Update to sssd 2.10.0 #3

scabrero · 2024-10-16T18:16:52+02:00

scabrero commented

2024-10-16 18:16:52 +02:00

Lot of changes here, I started to prepare it in the beta phase and everything seems to work fine after the update.

The whitelists for DBus services changes and the new polkit policy are in place, https://bugzilla.suse.com/show_bug.cgi?id=1230051

Still have to ping again in the bug to whitelist the permissions file to set the capabilities:

[ 143s] sssd.x86_64: E: permissions-file-unauthorized (Badness: 10) /etc/permissions.d/sssd (sha256 file digest default filter:c4ff3df95b4534cc7bbd75c3efdd830534f91b9c0281fabed37dc6fba0ec93c3 shell filter:a96143927368c0059a3f3b2ac1bf2368e66f090da7e7d3996e00becf7e9f82d7 xml filter:)
[ 143s] Packaging permissions.d drop-in snippets requires a review and whitelisting by
[ 143s] the SUSE security team. If the package is intended for inclusion in any SUSE
[ 143s] product please open a bug report to request review of the package by the
[ 143s] security team. Please refer to
[ 143s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[ 143s] more information.

But this can be reviewed meanwhile.

Lot of changes here, I started to prepare it in the beta phase and everything seems to work fine after the update. The whitelists for DBus services changes and the new polkit policy are in place, https://bugzilla.suse.com/show_bug.cgi?id=1230051 Still have to ping again in the bug to whitelist the permissions file to set the capabilities: [ 143s] sssd.x86_64: E: permissions-file-unauthorized (Badness: 10) /etc/permissions.d/sssd (sha256 file digest default filter:c4ff3df95b4534cc7bbd75c3efdd830534f91b9c0281fabed37dc6fba0ec93c3 shell filter:a96143927368c0059a3f3b2ac1bf2368e66f090da7e7d3996e00becf7e9f82d7 xml filter:<failed-to-calculate>) [ 143s] Packaging permissions.d drop-in snippets requires a review and whitelisting by [ 143s] the SUSE security team. If the package is intended for inclusion in any SUSE [ 143s] product please open a bug report to request review of the package by the [ 143s] security team. Please refer to [ 143s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for [ 143s] more information. But this can be reviewed meanwhile.

scabrero added 1 commit 2024-10-16 18:16:53 +02:00

Update to sssd 2.10.0 32627c5c2b

Signed-off-by: Samuel Cabrero <scabrero@suse.de>

jengelh commented

2024-10-18 16:15:10 +02:00

conflicted, which is kinda bound to happen if everyone jumps at it right away

scabrero force-pushed sssd-2-10-update from 32627c5c2b to 7cfcf103d1

2024-10-21 14:13:04 +02:00

Compare

scabrero commented

2024-10-21 14:55:16 +02:00

conflicted, which is kinda bound to happen if everyone jumps at it right away

Yes, I will rebase, test, and open a new PR.

> conflicted, which is kinda bound to happen if everyone jumps at it right away Yes, I will rebase, test, and open a new PR.

scabrero closed this pull request

2024-10-21 14:55:16 +02:00

jengelh commented

2024-10-21 15:02:09 +02:00

The unprivileged user thing has so far given me unfavorable user experience.

https://github.com/SSSD/sssd/pull/7660 https://github.com/SSSD/sssd/pull/7649
I think we want to wait for upstream to see how those patches turn out.

The unprivileged user thing has so far given me unfavorable user experience. https://github.com/SSSD/sssd/pull/7660 https://github.com/SSSD/sssd/pull/7649 I think we want to wait for upstream to see how those patches turn out.

scabrero reopened this pull request

2024-10-28 12:18:50 +01:00

scabrero commented

2024-10-28 12:20:50 +01:00

Hi Jan, with these changes it runs under sssd user without problems. I have updated your patch with the upstream accepted version.

Hi Jan, with these changes it runs under `sssd` user without problems. I have updated your patch with the upstream accepted version.

jengelh commented

2024-11-05 18:59:22 +01:00

If you avoid renaming files, the commit diffs can be less cluttered.

 %service_add_post sssd.service
+%service_add_post sssd-autofs.service sssd-autofs.socket
+%service_add_post sssd-nss.service sssd-nss.socket
+%service_add_post sssd-pac.service sssd-pac.socket
+%service_add_post sssd-pam.service sssd-pam.socket
+%service_add_post sssd-ssh.service sssd-ssh.socket
+%service_add_post sssd-sudo.service sssd-sudo.socket

You should not call %service_ more than once; it expands to unnecessary much shell code otherwise.

+%package polkit-rules
+Summary:        Rules for polkit integration for SSSD
+Group:          System/Daemons
+License:        GPL-3.0-or-later
+Requires:       %name = %version-%release
+Requires:       polkit >= 0.106
+BuildArch:      noarch

This does not really need to be in a separate package, does it?

+Requires(pre):  permissions
+Requires(post): permissions

I think we are missing a bunch of Requires(verifyscript):permissions.

+%_bindir/rm -f %mcpath/passwd
+%_bindir/rm -f %mcpath/group
+%_bindir/rm -f %mcpath/initgroups
+%_bindir/rm -f %mcpath/sid
+%_bindir/chown -f %sssd_user:%sssd_user %dbpath/* || true
+%_bindir/chown -f %sssd_user:%sssd_user %_sysconfdir/sssd/sssd.conf || true
+%_bindir/chown -f -R %sssd_user:%sssd_user %_sysconfdir/sssd/conf.d || true
+%_bindir/chown -f %sssd_user:%sssd_user %_localstatedir/log/%name/*.log || true

I do not think this will be necessary, because it's already done by .service units.

+%if 0%{?suse_version} < 1600
 %ldconfig_scriptlets -n libsss_simpleifp0
+%endif

The extra condition is not needed.

If you avoid renaming files, the commit diffs can be less cluttered. ``` %service_add_post sssd.service +%service_add_post sssd-autofs.service sssd-autofs.socket +%service_add_post sssd-nss.service sssd-nss.socket +%service_add_post sssd-pac.service sssd-pac.socket +%service_add_post sssd-pam.service sssd-pam.socket +%service_add_post sssd-ssh.service sssd-ssh.socket +%service_add_post sssd-sudo.service sssd-sudo.socket ``` You should not call %service_ more than once; it expands to unnecessary much shell code otherwise. ``` +%package polkit-rules +Summary: Rules for polkit integration for SSSD +Group: System/Daemons +License: GPL-3.0-or-later +Requires: %name = %version-%release +Requires: polkit >= 0.106 +BuildArch: noarch ``` This does not really need to be in a separate package, does it? ``` +Requires(pre): permissions +Requires(post): permissions ``` I think we are missing a bunch of Requires(verifyscript):permissions. ``` +%_bindir/rm -f %mcpath/passwd +%_bindir/rm -f %mcpath/group +%_bindir/rm -f %mcpath/initgroups +%_bindir/rm -f %mcpath/sid +%_bindir/chown -f %sssd_user:%sssd_user %dbpath/* || true +%_bindir/chown -f %sssd_user:%sssd_user %_sysconfdir/sssd/sssd.conf || true +%_bindir/chown -f -R %sssd_user:%sssd_user %_sysconfdir/sssd/conf.d || true +%_bindir/chown -f %sssd_user:%sssd_user %_localstatedir/log/%name/*.log || true ``` I do not think this will be necessary, because it's already done by .service units. ``` +%if 0%{?suse_version} < 1600 %ldconfig_scriptlets -n libsss_simpleifp0 +%endif ``` The extra condition is not needed.

jengelh commented

2024-11-05 19:17:02 +01:00

+%pre krb5-common
+%sysusers_create_package %name %SOURCE6
+%sysusers_create_package %name-krb5-common %SOURCE6

we should avoid mixing mechanisms from (systemd's) sysusers and (thkukuk's) sysuser-tools if that's possible.

``` +%pre krb5-common +%sysusers_create_package %name %SOURCE6 +%sysusers_create_package %name-krb5-common %SOURCE6 ``` we should avoid mixing mechanisms from (systemd's) sysusers and (thkukuk's) sysuser-tools if that's possible.

jengelh commented

2024-11-05 19:27:55 +01:00

[ 74s] sssd.src: E: unused-rpmlintrc-filter "binary-or-shlib-calls-gethostbyname"

jengelh manually merged commit 6e6893108a into master

2024-11-05 22:19:17 +01:00

Sign in to join this conversation.

No reviewers

No Label

No Milestone

No Assignees

2 Participants

Notifications

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: jengelh/sssd#3