SHA256
1
0
forked from jengelh/sssd

Add note about unprivileged mode security review

This commit is contained in:
Jan Engelhardt 2024-12-20 09:20:44 +01:00
parent 7a9befa693
commit 1507d9a094

View File

@ -120,7 +120,6 @@ Obsoletes: sssd-common < %version-%release
%define keytabdir %sssdstatedir/keytabs %define keytabdir %sssdstatedir/keytabs
%define mcpath %sssdstatedir/mc %define mcpath %sssdstatedir/mc
%define ldbdir %(pkg-config ldb --variable=modulesdir) %define ldbdir %(pkg-config ldb --variable=modulesdir)
%define child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko # Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
# %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins # %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
@ -480,6 +479,10 @@ mkdir -p "$b/%_sysusersdir" "$b/etc/permissions.d"
cp -a system-user-sssd.conf "$b/%_sysusersdir/" cp -a system-user-sssd.conf "$b/%_sysusersdir/"
%sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf %sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf
install -Dpm 0644 contrib/sssd-tmpfiles.conf "%buildroot/%_tmpfilesdir/%name.conf" install -Dpm 0644 contrib/sssd-tmpfiles.conf "%buildroot/%_tmpfilesdir/%name.conf"
#
# Security considerations for capabilities, chown and stuff:
# https://www.openwall.com/lists/oss-security/2024/12/19/1
#
# should match entry from %%files list # should match entry from %%files list
cat >"$b/etc/permissions.d/sssd" <<-EOF cat >"$b/etc/permissions.d/sssd" <<-EOF
%_libexecdir/sssd/sssd_pam root:sssd 0750 %_libexecdir/sssd/sssd_pam root:sssd 0750