diff --git a/0001-SUDO-Create-the-socket-with-stricter-permissions.patch b/0001-SUDO-Create-the-socket-with-stricter-permissions.patch
new file mode 100644
index 0000000..17aa40f
--- /dev/null
+++ b/0001-SUDO-Create-the-socket-with-stricter-permissions.patch
@@ -0,0 +1,45 @@
+From 06193adc0de042484f672cadd0808c78c5ebb70e Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek
+Date: Fri, 15 Jun 2018 22:29:34 +0200
+Subject: [PATCH] SUDO: Create the socket with stricter permissions
+
+This patch switches the sudo responder from being created as a public
+responder where the permissions are open and not checked by the sssd
+deaamon to a private socket. In this case, sssd creates the pipes with
+strict permissions (see the umask in the call to create_pipe_fd() in
+set_unix_socket()) and additionaly checks the permissions with every read
+via the tevent integrations (see accept_fd_handler()).
+---
+ src/responder/sudo/sudosrv.c | 3 ++-
+ src/sysv/systemd/sssd-sudo.socket.in | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
+index ac4258710d3a9b48285522abd23bdd59ba42ad4e..e87a24499c2d82fafaa8e1f9b386e44332394266 100644
+--- a/src/responder/sudo/sudosrv.c
++++ b/src/responder/sudo/sudosrv.c
+@@ -79,7 +79,8 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
+ sudo_cmds = get_sudo_cmds();
+ ret = sss_process_init(mem_ctx, ev, cdb,
+ sudo_cmds,
+- SSS_SUDO_SOCKET_NAME, -1, NULL, -1,
++ NULL, -1, /* No public socket */
++ SSS_SUDO_SOCKET_NAME, -1, /* Private socket only */
+ CONFDB_SUDO_CONF_ENTRY,
+ SSS_SUDO_SBUS_SERVICE_NAME,
+ SSS_SUDO_SBUS_SERVICE_VERSION,
+diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in
+index c9abb875f0accbaf58d78846020fef74c7473528..96a8b0327ddb4d331c9b2e97ece3453f8f76872d 100644
+--- a/src/sysv/systemd/sssd-sudo.socket.in
++++ b/src/sysv/systemd/sssd-sudo.socket.in
+@@ -11,6 +11,7 @@ ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r sudo
+ ListenStream=@pipepath@/sudo
+ SocketUser=@SSSD_USER@
+ SocketGroup=@SSSD_USER@
++SocketMode=0600
+
+ [Install]
+ WantedBy=sssd.service
+--
+2.14.3
+
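Review bot: The `SocketMode=0600` added to sssd-sudo.socket.in and the private-socket switch in sudo_process_init() are two independent places that now have to agree on what the socket node looks like: under socket activation systemd creates `@pipepath@/sudo` with the unit's owner and mode, while without it sssd creates the node itself (the commit message points at the umask in create_pipe_fd()), and per the same message accept_fd_handler() then checks the node's permissions on each accepted connection. Nothing in the unit records that coupling, so a later editor who relaxes the mode to let a non-root client reach the responder would trip the daemon-side check instead of getting a warning; a comment above the new line would help, e.g. `# Private responder socket: sssd verifies this node's owner and mode on every connection, keep it 0600 (CVE-2018-10852)`. It is also worth confirming that set_unix_socket() unlinks any pre-existing node before bind, so a more permissive socket left behind by the old public responder cannot survive an upgrade. The sss_process_init() call in sudo_process_init() continues outside the hunk.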
diff --git a/0002-intg-Do-not-hardcode-nsslibdir.patch b/0002-intg-Do-not-hardcode-nsslibdir.patch
new file mode 100644
index 0000000..08f8543
--- /dev/null
+++ b/0002-intg-Do-not-hardcode-nsslibdir.patch
@@ -0,0 +1,44 @@
+From b34fcff0f8bccd7b827686b50c53f45b7e20bb44 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
+Date: Tue, 12 Jun 2018 19:07:52 +0200
+Subject: [PATCH] intg: Do not hardcode nsslibdir
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This change is needed in order to have make intgcheck-run properly
+running on opensuse systems.
+
+Signed-off-by: Fabiano Fidêncio
+Reviewed-by: Chris Kowalczyk
+Reviewed-by: Michal Židek
+---
+ src/tests/intg/Makefile.am | 1 +
+ src/tests/intg/config.py.m4 | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
+index 9c5338261..4bd427669 100644
+--- a/src/tests/intg/Makefile.am
++++ b/src/tests/intg/Makefile.am
+@@ -73,6 +73,7 @@ cwrap-dbus-system.conf: data/cwrap-dbus-system.conf.in Makefile
+ config.py: config.py.m4
+ m4 -D "prefix=\`$(prefix)'" \
+ -D "sysconfdir=\`$(sysconfdir)'" \
++ -D "nsslibdir=\`$(nsslibdir)'" \
+ -D "dbpath=\`$(dbpath)'" \
+ -D "pidpath=\`$(pidpath)'" \
+ -D "logpath=\`$(logpath)'" \
+diff --git a/src/tests/intg/config.py.m4 b/src/tests/intg/config.py.m4
+index 6e011b692..04f78d869 100644
+--- a/src/tests/intg/config.py.m4
++++ b/src/tests/intg/config.py.m4
+@@ -4,7 +4,7 @@ Build configuration variables.
+
+ PREFIX = "prefix"
+ SYSCONFDIR = "sysconfdir"
+-NSS_MODULE_DIR = PREFIX + "/lib"
++NSS_MODULE_DIR = "nsslibdir"
+ SSSDCONFDIR = SYSCONFDIR + "/sssd"
+ CONF_PATH = SSSDCONFDIR + "/sssd.conf"
+ DB_PATH = "dbpath"
diff --git a/sssd.changes b/sssd.changes
index 5432c56..286822f 100644
--- a/sssd.changes
+++ b/sssd.changes
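Review bot: `NSS_MODULE_DIR = "nsslibdir"` in config.py.m4 replaces the old `PREFIX + "/lib"` default with a bare m4 substitution and no fallback, so when `$(nsslibdir)` is empty in the Makefile the `-D "nsslibdir=\`$(nsslibdir)'"` line added to Makefile.am expands it to `""` and the test configuration points the NSS module directory at an empty string, which presumably becomes a relative path once a module file name is joined to it. That failure is silent and would look like an environment problem in the integration tests rather than a build one; a one-line guard in the template right after the assignment would make it loud, e.g. `assert NSS_MODULE_DIR, "nsslibdir was not substituted at build time"`. The remaining m4 definitions of the Makefile.am rule and the rest of config.py.m4 lie outside the hunk.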
@@ -1,4 +1,17 @@
 -------------------------------------------------------------------
+
+Wed Jun 20 10:46:34 UTC 2018 - ckowalczyk@suse.com
+
+- Introduce patches:
+ * Create sockets with right permissions:
+ 0001-SUDO-Create-the-socket-with-stricter-permissions.patch
+ (bsc#1098377, CVE-2018-10852)
+ * Fix for sssd upstream integration tests
+ 0002-intg-Do-not-hardcode-nsslibdir.patch
+ (bsc#1098163)
+
+-------------------------------------------------------------------
+
 Wed Jun 20 08:38:53 UTC 2018 - varkoly@suse.com
 - Update to new minor upstream release 1.16.2
@@ -48,6 +61,7 @@ Bugfixes:
 with version 1.4.0 or newer was fixed.
 -------------------------------------------------------------------
+
 Fri Apr 27 14:43:58 UTC 2018 - ckowalczyk@suse.com
 - Update to new minor upstream release 1.16.1 (fate#323340):
diff --git a/sssd.spec b/sssd.spec
index dca0ea9..f56e2a7 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -30,8 +30,10 @@ Source2: http://releases.pagure.org/SSSD/sssd/%name-%version.tar.gz.asc
 Source3: baselibs.conf
 Source4: sssd.service
 Source5: %name.keyring
-Patch1: fix-build.patch
 BuildRoot: %_tmppath/%name-%version-build
+Patch1: fix-build.patch
+Patch2: 0001-SUDO-Create-the-socket-with-stricter-permissions.patch
+Patch3: 0002-intg-Do-not-hardcode-nsslibdir.patch
 %define servicename sssd
 %define sssdstatedir %_localstatedir/lib/sss
@@ -366,6 +368,8 @@ Security Services Daemon (sssd).
 %prep
 %setup -q
 %patch1 -p1
+%patch2 -p1
+%patch3 -p1
 %build
 %if 0%{?suse_version} < 1210