SHA256
1
0
forked from jengelh/sssd

sssd 2.10.1

This commit is contained in:
Jan Engelhardt 2024-12-11 10:33:24 +01:00
parent 6e6893108a
commit 7a9befa693
11 changed files with 61 additions and 528 deletions

View File

@ -1,76 +0,0 @@
From 8db2df4fcbd09badafbc207bd4150b5f1cc2d5fb Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Thu, 24 Oct 2024 15:34:26 +0200
Subject: [PATCH] Configuration: make sure /etc/sssd and everything
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
beneath is owned by 'sssd' group and readable by group.
This should allow for reasonable rw-r----- root:sssd
At some points those chown/chmod can be removed.
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 518db322fdd5a4de41813fbe5bc35fc20392ce67)
---
contrib/sssd.spec.in | 4 ++--
src/sysv/systemd/sssd-kcm.service.in | 5 ++---
src/sysv/systemd/sssd.service.in | 6 ++----
3 files changed, 6 insertions(+), 9 deletions(-)
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 4fbacb959..83de563f3 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -1136,9 +1136,9 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d /run/sssd -s /sbin/nologi
%__rm -f %{mcpath}/group
%__rm -f %{mcpath}/initgroups
%__rm -f %{mcpath}/sid
+%__chown -f -R root:%{sssd_user} %{_sysconfdir}/sssd || true
+%__chmod -f -R g+r %{_sysconfdir}/sssd || true
%__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true
-%__chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true
-%__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true
%__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
%__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true
%__chown -f %{sssd_user}:%{sssd_user} %{gpocachepath}/* || true
diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
index 0c839ec5c..ba9e27cd9 100644
--- a/src/sysv/systemd/sssd-kcm.service.in
+++ b/src/sysv/systemd/sssd-kcm.service.in
@@ -9,9 +9,8 @@ Also=sssd-kcm.socket
[Service]
Environment=DEBUG_LOGGER=--logger=files
-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
+ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
+ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb"
ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log
ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER}
diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
index 37e0a63f8..a6f79ff8a 100644
--- a/src/sysv/systemd/sssd.service.in
+++ b/src/sysv/systemd/sssd.service.in
@@ -10,10 +10,8 @@ StartLimitBurst=5
[Service]
Environment=DEBUG_LOGGER=--logger=files
EnvironmentFile=-@environment_file@
-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/pki
+ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
+ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @dbpath@/*.ldb"
ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @gpocachepath@/*"
ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/*.log"
--
2.47.0

View File

@ -1,135 +0,0 @@
From 340671f16abb9c26ae97b11c4e2845337e67973e Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 23 Oct 2024 20:59:32 +0200
Subject: [PATCH] INI: relax config files checks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Only make sure:
- user is root or sssd
- group is root or sssd
- other can't access it
Don't make any assumptions wrt user/group read/write-ability.
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 8472777ec472607ea450ddb4c4666017bd0de704)
---
src/man/sssd.conf.5.xml | 5 ++-
src/util/sss_ini.c | 68 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 70 insertions(+), 3 deletions(-)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index a074cc674..bf10acb2a 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -57,9 +57,8 @@
readable, and writeable only by 'root'.
</para>
<para condition="with_non_root_user_support">
- <filename>sssd.conf</filename> must be a regular file that is owned,
- readable, and writeable by the same user as configured to run SSSD
- service.
+ <filename>sssd.conf</filename> must be a regular file that is
+ accessible only by the user used to run SSSD service or root.
</para>
</refsect1>
diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
index e989d8caf..74cf61e0e 100644
--- a/src/util/sss_ini.c
+++ b/src/util/sss_ini.c
@@ -26,6 +26,7 @@
#include <unistd.h>
#include <string.h>
#include <errno.h>
+#include <sys/stat.h>
#include <talloc.h>
#include "config.h"
@@ -781,6 +782,71 @@ int sss_ini_open(struct sss_ini *self,
return ret;
}
+static int access_check_file(const char *filename)
+{
+ int ret;
+ struct stat st;
+ uid_t uid;
+ gid_t gid;
+
+ sss_sssd_user_uid_and_gid(&uid, &gid);
+
+ ret = stat(filename, &st);
+ if (ret != 0) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "stat(%s) failed: %s\n",
+ filename, strerror(ret));
+ return EINVAL;
+ }
+
+ if ((st.st_uid != 0) && (st.st_uid != uid)) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected user owner of '%s': %"SPRIuid"\n",
+ filename, st.st_uid);
+ return ERR_INI_INVALID_PERMISSION;
+ }
+
+ if ((st.st_gid != 0) && (st.st_gid != gid)) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected group owner of '%s': %"SPRIgid"\n",
+ filename, st.st_gid);
+ return ERR_INI_INVALID_PERMISSION;
+ }
+
+ if ((st.st_mode & (S_IROTH|S_IWOTH|S_IXOTH)) != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected access to '%s' by other users\n",
+ filename);
+ return ERR_INI_INVALID_PERMISSION;
+ }
+
+ return EOK;
+}
+
+static int access_check_ini(struct sss_ini *self)
+{
+ int ret;
+ const char *path;
+ uint32_t i;
+ const char **snippet;
+ struct ref_array *used_snippets;
+
+ if (self->main_config_exists) {
+ path = ini_config_get_filename(self->file);
+ ret = access_check_file(path);
+ if (ret != EOK) {
+ return ret;
+ }
+ }
+
+ used_snippets = sss_ini_get_ra_success_list(self);
+ for (i = 0; (snippet = ref_array_get(used_snippets, i, NULL)) != NULL; ++i) {
+ ret = access_check_file(*snippet);
+ if (ret != EOK) {
+ return ret;
+ }
+ }
+
+ return EOK;
+}
+
int sss_ini_read_sssd_conf(struct sss_ini *self,
const char *config_file,
const char *config_dir)
@@ -833,5 +899,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
return ERR_INI_EMPTY_CONFIG;
}
+ ret = access_check_ini(self);
+
return ret;
}
--
2.47.0

View File

@ -1,182 +0,0 @@
From 1d19b8ad9415e0a12ed3aaf039d4d0956ef4dbad Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 23 Oct 2024 19:53:09 +0200
Subject: [PATCH] INI: stop using 'libini_config' for access check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/util/sss_ini.c | 100 +----------------------------------------------------
src/util/sss_ini.h | 12 ------
2 files changed, 3 insertions(+), 109 deletions(-)
Index: sssd-2.10.0/src/util/sss_ini.c
===================================================================
--- sssd-2.10.0.orig/src/util/sss_ini.c
+++ sssd-2.10.0/src/util/sss_ini.c
@@ -147,81 +147,6 @@ static int sss_ini_config_file_from_mem(
&self->file);
}
-/* Check configuration file permissions */
-
-static bool is_running_sssd(void)
-{
- static char exe[1024];
- int ret;
- const char *s = NULL;
-
- ret = readlink("/proc/self/exe", exe, sizeof(exe) - 1);
- if ((ret > 0) && (ret < 1024)) {
- exe[ret] = 0;
- s = strstr(exe, debug_prg_name);
- if ((s != NULL) && (strlen(s) == strlen(debug_prg_name))) {
- return true;
- }
- }
-
- return false;
-}
-
-static int sss_ini_access_check(struct sss_ini *self)
-{
- int ret;
- uint32_t flags = INI_ACCESS_CHECK_MODE;
-
- if (!self->main_config_exists) {
- return EOK;
- }
-
- if (is_running_sssd()) {
- flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID;
- }
-
- ret = ini_config_access_check(self->file,
- flags,
- geteuid(),
- getegid(),
- S_IRUSR, /* r**------ */
- ALLPERMS & ~(S_IWUSR|S_IXUSR));
-
- return ret;
-}
-
-
-
-/* Get cstat */
-
-int sss_ini_get_stat(struct sss_ini *self)
-{
- self->cstat = ini_config_get_stat(self->file);
-
- if (!self->cstat) return EIO;
-
- return EOK;
-}
-
-
-
-/* Get mtime */
-
-int sss_ini_get_mtime(struct sss_ini *self,
- size_t timestr_len,
- char *timestr)
-{
- return snprintf(timestr, timestr_len, "%llu",
- (long long unsigned)self->cstat->st_mtime);
-}
-
-/* Get file_exists */
-
-bool sss_ini_exists(struct sss_ini *self)
-{
- return self->main_config_exists;
-}
-
/* Print ini_config errors */
static void sss_ini_config_print_errors(char **error_list)
@@ -289,7 +214,6 @@ static int sss_ini_add_snippets(struct s
uint32_t i = 0;
char *msg = NULL;
struct ini_cfgobj *modified_sssd_config = NULL;
- struct access_check snip_check;
if (self == NULL || self->sssd_config == NULL || config_dir == NULL) {
return EINVAL;
@@ -297,21 +221,11 @@ static int sss_ini_add_snippets(struct s
sss_ini_free_ra_messages(self);
- snip_check.flags = INI_ACCESS_CHECK_MODE;
-
- if (is_running_sssd()) {
- snip_check.flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID;
- }
- snip_check.uid = geteuid();
- snip_check.gid = getegid();
- snip_check.mode = S_IRUSR; /* r**------ */
- snip_check.mask = ALLPERMS & ~(S_IWUSR | S_IXUSR);
-
ret = ini_config_augment(self->sssd_config,
config_dir,
patterns,
sections,
- &snip_check,
+ NULL,
INI_STOP_ON_ANY,
INI_MV1S_OVERWRITE,
INI_PARSE_NOWRAP,
@@ -894,15 +808,7 @@ int sss_ini_read_sssd_conf(struct sss_in
return ERR_INI_OPEN_FAILED;
}
- if (sss_ini_exists(self)) {
- ret = sss_ini_access_check(self);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Permission check on config file %s failed: %d\n",
- config_file, ret);
- return ERR_INI_INVALID_PERMISSION;
- }
- } else {
+ if (!self->main_config_exists) {
DEBUG(SSSDBG_CONF_SETTINGS,
"File %s does not exist.\n", config_file);
}
@@ -923,7 +829,7 @@ int sss_ini_read_sssd_conf(struct sss_in
return ERR_INI_ADD_SNIPPETS_FAILED;
}
- if (!sss_ini_exists(self) &&
+ if ((!self->main_config_exists) &&
(ref_array_len(sss_ini_get_ra_success_list(self)) == 0)) {
return ERR_INI_EMPTY_CONFIG;
}
Index: sssd-2.10.0/src/util/sss_ini.h
===================================================================
--- sssd-2.10.0.orig/src/util/sss_ini.h
+++ sssd-2.10.0/src/util/sss_ini.h
@@ -81,18 +81,6 @@ int sss_ini_open(struct sss_ini *self,
const char *fallback_cfg);
/**
- * @brief Check whether sss_ini_open() reported that ini file is
- * not present
- *
- * @param[in] self pointer to sss_ini structure
- *
- * @return
- * - true we are using ini file
- * - false file was not found
- */
-bool sss_ini_exists(struct sss_ini *self);
-
-/**
* @brief get Cstat structure of the ini file
*/
int sss_ini_get_stat(struct sss_ini *self);

View File

@ -1,75 +0,0 @@
From 1a743a4123c104a10c694f7ee9d2f0a1e7182513 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt <jengelh@inai.de>
Date: Wed, 16 Oct 2024 09:55:50 +0200
Subject: [PATCH] sssd: always print path when config object is rejected
References: https://github.com/SSSD/sssd/pull/7649
Observed:
```
Oct 16 09:44:04 a4 sssd[28717]: [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
Oct 16 09:44:04 a4 sssd[28717]: Can't read config: 'File ownership and permissions check failed'
Oct 16 09:44:04 a4 sssd[28717]: Failed to read configuration: 'File ownership and permissions check failed'
```
Expected:
_Well yes, but **which one**_!?
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
(cherry picked from commit 2b7915dd84a6b8c3ee26e45357283677fe22f2cb)
---
src/util/sss_ini.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
index 7f9824d88..2a611eb8c 100644
--- a/src/util/sss_ini.c
+++ b/src/util/sss_ini.c
@@ -888,7 +888,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
ret = sss_ini_open(self, config_file, "[sssd]\n");
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
- "The sss_ini_open failed %s: %d\n",
+ "sss_ini_open on %s failed: %d\n",
config_file,
ret);
return ERR_INI_OPEN_FAILED;
@@ -898,26 +898,28 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
ret = sss_ini_access_check(self);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
- "Permission check on config file failed.\n");
+ "Permission check on config file %s failed: %d\n",
+ config_file, ret);
return ERR_INI_INVALID_PERMISSION;
}
} else {
DEBUG(SSSDBG_CONF_SETTINGS,
- "File %1$s does not exist.\n",
- (config_file ? config_file : "NULL"));
+ "File %s does not exist.\n", config_file);
}
ret = sss_ini_parse(self);
if (ret != EOK) {
sss_ini_config_print_errors(self->error_list);
- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration.\n");
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration file %s: %d\n",
+ config_file, ret);
return ERR_INI_PARSE_FAILED;
}
ret = sss_ini_add_snippets(self, config_dir);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
- "Error while reading configuration directory.\n");
+ "Error while reading configuration directory %s: %d\n",
+ config_dir, ret);
return ERR_INI_ADD_SNIPPETS_FAILED;
}
--
2.47.0

BIN
sssd-2.10.0.tar.gz (Stored with Git LFS)

Binary file not shown.

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmcOPUoACgkQ09IbKRDP
Z1myuA//anDvdZcQp0EUia2NsiWt2MFE8esmsEIN6QmEYjUxvEeXI9q4YJQimMi8
wdt0zqZE1PLrTcroWaeGcgt2+CJWUbVanZtNn3oo7lUVYrLKemrUzavM7dXTaA43
cdKAFyEO+nHJQ2yBNUt6sRXc3tM0H27yZs0iL+CcYu6YshUTbMnZuwdpz7DqDTN8
nbG+LWa+U0en5mI3waP8Ionwmdv9AJAuCHQZLlZDpM0+YfGumcIUJdbxU/I8pqP8
MQaulPv3e+BNwdbUiLlk0cXRjuEfSd0bmMa3MqB4IqMvvjACU0GuSgK3FDhutZJe
HfmzYSo/Zntmr7F/eYLz6zy/GU3VewEilOyRV08oz+EVJRbGyo2t4k6PUYbn+I4V
kJ/maed5jnBzIZGf6o+P1r+3mavJg7k2LDV4s48MsZ4Y5ED4X0c+boT1L5FZbquW
gp99Di0RG4VoWiYOfVfszLzeDWOLbOrKMyA6PTqlmjGYAdV9SBwZP5WEdwXyPovo
D7uual7Eqdd+Y/lt+8O4Wd+Y+a9xI2kwVFo8KYmHc8PhgLpPIKTWbBTEI+0nw3fJ
qqyyA7JWA81bt4WKVuJaeS87S/9F4yn8ps2dzSgHjZ2Tzr7Eu1a3RWLjKYsjKZrT
PPd2d/02rQAZPwLYHN5qM3Xjh0DD7IiXav1QuIPxmUQA9z8ZiuA=
=mJVY
-----END PGP SIGNATURE-----

BIN
sssd-2.10.1.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

16
sssd-2.10.1.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmdYSb4ACgkQ09IbKRDP
Z1kRyRAAmkKhCUcBs4h2mDg7uzz7DfYFkHXEiY8EMoVP5Iw6ZsNL/V9fwF9xhj49
XbnCfxj2zFfVWZd5VYnTpl86Hg3NrxuPehgM+iMAXS6U/55TvRPunCtTiRwoTZ4t
zSgiBaSg3I2hmSN2cnSU8PpilEDCIeSP3uafmGXI1KUxEQltVbp0EeJ5CL5GP3xU
rFgI1pKdTySlw6jZ3vjkAaHwdsJGB0MKtjiBJYtqvHmIzbUdSNN/iE5Wf5xsdtez
KKLUrnKeQFuNyYWpjipJvbs7i9+E5VKFvCfrqFb6vQbp+Rgd98epVjp2VKovNy8p
gZQmgfbi5GCWKuBx+dbaRSFa8hWemEwnBNboV6JKq4+CoPsMkI367utZV5gd58V5
RHgLsrZfjahAXgG4ytwPhgKDV+sX+sSn4aXIdaSgc+vP7+ykLMxyzyR2GXyG+y11
WrnovdR0HywHfzvlUnKQmcLUjCkXKVwIMw0oBRa8+YLTD08EeYgu+oXXDpGD0oL1
YJLLBdr6ycR9Rk/sUqbZgEnzQZPYXazIraUrd71Ry8CaNvqi86Of7sX6SgSQQeg/
ZPLNcPWPadG/9jpMNJNsXXEZicNJXznQczlXKvRXINOJzknJYwwgH+/55otbzNzq
EjlOmFEn07bGAHCsHTfydlCeYqD9x+WV/X8CReMFjcaaBH4TDms=
=S0c5
-----END PGP SIGNATURE-----

View File

@ -1,3 +1,19 @@
-------------------------------------------------------------------
Tue Dec 10 20:17:10 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
- Update to release 2.10.1
* SSSD does not create anymore missing path components of
DIR:/FILE: ccache types while acquiring user's TGT. The
parent directory of requested ccache directory must exist and
the user trying to log in must have rwx access to this
directory. This matches behavior of /usr/bin/kinit.
* The option default_domain_suffix is deprecated.
- Delete 0001-Configuration-make-sure-etc-sssd-and-everything.patch,
0001-INI-relax-config-files-checks.patch,
0001-INI-stop-using-libini_config-for-access-check.patch,
0001-sssd-always-print-path-when-config-object-is-rejecte.patch
(merged)
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt <jengelh@inai.de> Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt <jengelh@inai.de>

View File

@ -17,7 +17,7 @@
Name: sssd Name: sssd
Version: 2.10.0 Version: 2.10.1
Release: 0 Release: 0
Summary: System Security Services Daemon Summary: System Security Services Daemon
License: GPL-3.0-or-later AND LGPL-3.0-or-later License: GPL-3.0-or-later AND LGPL-3.0-or-later
@ -28,10 +28,6 @@ Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%v
Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc
Source3: baselibs.conf Source3: baselibs.conf
Source5: %name.keyring Source5: %name.keyring
Patch3: 0001-sssd-always-print-path-when-config-object-is-rejecte.patch
Patch4: 0001-INI-stop-using-libini_config-for-access-check.patch
Patch5: 0001-INI-relax-config-files-checks.patch
Patch6: 0001-Configuration-make-sure-etc-sssd-and-everything.patch
Patch11: krb-noversion.diff Patch11: krb-noversion.diff
Patch12: harden_sssd-ifp.service.patch Patch12: harden_sssd-ifp.service.patch
Patch13: harden_sssd-kcm.service.patch Patch13: harden_sssd-kcm.service.patch
@ -489,11 +485,11 @@ cat >"$b/etc/permissions.d/sssd" <<-EOF
%_libexecdir/sssd/sssd_pam root:sssd 0750 %_libexecdir/sssd/sssd_pam root:sssd 0750
+capabilities cap_dac_read_search=p +capabilities cap_dac_read_search=p
%_libexecdir/sssd/selinux_child root:sssd 0750 %_libexecdir/sssd/selinux_child root:sssd 0750
+capabilities %child_capabilities +capabilities cap_setgid,cap_setuid=p
%_libexecdir/sssd/krb5_child root:sssd 0750 %_libexecdir/sssd/krb5_child root:sssd 0750
+capabilities %child_capabilities +capabilities cap_dac_read_search,cap_setgid,cap_setuid=p
%_libexecdir/sssd/ldap_child root:sssd 0750 %_libexecdir/sssd/ldap_child root:sssd 0750
+capabilities %child_capabilities +capabilities cap_dac_read_search=p
EOF EOF
%check %check
@ -691,7 +687,6 @@ fi
%_libdir/%name/libsss_files* %_libdir/%name/libsss_files*
%endif %endif
%_libdir/%name/libsss_iface* %_libdir/%name/libsss_iface*
%_libdir/%name/libsss_semanage*
%_libdir/%name/libsss_sbus* %_libdir/%name/libsss_sbus*
%_libdir/%name/libsss_simple* %_libdir/%name/libsss_simple*
%_libdir/%name/libsss_util* %_libdir/%name/libsss_util*
@ -710,7 +705,7 @@ fi
%_libexecdir/%name/sss_signal %_libexecdir/%name/sss_signal
%_libexecdir/%name/sssd_check_socket_activated_responders %_libexecdir/%name/sssd_check_socket_activated_responders
%if 0%{?suse_version} >= 1600 %if 0%{?suse_version} >= 1600
%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/selinux_child %attr(750,root,%sssd_user) %caps(cap_setgid,cap_setuid=p) %_libexecdir/%name/selinux_child
%endif %endif
%dir %sssdstatedir %dir %sssdstatedir
%attr(700,%sssd_user,%sssd_user) %dir %dbpath/ %attr(700,%sssd_user,%sssd_user) %dir %dbpath/
@ -839,8 +834,8 @@ fi
%dir %_libdir/%name/ %dir %_libdir/%name/
%_libdir/%name/libsss_krb5_common.so %_libdir/%name/libsss_krb5_common.so
%dir %_libexecdir/%name/ %dir %_libexecdir/%name/
%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/krb5_child %attr(750,root,%sssd_user) %caps(cap_dac_read_search,cap_setgid,cap_setuid=p) %_libexecdir/%name/krb5_child
%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/ldap_child %attr(750,root,%sssd_user) %caps(cap_dac_read_search=p) %_libexecdir/%name/ldap_child
%files ldap %files ldap
%dir %_libdir/%name/ %dir %_libdir/%name/

View File

@ -12,14 +12,14 @@ libsss_ldap.so(-2.7.4) cannot find a libsss_util.so(-2.7.4), since
the system only has libsss_util.so(-2.8.2) at this point. the system only has libsss_util.so(-2.8.2) at this point.
--- ---
Makefile.am | 47 ++++++++++++++++++++++++++++++++--------------- Makefile.am | 44 ++++++++++++++++++++++++++++++--------------
1 file changed, 32 insertions(+), 15 deletions(-) 1 file changed, 30 insertions(+), 14 deletions(-)
Index: sssd-2.9.2/Makefile.am Index: sssd-2.10.1/Makefile.am
=================================================================== ===================================================================
--- sssd-2.9.2.orig/Makefile.am --- sssd-2.10.1.orig/Makefile.am
+++ sssd-2.9.2/Makefile.am +++ sssd-2.10.1/Makefile.am
@@ -955,7 +955,11 @@ libsss_debug_la_SOURCES = \ @@ -971,7 +971,11 @@ libsss_debug_la_SOURCES = \
libsss_debug_la_LIBADD = \ libsss_debug_la_LIBADD = \
$(SYSLOG_LIBS) $(SYSLOG_LIBS)
libsss_debug_la_LDFLAGS = \ libsss_debug_la_LDFLAGS = \
@ -32,7 +32,7 @@ Index: sssd-2.9.2/Makefile.am
pkglib_LTLIBRARIES += libsss_child.la pkglib_LTLIBRARIES += libsss_child.la
libsss_child_la_SOURCES = src/util/child_common.c libsss_child_la_SOURCES = src/util/child_common.c
@@ -965,7 +969,8 @@ libsss_child_la_LIBADD = \ @@ -981,7 +985,8 @@ libsss_child_la_LIBADD = \
$(DHASH_LIBS) \ $(DHASH_LIBS) \
libsss_debug.la \ libsss_debug.la \
$(NULL) $(NULL)
@ -42,7 +42,7 @@ Index: sssd-2.9.2/Makefile.am
pkglib_LTLIBRARIES += libsss_crypt.la pkglib_LTLIBRARIES += libsss_crypt.la
@@ -1004,7 +1009,8 @@ libsss_crypt_la_LIBADD = \ @@ -1021,7 +1026,8 @@ libsss_crypt_la_LIBADD = \
libsss_debug.la \ libsss_debug.la \
$(NULL) $(NULL)
libsss_crypt_la_LDFLAGS = \ libsss_crypt_la_LDFLAGS = \
@ -52,7 +52,7 @@ Index: sssd-2.9.2/Makefile.am
pkglib_LTLIBRARIES += libsss_cert.la pkglib_LTLIBRARIES += libsss_cert.la
@@ -1029,8 +1035,9 @@ libsss_cert_la_LIBADD = \ @@ -1046,8 +1052,9 @@ libsss_cert_la_LIBADD = \
libsss_debug.la \ libsss_debug.la \
$(NULL) $(NULL)
libsss_cert_la_LDFLAGS = \ libsss_cert_la_LDFLAGS = \
@ -63,7 +63,7 @@ Index: sssd-2.9.2/Makefile.am
generate-sbus-code: generate-sbus-code:
$(builddir)/sbus_generate.sh $(abs_srcdir) $(builddir)/sbus_generate.sh $(abs_srcdir)
@@ -1131,8 +1138,9 @@ libsss_sbus_la_CFLAGS = \ @@ -1148,8 +1155,9 @@ libsss_sbus_la_CFLAGS = \
$(DBUS_CFLAGS) \ $(DBUS_CFLAGS) \
$(NULL) $(NULL)
libsss_sbus_la_LDFLAGS = \ libsss_sbus_la_LDFLAGS = \
@ -74,7 +74,7 @@ Index: sssd-2.9.2/Makefile.am
pkglib_LTLIBRARIES += libsss_sbus_sync.la pkglib_LTLIBRARIES += libsss_sbus_sync.la
libsss_sbus_sync_la_SOURCES = \ libsss_sbus_sync_la_SOURCES = \
@@ -1167,8 +1175,9 @@ libsss_sbus_sync_la_CFLAGS = \ @@ -1184,8 +1192,9 @@ libsss_sbus_sync_la_CFLAGS = \
$(UNICODE_LIBS) \ $(UNICODE_LIBS) \
$(NULL) $(NULL)
libsss_sbus_sync_la_LDFLAGS = \ libsss_sbus_sync_la_LDFLAGS = \
@ -85,7 +85,7 @@ Index: sssd-2.9.2/Makefile.am
pkglib_LTLIBRARIES += libsss_iface.la pkglib_LTLIBRARIES += libsss_iface.la
libsss_iface_la_SOURCES = \ libsss_iface_la_SOURCES = \
@@ -1197,8 +1206,9 @@ libsss_iface_la_CFLAGS = \ @@ -1214,8 +1223,9 @@ libsss_iface_la_CFLAGS = \
$(DBUS_CFLAGS) \ $(DBUS_CFLAGS) \
$(NULL) $(NULL)
libsss_iface_la_LDFLAGS = \ libsss_iface_la_LDFLAGS = \
@ -96,7 +96,7 @@ Index: sssd-2.9.2/Makefile.am
pkglib_LTLIBRARIES += libsss_iface_sync.la pkglib_LTLIBRARIES += libsss_iface_sync.la
libsss_iface_sync_la_SOURCES = \ libsss_iface_sync_la_SOURCES = \
@@ -1225,8 +1235,9 @@ libsss_iface_sync_la_CFLAGS = \ @@ -1242,8 +1252,9 @@ libsss_iface_sync_la_CFLAGS = \
$(DBUS_CFLAGS) \ $(DBUS_CFLAGS) \
$(NULL) $(NULL)
libsss_iface_sync_la_LDFLAGS = \ libsss_iface_sync_la_LDFLAGS = \
@ -107,7 +107,7 @@ Index: sssd-2.9.2/Makefile.am
pkglib_LTLIBRARIES += libsss_util.la pkglib_LTLIBRARIES += libsss_util.la
libsss_util_la_SOURCES = \ libsss_util_la_SOURCES = \
@@ -1322,7 +1333,8 @@ endif @@ -1338,7 +1349,8 @@ endif
if BUILD_PASSKEY if BUILD_PASSKEY
libsss_util_la_SOURCES += src/db/sysdb_passkey_user_verification.c libsss_util_la_SOURCES += src/db/sysdb_passkey_user_verification.c
endif # BUILD_PASSKEY endif # BUILD_PASSKEY
@ -115,19 +115,9 @@ Index: sssd-2.9.2/Makefile.am
+libsss_util_la_LDFLAGS = -avoid-version ${symv} +libsss_util_la_LDFLAGS = -avoid-version ${symv}
+EXTRA_libsss_util_la_DEPENDENCIES = x.sym +EXTRA_libsss_util_la_DEPENDENCIES = x.sym
pkglib_LTLIBRARIES += libsss_semanage.la
libsss_semanage_la_CFLAGS = \
@@ -1341,7 +1353,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_
endif
libsss_semanage_la_LDFLAGS = \
- -avoid-version
+ -avoid-version ${symv}
+EXTRA_libsss_semanage_la_DEPENDENCIES = x.sym
SSSD_INTERNAL_LTLIBS = \ SSSD_INTERNAL_LTLIBS = \
libsss_util.la \ libsss_util.la \
@@ -1357,7 +1370,7 @@ lib_LTLIBRARIES = libipa_hbac.la \ @@ -1354,7 +1366,7 @@ lib_LTLIBRARIES = libipa_hbac.la \
$(NULL) $(NULL)
pkgconfig_DATA += src/lib/ipa_hbac/ipa_hbac.pc pkgconfig_DATA += src/lib/ipa_hbac/ipa_hbac.pc
@ -136,7 +126,7 @@ Index: sssd-2.9.2/Makefile.am
libipa_hbac_la_SOURCES = \ libipa_hbac_la_SOURCES = \
src/lib/ipa_hbac/hbac_evaluator.c \ src/lib/ipa_hbac/hbac_evaluator.c \
src/util/sss_utf8.c src/util/sss_utf8.c
@@ -1688,8 +1701,9 @@ libifp_iface_la_CFLAGS = \ @@ -1682,8 +1694,9 @@ libifp_iface_la_CFLAGS = \
$(DBUS_CFLAGS) \ $(DBUS_CFLAGS) \
$(NULL) $(NULL)
libifp_iface_la_LDFLAGS = \ libifp_iface_la_LDFLAGS = \
@ -147,7 +137,7 @@ Index: sssd-2.9.2/Makefile.am
pkglib_LTLIBRARIES += libifp_iface_sync.la pkglib_LTLIBRARIES += libifp_iface_sync.la
libifp_iface_sync_la_SOURCES = \ libifp_iface_sync_la_SOURCES = \
@@ -1714,8 +1728,9 @@ libifp_iface_sync_la_CFLAGS = \ @@ -1708,8 +1721,9 @@ libifp_iface_sync_la_CFLAGS = \
$(DBUS_CFLAGS) \ $(DBUS_CFLAGS) \
$(NULL) $(NULL)
libifp_iface_sync_la_LDFLAGS = \ libifp_iface_sync_la_LDFLAGS = \
@ -158,7 +148,7 @@ Index: sssd-2.9.2/Makefile.am
sssd_ifp_SOURCES = \ sssd_ifp_SOURCES = \
src/responder/ifp/ifpsrv.c \ src/responder/ifp/ifpsrv.c \
@@ -4314,8 +4329,9 @@ libsss_ldap_common_la_LIBADD = \ @@ -4314,8 +4328,9 @@ libsss_ldap_common_la_LIBADD = \
$(SSSD_INTERNAL_LTLIBS) \ $(SSSD_INTERNAL_LTLIBS) \
$(NULL) $(NULL)
libsss_ldap_common_la_LDFLAGS = \ libsss_ldap_common_la_LDFLAGS = \
@ -169,7 +159,7 @@ Index: sssd-2.9.2/Makefile.am
if BUILD_SYSTEMTAP if BUILD_SYSTEMTAP
libsss_ldap_common_la_LIBADD += stap_generated_probes.lo libsss_ldap_common_la_LIBADD += stap_generated_probes.lo
endif endif
@@ -4372,7 +4388,8 @@ libsss_krb5_common_la_LIBADD = \ @@ -4371,7 +4386,8 @@ libsss_krb5_common_la_LIBADD = \
$(SSSD_INTERNAL_LTLIBS) \ $(SSSD_INTERNAL_LTLIBS) \
$(NULL) $(NULL)
libsss_krb5_common_la_LDFLAGS = \ libsss_krb5_common_la_LDFLAGS = \