forked from jengelh/sssd
Accepting request 632454 from home:kbabioch:branches:network:ldap
- Update to upstream release 1.16.3 OBS-URL: https://build.opensuse.org/request/show/632454 OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=206
This commit is contained in:
parent
a03258dbe5
commit
77a4f94e77
@ -1,45 +0,0 @@
|
|||||||
From 06193adc0de042484f672cadd0808c78c5ebb70e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Date: Fri, 15 Jun 2018 22:29:34 +0200
|
|
||||||
Subject: [PATCH] SUDO: Create the socket with stricter permissions
|
|
||||||
|
|
||||||
This patch switches the sudo responder from being created as a public
|
|
||||||
responder where the permissions are open and not checked by the sssd
|
|
||||||
deaamon to a private socket. In this case, sssd creates the pipes with
|
|
||||||
strict permissions (see the umask in the call to create_pipe_fd() in
|
|
||||||
set_unix_socket()) and additionaly checks the permissions with every read
|
|
||||||
via the tevent integrations (see accept_fd_handler()).
|
|
||||||
---
|
|
||||||
src/responder/sudo/sudosrv.c | 3 ++-
|
|
||||||
src/sysv/systemd/sssd-sudo.socket.in | 1 +
|
|
||||||
2 files changed, 3 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
|
|
||||||
index ac4258710d3a9b48285522abd23bdd59ba42ad4e..e87a24499c2d82fafaa8e1f9b386e44332394266 100644
|
|
||||||
--- a/src/responder/sudo/sudosrv.c
|
|
||||||
+++ b/src/responder/sudo/sudosrv.c
|
|
||||||
@@ -79,7 +79,8 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
|
|
||||||
sudo_cmds = get_sudo_cmds();
|
|
||||||
ret = sss_process_init(mem_ctx, ev, cdb,
|
|
||||||
sudo_cmds,
|
|
||||||
- SSS_SUDO_SOCKET_NAME, -1, NULL, -1,
|
|
||||||
+ NULL, -1, /* No public socket */
|
|
||||||
+ SSS_SUDO_SOCKET_NAME, -1, /* Private socket only */
|
|
||||||
CONFDB_SUDO_CONF_ENTRY,
|
|
||||||
SSS_SUDO_SBUS_SERVICE_NAME,
|
|
||||||
SSS_SUDO_SBUS_SERVICE_VERSION,
|
|
||||||
diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in
|
|
||||||
index c9abb875f0accbaf58d78846020fef74c7473528..96a8b0327ddb4d331c9b2e97ece3453f8f76872d 100644
|
|
||||||
--- a/src/sysv/systemd/sssd-sudo.socket.in
|
|
||||||
+++ b/src/sysv/systemd/sssd-sudo.socket.in
|
|
||||||
@@ -11,6 +11,7 @@ ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r sudo
|
|
||||||
ListenStream=@pipepath@/sudo
|
|
||||||
SocketUser=@SSSD_USER@
|
|
||||||
SocketGroup=@SSSD_USER@
|
|
||||||
+SocketMode=0600
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=sssd.service
|
|
||||||
--
|
|
||||||
2.14.3
|
|
||||||
|
|
@ -1,44 +0,0 @@
|
|||||||
From b34fcff0f8bccd7b827686b50c53f45b7e20bb44 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
|
|
||||||
Date: Tue, 12 Jun 2018 19:07:52 +0200
|
|
||||||
Subject: [PATCH] intg: Do not hardcode nsslibdir
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
This change is needed in order to have make intgcheck-run properly
|
|
||||||
running on opensuse systems.
|
|
||||||
|
|
||||||
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
|
|
||||||
Reviewed-by: Chris Kowalczyk <ckowalczyk@suse.com>
|
|
||||||
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
||||||
---
|
|
||||||
src/tests/intg/Makefile.am | 1 +
|
|
||||||
src/tests/intg/config.py.m4 | 2 +-
|
|
||||||
2 files changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
|
|
||||||
index 9c5338261..4bd427669 100644
|
|
||||||
--- a/src/tests/intg/Makefile.am
|
|
||||||
+++ b/src/tests/intg/Makefile.am
|
|
||||||
@@ -73,6 +73,7 @@ cwrap-dbus-system.conf: data/cwrap-dbus-system.conf.in Makefile
|
|
||||||
config.py: config.py.m4
|
|
||||||
m4 -D "prefix=\`$(prefix)'" \
|
|
||||||
-D "sysconfdir=\`$(sysconfdir)'" \
|
|
||||||
+ -D "nsslibdir=\`$(nsslibdir)'" \
|
|
||||||
-D "dbpath=\`$(dbpath)'" \
|
|
||||||
-D "pidpath=\`$(pidpath)'" \
|
|
||||||
-D "logpath=\`$(logpath)'" \
|
|
||||||
diff --git a/src/tests/intg/config.py.m4 b/src/tests/intg/config.py.m4
|
|
||||||
index 6e011b692..04f78d869 100644
|
|
||||||
--- a/src/tests/intg/config.py.m4
|
|
||||||
+++ b/src/tests/intg/config.py.m4
|
|
||||||
@@ -4,7 +4,7 @@ Build configuration variables.
|
|
||||||
|
|
||||||
PREFIX = "prefix"
|
|
||||||
SYSCONFDIR = "sysconfdir"
|
|
||||||
-NSS_MODULE_DIR = PREFIX + "/lib"
|
|
||||||
+NSS_MODULE_DIR = "nsslibdir"
|
|
||||||
SSSDCONFDIR = SYSCONFDIR + "/sssd"
|
|
||||||
CONF_PATH = SSSDCONFDIR + "/sssd.conf"
|
|
||||||
DB_PATH = "dbpath"
|
|
@ -1,13 +0,0 @@
|
|||||||
diff --git a/Makefile.am b/Makefile.am
|
|
||||||
index 9539b3c..8e76a03 100644
|
|
||||||
--- a/Makefile.am
|
|
||||||
+++ b/Makefile.am
|
|
||||||
@@ -975,6 +975,7 @@ libsss_cert_la_LIBADD = \
|
|
||||||
$(TALLOC_LIBS) \
|
|
||||||
$(TEVENT_LIBS) \
|
|
||||||
libsss_crypt.la \
|
|
||||||
+ libsss_child.la \
|
|
||||||
libsss_debug.la \
|
|
||||||
libsss_certmap.la \
|
|
||||||
$(NULL)
|
|
||||||
|
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:fe5b1fcc5b4359631f7edf25f8940f3155de68e2f4ac7bfeb634687ccabc570c
|
|
||||||
size 6174144
|
|
@ -1,6 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iEYEABECAAYFAlsa2S0ACgkQHsardTLnvCVhKwCgpCRZBHkAyqnRDaPwegBLv4Sh
|
|
||||||
fYQAoK05cAcmiKBdZWtsLRRZgUOS8X/8
|
|
||||||
=U4k5
|
|
||||||
-----END PGP SIGNATURE-----
|
|
3
sssd-1.16.3.tar.gz
Normal file
3
sssd-1.16.3.tar.gz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:ee5d17a0c663c09819cbab9364085b9e57faeca02406cc30efe14cc0cfc04ec4
|
||||||
|
size 6217114
|
10
sssd-1.16.3.tar.gz.asc
Normal file
10
sssd-1.16.3.tar.gz.asc
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQEcBAABAgAGBQJbcDdwAAoJEHDBRgYiUL36CW0H/2gGY35HxXQNiufErxIMT3/9
|
||||||
|
8Uq5EqTOYUlmScijvT3J1AXPg5Sw/KP65cBSOaZYNyzzBcr8GwaM19y3/WInFA5z
|
||||||
|
tWTHfAmVusIvLijmWmfw9qGY6X8386S2g+wbTn7WsMYb0Spt8K2l+OgQDIq7sIx5
|
||||||
|
iSPfICt/HgESBkC0YEsaVq5S4kQLS6w3pJEclkwoj22jl831FHlVmQ8K2G369/Iz
|
||||||
|
YycSYK7qXWvs8YSzsihA3zvjGT9v2vZQWamE5gkHlXZEPkJYIR3ant7Ziux4zIrA
|
||||||
|
n/fuIWZCWu/gR4jtg3vmrcRVLnOo1ukqdrDmE4v/CiJrvS/H4McCZUhiUaXQ9Us=
|
||||||
|
=Fx4X
|
||||||
|
-----END PGP SIGNATURE-----
|
66
sssd.changes
66
sssd.changes
@ -1,3 +1,69 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Aug 31 07:14:39 UTC 2018 - kbabioch@suse.com
|
||||||
|
|
||||||
|
- Update to upstream release 1.16.3
|
||||||
|
|
||||||
|
New Features
|
||||||
|
|
||||||
|
- The kdcinfo files that SSSD uses to inform libkrb5 about which KDCs were
|
||||||
|
discovered for a Kerberos realm used to be only generated for the joined
|
||||||
|
domain, not the trusted domains. Starting with this release, the kdcinfo files
|
||||||
|
are generated automatically also for trusted domains in setups that use
|
||||||
|
id_provider=ad and IPA masters in a trust relationship with an AD domain.
|
||||||
|
|
||||||
|
- The SSSD Kerberos locator plugin which processes the kdcinfo files and
|
||||||
|
actually tells libkrb5 about the available KDCs can now process multiple
|
||||||
|
address if SSSD generates more than one. At the moment, this feature is only
|
||||||
|
used on IPA clients (see below). Please see the sssd_krb5_locator_plugin(8)
|
||||||
|
manual page for more information about the Kerberos locator plugin.
|
||||||
|
|
||||||
|
- On IPA clients, the AD DCs or the AD site which should be used to
|
||||||
|
authenticate users can now be listed in a subdomain section. Please see the
|
||||||
|
feature design page or the section “trusted domains configuration” for more
|
||||||
|
details.
|
||||||
|
|
||||||
|
Notable bug fixes
|
||||||
|
|
||||||
|
- The permissions on /var/lib/sss/pipes/sudo were set so that anyone could read
|
||||||
|
anyone else’s sudo rules. This was considered an information leak and
|
||||||
|
assigned CVE-2018-10852 (bsc#1098377)
|
||||||
|
- The 1.16.2 release was storing the cached passwords without a salt prefix
|
||||||
|
string. This bug was fixed in this release, but any password hashes generated
|
||||||
|
by 1.16.2 are incompatible with the hashes generated by 1.16.3. The effect is
|
||||||
|
that upgrade from 1.16.2 to 1.16.3 should be done when the authentication
|
||||||
|
server is reachable so that the first authentication after the upgrade fix the
|
||||||
|
cached password.
|
||||||
|
- The sss_ssh proces leaked file descriptors when converting more than one x509
|
||||||
|
certificate to SSH public key
|
||||||
|
- SSSD, when configured with id_provider=ad was using too expensive LDAP search
|
||||||
|
to find out whether the required POSIX attributes were replicated to the
|
||||||
|
Global Catalog. Instead, SSSD now consults the Partial Attribute Set, which
|
||||||
|
is much more effective
|
||||||
|
- The PAC responder is now able to process Domain Local in case the PAC uses
|
||||||
|
SID compression. Typicaly this is the case with Windows Server 2012 and newer
|
||||||
|
- Some versions of OpenSSH would close the pipe towards sss_ssh_authorizedkeys
|
||||||
|
when the matching key is found before the rest of the output is read. The
|
||||||
|
sss_ssh_authorizedkeys helper was not handling this behaviour well and would
|
||||||
|
exit with SIGPIPE, which also meant the public key authentication failed
|
||||||
|
- User lookups no longer fail if user’s e-mail address conflicts with another
|
||||||
|
user’s fully qualified name
|
||||||
|
- The override_shell and override_homedir options are no longer applied to
|
||||||
|
entries from the files domain.
|
||||||
|
- Several bugs related to the FleetCommander integration were fixed
|
||||||
|
- The grace logins with an expired password when authenticating against certain
|
||||||
|
newer versions of the 389DS/RHDS LDAP server did not work
|
||||||
|
- Whitespace around netgroup triple separator is now stripped
|
||||||
|
- The sss_ssh_knownhostproxy utility can now print the host key without
|
||||||
|
proxying the connection.
|
||||||
|
- Due to an overly restrictive check, the fast in-memory cache was sometimes
|
||||||
|
skipped, which caused a high load on the sssd_nss process
|
||||||
|
|
||||||
|
Removed patches that are included upstream now:
|
||||||
|
|
||||||
|
- 0001-SUDO-Create-the-socket-with-stricter-permissions.patch
|
||||||
|
- 0002-intg-Do-not-hardcode-nsslibdir.patch
|
||||||
|
- 0003-Fix-build-for-1-16-2-version.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Sun Jul 1 12:44:00 UTC 2018 - ckowalczyk@suse.com
|
Sun Jul 1 12:44:00 UTC 2018 - ckowalczyk@suse.com
|
||||||
|
|
||||||
|
@ -17,7 +17,7 @@
|
|||||||
|
|
||||||
|
|
||||||
Name: sssd
|
Name: sssd
|
||||||
Version: 1.16.2
|
Version: 1.16.3
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: System Security Services Daemon
|
Summary: System Security Services Daemon
|
||||||
License: GPL-3.0+ and LGPL-3.0+
|
License: GPL-3.0+ and LGPL-3.0+
|
||||||
@ -31,9 +31,6 @@ Source3: baselibs.conf
|
|||||||
Source4: sssd.service
|
Source4: sssd.service
|
||||||
Source5: %name.keyring
|
Source5: %name.keyring
|
||||||
BuildRoot: %_tmppath/%name-%version-build
|
BuildRoot: %_tmppath/%name-%version-build
|
||||||
Patch1: 0001-SUDO-Create-the-socket-with-stricter-permissions.patch
|
|
||||||
Patch2: 0002-intg-Do-not-hardcode-nsslibdir.patch
|
|
||||||
Patch3: 0003-Fix-build-for-1-16-2-version.patch
|
|
||||||
|
|
||||||
%define servicename sssd
|
%define servicename sssd
|
||||||
%define sssdstatedir %_localstatedir/lib/sss
|
%define sssdstatedir %_localstatedir/lib/sss
|
||||||
@ -367,9 +364,6 @@ Security Services Daemon (sssd).
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
%patch1 -p1
|
|
||||||
%patch2 -p1
|
|
||||||
%patch3 -p1
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%if 0%{?suse_version} < 1210
|
%if 0%{?suse_version} < 1210
|
||||||
|
Loading…
Reference in New Issue
Block a user