harden_sssd-kcm.service.patch +++ b/harden_sssd-kcm.service.patch @@ -24,5 +24,5 @@ Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in +RestrictRealtime=true +# end of automatic additions Environment=DEBUG_LOGGER=--logger=files - ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@ - ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf + ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@ + ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@ diff --git a/sssd.changes b/sssd.changes index 5cf3900..a5b1f81 100644 --- a/sssd.changes +++ b/sssd.changes @@ -15,7 +15,8 @@ Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt * The default value for ``ldap_id_use_start_tls`` changed from false to true for improved security. * https://github.com/SSSD/sssd/releases/tag/2.10.0 -- Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch +- Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch, + 0001-Configuration-make-sure-etc-sssd-and-everything.patch - Fix socket activation of responders ------------------------------------------------------------------- diff --git a/sssd.spec b/sssd.spec index 8319ec9..3ff1f09 100644 --- a/sssd.spec +++ b/sssd.spec 
@@ -28,11 +28,12 @@ Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%v Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc Source3: baselibs.conf Source5: %name.keyring -Patch1: krb-noversion.diff -Patch2: harden_sssd-ifp.service.patch -Patch3: harden_sssd-kcm.service.patch -Patch4: symvers.patch Patch5: 0001-sssd-always-print-path-when-config-object-is-rejecte.patch +Patch6: 0001-Configuration-make-sure-etc-sssd-and-everything.patch +Patch11: krb-noversion.diff +Patch12: harden_sssd-ifp.service.patch +Patch13: harden_sssd-kcm.service.patch +Patch14: symvers.patch BuildRequires: autoconf >= 2.59 BuildRequires: automake BuildRequires: bind-utils From 3709f0e766605e5a9fb31bd03ea518eb0d7e965118f107930eccbafabfa0b914 Mon Sep 17 00:00:00 2001 From: OBS User unknown Date: Tue, 5 Nov 2024 19:42:35 +0000 Subject: [PATCH 05/14] [info=066c89155b2a5ef4e5f760515c1e3c2b976cc40e9d509583f3f58f219f61cbb9] OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=326 --- 0001-INI-relax-config-files-checks.patch | 135 +++++++++++++ ...using-libini_config-for-access-check.patch | 182 ++++++++++++++++++ _scmsync.obsinfo | 4 +- build.specials.obscpio | 2 +- sssd.changes | 2 + sssd.spec | 4 +- 6 files changed, 325 insertions(+), 4 deletions(-) create mode 100644 0001-INI-relax-config-files-checks.patch create mode 100644 0001-INI-stop-using-libini_config-for-access-check.patch diff --git a/0001-INI-relax-config-files-checks.patch b/0001-INI-relax-config-files-checks.patch new file mode 100644 index 0000000..69ac630 --- /dev/null +++ b/0001-INI-relax-config-files-checks.patch 
@@ -0,0 +1,135 @@ +From 340671f16abb9c26ae97b11c4e2845337e67973e Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Wed, 23 Oct 2024 20:59:32 +0200 +Subject: [PATCH] INI: relax config files checks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Only make sure: + - user is root or sssd + - group is root or sssd + - other can't access it + +Don't make any assumptions wrt user/group read/write-ability. + +Reviewed-by: Justin Stephenson +Reviewed-by: Pavel Březina +Reviewed-by: Sumit Bose +(cherry picked from commit 8472777ec472607ea450ddb4c4666017bd0de704) +--- + src/man/sssd.conf.5.xml | 5 ++- + src/util/sss_ini.c | 68 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 70 insertions(+), 3 deletions(-) + +diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml +index a074cc674..bf10acb2a 100644 +--- a/src/man/sssd.conf.5.xml ++++ b/src/man/sssd.conf.5.xml +@@ -57,9 +57,8 @@ + readable, and writeable only by 'root'. + + +- sssd.conf must be a regular file that is owned, +- readable, and writeable by the same user as configured to run SSSD +- service. ++ sssd.conf must be a regular file that is ++ accessible only by the user used to run SSSD service or root. 
+ + + +diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c +index e989d8caf..74cf61e0e 100644 +--- a/src/util/sss_ini.c ++++ b/src/util/sss_ini.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + #include + + #include "config.h" +@@ -781,6 +782,71 @@ int sss_ini_open(struct sss_ini *self, + return ret; + } + ++static int access_check_file(const char *filename) ++{ ++ int ret; ++ struct stat st; ++ uid_t uid; ++ gid_t gid; ++ ++ sss_sssd_user_uid_and_gid(&uid, &gid); ++ ++ ret = stat(filename, &st); ++ if (ret != 0) { ++ ret = errno; ++ DEBUG(SSSDBG_CRIT_FAILURE, "stat(%s) failed: %s\n", ++ filename, strerror(ret)); ++ return EINVAL; ++ } ++ ++ if ((st.st_uid != 0) && (st.st_uid != uid)) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected user owner of '%s': %"SPRIuid"\n", ++ filename, st.st_uid); ++ return ERR_INI_INVALID_PERMISSION; ++ } ++ ++ if ((st.st_gid != 0) && (st.st_gid != gid)) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected group owner of '%s': %"SPRIgid"\n", ++ filename, st.st_gid); ++ return ERR_INI_INVALID_PERMISSION; ++ } ++ ++ if ((st.st_mode & (S_IROTH|S_IWOTH|S_IXOTH)) != 0) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected access to '%s' by other users\n", ++ filename); ++ return ERR_INI_INVALID_PERMISSION; ++ } ++ ++ return EOK; ++} ++ ++static int access_check_ini(struct sss_ini *self) ++{ ++ int ret; ++ const char *path; ++ uint32_t i; ++ const char **snippet; ++ struct ref_array *used_snippets; ++ ++ if (self->main_config_exists) { ++ path = ini_config_get_filename(self->file); ++ ret = access_check_file(path); ++ if (ret != EOK) { ++ return ret; ++ } ++ } ++ ++ used_snippets = sss_ini_get_ra_success_list(self); ++ for (i = 0; (snippet = ref_array_get(used_snippets, i, NULL)) != NULL; ++i) { ++ ret = access_check_file(*snippet); ++ if (ret != EOK) { ++ return ret; ++ } ++ } ++ ++ return EOK; ++} ++ + int sss_ini_read_sssd_conf(struct sss_ini *self, + const char *config_file, + const char *config_dir) +@@ -833,5 +899,7 @@ int 
sss_ini_read_sssd_conf(struct sss_ini *self, + return ERR_INI_EMPTY_CONFIG; + } + ++ ret = access_check_ini(self); ++ + return ret; + } +-- +2.47.0 + diff --git a/0001-INI-stop-using-libini_config-for-access-check.patch b/0001-INI-stop-using-libini_config-for-access-check.patch new file mode 100644 index 0000000..abe0cb0 --- /dev/null +++ b/0001-INI-stop-using-libini_config-for-access-check.patch 
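Review bot: access_check_file() in the sss_ini.c hunk never verifies that the path is a regular file, although the man page text changed in the same patch still promises that `sssd.conf must be a regular file`; ownership and mode bits are checked on whatever stat() resolves to, so as far as this function is concerned a directory or FIFO with the right owner passes. Add after the stat() call: `if (!S_ISREG(st.st_mode)) { DEBUG(SSSDBG_CRIT_FAILURE, "'%s' is not a regular file\n", filename); return ERR_INI_INVALID_PERMISSION; }`. The check also stat()s by path after libini_config has already opened and parsed the file, so the mode inspected can differ from the one that was read; if the library exposes the descriptor, fstat() on it would close that window, otherwise it is tolerable given that the configuration directory is meant to be root-owned and not writable by others. A failed stat() returns EINVAL while every other rejection returns ERR_INI_INVALID_PERMISSION, and sss_ini_read_sssd_conf() passes the value through unchanged (`ret = access_check_ini(self); return ret;`), so the two cases surface differently to the caller.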
@@ -0,0 +1,182 @@ +From 1d19b8ad9415e0a12ed3aaf039d4d0956ef4dbad Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Wed, 23 Oct 2024 19:53:09 +0200 +Subject: [PATCH] INI: stop using 'libini_config' for access check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Justin Stephenson +Reviewed-by: Pavel Březina +Reviewed-by: Sumit Bose +--- + src/util/sss_ini.c | 100 +---------------------------------------------------- + src/util/sss_ini.h | 12 ------ + 2 files changed, 3 insertions(+), 109 deletions(-) + +Index: sssd-2.10.0/src/util/sss_ini.c +=================================================================== +--- sssd-2.10.0.orig/src/util/sss_ini.c ++++ sssd-2.10.0/src/util/sss_ini.c +@@ -147,81 +147,6 @@ static int sss_ini_config_file_from_mem( + &self->file); + } + +-/* Check configuration file permissions */ +- +-static bool is_running_sssd(void) +-{ +- static char exe[1024]; +- int ret; +- const char *s = NULL; +- +- ret = readlink("/proc/self/exe", exe, sizeof(exe) - 1); +- if ((ret > 0) && (ret < 1024)) { +- exe[ret] = 0; +- s = strstr(exe, debug_prg_name); +- if ((s != NULL) && (strlen(s) == strlen(debug_prg_name))) { +- return true; +- } +- } +- +- return false; +-} +- +-static int sss_ini_access_check(struct sss_ini *self) +-{ +- int ret; +- uint32_t flags = INI_ACCESS_CHECK_MODE; +- +- if (!self->main_config_exists) { +- return EOK; +- } +- +- if (is_running_sssd()) { +- flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID; +- } +- +- ret = ini_config_access_check(self->file, +- flags, +- geteuid(), +- getegid(), +- S_IRUSR, /* r**------ */ +- ALLPERMS & ~(S_IWUSR|S_IXUSR)); +- +- return ret; +-} +- +- +- +-/* Get cstat */ +- +-int sss_ini_get_stat(struct sss_ini *self) +-{ +- self->cstat = ini_config_get_stat(self->file); +- +- if (!self->cstat) return EIO; +- +- return EOK; +-} +- +- +- +-/* Get mtime */ +- +-int sss_ini_get_mtime(struct sss_ini *self, +- size_t timestr_len, +- char 
*timestr) +-{ +- return snprintf(timestr, timestr_len, "%llu", +- (long long unsigned)self->cstat->st_mtime); +-} +- +-/* Get file_exists */ +- +-bool sss_ini_exists(struct sss_ini *self) +-{ +- return self->main_config_exists; +-} +- + /* Print ini_config errors */ + + static void sss_ini_config_print_errors(char **error_list) +@@ -289,7 +214,6 @@ static int sss_ini_add_snippets(struct s + uint32_t i = 0; + char *msg = NULL; + struct ini_cfgobj *modified_sssd_config = NULL; +- struct access_check snip_check; + + if (self == NULL || self->sssd_config == NULL || config_dir == NULL) { + return EINVAL; +@@ -297,21 +221,11 @@ static int sss_ini_add_snippets(struct s + + sss_ini_free_ra_messages(self); + +- snip_check.flags = INI_ACCESS_CHECK_MODE; +- +- if (is_running_sssd()) { +- snip_check.flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID; +- } +- snip_check.uid = geteuid(); +- snip_check.gid = getegid(); +- snip_check.mode = S_IRUSR; /* r**------ */ +- snip_check.mask = ALLPERMS & ~(S_IWUSR | S_IXUSR); +- + ret = ini_config_augment(self->sssd_config, + config_dir, + patterns, + sections, +- &snip_check, ++ NULL, + INI_STOP_ON_ANY, + INI_MV1S_OVERWRITE, + INI_PARSE_NOWRAP, +@@ -894,15 +808,7 @@ int sss_ini_read_sssd_conf(struct sss_in + return ERR_INI_OPEN_FAILED; + } + +- if (sss_ini_exists(self)) { +- ret = sss_ini_access_check(self); +- if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Permission check on config file %s failed: %d\n", +- config_file, ret); +- return ERR_INI_INVALID_PERMISSION; +- } +- } else { ++ if (!self->main_config_exists) { + DEBUG(SSSDBG_CONF_SETTINGS, + "File %s does not exist.\n", config_file); + } +@@ -923,7 +829,7 @@ int sss_ini_read_sssd_conf(struct sss_in + return ERR_INI_ADD_SNIPPETS_FAILED; + } + +- if (!sss_ini_exists(self) && ++ if ((!self->main_config_exists) && + (ref_array_len(sss_ini_get_ra_success_list(self)) == 0)) { + return ERR_INI_EMPTY_CONFIG; + } +Index: sssd-2.10.0/src/util/sss_ini.h 
+=================================================================== +--- sssd-2.10.0.orig/src/util/sss_ini.h ++++ sssd-2.10.0/src/util/sss_ini.h +@@ -81,18 +81,6 @@ int sss_ini_open(struct sss_ini *self, + const char *fallback_cfg); + + /** +- * @brief Check whether sss_ini_open() reported that ini file is +- * not present +- * +- * @param[in] self pointer to sss_ini structure +- * +- * @return +- * - true we are using ini file +- * - false file was not found +- */ +-bool sss_ini_exists(struct sss_ini *self); +- +-/** + * @brief get Cstat structure of the ini file + */ + int sss_ini_get_stat(struct sss_ini *self); diff --git a/_scmsync.obsinfo b/_scmsync.obsinfo index 6e48e23..e973148 100644 --- a/_scmsync.obsinfo +++ b/_scmsync.obsinfo @@ -1,4 +1,4 @@ -mtime: 1730830158 -commit: 64fc4926abddde94cb6c33f85efec71de27adfb4c0ffab87972e4dc00bfef5d1 +mtime: 1730835719 +commit: 066c89155b2a5ef4e5f760515c1e3c2b976cc40e9d509583f3f58f219f61cbb9 url: https://src.opensuse.org/jengelh/sssd revision: master diff --git a/build.specials.obscpio b/build.specials.obscpio index ee7318c..9b40a25 100644 --- a/build.specials.obscpio +++ b/build.specials.obscpio @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:6d021fd2910f1ec57d2b07d070a1e9e786898601585504335bdf7252676b006c +oid sha256:d4abd01cdc9015f4004bdae30fd260d31cf7d59740bc9cca417bf93c5edaeabb size 256 diff --git a/sssd.changes b/sssd.changes index a5b1f81..f1b1dc8 100644 --- a/sssd.changes +++ b/sssd.changes @@ -16,6 +16,8 @@ Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt false to true for improved security. * https://github.com/SSSD/sssd/releases/tag/2.10.0 - Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch, + 0001-INI-stop-using-libini_config-for-access-check.patch, + 0001-INI-relax-config-files-checks.patch, 0001-Configuration-make-sure-etc-sssd-and-everything.patch - Fix socket activation of responders diff --git a/sssd.spec b/sssd.spec index 3ff1f09..356aa33 100644 --- a/sssd.spec 
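Review bot: The sss_ini.c hunk removes the definitions of sss_ini_get_stat() and sss_ini_get_mtime(), but the sss_ini.h hunk only drops sss_ini_exists() and keeps `int sss_ini_get_stat(struct sss_ini *self);` (visible as trailing context), so the header now declares a function that no longer exists; that prototype with its doc comment, and presumably the sss_ini_get_mtime() one that follows it, should be removed as well. With this patch applied alone no permission check is performed on sssd.conf or its snippets at all — the `&snip_check` argument to ini_config_augment() becomes `NULL` and the sss_ini_access_check() call is gone — so it must always be applied together with, and before, 0001-INI-relax-config-files-checks.patch, as the Patch4/Patch5 ordering in sssd.spec does. A one-line remark to that effect in the patch header would keep a future rebase from dropping one without the other.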
+++ b/sssd.spec @@ -28,7 +28,9 @@ Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%v Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc Source3: baselibs.conf Source5: %name.keyring -Patch5: 0001-sssd-always-print-path-when-config-object-is-rejecte.patch +Patch3: 0001-sssd-always-print-path-when-config-object-is-rejecte.patch +Patch4: 0001-INI-stop-using-libini_config-for-access-check.patch +Patch5: 0001-INI-relax-config-files-checks.patch Patch6: 0001-Configuration-make-sure-etc-sssd-and-everything.patch Patch11: krb-noversion.diff Patch12: harden_sssd-ifp.service.patch From 55c982ab5730f42466707b266f63b5f98cdaf27d3fbcda9cef9fdd91d9040fe8 Mon Sep 17 00:00:00 2001 From: OBS User unknown Date: Tue, 5 Nov 2024 21:03:40 +0000 Subject: [PATCH 06/14] [info=0823836080bc76a2066070591bd0d13645c7446aa3ca664b9eb5b179699ab1b2] OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=327 --- _scmsync.obsinfo | 4 ++-- build.specials.obscpio | 2 +- sssd.spec | 3 +-- 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/_scmsync.obsinfo b/_scmsync.obsinfo index e973148..1e67192 100644 --- a/_scmsync.obsinfo +++ b/_scmsync.obsinfo @@ -1,4 +1,4 @@ -mtime: 1730835719 -commit: 066c89155b2a5ef4e5f760515c1e3c2b976cc40e9d509583f3f58f219f61cbb9 +mtime: 1730838890 +commit: 0823836080bc76a2066070591bd0d13645c7446aa3ca664b9eb5b179699ab1b2 url: https://src.opensuse.org/jengelh/sssd revision: master diff --git a/build.specials.obscpio b/build.specials.obscpio index 9b40a25..64bc85d 100644 --- a/build.specials.obscpio +++ b/build.specials.obscpio @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:d4abd01cdc9015f4004bdae30fd260d31cf7d59740bc9cca417bf93c5edaeabb +oid sha256:9774109f37a692836b9c9414932d884506d508481ed4b1fc98299176d80876fd size 256 diff --git a/sssd.spec b/sssd.spec index 356aa33..a02ec95 100644 --- a/sssd.spec +++ b/sssd.spec 
@@ -408,7 +408,6 @@ autoreconf -fiv --with-initscript=systemd \ --with-syslog=journald \ --with-pid-path="%_rundir" \ - --enable-nsslibdir="/%_lib" \ --enable-pammoddir="%_pam_moduledir" \ --with-ldb-lib-dir="%ldbdir" \ --with-os=suse \ @@ -711,7 +710,7 @@ fi # # sssd-client # -/%_lib/libnss_sss.so.2 +%_libdir/libnss_sss.so.2 %_pam_moduledir/pam_sss.so %_pam_moduledir/pam_sss_gss.so %_libdir/krb5/ From 4565465470335abe930b05be87abd23fa495e6605ce375e0c6757b6805600606 Mon Sep 17 00:00:00 2001 From: OBS User unknown Date: Tue, 5 Nov 2024 21:15:20 +0000 Subject: [PATCH 07/14] [info=6e6893108add570a0ec8a1cc983e87b11279bc98ee96e4f1af76ab397f1d0074] OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=328 --- _scmsync.obsinfo | 4 +- build.specials.obscpio | 2 +- sssd.changes | 1 + sssd.spec | 92 +++++++++++++++++++++++++++++++----------- 4 files changed, 72 insertions(+), 27 deletions(-) diff --git a/_scmsync.obsinfo b/_scmsync.obsinfo index 1e67192..9d0500b 100644 --- a/_scmsync.obsinfo +++ b/_scmsync.obsinfo @@ -1,4 +1,4 @@ -mtime: 1730838890 -commit: 0823836080bc76a2066070591bd0d13645c7446aa3ca664b9eb5b179699ab1b2 +mtime: 1730841300 +commit: 6e6893108add570a0ec8a1cc983e87b11279bc98ee96e4f1af76ab397f1d0074 url: https://src.opensuse.org/jengelh/sssd revision: master diff --git a/build.specials.obscpio b/build.specials.obscpio index 64bc85d..a02cbff 100644 --- a/build.specials.obscpio +++ b/build.specials.obscpio @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:9774109f37a692836b9c9414932d884506d508481ed4b1fc98299176d80876fd +oid sha256:45cd1621350925e1ff05dca141f73a7fefb05743b16ab567b40f479349faf97c size 256 diff --git a/sssd.changes b/sssd.changes index f1b1dc8..5b4d1eb 100644 --- a/sssd.changes +++ b/sssd.changes 
@@ -20,6 +20,7 @@ Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt 0001-INI-relax-config-files-checks.patch, 0001-Configuration-make-sure-etc-sssd-and-everything.patch - Fix socket activation of responders +- Daemon runs now as unprivileged user 'sssd' ------------------------------------------------------------------- Tue Oct 1 10:15:07 UTC 2024 - Jan Engelhardt diff --git a/sssd.spec b/sssd.spec index a02ec95..d360e18 100644 --- a/sssd.spec +++ b/sssd.spec @@ -69,13 +69,14 @@ BuildRequires: pkgconfig(dhash) >= 0.4.2 BuildRequires: pkgconfig(glib-2.0) BuildRequires: pkgconfig(ini_config) >= 1.3 BuildRequires: pkgconfig(jansson) -BuildRequires: pkgconfig(ldb) >= 0.9.2 +BuildRequires: pkgconfig(ldb) >= 1.2.0 BuildRequires: pkgconfig(libcap) BuildRequires: pkgconfig(libcares) BuildRequires: pkgconfig(libcrypto) >= 1.0.1 %if 0%{?suse_version} >= 1600 BuildRequires: pkgconfig(libcurl) %endif +BuildRequires: pkgconfig(libcap) BuildRequires: pkgconfig(libnfsidmap) BuildRequires: pkgconfig(libnl-3.0) >= 3.0 BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0 @@ -103,6 +104,8 @@ BuildRequires: pkgconfig(uuid) %endif %sysusers_requires %{?systemd_ordering} +Requires(post): permissions +Requires(verify): permissions Requires: sssd-ldap = %version-%release Requires(postun): pam-config Provides: libsss_sudo = %version-%release 
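Review bot: The @@ -69 hunk adds `BuildRequires: pkgconfig(libcap)` although the same line is already present a few lines earlier in the unchanged context, so the added line is a duplicate and should be dropped. The `Requires(post): permissions` and `Requires(verify): permissions` lines in the @@ -103 hunk are consistent with the %set_permissions/%verify_permissions scriptlets this commit adds further down the spec.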
@@ -111,13 +114,17 @@ Obsoletes: libsss_sudo < %version-%release Provides: sssd-common = %version-%release Obsoletes: sssd-common < %version-%release +%global sssd_user sssd %define servicename sssd %define sssdstatedir %_localstatedir/lib/sss %define dbpath %sssdstatedir/db %define pipepath %sssdstatedir/pipes %define pubconfpath %sssdstatedir/pubconf %define gpocachepath %sssdstatedir/gpo_cache +%define keytabdir %sssdstatedir/keytabs +%define mcpath %sssdstatedir/mc %define ldbdir %(pkg-config ldb --variable=modulesdir) +%define child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep # Both SSSD and cifs-utils provide an idmap plugin for cifs.ko # %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins @@ -197,6 +204,8 @@ Summary: SSSD helpers needed for Kerberos and GSSAPI authentication License: GPL-3.0-or-later Group: System/Daemons Requires: cyrus-sasl-gssapi +Requires(post): permissions +Requires(verify): permissions %description krb5-common Provides helper processes that the LDAP and Kerberos back ends can @@ -407,13 +416,14 @@ autoreconf -fiv --with-environment-file="%_sysconfdir/sysconfig/sssd" \ --with-initscript=systemd \ --with-syslog=journald \ - --with-pid-path="%_rundir" \ + --with-pid-path="%_rundir/sssd" \ --enable-pammoddir="%_pam_moduledir" \ --with-ldb-lib-dir="%ldbdir" \ --with-os=suse \ --disable-ldb-version-check \ --without-python2-bindings \ --without-oidc-child \ + --with-sssd-user="%sssd_user" \ %if 0%{?suse_version} >= 1600 --with-selinux=yes \ --with-subid 
@@ -463,16 +473,28 @@ mkdir -pv "$b/%_sysconfdir/alternatives" "$b/%_sysconfdir/cifs-utils" ln -sfv "%_sysconfdir/alternatives/%cifs_idmap_name" "$b/%cifs_idmap_plugin" %python3_fix_shebang %if 0%{?suse_version} > 1600 -%python3_fix_shebang_path %buildroot/%_libexecdir/%name/ +%python3_fix_shebang_path %buildroot/%_libexecdir/%name/sss_analyze %elif 0%{?suse_version} == 1600 # python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204 sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analyze" %endif echo 'u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin' >system-user-sssd.conf -mkdir -p "$b/%_sysusersdir" +mkdir -p "$b/%_sysusersdir" "$b/etc/permissions.d" cp -a system-user-sssd.conf "$b/%_sysusersdir/" %sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf +install -Dpm 0644 contrib/sssd-tmpfiles.conf "%buildroot/%_tmpfilesdir/%name.conf" +# should match entry from %%files list +cat >"$b/etc/permissions.d/sssd" <<-EOF + %_libexecdir/sssd/sssd_pam root:sssd 0750 + +capabilities cap_dac_read_search=p + %_libexecdir/sssd/selinux_child root:sssd 0750 + +capabilities %child_capabilities + %_libexecdir/sssd/krb5_child root:sssd 0750 + +capabilities %child_capabilities + %_libexecdir/sssd/ldap_child root:sssd 0750 + +capabilities %child_capabilities +EOF %check # sss_config-tests fails 
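Review bot: The permissions profile is written to the hard-coded path `$b/etc/permissions.d/sssd` while the %files list claims `%_sysconfdir/permissions.d/*`, and it unconditionally lists `%_libexecdir/sssd/selinux_child`, which %files only ships under `%if 0%{?suse_version} >= 1600`; on older targets the `%set_permissions` in %post and the `%verify_permissions` in %verifyscript of the next hunk then name a binary that is not in the package. Use `%_sysconfdir/permissions.d` for the destination and put the selinux_child profile entry and the matching %set_permissions/%verify_permissions arguments under the same `%if` that guards the file. The heredoc uses `<<-EOF`, which strips leading tabs only; if the entries are indented with spaces the installed profile lines carry leading whitespace, which is worth checking once in the build root.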
@@ -495,6 +517,10 @@ if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then fi %service_add_post sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket +%_bindir/rm -f %mcpath/passwd %mcpath/group %mcpath/initgroups %mcpath/sid +%tmpfiles_create %name.conf +%set_permissions %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam + # install SSSD cifs-idmap plugin as an alternative update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority @@ -519,6 +545,9 @@ fi %ldconfig_scriptlets -n libsss_nss_idmap0 %ldconfig_scriptlets -n libsss_simpleifp0 +%verifyscript +%verify_permissions -e %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam + %triggerun -- %name < %version-%release # sssd takes care of upgrading the database but it doesn't handle downgrades. # Clear caches when downgrading the package, which may have an @@ -552,6 +581,16 @@ fi %postun kcm %service_del_postun sssd-kcm.service sssd-kcm.socket +%pre krb5-common -f random.pre + +%post krb5-common +%set_permissions %_libexecdir/%name/krb5_child %_libexecdir/%name/ldap_child + +%verifyscript krb5-common +%verify_permissions -e %_libexecdir/%name/krb5_child %_libexecdir/%name/ldap_child + +%pre proxy -f random.pre + %pretrans # Migrate sssd.service from sssd-common to sssd systemctl is-enabled sssd.service > /dev/null @@ -606,6 +645,9 @@ fi %_unitdir/sssd-sudo.socket %_unitdir/sssd-sudo.service %_sysusersdir/*sssd* +%_tmpfilesdir/*sssd* +%_sysconfdir/permissions.d/* +%_datadir/polkit-1/ %_bindir/sss_ssh_* %_sbindir/sssd %if 0%{?suse_version} < 1600 
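Review bot: `%_datadir/polkit-1/` in the @@ -606 %files hunk packages the entire polkit data tree, including the shared rules.d/actions directories that polkit itself owns, instead of the file sssd installs there; list the concrete path found under `%_datadir/polkit-1/` in the build root so the package does not take ownership of directories it did not create. The `%_bindir/rm -f %mcpath/...` line in %post discards the memory cache files on every upgrade, which is intentional after the ownership change but deserves a short comment such as `# mc files were root-owned before the switch to the sssd user`.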
@@ -662,32 +704,33 @@ fi %_libexecdir/%name/sssd_autofs %_libexecdir/%name/sssd_be %_libexecdir/%name/sssd_nss -%_libexecdir/%name/sssd_pam +%attr(750,root,%sssd_user) %caps(cap_dac_read_search=p) %_libexecdir/%name/sssd_pam %_libexecdir/%name/sssd_ssh %_libexecdir/%name/sssd_sudo %_libexecdir/%name/sss_signal %_libexecdir/%name/sssd_check_socket_activated_responders %if 0%{?suse_version} >= 1600 -%_libexecdir/%name/selinux_child +%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/selinux_child %endif %dir %sssdstatedir -%attr(700,root,root) %dir %dbpath/ -%attr(755,root,root) %dir %pipepath/ -%attr(700,root,root) %dir %pipepath/private/ -%attr(755,root,root) %dir %pubconfpath/ -%attr(755,root,root) %dir %pubconfpath/krb5.include.d -%attr(755,root,root) %dir %gpocachepath/ -%attr(755,root,root) %dir %sssdstatedir/mc/ -%attr(700,root,root) %dir %sssdstatedir/keytabs/ -%attr(750,root,root) %dir %_localstatedir/log/%name/ +%attr(700,%sssd_user,%sssd_user) %dir %dbpath/ +%attr(755,%sssd_user,%sssd_user) %dir %pipepath/ +%attr(700,%sssd_user,%sssd_user) %dir %pipepath/private/ +%attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/ +%attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/krb5.include.d +%attr(755,%sssd_user,%sssd_user) %dir %gpocachepath/ +%attr(755,%sssd_user,%sssd_user) %dir %mcpath/ +%attr(700,%sssd_user,%sssd_user) %dir %keytabdir/ +%attr(750,%sssd_user,%sssd_user) %dir %_localstatedir/log/%name/ +%attr(775,%sssd_user,%sssd_user) %dir %sssdstatedir/ %if "%{?_distconfdir}" != "" -%dir %_distconfdir/sssd/ -%%dir %_distconfdir/sssd/conf.d -%config(noreplace) %_distconfdir/sssd/sssd.conf +%attr(750,root,%sssd_user) %dir %_distconfdir/sssd/ +%attr(750,root,%sssd_user) %dir %_distconfdir/sssd/conf.d +%attr(640,root,%sssd_user) %_distconfdir/sssd/sssd.conf %else -%dir %_sysconfdir/sssd/ -%%dir %_sysconfdir/sssd/conf.d -%config(noreplace) %_sysconfdir/sssd/sssd.conf +%attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/ 
+%attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/conf.d +%ghost %attr(640,root,%sssd_user) %config(noreplace) %_sysconfdir/sssd/sssd.conf %endif %if 0%{?suse_version} > 1500 %_distconfdir/logrotate.d/sssd @@ -706,6 +749,7 @@ fi %else %exclude %_mandir/*/*/sssd-files.5.gz %endif +%attr(775,%sssd_user,%sssd_user) %ghost %dir %_rundir/sssd %doc src/examples/sssd.conf # # sssd-client @@ -795,8 +839,8 @@ fi %dir %_libdir/%name/ %_libdir/%name/libsss_krb5_common.so %dir %_libexecdir/%name/ -%_libexecdir/%name/krb5_child -%_libexecdir/%name/ldap_child +%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/krb5_child +%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/ldap_child %files ldap %dir %_libdir/%name/ @@ -813,7 +857,7 @@ fi %dir %_libdir/%name/ %_libdir/%name/libsss_proxy.so %dir %_libexecdir/%name/ -%_libexecdir/%name/proxy_child +%attr(750,root,%sssd_user) %_libexecdir/%name/proxy_child %dir %_datadir/%name/ %dir %_datadir/%name/sssd.api.d/ %_datadir/%name/sssd.api.d/sssd-proxy.conf From be0ba00c3bb550b376b1de783a1265a8f80a2ab18a335eb50af141041088911d Mon Sep 17 00:00:00 2001 
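Review bot: The @@ -662 hunk keeps the existing `%dir %sssdstatedir` context line and adds `%attr(775,%sssd_user,%sssd_user) %dir %sssdstatedir/`, so the same directory is listed twice with different attributes; rpmbuild warns about this and which entry wins is not obvious, so drop the plain line. Mode 775 on the state directory and on the ghosted `%_rundir/sssd` makes them group-writable; with owner and group both `sssd` that is equivalent to 755 for everyone else, but 755 states the intent more clearly while db/, pipes/private/ and keytabs/ already stay at 700. The configuration directories become root:sssd 750 with sssd.conf at 640, which means any account later added to the sssd group can read whatever secrets sssd.conf holds; a sentence to that effect next to the changelog entry `Daemon runs now as unprivileged user 'sssd'` would make the trade-off visible to administrators.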
From: Dirk Mueller Date: Mon, 25 Nov 2024 09:06:26 +0000 Subject: [PATCH 08/14] [info=8faca55b4aa3e3e74cbabb4b015f0b7beb4b2f1dd7b98a27b382d43be057f672] OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=329 --- ...on-make-sure-etc-sssd-and-everything.patch | 76 ------ 0001-INI-relax-config-files-checks.patch | 135 --------- ...using-libini_config-for-access-check.patch | 182 ------------- ...t-path-when-config-object-is-rejecte.patch | 75 ----- _scmsync.obsinfo | 8 +- build.specials.obscpio | 2 +- harden_sssd-kcm.service.patch | 14 +- sssd-2.10.0.tar.gz | 3 - sssd-2.10.0.tar.gz.asc | 16 -- sssd.changes | 39 --- sssd.spec | 257 +++++++----------- 11 files changed, 110 insertions(+), 697 deletions(-) delete mode 100644 0001-Configuration-make-sure-etc-sssd-and-everything.patch delete mode 100644 0001-INI-relax-config-files-checks.patch delete mode 100644 0001-INI-stop-using-libini_config-for-access-check.patch delete mode 100644 0001-sssd-always-print-path-when-config-object-is-rejecte.patch delete mode 100644 sssd-2.10.0.tar.gz delete mode 100644 sssd-2.10.0.tar.gz.asc diff --git a/0001-Configuration-make-sure-etc-sssd-and-everything.patch b/0001-Configuration-make-sure-etc-sssd-and-everything.patch deleted file mode 100644 index 8cf0fe0..0000000 --- a/0001-Configuration-make-sure-etc-sssd-and-everything.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From 8db2df4fcbd09badafbc207bd4150b5f1cc2d5fb Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Thu, 24 Oct 2024 15:34:26 +0200 -Subject: [PATCH] Configuration: make sure /etc/sssd and everything -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -beneath is owned by 'sssd' group and readable by group. - -This should allow for reasonable rw-r----- root:sssd - -At some points those chown/chmod can be removed. - -Reviewed-by: Justin Stephenson -Reviewed-by: Pavel Březina -Reviewed-by: Sumit Bose -(cherry picked from commit 518db322fdd5a4de41813fbe5bc35fc20392ce67) ---- - contrib/sssd.spec.in | 4 ++-- - src/sysv/systemd/sssd-kcm.service.in | 5 ++--- - src/sysv/systemd/sssd.service.in | 6 ++---- - 3 files changed, 6 insertions(+), 9 deletions(-) - -diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in -index 4fbacb959..83de563f3 100644 ---- a/contrib/sssd.spec.in -+++ b/contrib/sssd.spec.in -@@ -1136,9 +1136,9 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d /run/sssd -s /sbin/nologi - %__rm -f %{mcpath}/group - %__rm -f %{mcpath}/initgroups - %__rm -f %{mcpath}/sid -+%__chown -f -R root:%{sssd_user} %{_sysconfdir}/sssd || true -+%__chmod -f -R g+r %{_sysconfdir}/sssd || true - %__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true --%__chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true --%__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true - %__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true - %__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true - %__chown -f %{sssd_user}:%{sssd_user} %{gpocachepath}/* || true -diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in -index 0c839ec5c..ba9e27cd9 100644 ---- a/src/sysv/systemd/sssd-kcm.service.in -+++ b/src/sysv/systemd/sssd-kcm.service.in -@@ -9,9 +9,8 @@ Also=sssd-kcm.socket - - [Service] - Environment=DEBUG_LOGGER=--logger=files 
--ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@ --ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf --ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d -+ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@ -+ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@ - ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb" - ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log - ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER} -diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in -index 37e0a63f8..a6f79ff8a 100644 ---- a/src/sysv/systemd/sssd.service.in -+++ b/src/sysv/systemd/sssd.service.in -@@ -10,10 +10,8 @@ StartLimitBurst=5 - [Service] - Environment=DEBUG_LOGGER=--logger=files - EnvironmentFile=-@environment_file@ --ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@ --ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf --ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d --ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/pki -+ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@ -+ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@ - ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @dbpath@/*.ldb" - ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @gpocachepath@/*" - ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/*.log" --- -2.47.0 - diff --git a/0001-INI-relax-config-files-checks.patch b/0001-INI-relax-config-files-checks.patch deleted file mode 100644 index 69ac630..0000000 --- a/0001-INI-relax-config-files-checks.patch +++ /dev/null 
@@ -1,135 +0,0 @@ -From 340671f16abb9c26ae97b11c4e2845337e67973e Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Wed, 23 Oct 2024 20:59:32 +0200 -Subject: [PATCH] INI: relax config files checks -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Only make sure: - - user is root or sssd - - group is root or sssd - - other can't access it - -Don't make any assumptions wrt user/group read/write-ability. - -Reviewed-by: Justin Stephenson -Reviewed-by: Pavel Březina -Reviewed-by: Sumit Bose -(cherry picked from commit 8472777ec472607ea450ddb4c4666017bd0de704) ---- - src/man/sssd.conf.5.xml | 5 ++- - src/util/sss_ini.c | 68 +++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 70 insertions(+), 3 deletions(-) - -diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml -index a074cc674..bf10acb2a 100644 ---- a/src/man/sssd.conf.5.xml -+++ b/src/man/sssd.conf.5.xml -@@ -57,9 +57,8 @@ - readable, and writeable only by 'root'. - - -- sssd.conf must be a regular file that is owned, -- readable, and writeable by the same user as configured to run SSSD -- service. -+ sssd.conf must be a regular file that is -+ accessible only by the user used to run SSSD service or root. 
- - - -diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c -index e989d8caf..74cf61e0e 100644 ---- a/src/util/sss_ini.c -+++ b/src/util/sss_ini.c -@@ -26,6 +26,7 @@ - #include - #include - #include -+#include - #include - - #include "config.h" -@@ -781,6 +782,71 @@ int sss_ini_open(struct sss_ini *self, - return ret; - } - -+static int access_check_file(const char *filename) -+{ -+ int ret; -+ struct stat st; -+ uid_t uid; -+ gid_t gid; -+ -+ sss_sssd_user_uid_and_gid(&uid, &gid); -+ -+ ret = stat(filename, &st); -+ if (ret != 0) { -+ ret = errno; -+ DEBUG(SSSDBG_CRIT_FAILURE, "stat(%s) failed: %s\n", -+ filename, strerror(ret)); -+ return EINVAL; -+ } -+ -+ if ((st.st_uid != 0) && (st.st_uid != uid)) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected user owner of '%s': %"SPRIuid"\n", -+ filename, st.st_uid); -+ return ERR_INI_INVALID_PERMISSION; -+ } -+ -+ if ((st.st_gid != 0) && (st.st_gid != gid)) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected group owner of '%s': %"SPRIgid"\n", -+ filename, st.st_gid); -+ return ERR_INI_INVALID_PERMISSION; -+ } -+ -+ if ((st.st_mode & (S_IROTH|S_IWOTH|S_IXOTH)) != 0) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected access to '%s' by other users\n", -+ filename); -+ return ERR_INI_INVALID_PERMISSION; -+ } -+ -+ return EOK; -+} -+ -+static int access_check_ini(struct sss_ini *self) -+{ -+ int ret; -+ const char *path; -+ uint32_t i; -+ const char **snippet; -+ struct ref_array *used_snippets; -+ -+ if (self->main_config_exists) { -+ path = ini_config_get_filename(self->file); -+ ret = access_check_file(path); -+ if (ret != EOK) { -+ return ret; -+ } -+ } -+ -+ used_snippets = sss_ini_get_ra_success_list(self); -+ for (i = 0; (snippet = ref_array_get(used_snippets, i, NULL)) != NULL; ++i) { -+ ret = access_check_file(*snippet); -+ if (ret != EOK) { -+ return ret; -+ } -+ } -+ -+ return EOK; -+} -+ - int sss_ini_read_sssd_conf(struct sss_ini *self, - const char *config_file, - const char *config_dir) -@@ -833,5 +899,7 @@ int 
sss_ini_read_sssd_conf(struct sss_ini *self, - return ERR_INI_EMPTY_CONFIG; - } - -+ ret = access_check_ini(self); -+ - return ret; - } --- -2.47.0 - diff --git a/0001-INI-stop-using-libini_config-for-access-check.patch b/0001-INI-stop-using-libini_config-for-access-check.patch deleted file mode 100644 index abe0cb0..0000000 --- a/0001-INI-stop-using-libini_config-for-access-check.patch +++ /dev/null 
@@ -1,182 +0,0 @@ -From 1d19b8ad9415e0a12ed3aaf039d4d0956ef4dbad Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Wed, 23 Oct 2024 19:53:09 +0200 -Subject: [PATCH] INI: stop using 'libini_config' for access check -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Justin Stephenson -Reviewed-by: Pavel Březina -Reviewed-by: Sumit Bose ---- - src/util/sss_ini.c | 100 +---------------------------------------------------- - src/util/sss_ini.h | 12 ------ - 2 files changed, 3 insertions(+), 109 deletions(-) - -Index: sssd-2.10.0/src/util/sss_ini.c -=================================================================== ---- sssd-2.10.0.orig/src/util/sss_ini.c -+++ sssd-2.10.0/src/util/sss_ini.c -@@ -147,81 +147,6 @@ static int sss_ini_config_file_from_mem( - &self->file); - } - --/* Check configuration file permissions */ -- --static bool is_running_sssd(void) --{ -- static char exe[1024]; -- int ret; -- const char *s = NULL; -- -- ret = readlink("/proc/self/exe", exe, sizeof(exe) - 1); -- if ((ret > 0) && (ret < 1024)) { -- exe[ret] = 0; -- s = strstr(exe, debug_prg_name); -- if ((s != NULL) && (strlen(s) == strlen(debug_prg_name))) { -- return true; -- } -- } -- -- return false; --} -- --static int sss_ini_access_check(struct sss_ini *self) --{ -- int ret; -- uint32_t flags = INI_ACCESS_CHECK_MODE; -- -- if (!self->main_config_exists) { -- return EOK; -- } -- -- if (is_running_sssd()) { -- flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID; -- } -- -- ret = ini_config_access_check(self->file, -- flags, -- geteuid(), -- getegid(), -- S_IRUSR, /* r**------ */ -- ALLPERMS & ~(S_IWUSR|S_IXUSR)); -- -- return ret; --} -- -- -- --/* Get cstat */ -- --int sss_ini_get_stat(struct sss_ini *self) --{ -- self->cstat = ini_config_get_stat(self->file); -- -- if (!self->cstat) return EIO; -- -- return EOK; --} -- -- -- --/* Get mtime */ -- --int sss_ini_get_mtime(struct sss_ini *self, -- size_t timestr_len, -- char 
*timestr) --{ -- return snprintf(timestr, timestr_len, "%llu", -- (long long unsigned)self->cstat->st_mtime); --} -- --/* Get file_exists */ -- --bool sss_ini_exists(struct sss_ini *self) --{ -- return self->main_config_exists; --} -- - /* Print ini_config errors */ - - static void sss_ini_config_print_errors(char **error_list) -@@ -289,7 +214,6 @@ static int sss_ini_add_snippets(struct s - uint32_t i = 0; - char *msg = NULL; - struct ini_cfgobj *modified_sssd_config = NULL; -- struct access_check snip_check; - - if (self == NULL || self->sssd_config == NULL || config_dir == NULL) { - return EINVAL; -@@ -297,21 +221,11 @@ static int sss_ini_add_snippets(struct s - - sss_ini_free_ra_messages(self); - -- snip_check.flags = INI_ACCESS_CHECK_MODE; -- -- if (is_running_sssd()) { -- snip_check.flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID; -- } -- snip_check.uid = geteuid(); -- snip_check.gid = getegid(); -- snip_check.mode = S_IRUSR; /* r**------ */ -- snip_check.mask = ALLPERMS & ~(S_IWUSR | S_IXUSR); -- - ret = ini_config_augment(self->sssd_config, - config_dir, - patterns, - sections, -- &snip_check, -+ NULL, - INI_STOP_ON_ANY, - INI_MV1S_OVERWRITE, - INI_PARSE_NOWRAP, -@@ -894,15 +808,7 @@ int sss_ini_read_sssd_conf(struct sss_in - return ERR_INI_OPEN_FAILED; - } - -- if (sss_ini_exists(self)) { -- ret = sss_ini_access_check(self); -- if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "Permission check on config file %s failed: %d\n", -- config_file, ret); -- return ERR_INI_INVALID_PERMISSION; -- } -- } else { -+ if (!self->main_config_exists) { - DEBUG(SSSDBG_CONF_SETTINGS, - "File %s does not exist.\n", config_file); - } -@@ -923,7 +829,7 @@ int sss_ini_read_sssd_conf(struct sss_in - return ERR_INI_ADD_SNIPPETS_FAILED; - } - -- if (!sss_ini_exists(self) && -+ if ((!self->main_config_exists) && - (ref_array_len(sss_ini_get_ra_success_list(self)) == 0)) { - return ERR_INI_EMPTY_CONFIG; - } -Index: sssd-2.10.0/src/util/sss_ini.h 
-=================================================================== ---- sssd-2.10.0.orig/src/util/sss_ini.h -+++ sssd-2.10.0/src/util/sss_ini.h -@@ -81,18 +81,6 @@ int sss_ini_open(struct sss_ini *self, - const char *fallback_cfg); - - /** -- * @brief Check whether sss_ini_open() reported that ini file is -- * not present -- * -- * @param[in] self pointer to sss_ini structure -- * -- * @return -- * - true we are using ini file -- * - false file was not found -- */ --bool sss_ini_exists(struct sss_ini *self); -- --/** - * @brief get Cstat structure of the ini file - */ - int sss_ini_get_stat(struct sss_ini *self); diff --git a/0001-sssd-always-print-path-when-config-object-is-rejecte.patch b/0001-sssd-always-print-path-when-config-object-is-rejecte.patch deleted file mode 100644 index d24c30a..0000000 --- a/0001-sssd-always-print-path-when-config-object-is-rejecte.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -From 1a743a4123c104a10c694f7ee9d2f0a1e7182513 Mon Sep 17 00:00:00 2001 -From: Jan Engelhardt -Date: Wed, 16 Oct 2024 09:55:50 +0200 -Subject: [PATCH] sssd: always print path when config object is rejected -References: https://github.com/SSSD/sssd/pull/7649 - -Observed: - -``` -Oct 16 09:44:04 a4 sssd[28717]: [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed. -Oct 16 09:44:04 a4 sssd[28717]: Can't read config: 'File ownership and permissions check failed' -Oct 16 09:44:04 a4 sssd[28717]: Failed to read configuration: 'File ownership and permissions check failed' -``` - -Expected: - -_Well yes, but **which one**_!? - -Reviewed-by: Alexey Tikhonov -Reviewed-by: Justin Stephenson -(cherry picked from commit 2b7915dd84a6b8c3ee26e45357283677fe22f2cb) ---- - src/util/sss_ini.c | 14 ++++++++------ - 1 file changed, 8 insertions(+), 6 deletions(-) - -diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c -index 7f9824d88..2a611eb8c 100644 ---- a/src/util/sss_ini.c -+++ b/src/util/sss_ini.c -@@ -888,7 +888,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self, - ret = sss_ini_open(self, config_file, "[sssd]\n"); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, -- "The sss_ini_open failed %s: %d\n", -+ "sss_ini_open on %s failed: %d\n", - config_file, - ret); - return ERR_INI_OPEN_FAILED; -@@ -898,26 +898,28 @@ int sss_ini_read_sssd_conf(struct sss_ini *self, - ret = sss_ini_access_check(self); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, -- "Permission check on config file failed.\n"); -+ "Permission check on config file %s failed: %d\n", -+ config_file, ret); - return ERR_INI_INVALID_PERMISSION; - } - } else { - DEBUG(SSSDBG_CONF_SETTINGS, -- "File %1$s does not exist.\n", -- (config_file ? 
config_file : "NULL")); -+ "File %s does not exist.\n", config_file); - } - - ret = sss_ini_parse(self); - if (ret != EOK) { - sss_ini_config_print_errors(self->error_list); -- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration.\n"); -+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration file %s: %d\n", -+ config_file, ret); - return ERR_INI_PARSE_FAILED; - } - - ret = sss_ini_add_snippets(self, config_dir); - if (ret != EOK) { - DEBUG(SSSDBG_FATAL_FAILURE, -- "Error while reading configuration directory.\n"); -+ "Error while reading configuration directory %s: %d\n", -+ config_dir, ret); - return ERR_INI_ADD_SNIPPETS_FAILED; - } - --- -2.47.0 - diff --git a/_scmsync.obsinfo b/_scmsync.obsinfo index 9d0500b..a092931 100644 --- a/_scmsync.obsinfo +++ b/_scmsync.obsinfo @@ -1,4 +1,4 @@ -mtime: 1730841300 -commit: 6e6893108add570a0ec8a1cc983e87b11279bc98ee96e4f1af76ab397f1d0074 -url: https://src.opensuse.org/jengelh/sssd -revision: master +mtime: 1721222057 +commit: 8faca55b4aa3e3e74cbabb4b015f0b7beb4b2f1dd7b98a27b382d43be057f672 +url: https://src.opensuse.org/pool/sssd +revision: factory diff --git a/build.specials.obscpio b/build.specials.obscpio index a02cbff..3ea1e2e 100644 --- a/build.specials.obscpio +++ b/build.specials.obscpio @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:45cd1621350925e1ff05dca141f73a7fefb05743b16ab567b40f479349faf97c +oid sha256:c18d7bdbfefa831e2d93711cb40de6966d0c640e4ec9dccbb61cf299ca5aedaf size 256 diff --git a/harden_sssd-kcm.service.patch b/harden_sssd-kcm.service.patch index 5ff85b4..183e0b0 100644 --- a/harden_sssd-kcm.service.patch +++ b/harden_sssd-kcm.service.patch 
@@ -1,11 +1,7 @@ ---- - src/sysv/systemd/sssd-kcm.service.in | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in +Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in =================================================================== ---- sssd-2.10.0.orig/src/sysv/systemd/sssd-kcm.service.in -+++ sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in +--- sssd-2.5.2.orig/src/sysv/systemd/sssd-kcm.service.in ++++ sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in @@ -8,6 +8,19 @@ After=sssd-kcm.socket Also=sssd-kcm.socket @@ -24,5 +20,5 @@ Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in +RestrictRealtime=true +# end of automatic additions Environment=DEBUG_LOGGER=--logger=files - ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@ - ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@ + ExecStartPre=-@sbindir@/sssd --genconf-section=kcm + ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER} diff --git a/sssd-2.10.0.tar.gz b/sssd-2.10.0.tar.gz deleted file mode 100644 index 38e2605..0000000 --- a/sssd-2.10.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:0b1167e8017209ec25b9683e0006947eaa0cfd7a8161bfea120bd8511006db0d -size 9177851 diff --git a/sssd-2.10.0.tar.gz.asc b/sssd-2.10.0.tar.gz.asc deleted file mode 100644 index 3783730..0000000 --- a/sssd-2.10.0.tar.gz.asc +++ /dev/null 
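Review bot: The restored `Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in` header and the `sssd-2.5.2.orig` / `sssd-2.5.2` prefixes no longer correspond to the `Version: 2.9.5` the spec now builds; the prefix is stripped at apply time so this is cosmetic, but a refreshed header (`Index: sssd-2.9.5/src/sysv/systemd/sssd-kcm.service.in`) would stop the next reader from wondering which tree the patch was generated against. The new context lines in the second hunk also show that on this version the responder is started as `ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}`, i.e. as root, so the sandboxing directives this patch inserts are the main mitigation for that process; a one-line comment at the top of the patch saying so would make the intent of the "automatic additions" block clear.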
@@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmcOPUoACgkQ09IbKRDP -Z1myuA//anDvdZcQp0EUia2NsiWt2MFE8esmsEIN6QmEYjUxvEeXI9q4YJQimMi8 -wdt0zqZE1PLrTcroWaeGcgt2+CJWUbVanZtNn3oo7lUVYrLKemrUzavM7dXTaA43 -cdKAFyEO+nHJQ2yBNUt6sRXc3tM0H27yZs0iL+CcYu6YshUTbMnZuwdpz7DqDTN8 -nbG+LWa+U0en5mI3waP8Ionwmdv9AJAuCHQZLlZDpM0+YfGumcIUJdbxU/I8pqP8 -MQaulPv3e+BNwdbUiLlk0cXRjuEfSd0bmMa3MqB4IqMvvjACU0GuSgK3FDhutZJe -HfmzYSo/Zntmr7F/eYLz6zy/GU3VewEilOyRV08oz+EVJRbGyo2t4k6PUYbn+I4V -kJ/maed5jnBzIZGf6o+P1r+3mavJg7k2LDV4s48MsZ4Y5ED4X0c+boT1L5FZbquW -gp99Di0RG4VoWiYOfVfszLzeDWOLbOrKMyA6PTqlmjGYAdV9SBwZP5WEdwXyPovo -D7uual7Eqdd+Y/lt+8O4Wd+Y+a9xI2kwVFo8KYmHc8PhgLpPIKTWbBTEI+0nw3fJ -qqyyA7JWA81bt4WKVuJaeS87S/9F4yn8ps2dzSgHjZ2Tzr7Eu1a3RWLjKYsjKZrT -PPd2d/02rQAZPwLYHN5qM3Xjh0DD7IiXav1QuIPxmUQA9z8ZiuA= -=mJVY ------END PGP SIGNATURE----- diff --git a/sssd.changes b/sssd.changes index 5b4d1eb..ec838e0 100644 --- a/sssd.changes +++ b/sssd.changes 
@@ -1,42 +1,3 @@ -------------------------------------------------------------------- -Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt - -- Update to release 2.10.0 - * The ``sssctl cache-upgrade`` command was removed. SSSD - performs automatic upgrades at startup when needed. - * Support of ``enumeration`` feature (i.e. ability to list all - users/groups using ``getent passwd/group`` without argument) - for AD/IPA providers is deprecated and might be removed in - further releases. - * The new tool ``sss_ssh_knownhosts`` can be used with ssh's - ``KnownHostsCommand`` configuration option to retrieve the - host's public keys from a remote server (FreeIPA, LDAP, - etc.). It replaces ```sss_ssh_knownhostsproxy``. - * The default value for ``ldap_id_use_start_tls`` changed from - false to true for improved security. - * https://github.com/SSSD/sssd/releases/tag/2.10.0 -- Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch, - 0001-INI-stop-using-libini_config-for-access-check.patch, - 0001-INI-relax-config-files-checks.patch, - 0001-Configuration-make-sure-etc-sssd-and-everything.patch -- Fix socket activation of responders -- Daemon runs now as unprivileged user 'sssd' - -------------------------------------------------------------------- -Tue Oct 1 10:15:07 UTC 2024 - Jan Engelhardt - -- Update filelists involving memberof.so and idmap/sss.so to - avoid gobbling up one file into multiple sssd subpackages. - (Between samba-4.20 and 4.21, %ldbdir changes from - /usr/lib64/ldb2/modules/ldb to /usr/lib64/samba/ldb, so now - `%_libdir/samba` is a bit too broad.) - -------------------------------------------------------------------- -Wed Jul 17 09:19:20 UTC 2024 - Samuel Cabrero - -- Fix spec file for openSUSE ALP and SUSE SLFO, where the - python3_fix_shebang_path RPM macro is not available - ------------------------------------------------------------------- Thu Jul 11 09:41:21 UTC 2024 - Samuel Cabrero 
diff --git a/sssd.spec b/sssd.spec
index d360e18..41a153c 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -17,7 +17,7 @@ Name: sssd
-Version: 2.10.0
+Version: 2.9.5
 Release: 0
 Summary: System Security Services Daemon
 License: GPL-3.0-or-later AND LGPL-3.0-or-later
@@ -28,14 +28,10 @@ Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%v
 Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc
 Source3: baselibs.conf
 Source5: %name.keyring
-Patch3: 0001-sssd-always-print-path-when-config-object-is-rejecte.patch
-Patch4: 0001-INI-stop-using-libini_config-for-access-check.patch
-Patch5: 0001-INI-relax-config-files-checks.patch
-Patch6: 0001-Configuration-make-sure-etc-sssd-and-everything.patch
-Patch11: krb-noversion.diff
-Patch12: harden_sssd-ifp.service.patch
-Patch13: harden_sssd-kcm.service.patch
-Patch14: symvers.patch
+Patch1: krb-noversion.diff
+Patch2: harden_sssd-ifp.service.patch
+Patch3: harden_sssd-kcm.service.patch
+Patch4: symvers.patch
 BuildRequires: autoconf >= 2.59
 BuildRequires: automake
 BuildRequires: bind-utils
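Review bot: The `Version:` revert to 2.9.5 and the removal of `Patch3`–`Patch6` in these two hunks are not explained anywhere on the new side: the only sssd.changes change in this commit deletes entries, so the reason for the downgrade, and the fact that it gives up the config-file permission checks and the unprivileged `sssd` user that the removed 2.10.0 entry lists, leaves no trace for the next maintainer. Add a dated sssd.changes entry stating why the package goes back to 2.9.5 and which hardening it loses, so the regression is visible to anyone auditing the package history. Renumbering `Patch11`–`Patch14` to `Patch1`–`Patch4` is avoidable churn; keeping the old numbers would have left only the four removed lines in the diff.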
@@ -57,26 +53,21 @@ BuildRequires: nss_wrapper
 BuildRequires: openldap2-devel
 BuildRequires: pam-devel
 BuildRequires: pkg-config >= 0.21
-BuildRequires: python3-wheel
-BuildRequires: python3-setuptools
 BuildRequires: systemd-rpm-macros
-BuildRequires: sysuser-tools
 BuildRequires: uid_wrapper
 BuildRequires: pkgconfig(augeas) >= 1.0.0
 BuildRequires: pkgconfig(collection) >= 0.5.1
 BuildRequires: pkgconfig(dbus-1) >= 1.0.0
 BuildRequires: pkgconfig(dhash) >= 0.4.2
 BuildRequires: pkgconfig(glib-2.0)
-BuildRequires: pkgconfig(ini_config) >= 1.3
+BuildRequires: pkgconfig(ini_config) >= 1.1.0
 BuildRequires: pkgconfig(jansson)
-BuildRequires: pkgconfig(ldb) >= 1.2.0
-BuildRequires: pkgconfig(libcap)
+BuildRequires: pkgconfig(ldb) >= 0.9.2
 BuildRequires: pkgconfig(libcares)
-BuildRequires: pkgconfig(libcrypto) >= 1.0.1
+BuildRequires: pkgconfig(libcrypto)
 %if 0%{?suse_version} >= 1600
 BuildRequires: pkgconfig(libcurl)
 %endif
-BuildRequires: pkgconfig(libcap)
 BuildRequires: pkgconfig(libnfsidmap)
 BuildRequires: pkgconfig(libnl-3.0) >= 3.0
 BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0
@@ -95,17 +86,7 @@ BuildRequires: pkgconfig(talloc)
 BuildRequires: pkgconfig(tdb) >= 1.1.3
 BuildRequires: pkgconfig(tevent)
 BuildRequires: pkgconfig(uuid)
-%if 0%{?suse_version} && 0%{?suse_version} < 1600
-# samba-client-devel pulls samba-client-libs pulls libldap-2_4-2 wants libldap-data(-2.4);
-# this conflicts with
-# openldap2-devel pulls libldap2 wants libldap-data(-2.6)
-# Package contains just config files, not needed for build.
-#!BuildIgnore: libldap-data
-%endif
-%sysusers_requires %{?systemd_ordering}
-Requires(post): permissions
-Requires(verify): permissions
 Requires: sssd-ldap = %version-%release
 Requires(postun): pam-config
 Provides: libsss_sudo = %version-%release
@@ -114,20 +95,16 @@ Obsoletes: libsss_sudo < %version-%release
 Provides: sssd-common = %version-%release
 Obsoletes: sssd-common < %version-%release
-%global sssd_user sssd
 %define servicename sssd
 %define sssdstatedir %_localstatedir/lib/sss
 %define dbpath %sssdstatedir/db
 %define pipepath %sssdstatedir/pipes
 %define pubconfpath %sssdstatedir/pubconf
 %define gpocachepath %sssdstatedir/gpo_cache
-%define keytabdir %sssdstatedir/keytabs
-%define mcpath %sssdstatedir/mc
 %define ldbdir %(pkg-config ldb --variable=modulesdir)
-%define child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
 # Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
-# %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
+# %_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
 # * cifs-utils one is the default (priority 20)
 # * installing SSSD should NOT switch to SSSD plugin (priority 10)
 %define cifs_idmap_plugin %_sysconfdir/cifs-utils/idmap-plugin
@@ -138,11 +115,11 @@ Requires(post): update-alternatives
 Requires(postun): update-alternatives
 %description
-A set of daemons to manage access to remote directories and
-authentication mechanisms. sssd provides an NSS and PAM interfaces
-toward the system and a pluggable backend system to connect to
-multiple different account sources. It is also the basis to provide
-client auditing and policy services for projects like FreeIPA.
+Provides a set of daemons to manage access to remote directories and
+authentication mechanisms. It provides an NSS and PAM interface toward
+the system and a pluggable backend system to connect to multiple different
+account sources. It is also the basis to provide client auditing and policy
+services for projects like FreeIPA.
 %package ad
 Summary: The ActiveDirectory backend plugin for sssd
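Review bot: In the first hunk the comment `# %%_sysconfdir/cifs-utils/idmap-plugin ...` is rewritten to `# %_sysconfdir/...`, which puts an unescaped macro back inside a spec comment; rpmbuild expands macros on comment lines as well, so the doubled form is the one to keep: `# %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins`. The expansion is harmless here because `%_sysconfdir` is a plain path, but the escape was deliberate, and reverting it is a regression rather than a cleanup.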
@@ -152,8 +129,9 @@ Requires: %name-krb5-common = %version-%release
 Requires: adcli
 %description ad
-A back-end provider that the SSSD can utilize to fetch identity data
-from, and authenticate with, an Active Directory server.
+Provides the Active Directory back end that the SSSD can utilize to
+fetch identity data from and authenticate against an Active Directory
+server.
 %package dbus
 Summary: The D-Bus responder of sssd
@@ -162,7 +140,7 @@ Group: System/Base
 Requires: %name = %version
 %description dbus
-D-Bus responder of sssd, called InfoPipe, which allows
+Provides the D-Bus responder of sssd, called InfoPipe, which allows
 information from sssd to be transmitted over the system bus.
 %package ipa
@@ -176,8 +154,8 @@ Obsoletes: %name-ipa-provider < %version-%release
 Provides: %name-ipa-provider = %version-%release
 %description ipa
-A back-end provider that the SSSD can utilize to fetch identity data
-from, and authenticate with, an IPA server.
+Provides the IPA back end that the SSSD can utilize to fetch identity
+data from and authenticate against an IPA server.
 %package kcm
 Summary: SSSD's Kerberos cache manager
@@ -196,16 +174,14 @@ Group: System/Daemons
 Requires: %name-krb5-common = %version-%release
 %description krb5
-A back-end provider that the SSSD can utilize to authenticate against
-a Kerberos server.
+Provides the Kerberos back end that the SSSD can utilize authenticate
+against a Kerberos server.
 %package krb5-common
 Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
 License: GPL-3.0-or-later
 Group: System/Daemons
 Requires: cyrus-sasl-gssapi
-Requires(post): permissions
-Requires(verify): permissions
 %description krb5-common
 Provides helper processes that the LDAP and Kerberos back ends can
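Review bot: The new `%description krb5` text in the `@@ -196` hunk reads `Provides the Kerberos back end that the SSSD can utilize authenticate`, which is missing the infinitive marker; it should be `Provides the Kerberos back end that the SSSD can utilize to authenticate`. The same rewording pass introduces `wrap an existing NSS and/or PAM modules` in the `%description proxy` hunk on the next line (singular article with a plural noun), so either `an existing NSS and/or PAM module` or dropping `an` is needed there. These strings ship as package metadata shown by `rpm -qi`, so they are worth fixing before release.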
@@ -218,8 +194,8 @@ Group: System/Daemons
 Requires: %name-krb5-common = %version-%release
 %description ldap
-A back-end provider that the SSSD can utilize to fetch identity data
-from, and authenticate with, an LDAP server.
+Provides the LDAP back end that the SSSD can utilize to fetch
+identity data from and authenticate against an LDAP server.
 %package proxy
 Summary: The proxy backend plugin for sssd
@@ -227,8 +203,8 @@ License: GPL-3.0-or-later
 Group: System/Daemons
 %description proxy
-A back-end provider which can be used to wrap existing NSS and/or PAM
-modules to leverage SSSD caching. (This can replace nscd.)
+Provides the proxy back end which can be used to wrap an existing NSS
+and/or PAM modules to leverage SSSD caching.
 %package tools
 Summary: Commandline tools for sssd
@@ -238,7 +214,7 @@ Requires: python3-sssd-config = %version-%release
 Requires: sssd = %version
 %description tools
-The packages contains command-line tools for managing users and groups using
+The packages contains commandline tools for managing users and groups using
 the "local" id provider of the System Security Services Daemon (sssd).
 %package winbind-idmap
@@ -255,7 +231,7 @@ License: LGPL-3.0-or-later
 Group: System/Libraries
 %description -n libsss_certmap0
-A utility library for FreeIPA to map certificates.
+A utility library for FreeIPA to map certs.
 %package -n libsss_certmap-devel
 Summary: Development files for the FreeIPA certmap library
@@ -264,7 +240,7 @@ Group: Development/Libraries/C and C++
 Requires: libsss_certmap0 = %version
 %description -n libsss_certmap-devel
-A utility library for FreeIPA to map certificates.
+A utility library for FreeIPA to map certs.
 %package -n libipa_hbac0
 Summary: FreeIPA HBAC Evaluator library
@@ -328,6 +304,7 @@ Requires: libsss_nss_idmap0 = %version
 %description -n libsss_nss_idmap-devel
 A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs.
+%if 0%{?suse_version} < 1600
 %package -n libsss_simpleifp0
 Summary: The SSSD D-Bus responder helper library
 License: GPL-3.0-or-later
@@ -350,6 +327,7 @@ Requires: libsss_simpleifp0 = %version
 This subpackage provides the development files for sssd's simpleifp, a library that simplifies the D-Bus API for the SSSD InfoPipe responder.
+%endif
 %package -n libsss_sudo
 Summary: A library to allow communication between sudo and SSSD
@@ -416,32 +394,33 @@ autoreconf -fiv
 --with-environment-file="%_sysconfdir/sysconfig/sssd" \
 --with-initscript=systemd \
 --with-syslog=journald \
- --with-pid-path="%_rundir/sssd" \
+ --with-pid-path="%_rundir" \
+ --enable-nsslibdir="/%_lib" \
 --enable-pammoddir="%_pam_moduledir" \
 --with-ldb-lib-dir="%ldbdir" \
 --with-os=suse \
 --disable-ldb-version-check \
 --without-python2-bindings \
 --without-oidc-child \
- --with-sssd-user="%sssd_user" \
 %if 0%{?suse_version} >= 1600
 --with-selinux=yes \
 --with-subid
 %else
 --with-selinux=no \
+ --with-semanage=no \
 --with-libsifp \
 --with-files-provider
 %endif
 %make_build all
 %install
-# sss_obfuscate is compatible with both Python 2 and 3
+# sss_obfuscate is compatible with both python 2 and 3
 perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate
 %make_install dbuspolicydir=%_datadir/dbus-1/system.d b="%buildroot"
 # Copy some defaults
-%if "%{?_distconfdir}" != ""
+%if %{?_distconfdir:1}
 install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_distconfdir/sssd/sssd.conf"
 install -d -m 0755 "$b/%_distconfdir/sssd/conf.d"
 %else
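Review bot: `%if %{?_distconfdir:1}` in the `@@ -416` hunk only works when `_distconfdir` is defined; on a build where it is not (the case the `%else` branch exists for) the conditional expands to a bare `%if` with an empty expression, which rpmbuild rejects at parse time instead of taking the `%else` path. Use `%if 0%{?_distconfdir:1}` (or keep the `%if "%{?_distconfdir}" != ""` form this commit removes) so both branches remain reachable. The same hunk moves `--with-pid-path` from `%_rundir/sssd` to `%_rundir`; if that is intended for 2.9.5, the `%files` ownership of the runtime directory should be checked for consistency, which lies outside this chunk.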
@@ -469,40 +448,20 @@ find "$b" -type f -name "*.la" -print -delete %find_lang %name --all-name # dummy target for cifs-idmap-plugin -mkdir -pv "$b/%_sysconfdir/alternatives" "$b/%_sysconfdir/cifs-utils" -ln -sfv "%_sysconfdir/alternatives/%cifs_idmap_name" "$b/%cifs_idmap_plugin" +mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils +ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin %python3_fix_shebang -%if 0%{?suse_version} > 1600 -%python3_fix_shebang_path %buildroot/%_libexecdir/%name/sss_analyze -%elif 0%{?suse_version} == 1600 -# python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204 -sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analyze" +%if 0%{?suse_version} >= 1600 +%python3_fix_shebang_path %buildroot/%_libexecdir/%name/ %endif -echo 'u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin' >system-user-sssd.conf -mkdir -p "$b/%_sysusersdir" "$b/etc/permissions.d" -cp -a system-user-sssd.conf "$b/%_sysusersdir/" -%sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf -install -Dpm 0644 contrib/sssd-tmpfiles.conf "%buildroot/%_tmpfilesdir/%name.conf" -# should match entry from %%files list -cat >"$b/etc/permissions.d/sssd" <<-EOF - %_libexecdir/sssd/sssd_pam root:sssd 0750 - +capabilities cap_dac_read_search=p - %_libexecdir/sssd/selinux_child root:sssd 0750 - +capabilities %child_capabilities - %_libexecdir/sssd/krb5_child root:sssd 0750 - +capabilities %child_capabilities - %_libexecdir/sssd/ldap_child root:sssd 0750 - +capabilities %child_capabilities -EOF - %check # sss_config-tests fails %make_build check || : -%pre -f random.pre -%service_add_pre sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket -%if "%{?_distconfdir}" != "" 
+%pre +%service_add_pre sssd.service +%if %{?_distconfdir:1} # Prepare for migration to /usr/etc; save any old .rpmsave for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i.rpmsave.old" || : 
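Review bot: `%pre` now registers only `sssd.service` with `%service_add_pre`, while the package still ships the responder socket and service units (`sssd-nss.socket`, `sssd-pam.socket`, `sssd-sudo.socket` and the rest remain in `%files` further down), so those units no longer get the preset/enable and disable handling the scriptlets provide on install and removal. Keep the full list in one place, e.g. `%define sssd_units sssd.service sssd-autofs.socket sssd-autofs.service sssd-nss.socket sssd-nss.service sssd-pac.socket sssd-pac.service sssd-pam.socket sssd-pam.service sssd-ssh.socket sssd-ssh.service sssd-sudo.socket sssd-sudo.service` and `%service_add_pre %sssd_units`, and use the same macro in `%post`, `%preun` and `%postun` in the next hunk. The hunk also drops the sysusers, tmpfiles and permissions.d generation from %install, which is consistent with building without `--with-sssd-user`, but `%_tmpfilesdir/%name.conf` presumably created the runtime directories, so confirm the daemon creates them itself under `%_rundir`.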
@@ -515,38 +474,38 @@ done if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then /bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' "%_sysconfdir/sssd/sssd.conf" fi -%service_add_post sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket - -%_bindir/rm -f %mcpath/passwd %mcpath/group %mcpath/initgroups %mcpath/sid -%tmpfiles_create %name.conf -%set_permissions %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam +%service_add_post sssd.service # install SSSD cifs-idmap plugin as an alternative update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority %preun -%service_del_preun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket +%service_del_preun sssd.service %postun /sbin/ldconfig -if [ "$1" = "0" ] && [ -x "%_sbindir/pam-config" ]; then +if [ "$1" = "0" -a -x "%_sbindir/pam-config" ]; then "%_sbindir/pam-config" -d --sss || : fi # del_postun includes a try-restart -%service_del_postun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket +%service_del_postun sssd.service if [ ! 
-f "%cifs_idmap_lib" ]; then update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib fi -%ldconfig_scriptlets -n libsss_certmap0 -%ldconfig_scriptlets -n libipa_hbac0 -%ldconfig_scriptlets -n libsss_idmap0 -%ldconfig_scriptlets -n libsss_nss_idmap0 -%ldconfig_scriptlets -n libsss_simpleifp0 - -%verifyscript -%verify_permissions -e %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam +%post -n libsss_certmap0 -p /sbin/ldconfig +%postun -n libsss_certmap0 -p /sbin/ldconfig +%post -n libipa_hbac0 -p /sbin/ldconfig +%postun -n libipa_hbac0 -p /sbin/ldconfig +%post -n libsss_idmap0 -p /sbin/ldconfig +%postun -n libsss_idmap0 -p /sbin/ldconfig +%post -n libsss_nss_idmap0 -p /sbin/ldconfig +%postun -n libsss_nss_idmap0 -p /sbin/ldconfig +%if 0%{?suse_version} < 1600 +%post -n libsss_simpleifp0 -p /sbin/ldconfig +%postun -n libsss_simpleifp0 -p /sbin/ldconfig +%endif %triggerun -- %name < %version-%release # sssd takes care of upgrading the database but it doesn't handle downgrades. 
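Review bot: The new `%post` no longer removes the stale memory-cache files (`rm -f %mcpath/passwd %mcpath/group %mcpath/initgroups %mcpath/sid`) before the service is restarted, so clients that already map those files may keep reading a cache whose layout the new version does not understand; upstream's contrib/sssd.spec.in (quoted in the Configuration patch later in this series) still does this removal in %post, so keep the line ahead of `%service_add_post sssd.service`. The `%postun` test `[ "$1" = "0" -a -x "%_sbindir/pam-config" ]` uses the obsolescent `-a` operator; `if [ "$1" = "0" ] && [ -x "%_sbindir/pam-config" ]; then` is the portable form the removed line already used. Hard-coding `/sbin/ldconfig` in the library `%post`/`%postun` lines works on usr-merged systems, but the removed `%ldconfig_scriptlets -n libsss_certmap0` form leaves the path to rpm.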
@@ -581,31 +540,21 @@ fi %postun kcm %service_del_postun sssd-kcm.service sssd-kcm.socket -%pre krb5-common -f random.pre - -%post krb5-common -%set_permissions %_libexecdir/%name/krb5_child %_libexecdir/%name/ldap_child - -%verifyscript krb5-common -%verify_permissions -e %_libexecdir/%name/krb5_child %_libexecdir/%name/ldap_child - -%pre proxy -f random.pre - %pretrans # Migrate sssd.service from sssd-common to sssd systemctl is-enabled sssd.service > /dev/null if [ $? -eq 0 ]; then - mkdir -p /run/systemd/rpm/ - touch /run/systemd/rpm/sssd-was-enabled +mkdir -p /run/systemd/rpm/ +touch /run/systemd/rpm/sssd-was-enabled fi systemctl is-active sssd.service > /dev/null if [ $? -eq 0 ]; then - mkdir -p /run/systemd/rpm/ - touch /run/systemd/rpm/sssd-was-active +mkdir -p /run/systemd/rpm/ +touch /run/systemd/rpm/sssd-was-active fi %posttrans -%if "%{?_distconfdir}" != "" +%if %{?_distconfdir:1} # Migration to /usr/etc, restore just created .rpmsave for i in sssd/sssd.conf logrotate.d/sssd pam.d/sssd-shadowutils ; do test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i" || : 
@@ -613,20 +562,20 @@ done %endif # Migrate sssd.service from sssd-common to sssd if [ -e /run/systemd/rpm/sssd-was-enabled ]; then - systemctl is-enabled sssd.service >/dev/null - if [ $? -ne 0 ]; then - echo "Migrating sssd.service, was enabled" - systemctl enable sssd.service - fi - rm /run/systemd/rpm/sssd-was-enabled +systemctl is-enabled sssd.service > /dev/null +if [ $? -ne 0 ]; then + echo "Migrating sssd.service, was enabled" + systemctl enable sssd.service +fi +rm /run/systemd/rpm/sssd-was-enabled fi if [ -e /run/systemd/rpm/sssd-was-active ]; then - systemctl is-active sssd.service >/dev/null - if [ $? -ne 0 ]; then - echo "Migrating sssd.service, was active" - systemctl start sssd.service - fi - rm /run/systemd/rpm/sssd-was-active +systemctl is-active sssd.service > /dev/null +if [ $? -ne 0 ]; then + echo "Migrating sssd.service, was active" + systemctl start sssd.service +fi +rm /run/systemd/rpm/sssd-was-active fi %files -f sssd.lang @@ -639,15 +588,12 @@ fi %_unitdir/sssd-pac.socket %_unitdir/sssd-pac.service %_unitdir/sssd-pam.socket +%_unitdir/sssd-pam-priv.socket %_unitdir/sssd-pam.service %_unitdir/sssd-ssh.socket %_unitdir/sssd-ssh.service %_unitdir/sssd-sudo.socket %_unitdir/sssd-sudo.service -%_sysusersdir/*sssd* -%_tmpfilesdir/*sssd* -%_sysconfdir/permissions.d/* -%_datadir/polkit-1/ %_bindir/sss_ssh_* %_sbindir/sssd %if 0%{?suse_version} < 1600 
@@ -704,33 +650,32 @@ fi %_libexecdir/%name/sssd_autofs %_libexecdir/%name/sssd_be %_libexecdir/%name/sssd_nss -%attr(750,root,%sssd_user) %caps(cap_dac_read_search=p) %_libexecdir/%name/sssd_pam +%_libexecdir/%name/sssd_pam %_libexecdir/%name/sssd_ssh %_libexecdir/%name/sssd_sudo %_libexecdir/%name/sss_signal %_libexecdir/%name/sssd_check_socket_activated_responders %if 0%{?suse_version} >= 1600 -%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/selinux_child +%_libexecdir/%name/selinux_child %endif %dir %sssdstatedir -%attr(700,%sssd_user,%sssd_user) %dir %dbpath/ -%attr(755,%sssd_user,%sssd_user) %dir %pipepath/ -%attr(700,%sssd_user,%sssd_user) %dir %pipepath/private/ -%attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/ -%attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/krb5.include.d -%attr(755,%sssd_user,%sssd_user) %dir %gpocachepath/ -%attr(755,%sssd_user,%sssd_user) %dir %mcpath/ -%attr(700,%sssd_user,%sssd_user) %dir %keytabdir/ -%attr(750,%sssd_user,%sssd_user) %dir %_localstatedir/log/%name/ -%attr(775,%sssd_user,%sssd_user) %dir %sssdstatedir/ -%if "%{?_distconfdir}" != "" -%attr(750,root,%sssd_user) %dir %_distconfdir/sssd/ -%attr(750,root,%sssd_user) %dir %_distconfdir/sssd/conf.d -%attr(640,root,%sssd_user) %_distconfdir/sssd/sssd.conf +%attr(700,root,root) %dir %dbpath/ +%attr(755,root,root) %dir %pipepath/ +%attr(700,root,root) %dir %pipepath/private/ +%attr(755,root,root) %dir %pubconfpath/ +%attr(755,root,root) %dir %pubconfpath/krb5.include.d +%attr(755,root,root) %dir %gpocachepath/ +%attr(755,root,root) %dir %sssdstatedir/mc/ +%attr(700,root,root) %dir %sssdstatedir/keytabs/ +%attr(750,root,root) %dir %_localstatedir/log/%name/ +%if %{?_distconfdir:1} +%dir %_distconfdir/sssd/ +%%dir %_distconfdir/sssd/conf.d +%config(noreplace) %_distconfdir/sssd/sssd.conf %else -%attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/ -%attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/conf.d -%ghost %attr(640,root,%sssd_user) 
%config(noreplace) %_sysconfdir/sssd/sssd.conf +%dir %_sysconfdir/sssd/ +%%dir %_sysconfdir/sssd/conf.d +%config(noreplace) %_sysconfdir/sssd/sssd.conf %endif %if 0%{?suse_version} > 1500 %_distconfdir/logrotate.d/sssd @@ -749,12 +694,11 @@ fi %else %exclude %_mandir/*/*/sssd-files.5.gz %endif -%attr(775,%sssd_user,%sssd_user) %ghost %dir %_rundir/sssd %doc src/examples/sssd.conf # # sssd-client # -%_libdir/libnss_sss.so.2 +/%_lib/libnss_sss.so.2 %_pam_moduledir/pam_sss.so %_pam_moduledir/pam_sss_gss.so %_libdir/krb5/ @@ -839,8 +783,8 @@ fi %dir %_libdir/%name/ %_libdir/%name/libsss_krb5_common.so %dir %_libexecdir/%name/ -%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/krb5_child -%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/ldap_child +%_libexecdir/%name/krb5_child +%_libexecdir/%name/ldap_child %files ldap %dir %_libdir/%name/ @@ -857,7 +801,7 @@ fi %dir %_libdir/%name/ %_libdir/%name/libsss_proxy.so %dir %_libexecdir/%name/ -%attr(750,root,%sssd_user) %_libexecdir/%name/proxy_child +%_libexecdir/%name/proxy_child %dir %_datadir/%name/ %dir %_datadir/%name/sssd.api.d/ %_datadir/%name/sssd.api.d/sssd-proxy.conf @@ -878,8 +822,7 @@ fi %python3_sitelib/sssd/ %files winbind-idmap -%dir %_libdir/samba/ -%_libdir/samba/idmap/ +%_libdir/samba/ %_mandir/man8/idmap_sss.8* %files -n libipa_hbac0 From bbfc610706148d7eafd1f082ec4b07300c79e838d242838b74a2db2570a50901 Mon Sep 17 00:00:00 2001 
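Review bot: In the `@@ -704` hunk `sssd.conf` and its directories are listed without `%attr`, so their modes come solely from the %install commands (0600 for the file, 0755 for `conf.d` via `install -d -m 0755`); for a file and a snippet directory that may hold LDAP bind credentials, pin them explicitly: `%attr(700,root,root) %dir %_distconfdir/sssd/`, `%attr(700,root,root) %dir %_distconfdir/sssd/conf.d`, `%attr(600,root,root) %config(noreplace) %_distconfdir/sssd/sssd.conf`, and the same three lines for the `%_sysconfdir` branch. The two `%%dir` lines (double percent) look like a typo for `%dir`; macro expansion turns `%%` into `%` so rpm probably still reads them as the directive, but they should be spelled `%dir`. Dropping `%ghost` from the `%_sysconfdir/sssd/sssd.conf` entry means the example config is now installed as a real file on fresh installs; `%config(noreplace)` still protects an existing one, so this is fine as long as the `%install` line for that branch (outside this hunk) also installs it 0600.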
From: Jan Engelhardt Date: Wed, 27 Nov 2024 10:12:37 +0000 Subject: [PATCH 09/14] [info=6e6893108add570a0ec8a1cc983e87b11279bc98ee96e4f1af76ab397f1d0074] OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=330 --- ...on-make-sure-etc-sssd-and-everything.patch | 76 ++++++ 0001-INI-relax-config-files-checks.patch | 135 +++++++++ ...using-libini_config-for-access-check.patch | 182 +++++++++++++ ...t-path-when-config-object-is-rejecte.patch | 75 +++++ _scmsync.obsinfo | 8 +- build.specials.obscpio | 2 +- harden_sssd-kcm.service.patch | 14 +- sssd-2.10.0.tar.gz | 3 + sssd-2.10.0.tar.gz.asc | 16 ++ sssd-2.9.5.tar.gz | 3 - sssd-2.9.5.tar.gz.asc | 16 -- sssd.changes | 39 +++ sssd.spec | 257 +++++++++++------- 13 files changed, 697 insertions(+), 129 deletions(-) create mode 100644 0001-Configuration-make-sure-etc-sssd-and-everything.patch create mode 100644 0001-INI-relax-config-files-checks.patch create mode 100644 0001-INI-stop-using-libini_config-for-access-check.patch create mode 100644 0001-sssd-always-print-path-when-config-object-is-rejecte.patch create mode 100644 sssd-2.10.0.tar.gz create mode 100644 sssd-2.10.0.tar.gz.asc delete mode 100644 sssd-2.9.5.tar.gz delete mode 100644 sssd-2.9.5.tar.gz.asc diff --git a/0001-Configuration-make-sure-etc-sssd-and-everything.patch b/0001-Configuration-make-sure-etc-sssd-and-everything.patch new file mode 100644 index 0000000..8cf0fe0 --- /dev/null +++ b/0001-Configuration-make-sure-etc-sssd-and-everything.patch 
@@ -0,0 +1,76 @@ +From 8db2df4fcbd09badafbc207bd4150b5f1cc2d5fb Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Thu, 24 Oct 2024 15:34:26 +0200 +Subject: [PATCH] Configuration: make sure /etc/sssd and everything +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +beneath is owned by 'sssd' group and readable by group. + +This should allow for reasonable rw-r----- root:sssd + +At some points those chown/chmod can be removed. + +Reviewed-by: Justin Stephenson +Reviewed-by: Pavel Březina +Reviewed-by: Sumit Bose +(cherry picked from commit 518db322fdd5a4de41813fbe5bc35fc20392ce67) +--- + contrib/sssd.spec.in | 4 ++-- + src/sysv/systemd/sssd-kcm.service.in | 5 ++--- + src/sysv/systemd/sssd.service.in | 6 ++---- + 3 files changed, 6 insertions(+), 9 deletions(-) + +diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in +index 4fbacb959..83de563f3 100644 +--- a/contrib/sssd.spec.in ++++ b/contrib/sssd.spec.in +@@ -1136,9 +1136,9 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d /run/sssd -s /sbin/nologi + %__rm -f %{mcpath}/group + %__rm -f %{mcpath}/initgroups + %__rm -f %{mcpath}/sid ++%__chown -f -R root:%{sssd_user} %{_sysconfdir}/sssd || true ++%__chmod -f -R g+r %{_sysconfdir}/sssd || true + %__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true +-%__chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true +-%__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true + %__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true + %__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true + %__chown -f %{sssd_user}:%{sssd_user} %{gpocachepath}/* || true +diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in +index 0c839ec5c..ba9e27cd9 100644 +--- a/src/sysv/systemd/sssd-kcm.service.in ++++ b/src/sysv/systemd/sssd-kcm.service.in +@@ -9,9 +9,8 @@ Also=sssd-kcm.socket + + [Service] + Environment=DEBUG_LOGGER=--logger=files 
+-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@ +-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf +-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d ++ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@ ++ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@ + ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb" + ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log + ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER} +diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in +index 37e0a63f8..a6f79ff8a 100644 +--- a/src/sysv/systemd/sssd.service.in ++++ b/src/sysv/systemd/sssd.service.in +@@ -10,10 +10,8 @@ StartLimitBurst=5 + [Service] + Environment=DEBUG_LOGGER=--logger=files + EnvironmentFile=-@environment_file@ +-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@ +-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf +-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d +-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/pki ++ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@ ++ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@ + ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @dbpath@/*.ldb" + ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @gpocachepath@/*" + ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/*.log" +-- +2.47.0 + diff --git a/0001-INI-relax-config-files-checks.patch b/0001-INI-relax-config-files-checks.patch new file mode 100644 index 0000000..69ac630 --- /dev/null +++ b/0001-INI-relax-config-files-checks.patch 
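Review bot: `chmod -f -R g+r @sssdconfdir@` gives group `sssd` read permission on every entry but no search (`x`) bit on the directories, so if `@sssdconfdir@` or `conf.d` is installed 0700 (directory modes are not visible in this patch) the `sssd` user still cannot open `sssd.conf` after the chown; `g+rX` grants `x` only on directories and on files that already carry it. Change the two unit lines to `ExecStartPre=+-/bin/chmod -f -R g+rX @sssdconfdir@` and the spec.in line to `%__chmod -f -R g+rX %{_sysconfdir}/sssd || true`. Since this is an upstream cherry-pick, the correction should be sent upstream as well rather than only carried in the packaged copy.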
@@ -0,0 +1,135 @@ +From 340671f16abb9c26ae97b11c4e2845337e67973e Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Wed, 23 Oct 2024 20:59:32 +0200 +Subject: [PATCH] INI: relax config files checks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Only make sure: + - user is root or sssd + - group is root or sssd + - other can't access it + +Don't make any assumptions wrt user/group read/write-ability. + +Reviewed-by: Justin Stephenson +Reviewed-by: Pavel Březina +Reviewed-by: Sumit Bose +(cherry picked from commit 8472777ec472607ea450ddb4c4666017bd0de704) +--- + src/man/sssd.conf.5.xml | 5 ++- + src/util/sss_ini.c | 68 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 70 insertions(+), 3 deletions(-) + +diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml +index a074cc674..bf10acb2a 100644 +--- a/src/man/sssd.conf.5.xml ++++ b/src/man/sssd.conf.5.xml +@@ -57,9 +57,8 @@ + readable, and writeable only by 'root'. + + +- sssd.conf must be a regular file that is owned, +- readable, and writeable by the same user as configured to run SSSD +- service. ++ sssd.conf must be a regular file that is ++ accessible only by the user used to run SSSD service or root. 
+ + + +diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c +index e989d8caf..74cf61e0e 100644 +--- a/src/util/sss_ini.c ++++ b/src/util/sss_ini.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + #include + + #include "config.h" +@@ -781,6 +782,71 @@ int sss_ini_open(struct sss_ini *self, + return ret; + } + ++static int access_check_file(const char *filename) ++{ ++ int ret; ++ struct stat st; ++ uid_t uid; ++ gid_t gid; ++ ++ sss_sssd_user_uid_and_gid(&uid, &gid); ++ ++ ret = stat(filename, &st); ++ if (ret != 0) { ++ ret = errno; ++ DEBUG(SSSDBG_CRIT_FAILURE, "stat(%s) failed: %s\n", ++ filename, strerror(ret)); ++ return EINVAL; ++ } ++ ++ if ((st.st_uid != 0) && (st.st_uid != uid)) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected user owner of '%s': %"SPRIuid"\n", ++ filename, st.st_uid); ++ return ERR_INI_INVALID_PERMISSION; ++ } ++ ++ if ((st.st_gid != 0) && (st.st_gid != gid)) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected group owner of '%s': %"SPRIgid"\n", ++ filename, st.st_gid); ++ return ERR_INI_INVALID_PERMISSION; ++ } ++ ++ if ((st.st_mode & (S_IROTH|S_IWOTH|S_IXOTH)) != 0) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected access to '%s' by other users\n", ++ filename); ++ return ERR_INI_INVALID_PERMISSION; ++ } ++ ++ return EOK; ++} ++ ++static int access_check_ini(struct sss_ini *self) ++{ ++ int ret; ++ const char *path; ++ uint32_t i; ++ const char **snippet; ++ struct ref_array *used_snippets; ++ ++ if (self->main_config_exists) { ++ path = ini_config_get_filename(self->file); ++ ret = access_check_file(path); ++ if (ret != EOK) { ++ return ret; ++ } ++ } ++ ++ used_snippets = sss_ini_get_ra_success_list(self); ++ for (i = 0; (snippet = ref_array_get(used_snippets, i, NULL)) != NULL; ++i) { ++ ret = access_check_file(*snippet); ++ if (ret != EOK) { ++ return ret; ++ } ++ } ++ ++ return EOK; ++} ++ + int sss_ini_read_sssd_conf(struct sss_ini *self, + const char *config_file, + const char *config_dir) +@@ -833,5 +899,7 @@ int 
sss_ini_read_sssd_conf(struct sss_ini *self, + return ERR_INI_EMPTY_CONFIG; + } + ++ ret = access_check_ini(self); ++ + return ret; + } +-- +2.47.0 + diff --git a/0001-INI-stop-using-libini_config-for-access-check.patch b/0001-INI-stop-using-libini_config-for-access-check.patch new file mode 100644 index 0000000..abe0cb0 --- /dev/null +++ b/0001-INI-stop-using-libini_config-for-access-check.patch 
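Review bot: `access_check_file()` never checks `S_ISREG(st.st_mode)`, although the sssd.conf(5) text changed in the same patch still promises the file "must be a regular file"; because `stat()` follows symlinks, a symlink in conf.d pointing at a directory, FIFO or device with root/sssd ownership and no `other` bits passes the check. Add after the `stat()` call: `if (!S_ISREG(st.st_mode)) { DEBUG(SSSDBG_CRIT_FAILURE, "'%s' is not a regular file\n", filename); return ERR_INI_INVALID_PERMISSION; }`. A failed `stat()` is reported as `EINVAL`, which callers of `sss_ini_read_sssd_conf()` cannot tell from a bad argument; returning `ERR_INI_INVALID_PERMISSION` (or the saved errno) keeps it classified with the other permission failures. `sss_sssd_user_uid_and_gid()` is not visible here, so I am assuming it cannot fail.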
@@ -0,0 +1,182 @@ +From 1d19b8ad9415e0a12ed3aaf039d4d0956ef4dbad Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Wed, 23 Oct 2024 19:53:09 +0200 +Subject: [PATCH] INI: stop using 'libini_config' for access check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Reviewed-by: Justin Stephenson +Reviewed-by: Pavel Březina +Reviewed-by: Sumit Bose +--- + src/util/sss_ini.c | 100 +---------------------------------------------------- + src/util/sss_ini.h | 12 ------ + 2 files changed, 3 insertions(+), 109 deletions(-) + +Index: sssd-2.10.0/src/util/sss_ini.c +=================================================================== +--- sssd-2.10.0.orig/src/util/sss_ini.c ++++ sssd-2.10.0/src/util/sss_ini.c +@@ -147,81 +147,6 @@ static int sss_ini_config_file_from_mem( + &self->file); + } + +-/* Check configuration file permissions */ +- +-static bool is_running_sssd(void) +-{ +- static char exe[1024]; +- int ret; +- const char *s = NULL; +- +- ret = readlink("/proc/self/exe", exe, sizeof(exe) - 1); +- if ((ret > 0) && (ret < 1024)) { +- exe[ret] = 0; +- s = strstr(exe, debug_prg_name); +- if ((s != NULL) && (strlen(s) == strlen(debug_prg_name))) { +- return true; +- } +- } +- +- return false; +-} +- +-static int sss_ini_access_check(struct sss_ini *self) +-{ +- int ret; +- uint32_t flags = INI_ACCESS_CHECK_MODE; +- +- if (!self->main_config_exists) { +- return EOK; +- } +- +- if (is_running_sssd()) { +- flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID; +- } +- +- ret = ini_config_access_check(self->file, +- flags, +- geteuid(), +- getegid(), +- S_IRUSR, /* r**------ */ +- ALLPERMS & ~(S_IWUSR|S_IXUSR)); +- +- return ret; +-} +- +- +- +-/* Get cstat */ +- +-int sss_ini_get_stat(struct sss_ini *self) +-{ +- self->cstat = ini_config_get_stat(self->file); +- +- if (!self->cstat) return EIO; +- +- return EOK; +-} +- +- +- +-/* Get mtime */ +- +-int sss_ini_get_mtime(struct sss_ini *self, +- size_t timestr_len, +- char 
*timestr) +-{ +- return snprintf(timestr, timestr_len, "%llu", +- (long long unsigned)self->cstat->st_mtime); +-} +- +-/* Get file_exists */ +- +-bool sss_ini_exists(struct sss_ini *self) +-{ +- return self->main_config_exists; +-} +- + /* Print ini_config errors */ + + static void sss_ini_config_print_errors(char **error_list) +@@ -289,7 +214,6 @@ static int sss_ini_add_snippets(struct s + uint32_t i = 0; + char *msg = NULL; + struct ini_cfgobj *modified_sssd_config = NULL; +- struct access_check snip_check; + + if (self == NULL || self->sssd_config == NULL || config_dir == NULL) { + return EINVAL; +@@ -297,21 +221,11 @@ static int sss_ini_add_snippets(struct s + + sss_ini_free_ra_messages(self); + +- snip_check.flags = INI_ACCESS_CHECK_MODE; +- +- if (is_running_sssd()) { +- snip_check.flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID; +- } +- snip_check.uid = geteuid(); +- snip_check.gid = getegid(); +- snip_check.mode = S_IRUSR; /* r**------ */ +- snip_check.mask = ALLPERMS & ~(S_IWUSR | S_IXUSR); +- + ret = ini_config_augment(self->sssd_config, + config_dir, + patterns, + sections, +- &snip_check, ++ NULL, + INI_STOP_ON_ANY, + INI_MV1S_OVERWRITE, + INI_PARSE_NOWRAP, +@@ -894,15 +808,7 @@ int sss_ini_read_sssd_conf(struct sss_in + return ERR_INI_OPEN_FAILED; + } + +- if (sss_ini_exists(self)) { +- ret = sss_ini_access_check(self); +- if (ret != EOK) { +- DEBUG(SSSDBG_CRIT_FAILURE, +- "Permission check on config file %s failed: %d\n", +- config_file, ret); +- return ERR_INI_INVALID_PERMISSION; +- } +- } else { ++ if (!self->main_config_exists) { + DEBUG(SSSDBG_CONF_SETTINGS, + "File %s does not exist.\n", config_file); + } +@@ -923,7 +829,7 @@ int sss_ini_read_sssd_conf(struct sss_in + return ERR_INI_ADD_SNIPPETS_FAILED; + } + +- if (!sss_ini_exists(self) && ++ if ((!self->main_config_exists) && + (ref_array_len(sss_ini_get_ra_success_list(self)) == 0)) { + return ERR_INI_EMPTY_CONFIG; + } +Index: sssd-2.10.0/src/util/sss_ini.h 
+=================================================================== +--- sssd-2.10.0.orig/src/util/sss_ini.h ++++ sssd-2.10.0/src/util/sss_ini.h +@@ -81,18 +81,6 @@ int sss_ini_open(struct sss_ini *self, + const char *fallback_cfg); + + /** +- * @brief Check whether sss_ini_open() reported that ini file is +- * not present +- * +- * @param[in] self pointer to sss_ini structure +- * +- * @return +- * - true we are using ini file +- * - false file was not found +- */ +-bool sss_ini_exists(struct sss_ini *self); +- +-/** + * @brief get Cstat structure of the ini file + */ + int sss_ini_get_stat(struct sss_ini *self); diff --git a/0001-sssd-always-print-path-when-config-object-is-rejecte.patch b/0001-sssd-always-print-path-when-config-object-is-rejecte.patch new file mode 100644 index 0000000..d24c30a --- /dev/null +++ b/0001-sssd-always-print-path-when-config-object-is-rejecte.patch 
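Review bot: The sss_ini.h hunk removes only the `sss_ini_exists()` prototype, while the sss_ini.c hunk also deletes the definitions of `sss_ini_get_stat()` and `sss_ini_get_mtime()`; the `sss_ini_get_stat` declaration is still visible at the end of the header hunk, so the header now advertises a function that no longer exists (a link error for any remaining caller, otherwise dead API) — drop those prototypes too, and the `cstat` member if nothing else reads it. On its own this patch also leaves `sss_ini_read_sssd_conf()` without any ownership or permission check and passes `NULL` as the access check to `ini_config_augment()`; the replacement check only arrives with the "INI: relax config files checks" patch, so the two must stay adjacent and ordered in the spec. Unlike the neighbouring patches this one carries no "cherry picked from" line, so record the upstream commit or PR it corresponds to.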
@@ -0,0 +1,75 @@ +From 1a743a4123c104a10c694f7ee9d2f0a1e7182513 Mon Sep 17 00:00:00 2001 +From: Jan Engelhardt +Date: Wed, 16 Oct 2024 09:55:50 +0200 +Subject: [PATCH] sssd: always print path when config object is rejected +References: https://github.com/SSSD/sssd/pull/7649 + +Observed: + +``` +Oct 16 09:44:04 a4 sssd[28717]: [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed. +Oct 16 09:44:04 a4 sssd[28717]: Can't read config: 'File ownership and permissions check failed' +Oct 16 09:44:04 a4 sssd[28717]: Failed to read configuration: 'File ownership and permissions check failed' +``` + +Expected: + +_Well yes, but **which one**_!? + +Reviewed-by: Alexey Tikhonov +Reviewed-by: Justin Stephenson +(cherry picked from commit 2b7915dd84a6b8c3ee26e45357283677fe22f2cb) +--- + src/util/sss_ini.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c +index 7f9824d88..2a611eb8c 100644 +--- a/src/util/sss_ini.c ++++ b/src/util/sss_ini.c +@@ -888,7 +888,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self, + ret = sss_ini_open(self, config_file, "[sssd]\n"); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "The sss_ini_open failed %s: %d\n", ++ "sss_ini_open on %s failed: %d\n", + config_file, + ret); + return ERR_INI_OPEN_FAILED; +@@ -898,26 +898,28 @@ int sss_ini_read_sssd_conf(struct sss_ini *self, + ret = sss_ini_access_check(self); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "Permission check on config file failed.\n"); ++ "Permission check on config file %s failed: %d\n", ++ config_file, ret); + return ERR_INI_INVALID_PERMISSION; + } + } else { + DEBUG(SSSDBG_CONF_SETTINGS, +- "File %1$s does not exist.\n", +- (config_file ? 
config_file : "NULL")); ++ "File %s does not exist.\n", config_file); + } + + ret = sss_ini_parse(self); + if (ret != EOK) { + sss_ini_config_print_errors(self->error_list); +- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration.\n"); ++ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration file %s: %d\n", ++ config_file, ret); + return ERR_INI_PARSE_FAILED; + } + + ret = sss_ini_add_snippets(self, config_dir); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, +- "Error while reading configuration directory.\n"); ++ "Error while reading configuration directory %s: %d\n", ++ config_dir, ret); + return ERR_INI_ADD_SNIPPETS_FAILED; + } + +-- +2.47.0 + diff --git a/_scmsync.obsinfo b/_scmsync.obsinfo index a092931..9d0500b 100644 --- a/_scmsync.obsinfo +++ b/_scmsync.obsinfo @@ -1,4 +1,4 @@ -mtime: 1721222057 -commit: 8faca55b4aa3e3e74cbabb4b015f0b7beb4b2f1dd7b98a27b382d43be057f672 -url: https://src.opensuse.org/pool/sssd -revision: factory +mtime: 1730841300 +commit: 6e6893108add570a0ec8a1cc983e87b11279bc98ee96e4f1af76ab397f1d0074 +url: https://src.opensuse.org/jengelh/sssd +revision: master diff --git a/build.specials.obscpio b/build.specials.obscpio index 3ea1e2e..a63500c 100644 --- a/build.specials.obscpio +++ b/build.specials.obscpio @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:c18d7bdbfefa831e2d93711cb40de6966d0c640e4ec9dccbb61cf299ca5aedaf +oid sha256:b7a95490a831fb30d7292118e7a21e6aa16cf2dbbe3f4d6d804adf9189d0e397 size 256 diff --git a/harden_sssd-kcm.service.patch b/harden_sssd-kcm.service.patch index 183e0b0..5ff85b4 100644 --- a/harden_sssd-kcm.service.patch +++ b/harden_sssd-kcm.service.patch 
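Review bot: The rewritten "File %s does not exist" message passes `config_file` directly to `%s`, dropping the `(config_file ? config_file : "NULL")` guard the old line carried; if a caller can pass a NULL `config_file` (the guard suggests one did), formatting it is undefined behaviour — glibc prints `(null)`, other libcs may crash. Either keep the ternary, or hoist it once at the top of the function, `const char *cf = config_file ? config_file : "NULL";`, and use `cf` in all four messages (the `sss_ini_open` failure message has the same exposure). The same consideration applies to `config_dir` in the snippets message.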
@@ -1,7 +1,11 @@ -Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in +--- + src/sysv/systemd/sssd-kcm.service.in | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in =================================================================== ---- sssd-2.5.2.orig/src/sysv/systemd/sssd-kcm.service.in -+++ sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in +--- sssd-2.10.0.orig/src/sysv/systemd/sssd-kcm.service.in ++++ sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in @@ -8,6 +8,19 @@ After=sssd-kcm.socket Also=sssd-kcm.socket @@ -20,5 +24,5 @@ Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in +RestrictRealtime=true +# end of automatic additions Environment=DEBUG_LOGGER=--logger=files - ExecStartPre=-@sbindir@/sssd --genconf-section=kcm - ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER} + ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@ + ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@ diff --git a/sssd-2.10.0.tar.gz b/sssd-2.10.0.tar.gz new file mode 100644 index 0000000..38e2605 --- /dev/null +++ b/sssd-2.10.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0b1167e8017209ec25b9683e0006947eaa0cfd7a8161bfea120bd8511006db0d +size 9177851 diff --git a/sssd-2.10.0.tar.gz.asc b/sssd-2.10.0.tar.gz.asc new file mode 100644 index 0000000..3783730 --- /dev/null +++ b/sssd-2.10.0.tar.gz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmcOPUoACgkQ09IbKRDP +Z1myuA//anDvdZcQp0EUia2NsiWt2MFE8esmsEIN6QmEYjUxvEeXI9q4YJQimMi8 +wdt0zqZE1PLrTcroWaeGcgt2+CJWUbVanZtNn3oo7lUVYrLKemrUzavM7dXTaA43 +cdKAFyEO+nHJQ2yBNUt6sRXc3tM0H27yZs0iL+CcYu6YshUTbMnZuwdpz7DqDTN8 +nbG+LWa+U0en5mI3waP8Ionwmdv9AJAuCHQZLlZDpM0+YfGumcIUJdbxU/I8pqP8 +MQaulPv3e+BNwdbUiLlk0cXRjuEfSd0bmMa3MqB4IqMvvjACU0GuSgK3FDhutZJe +HfmzYSo/Zntmr7F/eYLz6zy/GU3VewEilOyRV08oz+EVJRbGyo2t4k6PUYbn+I4V +kJ/maed5jnBzIZGf6o+P1r+3mavJg7k2LDV4s48MsZ4Y5ED4X0c+boT1L5FZbquW +gp99Di0RG4VoWiYOfVfszLzeDWOLbOrKMyA6PTqlmjGYAdV9SBwZP5WEdwXyPovo +D7uual7Eqdd+Y/lt+8O4Wd+Y+a9xI2kwVFo8KYmHc8PhgLpPIKTWbBTEI+0nw3fJ +qqyyA7JWA81bt4WKVuJaeS87S/9F4yn8ps2dzSgHjZ2Tzr7Eu1a3RWLjKYsjKZrT +PPd2d/02rQAZPwLYHN5qM3Xjh0DD7IiXav1QuIPxmUQA9z8ZiuA= +=mJVY +-----END PGP SIGNATURE----- diff --git a/sssd-2.9.5.tar.gz b/sssd-2.9.5.tar.gz deleted file mode 100644 index 09b8ff1..0000000 --- a/sssd-2.9.5.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:bf955cc26b6d215bbb9083eadb613f78d7b727fb023f39987aec37680ae40ae3 -size 8001964 diff --git a/sssd-2.9.5.tar.gz.asc b/sssd-2.9.5.tar.gz.asc deleted file mode 100644 index 05b00fc..0000000 --- a/sssd-2.9.5.tar.gz.asc +++ /dev/null 
@@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmZF8CMACgkQ09IbKRDP -Z1lSVQ/9EPVvWUX1z/pHfbvDjRpfD+LDbDceYB4YBh0caYpMVFm/2wHhFIjTYEpf -SmIR+SQp50NkRSK6tE/u+Swu+YUkiCqnEWv2y9wd4Uh2NKiukyiqBC1k2cn9URNu -oRreBM1KIRvTkdoyZwteELJ7vMLVr0UT2iIXZQFIIZX+LM3FNZJ5vFcj5fF0Hz1f -v8zR0VTB7xY/6U+4KikvMyM3fOPeTOJvEtMp4xDWyquRjCADjZasOQcKRQzXp1er -zs/qLcQ8eCODXhKelGqmppVIElW+72f1FNbMpBnlQ7VtFn6pn4sPazO0Hr7eNfZJ -Vc6GXN8zZ/oF5U4x7XSMVqeOHLQoLeb2HxgUzS+1Ig19FHOs6Xoj0dO5l/TOEFav -l61qytYnj3DNZjrMVLsMvOx3qGYK7PmyaWNoIJlLO2GbWKMP/8yBm35Ugd0jybSi -T7VWX+isQHfVhSZ9wD4/yYOBAU3lABORAjXkCWQp/vMR/KiHbfaajCAbl56KiijQ -eKYaq57EH3N+qKd1sqCrPfSw3HSqm3rngG1CsMasBQgLFs2aW+Mwo3UvQ1U/ykED -mOo2D9uhOQluv4AUSpKK6E8EXoPSxDFZI4WX37depO2VGXDO90JNfVamJXjy1+bH -d/RnoZfC7h7Vb1P1bPgGdsAFQBOP0FinbEjehpw0P0U2xAZQWek= -=pY7t ------END PGP SIGNATURE----- diff --git a/sssd.changes b/sssd.changes index ec838e0..5b4d1eb 100644 --- a/sssd.changes +++ b/sssd.changes 
@@ -1,3 +1,42 @@ +------------------------------------------------------------------- +Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt + +- Update to release 2.10.0 + * The ``sssctl cache-upgrade`` command was removed. SSSD + performs automatic upgrades at startup when needed. + * Support of ``enumeration`` feature (i.e. ability to list all + users/groups using ``getent passwd/group`` without argument) + for AD/IPA providers is deprecated and might be removed in + further releases. + * The new tool ``sss_ssh_knownhosts`` can be used with ssh's + ``KnownHostsCommand`` configuration option to retrieve the + host's public keys from a remote server (FreeIPA, LDAP, + etc.). It replaces ```sss_ssh_knownhostsproxy``. + * The default value for ``ldap_id_use_start_tls`` changed from + false to true for improved security. + * https://github.com/SSSD/sssd/releases/tag/2.10.0 +- Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch, + 0001-INI-stop-using-libini_config-for-access-check.patch, + 0001-INI-relax-config-files-checks.patch, + 0001-Configuration-make-sure-etc-sssd-and-everything.patch +- Fix socket activation of responders +- Daemon runs now as unprivileged user 'sssd' + +------------------------------------------------------------------- +Tue Oct 1 10:15:07 UTC 2024 - Jan Engelhardt + +- Update filelists involving memberof.so and idmap/sss.so to + avoid gobbling up one file into multiple sssd subpackages. + (Between samba-4.20 and 4.21, %ldbdir changes from + /usr/lib64/ldb2/modules/ldb to /usr/lib64/samba/ldb, so now + `%_libdir/samba` is a bit too broad.) + +------------------------------------------------------------------- +Wed Jul 17 09:19:20 UTC 2024 - Samuel Cabrero + +- Fix spec file for openSUSE ALP and SUSE SLFO, where the + python3_fix_shebang_path RPM macro is not available + ------------------------------------------------------------------- Thu Jul 11 09:41:21 UTC 2024 - Samuel Cabrero 
diff --git a/sssd.spec b/sssd.spec index 41a153c..d360e18 100644 --- a/sssd.spec +++ b/sssd.spec @@ -17,7 +17,7 @@ Name: sssd -Version: 2.9.5 +Version: 2.10.0 Release: 0 Summary: System Security Services Daemon License: GPL-3.0-or-later AND LGPL-3.0-or-later @@ -28,10 +28,14 @@ Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%v Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc Source3: baselibs.conf Source5: %name.keyring -Patch1: krb-noversion.diff -Patch2: harden_sssd-ifp.service.patch -Patch3: harden_sssd-kcm.service.patch -Patch4: symvers.patch +Patch3: 0001-sssd-always-print-path-when-config-object-is-rejecte.patch +Patch4: 0001-INI-stop-using-libini_config-for-access-check.patch +Patch5: 0001-INI-relax-config-files-checks.patch +Patch6: 0001-Configuration-make-sure-etc-sssd-and-everything.patch +Patch11: krb-noversion.diff +Patch12: harden_sssd-ifp.service.patch +Patch13: harden_sssd-kcm.service.patch +Patch14: symvers.patch BuildRequires: autoconf >= 2.59 BuildRequires: automake BuildRequires: bind-utils 
@@ -53,21 +57,26 @@ BuildRequires: nss_wrapper BuildRequires: openldap2-devel BuildRequires: pam-devel BuildRequires: pkg-config >= 0.21 +BuildRequires: python3-wheel +BuildRequires: python3-setuptools BuildRequires: systemd-rpm-macros +BuildRequires: sysuser-tools BuildRequires: uid_wrapper BuildRequires: pkgconfig(augeas) >= 1.0.0 BuildRequires: pkgconfig(collection) >= 0.5.1 BuildRequires: pkgconfig(dbus-1) >= 1.0.0 BuildRequires: pkgconfig(dhash) >= 0.4.2 BuildRequires: pkgconfig(glib-2.0) -BuildRequires: pkgconfig(ini_config) >= 1.1.0 +BuildRequires: pkgconfig(ini_config) >= 1.3 BuildRequires: pkgconfig(jansson) -BuildRequires: pkgconfig(ldb) >= 0.9.2 +BuildRequires: pkgconfig(ldb) >= 1.2.0 +BuildRequires: pkgconfig(libcap) BuildRequires: pkgconfig(libcares) -BuildRequires: pkgconfig(libcrypto) +BuildRequires: pkgconfig(libcrypto) >= 1.0.1 %if 0%{?suse_version} >= 1600 BuildRequires: pkgconfig(libcurl) %endif +BuildRequires: pkgconfig(libcap) BuildRequires: pkgconfig(libnfsidmap) BuildRequires: pkgconfig(libnl-3.0) >= 3.0 BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0 @@ -86,7 +95,17 @@ BuildRequires: pkgconfig(talloc) BuildRequires: pkgconfig(tdb) >= 1.1.3 BuildRequires: pkgconfig(tevent) BuildRequires: pkgconfig(uuid) +%if 0%{?suse_version} && 0%{?suse_version} < 1600 +# samba-client-devel pulls samba-client-libs pulls libldap-2_4-2 wants libldap-data(-2.4); +# this conflicts with +# openldap2-devel pulls libldap2 wants libldap-data(-2.6) +# Package contains just config files, not needed for build. +#!BuildIgnore: libldap-data +%endif +%sysusers_requires %{?systemd_ordering} +Requires(post): permissions +Requires(verify): permissions Requires: sssd-ldap = %version-%release Requires(postun): pam-config Provides: libsss_sudo = %version-%release 
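Review bot: `BuildRequires: pkgconfig(libcap)` is added twice in the first hunk — once directly after `pkgconfig(ldb) >= 1.2.0` and again right after the `%endif` of the libcurl block; rpmbuild tolerates the duplicate, but one of the two lines should go. The libcap dependency is presumably there for the child helpers that later receive `%caps(...)` file capabilities, and a one-line comment next to it (`# libcap: child helpers are installed with file capabilities, see %%files`) would save the next reader a search. The `#!BuildIgnore: libldap-data` block in the second hunk is well commented; the new `%sysusers_requires` and `Requires(post): permissions` / `Requires(verify): permissions` lines would benefit from the same treatment, since they exist to support the new sssd user and the permissions.d entries created in %install.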
@@ -95,16 +114,20 @@ Obsoletes: libsss_sudo < %version-%release Provides: sssd-common = %version-%release Obsoletes: sssd-common < %version-%release +%global sssd_user sssd %define servicename sssd %define sssdstatedir %_localstatedir/lib/sss %define dbpath %sssdstatedir/db %define pipepath %sssdstatedir/pipes %define pubconfpath %sssdstatedir/pubconf %define gpocachepath %sssdstatedir/gpo_cache +%define keytabdir %sssdstatedir/keytabs +%define mcpath %sssdstatedir/mc %define ldbdir %(pkg-config ldb --variable=modulesdir) +%define child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep # Both SSSD and cifs-utils provide an idmap plugin for cifs.ko -# %_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins +# %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins # * cifs-utils one is the default (priority 20) # * installing SSSD should NOT switch to SSSD plugin (priority 10) %define cifs_idmap_plugin %_sysconfdir/cifs-utils/idmap-plugin @@ -115,11 +138,11 @@ Requires(post): update-alternatives Requires(postun): update-alternatives %description -Provides a set of daemons to manage access to remote directories and -authentication mechanisms. It provides an NSS and PAM interface toward -the system and a pluggable backend system to connect to multiple different -account sources. It is also the basis to provide client auditing and policy -services for projects like FreeIPA. +A set of daemons to manage access to remote directories and +authentication mechanisms. sssd provides an NSS and PAM interfaces +toward the system and a pluggable backend system to connect to +multiple different account sources. It is also the basis to provide +client auditing and policy services for projects like FreeIPA. %package ad Summary: The ActiveDirectory backend plugin for sssd 
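Review bot: The reworded `%description` reads `sssd provides an NSS and PAM interfaces toward the system`, which is ungrammatical; `sssd provides NSS and PAM interfaces toward the system` fixes it. `%define child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep` is introduced without saying what it is for; a comment such as `# file capabilities for the child helpers (krb5_child, ldap_child, selinux_child), applied via %%caps in %%files and permissions.d` would ground it, and because `cap_dac_override` bypasses file permission checks it is worth recording why the helpers need that one in particular. This hunk also introduces `%global sssd_user sssd` in the middle of a run of `%define`s; the spec otherwise uses `%define` for its local settings, so one form throughout keeps the block consistent.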
@@ -129,9 +152,8 @@ Requires: %name-krb5-common = %version-%release Requires: adcli %description ad -Provides the Active Directory back end that the SSSD can utilize to -fetch identity data from and authenticate against an Active Directory -server. +A back-end provider that the SSSD can utilize to fetch identity data +from, and authenticate with, an Active Directory server. %package dbus Summary: The D-Bus responder of sssd @@ -140,7 +162,7 @@ Group: System/Base Requires: %name = %version %description dbus -Provides the D-Bus responder of sssd, called InfoPipe, which allows +D-Bus responder of sssd, called InfoPipe, which allows information from sssd to be transmitted over the system bus. %package ipa @@ -154,8 +176,8 @@ Obsoletes: %name-ipa-provider < %version-%release Provides: %name-ipa-provider = %version-%release %description ipa -Provides the IPA back end that the SSSD can utilize to fetch identity -data from and authenticate against an IPA server. +A back-end provider that the SSSD can utilize to fetch identity data +from, and authenticate with, an IPA server. %package kcm Summary: SSSD's Kerberos cache manager @@ -174,14 +196,16 @@ Group: System/Daemons Requires: %name-krb5-common = %version-%release %description krb5 -Provides the Kerberos back end that the SSSD can utilize authenticate -against a Kerberos server. +A back-end provider that the SSSD can utilize to authenticate against +a Kerberos server. %package krb5-common Summary: SSSD helpers needed for Kerberos and GSSAPI authentication License: GPL-3.0-or-later Group: System/Daemons Requires: cyrus-sasl-gssapi +Requires(post): permissions +Requires(verify): permissions %description krb5-common Provides helper processes that the LDAP and Kerberos back ends can 
@@ -194,8 +218,8 @@ Group: System/Daemons Requires: %name-krb5-common = %version-%release %description ldap -Provides the LDAP back end that the SSSD can utilize to fetch -identity data from and authenticate against an LDAP server. +A back-end provider that the SSSD can utilize to fetch identity data +from, and authenticate with, an LDAP server. %package proxy Summary: The proxy backend plugin for sssd @@ -203,8 +227,8 @@ License: GPL-3.0-or-later Group: System/Daemons %description proxy -Provides the proxy back end which can be used to wrap an existing NSS -and/or PAM modules to leverage SSSD caching. +A back-end provider which can be used to wrap existing NSS and/or PAM +modules to leverage SSSD caching. (This can replace nscd.) %package tools Summary: Commandline tools for sssd @@ -214,7 +238,7 @@ Requires: python3-sssd-config = %version-%release Requires: sssd = %version %description tools -The packages contains commandline tools for managing users and groups using +The packages contains command-line tools for managing users and groups using the "local" id provider of the System Security Services Daemon (sssd). %package winbind-idmap @@ -231,7 +255,7 @@ License: LGPL-3.0-or-later Group: System/Libraries %description -n libsss_certmap0 -A utility library for FreeIPA to map certs. +A utility library for FreeIPA to map certificates. %package -n libsss_certmap-devel Summary: Development files for the FreeIPA certmap library @@ -240,7 +264,7 @@ Group: Development/Libraries/C and C++ Requires: libsss_certmap0 = %version %description -n libsss_certmap-devel -A utility library for FreeIPA to map certs. +A utility library for FreeIPA to map certificates. %package -n libipa_hbac0 Summary: FreeIPA HBAC Evaluator library 
@@ -304,7 +328,6 @@ Requires: libsss_nss_idmap0 = %version %description -n libsss_nss_idmap-devel A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs. -%if 0%{?suse_version} < 1600 %package -n libsss_simpleifp0 Summary: The SSSD D-Bus responder helper library License: GPL-3.0-or-later @@ -327,7 +350,6 @@ Requires: libsss_simpleifp0 = %version This subpackage provides the development files for sssd's simpleifp, a library that simplifies the D-Bus API for the SSSD InfoPipe responder. -%endif %package -n libsss_sudo Summary: A library to allow communication between sudo and SSSD @@ -394,33 +416,32 @@ autoreconf -fiv --with-environment-file="%_sysconfdir/sysconfig/sssd" \ --with-initscript=systemd \ --with-syslog=journald \ - --with-pid-path="%_rundir" \ - --enable-nsslibdir="/%_lib" \ + --with-pid-path="%_rundir/sssd" \ --enable-pammoddir="%_pam_moduledir" \ --with-ldb-lib-dir="%ldbdir" \ --with-os=suse \ --disable-ldb-version-check \ --without-python2-bindings \ --without-oidc-child \ + --with-sssd-user="%sssd_user" \ %if 0%{?suse_version} >= 1600 --with-selinux=yes \ --with-subid %else --with-selinux=no \ - --with-semanage=no \ --with-libsifp \ --with-files-provider %endif %make_build all %install -# sss_obfuscate is compatible with both python 2 and 3 +# sss_obfuscate is compatible with both Python 2 and 3 perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate %make_install dbuspolicydir=%_datadir/dbus-1/system.d b="%buildroot" # Copy some defaults -%if %{?_distconfdir:1} +%if "%{?_distconfdir}" != "" install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_distconfdir/sssd/sssd.conf" install -d -m 0755 "$b/%_distconfdir/sssd/conf.d" %else 
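Review bot: The `%if 0%{?suse_version} < 1600` guard around the libsss_simpleifp0 subpackage is dropped in the first two hunks, yet `--with-libsifp` is still passed only inside the `%else` branch (suse_version < 1600) of the configure call in the third hunk, and the `@@ -474,38` hunk adds `%ldconfig_scriptlets -n libsss_simpleifp0` unconditionally. Unless the 2.10 build produces that library regardless of the flag, which I cannot tell from here, a >= 1600 build now declares a subpackage whose contents are never built; either keep the guard or move `--with-libsifp` out of the `%else` branch. Replacing `%if %{?_distconfdir:1}` with `%if "%{?_distconfdir}" != ""` is the right fix, since the old form expands to an empty condition when the macro is undefined; a short comment such as `# /usr/etc layout is used only where %%_distconfdir is defined` would explain the conditional to the next reader.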
@@ -448,20 +469,40 @@ find "$b" -type f -name "*.la" -print -delete %find_lang %name --all-name # dummy target for cifs-idmap-plugin -mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils -ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin +mkdir -pv "$b/%_sysconfdir/alternatives" "$b/%_sysconfdir/cifs-utils" +ln -sfv "%_sysconfdir/alternatives/%cifs_idmap_name" "$b/%cifs_idmap_plugin" %python3_fix_shebang -%if 0%{?suse_version} >= 1600 -%python3_fix_shebang_path %buildroot/%_libexecdir/%name/ +%if 0%{?suse_version} > 1600 +%python3_fix_shebang_path %buildroot/%_libexecdir/%name/sss_analyze +%elif 0%{?suse_version} == 1600 +# python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204 +sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analyze" %endif +echo 'u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin' >system-user-sssd.conf +mkdir -p "$b/%_sysusersdir" "$b/etc/permissions.d" +cp -a system-user-sssd.conf "$b/%_sysusersdir/" +%sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf +install -Dpm 0644 contrib/sssd-tmpfiles.conf "%buildroot/%_tmpfilesdir/%name.conf" +# should match entry from %%files list +cat >"$b/etc/permissions.d/sssd" <<-EOF + %_libexecdir/sssd/sssd_pam root:sssd 0750 + +capabilities cap_dac_read_search=p + %_libexecdir/sssd/selinux_child root:sssd 0750 + +capabilities %child_capabilities + %_libexecdir/sssd/krb5_child root:sssd 0750 + +capabilities %child_capabilities + %_libexecdir/sssd/ldap_child root:sssd 0750 + +capabilities %child_capabilities +EOF + %check # sss_config-tests fails %make_build check || : -%pre -%service_add_pre sssd.service -%if %{?_distconfdir:1} +%pre -f random.pre +%service_add_pre sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket 
sssd-sudo.service sssd-sudo.socket +%if "%{?_distconfdir}" != "" # Prepare for migration to /usr/etc; save any old .rpmsave for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i.rpmsave.old" || : 
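Review bot: The comment `# python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204` disagrees with the branch it annotates: the macro is used only for `> 1600` while the sed fallback covers `== 1600`, so either the condition or the comment is off by one, and `python-rom-macros` is presumably `python-rpm-macros`. The fallback hardcodes `#!%_bindir/python3.11`, which silently becomes a wrong interpreter if the product's default Python changes; `sed -i '1s@#!.*python.*@#!%_bindir/python%{python3_version}@'` would track it. The sysusers line writes the literal `/run/sssd` as the home directory while the rest of the spec uses `%_rundir/sssd`; using the macro keeps the two from drifting. The %install section this hunk belongs to starts outside the hunk.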
@@ -474,38 +515,38 @@ done if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then /bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' "%_sysconfdir/sssd/sssd.conf" fi -%service_add_post sssd.service +%service_add_post sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket + +%_bindir/rm -f %mcpath/passwd %mcpath/group %mcpath/initgroups %mcpath/sid +%tmpfiles_create %name.conf +%set_permissions %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam # install SSSD cifs-idmap plugin as an alternative update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority %preun -%service_del_preun sssd.service +%service_del_preun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket %postun /sbin/ldconfig -if [ "$1" = "0" -a -x "%_sbindir/pam-config" ]; then +if [ "$1" = "0" ] && [ -x "%_sbindir/pam-config" ]; then "%_sbindir/pam-config" -d --sss || : fi # del_postun includes a try-restart -%service_del_postun sssd.service +%service_del_postun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket if [ ! 
-f "%cifs_idmap_lib" ]; then update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib fi -%post -n libsss_certmap0 -p /sbin/ldconfig -%postun -n libsss_certmap0 -p /sbin/ldconfig -%post -n libipa_hbac0 -p /sbin/ldconfig -%postun -n libipa_hbac0 -p /sbin/ldconfig -%post -n libsss_idmap0 -p /sbin/ldconfig -%postun -n libsss_idmap0 -p /sbin/ldconfig -%post -n libsss_nss_idmap0 -p /sbin/ldconfig -%postun -n libsss_nss_idmap0 -p /sbin/ldconfig -%if 0%{?suse_version} < 1600 -%post -n libsss_simpleifp0 -p /sbin/ldconfig -%postun -n libsss_simpleifp0 -p /sbin/ldconfig -%endif +%ldconfig_scriptlets -n libsss_certmap0 +%ldconfig_scriptlets -n libipa_hbac0 +%ldconfig_scriptlets -n libsss_idmap0 +%ldconfig_scriptlets -n libsss_nss_idmap0 +%ldconfig_scriptlets -n libsss_simpleifp0 + +%verifyscript +%verify_permissions -e %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam %triggerun -- %name < %version-%release # sssd takes care of upgrading the database but it doesn't handle downgrades. 
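Review bot: The eleven-unit list after `%service_add_post` is repeated verbatim four times between this hunk and the `@@ -448,20` one (`%service_add_pre`, `%service_add_post`, `%service_del_preun`, `%service_del_postun`); a single `%global sssd_units sssd.service sssd-autofs.service sssd-autofs.socket ... sssd-sudo.socket` followed by `%service_add_post %sssd_units` keeps the four in sync when a unit is added or removed. The new `%post` clears the memcache files and applies `%set_permissions` to the helper binaries, but it does not re-own state that a previous root-running 2.9.5 left under `%dbpath`, `%gpocachepath` or the log directory; if the shipped service unit's ExecStartPre chown lines are relied on for that, a comment such as `# pre-2.10 root-owned state is re-owned at service start, not here` would make the upgrade path explicit. The `[ "$1" = "0" ] && [ -x ... ]` rewrite is a good POSIX-sh cleanup.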
@@ -540,21 +581,31 @@ fi %postun kcm %service_del_postun sssd-kcm.service sssd-kcm.socket +%pre krb5-common -f random.pre + +%post krb5-common +%set_permissions %_libexecdir/%name/krb5_child %_libexecdir/%name/ldap_child + +%verifyscript krb5-common +%verify_permissions -e %_libexecdir/%name/krb5_child %_libexecdir/%name/ldap_child + +%pre proxy -f random.pre + %pretrans # Migrate sssd.service from sssd-common to sssd systemctl is-enabled sssd.service > /dev/null if [ $? -eq 0 ]; then -mkdir -p /run/systemd/rpm/ -touch /run/systemd/rpm/sssd-was-enabled + mkdir -p /run/systemd/rpm/ + touch /run/systemd/rpm/sssd-was-enabled fi systemctl is-active sssd.service > /dev/null if [ $? -eq 0 ]; then -mkdir -p /run/systemd/rpm/ -touch /run/systemd/rpm/sssd-was-active + mkdir -p /run/systemd/rpm/ + touch /run/systemd/rpm/sssd-was-active fi %posttrans -%if %{?_distconfdir:1} +%if "%{?_distconfdir}" != "" # Migration to /usr/etc, restore just created .rpmsave for i in sssd/sssd.conf logrotate.d/sssd pam.d/sssd-shadowutils ; do test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i" || : 
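Review bot: The `%pretrans` rewrite only re-indents the `systemctl is-enabled sssd.service > /dev/null` / `if [ $? -eq 0 ]` pairs; `if systemctl is-enabled sssd.service >/dev/null; then` says the same in one line without the `$?` round-trip, and the same applies to the `%posttrans` block in the `@@ -562,20` hunk. The new `%pre krb5-common -f random.pre` and `%pre proxy -f random.pre` lines are needed because those subpackages now ship files owned by `%sssd_user`, but nothing says so; a comment like `# sssd user/group must exist before the %%attr(...,%%sssd_user) files of this subpackage are laid down` above each would explain why the sysusers pre is repeated per subpackage.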
@@ -562,20 +613,20 @@ done %endif # Migrate sssd.service from sssd-common to sssd if [ -e /run/systemd/rpm/sssd-was-enabled ]; then -systemctl is-enabled sssd.service > /dev/null -if [ $? -ne 0 ]; then - echo "Migrating sssd.service, was enabled" - systemctl enable sssd.service -fi -rm /run/systemd/rpm/sssd-was-enabled + systemctl is-enabled sssd.service >/dev/null + if [ $? -ne 0 ]; then + echo "Migrating sssd.service, was enabled" + systemctl enable sssd.service + fi + rm /run/systemd/rpm/sssd-was-enabled fi if [ -e /run/systemd/rpm/sssd-was-active ]; then -systemctl is-active sssd.service > /dev/null -if [ $? -ne 0 ]; then - echo "Migrating sssd.service, was active" - systemctl start sssd.service -fi -rm /run/systemd/rpm/sssd-was-active + systemctl is-active sssd.service >/dev/null + if [ $? -ne 0 ]; then + echo "Migrating sssd.service, was active" + systemctl start sssd.service + fi + rm /run/systemd/rpm/sssd-was-active fi %files -f sssd.lang @@ -588,12 +639,15 @@ fi %_unitdir/sssd-pac.socket %_unitdir/sssd-pac.service %_unitdir/sssd-pam.socket -%_unitdir/sssd-pam-priv.socket %_unitdir/sssd-pam.service %_unitdir/sssd-ssh.socket %_unitdir/sssd-ssh.service %_unitdir/sssd-sudo.socket %_unitdir/sssd-sudo.service +%_sysusersdir/*sssd* +%_tmpfilesdir/*sssd* +%_sysconfdir/permissions.d/* +%_datadir/polkit-1/ %_bindir/sss_ssh_* %_sbindir/sssd %if 0%{?suse_version} < 1600 
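Review bot: `%_datadir/polkit-1/` in the second hunk claims the whole polkit-1 directory tree rather than the file(s) sssd installs, and `%_sysconfdir/permissions.d/*` would silently absorb any other file that lands in that directory at build time; the %install section writes exactly `permissions.d/sssd`, so `%_sysconfdir/permissions.d/sssd` can be listed by name and the polkit entry narrowed to the specific file that is installed. The `%_sysusersdir/*sssd*` and `%_tmpfilesdir/*sssd*` globs are tighter but the same reasoning applies. The enclosing `%files` section continues outside the hunk.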
@@ -650,32 +704,33 @@ fi %_libexecdir/%name/sssd_autofs %_libexecdir/%name/sssd_be %_libexecdir/%name/sssd_nss -%_libexecdir/%name/sssd_pam +%attr(750,root,%sssd_user) %caps(cap_dac_read_search=p) %_libexecdir/%name/sssd_pam %_libexecdir/%name/sssd_ssh %_libexecdir/%name/sssd_sudo %_libexecdir/%name/sss_signal %_libexecdir/%name/sssd_check_socket_activated_responders %if 0%{?suse_version} >= 1600 -%_libexecdir/%name/selinux_child +%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/selinux_child %endif %dir %sssdstatedir -%attr(700,root,root) %dir %dbpath/ -%attr(755,root,root) %dir %pipepath/ -%attr(700,root,root) %dir %pipepath/private/ -%attr(755,root,root) %dir %pubconfpath/ -%attr(755,root,root) %dir %pubconfpath/krb5.include.d -%attr(755,root,root) %dir %gpocachepath/ -%attr(755,root,root) %dir %sssdstatedir/mc/ -%attr(700,root,root) %dir %sssdstatedir/keytabs/ -%attr(750,root,root) %dir %_localstatedir/log/%name/ -%if %{?_distconfdir:1} -%dir %_distconfdir/sssd/ -%%dir %_distconfdir/sssd/conf.d -%config(noreplace) %_distconfdir/sssd/sssd.conf +%attr(700,%sssd_user,%sssd_user) %dir %dbpath/ +%attr(755,%sssd_user,%sssd_user) %dir %pipepath/ +%attr(700,%sssd_user,%sssd_user) %dir %pipepath/private/ +%attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/ +%attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/krb5.include.d +%attr(755,%sssd_user,%sssd_user) %dir %gpocachepath/ +%attr(755,%sssd_user,%sssd_user) %dir %mcpath/ +%attr(700,%sssd_user,%sssd_user) %dir %keytabdir/ +%attr(750,%sssd_user,%sssd_user) %dir %_localstatedir/log/%name/ +%attr(775,%sssd_user,%sssd_user) %dir %sssdstatedir/ +%if "%{?_distconfdir}" != "" +%attr(750,root,%sssd_user) %dir %_distconfdir/sssd/ +%attr(750,root,%sssd_user) %dir %_distconfdir/sssd/conf.d +%attr(640,root,%sssd_user) %_distconfdir/sssd/sssd.conf %else -%dir %_sysconfdir/sssd/ -%%dir %_sysconfdir/sssd/conf.d -%config(noreplace) %_sysconfdir/sssd/sssd.conf +%attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/ 
+%attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/conf.d +%ghost %attr(640,root,%sssd_user) %config(noreplace) %_sysconfdir/sssd/sssd.conf %endif %if 0%{?suse_version} > 1500 %_distconfdir/logrotate.d/sssd @@ -694,11 +749,12 @@ fi %else %exclude %_mandir/*/*/sssd-files.5.gz %endif +%attr(775,%sssd_user,%sssd_user) %ghost %dir %_rundir/sssd %doc src/examples/sssd.conf # # sssd-client # -/%_lib/libnss_sss.so.2 +%_libdir/libnss_sss.so.2 %_pam_moduledir/pam_sss.so %_pam_moduledir/pam_sss_gss.so %_libdir/krb5/ @@ -783,8 +839,8 @@ fi %dir %_libdir/%name/ %_libdir/%name/libsss_krb5_common.so %dir %_libexecdir/%name/ -%_libexecdir/%name/krb5_child -%_libexecdir/%name/ldap_child +%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/krb5_child +%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/ldap_child %files ldap %dir %_libdir/%name/ @@ -801,7 +857,7 @@ fi %dir %_libdir/%name/ %_libdir/%name/libsss_proxy.so %dir %_libexecdir/%name/ -%_libexecdir/%name/proxy_child +%attr(750,root,%sssd_user) %_libexecdir/%name/proxy_child %dir %_datadir/%name/ %dir %_datadir/%name/sssd.api.d/ %_datadir/%name/sssd.api.d/sssd-proxy.conf @@ -822,7 +878,8 @@ fi %python3_sitelib/sssd/ %files winbind-idmap -%_libdir/samba/ +%dir %_libdir/samba/ +%_libdir/samba/idmap/ %_mandir/man8/idmap_sss.8* %files -n libipa_hbac0 From b3c6ba7ae59ac0995b0621bb7a084e343747642ce434d005677f5dfb8fa5ea8c Mon Sep 17 00:00:00 2001 
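Review bot: `%sssdstatedir` is listed twice in the `@@ -650,32` hunk — the unchanged `%dir %sssdstatedir` context line at the top and the new `%attr(775,%sssd_user,%sssd_user) %dir %sssdstatedir/`; rpmbuild reports such entries as listed twice and only one of the two attribute sets will take effect, so the first line should be dropped. Since this hunk is where ownership of the state tree moves from root to the sssd user, a comment above the block (`# state directories are owned by the unprivileged sssd user since 2.10; helper binaries stay root:sssd with file capabilities`) would document the model the `%attr`/`%caps` lines implement. In the `%else` branch `sssd.conf` becomes `%ghost %attr(640,root,%sssd_user) %config(noreplace)`; a ghosted file is not installed from the package, so I assume the example config is no longer copied into `%_sysconfdir` there — worth confirming against the %install `%else` branch, which is outside this view.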
From: OBS User unknown Date: Wed, 11 Dec 2024 09:35:15 +0000 Subject: [PATCH 10/14] [info=7a9befa6936272129afd7622722b7d44d87bdf6afa02bc7b21a6ccfd037903cc] OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=331 --- ...on-make-sure-etc-sssd-and-everything.patch | 76 -------- 0001-INI-relax-config-files-checks.patch | 135 ------------- ...using-libini_config-for-access-check.patch | 182 ------------------ ...t-path-when-config-object-is-rejecte.patch | 75 -------- _scmsync.obsinfo | 4 +- build.specials.obscpio | 2 +- sssd-2.10.0.tar.gz | 3 - sssd-2.10.0.tar.gz.asc | 16 -- sssd-2.10.1.tar.gz | 3 + sssd-2.10.1.tar.gz.asc | 16 ++ sssd.changes | 16 ++ sssd.spec | 19 +- symvers.patch | 48 ++--- 13 files changed, 64 insertions(+), 531 deletions(-) delete mode 100644 0001-Configuration-make-sure-etc-sssd-and-everything.patch delete mode 100644 0001-INI-relax-config-files-checks.patch delete mode 100644 0001-INI-stop-using-libini_config-for-access-check.patch delete mode 100644 0001-sssd-always-print-path-when-config-object-is-rejecte.patch delete mode 100644 sssd-2.10.0.tar.gz delete mode 100644 sssd-2.10.0.tar.gz.asc create mode 100644 sssd-2.10.1.tar.gz create mode 100644 sssd-2.10.1.tar.gz.asc diff --git a/0001-Configuration-make-sure-etc-sssd-and-everything.patch b/0001-Configuration-make-sure-etc-sssd-and-everything.patch deleted file mode 100644 index 8cf0fe0..0000000 --- a/0001-Configuration-make-sure-etc-sssd-and-everything.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From 8db2df4fcbd09badafbc207bd4150b5f1cc2d5fb Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Thu, 24 Oct 2024 15:34:26 +0200 -Subject: [PATCH] Configuration: make sure /etc/sssd and everything -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -beneath is owned by 'sssd' group and readable by group. - -This should allow for reasonable rw-r----- root:sssd - -At some points those chown/chmod can be removed. - -Reviewed-by: Justin Stephenson -Reviewed-by: Pavel Březina -Reviewed-by: Sumit Bose -(cherry picked from commit 518db322fdd5a4de41813fbe5bc35fc20392ce67) ---- - contrib/sssd.spec.in | 4 ++-- - src/sysv/systemd/sssd-kcm.service.in | 5 ++--- - src/sysv/systemd/sssd.service.in | 6 ++---- - 3 files changed, 6 insertions(+), 9 deletions(-) - -diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in -index 4fbacb959..83de563f3 100644 ---- a/contrib/sssd.spec.in -+++ b/contrib/sssd.spec.in -@@ -1136,9 +1136,9 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d /run/sssd -s /sbin/nologi - %__rm -f %{mcpath}/group - %__rm -f %{mcpath}/initgroups - %__rm -f %{mcpath}/sid -+%__chown -f -R root:%{sssd_user} %{_sysconfdir}/sssd || true -+%__chmod -f -R g+r %{_sysconfdir}/sssd || true - %__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true --%__chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true --%__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true - %__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true - %__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true - %__chown -f %{sssd_user}:%{sssd_user} %{gpocachepath}/* || true -diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in -index 0c839ec5c..ba9e27cd9 100644 ---- a/src/sysv/systemd/sssd-kcm.service.in -+++ b/src/sysv/systemd/sssd-kcm.service.in -@@ -9,9 +9,8 @@ Also=sssd-kcm.socket - - [Service] - Environment=DEBUG_LOGGER=--logger=files 
--ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@ --ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf --ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d -+ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@ -+ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@ - ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb" - ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log - ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER} -diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in -index 37e0a63f8..a6f79ff8a 100644 ---- a/src/sysv/systemd/sssd.service.in -+++ b/src/sysv/systemd/sssd.service.in -@@ -10,10 +10,8 @@ StartLimitBurst=5 - [Service] - Environment=DEBUG_LOGGER=--logger=files - EnvironmentFile=-@environment_file@ --ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@ --ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf --ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d --ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/pki -+ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@ -+ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@ - ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @dbpath@/*.ldb" - ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @gpocachepath@/*" - ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/*.log" --- -2.47.0 - diff --git a/0001-INI-relax-config-files-checks.patch b/0001-INI-relax-config-files-checks.patch deleted file mode 100644 index 69ac630..0000000 --- a/0001-INI-relax-config-files-checks.patch +++ /dev/null 
@@ -1,135 +0,0 @@ -From 340671f16abb9c26ae97b11c4e2845337e67973e Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Wed, 23 Oct 2024 20:59:32 +0200 -Subject: [PATCH] INI: relax config files checks -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Only make sure: - - user is root or sssd - - group is root or sssd - - other can't access it - -Don't make any assumptions wrt user/group read/write-ability. - -Reviewed-by: Justin Stephenson -Reviewed-by: Pavel Březina -Reviewed-by: Sumit Bose -(cherry picked from commit 8472777ec472607ea450ddb4c4666017bd0de704) ---- - src/man/sssd.conf.5.xml | 5 ++- - src/util/sss_ini.c | 68 +++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 70 insertions(+), 3 deletions(-) - -diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml -index a074cc674..bf10acb2a 100644 ---- a/src/man/sssd.conf.5.xml -+++ b/src/man/sssd.conf.5.xml -@@ -57,9 +57,8 @@ - readable, and writeable only by 'root'. - - -- sssd.conf must be a regular file that is owned, -- readable, and writeable by the same user as configured to run SSSD -- service. -+ sssd.conf must be a regular file that is -+ accessible only by the user used to run SSSD service or root. 
- - - -diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c -index e989d8caf..74cf61e0e 100644 ---- a/src/util/sss_ini.c -+++ b/src/util/sss_ini.c -@@ -26,6 +26,7 @@ - #include - #include - #include -+#include - #include - - #include "config.h" -@@ -781,6 +782,71 @@ int sss_ini_open(struct sss_ini *self, - return ret; - } - -+static int access_check_file(const char *filename) -+{ -+ int ret; -+ struct stat st; -+ uid_t uid; -+ gid_t gid; -+ -+ sss_sssd_user_uid_and_gid(&uid, &gid); -+ -+ ret = stat(filename, &st); -+ if (ret != 0) { -+ ret = errno; -+ DEBUG(SSSDBG_CRIT_FAILURE, "stat(%s) failed: %s\n", -+ filename, strerror(ret)); -+ return EINVAL; -+ } -+ -+ if ((st.st_uid != 0) && (st.st_uid != uid)) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected user owner of '%s': %"SPRIuid"\n", -+ filename, st.st_uid); -+ return ERR_INI_INVALID_PERMISSION; -+ } -+ -+ if ((st.st_gid != 0) && (st.st_gid != gid)) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected group owner of '%s': %"SPRIgid"\n", -+ filename, st.st_gid); -+ return ERR_INI_INVALID_PERMISSION; -+ } -+ -+ if ((st.st_mode & (S_IROTH|S_IWOTH|S_IXOTH)) != 0) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected access to '%s' by other users\n", -+ filename); -+ return ERR_INI_INVALID_PERMISSION; -+ } -+ -+ return EOK; -+} -+ -+static int access_check_ini(struct sss_ini *self) -+{ -+ int ret; -+ const char *path; -+ uint32_t i; -+ const char **snippet; -+ struct ref_array *used_snippets; -+ -+ if (self->main_config_exists) { -+ path = ini_config_get_filename(self->file); -+ ret = access_check_file(path); -+ if (ret != EOK) { -+ return ret; -+ } -+ } -+ -+ used_snippets = sss_ini_get_ra_success_list(self); -+ for (i = 0; (snippet = ref_array_get(used_snippets, i, NULL)) != NULL; ++i) { -+ ret = access_check_file(*snippet); -+ if (ret != EOK) { -+ return ret; -+ } -+ } -+ -+ return EOK; -+} -+ - int sss_ini_read_sssd_conf(struct sss_ini *self, - const char *config_file, - const char *config_dir) -@@ -833,5 +899,7 @@ int 
sss_ini_read_sssd_conf(struct sss_ini *self, - return ERR_INI_EMPTY_CONFIG; - } - -+ ret = access_check_ini(self); -+ - return ret; - } --- -2.47.0 - diff --git a/0001-INI-stop-using-libini_config-for-access-check.patch b/0001-INI-stop-using-libini_config-for-access-check.patch deleted file mode 100644 index abe0cb0..0000000 --- a/0001-INI-stop-using-libini_config-for-access-check.patch +++ /dev/null 
@@ -1,182 +0,0 @@ -From 1d19b8ad9415e0a12ed3aaf039d4d0956ef4dbad Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Wed, 23 Oct 2024 19:53:09 +0200 -Subject: [PATCH] INI: stop using 'libini_config' for access check -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Justin Stephenson -Reviewed-by: Pavel Březina -Reviewed-by: Sumit Bose ---- - src/util/sss_ini.c | 100 +---------------------------------------------------- - src/util/sss_ini.h | 12 ------ - 2 files changed, 3 insertions(+), 109 deletions(-) - -Index: sssd-2.10.0/src/util/sss_ini.c -=================================================================== ---- sssd-2.10.0.orig/src/util/sss_ini.c -+++ sssd-2.10.0/src/util/sss_ini.c -@@ -147,81 +147,6 @@ static int sss_ini_config_file_from_mem( - &self->file); - } - --/* Check configuration file permissions */ -- --static bool is_running_sssd(void) --{ -- static char exe[1024]; -- int ret; -- const char *s = NULL; -- -- ret = readlink("/proc/self/exe", exe, sizeof(exe) - 1); -- if ((ret > 0) && (ret < 1024)) { -- exe[ret] = 0; -- s = strstr(exe, debug_prg_name); -- if ((s != NULL) && (strlen(s) == strlen(debug_prg_name))) { -- return true; -- } -- } -- -- return false; --} -- --static int sss_ini_access_check(struct sss_ini *self) --{ -- int ret; -- uint32_t flags = INI_ACCESS_CHECK_MODE; -- -- if (!self->main_config_exists) { -- return EOK; -- } -- -- if (is_running_sssd()) { -- flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID; -- } -- -- ret = ini_config_access_check(self->file, -- flags, -- geteuid(), -- getegid(), -- S_IRUSR, /* r**------ */ -- ALLPERMS & ~(S_IWUSR|S_IXUSR)); -- -- return ret; --} -- -- -- --/* Get cstat */ -- --int sss_ini_get_stat(struct sss_ini *self) --{ -- self->cstat = ini_config_get_stat(self->file); -- -- if (!self->cstat) return EIO; -- -- return EOK; --} -- -- -- --/* Get mtime */ -- --int sss_ini_get_mtime(struct sss_ini *self, -- size_t timestr_len, -- char 
*timestr) --{ -- return snprintf(timestr, timestr_len, "%llu", -- (long long unsigned)self->cstat->st_mtime); --} -- --/* Get file_exists */ -- --bool sss_ini_exists(struct sss_ini *self) --{ -- return self->main_config_exists; --} -- - /* Print ini_config errors */ - - static void sss_ini_config_print_errors(char **error_list) -@@ -289,7 +214,6 @@ static int sss_ini_add_snippets(struct s - uint32_t i = 0; - char *msg = NULL; - struct ini_cfgobj *modified_sssd_config = NULL; -- struct access_check snip_check; - - if (self == NULL || self->sssd_config == NULL || config_dir == NULL) { - return EINVAL; -@@ -297,21 +221,11 @@ static int sss_ini_add_snippets(struct s - - sss_ini_free_ra_messages(self); - -- snip_check.flags = INI_ACCESS_CHECK_MODE; -- -- if (is_running_sssd()) { -- snip_check.flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID; -- } -- snip_check.uid = geteuid(); -- snip_check.gid = getegid(); -- snip_check.mode = S_IRUSR; /* r**------ */ -- snip_check.mask = ALLPERMS & ~(S_IWUSR | S_IXUSR); -- - ret = ini_config_augment(self->sssd_config, - config_dir, - patterns, - sections, -- &snip_check, -+ NULL, - INI_STOP_ON_ANY, - INI_MV1S_OVERWRITE, - INI_PARSE_NOWRAP, -@@ -894,15 +808,7 @@ int sss_ini_read_sssd_conf(struct sss_in - return ERR_INI_OPEN_FAILED; - } - -- if (sss_ini_exists(self)) { -- ret = sss_ini_access_check(self); -- if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "Permission check on config file %s failed: %d\n", -- config_file, ret); -- return ERR_INI_INVALID_PERMISSION; -- } -- } else { -+ if (!self->main_config_exists) { - DEBUG(SSSDBG_CONF_SETTINGS, - "File %s does not exist.\n", config_file); - } -@@ -923,7 +829,7 @@ int sss_ini_read_sssd_conf(struct sss_in - return ERR_INI_ADD_SNIPPETS_FAILED; - } - -- if (!sss_ini_exists(self) && -+ if ((!self->main_config_exists) && - (ref_array_len(sss_ini_get_ra_success_list(self)) == 0)) { - return ERR_INI_EMPTY_CONFIG; - } -Index: sssd-2.10.0/src/util/sss_ini.h 
-=================================================================== ---- sssd-2.10.0.orig/src/util/sss_ini.h -+++ sssd-2.10.0/src/util/sss_ini.h -@@ -81,18 +81,6 @@ int sss_ini_open(struct sss_ini *self, - const char *fallback_cfg); - - /** -- * @brief Check whether sss_ini_open() reported that ini file is -- * not present -- * -- * @param[in] self pointer to sss_ini structure -- * -- * @return -- * - true we are using ini file -- * - false file was not found -- */ --bool sss_ini_exists(struct sss_ini *self); -- --/** - * @brief get Cstat structure of the ini file - */ - int sss_ini_get_stat(struct sss_ini *self); diff --git a/0001-sssd-always-print-path-when-config-object-is-rejecte.patch b/0001-sssd-always-print-path-when-config-object-is-rejecte.patch deleted file mode 100644 index d24c30a..0000000 --- a/0001-sssd-always-print-path-when-config-object-is-rejecte.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -From 1a743a4123c104a10c694f7ee9d2f0a1e7182513 Mon Sep 17 00:00:00 2001 -From: Jan Engelhardt -Date: Wed, 16 Oct 2024 09:55:50 +0200 -Subject: [PATCH] sssd: always print path when config object is rejected -References: https://github.com/SSSD/sssd/pull/7649 - -Observed: - -``` -Oct 16 09:44:04 a4 sssd[28717]: [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed. -Oct 16 09:44:04 a4 sssd[28717]: Can't read config: 'File ownership and permissions check failed' -Oct 16 09:44:04 a4 sssd[28717]: Failed to read configuration: 'File ownership and permissions check failed' -``` - -Expected: - -_Well yes, but **which one**_!? - -Reviewed-by: Alexey Tikhonov -Reviewed-by: Justin Stephenson -(cherry picked from commit 2b7915dd84a6b8c3ee26e45357283677fe22f2cb) ---- - src/util/sss_ini.c | 14 ++++++++------ - 1 file changed, 8 insertions(+), 6 deletions(-) - -diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c -index 7f9824d88..2a611eb8c 100644 ---- a/src/util/sss_ini.c -+++ b/src/util/sss_ini.c -@@ -888,7 +888,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self, - ret = sss_ini_open(self, config_file, "[sssd]\n"); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, -- "The sss_ini_open failed %s: %d\n", -+ "sss_ini_open on %s failed: %d\n", - config_file, - ret); - return ERR_INI_OPEN_FAILED; -@@ -898,26 +898,28 @@ int sss_ini_read_sssd_conf(struct sss_ini *self, - ret = sss_ini_access_check(self); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, -- "Permission check on config file failed.\n"); -+ "Permission check on config file %s failed: %d\n", -+ config_file, ret); - return ERR_INI_INVALID_PERMISSION; - } - } else { - DEBUG(SSSDBG_CONF_SETTINGS, -- "File %1$s does not exist.\n", -- (config_file ? 
config_file : "NULL")); -+ "File %s does not exist.\n", config_file); - } - - ret = sss_ini_parse(self); - if (ret != EOK) { - sss_ini_config_print_errors(self->error_list); -- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration.\n"); -+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration file %s: %d\n", -+ config_file, ret); - return ERR_INI_PARSE_FAILED; - } - - ret = sss_ini_add_snippets(self, config_dir); - if (ret != EOK) { - DEBUG(SSSDBG_FATAL_FAILURE, -- "Error while reading configuration directory.\n"); -+ "Error while reading configuration directory %s: %d\n", -+ config_dir, ret); - return ERR_INI_ADD_SNIPPETS_FAILED; - } - --- -2.47.0 - diff --git a/_scmsync.obsinfo b/_scmsync.obsinfo index 9d0500b..e670dc7 100644 --- a/_scmsync.obsinfo +++ b/_scmsync.obsinfo @@ -1,4 +1,4 @@ -mtime: 1730841300 -commit: 6e6893108add570a0ec8a1cc983e87b11279bc98ee96e4f1af76ab397f1d0074 +mtime: 1733909604 +commit: 7a9befa6936272129afd7622722b7d44d87bdf6afa02bc7b21a6ccfd037903cc url: https://src.opensuse.org/jengelh/sssd revision: master diff --git a/build.specials.obscpio b/build.specials.obscpio index a63500c..0f121bc 100644 --- a/build.specials.obscpio +++ b/build.specials.obscpio @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:b7a95490a831fb30d7292118e7a21e6aa16cf2dbbe3f4d6d804adf9189d0e397 +oid sha256:0f64dc33371d73cda0723d180821fa83b5cdad37b17fb4a9c2be8f8b473ea876 size 256 diff --git a/sssd-2.10.0.tar.gz b/sssd-2.10.0.tar.gz deleted file mode 100644 index 38e2605..0000000 --- a/sssd-2.10.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:0b1167e8017209ec25b9683e0006947eaa0cfd7a8161bfea120bd8511006db0d -size 9177851 diff --git a/sssd-2.10.0.tar.gz.asc b/sssd-2.10.0.tar.gz.asc deleted file mode 100644 index 3783730..0000000 --- a/sssd-2.10.0.tar.gz.asc +++ /dev/null 
@@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmcOPUoACgkQ09IbKRDP -Z1myuA//anDvdZcQp0EUia2NsiWt2MFE8esmsEIN6QmEYjUxvEeXI9q4YJQimMi8 -wdt0zqZE1PLrTcroWaeGcgt2+CJWUbVanZtNn3oo7lUVYrLKemrUzavM7dXTaA43 -cdKAFyEO+nHJQ2yBNUt6sRXc3tM0H27yZs0iL+CcYu6YshUTbMnZuwdpz7DqDTN8 -nbG+LWa+U0en5mI3waP8Ionwmdv9AJAuCHQZLlZDpM0+YfGumcIUJdbxU/I8pqP8 -MQaulPv3e+BNwdbUiLlk0cXRjuEfSd0bmMa3MqB4IqMvvjACU0GuSgK3FDhutZJe -HfmzYSo/Zntmr7F/eYLz6zy/GU3VewEilOyRV08oz+EVJRbGyo2t4k6PUYbn+I4V -kJ/maed5jnBzIZGf6o+P1r+3mavJg7k2LDV4s48MsZ4Y5ED4X0c+boT1L5FZbquW -gp99Di0RG4VoWiYOfVfszLzeDWOLbOrKMyA6PTqlmjGYAdV9SBwZP5WEdwXyPovo -D7uual7Eqdd+Y/lt+8O4Wd+Y+a9xI2kwVFo8KYmHc8PhgLpPIKTWbBTEI+0nw3fJ -qqyyA7JWA81bt4WKVuJaeS87S/9F4yn8ps2dzSgHjZ2Tzr7Eu1a3RWLjKYsjKZrT -PPd2d/02rQAZPwLYHN5qM3Xjh0DD7IiXav1QuIPxmUQA9z8ZiuA= -=mJVY ------END PGP SIGNATURE----- diff --git a/sssd-2.10.1.tar.gz b/sssd-2.10.1.tar.gz new file mode 100644 index 0000000..03c5c14 --- /dev/null +++ b/sssd-2.10.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ea6a690047cea1ecd50016aa30946f9348da37b46daa984f34bc72ddb767539f +size 9196848 diff --git a/sssd-2.10.1.tar.gz.asc b/sssd-2.10.1.tar.gz.asc new file mode 100644 index 0000000..f720242 --- /dev/null +++ b/sssd-2.10.1.tar.gz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmdYSb4ACgkQ09IbKRDP +Z1kRyRAAmkKhCUcBs4h2mDg7uzz7DfYFkHXEiY8EMoVP5Iw6ZsNL/V9fwF9xhj49 +XbnCfxj2zFfVWZd5VYnTpl86Hg3NrxuPehgM+iMAXS6U/55TvRPunCtTiRwoTZ4t +zSgiBaSg3I2hmSN2cnSU8PpilEDCIeSP3uafmGXI1KUxEQltVbp0EeJ5CL5GP3xU +rFgI1pKdTySlw6jZ3vjkAaHwdsJGB0MKtjiBJYtqvHmIzbUdSNN/iE5Wf5xsdtez +KKLUrnKeQFuNyYWpjipJvbs7i9+E5VKFvCfrqFb6vQbp+Rgd98epVjp2VKovNy8p +gZQmgfbi5GCWKuBx+dbaRSFa8hWemEwnBNboV6JKq4+CoPsMkI367utZV5gd58V5 +RHgLsrZfjahAXgG4ytwPhgKDV+sX+sSn4aXIdaSgc+vP7+ykLMxyzyR2GXyG+y11 +WrnovdR0HywHfzvlUnKQmcLUjCkXKVwIMw0oBRa8+YLTD08EeYgu+oXXDpGD0oL1 +YJLLBdr6ycR9Rk/sUqbZgEnzQZPYXazIraUrd71Ry8CaNvqi86Of7sX6SgSQQeg/ +ZPLNcPWPadG/9jpMNJNsXXEZicNJXznQczlXKvRXINOJzknJYwwgH+/55otbzNzq +EjlOmFEn07bGAHCsHTfydlCeYqD9x+WV/X8CReMFjcaaBH4TDms= +=S0c5 +-----END PGP SIGNATURE----- diff --git a/sssd.changes b/sssd.changes index 5b4d1eb..1121950 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,19 @@ +------------------------------------------------------------------- +Tue Dec 10 20:17:10 UTC 2024 - Jan Engelhardt + +- Update to release 2.10.1 + * SSSD does not create anymore missing path components of + DIR:/FILE: ccache types while acquiring user's TGT. The + parent directory of requested ccache directory must exist and + the user trying to log in must have rwx access to this + directory. This matches behavior of /usr/bin/kinit. + * The option default_domain_suffix is deprecated. +- Delete 0001-Configuration-make-sure-etc-sssd-and-everything.patch, + 0001-INI-relax-config-files-checks.patch, + 0001-INI-stop-using-libini_config-for-access-check.patch, + 0001-sssd-always-print-path-when-config-object-is-rejecte.patch + (merged) + ------------------------------------------------------------------- Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt diff --git a/sssd.spec b/sssd.spec index d360e18..5f59646 100644 --- a/sssd.spec +++ b/sssd.spec 
@@ -17,7 +17,7 @@ Name: sssd
-Version: 2.10.0
+Version: 2.10.1
 Release: 0
 Summary: System Security Services Daemon
 License: GPL-3.0-or-later AND LGPL-3.0-or-later
@@ -28,10 +28,6 @@ Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%v
 Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc
 Source3: baselibs.conf
 Source5: %name.keyring
-Patch3: 0001-sssd-always-print-path-when-config-object-is-rejecte.patch
-Patch4: 0001-INI-stop-using-libini_config-for-access-check.patch
-Patch5: 0001-INI-relax-config-files-checks.patch
-Patch6: 0001-Configuration-make-sure-etc-sssd-and-everything.patch
 Patch11: krb-noversion.diff
 Patch12: harden_sssd-ifp.service.patch
 Patch13: harden_sssd-kcm.service.patch
@@ -489,11 +485,11 @@ cat >"$b/etc/permissions.d/sssd" <<-EOF
 %_libexecdir/sssd/sssd_pam root:sssd 0750
 +capabilities cap_dac_read_search=p
 %_libexecdir/sssd/selinux_child root:sssd 0750
- +capabilities %child_capabilities
+ +capabilities cap_setgid,cap_setuid=p
 %_libexecdir/sssd/krb5_child root:sssd 0750
- +capabilities %child_capabilities
+ +capabilities cap_dac_read_search,cap_setgid,cap_setuid=p
 %_libexecdir/sssd/ldap_child root:sssd 0750
- +capabilities %child_capabilities
+ +capabilities cap_dac_read_search=p
 EOF
 %check
@@ -691,7 +687,6 @@ fi
 %_libdir/%name/libsss_files*
 %endif
 %_libdir/%name/libsss_iface*
-%_libdir/%name/libsss_semanage*
 %_libdir/%name/libsss_sbus*
 %_libdir/%name/libsss_simple*
 %_libdir/%name/libsss_util*
@@ -710,7 +705,7 @@ fi
 %_libexecdir/%name/sss_signal
 %_libexecdir/%name/sssd_check_socket_activated_responders
 %if 0%{?suse_version} >= 1600
-%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/selinux_child
+%attr(750,root,%sssd_user) %caps(cap_setgid,cap_setuid=p) %_libexecdir/%name/selinux_child
 %endif
 %dir %sssdstatedir
 %attr(700,%sssd_user,%sssd_user) %dir %dbpath/
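Review bot: In the `@@ -489,11 +485,11 @@` hunk the capability set of each helper is now written out literally in the permissions.d heredoc and again in the `%caps(...)` entries of the `%files` hunks (`@@ -710` here, `@@ -839` in the next hunk), so the `# should match entry from %%files list` comment is the only thing keeping chkstat and rpm in agreement, and a single-token drift between the two copies would leave an installed helper with a different capability set depending on which of the two applied last. One macro per helper, e.g. `%define krb5_child_caps cap_dac_read_search,cap_setgid,cap_setuid=p`, expanded in both places removes that risk; if `%child_capabilities` is still defined elsewhere in the spec it has no remaining user after this hunk. Going from `cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep` to per-helper permitted-only sets (`=p`) is a genuine reduction in what the helpers can do; it presumably relies on the 2.10.1 helpers raising the capability they need themselves, which the spec alone cannot confirm.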
@@ -839,8 +834,8 @@ fi %dir %_libdir/%name/ %_libdir/%name/libsss_krb5_common.so %dir %_libexecdir/%name/ -%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/krb5_child -%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/ldap_child +%attr(750,root,%sssd_user) %caps(cap_dac_read_search,cap_setgid,cap_setuid=p) %_libexecdir/%name/krb5_child +%attr(750,root,%sssd_user) %caps(cap_dac_read_search=p) %_libexecdir/%name/ldap_child %files ldap %dir %_libdir/%name/ diff --git a/symvers.patch b/symvers.patch index ab19be6..89e9857 100644 --- a/symvers.patch +++ b/symvers.patch @@ -12,14 +12,14 @@ libsss_ldap.so(-2.7.4) cannot find a libsss_util.so(-2.7.4), since the system only has libsss_util.so(-2.8.2) at this point. --- - Makefile.am | 47 ++++++++++++++++++++++++++++++++--------------- - 1 file changed, 32 insertions(+), 15 deletions(-) + Makefile.am | 44 ++++++++++++++++++++++++++++++-------------- + 1 file changed, 30 insertions(+), 14 deletions(-) -Index: sssd-2.9.2/Makefile.am +Index: sssd-2.10.1/Makefile.am =================================================================== ---- sssd-2.9.2.orig/Makefile.am -+++ sssd-2.9.2/Makefile.am -@@ -955,7 +955,11 @@ libsss_debug_la_SOURCES = \ +--- sssd-2.10.1.orig/Makefile.am ++++ sssd-2.10.1/Makefile.am +@@ -971,7 +971,11 @@ libsss_debug_la_SOURCES = \ libsss_debug_la_LIBADD = \ $(SYSLOG_LIBS) libsss_debug_la_LDFLAGS = \ @@ -32,7 +32,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_child.la libsss_child_la_SOURCES = src/util/child_common.c -@@ -965,7 +969,8 @@ libsss_child_la_LIBADD = \ +@@ -981,7 +985,8 @@ libsss_child_la_LIBADD = \ $(DHASH_LIBS) \ libsss_debug.la \ $(NULL) @@ -42,7 +42,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_crypt.la -@@ -1004,7 +1009,8 @@ libsss_crypt_la_LIBADD = \ +@@ -1021,7 +1026,8 @@ libsss_crypt_la_LIBADD = \ libsss_debug.la \ $(NULL) libsss_crypt_la_LDFLAGS = \ 
@@ -52,7 +52,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_cert.la -@@ -1029,8 +1035,9 @@ libsss_cert_la_LIBADD = \ +@@ -1046,8 +1052,9 @@ libsss_cert_la_LIBADD = \ libsss_debug.la \ $(NULL) libsss_cert_la_LDFLAGS = \ @@ -63,7 +63,7 @@ Index: sssd-2.9.2/Makefile.am generate-sbus-code: $(builddir)/sbus_generate.sh $(abs_srcdir) -@@ -1131,8 +1138,9 @@ libsss_sbus_la_CFLAGS = \ +@@ -1148,8 +1155,9 @@ libsss_sbus_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libsss_sbus_la_LDFLAGS = \ @@ -74,7 +74,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_sbus_sync.la libsss_sbus_sync_la_SOURCES = \ -@@ -1167,8 +1175,9 @@ libsss_sbus_sync_la_CFLAGS = \ +@@ -1184,8 +1192,9 @@ libsss_sbus_sync_la_CFLAGS = \ $(UNICODE_LIBS) \ $(NULL) libsss_sbus_sync_la_LDFLAGS = \ @@ -85,7 +85,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_iface.la libsss_iface_la_SOURCES = \ -@@ -1197,8 +1206,9 @@ libsss_iface_la_CFLAGS = \ +@@ -1214,8 +1223,9 @@ libsss_iface_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libsss_iface_la_LDFLAGS = \ @@ -96,7 +96,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_iface_sync.la libsss_iface_sync_la_SOURCES = \ -@@ -1225,8 +1235,9 @@ libsss_iface_sync_la_CFLAGS = \ +@@ -1242,8 +1252,9 @@ libsss_iface_sync_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libsss_iface_sync_la_LDFLAGS = \ @@ -107,7 +107,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_util.la libsss_util_la_SOURCES = \ -@@ -1322,7 +1333,8 @@ endif +@@ -1338,7 +1349,8 @@ endif if BUILD_PASSKEY libsss_util_la_SOURCES += src/db/sysdb_passkey_user_verification.c endif # BUILD_PASSKEY 
@@ -115,19 +115,9 @@ Index: sssd-2.9.2/Makefile.am +libsss_util_la_LDFLAGS = -avoid-version ${symv} +EXTRA_libsss_util_la_DEPENDENCIES = x.sym - pkglib_LTLIBRARIES += libsss_semanage.la - libsss_semanage_la_CFLAGS = \ -@@ -1341,7 +1353,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_ - endif - - libsss_semanage_la_LDFLAGS = \ -- -avoid-version -+ -avoid-version ${symv} -+EXTRA_libsss_semanage_la_DEPENDENCIES = x.sym - SSSD_INTERNAL_LTLIBS = \ libsss_util.la \ -@@ -1357,7 +1370,7 @@ lib_LTLIBRARIES = libipa_hbac.la \ +@@ -1354,7 +1366,7 @@ lib_LTLIBRARIES = libipa_hbac.la \ $(NULL) pkgconfig_DATA += src/lib/ipa_hbac/ipa_hbac.pc @@ -136,7 +126,7 @@ Index: sssd-2.9.2/Makefile.am libipa_hbac_la_SOURCES = \ src/lib/ipa_hbac/hbac_evaluator.c \ src/util/sss_utf8.c -@@ -1688,8 +1701,9 @@ libifp_iface_la_CFLAGS = \ +@@ -1682,8 +1694,9 @@ libifp_iface_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libifp_iface_la_LDFLAGS = \ @@ -147,7 +137,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libifp_iface_sync.la libifp_iface_sync_la_SOURCES = \ -@@ -1714,8 +1728,9 @@ libifp_iface_sync_la_CFLAGS = \ +@@ -1708,8 +1721,9 @@ libifp_iface_sync_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libifp_iface_sync_la_LDFLAGS = \ @@ -158,7 +148,7 @@ Index: sssd-2.9.2/Makefile.am sssd_ifp_SOURCES = \ src/responder/ifp/ifpsrv.c \ -@@ -4314,8 +4329,9 @@ libsss_ldap_common_la_LIBADD = \ +@@ -4314,8 +4328,9 @@ libsss_ldap_common_la_LIBADD = \ $(SSSD_INTERNAL_LTLIBS) \ $(NULL) libsss_ldap_common_la_LDFLAGS = \ @@ -169,7 +159,7 @@ Index: sssd-2.9.2/Makefile.am if BUILD_SYSTEMTAP libsss_ldap_common_la_LIBADD += stap_generated_probes.lo endif -@@ -4372,7 +4388,8 @@ libsss_krb5_common_la_LIBADD = \ +@@ -4371,7 +4386,8 @@ libsss_krb5_common_la_LIBADD = \ $(SSSD_INTERNAL_LTLIBS) \ $(NULL) libsss_krb5_common_la_LDFLAGS = \ From 1d71044539fcd924ac404bfd3f9069f0cfe2483c27db61c8ac5f2f56b966b2f0 Mon Sep 17 00:00:00 2001 
From: OBS User unknown
Date: Fri, 20 Dec 2024 08:21:11 +0000
Subject: [PATCH 11/14] [info=1507d9a0944d5e4561b50f5711c11410c6102db2357375f84d4e99c977e11c66]
OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=332
---
 _scmsync.obsinfo | 4 ++--
 build.specials.obscpio | 2 +-
 sssd.spec | 5 ++++-
 3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/_scmsync.obsinfo b/_scmsync.obsinfo
index e670dc7..7cc2a89 100644
--- a/_scmsync.obsinfo
+++ b/_scmsync.obsinfo
@@ -1,4 +1,4 @@
-mtime: 1733909604
-commit: 7a9befa6936272129afd7622722b7d44d87bdf6afa02bc7b21a6ccfd037903cc
+mtime: 1734682844
+commit: 1507d9a0944d5e4561b50f5711c11410c6102db2357375f84d4e99c977e11c66
 url: https://src.opensuse.org/jengelh/sssd
 revision: master
diff --git a/build.specials.obscpio b/build.specials.obscpio
index 0f121bc..43937e3 100644
--- a/build.specials.obscpio
+++ b/build.specials.obscpio
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:0f64dc33371d73cda0723d180821fa83b5cdad37b17fb4a9c2be8f8b473ea876
+oid sha256:5cef82fe2efad31ced57e8be6a100bc78b17ba52373d3567d44c87746a418e28
 size 256
diff --git a/sssd.spec b/sssd.spec
index 5f59646..a79967b 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -120,7 +120,6 @@ Obsoletes: sssd-common < %version-%release
 %define keytabdir %sssdstatedir/keytabs
 %define mcpath %sssdstatedir/mc
 %define ldbdir %(pkg-config ldb --variable=modulesdir)
-%define child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
 # Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
 # %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
@@ -480,6 +479,10 @@ mkdir -p "$b/%_sysusersdir" "$b/etc/permissions.d"
 cp -a system-user-sssd.conf "$b/%_sysusersdir/"
 %sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf
 install -Dpm 0644 contrib/sssd-tmpfiles.conf "%buildroot/%_tmpfilesdir/%name.conf"
+#
+# Security considerations for capabilities, chown and stuff:
+# https://www.openwall.com/lists/oss-security/2024/12/19/1
+#
 # should match entry from %%files list
 cat >"$b/etc/permissions.d/sssd" <<-EOF
 %_libexecdir/sssd/sssd_pam root:sssd 0750
From 86e7668f301f63da40b99120f569c731360d987db7df1c400f9e4cce7f278b64 Mon Sep 17 00:00:00 2001
From: OBS User unknown
Date: Thu, 2 Jan 2025 17:58:20 +0000
Subject: [PATCH 12/14] [info=cd05c14a49b9600916b3ace67564befd817f17fbbae208a2197db413e82a7560]
OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=333
---
 ...OOL-Fix-build-parameter-name-omitted.patch | 85 +++++++++++++++++++
 _scmsync.obsinfo | 4 +-
 build.specials.obscpio | 2 +-
 sssd.spec | 16 +++-
 4 files changed, 101 insertions(+), 6 deletions(-)
 create mode 100644 0001-TOOL-Fix-build-parameter-name-omitted.patch
diff --git a/0001-TOOL-Fix-build-parameter-name-omitted.patch b/0001-TOOL-Fix-build-parameter-name-omitted.patch
new file mode 100644
index 0000000..6bda949
--- /dev/null
+++ b/0001-TOOL-Fix-build-parameter-name-omitted.patch
@@ -0,0 +1,85 @@ +From b927ca4196f828bda6d5db6c6a6d852389bfede0 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Thu, 2 Jan 2025 14:09:17 +0100 +Subject: [PATCH] TOOL: Fix build, parameter name omitted + +Signed-off-by: Samuel Cabrero +--- + src/tools/sssctl/sssctl_data.c | 8 ++++---- + src/tools/sssctl/sssctl_logs.c | 6 +++--- + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c +index b28556e73..a473e7e14 100644 +--- a/src/tools/sssctl/sssctl_data.c ++++ b/src/tools/sssctl/sssctl_data.c +@@ -125,7 +125,7 @@ static errno_t sssctl_backup(bool force) + } + + errno_t sssctl_client_data_backup(struct sss_cmdline *cmdline, +- struct sss_tool_ctx *) ++ struct sss_tool_ctx *tool_ctx) + { + struct sssctl_data_opts opts = {0}; + errno_t ret; +@@ -184,7 +184,7 @@ static errno_t sssctl_restore(bool force_start, bool force_restart) + } + + errno_t sssctl_client_data_restore(struct sss_cmdline *cmdline, +- struct sss_tool_ctx *) ++ struct sss_tool_ctx *tool_ctx) + { + struct sssctl_data_opts opts = {0}; + errno_t ret; +@@ -206,7 +206,7 @@ errno_t sssctl_client_data_restore(struct sss_cmdline *cmdline, + } + + errno_t sssctl_cache_remove(struct sss_cmdline *cmdline, +- struct sss_tool_ctx *) ++ struct sss_tool_ctx *tool_ctx) + { + struct sssctl_data_opts opts = {0}; + errno_t ret; +@@ -413,7 +413,7 @@ done: + } + + errno_t sssctl_cache_index(struct sss_cmdline *cmdline, +- struct sss_tool_ctx *) ++ struct sss_tool_ctx *tool_ctx) + { + const char *attr = NULL; + const char *action_str = NULL; +diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c +index f8ef9f2c6..8ba18b394 100644 +--- a/src/tools/sssctl/sssctl_logs.c ++++ b/src/tools/sssctl/sssctl_logs.c +@@ -418,7 +418,7 @@ int parse_debug_level(const char *strlevel) + } + + errno_t sssctl_logs_remove(struct sss_cmdline *cmdline, +- struct sss_tool_ctx *) ++ struct sss_tool_ctx *tool_ctx) + { + struct sssctl_logs_opts opts 
= {0}; + errno_t ret; +@@ -470,7 +470,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline, + } + + errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline, +- struct sss_tool_ctx *) ++ struct sss_tool_ctx *tool_ctx) + { + const char *file = NULL; + errno_t ret; +@@ -587,7 +587,7 @@ fini: + } + + errno_t sssctl_analyze(struct sss_cmdline *cmdline, +- struct sss_tool_ctx *) ++ struct sss_tool_ctx *tool_ctx) + { + #ifndef BUILD_CHAIN_ID + PRINT("ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n"); +-- +2.47.1 + diff --git a/_scmsync.obsinfo b/_scmsync.obsinfo index 7cc2a89..9487338 100644 --- a/_scmsync.obsinfo +++ b/_scmsync.obsinfo @@ -1,4 +1,4 @@ -mtime: 1734682844 -commit: 1507d9a0944d5e4561b50f5711c11410c6102db2357375f84d4e99c977e11c66 +mtime: 1735824824 +commit: cd05c14a49b9600916b3ace67564befd817f17fbbae208a2197db413e82a7560 url: https://src.opensuse.org/jengelh/sssd revision: master diff --git a/build.specials.obscpio b/build.specials.obscpio index 43937e3..8f5594f 100644 --- a/build.specials.obscpio +++ b/build.specials.obscpio @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:5cef82fe2efad31ced57e8be6a100bc78b17ba52373d3567d44c87746a418e28 +oid sha256:ad06894f2980a38b30ed36cd59bf7d6590c73c717b8f9f5dd63797ab1bf63284 size 256 diff --git a/sssd.spec b/sssd.spec index a79967b..724de9e 100644 --- a/sssd.spec +++ b/sssd.spec @@ -28,6 +28,7 @@ Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%v Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc Source3: baselibs.conf Source5: %name.keyring +Patch1: 0001-TOOL-Fix-build-parameter-name-omitted.patch Patch11: krb-noversion.diff Patch12: harden_sssd-ifp.service.patch Patch13: harden_sssd-kcm.service.patch 
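Review bot: The new carried patch has only a `Signed-off-by:` trailer and no upstream reference, whereas the patch dropped earlier in this series (`0001-sssd-always-print-path-when-config-object-is-rejecte.patch`) carried a `References:` line and a `(cherry picked from commit …)` trailer; nothing here ties commit `b927ca41…` to an upstream pull request or release, so checking that the local copy matches what upstream merged, and knowing when it can be dropped, is manual work. Adding `References: <upstream PR or commit URL>` after the Subject line, or the cherry-pick trailer once it lands upstream, keeps the provenance of patched source auditable. The change itself only names the previously unnamed `struct sss_tool_ctx *` parameters in the sssctl definitions, which reads as a build fix for compilers that reject unnamed parameters in function definitions.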
@@ -48,6 +49,7 @@ BuildRequires: libtool
 BuildRequires: libunistring-devel
 BuildRequires: libxml2-tools
 BuildRequires: libxslt-tools
+BuildRequires: libopenssl-3-devel
 BuildRequires: nscd
 BuildRequires: nss_wrapper
 BuildRequires: openldap2-devel
@@ -121,6 +123,13 @@ Obsoletes: sssd-common < %version-%release
 %define mcpath %sssdstatedir/mc
 %define ldbdir %(pkg-config ldb --variable=modulesdir)
+
+%if 0%{?suse_version} >= 1600
+%define permissions_path %_datadir/permissions/permissions.d/
+%else
+%define permissions_path %_sysconfdir/permissions.d/
+%endif
+
 # Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
 # %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
 # * cifs-utils one is the default (priority 20)
@@ -475,7 +484,7 @@ sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analy
 %endif
 echo 'u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin' >system-user-sssd.conf
-mkdir -p "$b/%_sysusersdir" "$b/etc/permissions.d"
+mkdir -p "$b/%_sysusersdir"
 cp -a system-user-sssd.conf "$b/%_sysusersdir/"
 %sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf
 install -Dpm 0644 contrib/sssd-tmpfiles.conf "%buildroot/%_tmpfilesdir/%name.conf"
@@ -484,7 +493,8 @@ install -Dpm 0644 contrib/sssd-tmpfiles.conf "%buildroot/%_tmpfilesdir/%name.con
 # https://www.openwall.com/lists/oss-security/2024/12/19/1
 #
 # should match entry from %%files list
-cat >"$b/etc/permissions.d/sssd" <<-EOF
+mkdir -p "$b/%permissions_path"
+cat >"$b/%permissions_path/sssd" <<-EOF
 %_libexecdir/sssd/sssd_pam root:sssd 0750
 +capabilities cap_dac_read_search=p
 %_libexecdir/sssd/selinux_child root:sssd 0750
@@ -645,7 +655,7 @@ fi
 %_unitdir/sssd-sudo.service
 %_sysusersdir/*sssd*
 %_tmpfilesdir/*sssd*
-%_sysconfdir/permissions.d/*
+%permissions_path/sssd
 %_datadir/polkit-1/
 %_bindir/sss_ssh_*
 %_sbindir/sssd
From 27948d90b8c9f087b3c7c52429244e574f67422ff0512c94b9b0da1f681272d1 Mon Sep 17 00:00:00 2001
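Review bot: `%permissions_path` is defined with a trailing slash in the `@@ -121,6 +123,13 @@` hunk (both `%_datadir/permissions/permissions.d/` and `%_sysconfdir/permissions.d/`), but every use appends another `/` — `"$b/%permissions_path/sssd"` in `@@ -484,7 +493,8 @@` and `%permissions_path/sssd` in `@@ -645,7 +655,7 @@` — so the expanded path contains `//`. rpm appears to tolerate that in `%files`, but the doubled slash shows up verbatim in the shell `cat` target and is a trap for the next use of the macro; dropping the slash from both defines, `%define permissions_path %_datadir/permissions/permissions.d` and `%define permissions_path %_sysconfdir/permissions.d`, fixes every use at once. Separately, `BuildRequires: libopenssl-3-devel` in `@@ -48,6 +49,7 @@` is unrelated to the build-fix patch this commit adds and is not mentioned in the sssd.changes entry of the following commit; one sentence there saying why it is needed would help whoever audits the build dependencies later.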
From: OBS User unknown
Date: Thu, 9 Jan 2025 17:30:57 +0000
Subject: [PATCH 13/14] [info=090bf5ef3094f02956c446012780493e69a1b75e976ce71b74cea81b1eb77897]
OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=334
---
 _scmsync.obsinfo | 4 ++--
 build.specials.obscpio | 2 +-
 sssd.changes | 1 +
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/_scmsync.obsinfo b/_scmsync.obsinfo
index 9487338..e1d81fa 100644
--- a/_scmsync.obsinfo
+++ b/_scmsync.obsinfo
@@ -1,4 +1,4 @@
-mtime: 1735824824
-commit: cd05c14a49b9600916b3ace67564befd817f17fbbae208a2197db413e82a7560
+mtime: 1736443840
+commit: 090bf5ef3094f02956c446012780493e69a1b75e976ce71b74cea81b1eb77897
 url: https://src.opensuse.org/jengelh/sssd
 revision: master
diff --git a/build.specials.obscpio b/build.specials.obscpio
index 8f5594f..be7023d 100644
--- a/build.specials.obscpio
+++ b/build.specials.obscpio
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:ad06894f2980a38b30ed36cd59bf7d6590c73c717b8f9f5dd63797ab1bf63284
+oid sha256:5a7c3a800bd9262e07b20e98aad996e878a93b8ca29e5ba2d442812c4b66df8c
 size 256
diff --git a/sssd.changes b/sssd.changes
index 1121950..75f144c 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -13,6 +13,7 @@ Tue Dec 10 20:17:10 UTC 2024 - Jan Engelhardt
 0001-INI-stop-using-libini_config-for-access-check.patch,
 0001-sssd-always-print-path-when-config-object-is-rejecte.patch
 (merged)
+- Add 0001-TOOL-Fix-build-parameter-name-omitted.patch
 -------------------------------------------------------------------
 Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt
From dcf4f635d5c3bd74cc2263fdee54a383fc6e010306591e64ddfb1fddbed70145 Mon Sep 17 00:00:00 2001
From: OBS User unknown
Date: Fri, 10 Jan 2025 19:53:36 +0000
Subject: [PATCH 14/14] [info=e9bed7037d80b1a2f8f6599da3e1d34aee9e5b250cf5642ba8f8e1c6ea438517]
OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=335
---
 _scmsync.obsinfo | 4 ++--
 build.specials.obscpio | 2 +-
 sssd.spec | 4 +++-
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/_scmsync.obsinfo b/_scmsync.obsinfo
index e1d81fa..cd6f0fc 100644
--- a/_scmsync.obsinfo
+++ b/_scmsync.obsinfo
@@ -1,4 +1,4 @@
-mtime: 1736443840
-commit: 090bf5ef3094f02956c446012780493e69a1b75e976ce71b74cea81b1eb77897
+mtime: 1736538796
+commit: e9bed7037d80b1a2f8f6599da3e1d34aee9e5b250cf5642ba8f8e1c6ea438517
 url: https://src.opensuse.org/jengelh/sssd
 revision: master
diff --git a/build.specials.obscpio b/build.specials.obscpio
index be7023d..4f9bec8 100644
--- a/build.specials.obscpio
+++ b/build.specials.obscpio
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:5a7c3a800bd9262e07b20e98aad996e878a93b8ca29e5ba2d442812c4b66df8c
+oid sha256:c125f3492f8f3631e79acbaf633c871c2e3afe7c0e9ce5e0da888e0ba4cbd104
 size 256
diff --git a/sssd.spec b/sssd.spec
index 724de9e..97f76b5 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -656,7 +656,9 @@ fi
 %_sysusersdir/*sssd*
 %_tmpfilesdir/*sssd*
 %permissions_path/sssd
-%_datadir/polkit-1/
+%dir %_datadir/polkit-1
+%attr(0555,root,root) %dir %_datadir/polkit-1/rules.d
+%_datadir/polkit-1/rules.d/*
 %_bindir/sss_ssh_*
 %_sbindir/sssd
 %if 0%{?suse_version} < 1600
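Review bot: The `@@ -656,7 +656,9 @@` hunk makes sssd own `%_datadir/polkit-1` and `%_datadir/polkit-1/rules.d` with an explicit `%attr(0555,root,root)`; if the polkit package ships the same directories with a different mode, rpm may report a conflict or let whichever package is installed last decide the effective mode, which is an odd thing for sssd to control. Either confirm 0555 matches polkit's own entry for `rules.d`, or keep only `%_datadir/polkit-1/rules.d/*` plus a plain `%dir` without `%attr` and leave the mode to polkit (a `Requires: polkit` would then guarantee the directory exists). The old `%_datadir/polkit-1/` line claimed the whole tree, so narrowing it to `rules.d/*` is an improvement on its own.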