From 886fcf0567a235626cfe3350b85588b681623e38435f30e873a2f0ee1b3e20de Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Fri, 6 Aug 2021 21:07:18 +0000
Subject: [PATCH 1/5] Drop --with-crypto
OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=249
---
 sssd.spec | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/sssd.spec b/sssd.spec
index 34c7e29..5065f17 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -81,7 +81,7 @@ BuildRequires: pkgconfig(libcrypto)
 BuildRequires: pkgconfig(libnfsidmap)
 BuildRequires: pkgconfig(libnl-3.0) >= 3.0
 BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0
-BuildRequires: pkgconfig(libpcre) >= 7
+BuildRequires: pkgconfig(libpcre2-8)
 BuildRequires: pkgconfig(libsystemd)
 BuildRequires: pkgconfig(ndr_krb5pac)
 BuildRequires: pkgconfig(ndr_nbt)
@@ -371,7 +371,6 @@ autoreconf -fiv
 export CFLAGS="%optflags -fPIE"
 export LDFLAGS="-pie"
 %configure \
- --with-crypto=libcrypto \
 --with-db-path="%dbpath" \
 --with-pipe-path="%pipepath" \
 --with-pubconf-path="%pubconfpath" \
From 33a4c1553fff0a6dfec4c4ee358dd9207654d132558ac76184c40f20ef9dcfce Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Sat, 16 Oct 2021 11:07:49 +0000
Subject: [PATCH 2/5] - Update to release 2.6.0
OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=250
---
 sssd-2.5.2.tar.gz | 3 ---
 sssd-2.5.2.tar.gz.asc | 11 --------
 sssd-2.6.0.tar.gz | 3 +++
 sssd-2.6.0.tar.gz.asc | 11 ++++++++
 sssd.changes | 5 ++++
 sssd.spec | 60 +++++++++++++++++++------------------------
 6 files changed, 45 insertions(+), 48 deletions(-)
 delete mode 100644 sssd-2.5.2.tar.gz
 delete mode 100644 sssd-2.5.2.tar.gz.asc
 create mode 100644 sssd-2.6.0.tar.gz
 create mode 100644 sssd-2.6.0.tar.gz.asc
diff --git a/sssd-2.5.2.tar.gz b/sssd-2.5.2.tar.gz
deleted file mode 100644
index e911dc2..0000000
--- a/sssd-2.5.2.tar.gz
+++ /dev/null
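Review bot: The switch from `pkgconfig(libpcre) >= 7` to `pkgconfig(libpcre2-8)` in the first sssd.spec hunk of PATCH 1/5 is recorded nowhere: the subject says only "Drop --with-crypto" and the diffstat lists no sssd.changes entry. Replacing the regex library an authentication daemon is built against is worth a changelog line in the same commit, for example `- Build against PCRE2 (pkgconfig(libpcre2-8)) instead of PCRE1`. The new requirement also carries no minimum version where the old one had `>= 7`; if configure expects a particular PCRE2 level, state it on this line. Both hunks show only part of the spec, so any conditional around these lines is outside my view.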
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5e21b3c7b4a2f1063d0fbdd3216d29886b6eaba153b44fb5961698367f399a0f
-size 7579208
diff --git a/sssd-2.5.2.tar.gz.asc b/sssd-2.5.2.tar.gz.asc
deleted file mode 100644
index 5649c67..0000000
--- a/sssd-2.5.2.tar.gz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEGkHcZ1BfiaMwgotmr/513ehQjhIFAmDsmCgACgkQr/513ehQ
-jhJgLAf/WNPCzxImSpydiqCw0utxcDj/zcfufOU5tciVGP2Dg6O6+jf21Tl1IzE0
-dNDloUH6iyIOATWryirveaEIBEpz/8H66bOFEuw+eOY5mnMz+xsI879lvno7KsHj
-RsJjxSKjLktvOgOb+vYDciRS6Au3AaKCIPP0v5S3LEZtsHlDG6CwoWI7wEN9XN0r
-/VYo0HG0TIkY2eIfi6pqcr25JzOqTQH3NUW8VbqFWWC7h1XFEBpiftIvHZLrqblP
-CtHbkdRA8j6u5J285H4g/9Oj/7wtlDOXvkobGdM9MwS5jjKg0XBJJ3A6uHZ5GTX5
-/ppVxE/WCrZliqxpjP/+BHkaY3DMzA==
-=2Ag7
------END PGP SIGNATURE-----
diff --git a/sssd-2.6.0.tar.gz b/sssd-2.6.0.tar.gz
new file mode 100644
index 0000000..ce4ab4c
--- /dev/null
+++ b/sssd-2.6.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:675a37057249083827a86e3d55c9cfc202276b3bd97c135f6030cf74f8bc7de7
+size 7440969
diff --git a/sssd-2.6.0.tar.gz.asc b/sssd-2.6.0.tar.gz.asc
new file mode 100644
index 0000000..c1890ab
--- /dev/null
+++ b/sssd-2.6.0.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEGkHcZ1BfiaMwgotmr/513ehQjhIFAmFn/DAACgkQr/513ehQ
+jhJKNAf/fq4klam4kA3IB9qkENdFI9U8M0zlc+0zdF5HLlQDxy6IfxXXQiyr9M9v
+yoeyF6VuQOOe2zq3K3ujmx4EV7tQs75F/SB+FFq7AYf898Txxs3Xw5X17kx+Lamu
+A+JxePM6joiA4E2bF6Lbi4OL0Dj3GTeckghHyR/yFWZZakwc7kxpw37sNx9xDFDW
+XK9bB5rY+ZuGWIBgJ2eIGwf0X7RDWm+0cIXlhRbrnPcHEUKcRsgAcVoisO3YOqw9
+/SY5NxZWilNeN8FxKVBqnToQBDhrplNSBL/5Ttv1dxHNAIkEMXKVuKR9w3XzxWJM
+e3Xz16igUaHliuZoSM0/1axpdGWvAw==
+=jaIb
+-----END PGP SIGNATURE-----
diff --git a/sssd.changes b/sssd.changes
index 0dc0835..6dd66a1 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Oct 15 13:41:13 UTC 2021 - Jan Engelhardt
+
+- Update to release 2.6.0
+
 -------------------------------------------------------------------
 Mon Jul 12 19:45:37 UTC 2021 - Jan Engelhardt
diff --git a/sssd.spec b/sssd.spec
index 5065f17..28c4030 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package sssd
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 Name: sssd
-Version: 2.5.2
+Version: 2.6.0
 Release: 0
 Summary: System Security Services Daemon
 License: GPL-3.0-or-later and LGPL-3.0-or-later
@@ -29,25 +29,6 @@ Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%v
 Source3: baselibs.conf
 Source5: %name.keyring
 Patch1: krb-noversion.diff
-
-%define servicename sssd
-%define sssdstatedir %_localstatedir/lib/sss
-%define dbpath %sssdstatedir/db
-%define pipepath %sssdstatedir/pipes
-%define pubconfpath %sssdstatedir/pubconf
-%define gpocachepath %sssdstatedir/gpo_cache
-
-# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
-# /etc/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
-# * cifs-utils one is the default (priority 20)
-# * installing SSSD should NOT switch to SSSD plugin (priority 10)
-%define cifs_idmap_plugin %_sysconfdir/cifs-utils/idmap-plugin
-%define cifs_idmap_lib %_libdir/cifs-utils/cifs_idmap_sss.so
-%define cifs_idmap_name cifs-idmap-plugin
-%define cifs_idmap_priority 10
-Requires(post): update-alternatives
-Requires(postun): update-alternatives
-
 BuildRequires: autoconf >= 2.59
 BuildRequires: automake
 BuildRequires: bind-utils
@@ -83,6 +64,7 @@ BuildRequires: pkgconfig(libnl-3.0) >= 3.0 BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0 BuildRequires: pkgconfig(libpcre2-8) BuildRequires: pkgconfig(libsystemd) +BuildRequires: libunistring-devel BuildRequires: pkgconfig(ndr_krb5pac) BuildRequires: pkgconfig(ndr_nbt) BuildRequires: pkgconfig(p11-kit-1) >= 0.23.3 @@ -99,6 +81,24 @@ Provides: libsss_sudo = %version-%release Provides: sssd-client = %version-%release Obsoletes: libsss_sudo < %version-%release +%define servicename sssd +%define sssdstatedir %_localstatedir/lib/sss +%define dbpath %sssdstatedir/db +%define pipepath %sssdstatedir/pipes +%define pubconfpath %sssdstatedir/pubconf +%define gpocachepath %sssdstatedir/gpo_cache + +# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko +# /etc/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins +# * cifs-utils one is the default (priority 20) +# * installing SSSD should NOT switch to SSSD plugin (priority 10) +%define cifs_idmap_plugin %_sysconfdir/cifs-utils/idmap-plugin +%define cifs_idmap_lib %_libdir/cifs-utils/cifs_idmap_sss.so +%define cifs_idmap_name cifs-idmap-plugin +%define cifs_idmap_priority 10 +Requires(post): update-alternatives +Requires(postun): update-alternatives + %description Provides a set of daemons to manage access to remote directories and authentication mechanisms. It provides an NSS and PAM interface toward @@ -363,13 +363,10 @@ Security Services Daemon (sssd). %build export LDB_DIR="$(pkg-config ldb --variable=modulesdir)" - # help configure find nscd export PATH="$PATH:/usr/sbin" autoreconf -fiv -export CFLAGS="%optflags -fPIE" -export LDFLAGS="-pie" %configure \ --with-db-path="%dbpath" \ --with-pipe-path="%pipepath" \ 
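Review bot: Dropping `export CFLAGS="%optflags -fPIE"` and `export LDFLAGS="-pie"` in the %build hunk of PATCH 2/5 leaves position-independent executables for the sssd daemons dependent on the %optflags and toolchain default of every build target, and nothing in the commit shows that default was checked. Neither the subject nor the new sssd.changes entry mentions the removal. If the distribution default already yields PIE, record that next to %configure, e.g. `# PIE comes from the distribution toolchain default; no explicit -fPIE/-pie needed`; otherwise keep the two exports. A post-build check that `readelf -h` reports type `DYN` for the installed executables would catch a target where the default is missing. %build continues past the end of this hunk.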
@@ -393,16 +390,12 @@ export LDFLAGS="-pie" %install # sss_obfuscate is compatible with both python 2 and 3 -sed -i -e 's:%_bindir/python:%_bindir/python3:' src/tools/sss_obfuscate - +perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate %make_install b="%buildroot" -#for i in cs cs/man8 nl nl/man8 pt pt/man8 uk uk/man1 uk/man5 uk/man8; do -# mkdir -p "$b/%_mandir/$i" -#done # Copy some defaults -mkdir -p "$b/%_sysconfdir/sssd" "$b/%_sysconfdir/sssd/conf.d" +mkdir -pv "$b/%_sysconfdir/sssd" "$b/%_sysconfdir/sssd/conf.d" install -m600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf" install -d "$b/%_unitdir" install -d "$b/%_sysconfdir/logrotate.d" @@ -414,7 +407,7 @@ find "$b" -type f -name "*.la" -print -delete %find_lang %name --all-name # dummy target for cifs-idmap-plugin -mkdir -p %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils +mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin %check @@ -512,7 +505,6 @@ fi %_mandir/??/man5/sssd-ad.5* %_mandir/??/man5/sssd-files.5* %_mandir/??/man5/sssd-ldap-attributes.5* -%_mandir/??/man5/sssd-secrets.5* %_mandir/??/man5/sssd-session-recording.5* %_mandir/??/man5/sssd-simple.5* %_mandir/??/man5/sssd-sudo.5* @@ -577,7 +569,6 @@ fi %_datadir/%name/cfg_rules.ini %_datadir/%name/sssd.api.conf %dir %_datadir/%name/sssd.api.d/ -%_datadir/%name/sssd.api.d/sssd-local.conf %_datadir/%name/sssd.api.d/sssd-simple.conf %_datadir/%name/sssd.api.d/sssd-files.conf # @@ -590,6 +581,7 @@ fi %_libdir/%name/modules/sssd_krb5_localauth_plugin.so %_mandir/??/man8/sssd_krb5_locator_plugin.8* %_mandir/??/man8/pam_sss.8* +%_mandir/??/man8/pam_sss_gss.8* %_mandir/man8/pam_sss.8* %_mandir/man8/pam_sss_gss.8* %_mandir/man8/sssd_krb5_locator_plugin.8* 
@@ -641,7 +633,6 @@ fi
 %dir %_libexecdir/sssd/
 %_libexecdir/sssd/sssd_kcm
 %dir %_libdir/sssd/
-%_libdir/sssd/libsss_secrets.so
 %_mandir/man8/sssd-kcm.8*
 %_mandir/??/man8/sssd-kcm.8*
 %_datadir/sssd-kcm/
@@ -697,6 +688,7 @@ fi
 %_mandir/??/man8/sss_*.8*
 %_mandir/man8/sssctl.8*
 %_mandir/man8/sss_*.8*
+%python3_sitelib/sssd/
 %files winbind-idmap
 %_libdir/samba/
From 6cc34ba5b0dc5a2e67461140ecd5d0cd2f7f54e4005435043c26b6984bb1fb19 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Sat, 16 Oct 2021 11:09:53 +0000
Subject: [PATCH 3/5] sssd-2.6.0 changelog
OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=251
---
 sssd.changes | 8 ++++++++
 sssd.spec | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/sssd.changes b/sssd.changes
index 6dd66a1..e90d12d 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -2,6 +2,14 @@
 Fri Oct 15 13:41:13 UTC 2021 - Jan Engelhardt
 - Update to release 2.6.0
+ * Support of legacy json format for ccaches was dropped.
+ * Support of long time deprecated secrets responder was dropped.
+ * Support of long time deprecated local provider was dropped.
+ * The sssctl command was vulnerable to shell command injection
+ via the logs-fetch and cache-expire subcommands,
+ which was fixed.
+ * Basic support of user's 'subuid and subgid ranges' for IPA
+ provider and corresponding plugin for shadow-utils were added.
 -------------------------------------------------------------------
 Mon Jul 12 19:45:37 UTC 2021 - Jan Engelhardt
diff --git a/sssd.spec b/sssd.spec
index 28c4030..9de40a1 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -40,6 +40,7 @@ BuildRequires: krb5-devel >= 1.12
 BuildRequires: libcmocka-devel
 BuildRequires: libsmbclient-devel
 BuildRequires: libtool
+BuildRequires: libunistring-devel
 BuildRequires: libxml2-tools
 BuildRequires: libxslt-tools
 BuildRequires: nscd
@@ -64,7 +65,6 @@ BuildRequires: pkgconfig(libnl-3.0) >= 3.0
 BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0
 BuildRequires: pkgconfig(libpcre2-8)
 BuildRequires: pkgconfig(libsystemd)
-BuildRequires: libunistring-devel
 BuildRequires: pkgconfig(ndr_krb5pac)
 BuildRequires: pkgconfig(ndr_nbt)
 BuildRequires: pkgconfig(p11-kit-1) >= 0.23.3
From 3ee2d1b0f0e6e6f0a534208dfe02c9e9ac42704b8096459df5ffbd16233e0496 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Tue, 9 Nov 2021 16:12:49 +0000
Subject: [PATCH 4/5] - Update to release 2.6.1
OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=252
---
 sssd-2.6.0.tar.gz | 3 ---
 sssd-2.6.0.tar.gz.asc | 11 -----------
 sssd-2.6.1.tar.gz | 3 +++
 sssd-2.6.1.tar.gz.asc | 11 +++++++++++
 sssd.changes | 9 +++++++++
 sssd.spec | 2 +-
 6 files changed, 24 insertions(+), 15 deletions(-)
 delete mode 100644 sssd-2.6.0.tar.gz
 delete mode 100644 sssd-2.6.0.tar.gz.asc
 create mode 100644 sssd-2.6.1.tar.gz
 create mode 100644 sssd-2.6.1.tar.gz.asc
diff --git a/sssd-2.6.0.tar.gz b/sssd-2.6.0.tar.gz
deleted file mode 100644
index ce4ab4c..0000000
--- a/sssd-2.6.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:675a37057249083827a86e3d55c9cfc202276b3bd97c135f6030cf74f8bc7de7
-size 7440969
diff --git a/sssd-2.6.0.tar.gz.asc b/sssd-2.6.0.tar.gz.asc
deleted file mode 100644
index c1890ab..0000000
--- a/sssd-2.6.0.tar.gz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEGkHcZ1BfiaMwgotmr/513ehQjhIFAmFn/DAACgkQr/513ehQ
-jhJKNAf/fq4klam4kA3IB9qkENdFI9U8M0zlc+0zdF5HLlQDxy6IfxXXQiyr9M9v
-yoeyF6VuQOOe2zq3K3ujmx4EV7tQs75F/SB+FFq7AYf898Txxs3Xw5X17kx+Lamu
-A+JxePM6joiA4E2bF6Lbi4OL0Dj3GTeckghHyR/yFWZZakwc7kxpw37sNx9xDFDW
-XK9bB5rY+ZuGWIBgJ2eIGwf0X7RDWm+0cIXlhRbrnPcHEUKcRsgAcVoisO3YOqw9
-/SY5NxZWilNeN8FxKVBqnToQBDhrplNSBL/5Ttv1dxHNAIkEMXKVuKR9w3XzxWJM
-e3Xz16igUaHliuZoSM0/1axpdGWvAw==
-=jaIb
------END PGP SIGNATURE-----
diff --git a/sssd-2.6.1.tar.gz b/sssd-2.6.1.tar.gz
new file mode 100644
index 0000000..038ed1f
--- /dev/null
+++ b/sssd-2.6.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:81d41881d0d1f120717ea80e75daca357e40ccbd0d656eb9f99b5824d59e594d
+size 7454377
diff --git a/sssd-2.6.1.tar.gz.asc b/sssd-2.6.1.tar.gz.asc
new file mode 100644
index 0000000..15050d4
--- /dev/null
+++ b/sssd-2.6.1.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEGkHcZ1BfiaMwgotmr/513ehQjhIFAmGKkxIACgkQr/513ehQ
+jhIkZQgAiFmf+DwcwhY5Qirw7NDgm+6Pmn2uDlSiMfE7B5v/8x0PdnYrnXUGP/qq
+Y7G6txMYvvMPZU8qW0sGR2RDWQj7BavVx2tdkCwPcBBFAUkfgwrBoJ8du8NucK7i
+VF3jS8KlPfSXfqPPb6LD4V3ia2WhplqKh3q9ewNkpolTfdiayvtQcHkYeZEHb2qD
+WI9cICkWzUDpzvaGt3ENbIM+h1SLYv9R/mUlXUrNTZsU+14AhCaUu3PlOBbOhQyU
+cUT6XrwejhZVQIgPDd1FPOlrf2DIe0OMWd6KWVyvI8ULHnUPQ/s0svj39P3fnWTH
+EdetPb/xJWmDcej2+HsUXo2JTC3pIA==
+=jbK/
+-----END PGP SIGNATURE-----
diff --git a/sssd.changes b/sssd.changes
index e90d12d..d0ecbb7 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue Nov 9 15:35:58 UTC 2021 - Jan Engelhardt
+
+- Update to release 2.6.1
+ * New infopipe method FindByValidCertificate().
+ * The default value of the "ssh_hash_known_hosts" setting was
+ changed to false for the sake of consistency with OpenSSH
+ that does not hash host names by default.
+
 -------------------------------------------------------------------
 Fri Oct 15 13:41:13 UTC 2021 - Jan Engelhardt
diff --git a/sssd.spec b/sssd.spec
index 9de40a1..d3c46a4 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -17,7 +17,7 @@
 Name: sssd
-Version: 2.6.0
+Version: 2.6.1
 Release: 0
 Summary: System Security Services Daemon
 License: GPL-3.0-or-later and LGPL-3.0-or-later
From 46bf221fbf3684ccfa8202dc7825436083fd97f01383fbd97861e6d88f2d740f Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Thu, 25 Nov 2021 12:04:46 +0000
Subject: [PATCH 5/5] Accepting request 933479 from home:jsegitz:branches:systemdhardening:network:ldap Automatic systemd hardening effort by the security team. This has not been tested. For details please see https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
OBS-URL: https://build.opensuse.org/request/show/933479
OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=253
---
 harden_sssd-ifp.service.patch | 24 ++++++++++++++++++++++++
 harden_sssd-kcm.service.patch | 24 ++++++++++++++++++++++++
 sssd.changes | 7 +++++++
 sssd.spec | 2 ++
 4 files changed, 57 insertions(+)
 create mode 100644 harden_sssd-ifp.service.patch
 create mode 100644 harden_sssd-kcm.service.patch
diff --git a/harden_sssd-ifp.service.patch b/harden_sssd-ifp.service.patch
new file mode 100644
index 0000000..250a49f
--- /dev/null
+++ b/harden_sssd-ifp.service.patch
@@ -0,0 +1,24 @@
+Index: sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in
+===================================================================
+--- sssd-2.5.2.orig/src/sysv/systemd/sssd-ifp.service.in
++++ sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in
+@@ -5,6 +5,19 @@ After=sssd.service
+ BindsTo=sssd.service
+
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Environment=DEBUG_LOGGER=--logger=files
+ EnvironmentFile=-@environment_file@
+ Type=dbus
diff --git a/harden_sssd-kcm.service.patch b/harden_sssd-kcm.service.patch
new file mode 100644
index 0000000..183e0b0
--- /dev/null
+++ b/harden_sssd-kcm.service.patch
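Review bot: The sandboxing block added under [Service] in harden_sssd-ifp.service.patch (the block in harden_sssd-kcm.service.patch is identical) is shipped although the commit description says it "has not been tested", and its only comment is `# added automatically`, so nothing records that sssd-ifp still starts and serves requests under these directives. `ProtectSystem=full` leaves /var writable, which sssd presumably relies on for its state directory (`%_localstatedir/lib/sss` in the spec), so a later tightening to `strict` would need a matching `ReadWritePaths=`; stating that in the comment saves the next maintainer a breakage. Once a functional check has actually been done, extend the comment to say what was verified, and attach the `systemd-analyze security sssd-ifp.service` result to the request. The embedded unit hunk shows only part of sssd-ifp.service.in.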
@@ -0,0 +1,24 @@
+Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
+===================================================================
+--- sssd-2.5.2.orig/src/sysv/systemd/sssd-kcm.service.in
++++ sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
+@@ -8,6 +8,19 @@ After=sssd-kcm.socket
+ Also=sssd-kcm.socket
+
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Environment=DEBUG_LOGGER=--logger=files
+ ExecStartPre=-@sbindir@/sssd --genconf-section=kcm
+ ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}
diff --git a/sssd.changes b/sssd.changes
index d0ecbb7..c52be41 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Nov 23 16:11:48 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+ * harden_sssd-ifp.service.patch
+ * harden_sssd-kcm.service.patch
+
 -------------------------------------------------------------------
 Tue Nov 9 15:35:58 UTC 2021 - Jan Engelhardt
diff --git a/sssd.spec b/sssd.spec
index d3c46a4..63d8953 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -29,6 +29,8 @@ Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%v
 Source3: baselibs.conf
 Source5: %name.keyring
 Patch1: krb-noversion.diff
+Patch2: harden_sssd-ifp.service.patch
+Patch3: harden_sssd-kcm.service.patch
 BuildRequires: autoconf >= 2.59
 BuildRequires: automake
 BuildRequires: bind-utils
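Review bot: The kcm block restricts filesystem and kernel interfaces but leaves privileges untouched, although the `ExecStart` line kept as context in the same hunk starts sssd_kcm with `--uid 0 --gid 0`: there is no `NoNewPrivileges=`, `CapabilityBoundingSet=` or `RestrictAddressFamilies=`, so the credential-cache daemon keeps the full root capability set. Which of these sssd_kcm tolerates cannot be read from the hunk, so treat `NoNewPrivileges=true` and a reduced `CapabilityBoundingSet=` as candidates to test rather than drop-ins. The sandbox also applies to `ExecStartPre=-@sbindir@/sssd --genconf-section=kcm`, and the leading `-` makes systemd ignore a failure of that step, so a write blocked by the new directives would go unnoticed; check the journal for that command when testing.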
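Review bot: Nothing visible shows the two new hardening patches being applied: the sssd.spec hunk only declares `Patch2:` and `Patch3:`, and %prep is outside it. If %prep uses `%autosetup -p1` they are picked up automatically, but with an explicit `%patch` list each needs its own line, and a declared-but-unapplied patch would ship unhardened units while sssd.changes claims hardening (bsc#1181400). Both patch files also carry `sssd-2.5.2/` paths in their `Index:` and `---`/`+++` lines although Version is 2.6.1 at this point in the series; they still apply with `-p1`, but regenerating them against the current tree avoids confusion. A post-build grep for `ProtectSystem=` in the installed sssd-kcm.service and sssd-ifp.service would catch a silent miss.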