sssd 2.10.1

0001-Configuration-make-sure-etc-sssd-and-everything.patch

@@ -1,76 +0,0 @@
-From 8db2df4fcbd09badafbc207bd4150b5f1cc2d5fb Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Thu, 24 Oct 2024 15:34:26 +0200
-Subject: [PATCH] Configuration: make sure /etc/sssd and everything
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-beneath is owned by 'sssd' group and readable by group.
-
-This should allow for reasonable rw-r----- root:sssd
-
-At some points those chown/chmod can be removed.
-
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-(cherry picked from commit 518db322fdd5a4de41813fbe5bc35fc20392ce67)
----
- contrib/sssd.spec.in                 | 4 ++--
- src/sysv/systemd/sssd-kcm.service.in | 5 ++---
- src/sysv/systemd/sssd.service.in     | 6 ++----
- 3 files changed, 6 insertions(+), 9 deletions(-)
-
-diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
-index 4fbacb959..83de563f3 100644
---- a/contrib/sssd.spec.in
-+++ b/contrib/sssd.spec.in
-@@ -1136,9 +1136,9 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d /run/sssd -s /sbin/nologi
- %__rm -f %{mcpath}/group
- %__rm -f %{mcpath}/initgroups
- %__rm -f %{mcpath}/sid
-+%__chown -f -R root:%{sssd_user} %{_sysconfdir}/sssd || true
-+%__chmod -f -R g+r %{_sysconfdir}/sssd || true
- %__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true
--%__chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true
--%__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true
- %__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
- %__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true
- %__chown -f %{sssd_user}:%{sssd_user} %{gpocachepath}/* || true
-diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
-index 0c839ec5c..ba9e27cd9 100644
---- a/src/sysv/systemd/sssd-kcm.service.in
-+++ b/src/sysv/systemd/sssd-kcm.service.in
-@@ -9,9 +9,8 @@ Also=sssd-kcm.socket
- 
- [Service]
- Environment=DEBUG_LOGGER=--logger=files
--ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
--ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
--ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
-+ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
-+ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
- ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb"
- ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log
- ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER}
-diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
-index 37e0a63f8..a6f79ff8a 100644
---- a/src/sysv/systemd/sssd.service.in
-+++ b/src/sysv/systemd/sssd.service.in
-@@ -10,10 +10,8 @@ StartLimitBurst=5
- [Service]
- Environment=DEBUG_LOGGER=--logger=files
- EnvironmentFile=-@environment_file@
--ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
--ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
--ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
--ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/pki
-+ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
-+ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
- ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @dbpath@/*.ldb"
- ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @gpocachepath@/*"
- ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/*.log"
--- 
-2.47.0
-

0001-INI-relax-config-files-checks.patch

@@ -1,135 +0,0 @@
-From 340671f16abb9c26ae97b11c4e2845337e67973e Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Wed, 23 Oct 2024 20:59:32 +0200
-Subject: [PATCH] INI: relax config files checks
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Only make sure:
- - user is root or sssd
- - group is root or sssd
- - other can't access it
-
-Don't make any assumptions wrt user/group read/write-ability.
-
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
-(cherry picked from commit 8472777ec472607ea450ddb4c4666017bd0de704)
----
- src/man/sssd.conf.5.xml |  5 ++-
- src/util/sss_ini.c      | 68 +++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 70 insertions(+), 3 deletions(-)
-
-diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
-index a074cc674..bf10acb2a 100644
---- a/src/man/sssd.conf.5.xml
-+++ b/src/man/sssd.conf.5.xml
-@@ -57,9 +57,8 @@
-             readable, and writeable only by 'root'.
-         </para>
-         <para condition="with_non_root_user_support">
--            <filename>sssd.conf</filename> must be a regular file that is owned,
--            readable, and writeable by the same user as configured to run SSSD
--            service.
-+            <filename>sssd.conf</filename> must be a regular file that is
-+            accessible only by the user used to run SSSD service or root.
-         </para>
-     </refsect1>
- 
-diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
-index e989d8caf..74cf61e0e 100644
---- a/src/util/sss_ini.c
-+++ b/src/util/sss_ini.c
-@@ -26,6 +26,7 @@
- #include <unistd.h>
- #include <string.h>
- #include <errno.h>
-+#include <sys/stat.h>
- #include <talloc.h>
- 
- #include "config.h"
-@@ -781,6 +782,71 @@ int sss_ini_open(struct sss_ini *self,
-     return ret;
- }
- 
-+static int access_check_file(const char *filename)
-+{
-+    int ret;
-+    struct stat st;
-+    uid_t uid;
-+    gid_t gid;
-+
-+    sss_sssd_user_uid_and_gid(&uid, &gid);
-+
-+    ret = stat(filename, &st);
-+    if (ret != 0) {
-+        ret = errno;
-+        DEBUG(SSSDBG_CRIT_FAILURE, "stat(%s) failed: %s\n",
-+              filename, strerror(ret));
-+        return EINVAL;
-+    }
-+
-+    if ((st.st_uid != 0) && (st.st_uid != uid)) {
-+        DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected user owner of '%s': %"SPRIuid"\n",
-+              filename, st.st_uid);
-+        return ERR_INI_INVALID_PERMISSION;
-+    }
-+
-+    if ((st.st_gid != 0) && (st.st_gid != gid)) {
-+        DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected group owner of '%s': %"SPRIgid"\n",
-+              filename, st.st_gid);
-+        return ERR_INI_INVALID_PERMISSION;
-+    }
-+
-+    if ((st.st_mode & (S_IROTH|S_IWOTH|S_IXOTH)) != 0) {
-+        DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected access to '%s' by other users\n",
-+              filename);
-+        return ERR_INI_INVALID_PERMISSION;
-+    }
-+
-+    return EOK;
-+}
-+
-+static int access_check_ini(struct sss_ini *self)
-+{
-+    int ret;
-+    const char *path;
-+    uint32_t i;
-+    const char **snippet;
-+    struct ref_array *used_snippets;
-+
-+    if (self->main_config_exists) {
-+        path = ini_config_get_filename(self->file);
-+        ret = access_check_file(path);
-+        if (ret != EOK) {
-+            return ret;
-+        }
-+    }
-+
-+    used_snippets = sss_ini_get_ra_success_list(self);
-+    for (i = 0; (snippet = ref_array_get(used_snippets, i, NULL)) != NULL; ++i) {
-+        ret = access_check_file(*snippet);
-+        if (ret != EOK) {
-+            return ret;
-+        }
-+    }
-+
-+    return EOK;
-+}
-+
- int sss_ini_read_sssd_conf(struct sss_ini *self,
-                            const char *config_file,
-                            const char *config_dir)
-@@ -833,5 +899,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
-         return ERR_INI_EMPTY_CONFIG;
-     }
- 
-+    ret = access_check_ini(self);
-+
-     return ret;
- }
--- 
-2.47.0
-

0001-INI-stop-using-libini_config-for-access-check.patch

@@ -1,182 +0,0 @@
-From 1d19b8ad9415e0a12ed3aaf039d4d0956ef4dbad Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Wed, 23 Oct 2024 19:53:09 +0200
-Subject: [PATCH] INI: stop using 'libini_config' for access check
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
-Reviewed-by: Sumit Bose <sbose@redhat.com>
----
- src/util/sss_ini.c |  100 +----------------------------------------------------
- src/util/sss_ini.h |   12 ------
- 2 files changed, 3 insertions(+), 109 deletions(-)
-
-Index: sssd-2.10.0/src/util/sss_ini.c
-===================================================================
---- sssd-2.10.0.orig/src/util/sss_ini.c
-+++ sssd-2.10.0/src/util/sss_ini.c
-@@ -147,81 +147,6 @@ static int sss_ini_config_file_from_mem(
-                                    &self->file);
- }
- 
--/* Check configuration file permissions */
--
--static bool is_running_sssd(void)
--{
--    static char exe[1024];
--    int ret;
--    const char *s = NULL;
--
--    ret = readlink("/proc/self/exe", exe, sizeof(exe) - 1);
--    if ((ret > 0) && (ret < 1024)) {
--        exe[ret] = 0;
--        s = strstr(exe, debug_prg_name);
--        if ((s != NULL) && (strlen(s) == strlen(debug_prg_name))) {
--            return true;
--        }
--    }
--
--    return false;
--}
--
--static int sss_ini_access_check(struct sss_ini *self)
--{
--    int ret;
--    uint32_t flags = INI_ACCESS_CHECK_MODE;
--
--    if (!self->main_config_exists) {
--        return EOK;
--    }
--
--    if (is_running_sssd()) {
--        flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID;
--    }
--
--    ret = ini_config_access_check(self->file,
--                                  flags,
--                                  geteuid(),
--                                  getegid(),
--                                  S_IRUSR, /* r**------ */
--                                  ALLPERMS & ~(S_IWUSR|S_IXUSR));
--
--    return ret;
--}
--
--
--
--/* Get cstat */
--
--int sss_ini_get_stat(struct sss_ini *self)
--{
--    self->cstat = ini_config_get_stat(self->file);
--
--    if (!self->cstat) return EIO;
--
--    return EOK;
--}
--
--
--
--/* Get mtime */
--
--int sss_ini_get_mtime(struct sss_ini *self,
--                      size_t timestr_len,
--                      char *timestr)
--{
--    return snprintf(timestr, timestr_len, "%llu",
--                    (long long unsigned)self->cstat->st_mtime);
--}
--
--/* Get file_exists */
--
--bool sss_ini_exists(struct sss_ini *self)
--{
--    return self->main_config_exists;
--}
--
- /* Print ini_config errors */
- 
- static void sss_ini_config_print_errors(char **error_list)
-@@ -289,7 +214,6 @@ static int sss_ini_add_snippets(struct s
-     uint32_t i = 0;
-     char *msg = NULL;
-     struct ini_cfgobj *modified_sssd_config = NULL;
--    struct access_check snip_check;
- 
-     if (self == NULL || self->sssd_config == NULL || config_dir == NULL) {
-         return EINVAL;
-@@ -297,21 +221,11 @@ static int sss_ini_add_snippets(struct s
- 
-     sss_ini_free_ra_messages(self);
- 
--    snip_check.flags = INI_ACCESS_CHECK_MODE;
--
--    if (is_running_sssd()) {
--        snip_check.flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID;
--    }
--    snip_check.uid = geteuid();
--    snip_check.gid = getegid();
--    snip_check.mode = S_IRUSR; /* r**------ */
--    snip_check.mask = ALLPERMS & ~(S_IWUSR | S_IXUSR);
--
-     ret = ini_config_augment(self->sssd_config,
-                              config_dir,
-                              patterns,
-                              sections,
--                             &snip_check,
-+                             NULL,
-                              INI_STOP_ON_ANY,
-                              INI_MV1S_OVERWRITE,
-                              INI_PARSE_NOWRAP,
-@@ -894,15 +808,7 @@ int sss_ini_read_sssd_conf(struct sss_in
-         return ERR_INI_OPEN_FAILED;
-     }
- 
--    if (sss_ini_exists(self)) {
--        ret = sss_ini_access_check(self);
--        if (ret != EOK) {
--            DEBUG(SSSDBG_CRIT_FAILURE,
--                  "Permission check on config file %s failed: %d\n",
--                  config_file, ret);
--            return ERR_INI_INVALID_PERMISSION;
--        }
--    } else {
-+    if (!self->main_config_exists) {
-         DEBUG(SSSDBG_CONF_SETTINGS,
-               "File %s does not exist.\n", config_file);
-     }
-@@ -923,7 +829,7 @@ int sss_ini_read_sssd_conf(struct sss_in
-         return ERR_INI_ADD_SNIPPETS_FAILED;
-     }
- 
--    if (!sss_ini_exists(self) &&
-+    if ((!self->main_config_exists) &&
-         (ref_array_len(sss_ini_get_ra_success_list(self)) == 0)) {
-         return ERR_INI_EMPTY_CONFIG;
-     }
-Index: sssd-2.10.0/src/util/sss_ini.h
-===================================================================
---- sssd-2.10.0.orig/src/util/sss_ini.h
-+++ sssd-2.10.0/src/util/sss_ini.h
-@@ -81,18 +81,6 @@ int sss_ini_open(struct sss_ini *self,
-                  const char *fallback_cfg);
- 
- /**
-- * @brief Check whether sss_ini_open() reported that ini file is
-- *        not present
-- *
-- * @param[in] self  pointer to sss_ini structure
-- *
-- * @return
-- *   - true   we are using ini file
-- *   - false  file was not found
-- */
--bool sss_ini_exists(struct sss_ini *self);
--
--/**
-  * @brief get Cstat structure of the ini file
-  */
- int sss_ini_get_stat(struct sss_ini *self);

0001-sssd-always-print-path-when-config-object-is-rejecte.patch

@@ -1,75 +0,0 @@
-From 1a743a4123c104a10c694f7ee9d2f0a1e7182513 Mon Sep 17 00:00:00 2001
-From: Jan Engelhardt <jengelh@inai.de>
-Date: Wed, 16 Oct 2024 09:55:50 +0200
-Subject: [PATCH] sssd: always print path when config object is rejected
-References: https://github.com/SSSD/sssd/pull/7649
-
-Observed:
-
-```
-Oct 16 09:44:04 a4 sssd[28717]: [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
-Oct 16 09:44:04 a4 sssd[28717]: Can't read config: 'File ownership and permissions check failed'
-Oct 16 09:44:04 a4 sssd[28717]: Failed to read configuration: 'File ownership and permissions check failed'
-```
-
-Expected:
-
-_Well yes, but **which one**_!?
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
-(cherry picked from commit 2b7915dd84a6b8c3ee26e45357283677fe22f2cb)
----
- src/util/sss_ini.c | 14 ++++++++------
- 1 file changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
-index 7f9824d88..2a611eb8c 100644
---- a/src/util/sss_ini.c
-+++ b/src/util/sss_ini.c
-@@ -888,7 +888,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
-     ret = sss_ini_open(self, config_file, "[sssd]\n");
-     if (ret != EOK) {
-         DEBUG(SSSDBG_CRIT_FAILURE,
--              "The sss_ini_open failed %s: %d\n",
-+              "sss_ini_open on %s failed: %d\n",
-               config_file,
-               ret);
-         return ERR_INI_OPEN_FAILED;
-@@ -898,26 +898,28 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
-         ret = sss_ini_access_check(self);
-         if (ret != EOK) {
-             DEBUG(SSSDBG_CRIT_FAILURE,
--                  "Permission check on config file failed.\n");
-+                  "Permission check on config file %s failed: %d\n",
-+                  config_file, ret);
-             return ERR_INI_INVALID_PERMISSION;
-         }
-     } else {
-         DEBUG(SSSDBG_CONF_SETTINGS,
--              "File %1$s does not exist.\n",
--              (config_file ? config_file : "NULL"));
-+              "File %s does not exist.\n", config_file);
-     }
- 
-     ret = sss_ini_parse(self);
-     if (ret != EOK) {
-         sss_ini_config_print_errors(self->error_list);
--        DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration.\n");
-+        DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration file %s: %d\n",
-+              config_file, ret);
-         return ERR_INI_PARSE_FAILED;
-     }
- 
-     ret = sss_ini_add_snippets(self, config_dir);
-     if (ret != EOK) {
-         DEBUG(SSSDBG_FATAL_FAILURE,
--              "Error while reading configuration directory.\n");
-+              "Error while reading configuration directory %s: %d\n",
-+              config_dir, ret);
-         return ERR_INI_ADD_SNIPPETS_FAILED;
-     }
- 
--- 
-2.47.0
-

sssd-2.10.0.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmcOPUoACgkQ09IbKRDP
-Z1myuA//anDvdZcQp0EUia2NsiWt2MFE8esmsEIN6QmEYjUxvEeXI9q4YJQimMi8
-wdt0zqZE1PLrTcroWaeGcgt2+CJWUbVanZtNn3oo7lUVYrLKemrUzavM7dXTaA43
-cdKAFyEO+nHJQ2yBNUt6sRXc3tM0H27yZs0iL+CcYu6YshUTbMnZuwdpz7DqDTN8
-nbG+LWa+U0en5mI3waP8Ionwmdv9AJAuCHQZLlZDpM0+YfGumcIUJdbxU/I8pqP8
-MQaulPv3e+BNwdbUiLlk0cXRjuEfSd0bmMa3MqB4IqMvvjACU0GuSgK3FDhutZJe
-HfmzYSo/Zntmr7F/eYLz6zy/GU3VewEilOyRV08oz+EVJRbGyo2t4k6PUYbn+I4V
-kJ/maed5jnBzIZGf6o+P1r+3mavJg7k2LDV4s48MsZ4Y5ED4X0c+boT1L5FZbquW
-gp99Di0RG4VoWiYOfVfszLzeDWOLbOrKMyA6PTqlmjGYAdV9SBwZP5WEdwXyPovo
-D7uual7Eqdd+Y/lt+8O4Wd+Y+a9xI2kwVFo8KYmHc8PhgLpPIKTWbBTEI+0nw3fJ
-qqyyA7JWA81bt4WKVuJaeS87S/9F4yn8ps2dzSgHjZ2Tzr7Eu1a3RWLjKYsjKZrT
-PPd2d/02rQAZPwLYHN5qM3Xjh0DD7IiXav1QuIPxmUQA9z8ZiuA=
-=mJVY
------END PGP SIGNATURE-----

sssd-2.10.1.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmdYSb4ACgkQ09IbKRDP
+Z1kRyRAAmkKhCUcBs4h2mDg7uzz7DfYFkHXEiY8EMoVP5Iw6ZsNL/V9fwF9xhj49
+XbnCfxj2zFfVWZd5VYnTpl86Hg3NrxuPehgM+iMAXS6U/55TvRPunCtTiRwoTZ4t
+zSgiBaSg3I2hmSN2cnSU8PpilEDCIeSP3uafmGXI1KUxEQltVbp0EeJ5CL5GP3xU
+rFgI1pKdTySlw6jZ3vjkAaHwdsJGB0MKtjiBJYtqvHmIzbUdSNN/iE5Wf5xsdtez
+KKLUrnKeQFuNyYWpjipJvbs7i9+E5VKFvCfrqFb6vQbp+Rgd98epVjp2VKovNy8p
+gZQmgfbi5GCWKuBx+dbaRSFa8hWemEwnBNboV6JKq4+CoPsMkI367utZV5gd58V5
+RHgLsrZfjahAXgG4ytwPhgKDV+sX+sSn4aXIdaSgc+vP7+ykLMxyzyR2GXyG+y11
+WrnovdR0HywHfzvlUnKQmcLUjCkXKVwIMw0oBRa8+YLTD08EeYgu+oXXDpGD0oL1
+YJLLBdr6ycR9Rk/sUqbZgEnzQZPYXazIraUrd71Ry8CaNvqi86Of7sX6SgSQQeg/
+ZPLNcPWPadG/9jpMNJNsXXEZicNJXznQczlXKvRXINOJzknJYwwgH+/55otbzNzq
+EjlOmFEn07bGAHCsHTfydlCeYqD9x+WV/X8CReMFjcaaBH4TDms=
+=S0c5
+-----END PGP SIGNATURE-----

sssd.changes

@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Tue Dec 10 20:17:10 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to release 2.10.1
+  * SSSD does not create anymore missing path components of
+    DIR:/FILE: ccache types while acquiring user's TGT. The
+    parent directory of requested ccache directory must exist and
+    the user trying to log in must have rwx access to this
+    directory. This matches behavior of /usr/bin/kinit.
+  * The option default_domain_suffix is deprecated.
+- Delete 0001-Configuration-make-sure-etc-sssd-and-everything.patch,
+  0001-INI-relax-config-files-checks.patch,
+  0001-INI-stop-using-libini_config-for-access-check.patch,
+  0001-sssd-always-print-path-when-config-object-is-rejecte.patch
+  (merged)
+
 -------------------------------------------------------------------
 Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
 

sssd.spec

@@ -17,7 +17,7 @@
 
 
 Name:           sssd
-Version:        2.10.0
+Version:        2.10.1
 Release:        0
 Summary:        System Security Services Daemon
 License:        GPL-3.0-or-later AND LGPL-3.0-or-later
@@ -28,10 +28,6 @@ Source:         https://github.com/SSSD/sssd/releases/download/%version/%name-%v
 Source2:        https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc
 Source3:        baselibs.conf
 Source5:        %name.keyring
-Patch3:         0001-sssd-always-print-path-when-config-object-is-rejecte.patch
-Patch4:         0001-INI-stop-using-libini_config-for-access-check.patch
-Patch5:         0001-INI-relax-config-files-checks.patch
-Patch6:         0001-Configuration-make-sure-etc-sssd-and-everything.patch
 Patch11:        krb-noversion.diff
 Patch12:        harden_sssd-ifp.service.patch
 Patch13:        harden_sssd-kcm.service.patch
@@ -489,11 +485,11 @@ cat >"$b/etc/permissions.d/sssd" <<-EOF
 	%_libexecdir/sssd/sssd_pam root:sssd 0750
 	 +capabilities cap_dac_read_search=p
 	%_libexecdir/sssd/selinux_child root:sssd 0750
-	 +capabilities %child_capabilities
+	 +capabilities cap_setgid,cap_setuid=p
 	%_libexecdir/sssd/krb5_child root:sssd 0750
-	 +capabilities %child_capabilities
+	 +capabilities cap_dac_read_search,cap_setgid,cap_setuid=p
 	%_libexecdir/sssd/ldap_child root:sssd 0750
-	 +capabilities %child_capabilities
+	 +capabilities cap_dac_read_search=p
 EOF
 
 %check
@@ -691,7 +687,6 @@ fi
 %_libdir/%name/libsss_files*
 %endif
 %_libdir/%name/libsss_iface*
-%_libdir/%name/libsss_semanage*
 %_libdir/%name/libsss_sbus*
 %_libdir/%name/libsss_simple*
 %_libdir/%name/libsss_util*
@@ -710,7 +705,7 @@ fi
 %_libexecdir/%name/sss_signal
 %_libexecdir/%name/sssd_check_socket_activated_responders
 %if 0%{?suse_version} >= 1600
-%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/selinux_child
+%attr(750,root,%sssd_user) %caps(cap_setgid,cap_setuid=p) %_libexecdir/%name/selinux_child
 %endif
 %dir %sssdstatedir
 %attr(700,%sssd_user,%sssd_user) %dir %dbpath/
@@ -839,8 +834,8 @@ fi
 %dir %_libdir/%name/
 %_libdir/%name/libsss_krb5_common.so
 %dir %_libexecdir/%name/
-%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/krb5_child
-%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/ldap_child
+%attr(750,root,%sssd_user) %caps(cap_dac_read_search,cap_setgid,cap_setuid=p) %_libexecdir/%name/krb5_child
+%attr(750,root,%sssd_user) %caps(cap_dac_read_search=p) %_libexecdir/%name/ldap_child
 
 %files ldap
 %dir %_libdir/%name/

symvers.patch

@@ -12,14 +12,14 @@ libsss_ldap.so(-2.7.4) cannot find a libsss_util.so(-2.7.4), since
 the system only has libsss_util.so(-2.8.2) at this point.
 
 ---
- Makefile.am |   47 ++++++++++++++++++++++++++++++++---------------
- 1 file changed, 32 insertions(+), 15 deletions(-)
+ Makefile.am |   44 ++++++++++++++++++++++++++++++--------------
+ 1 file changed, 30 insertions(+), 14 deletions(-)
 
-Index: sssd-2.9.2/Makefile.am
+Index: sssd-2.10.1/Makefile.am
 ===================================================================
---- sssd-2.9.2.orig/Makefile.am
-+++ sssd-2.9.2/Makefile.am
-@@ -955,7 +955,11 @@ libsss_debug_la_SOURCES = \
+--- sssd-2.10.1.orig/Makefile.am
++++ sssd-2.10.1/Makefile.am
+@@ -971,7 +971,11 @@ libsss_debug_la_SOURCES = \
  libsss_debug_la_LIBADD = \
      $(SYSLOG_LIBS)
  libsss_debug_la_LDFLAGS = \
@@ -32,7 +32,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_child.la
  libsss_child_la_SOURCES = src/util/child_common.c
-@@ -965,7 +969,8 @@ libsss_child_la_LIBADD = \
+@@ -981,7 +985,8 @@ libsss_child_la_LIBADD = \
      $(DHASH_LIBS) \
      libsss_debug.la \
      $(NULL)
@@ -42,7 +42,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_crypt.la
  
-@@ -1004,7 +1009,8 @@ libsss_crypt_la_LIBADD = \
+@@ -1021,7 +1026,8 @@ libsss_crypt_la_LIBADD = \
      libsss_debug.la \
      $(NULL)
  libsss_crypt_la_LDFLAGS = \
@@ -52,7 +52,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_cert.la
  
-@@ -1029,8 +1035,9 @@ libsss_cert_la_LIBADD = \
+@@ -1046,8 +1052,9 @@ libsss_cert_la_LIBADD = \
      libsss_debug.la \
      $(NULL)
  libsss_cert_la_LDFLAGS = \
@@ -63,7 +63,7 @@ Index: sssd-2.9.2/Makefile.am
  
  generate-sbus-code:
  	$(builddir)/sbus_generate.sh $(abs_srcdir)
-@@ -1131,8 +1138,9 @@ libsss_sbus_la_CFLAGS = \
+@@ -1148,8 +1155,9 @@ libsss_sbus_la_CFLAGS = \
      $(DBUS_CFLAGS) \
      $(NULL)
  libsss_sbus_la_LDFLAGS = \
@@ -74,7 +74,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_sbus_sync.la
  libsss_sbus_sync_la_SOURCES = \
-@@ -1167,8 +1175,9 @@ libsss_sbus_sync_la_CFLAGS = \
+@@ -1184,8 +1192,9 @@ libsss_sbus_sync_la_CFLAGS = \
      $(UNICODE_LIBS) \
      $(NULL)
  libsss_sbus_sync_la_LDFLAGS = \
@@ -85,7 +85,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_iface.la
  libsss_iface_la_SOURCES = \
-@@ -1197,8 +1206,9 @@ libsss_iface_la_CFLAGS = \
+@@ -1214,8 +1223,9 @@ libsss_iface_la_CFLAGS = \
      $(DBUS_CFLAGS) \
      $(NULL)
  libsss_iface_la_LDFLAGS = \
@@ -96,7 +96,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_iface_sync.la
  libsss_iface_sync_la_SOURCES = \
-@@ -1225,8 +1235,9 @@ libsss_iface_sync_la_CFLAGS = \
+@@ -1242,8 +1252,9 @@ libsss_iface_sync_la_CFLAGS = \
      $(DBUS_CFLAGS) \
      $(NULL)
  libsss_iface_sync_la_LDFLAGS = \
@@ -107,7 +107,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_util.la
  libsss_util_la_SOURCES = \
-@@ -1322,7 +1333,8 @@ endif
+@@ -1338,7 +1349,8 @@ endif
  if BUILD_PASSKEY
  libsss_util_la_SOURCES += src/db/sysdb_passkey_user_verification.c
  endif # BUILD_PASSKEY
@@ -115,19 +115,9 @@ Index: sssd-2.9.2/Makefile.am
 +libsss_util_la_LDFLAGS = -avoid-version ${symv}
 +EXTRA_libsss_util_la_DEPENDENCIES = x.sym
  
- pkglib_LTLIBRARIES += libsss_semanage.la
- libsss_semanage_la_CFLAGS = \
-@@ -1341,7 +1353,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_
- endif
- 
- libsss_semanage_la_LDFLAGS = \
--    -avoid-version
-+    -avoid-version ${symv}
-+EXTRA_libsss_semanage_la_DEPENDENCIES = x.sym
- 
  SSSD_INTERNAL_LTLIBS = \
      libsss_util.la \
-@@ -1357,7 +1370,7 @@ lib_LTLIBRARIES = libipa_hbac.la \
+@@ -1354,7 +1366,7 @@ lib_LTLIBRARIES = libipa_hbac.la \
                    $(NULL)
  
  pkgconfig_DATA += src/lib/ipa_hbac/ipa_hbac.pc
@@ -136,7 +126,7 @@ Index: sssd-2.9.2/Makefile.am
  libipa_hbac_la_SOURCES = \
      src/lib/ipa_hbac/hbac_evaluator.c \
      src/util/sss_utf8.c
-@@ -1688,8 +1701,9 @@ libifp_iface_la_CFLAGS = \
+@@ -1682,8 +1694,9 @@ libifp_iface_la_CFLAGS = \
      $(DBUS_CFLAGS) \
      $(NULL)
  libifp_iface_la_LDFLAGS = \
@@ -147,7 +137,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libifp_iface_sync.la
  libifp_iface_sync_la_SOURCES = \
-@@ -1714,8 +1728,9 @@ libifp_iface_sync_la_CFLAGS = \
+@@ -1708,8 +1721,9 @@ libifp_iface_sync_la_CFLAGS = \
      $(DBUS_CFLAGS) \
      $(NULL)
  libifp_iface_sync_la_LDFLAGS = \
@@ -158,7 +148,7 @@ Index: sssd-2.9.2/Makefile.am
  
  sssd_ifp_SOURCES = \
      src/responder/ifp/ifpsrv.c \
-@@ -4314,8 +4329,9 @@ libsss_ldap_common_la_LIBADD = \
+@@ -4314,8 +4328,9 @@ libsss_ldap_common_la_LIBADD = \
      $(SSSD_INTERNAL_LTLIBS) \
      $(NULL)
  libsss_ldap_common_la_LDFLAGS = \
@@ -169,7 +159,7 @@ Index: sssd-2.9.2/Makefile.am
  if BUILD_SYSTEMTAP
  libsss_ldap_common_la_LIBADD += stap_generated_probes.lo
  endif
-@@ -4372,7 +4388,8 @@ libsss_krb5_common_la_LIBADD = \
+@@ -4371,7 +4386,8 @@ libsss_krb5_common_la_LIBADD = \
      $(SSSD_INTERNAL_LTLIBS) \
      $(NULL)
  libsss_krb5_common_la_LDFLAGS = \