mhurron/sssd
SHA256
1
0
Fork 0
forked from jengelh/sssd
Code Pull Requests Activity

Accepting request 933746 from network:ldap

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/933746
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=112
This commit is contained in:
Dominique Leuenberger 2021-12-02 21:30:00 +00:00 committed by Git OBS Bridge
commit cf3e4ada6d
8 changed files with 120 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
harden_sssd-ifp.service.patch Normal file
View File

@ -0,0 +1,24 @@
Index: sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in
===================================================================
--- sssd-2.5.2.orig/src/sysv/systemd/sssd-ifp.service.in
+++ sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in
@@ -5,6 +5,19 @@ After=sssd.service
BindsTo=sssd.service
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Environment=DEBUG_LOGGER=--logger=files
EnvironmentFile=-@environment_file@
Type=dbus

24
harden_sssd-kcm.service.patch Normal file
View File

@ -0,0 +1,24 @@
Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
===================================================================
--- sssd-2.5.2.orig/src/sysv/systemd/sssd-kcm.service.in
+++ sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
@@ -8,6 +8,19 @@ After=sssd-kcm.socket
Also=sssd-kcm.socket
[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
Environment=DEBUG_LOGGER=--logger=files
ExecStartPre=-@sbindir@/sssd --genconf-section=kcm
ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}

3
sssd-2.5.2.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5e21b3c7b4a2f1063d0fbdd3216d29886b6eaba153b44fb5961698367f399a0f
size 7579208

11
sssd-2.5.2.tar.gz.asc
View File

@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCAAdFiEEGkHcZ1BfiaMwgotmr/513ehQjhIFAmDsmCgACgkQr/513ehQ
jhJgLAf/WNPCzxImSpydiqCw0utxcDj/zcfufOU5tciVGP2Dg6O6+jf21Tl1IzE0
dNDloUH6iyIOATWryirveaEIBEpz/8H66bOFEuw+eOY5mnMz+xsI879lvno7KsHj
RsJjxSKjLktvOgOb+vYDciRS6Au3AaKCIPP0v5S3LEZtsHlDG6CwoWI7wEN9XN0r
/VYo0HG0TIkY2eIfi6pqcr25JzOqTQH3NUW8VbqFWWC7h1XFEBpiftIvHZLrqblP
CtHbkdRA8j6u5J285H4g/9Oj/7wtlDOXvkobGdM9MwS5jjKg0XBJJ3A6uHZ5GTX5
/ppVxE/WCrZliqxpjP/+BHkaY3DMzA==
=2Ag7
-----END PGP SIGNATURE-----

3
sssd-2.6.1.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:81d41881d0d1f120717ea80e75daca357e40ccbd0d656eb9f99b5824d59e594d
size 7454377

11
sssd-2.6.1.tar.gz.asc Normal file
View File

@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCAAdFiEEGkHcZ1BfiaMwgotmr/513ehQjhIFAmGKkxIACgkQr/513ehQ
jhIkZQgAiFmf+DwcwhY5Qirw7NDgm+6Pmn2uDlSiMfE7B5v/8x0PdnYrnXUGP/qq
Y7G6txMYvvMPZU8qW0sGR2RDWQj7BavVx2tdkCwPcBBFAUkfgwrBoJ8du8NucK7i
VF3jS8KlPfSXfqPPb6LD4V3ia2WhplqKh3q9ewNkpolTfdiayvtQcHkYeZEHb2qD
WI9cICkWzUDpzvaGt3ENbIM+h1SLYv9R/mUlXUrNTZsU+14AhCaUu3PlOBbOhQyU
cUT6XrwejhZVQIgPDd1FPOlrf2DIe0OMWd6KWVyvI8ULHnUPQ/s0svj39P3fnWTH
EdetPb/xJWmDcej2+HsUXo2JTC3pIA==
=jbK/
-----END PGP SIGNATURE-----

29
sssd.changes
View File

@ -1,3 +1,32 @@
-------------------------------------------------------------------
Tue Nov 23 16:11:48 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
* harden_sssd-ifp.service.patch
* harden_sssd-kcm.service.patch
-------------------------------------------------------------------
Tue Nov 9 15:35:58 UTC 2021 - Jan Engelhardt <jengelh@inai.de>
- Update to release 2.6.1
* New infopipe method FindByValidCertificate().
* The default value of the "ssh_hash_known_hosts" setting was
changed to false for the sake of consistency with OpenSSH
that does not hash host names by default.
-------------------------------------------------------------------
Fri Oct 15 13:41:13 UTC 2021 - Jan Engelhardt <jengelh@inai.de>
- Update to release 2.6.0
* Support of legacy json format for ccaches was dropped.
* Support of long time deprecated secrets responder was dropped.
* Support of long time deprecated local provider was dropped.
* The sssctl command was vulnerable to shell command injection
via the logs-fetch and cache-expire subcommands,
which was fixed.
* Basic support of user's 'subuid and subgid ranges' for IPA
provider and corresponding plugin for shadow-utils were added.
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Jul 12 19:45:37 UTC 2021 - Jan Engelhardt <jengelh@inai.de> Mon Jul 12 19:45:37 UTC 2021 - Jan Engelhardt <jengelh@inai.de>

65
sssd.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package sssd # spec file for package sssd
# #
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2021 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -17,7 +17,7 @@
Name: sssd Name: sssd
Version: 2.5.2 Version: 2.6.1
Release: 0 Release: 0
Summary: System Security Services Daemon Summary: System Security Services Daemon
License: GPL-3.0-or-later and LGPL-3.0-or-later License: GPL-3.0-or-later and LGPL-3.0-or-later
@ -29,25 +29,8 @@ Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%v
Source3: baselibs.conf Source3: baselibs.conf
Source5: %name.keyring Source5: %name.keyring
Patch1: krb-noversion.diff Patch1: krb-noversion.diff
Patch2: harden_sssd-ifp.service.patch
%define servicename sssd Patch3: harden_sssd-kcm.service.patch
%define sssdstatedir %_localstatedir/lib/sss
%define dbpath %sssdstatedir/db
%define pipepath %sssdstatedir/pipes
%define pubconfpath %sssdstatedir/pubconf
%define gpocachepath %sssdstatedir/gpo_cache
# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
# /etc/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
# * cifs-utils one is the default (priority 20)
# * installing SSSD should NOT switch to SSSD plugin (priority 10)
%define cifs_idmap_plugin %_sysconfdir/cifs-utils/idmap-plugin
%define cifs_idmap_lib %_libdir/cifs-utils/cifs_idmap_sss.so
%define cifs_idmap_name cifs-idmap-plugin
%define cifs_idmap_priority 10
Requires(post): update-alternatives
Requires(postun): update-alternatives
BuildRequires: autoconf >= 2.59 BuildRequires: autoconf >= 2.59
BuildRequires: automake BuildRequires: automake
BuildRequires: bind-utils BuildRequires: bind-utils
@ -59,6 +42,7 @@ BuildRequires: krb5-devel >= 1.12
BuildRequires: libcmocka-devel BuildRequires: libcmocka-devel
BuildRequires: libsmbclient-devel BuildRequires: libsmbclient-devel
BuildRequires: libtool BuildRequires: libtool
BuildRequires: libunistring-devel
BuildRequires: libxml2-tools BuildRequires: libxml2-tools
BuildRequires: libxslt-tools BuildRequires: libxslt-tools
BuildRequires: nscd BuildRequires: nscd
@ -81,7 +65,7 @@ BuildRequires: pkgconfig(libcrypto)
BuildRequires: pkgconfig(libnfsidmap) BuildRequires: pkgconfig(libnfsidmap)
BuildRequires: pkgconfig(libnl-3.0) >= 3.0 BuildRequires: pkgconfig(libnl-3.0) >= 3.0
BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0 BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0
BuildRequires: pkgconfig(libpcre) >= 7 BuildRequires: pkgconfig(libpcre2-8)
BuildRequires: pkgconfig(libsystemd) BuildRequires: pkgconfig(libsystemd)
BuildRequires: pkgconfig(ndr_krb5pac) BuildRequires: pkgconfig(ndr_krb5pac)
BuildRequires: pkgconfig(ndr_nbt) BuildRequires: pkgconfig(ndr_nbt)
@ -99,6 +83,24 @@ Provides: libsss_sudo = %version-%release
Provides: sssd-client = %version-%release Provides: sssd-client = %version-%release
Obsoletes: libsss_sudo < %version-%release Obsoletes: libsss_sudo < %version-%release
%define servicename sssd
%define sssdstatedir %_localstatedir/lib/sss
%define dbpath %sssdstatedir/db
%define pipepath %sssdstatedir/pipes
%define pubconfpath %sssdstatedir/pubconf
%define gpocachepath %sssdstatedir/gpo_cache
# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
# /etc/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
# * cifs-utils one is the default (priority 20)
# * installing SSSD should NOT switch to SSSD plugin (priority 10)
%define cifs_idmap_plugin %_sysconfdir/cifs-utils/idmap-plugin
%define cifs_idmap_lib %_libdir/cifs-utils/cifs_idmap_sss.so
%define cifs_idmap_name cifs-idmap-plugin
%define cifs_idmap_priority 10
Requires(post): update-alternatives
Requires(postun): update-alternatives
%description %description
Provides a set of daemons to manage access to remote directories and Provides a set of daemons to manage access to remote directories and
authentication mechanisms. It provides an NSS and PAM interface toward authentication mechanisms. It provides an NSS and PAM interface toward
@ -363,15 +365,11 @@ Security Services Daemon (sssd).
%build %build
export LDB_DIR="$(pkg-config ldb --variable=modulesdir)" export LDB_DIR="$(pkg-config ldb --variable=modulesdir)"
# help configure find nscd # help configure find nscd
export PATH="$PATH:/usr/sbin" export PATH="$PATH:/usr/sbin"
autoreconf -fiv autoreconf -fiv
export CFLAGS="%optflags -fPIE"
export LDFLAGS="-pie"
%configure \ %configure \
--with-crypto=libcrypto \
--with-db-path="%dbpath" \ --with-db-path="%dbpath" \
--with-pipe-path="%pipepath" \ --with-pipe-path="%pipepath" \
--with-pubconf-path="%pubconfpath" \ --with-pubconf-path="%pubconfpath" \
@ -394,16 +392,12 @@ export LDFLAGS="-pie"
%install %install
# sss_obfuscate is compatible with both python 2 and 3 # sss_obfuscate is compatible with both python 2 and 3
sed -i -e 's:%_bindir/python:%_bindir/python3:' src/tools/sss_obfuscate perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate
%make_install %make_install
b="%buildroot" b="%buildroot"
#for i in cs cs/man8 nl nl/man8 pt pt/man8 uk uk/man1 uk/man5 uk/man8; do
# mkdir -p "$b/%_mandir/$i"
#done
# Copy some defaults # Copy some defaults
mkdir -p "$b/%_sysconfdir/sssd" "$b/%_sysconfdir/sssd/conf.d" mkdir -pv "$b/%_sysconfdir/sssd" "$b/%_sysconfdir/sssd/conf.d"
install -m600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf" install -m600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf"
install -d "$b/%_unitdir" install -d "$b/%_unitdir"
install -d "$b/%_sysconfdir/logrotate.d" install -d "$b/%_sysconfdir/logrotate.d"
@ -415,7 +409,7 @@ find "$b" -type f -name "*.la" -print -delete
%find_lang %name --all-name %find_lang %name --all-name
# dummy target for cifs-idmap-plugin # dummy target for cifs-idmap-plugin
mkdir -p %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils
ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin
%check %check
@ -513,7 +507,6 @@ fi
%_mandir/??/man5/sssd-ad.5* %_mandir/??/man5/sssd-ad.5*
%_mandir/??/man5/sssd-files.5* %_mandir/??/man5/sssd-files.5*
%_mandir/??/man5/sssd-ldap-attributes.5* %_mandir/??/man5/sssd-ldap-attributes.5*
%_mandir/??/man5/sssd-secrets.5*
%_mandir/??/man5/sssd-session-recording.5* %_mandir/??/man5/sssd-session-recording.5*
%_mandir/??/man5/sssd-simple.5* %_mandir/??/man5/sssd-simple.5*
%_mandir/??/man5/sssd-sudo.5* %_mandir/??/man5/sssd-sudo.5*
@ -578,7 +571,6 @@ fi
%_datadir/%name/cfg_rules.ini %_datadir/%name/cfg_rules.ini
%_datadir/%name/sssd.api.conf %_datadir/%name/sssd.api.conf
%dir %_datadir/%name/sssd.api.d/ %dir %_datadir/%name/sssd.api.d/
%_datadir/%name/sssd.api.d/sssd-local.conf
%_datadir/%name/sssd.api.d/sssd-simple.conf %_datadir/%name/sssd.api.d/sssd-simple.conf
%_datadir/%name/sssd.api.d/sssd-files.conf %_datadir/%name/sssd.api.d/sssd-files.conf
# #
@ -591,6 +583,7 @@ fi
%_libdir/%name/modules/sssd_krb5_localauth_plugin.so %_libdir/%name/modules/sssd_krb5_localauth_plugin.so
%_mandir/??/man8/sssd_krb5_locator_plugin.8* %_mandir/??/man8/sssd_krb5_locator_plugin.8*
%_mandir/??/man8/pam_sss.8* %_mandir/??/man8/pam_sss.8*
%_mandir/??/man8/pam_sss_gss.8*
%_mandir/man8/pam_sss.8* %_mandir/man8/pam_sss.8*
%_mandir/man8/pam_sss_gss.8* %_mandir/man8/pam_sss_gss.8*
%_mandir/man8/sssd_krb5_locator_plugin.8* %_mandir/man8/sssd_krb5_locator_plugin.8*
@ -642,7 +635,6 @@ fi
%dir %_libexecdir/sssd/ %dir %_libexecdir/sssd/
%_libexecdir/sssd/sssd_kcm %_libexecdir/sssd/sssd_kcm
%dir %_libdir/sssd/ %dir %_libdir/sssd/
%_libdir/sssd/libsss_secrets.so
%_mandir/man8/sssd-kcm.8* %_mandir/man8/sssd-kcm.8*
%_mandir/??/man8/sssd-kcm.8* %_mandir/??/man8/sssd-kcm.8*
%_datadir/sssd-kcm/ %_datadir/sssd-kcm/
@ -698,6 +690,7 @@ fi
%_mandir/??/man8/sss_*.8* %_mandir/??/man8/sss_*.8*
%_mandir/man8/sssctl.8* %_mandir/man8/sssctl.8*
%_mandir/man8/sss_*.8* %_mandir/man8/sss_*.8*
%python3_sitelib/sssd/
%files winbind-idmap %files winbind-idmap
%_libdir/samba/ %_libdir/samba/