SHA256
1
0
forked from jengelh/sssd

Accepting request 634696 from network:ldap

- Update to new upstream release 2.0.0

OBS-URL: https://build.opensuse.org/request/show/634696
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=90
This commit is contained in:
Dominique Leuenberger 2018-09-26 12:53:01 +00:00 committed by Git OBS Bridge
commit fa91309b3b
10 changed files with 103 additions and 158 deletions

View File

@ -1,45 +0,0 @@
From 06193adc0de042484f672cadd0808c78c5ebb70e Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 15 Jun 2018 22:29:34 +0200
Subject: [PATCH] SUDO: Create the socket with stricter permissions
This patch switches the sudo responder from being created as a public
responder where the permissions are open and not checked by the sssd
deaamon to a private socket. In this case, sssd creates the pipes with
strict permissions (see the umask in the call to create_pipe_fd() in
set_unix_socket()) and additionaly checks the permissions with every read
via the tevent integrations (see accept_fd_handler()).
---
src/responder/sudo/sudosrv.c | 3 ++-
src/sysv/systemd/sssd-sudo.socket.in | 1 +
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
index ac4258710d3a9b48285522abd23bdd59ba42ad4e..e87a24499c2d82fafaa8e1f9b386e44332394266 100644
--- a/src/responder/sudo/sudosrv.c
+++ b/src/responder/sudo/sudosrv.c
@@ -79,7 +79,8 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
sudo_cmds = get_sudo_cmds();
ret = sss_process_init(mem_ctx, ev, cdb,
sudo_cmds,
- SSS_SUDO_SOCKET_NAME, -1, NULL, -1,
+ NULL, -1, /* No public socket */
+ SSS_SUDO_SOCKET_NAME, -1, /* Private socket only */
CONFDB_SUDO_CONF_ENTRY,
SSS_SUDO_SBUS_SERVICE_NAME,
SSS_SUDO_SBUS_SERVICE_VERSION,
diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in
index c9abb875f0accbaf58d78846020fef74c7473528..96a8b0327ddb4d331c9b2e97ece3453f8f76872d 100644
--- a/src/sysv/systemd/sssd-sudo.socket.in
+++ b/src/sysv/systemd/sssd-sudo.socket.in
@@ -11,6 +11,7 @@ ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r sudo
ListenStream=@pipepath@/sudo
SocketUser=@SSSD_USER@
SocketGroup=@SSSD_USER@
+SocketMode=0600
[Install]
WantedBy=sssd.service
--
2.14.3

View File

@ -1,44 +0,0 @@
From b34fcff0f8bccd7b827686b50c53f45b7e20bb44 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Tue, 12 Jun 2018 19:07:52 +0200
Subject: [PATCH] intg: Do not hardcode nsslibdir
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This change is needed in order to have make intgcheck-run properly
running on opensuse systems.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Chris Kowalczyk <ckowalczyk@suse.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/tests/intg/Makefile.am | 1 +
src/tests/intg/config.py.m4 | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index 9c5338261..4bd427669 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -73,6 +73,7 @@ cwrap-dbus-system.conf: data/cwrap-dbus-system.conf.in Makefile
config.py: config.py.m4
m4 -D "prefix=\`$(prefix)'" \
-D "sysconfdir=\`$(sysconfdir)'" \
+ -D "nsslibdir=\`$(nsslibdir)'" \
-D "dbpath=\`$(dbpath)'" \
-D "pidpath=\`$(pidpath)'" \
-D "logpath=\`$(logpath)'" \
diff --git a/src/tests/intg/config.py.m4 b/src/tests/intg/config.py.m4
index 6e011b692..04f78d869 100644
--- a/src/tests/intg/config.py.m4
+++ b/src/tests/intg/config.py.m4
@@ -4,7 +4,7 @@ Build configuration variables.
PREFIX = "prefix"
SYSCONFDIR = "sysconfdir"
-NSS_MODULE_DIR = PREFIX + "/lib"
+NSS_MODULE_DIR = "nsslibdir"
SSSDCONFDIR = SYSCONFDIR + "/sssd"
CONF_PATH = SSSDCONFDIR + "/sssd.conf"
DB_PATH = "dbpath"

View File

@ -1,13 +0,0 @@
diff --git a/Makefile.am b/Makefile.am
index 9539b3c..8e76a03 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -975,6 +975,7 @@ libsss_cert_la_LIBADD = \
$(TALLOC_LIBS) \
$(TEVENT_LIBS) \
libsss_crypt.la \
+ libsss_child.la \
libsss_debug.la \
libsss_certmap.la \
$(NULL)

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:fe5b1fcc5b4359631f7edf25f8940f3155de68e2f4ac7bfeb634687ccabc570c
size 6174144

View File

@ -1,6 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iEYEABECAAYFAlsa2S0ACgkQHsardTLnvCVhKwCgpCRZBHkAyqnRDaPwegBLv4Sh
fYQAoK05cAcmiKBdZWtsLRRZgUOS8X/8
=U4k5
-----END PGP SIGNATURE-----

3
sssd-2.0.0.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:77569d00dd516e7eba1bfcc2ae562647068d7d16e283e8b3fc4f1e03fc899586
size 6263376

10
sssd-2.0.0.tar.gz.asc Normal file
View File

@ -0,0 +1,10 @@
-----BEGIN PGP SIGNATURE-----
iQEcBAABAgAGBQJbcd4JAAoJEHDBRgYiUL36ZpUH/0R46OWssuYR7gVSoh1UWZdA
Gg/uPN5iSo0hq6mjU/w7inGb5GxTnbj8WQXo8466EUw98NDTTc7NMLScy83bsb1i
MIk4eXxm0c5lsRuIFCS+3qtakZtYyjDk+8v6BqRARFFPE9R4j8Cb1BOUurgoMDTg
IE75AP+QHTxdrPQ/xj4PQcdIZ6qimeztD1IJDrb7hValyMfqs9XHsamXsQwRrfEV
l0U3eUlsX0vegrQwEG8iOQt4v0cr9jMCahgSnvNZotqiyHUr5VLH901OSZzwPly6
8+BAp9mnNZ2lG5pqFEXOsI1kmQ5hnXDFu1OcIedkKHdBRMqNZC3ip0k8ow3fbAk=
=K92m
-----END PGP SIGNATURE-----

View File

@ -1,3 +1,60 @@
-------------------------------------------------------------------
Fri Sep 7 18:52:18 UTC 2018 - Jan Engelhardt <jengelh@inai.de>
- Update to new upstream release 2.0.0
* The Python API for managing users and groups in local domains
(id_provider=local) was removed completely. The local
provider (id_provider=local) and the command line tools to
manage users and groups in the local domains, such as
sss_useradd is not built anymore.
* The LDAP provider had a special-case branch for evaluating
group memberships with the RFC2307bis schema when group
nesting was explicitly disabled. This codepath is removed.
* The "ldap_sudo_include_regexp" option changed its default
value from true to false. Wildcards in the sudoHost LDAP
attribute are no longer evaluated. This was costly to
evaluate on the LDAP server side and at the same time rarely
used.
* The list of PAM services which are allowed to authenticate
using a Smart Card is now configurable using a new option
pam_p11_allowed_services.
-------------------------------------------------------------------
Fri Aug 31 07:14:39 UTC 2018 - kbabioch@suse.com
- Update to upstream release 1.16.3
* New Features:
* kdcinfo files for informing krb5 about discovered KDCs are
now also generated for trusted domains in setups that use
id_provider=ad and IPA masters in a trust relationship with
an AD domain.
* The Kerberlos locator plugin can now process multiple
address if SSSD generates more than one. A
* Bug fixes:
* Fixed information leak due to incorrect permissions on
/var/lib/sss/pipes/sudo [CVE-2018-10852, bsc#1098377]
* Cached password are now stored with a salt. Old ones will be
regenerated on next authentication, and the auth server needs
to be reachable for that.
* The sss_ssh proces leaked file descriptors when converting
more than one X.509 certificate to an SSH public key.
* The PAC responder is now able to process Domain Local in case
the PAC uses SID compression (Windows Server 2012+).
* Address the issue that some versions of OpenSSH would close
the pipe towards sss_ssh_authorizedkeys when the matching key
is found before the rest of the output is read.
* User lookups no longer fail if user's e-mail address
conflicts with another user's fully qualified name.
* The override_shell and override_homedir options are no longer
applied to entries from the files domain.
* The grace logins with an expired password when authenticating
against certain newer versions of the 389DS/RHDS LDAP server
did not work.
- Removed patches that are included upstream now:
0001-SUDO-Create-the-socket-with-stricter-permissions.patch,
0002-intg-Do-not-hardcode-nsslibdir.patch,
0003-Fix-build-for-1-16-2-version.patch
-------------------------------------------------------------------
Sun Jul 1 12:44:00 UTC 2018 - ckowalczyk@suse.com

View File

@ -1,34 +1,29 @@
pub 1024D/32E7BC25 2007-02-02
uid Jakub Hrozek <jhrozek@redhat.com>
sub 2048g/132DCA21 2007-02-02
pub 2048R/2250BDFA 2018-08-12 Jakub Hrozek <jhrozek@redhat.com>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.19 (GNU/Linux)
Version: SKS 1.1.6
Comment: Hostname: pgp.mit.edu
mQGiBEXDdfURBACLDLdnY7LeLJ7fh3HQWojKuMtJGV3tmTRtt58XnEf/FPJae0MU
XQDAKJM7MDYf0yDNT6Nq6WMQDAIHznFdGRTTSaD97kMeYO11i60FfZ9nM88XJCv0
R+OiWh8d7ChCG6riv/AUeNtg++casIQNB8xK9HKLFBS1e+q3b+rXTS9crwCg7FWX
qZoZrm4lPlBZQltfhzdmvn8D/3CyvgtW5hwr7w+ScQcYnBxdVCtMPSEo541Ealjg
q9Knn4sE9lnGjtG4RCYMT2Sideognk9Ah5nWOGynwta6cluCEqlF6ORJPKpAeqG1
a2zpn3iSPbUiyRF+udta9sbwL0hsJTcPTGzvDZO/XtMoHSSyPi/Xum6R+jwISv7n
TMQpA/0efY/Gy/SZrulBgQqKBMbaW2phvgRThph4n31IYrlSB6tAqN0G7VL6AFcs
iOJZPhu0TNqEOSYE6Mh5/YBwRPnrKMHZYXiKOeUrfjvURVq+l5dTX7KNtbnCrhS+
Rlgq1uin5L7g8QbAKMns32Mo1MxB5aN0YUL5pTbJuWL0Sb2Kb7QhSmFrdWIgSHJv
emVrIDxqaHJvemVrQHJlZGhhdC5jb20+iF8EExECACAFAkXDdfUCGwMGCwkIBwMC
BBUCCAMEFgIDAQIeAQIXgAAKCRAexqt1Mue8JSHBAKCjYF/HshYkJ8pSZTilLO0y
bMWOFwCYlOqF7icGVDFT42W3CoqLfgajCrkCDQRFw3YAEAgAuqo0FxH1XtdOi/qW
6v+tWdqYHLj/f0Voqj1cbpS+cODNTaX1/Xf4Jnv6vm4lOG5gIkqD1e5UCpG5pDJv
MkrpY0lYRr5RGoC29tHZYXfEBVEkdhuU7ZTSQRaoitK5TSwjOj5aKvFSHEjMrCWc
GSUajECQkRHwZb3HK2wqqBWrJjjjPtj+5cQg+sKp7Zp6xU3iZlMoVfdYi/zGenum
Cp5SMm8CZZ5gcsNZhjItkTww5K//N6Kz41oMYyHlgh029JD0LHPgKacP3KeEEDzS
DEx/SSEF4zD/EfLDHehga/n0ZisNmxdxue/BI2Lm7qqGNDtV+qa17pIJ6fPfafbS
AKYatwAECwf/SuMkZN36UDsoOn06qIrYi5JBss3sOfheJEnqUIEO0JCpyb+fqisd
qoTJM0G5gFpCvuZOACpzzVv0WjhlMIyPl/7UuP4KYI6LGqAARqNxsHT7FNxT0Uv6
QR8fGPQqVdFLFBd66EBL9PnOt3RDYwtJlD9cMNUNpzWEXjJ3RCk0lZF2eljpPlu0
Or53OuiommnhmcmjxR5gvMf4pLqURhEZ2U0ylRiTiTIk0YyIASsDnAf0BClFXz4i
4qSD6jJloKorRC7Mu87xi1DG4ML+FYC/2d53I8OqHBRhtNUt/GbcthsHDxFq5iVp
NxwDAX1vr65PWv98pvTMnJmjIDhfgwJMdIhJBBgRAgAJBQJFw3YAAhsMAAoJEB7G
q3Uy57wllOcAoKkHB3lDFWlUNcSLdRCQxfsCCy7zAJ9GLSU2G0HR+hQVMi2ONorE
i/EyTA==
=nO6v
mQENBFtwK6cBCADYyh4mnEJ7DTKIHsONfEYBJM+OTaRG4DeRIyApnEjxxTLugUBUBUQ/lDAI
BPDqoB661AAj0b0G2aI6JHlZaxE+npHtxKzulJHPfLs7IbIi7xdHutT3CKEBSKkKabSwgKWz
wd1B91HXBttAzGKBBPxTE63UeZKSAlpvuO69K9WM5J1qZmkEiwxtJssLoyeZjFiOVK4aRq8F
qm2O8n56Kz0r8TEkb3bNLr1N1Uq3KlAklX3run0uInjjZAw0V3rTBMHBrE/wsjccnBYp5eDE
6Ff8NxhD28BqIPQp6NMjsZPVJODo03HdN+y7p+p/ca3XV8X7hG2eF0SNGkuhb7I1D+KPABEB
AAG0IUpha3ViIEhyb3playA8amhyb3pla0ByZWRoYXQuY29tPokBOAQTAQIAIgUCW3ArpwIb
AwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQcMFGBiJQvfop3AgAtSyZmkDq5mZm0aw2
IPboKXLlbaihofsOEewvkc6BjaDNgrSZKwBrdlFv5SVYvue7e/Jl985/bAqbSyM+LWdk77of
/SVfGQJAWya+nmQegP2GQm9FNFdTcOHpUGUJbxEw0uLOo7r1RDnp7GdwmprzF8XMptI5mRWS
pxo3c9oFZ8Y1HI2Uz8jyvMN4DD/X9HGNvxGeLv7D3Jz3oDy3O5kLpqH6rDQOiVSCUdw3mjZc
iqT3QLcT8PZo49/20NqcTgRekWc4mZIuUrqABlzDNzPAr28is2dZ7k0cyOM6p/o7nU6TdDdT
h7fdRfUp4GWVsXng7r6TKIYqMbKjbnsdi85qm7kBDQRbcCunAQgAzsipKSdm6+/T0Lms24vK
2j4xxeBn/CfIAu0HGdeJxUhumSLW5pb8/QjxDp6ooDnxODbagSTYlBb5DQIVu4OkRPspdtPs
qI6ZX92NdeIHbSTAHyj1M7me9TZ/Y1CqcvxYRnjLbI4CH9Kvi5BuMLMk+MirRjDivJgph1Gr
rwL7NwLXMWX1bm/252ytal4Fw4ZN0CnDmwCCu2TxWvwfYxtNZ5XgDW5qY62594+nPoCmZR+F
8UuDlRS2tnKC7nyiWilb4+6iNbKL7yWqZt/l0WChIRAbxBzTR4uxk5Mfe3yhhujEgid3PZwK
OE67YQ5qaYfUOIaWs8nlgf19twL1hfKggwARAQABiQEfBBgBAgAJBQJbcCunAhsMAAoJEHDB
RgYiUL36HYwH/1j8b6ZMymcxe3DLvcXy7PJWJL5Tn2xhHaUlWONcXYY922gDH+qk12SjHDES
sEXGU/4nt9ktoiFeRX4KiFHi84znHBF3PqacriMApCueX/HZHOL45VxoUNEqYK33t8MfPsXc
qaJa2FQznHaSgpMP27DmsJYlANEcMeDEM4jZKYc9L7l7Jz8WlsyYHR8aqfu4NLXXSsUSUNyQ
PfiUH91djow08X65Rwv+sAABDGQH66oPf45UWIwn54K7iigK+s2j60H68mqYymb1CerDrw6b
4K3BCsHqalllAeLCsTqn6nVsHF7V6I99dSG3Ij6DK/AYsuWjrJZ1AMpNHgU63CtybUo=
=uiHO
-----END PGP PUBLIC KEY BLOCK-----

View File

@ -1,7 +1,7 @@
#
# spec file for package sssd
#
# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -17,7 +17,7 @@
Name: sssd
Version: 1.16.2
Version: 2.0.0
Release: 0
Summary: System Security Services Daemon
License: GPL-3.0+ and LGPL-3.0+
@ -31,9 +31,6 @@ Source3: baselibs.conf
Source4: sssd.service
Source5: %name.keyring
BuildRoot: %_tmppath/%name-%version-build
Patch1: 0001-SUDO-Create-the-socket-with-stricter-permissions.patch
Patch2: 0002-intg-Do-not-hardcode-nsslibdir.patch
Patch3: 0003-Fix-build-for-1-16-2-version.patch
%define servicename sssd
%define sssdstatedir %_localstatedir/lib/sss
@ -62,6 +59,8 @@ BuildRequires: libcmocka-devel
BuildRequires: nss_wrapper
BuildRequires: uid_wrapper
BuildRequires: check-devel
BuildRequires: python
BuildRequires: python-xml
BuildRequires: pkgconfig(augeas) >= 1.0.0
BuildRequires: pkgconfig(collection) >= 0.5.1
BuildRequires: pkgconfig(dbus-1) >= 1.0.0
@ -367,9 +366,6 @@ Security Services Daemon (sssd).
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%build
%if 0%{?suse_version} < 1210
@ -483,7 +479,6 @@ rm -f /var/lib/sss/db/*.ldb
%dir %_mandir/??/
%dir %_mandir/??/man[158]/
%_mandir/??/man1/sss_ssh_*
%_mandir/??/man5/sssd-simple.5*
%_mandir/??/man5/sssd-sudo.5*
%_mandir/??/man8/sssd.8*
%_mandir/??/man5/sss-certmap.5.gz
@ -507,12 +502,15 @@ rm -f /var/lib/sss/db/*.ldb
%_mandir/man8/sssd.8*
%dir %_libdir/%name/
%_libdir/%name/conf/
%_libdir/%name/libifp_iface*
%_libdir/%name/libsss_child*
%_libdir/%name/libsss_cert*
%_libdir/%name/libsss_crypt*
%_libdir/%name/libsss_debug*
%_libdir/%name/libsss_files*
%_libdir/%name/libsss_iface*
%_libdir/%name/libsss_semanage*
%_libdir/%name/libsss_sbus*
%_libdir/%name/libsss_simple*
%_libdir/%name/libsss_util*
%dir %_libdir/%name/modules/
@ -644,16 +642,9 @@ rm -f /var/lib/sss/db/*.ldb
%defattr(-,root,root)
%_sbindir/sss_cache
%_sbindir/sss_debuglevel
%_sbindir/sss_groupadd
%_sbindir/sss_groupdel
%_sbindir/sss_groupmod
%_sbindir/sss_groupshow
%_sbindir/sss_seed
%_sbindir/sss_obfuscate
%_sbindir/sss_override
%_sbindir/sss_useradd
%_sbindir/sss_userdel
%_sbindir/sss_usermod
%dir %_mandir/??/man8/
%_mandir/??/man8/sss_*.8*
%_mandir/man8/sss_*.8*