From d236d87ed89f720f7cdd75ceb8eee5ce72b6fa3d8878dd5e16de8962d581542b Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Wed, 16 Oct 2024 17:05:53 +0200 Subject: [PATCH] sssd 2.10.0 (part 2) --- ...t-path-when-config-object-is-rejecte.patch | 88 ++++++++++++++ sssd.changes | 1 + sssd.spec | 115 +++++++++--------- 3 files changed, 146 insertions(+), 58 deletions(-) create mode 100644 0001-sssd-always-print-path-when-config-object-is-rejecte.patch diff --git a/0001-sssd-always-print-path-when-config-object-is-rejecte.patch b/0001-sssd-always-print-path-when-config-object-is-rejecte.patch new file mode 100644 index 0000000..5ea6697 --- /dev/null +++ b/0001-sssd-always-print-path-when-config-object-is-rejecte.patch 
@@ -0,0 +1,88 @@ +From 338638cd5f374e0699d7b7495a5fa8f25511fa55 Mon Sep 17 00:00:00 2001 +From: Jan Engelhardt +Date: Wed, 16 Oct 2024 09:55:50 +0200 +Subject: [PATCH] sssd: always print path when config object is rejected +References: https://github.com/SSSD/sssd/pull/7649 + +Observed: + +``` +Oct 16 09:44:04 a4 sssd[28717]: [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed. +Oct 16 09:44:04 a4 sssd[28717]: Can't read config: 'File ownership and permissions check failed' +Oct 16 09:44:04 a4 sssd[28717]: Failed to read configuration: 'File ownership and permissions check failed' +``` + +Expected: + +_Well yes, but **which one**_!? +--- + src/monitor/monitor.c | 4 ++-- + src/util/sss_ini.c | 14 ++++++++------ + 2 files changed, 10 insertions(+), 8 deletions(-) + +diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c +index e17b0e416..f67e4446f 100644 +--- a/src/monitor/monitor.c ++++ b/src/monitor/monitor.c +@@ -1931,9 +1931,9 @@ int main(int argc, const char *argv[]) + ret = confdb_read_ini(tmp_ctx, config_file, CONFDB_DEFAULT_CONFIG_DIR, false, + &config); + if (ret != EOK) { +- ERROR("Can't read config: '%s'\n", sss_strerror(ret)); ++ ERROR("Cannot read config %s: '%s'\n", config_file, sss_strerror(ret)); + sss_log(SSS_LOG_ALERT, +- "Failed to read configuration: '%s'", sss_strerror(ret)); ++ "Failed to read configuration %s: '%s'", config_file, sss_strerror(ret)); + ret = 3; + goto out; + } +diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c +index 7f9824d88..2a611eb8c 100644 +--- a/src/util/sss_ini.c ++++ b/src/util/sss_ini.c +@@ -888,7 +888,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self, + ret = sss_ini_open(self, config_file, "[sssd]\n"); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "The sss_ini_open failed %s: %d\n", ++ "sss_ini_open on %s failed: %d\n", + config_file, + ret); + return ERR_INI_OPEN_FAILED; +@@ -898,26 +898,28 @@ int sss_ini_read_sssd_conf(struct sss_ini *self, + ret = 
sss_ini_access_check(self); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "Permission check on config file failed.\n"); ++ "Permission check on config file %s failed: %d\n", ++ config_file, ret); + return ERR_INI_INVALID_PERMISSION; + } + } else { + DEBUG(SSSDBG_CONF_SETTINGS, +- "File %1$s does not exist.\n", +- (config_file ? config_file : "NULL")); ++ "File %s does not exist.\n", config_file); + } + + ret = sss_ini_parse(self); + if (ret != EOK) { + sss_ini_config_print_errors(self->error_list); +- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration.\n"); ++ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration file %s: %d\n", ++ config_file, ret); + return ERR_INI_PARSE_FAILED; + } + + ret = sss_ini_add_snippets(self, config_dir); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, +- "Error while reading configuration directory.\n"); ++ "Error while reading configuration directory %s: %d\n", ++ config_dir, ret); + return ERR_INI_ADD_SNIPPETS_FAILED; + } + +-- +2.47.0 + diff --git a/sssd.changes b/sssd.changes index 9e67996..97bef57 100644 --- a/sssd.changes +++ b/sssd.changes @@ -15,6 +15,7 @@ Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt * The default value for ``ldap_id_use_start_tls`` changed from false to true for improved security. * https://github.com/SSSD/sssd/releases/tag/2.10.0 +- Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch ------------------------------------------------------------------- Tue Oct 1 10:15:07 UTC 2024 - Jan Engelhardt diff --git a/sssd.spec b/sssd.spec index 158b0a0..867b56e 100644 --- a/sssd.spec +++ b/sssd.spec @@ -32,6 +32,7 @@ Patch1: krb-noversion.diff Patch2: harden_sssd-ifp.service.patch Patch3: harden_sssd-kcm.service.patch Patch4: symvers.patch +Patch5: 0001-sssd-always-print-path-when-config-object-is-rejecte.patch BuildRequires: autoconf >= 2.59 BuildRequires: automake BuildRequires: bind-utils 
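Review bot: The `File %s does not exist.` DEBUG in the sss_ini.c hunk drops the `(config_file ? config_file : "NULL")` guard that the removed line carried, so a NULL config_file now reaches a `%s` conversion, which is undefined behaviour (glibc printing `(null)` is an extension, not a guarantee). The old guard suggests NULL is a reachable value at this point; the other new `%s` uses of config_file and config_dir in this hunk, and the `ERROR`/`sss_log` lines in the monitor.c hunk, have the same exposure if their callers permit a NULL path. Keep the guard, `"File %s does not exist.\n", config_file ? config_file : "NULL");`, and apply the same form to the other new format arguments. sss_ini_read_sssd_conf continues past the end of the hunk.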
@@ -53,7 +54,10 @@ BuildRequires: nss_wrapper BuildRequires: openldap2-devel BuildRequires: pam-devel BuildRequires: pkg-config >= 0.21 +BuildRequires: python3-wheel +BuildRequires: python3-setuptools BuildRequires: systemd-rpm-macros +BuildRequires: sysuser-tools BuildRequires: uid_wrapper BuildRequires: pkgconfig(augeas) >= 1.0.0 BuildRequires: pkgconfig(collection) >= 0.5.1 @@ -87,8 +91,6 @@ BuildRequires: pkgconfig(talloc) BuildRequires: pkgconfig(tdb) >= 1.1.3 BuildRequires: pkgconfig(tevent) BuildRequires: pkgconfig(uuid) -BuildRequires: python3-wheel -BuildRequires: python3-setuptools %if 0%{?suse_version} && 0%{?suse_version} < 1600 # samba-client-devel pulls samba-client-libs pulls libldap-2_4-2 wants libldap-data(-2.4); # this conflicts with @@ -96,6 +98,7 @@ BuildRequires: python3-setuptools # Package contains just config files, not needed for build. #!BuildIgnore: libldap-data %endif +%sysusers_requires %{?systemd_ordering} Requires: sssd-ldap = %version-%release Requires(postun): pam-config @@ -125,11 +128,11 @@ Requires(post): update-alternatives Requires(postun): update-alternatives %description -Provides a set of daemons to manage access to remote directories and -authentication mechanisms. It provides an NSS and PAM interface toward -the system and a pluggable backend system to connect to multiple different -account sources. It is also the basis to provide client auditing and policy -services for projects like FreeIPA. +A set of daemons to manage access to remote directories and +authentication mechanisms. sssd provides an NSS and PAM interfaces +toward the system and a pluggable backend system to connect to +multiple different account sources. It is also the basis to provide +client auditing and policy services for projects like FreeIPA. %package ad Summary: The ActiveDirectory backend plugin for sssd 
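Review bot: The rewritten %description in the `@@ -125,11 +128,11 @@` hunk introduces a number disagreement, `sssd provides an NSS and PAM interfaces`. The removed text used the singular `interface`; since the new sentence ends in the plural, drop the article: `authentication mechanisms. sssd provides NSS and PAM interfaces`.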
@@ -139,9 +142,8 @@ Requires: %name-krb5-common = %version-%release Requires: adcli %description ad -Provides the Active Directory back end that the SSSD can utilize to -fetch identity data from and authenticate against an Active Directory -server. +A back-end provider that the SSSD can utilize to fetch identity data +from, and authenticate with, an Active Directory server. %package dbus Summary: The D-Bus responder of sssd @@ -150,7 +152,7 @@ Group: System/Base Requires: %name = %version %description dbus -Provides the D-Bus responder of sssd, called InfoPipe, which allows +D-Bus responder of sssd, called InfoPipe, which allows information from sssd to be transmitted over the system bus. %package ipa @@ -164,8 +166,8 @@ Obsoletes: %name-ipa-provider < %version-%release Provides: %name-ipa-provider = %version-%release %description ipa -Provides the IPA back end that the SSSD can utilize to fetch identity -data from and authenticate against an IPA server. +A back-end provider that the SSSD can utilize to fetch identity data +from, and authenticate with, an IPA server. %package kcm Summary: SSSD's Kerberos cache manager @@ -184,8 +186,8 @@ Group: System/Daemons Requires: %name-krb5-common = %version-%release %description krb5 -Provides the Kerberos back end that the SSSD can utilize authenticate -against a Kerberos server. +A back-end provider that the SSSD can utilize to authenticate against +a Kerberos server. %package krb5-common Summary: SSSD helpers needed for Kerberos and GSSAPI authentication @@ -204,8 +206,8 @@ Group: System/Daemons Requires: %name-krb5-common = %version-%release %description ldap -Provides the LDAP back end that the SSSD can utilize to fetch -identity data from and authenticate against an LDAP server. +A back-end provider that the SSSD can utilize to fetch identity data +from, and authenticate with, an LDAP server. %package proxy Summary: The proxy backend plugin for sssd 
@@ -213,8 +215,8 @@ License: GPL-3.0-or-later Group: System/Daemons %description proxy -Provides the proxy back end which can be used to wrap an existing NSS -and/or PAM modules to leverage SSSD caching. +A back-end provider which can be used to wrap existing NSS and/or PAM +modules to leverage SSSD caching. (This can replace nscd.) %package tools Summary: Commandline tools for sssd @@ -224,7 +226,7 @@ Requires: python3-sssd-config = %version-%release Requires: sssd = %version %description tools -The packages contains commandline tools for managing users and groups using +The packages contains command-line tools for managing users and groups using the "local" id provider of the System Security Services Daemon (sssd). %package winbind-idmap @@ -241,7 +243,7 @@ License: LGPL-3.0-or-later Group: System/Libraries %description -n libsss_certmap0 -A utility library for FreeIPA to map certs. +A utility library for FreeIPA to map certificates. %package -n libsss_certmap-devel Summary: Development files for the FreeIPA certmap library @@ -250,7 +252,7 @@ Group: Development/Libraries/C and C++ Requires: libsss_certmap0 = %version %description -n libsss_certmap-devel -A utility library for FreeIPA to map certs. +A utility library for FreeIPA to map certificates. %package -n libipa_hbac0 Summary: FreeIPA HBAC Evaluator library @@ -314,7 +316,6 @@ Requires: libsss_nss_idmap0 = %version %description -n libsss_nss_idmap-devel A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs. -%if 0%{?suse_version} < 1600 %package -n libsss_simpleifp0 Summary: The SSSD D-Bus responder helper library License: GPL-3.0-or-later @@ -337,7 +338,6 @@ Requires: libsss_simpleifp0 = %version This subpackage provides the development files for sssd's simpleifp, a library that simplifies the D-Bus API for the SSSD InfoPipe responder. -%endif %package -n libsss_sudo Summary: A library to allow communication between sudo and SSSD 
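Review bot: The tools %description in the `@@ -224,7 +226,7 @@` hunk is rewritten but keeps the pre-existing subject/verb mismatch `The packages contains`. Since the line is being touched anyway, make it `The package contains command-line tools for managing users and groups using`.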
@@ -423,7 +423,7 @@ autoreconf -fiv %make_build all %install -# sss_obfuscate is compatible with both python 2 and 3 +# sss_obfuscate is compatible with both Python 2 and 3 perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate %make_install dbuspolicydir=%_datadir/dbus-1/system.d b="%buildroot" @@ -457,21 +457,26 @@ find "$b" -type f -name "*.la" -print -delete %find_lang %name --all-name # dummy target for cifs-idmap-plugin -mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils -ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin +mkdir -pv "$b/%_sysconfdir/alternatives" "$b/%_sysconfdir/cifs-utils" +ln -sfv "%_sysconfdir/alternatives/%cifs_idmap_name" "$b/%cifs_idmap_plugin" %python3_fix_shebang %if 0%{?suse_version} > 1600 %python3_fix_shebang_path %buildroot/%_libexecdir/%name/ %elif 0%{?suse_version} == 1600 # python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204 -sed -i '1s@#!.*python.*@#!%{_bindir}/python3.11@' %{buildroot}/%{_libexecdir}/%{name}/sss_analyze +sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analyze" %endif +echo 'u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin' >system-user-sssd.conf +mkdir -p "$b/%_sysusersdir" +cp -a system-user-sssd.conf "$b/%_sysusersdir/" +%sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf + %check # sss_config-tests fails %make_build check || : -%pre +%pre -f random.pre %service_add_pre sssd.service %if "%{?_distconfdir}" != "" # Prepare for migration to /usr/etc; save any old .rpmsave @@ -496,7 +501,7 @@ update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_li %postun /sbin/ldconfig -if [ "$1" = "0" -a -x "%_sbindir/pam-config" ]; then +if [ "$1" = "0" ] && [ -x "%_sbindir/pam-config" ]; then "%_sbindir/pam-config" -d --sss || : fi # del_postun includes a try-restart 
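Review bot: In the `@@ -457,21 +457,26 @@` hunk the generated pre-scriptlet is named `random` (`%sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf`, consumed by `%pre -f random.pre`), which says nothing about what it is when read next to the other scriptlets. A name tied to the account makes the pairing obvious: `%sysusers_generate_pre system-user-sssd.conf sssd system-user-sssd.conf` and `%pre -f sssd.pre`. A one-line comment above the echo, `# sysusers.d entry for the sssd service account; the generated .pre feeds %pre`, would also help, since the link between the two lines is only implied by the macro name.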
@@ -506,18 +511,11 @@ if [ ! -f "%cifs_idmap_lib" ]; then update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib fi -%post -n libsss_certmap0 -p /sbin/ldconfig -%postun -n libsss_certmap0 -p /sbin/ldconfig -%post -n libipa_hbac0 -p /sbin/ldconfig -%postun -n libipa_hbac0 -p /sbin/ldconfig -%post -n libsss_idmap0 -p /sbin/ldconfig -%postun -n libsss_idmap0 -p /sbin/ldconfig -%post -n libsss_nss_idmap0 -p /sbin/ldconfig -%postun -n libsss_nss_idmap0 -p /sbin/ldconfig -%if 0%{?suse_version} < 1600 -%post -n libsss_simpleifp0 -p /sbin/ldconfig -%postun -n libsss_simpleifp0 -p /sbin/ldconfig -%endif +%ldconfig_scriptlets -n libsss_certmap0 +%ldconfig_scriptlets -n libipa_hbac0 +%ldconfig_scriptlets -n libsss_idmap0 +%ldconfig_scriptlets -n libsss_nss_idmap0 +%ldconfig_scriptlets -n libsss_simpleifp0 %triggerun -- %name < %version-%release # sssd takes care of upgrading the database but it doesn't handle downgrades. @@ -556,13 +554,13 @@ fi # Migrate sssd.service from sssd-common to sssd systemctl is-enabled sssd.service > /dev/null if [ $? -eq 0 ]; then -mkdir -p /run/systemd/rpm/ -touch /run/systemd/rpm/sssd-was-enabled + mkdir -p /run/systemd/rpm/ + touch /run/systemd/rpm/sssd-was-enabled fi systemctl is-active sssd.service > /dev/null if [ $? -eq 0 ]; then -mkdir -p /run/systemd/rpm/ -touch /run/systemd/rpm/sssd-was-active + mkdir -p /run/systemd/rpm/ + touch /run/systemd/rpm/sssd-was-active fi %posttrans 
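Review bot: `%ldconfig_scriptlets -n libsss_simpleifp0` in the `@@ -506,18 +511,11 @@` hunk is now unconditional, in step with the `%if 0%{?suse_version} < 1600` guard dropped around the libsss_simpleifp0 and -devel package definitions in the `@@ -314` and `@@ -337` hunks. The matching %files sections are outside these hunks; if the library is not produced on some target, the scriptlet refers to a subpackage that does not exist and rpmbuild refuses the spec, so this presumably relies on 2.10.0 building libsss_simpleifp on every target. That assumption is worth stating in the sssd.changes entry, which currently mentions only the new patch.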
@@ -574,20 +572,20 @@ done %endif # Migrate sssd.service from sssd-common to sssd if [ -e /run/systemd/rpm/sssd-was-enabled ]; then -systemctl is-enabled sssd.service > /dev/null -if [ $? -ne 0 ]; then - echo "Migrating sssd.service, was enabled" - systemctl enable sssd.service -fi -rm /run/systemd/rpm/sssd-was-enabled + systemctl is-enabled sssd.service >/dev/null + if [ $? -ne 0 ]; then + echo "Migrating sssd.service, was enabled" + systemctl enable sssd.service + fi + rm /run/systemd/rpm/sssd-was-enabled fi if [ -e /run/systemd/rpm/sssd-was-active ]; then -systemctl is-active sssd.service > /dev/null -if [ $? -ne 0 ]; then - echo "Migrating sssd.service, was active" - systemctl start sssd.service -fi -rm /run/systemd/rpm/sssd-was-active + systemctl is-active sssd.service >/dev/null + if [ $? -ne 0 ]; then + echo "Migrating sssd.service, was active" + systemctl start sssd.service + fi + rm /run/systemd/rpm/sssd-was-active fi %files -f sssd.lang @@ -605,6 +603,7 @@ fi %_unitdir/sssd-ssh.service %_unitdir/sssd-sudo.socket %_unitdir/sssd-sudo.service +%_sysusersdir/*sssd* %_bindir/sss_ssh_* %_sbindir/sssd %if 0%{?suse_version} < 1600
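Review bot: The new %files entry in the `@@ -605,6 +603,7 @@` hunk uses the glob `%_sysusersdir/*sssd*`, while the file installed in %install has a fixed name. Listing it exactly, `%_sysusersdir/system-user-sssd.conf`, keeps an unintended extra file from being packaged silently and makes the pairing with the install step visible.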