Accepting request 620031 from network:ldap
OBS-URL: https://build.opensuse.org/request/show/620031 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=89
commit
7a3c999c8b
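--- a/0001-SUDO-Create-the-socket-with-stricter-permissions.patch
+++ b/0001-SUDO-Create-the-socket-with-stricter-permissions.patch
@@ -0,0 +1,45 @@
+From 06193adc0de042484f672cadd0808c78c5ebb70e Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Fri, 15 Jun 2018 22:29:34 +0200
+Subject: [PATCH] SUDO: Create the socket with stricter permissions
+
+This patch switches the sudo responder from being created as a public
+responder where the permissions are open and not checked by the sssd
+deaamon to a private socket. In this case, sssd creates the pipes with
+strict permissions (see the umask in the call to create_pipe_fd() in
+set_unix_socket()) and additionaly checks the permissions with every read
+via the tevent integrations (see accept_fd_handler()).
+---
+src/responder/sudo/sudosrv.c | 3 ++-
+src/sysv/systemd/sssd-sudo.socket.in | 1 +
+2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
+index ac4258710d3a9b48285522abd23bdd59ba42ad4e..e87a24499c2d82fafaa8e1f9b386e44332394266 100644
+--- a/src/responder/sudo/sudosrv.c
++++ b/src/responder/sudo/sudosrv.c
+@@ -79,7 +79,8 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
+sudo_cmds = get_sudo_cmds();
+ret = sss_process_init(mem_ctx, ev, cdb,
+sudo_cmds,
+- SSS_SUDO_SOCKET_NAME, -1, NULL, -1,
++ NULL, -1, /* No public socket */
++ SSS_SUDO_SOCKET_NAME, -1, /* Private socket only */
+CONFDB_SUDO_CONF_ENTRY,
+SSS_SUDO_SBUS_SERVICE_NAME,
+SSS_SUDO_SBUS_SERVICE_VERSION,
+diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in
+index c9abb875f0accbaf58d78846020fef74c7473528..96a8b0327ddb4d331c9b2e97ece3453f8f76872d 100644
+--- a/src/sysv/systemd/sssd-sudo.socket.in
++++ b/src/sysv/systemd/sssd-sudo.socket.in
+@@ -11,6 +11,7 @@ ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r sudo
+ListenStream=@pipepath@/sudo
+SocketUser=@SSSD_USER@
+SocketGroup=@SSSD_USER@
++SocketMode=0600
+
+[Install]
+WantedBy=sssd.service
+--
+2.14.3
+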
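--- a/0002-intg-Do-not-hardcode-nsslibdir.patch
+++ b/0002-intg-Do-not-hardcode-nsslibdir.patch
@@ -0,0 +1,44 @@
+From b34fcff0f8bccd7b827686b50c53f45b7e20bb44 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
+Date: Tue, 12 Jun 2018 19:07:52 +0200
+Subject: [PATCH] intg: Do not hardcode nsslibdir
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This change is needed in order to have make intgcheck-run properly
+running on opensuse systems.
+
+Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
+Reviewed-by: Chris Kowalczyk <ckowalczyk@suse.com>
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+---
+src/tests/intg/Makefile.am | 1 +
+src/tests/intg/config.py.m4 | 2 +-
+2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
+index 9c5338261..4bd427669 100644
+--- a/src/tests/intg/Makefile.am
++++ b/src/tests/intg/Makefile.am
+@@ -73,6 +73,7 @@ cwrap-dbus-system.conf: data/cwrap-dbus-system.conf.in Makefile
+config.py: config.py.m4
+m4 -D "prefix=\`$(prefix)'" \
+-D "sysconfdir=\`$(sysconfdir)'" \
++ -D "nsslibdir=\`$(nsslibdir)'" \
+-D "dbpath=\`$(dbpath)'" \
+-D "pidpath=\`$(pidpath)'" \
+-D "logpath=\`$(logpath)'" \
+diff --git a/src/tests/intg/config.py.m4 b/src/tests/intg/config.py.m4
+index 6e011b692..04f78d869 100644
+--- a/src/tests/intg/config.py.m4
++++ b/src/tests/intg/config.py.m4
+@@ -4,7 +4,7 @@ Build configuration variables.
+
+PREFIX = "prefix"
+SYSCONFDIR = "sysconfdir"
+-NSS_MODULE_DIR = PREFIX + "/lib"
++NSS_MODULE_DIR = "nsslibdir"
+SSSDCONFDIR = SYSCONFDIR + "/sssd"
+CONF_PATH = SSSDCONFDIR + "/sssd.conf"
+DB_PATH = "dbpath"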
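Review bot: The Makefile.am hunk passes `-D "nsslibdir=\`$(nsslibdir)'"` to m4 and config.py.m4 now sets `NSS_MODULE_DIR = "nsslibdir"` from it, but nothing in this patch defines the `nsslibdir` make variable; if the build system does not export it, m4 substitutes an empty string and NSS_MODULE_DIR silently becomes "" where it used to be PREFIX + "/lib". Presumably configure provides it on the systems this targets — worth confirming in the spec review rather than discovering it as an unexplained intgcheck failure. A one-line guard in config.py.m4 after the assignment, `assert NSS_MODULE_DIR, "nsslibdir was not substituted at build time"`, would make the failure mode explicit.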
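--- a/0003-Fix-build-for-1-16-2-version.patch
+++ b/0003-Fix-build-for-1-16-2-version.patch
@@ -0,0 +1,13 @@
+diff --git a/Makefile.am b/Makefile.am
+index 9539b3c..8e76a03 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -975,6 +975,7 @@ libsss_cert_la_LIBADD = \
+$(TALLOC_LIBS) \
+$(TEVENT_LIBS) \
+libsss_crypt.la \
++ libsss_child.la \
+libsss_debug.la \
+libsss_certmap.la \
+$(NULL)
+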
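Review bot: The new patch file has no header at all — no From:, Date:, Subject: or description — so nothing records why libsss_child.la now has to be in libsss_cert_la_LIBADD, nor whether this is an upstream commit or a SUSE-only fix; sssd.changes only says it fixes the 1.16.2 build. A short header above the `diff --git` line naming the link error it resolves and the upstream commit id if there is one (placeholder: `From <upstream-commit-id>`) would let the next version bump drop or refresh the patch safely. The `libsss_cert_la_LIBADD = \` assignment starts before the hunk, as the hunk header shows.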
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:2dbf677851afdefcdf57eccaf25d59eb682a2994ad2a2dbf419003930a0b506e
|
|
||||||
size 5992778
|
|
@ -1,6 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iEYEABECAAYFAlqidCAACgkQHsardTLnvCUWWQCg5lP0BwQTXT9KWCE/JWZJdXoZ
|
|
||||||
zJoAn2ekRH33J6/IH+6OpD/UozWH+50y
|
|
||||||
=Lfb4
|
|
||||||
-----END PGP SIGNATURE-----
|
|
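--- a/sssd-1.16.2.tar.gz
+++ b/sssd-1.16.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fe5b1fcc5b4359631f7edf25f8940f3155de68e2f4ac7bfeb634687ccabc570c
+size 6174144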
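--- a/sssd-1.16.2.tar.gz.asc
+++ b/sssd-1.16.2.tar.gz.asc
@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iEYEABECAAYFAlsa2S0ACgkQHsardTLnvCVhKwCgpCRZBHkAyqnRDaPwegBLv4Sh
+fYQAoK05cAcmiKBdZWtsLRRZgUOS8X/8
+=U4k5
+-----END PGP SIGNATURE-----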
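--- a/sssd.changes
+++ b/sssd.changes
@@ -1,3 +1,72 @@
+-------------------------------------------------------------------
+Sun Jul 1 12:44:00 UTC 2018 - ckowalczyk@suse.com
+
+- Fixed patch name.
+
+-------------------------------------------------------------------
+Wed Jun 20 10:46:34 UTC 2018 - ckowalczyk@suse.com
+
+- Introduce patches:
+* Create sockets with right permissions:
+0001-SUDO-Create-the-socket-with-stricter-permissions.patch
+(bsc#1098377, CVE-2018-10852)
+* Fix for sssd upstream integration tests
+0002-intg-Do-not-hardcode-nsslibdir.patch
+(bsc#1098163)
+
+-------------------------------------------------------------------
+Wed Jun 20 08:38:53 UTC 2018 - varkoly@suse.com
+
+- Update to new minor upstream release 1.16.2
+New Features:
+* The smart card authentication, or in more general certificate
+authentication code now supports OpenSSL in addition to previously
+supported NSS (#3489). In addition, the SSH responder can now
+return public SSH keys derived from the public keys stored in a
+X.509 certificate. Please refer to the ssh_use_certificate_keys
+option in the man pages.
+* The files provider now supports mirroring multiple passwd or
+group files. This enhancement can be used to use the SSSD files
+provider instead of the nss_altfiles module
+Bugfixes:
+* A memory handling issue in the nss_ex interface was fixed. This
+bug would manifest in IPA environments with a trusted AD domain
+as a crash of the ns-slapd process, because a ns-slapd plugin
+loads the nss_ex interface (#3715)
+* Several fixes for the KCM deamon were merged (see #3687, #3671, #3633)
+* The ad_site override is now honored in GPO code as well (#3646)
+* Several potential crashes in the NSS responder’s netgroup code
+were fixed (#3679, #3731)
+* A potential crash in the autofs responder’s code was fixed (#3752)
+* The LDAP provider now supports group renaming (#2653)
+* The GPO access control code no longer returns an error if one
+of the relevant GPO rules contained no SIDs at all (#3680)
+* A memory leak in the IPA provider related to resolving external
+AD groups was fixed (#3719)
+* Setups that used multiple domains where one of the domains had
+its ID space limited using the min_id/max_id options did not
+resolve requests by ID properly (#3728)
+* Overriding IDs or names did not work correctly when the domain
+resolution order was set as well (#3595)
+* A version mismatch between certain newer Samba versions (e.g.
+those shipped in RHEL-7.5) and the Winbind interface provided
+by SSSD was fixed. To further prevent issues like this in the
+future, the correct interface is now detected at build time (#3741)
+* The files provider no longer returns a qualified name in case
+domain resolution order is used (#3743)
+* A race condition between evaluating IPA group memberships and
+AD group memberships in setups with IPA-AD trusts that would
+have manifested as randomly losing IPA group memberships assigned
+to an AD user was fixed (#3744)
+* Setting an SELinux login label was broken in setups where the
+domain resolution order was used (#3740)
+* SSSD start up issue on systems that use the libldb library
+with version 1.4.0 or newer was fixed.
+Introduce a patch:
+* Fix build of sssd of 1.16.2 version:
+0003-Fix-build-for-1-16-2-version.patch
+(back then called fix-build.patch)
+
 -------------------------------------------------------------------
 Fri Apr 27 14:43:58 UTC 2018 - ckowalczyk@suse.com
 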
17
sssd.spec
@ -17,7 +17,7 @@
|
|||||||
|
|
||||||
|
|
||||||
Name: sssd
|
Name: sssd
|
||||||
Version: 1.16.1
|
Version: 1.16.2
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: System Security Services Daemon
|
Summary: System Security Services Daemon
|
||||||
License: GPL-3.0+ and LGPL-3.0+
|
License: GPL-3.0+ and LGPL-3.0+
|
||||||
@ -31,6 +31,9 @@ Source3: baselibs.conf
|
|||||||
Source4: sssd.service
|
Source4: sssd.service
|
||||||
Source5: %name.keyring
|
Source5: %name.keyring
|
||||||
BuildRoot: %_tmppath/%name-%version-build
|
BuildRoot: %_tmppath/%name-%version-build
|
||||||
|
Patch1: 0001-SUDO-Create-the-socket-with-stricter-permissions.patch
|
||||||
|
Patch2: 0002-intg-Do-not-hardcode-nsslibdir.patch
|
||||||
|
Patch3: 0003-Fix-build-for-1-16-2-version.patch
|
||||||
|
|
||||||
%define servicename sssd
|
%define servicename sssd
|
||||||
%define sssdstatedir %_localstatedir/lib/sss
|
%define sssdstatedir %_localstatedir/lib/sss
|
||||||
@ -80,6 +83,7 @@ BuildRequires: pkgconfig(talloc)
|
|||||||
BuildRequires: pkgconfig(tdb) >= 1.1.3
|
BuildRequires: pkgconfig(tdb) >= 1.1.3
|
||||||
BuildRequires: pkgconfig(tevent)
|
BuildRequires: pkgconfig(tevent)
|
||||||
BuildRequires: pkgconfig(ndr_krb5pac)
|
BuildRequires: pkgconfig(ndr_krb5pac)
|
||||||
|
BuildRequires: p11-kit-devel
|
||||||
%{?systemd_requires}
|
%{?systemd_requires}
|
||||||
Requires: sssd-ldap = %version-%release
|
Requires: sssd-ldap = %version-%release
|
||||||
Requires(postun): pam-config
|
Requires(postun): pam-config
|
||||||
@ -363,6 +367,9 @@ Security Services Daemon (sssd).
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
|
%patch1 -p1
|
||||||
|
%patch2 -p1
|
||||||
|
%patch3 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%if 0%{?suse_version} < 1210
|
%if 0%{?suse_version} < 1210
|
||||||
@ -424,6 +431,8 @@ EOF
|
|||||||
find "$b" -type f -name "*.la" -delete
|
find "$b" -type f -name "*.la" -delete
|
||||||
|
|
||||||
rm -Rf "$b/%_sysconfdir/dbus-1" "$b/%_datadir/dbus-1"
|
rm -Rf "$b/%_sysconfdir/dbus-1" "$b/%_datadir/dbus-1"
|
||||||
|
rm -rf "$b/usr/lib/debug/usr/lib/sssd/p11_child-1.16.2-0.x86_64.debug"
|
||||||
|
|
||||||
|
|
||||||
%find_lang %name --all-name
|
%find_lang %name --all-name
|
||||||
|
|
||||||
@ -476,17 +485,17 @@ rm -f /var/lib/sss/db/*.ldb
|
|||||||
%_mandir/??/man1/sss_ssh_*
|
%_mandir/??/man1/sss_ssh_*
|
||||||
%_mandir/??/man5/sssd-simple.5*
|
%_mandir/??/man5/sssd-simple.5*
|
||||||
%_mandir/??/man5/sssd-sudo.5*
|
%_mandir/??/man5/sssd-sudo.5*
|
||||||
#%_mandir/??/man5/sssd.conf.5*
|
|
||||||
%_mandir/??/man8/sssd.8*
|
%_mandir/??/man8/sssd.8*
|
||||||
%_mandir/??/man5/sss-certmap.5.gz
|
%_mandir/??/man5/sss-certmap.5.gz
|
||||||
%_mandir/??/man5/sssd-ad.5.gz
|
%_mandir/??/man5/sssd-ad.5.gz
|
||||||
%_mandir/??/man5/sssd-files.5.gz
|
|
||||||
%_mandir/??/man5/sssd-secrets.5.gz
|
%_mandir/??/man5/sssd-secrets.5.gz
|
||||||
%_mandir/??/man5/sssd.conf.5.gz
|
%_mandir/??/man5/sssd.conf.5.gz
|
||||||
%_mandir/??/man8/idmap_sss.8.gz
|
%_mandir/??/man8/idmap_sss.8.gz
|
||||||
%_mandir/??/man8/sssctl.8.gz
|
%_mandir/??/man8/sssctl.8.gz
|
||||||
%_mandir/??/man8/sssd-kcm.8.gz
|
%_mandir/??/man8/sssd-kcm.8.gz
|
||||||
%_mandir/??/man5/sssd-simple.5*
|
%_mandir/??/man5/sssd-simple.5*
|
||||||
|
%_mandir/??/man5/sssd-session-recording.5.gz
|
||||||
|
%_mandir/??/man5/sssd-systemtap.5.gz
|
||||||
%_mandir/man1/sss_ssh_*
|
%_mandir/man1/sss_ssh_*
|
||||||
%_mandir/man8/sssctl.8*
|
%_mandir/man8/sssctl.8*
|
||||||
%_mandir/man5/sssd-files.5*
|
%_mandir/man5/sssd-files.5*
|
||||||
@ -512,6 +521,7 @@ rm -f /var/lib/sss/db/*.ldb
|
|||||||
%dir %_libdir/ldb/
|
%dir %_libdir/ldb/
|
||||||
%_libdir/ldb/memberof.so
|
%_libdir/ldb/memberof.so
|
||||||
%dir %_libexecdir/%name/
|
%dir %_libexecdir/%name/
|
||||||
|
%_libexecdir/%name/p11_child
|
||||||
%_libexecdir/%name/sssd_autofs
|
%_libexecdir/%name/sssd_autofs
|
||||||
%_libexecdir/%name/sssd_be
|
%_libexecdir/%name/sssd_be
|
||||||
%_libexecdir/%name/sssd_nss
|
%_libexecdir/%name/sssd_nss
|
||||||
@ -538,6 +548,7 @@ rm -f /var/lib/sss/db/*.ldb
|
|||||||
%dir %_datadir/%name/sssd.api.d/
|
%dir %_datadir/%name/sssd.api.d/
|
||||||
%_datadir/%name/sssd.api.d/sssd-local.conf
|
%_datadir/%name/sssd.api.d/sssd-local.conf
|
||||||
%_datadir/%name/sssd.api.d/sssd-simple.conf
|
%_datadir/%name/sssd.api.d/sssd-simple.conf
|
||||||
|
%_datadir/%name/sssd.api.d/sssd-files.conf
|
||||||
#
|
#
|
||||||
# sssd-client
|
# sssd-client
|
||||||
#
|
#
|
||||||
|
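Review bot: The `rm -rf "$b/usr/lib/debug/usr/lib/sssd/p11_child-1.16.2-0.x86_64.debug"` added to the install section hardcodes the version, release and architecture, so on any other architecture or after the next version bump it matches nothing and the split debug file it was meant to drop is packaged again — silently, because rm -rf tolerates a missing path. Spell it with the macros the spec already uses elsewhere, e.g. `rm -rf "$b/usr/lib/debug%_libexecdir/%name/p11_child-%version-%release.%_arch.debug"`, and put a one-line comment above it saying why that debug file must be removed, since nothing in the spec or sssd.changes explains it. Presumably it avoids a conflict with the debuginfo subpackage — worth stating if so.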