Accepting request 619100 from home:ckowalczyk:branches:network:ldap:bsc1098163-cve201810852

- Introduce patches:
  * Create sockets with right permissions:
    0001-SUDO-Create-the-socket-with-stricter-permissions.patch
    (bsc#1098377, CVE-2018-10852)
  * Fix for sssd upstream integration tests
    0002-intg-Do-not-hardcode-nsslibdir.patch
    (bsc#1098163)

OBS-URL: https://build.opensuse.org/request/show/619100
OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=203

0001-SUDO-Create-the-socket-with-stricter-permissions.patch

@@ -0,0 +1,45 @@
+From 06193adc0de042484f672cadd0808c78c5ebb70e Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Fri, 15 Jun 2018 22:29:34 +0200
+Subject: [PATCH] SUDO: Create the socket with stricter permissions
+
+This patch switches the sudo responder from being created as a public
+responder where the permissions are open and not checked by the sssd
+deaamon to a private socket. In this case, sssd creates the pipes with
+strict permissions (see the umask in the call to create_pipe_fd() in
+set_unix_socket()) and additionaly checks the permissions with every read
+via the tevent integrations (see accept_fd_handler()).
+---
+ src/responder/sudo/sudosrv.c         | 3 ++-
+ src/sysv/systemd/sssd-sudo.socket.in | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
+index ac4258710d3a9b48285522abd23bdd59ba42ad4e..e87a24499c2d82fafaa8e1f9b386e44332394266 100644
+--- a/src/responder/sudo/sudosrv.c
++++ b/src/responder/sudo/sudosrv.c
+@@ -79,7 +79,8 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
+     sudo_cmds = get_sudo_cmds();
+     ret = sss_process_init(mem_ctx, ev, cdb,
+                            sudo_cmds,
+-                           SSS_SUDO_SOCKET_NAME, -1, NULL, -1,
++                           NULL, -1,                   /* No public socket */
++                           SSS_SUDO_SOCKET_NAME, -1,   /* Private socket only */
+                            CONFDB_SUDO_CONF_ENTRY,
+                            SSS_SUDO_SBUS_SERVICE_NAME,
+                            SSS_SUDO_SBUS_SERVICE_VERSION,
+diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in
+index c9abb875f0accbaf58d78846020fef74c7473528..96a8b0327ddb4d331c9b2e97ece3453f8f76872d 100644
+--- a/src/sysv/systemd/sssd-sudo.socket.in
++++ b/src/sysv/systemd/sssd-sudo.socket.in
+@@ -11,6 +11,7 @@ ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r sudo
+ ListenStream=@pipepath@/sudo
+ SocketUser=@SSSD_USER@
+ SocketGroup=@SSSD_USER@
++SocketMode=0600
+ 
+ [Install]
+ WantedBy=sssd.service
+-- 
+2.14.3
+

0002-intg-Do-not-hardcode-nsslibdir.patch

@@ -0,0 +1,44 @@
+From b34fcff0f8bccd7b827686b50c53f45b7e20bb44 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
+Date: Tue, 12 Jun 2018 19:07:52 +0200
+Subject: [PATCH] intg: Do not hardcode nsslibdir
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This change is needed in order to have make intgcheck-run properly
+running on opensuse systems.
+
+Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
+Reviewed-by: Chris Kowalczyk <ckowalczyk@suse.com>
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+---
+ src/tests/intg/Makefile.am  | 1 +
+ src/tests/intg/config.py.m4 | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
+index 9c5338261..4bd427669 100644
+--- a/src/tests/intg/Makefile.am
++++ b/src/tests/intg/Makefile.am
+@@ -73,6 +73,7 @@ cwrap-dbus-system.conf: data/cwrap-dbus-system.conf.in Makefile
+ config.py: config.py.m4
+ 	m4 -D "prefix=\`$(prefix)'" \
+ 	   -D "sysconfdir=\`$(sysconfdir)'" \
++	   -D "nsslibdir=\`$(nsslibdir)'" \
+ 	   -D "dbpath=\`$(dbpath)'" \
+ 	   -D "pidpath=\`$(pidpath)'" \
+ 	   -D "logpath=\`$(logpath)'" \
+diff --git a/src/tests/intg/config.py.m4 b/src/tests/intg/config.py.m4
+index 6e011b692..04f78d869 100644
+--- a/src/tests/intg/config.py.m4
++++ b/src/tests/intg/config.py.m4
+@@ -4,7 +4,7 @@ Build configuration variables.
+ 
+ PREFIX = "prefix"
+ SYSCONFDIR = "sysconfdir"
+-NSS_MODULE_DIR = PREFIX + "/lib"
++NSS_MODULE_DIR = "nsslibdir"
+ SSSDCONFDIR = SYSCONFDIR + "/sssd"
+ CONF_PATH = SSSDCONFDIR + "/sssd.conf"
+ DB_PATH = "dbpath"

sssd.changes

@@ -1,4 +1,17 @@
 -------------------------------------------------------------------
+
+Wed Jun 20 10:46:34 UTC 2018 - ckowalczyk@suse.com
+
+- Introduce patches:
+  * Create sockets with right permissions:
+    0001-SUDO-Create-the-socket-with-stricter-permissions.patch
+    (bsc#1098377, CVE-2018-10852)
+  * Fix for sssd upstream integration tests
+    0002-intg-Do-not-hardcode-nsslibdir.patch
+    (bsc#1098163) 
+
+-------------------------------------------------------------------
+
 Wed Jun 20 08:38:53 UTC 2018 - varkoly@suse.com
 
 - Update to new minor upstream release 1.16.2
@@ -48,6 +61,7 @@ Bugfixes:
     with version 1.4.0 or newer was fixed.
 
 -------------------------------------------------------------------
+
 Fri Apr 27 14:43:58 UTC 2018 - ckowalczyk@suse.com
 
 - Update to new minor upstream release 1.16.1 (fate#323340):

sssd.spec

@@ -30,8 +30,10 @@ Source2:        http://releases.pagure.org/SSSD/sssd/%name-%version.tar.gz.asc
 Source3:        baselibs.conf
 Source4:        sssd.service
 Source5:        %name.keyring
-Patch1:		fix-build.patch
 BuildRoot:      %_tmppath/%name-%version-build
+Patch1:		fix-build.patch
+Patch2:         0001-SUDO-Create-the-socket-with-stricter-permissions.patch
+Patch3:         0002-intg-Do-not-hardcode-nsslibdir.patch
 
 %define servicename	sssd
 %define sssdstatedir	%_localstatedir/lib/sss
@@ -366,6 +368,8 @@ Security Services Daemon (sssd).
 %prep
 %setup -q
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
 
 %build
 %if 0%{?suse_version} < 1210