Add note about unprivileged mode security review

0001-Configuration-make-sure-etc-sssd-and-everything.patch is
added ahead of the stack because it is an upstream-accepted patch.
harden_sssd-kcm.service.patch then needs a refresh for reasons of
fuzz 2.

harden_sssd-kcm.service.patch

@@ -1,7 +1,11 @@
-Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
+---
+ src/sysv/systemd/sssd-kcm.service.in |   13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
 ===================================================================
---- sssd-2.5.2.orig/src/sysv/systemd/sssd-kcm.service.in
-+++ sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
+--- sssd-2.10.0.orig/src/sysv/systemd/sssd-kcm.service.in
++++ sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
 @@ -8,6 +8,19 @@ After=sssd-kcm.socket
  Also=sssd-kcm.socket
  
@@ -20,5 +24,5 @@ Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
 +RestrictRealtime=true
 +# end of automatic additions 
  Environment=DEBUG_LOGGER=--logger=files
- ExecStartPre=-@sbindir@/sssd --genconf-section=kcm
- ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}
+ ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
+ ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@

sssd-2.10.1.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmdYSb4ACgkQ09IbKRDP
+Z1kRyRAAmkKhCUcBs4h2mDg7uzz7DfYFkHXEiY8EMoVP5Iw6ZsNL/V9fwF9xhj49
+XbnCfxj2zFfVWZd5VYnTpl86Hg3NrxuPehgM+iMAXS6U/55TvRPunCtTiRwoTZ4t
+zSgiBaSg3I2hmSN2cnSU8PpilEDCIeSP3uafmGXI1KUxEQltVbp0EeJ5CL5GP3xU
+rFgI1pKdTySlw6jZ3vjkAaHwdsJGB0MKtjiBJYtqvHmIzbUdSNN/iE5Wf5xsdtez
+KKLUrnKeQFuNyYWpjipJvbs7i9+E5VKFvCfrqFb6vQbp+Rgd98epVjp2VKovNy8p
+gZQmgfbi5GCWKuBx+dbaRSFa8hWemEwnBNboV6JKq4+CoPsMkI367utZV5gd58V5
+RHgLsrZfjahAXgG4ytwPhgKDV+sX+sSn4aXIdaSgc+vP7+ykLMxyzyR2GXyG+y11
+WrnovdR0HywHfzvlUnKQmcLUjCkXKVwIMw0oBRa8+YLTD08EeYgu+oXXDpGD0oL1
+YJLLBdr6ycR9Rk/sUqbZgEnzQZPYXazIraUrd71Ry8CaNvqi86Of7sX6SgSQQeg/
+ZPLNcPWPadG/9jpMNJNsXXEZicNJXznQczlXKvRXINOJzknJYwwgH+/55otbzNzq
+EjlOmFEn07bGAHCsHTfydlCeYqD9x+WV/X8CReMFjcaaBH4TDms=
+=S0c5
+-----END PGP SIGNATURE-----

sssd-2.9.5.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmZF8CMACgkQ09IbKRDP
-Z1lSVQ/9EPVvWUX1z/pHfbvDjRpfD+LDbDceYB4YBh0caYpMVFm/2wHhFIjTYEpf
-SmIR+SQp50NkRSK6tE/u+Swu+YUkiCqnEWv2y9wd4Uh2NKiukyiqBC1k2cn9URNu
-oRreBM1KIRvTkdoyZwteELJ7vMLVr0UT2iIXZQFIIZX+LM3FNZJ5vFcj5fF0Hz1f
-v8zR0VTB7xY/6U+4KikvMyM3fOPeTOJvEtMp4xDWyquRjCADjZasOQcKRQzXp1er
-zs/qLcQ8eCODXhKelGqmppVIElW+72f1FNbMpBnlQ7VtFn6pn4sPazO0Hr7eNfZJ
-Vc6GXN8zZ/oF5U4x7XSMVqeOHLQoLeb2HxgUzS+1Ig19FHOs6Xoj0dO5l/TOEFav
-l61qytYnj3DNZjrMVLsMvOx3qGYK7PmyaWNoIJlLO2GbWKMP/8yBm35Ugd0jybSi
-T7VWX+isQHfVhSZ9wD4/yYOBAU3lABORAjXkCWQp/vMR/KiHbfaajCAbl56KiijQ
-eKYaq57EH3N+qKd1sqCrPfSw3HSqm3rngG1CsMasBQgLFs2aW+Mwo3UvQ1U/ykED
-mOo2D9uhOQluv4AUSpKK6E8EXoPSxDFZI4WX37depO2VGXDO90JNfVamJXjy1+bH
-d/RnoZfC7h7Vb1P1bPgGdsAFQBOP0FinbEjehpw0P0U2xAZQWek=
-=pY7t
------END PGP SIGNATURE-----

sssd.changes

@@ -1,3 +1,65 @@
+-------------------------------------------------------------------
+Tue Dec 10 20:17:10 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to release 2.10.1
+  * SSSD does not create anymore missing path components of
+    DIR:/FILE: ccache types while acquiring user's TGT. The
+    parent directory of requested ccache directory must exist and
+    the user trying to log in must have rwx access to this
+    directory. This matches behavior of /usr/bin/kinit.
+  * The option default_domain_suffix is deprecated.
+- Delete 0001-Configuration-make-sure-etc-sssd-and-everything.patch,
+  0001-INI-relax-config-files-checks.patch,
+  0001-INI-stop-using-libini_config-for-access-check.patch,
+  0001-sssd-always-print-path-when-config-object-is-rejecte.patch
+  (merged)
+
+-------------------------------------------------------------------
+Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to release 2.10.0
+  * The ``sssctl cache-upgrade`` command was removed. SSSD
+    performs automatic upgrades at startup when needed.
+  * Support of ``enumeration`` feature (i.e. ability to list all
+    users/groups using ``getent passwd/group`` without argument)
+    for AD/IPA providers is deprecated and might be removed in
+    further releases.
+  * The new tool ``sss_ssh_knownhosts`` can be used with ssh's
+    ``KnownHostsCommand`` configuration option to retrieve the
+    host's public keys from a remote server (FreeIPA, LDAP,
+    etc.). It replaces ```sss_ssh_knownhostsproxy``.
+  * The default value for ``ldap_id_use_start_tls`` changed from
+    false to true for improved security.
+  * https://github.com/SSSD/sssd/releases/tag/2.10.0
+- Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch,
+  0001-INI-stop-using-libini_config-for-access-check.patch,
+  0001-INI-relax-config-files-checks.patch,
+  0001-Configuration-make-sure-etc-sssd-and-everything.patch
+- Fix socket activation of responders
+- Daemon runs now as unprivileged user 'sssd'
+
+-------------------------------------------------------------------
+Tue Oct  1 10:15:07 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
+
+- Update filelists involving memberof.so and idmap/sss.so to
+  avoid gobbling up one file into multiple sssd subpackages.
+  (Between samba-4.20 and 4.21, %ldbdir changes from
+  /usr/lib64/ldb2/modules/ldb to /usr/lib64/samba/ldb, so now
+  `%_libdir/samba` is a bit too broad.)
+
+-------------------------------------------------------------------
+Wed Jul 17 09:19:20 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
+
+- Fix spec file for openSUSE ALP and SUSE SLFO, where the
+  python3_fix_shebang_path RPM macro is not available
+
+-------------------------------------------------------------------
+Thu Jul 11 09:41:21 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
+
+- Revert the change dropping the default configuration file. If
+  /usr/etc exists will be installed there, otherwise in /etc.
+  (bsc#1226157);
+
 -------------------------------------------------------------------
 Thu May 16 12:13:02 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
 

sssd.spec

@@ -17,7 +17,7 @@
 
 
 Name:           sssd
-Version:        2.9.5
+Version:        2.10.1
 Release:        0
 Summary:        System Security Services Daemon
 License:        GPL-3.0-or-later AND LGPL-3.0-or-later
@@ -28,10 +28,10 @@ Source:         https://github.com/SSSD/sssd/releases/download/%version/%name-%v
 Source2:        https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc
 Source3:        baselibs.conf
 Source5:        %name.keyring
-Patch1:         krb-noversion.diff
-Patch2:         harden_sssd-ifp.service.patch
-Patch3:         harden_sssd-kcm.service.patch
-Patch4:         symvers.patch
+Patch11:        krb-noversion.diff
+Patch12:        harden_sssd-ifp.service.patch
+Patch13:        harden_sssd-kcm.service.patch
+Patch14:        symvers.patch
 BuildRequires:  autoconf >= 2.59
 BuildRequires:  automake
 BuildRequires:  bind-utils
@@ -53,21 +53,26 @@ BuildRequires:  nss_wrapper
 BuildRequires:  openldap2-devel
 BuildRequires:  pam-devel
 BuildRequires:  pkg-config >= 0.21
+BuildRequires:  python3-wheel
+BuildRequires:  python3-setuptools
 BuildRequires:  systemd-rpm-macros
+BuildRequires:  sysuser-tools
 BuildRequires:  uid_wrapper
 BuildRequires:  pkgconfig(augeas) >= 1.0.0
 BuildRequires:  pkgconfig(collection) >= 0.5.1
 BuildRequires:  pkgconfig(dbus-1) >= 1.0.0
 BuildRequires:  pkgconfig(dhash) >= 0.4.2
 BuildRequires:  pkgconfig(glib-2.0)
-BuildRequires:  pkgconfig(ini_config) >= 1.1.0
+BuildRequires:  pkgconfig(ini_config) >= 1.3
 BuildRequires:  pkgconfig(jansson)
-BuildRequires:  pkgconfig(ldb) >= 0.9.2
+BuildRequires:  pkgconfig(ldb) >= 1.2.0
+BuildRequires:  pkgconfig(libcap)
 BuildRequires:  pkgconfig(libcares)
-BuildRequires:  pkgconfig(libcrypto)
+BuildRequires:  pkgconfig(libcrypto) >= 1.0.1
 %if 0%{?suse_version} >= 1600
 BuildRequires:  pkgconfig(libcurl)
 %endif
+BuildRequires:  pkgconfig(libcap)
 BuildRequires:  pkgconfig(libnfsidmap)
 BuildRequires:  pkgconfig(libnl-3.0) >= 3.0
 BuildRequires:  pkgconfig(libnl-route-3.0) >= 3.0
@@ -86,7 +91,17 @@ BuildRequires:  pkgconfig(talloc)
 BuildRequires:  pkgconfig(tdb) >= 1.1.3
 BuildRequires:  pkgconfig(tevent)
 BuildRequires:  pkgconfig(uuid)
+%if 0%{?suse_version} && 0%{?suse_version} < 1600
+# samba-client-devel pulls samba-client-libs pulls libldap-2_4-2 wants libldap-data(-2.4);
+# this conflicts with
+# openldap2-devel pulls libldap2 wants libldap-data(-2.6)
+# Package contains just config files, not needed for build.
+#!BuildIgnore: libldap-data
+%endif
+%sysusers_requires
 %{?systemd_ordering}
+Requires(post): permissions
+Requires(verify): permissions
 Requires:       sssd-ldap = %version-%release
 Requires(postun): pam-config
 Provides:       libsss_sudo = %version-%release
@@ -95,16 +110,19 @@ Obsoletes:      libsss_sudo < %version-%release
 Provides:       sssd-common = %version-%release
 Obsoletes:      sssd-common < %version-%release
 
+%global sssd_user sssd
 %define servicename	sssd
 %define sssdstatedir	%_localstatedir/lib/sss
 %define dbpath		%sssdstatedir/db
 %define pipepath	%sssdstatedir/pipes
 %define pubconfpath	%sssdstatedir/pubconf
 %define gpocachepath	%sssdstatedir/gpo_cache
+%define keytabdir	%sssdstatedir/keytabs
+%define mcpath		%sssdstatedir/mc
 %define ldbdir %(pkg-config ldb --variable=modulesdir)
 
 # Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
-# %_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
+# %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
 # * cifs-utils one is the default (priority 20)
 # * installing SSSD should NOT switch to SSSD plugin (priority 10)
 %define cifs_idmap_plugin       %_sysconfdir/cifs-utils/idmap-plugin
@@ -115,11 +133,11 @@ Requires(post): update-alternatives
 Requires(postun): update-alternatives
 
 %description
-Provides a set of daemons to manage access to remote directories and
-authentication mechanisms. It provides an NSS and PAM interface toward
-the system and a pluggable backend system to connect to multiple different
-account sources. It is also the basis to provide client auditing and policy
-services for projects like FreeIPA.
+A set of daemons to manage access to remote directories and
+authentication mechanisms. sssd provides an NSS and PAM interfaces
+toward the system and a pluggable backend system to connect to
+multiple different account sources. It is also the basis to provide
+client auditing and policy services for projects like FreeIPA.
 
 %package ad
 Summary:        The ActiveDirectory backend plugin for sssd
@@ -129,9 +147,8 @@ Requires:       %name-krb5-common = %version-%release
 Requires:       adcli
 
 %description ad
-Provides the Active Directory back end that the SSSD can utilize to
-fetch identity data from and authenticate against an Active Directory
-server.
+A back-end provider that the SSSD can utilize to fetch identity data
+from, and authenticate with, an Active Directory server.
 
 %package dbus
 Summary:        The D-Bus responder of sssd
@@ -140,7 +157,7 @@ Group:          System/Base
 Requires:       %name = %version
 
 %description dbus
-Provides the D-Bus responder of sssd, called InfoPipe, which allows
+D-Bus responder of sssd, called InfoPipe, which allows
 information from sssd to be transmitted over the system bus.
 
 %package ipa
@@ -154,8 +171,8 @@ Obsoletes:      %name-ipa-provider < %version-%release
 Provides:       %name-ipa-provider = %version-%release
 
 %description ipa
-Provides the IPA back end that the SSSD can utilize to fetch identity
-data from and authenticate against an IPA server.
+A back-end provider that the SSSD can utilize to fetch identity data
+from, and authenticate with, an IPA server.
 
 %package kcm
 Summary:        SSSD's Kerberos cache manager
@@ -174,14 +191,16 @@ Group:          System/Daemons
 Requires:       %name-krb5-common = %version-%release
 
 %description krb5
-Provides the Kerberos back end that the SSSD can utilize authenticate
-against a Kerberos server.
+A back-end provider that the SSSD can utilize to authenticate against
+a Kerberos server.
 
 %package krb5-common
 Summary:        SSSD helpers needed for Kerberos and GSSAPI authentication
 License:        GPL-3.0-or-later
 Group:          System/Daemons
 Requires:       cyrus-sasl-gssapi
+Requires(post): permissions
+Requires(verify): permissions
 
 %description krb5-common
 Provides helper processes that the LDAP and Kerberos back ends can
@@ -194,8 +213,8 @@ Group:          System/Daemons
 Requires:       %name-krb5-common = %version-%release
 
 %description ldap
-Provides the LDAP back end that the SSSD can utilize to fetch
-identity data from and authenticate against an LDAP server.
+A back-end provider that the SSSD can utilize to fetch identity data
+from, and authenticate with, an LDAP server.
 
 %package proxy
 Summary:        The proxy backend plugin for sssd
@@ -203,8 +222,8 @@ License:        GPL-3.0-or-later
 Group:          System/Daemons
 
 %description proxy
-Provides the proxy back end which can be used to wrap an existing NSS
-and/or PAM modules to leverage SSSD caching.
+A back-end provider which can be used to wrap existing NSS and/or PAM
+modules to leverage SSSD caching. (This can replace nscd.)
 
 %package tools
 Summary:        Commandline tools for sssd
@@ -214,7 +233,7 @@ Requires:       python3-sssd-config = %version-%release
 Requires:       sssd = %version
 
 %description tools
-The packages contains commandline tools for managing users and groups using
+The packages contains command-line tools for managing users and groups using
 the "local" id provider of the System Security Services Daemon (sssd).
 
 %package winbind-idmap
@@ -231,7 +250,7 @@ License:        LGPL-3.0-or-later
 Group:          System/Libraries
 
 %description -n libsss_certmap0
-A utility library for FreeIPA to map certs.
+A utility library for FreeIPA to map certificates.
 
 %package -n libsss_certmap-devel
 Summary:        Development files for the FreeIPA certmap library
@@ -240,7 +259,7 @@ Group:          Development/Libraries/C and C++
 Requires:       libsss_certmap0 = %version
 
 %description -n libsss_certmap-devel
-A utility library for FreeIPA to map certs.
+A utility library for FreeIPA to map certificates.
 
 %package -n libipa_hbac0
 Summary:        FreeIPA HBAC Evaluator library
@@ -304,7 +323,6 @@ Requires:       libsss_nss_idmap0 = %version
 %description -n libsss_nss_idmap-devel
 A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs.
 
-%if 0%{?suse_version} < 1600
 %package -n libsss_simpleifp0
 Summary:        The SSSD D-Bus responder helper library
 License:        GPL-3.0-or-later
@@ -327,7 +345,6 @@ Requires:       libsss_simpleifp0 = %version
 This subpackage provides the development files for sssd's simpleifp,
 a library that simplifies the D-Bus API for the SSSD InfoPipe
 responder.
-%endif
 
 %package -n libsss_sudo
 Summary:        A library to allow communication between sudo and SSSD
@@ -394,32 +411,38 @@ autoreconf -fiv
 	--with-environment-file="%_sysconfdir/sysconfig/sssd" \
 	--with-initscript=systemd \
 	--with-syslog=journald \
-	--with-pid-path="%_rundir" \
-	--enable-nsslibdir="/%_lib" \
+	--with-pid-path="%_rundir/sssd" \
 	--enable-pammoddir="%_pam_moduledir" \
 	--with-ldb-lib-dir="%ldbdir" \
 	--with-os=suse \
 	--disable-ldb-version-check \
 	--without-python2-bindings \
 	--without-oidc-child \
+	--with-sssd-user="%sssd_user" \
 %if 0%{?suse_version} >= 1600
 	--with-selinux=yes \
 	--with-subid
 %else
 	--with-selinux=no \
-	--with-semanage=no \
 	--with-libsifp \
 	--with-files-provider
 %endif
 %make_build all
 
 %install
-# sss_obfuscate is compatible with both python 2 and 3
+# sss_obfuscate is compatible with both Python 2 and 3
 perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate
 %make_install dbuspolicydir=%_datadir/dbus-1/system.d
 b="%buildroot"
 
 # Copy some defaults
+%if "%{?_distconfdir}" != ""
+install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_distconfdir/sssd/sssd.conf"
+install -d -m 0755 "$b/%_distconfdir/sssd/conf.d"
+%else
+install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf"
+install -d -m 0755 "$b/%_sysconfdir/sssd/conf.d"
+%endif
 install -d "$b/%_unitdir"
 %if 0%{?suse_version} > 1500
 install -d "$b/%_distconfdir/logrotate.d"
@@ -441,23 +464,49 @@ find "$b" -type f -name "*.la" -print -delete
 %find_lang %name --all-name
 
 # dummy target for cifs-idmap-plugin
-mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils
-ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin
+mkdir -pv "$b/%_sysconfdir/alternatives" "$b/%_sysconfdir/cifs-utils"
+ln -sfv "%_sysconfdir/alternatives/%cifs_idmap_name" "$b/%cifs_idmap_plugin"
 %python3_fix_shebang
-%if %{suse_version} >= 1600
-%python3_fix_shebang_path %{buildroot}/%{_libexecdir}/%{name}/
+%if 0%{?suse_version} > 1600
+%python3_fix_shebang_path %buildroot/%_libexecdir/%name/sss_analyze
+%elif 0%{?suse_version} == 1600
+# python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204
+sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analyze"
 %endif
 
+echo 'u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin' >system-user-sssd.conf
+mkdir -p "$b/%_sysusersdir" "$b/etc/permissions.d"
+cp -a system-user-sssd.conf "$b/%_sysusersdir/"
+%sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf
+install -Dpm 0644 contrib/sssd-tmpfiles.conf "%buildroot/%_tmpfilesdir/%name.conf"
+#
+# Security considerations for capabilities, chown and stuff:
+# https://www.openwall.com/lists/oss-security/2024/12/19/1
+#
+# should match entry from %%files list
+cat >"$b/etc/permissions.d/sssd" <<-EOF
+	%_libexecdir/sssd/sssd_pam root:sssd 0750
+	 +capabilities cap_dac_read_search=p
+	%_libexecdir/sssd/selinux_child root:sssd 0750
+	 +capabilities cap_setgid,cap_setuid=p
+	%_libexecdir/sssd/krb5_child root:sssd 0750
+	 +capabilities cap_dac_read_search,cap_setgid,cap_setuid=p
+	%_libexecdir/sssd/ldap_child root:sssd 0750
+	 +capabilities cap_dac_read_search=p
+EOF
+
 %check
 # sss_config-tests fails
 %make_build check || :
 
-%pre
-%service_add_pre sssd.service
+%pre -f random.pre
+%service_add_pre sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
+%if "%{?_distconfdir}" != ""
 # Prepare for migration to /usr/etc; save any old .rpmsave
 for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do
-	test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
+	test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i.rpmsave.old" || :
 done
+%endif
 
 %post
 /sbin/ldconfig
@@ -465,38 +514,38 @@ done
 if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then
 	/bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' "%_sysconfdir/sssd/sssd.conf"
 fi
-%service_add_post sssd.service
+%service_add_post sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
+
+%_bindir/rm -f %mcpath/passwd %mcpath/group %mcpath/initgroups %mcpath/sid
+%tmpfiles_create %name.conf
+%set_permissions %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam
 
 # install SSSD cifs-idmap plugin as an alternative
 update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority
 
 %preun
-%service_del_preun sssd.service
+%service_del_preun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
 
 %postun
 /sbin/ldconfig
-if [ "$1" = "0" -a -x "%_sbindir/pam-config" ]; then
+if [ "$1" = "0" ] && [ -x "%_sbindir/pam-config" ]; then
 	"%_sbindir/pam-config" -d --sss || :
 fi
 # del_postun includes a try-restart
-%service_del_postun sssd.service
+%service_del_postun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
 
 if [ ! -f "%cifs_idmap_lib" ]; then
 	update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib
 fi
 
-%post   -n libsss_certmap0 -p /sbin/ldconfig
-%postun -n libsss_certmap0 -p /sbin/ldconfig
-%post   -n libipa_hbac0 -p /sbin/ldconfig
-%postun -n libipa_hbac0 -p /sbin/ldconfig
-%post   -n libsss_idmap0 -p /sbin/ldconfig
-%postun -n libsss_idmap0 -p /sbin/ldconfig
-%post   -n libsss_nss_idmap0 -p /sbin/ldconfig
-%postun -n libsss_nss_idmap0 -p /sbin/ldconfig
-%if 0%{?suse_version} < 1600
-%post   -n libsss_simpleifp0 -p /sbin/ldconfig
-%postun -n libsss_simpleifp0 -p /sbin/ldconfig
-%endif
+%ldconfig_scriptlets -n libsss_certmap0
+%ldconfig_scriptlets -n libipa_hbac0
+%ldconfig_scriptlets -n libsss_idmap0
+%ldconfig_scriptlets -n libsss_nss_idmap0
+%ldconfig_scriptlets -n libsss_simpleifp0
+
+%verifyscript
+%verify_permissions -e %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam
 
 %triggerun -- %name < %version-%release
 # sssd takes care of upgrading the database but it doesn't handle downgrades.
@@ -531,40 +580,52 @@ fi
 %postun kcm
 %service_del_postun sssd-kcm.service sssd-kcm.socket
 
+%pre krb5-common -f random.pre
+
+%post krb5-common
+%set_permissions %_libexecdir/%name/krb5_child %_libexecdir/%name/ldap_child
+
+%verifyscript krb5-common
+%verify_permissions -e %_libexecdir/%name/krb5_child %_libexecdir/%name/ldap_child
+
+%pre proxy -f random.pre
+
 %pretrans
 # Migrate sssd.service from sssd-common to sssd
 systemctl is-enabled sssd.service > /dev/null
 if [ $? -eq 0 ]; then
-mkdir -p /run/systemd/rpm/
-touch /run/systemd/rpm/sssd-was-enabled
+	mkdir -p /run/systemd/rpm/
+	touch /run/systemd/rpm/sssd-was-enabled
 fi
 systemctl is-active sssd.service > /dev/null
 if [ $? -eq 0 ]; then
-mkdir -p /run/systemd/rpm/
-touch /run/systemd/rpm/sssd-was-active
+	mkdir -p /run/systemd/rpm/
+	touch /run/systemd/rpm/sssd-was-active
 fi
 
 %posttrans
+%if "%{?_distconfdir}" != ""
 # Migration to /usr/etc, restore just created .rpmsave
 for i in sssd/sssd.conf logrotate.d/sssd pam.d/sssd-shadowutils ; do
-	test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
+	test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i" || :
 done
+%endif
 # Migrate sssd.service from sssd-common to sssd
 if [ -e /run/systemd/rpm/sssd-was-enabled ]; then
-systemctl is-enabled sssd.service > /dev/null
-if [ $? -ne 0 ]; then
-    echo "Migrating sssd.service, was enabled"
-    systemctl enable sssd.service
-fi
-rm /run/systemd/rpm/sssd-was-enabled
+	systemctl is-enabled sssd.service >/dev/null
+	if [ $? -ne 0 ]; then
+		echo "Migrating sssd.service, was enabled"
+		systemctl enable sssd.service
+	fi
+	rm /run/systemd/rpm/sssd-was-enabled
 fi
 if [ -e /run/systemd/rpm/sssd-was-active ]; then
-systemctl is-active sssd.service > /dev/null
-if [ $? -ne 0 ]; then
-    echo "Migrating sssd.service, was active"
-    systemctl start sssd.service
-fi
-rm /run/systemd/rpm/sssd-was-active
+	systemctl is-active sssd.service >/dev/null
+	if [ $? -ne 0 ]; then
+		echo "Migrating sssd.service, was active"
+		systemctl start sssd.service
+	fi
+	rm /run/systemd/rpm/sssd-was-active
 fi
 
 %files -f sssd.lang
@@ -577,12 +638,15 @@ fi
 %_unitdir/sssd-pac.socket
 %_unitdir/sssd-pac.service
 %_unitdir/sssd-pam.socket
-%_unitdir/sssd-pam-priv.socket
 %_unitdir/sssd-pam.service
 %_unitdir/sssd-ssh.socket
 %_unitdir/sssd-ssh.service
 %_unitdir/sssd-sudo.socket
 %_unitdir/sssd-sudo.service
+%_sysusersdir/*sssd*
+%_tmpfilesdir/*sssd*
+%_sysconfdir/permissions.d/*
+%_datadir/polkit-1/
 %_bindir/sss_ssh_*
 %_sbindir/sssd
 %if 0%{?suse_version} < 1600
@@ -626,7 +690,6 @@ fi
 %_libdir/%name/libsss_files*
 %endif
 %_libdir/%name/libsss_iface*
-%_libdir/%name/libsss_semanage*
 %_libdir/%name/libsss_sbus*
 %_libdir/%name/libsss_simple*
 %_libdir/%name/libsss_util*
@@ -639,24 +702,34 @@ fi
 %_libexecdir/%name/sssd_autofs
 %_libexecdir/%name/sssd_be
 %_libexecdir/%name/sssd_nss
-%_libexecdir/%name/sssd_pam
+%attr(750,root,%sssd_user) %caps(cap_dac_read_search=p) %_libexecdir/%name/sssd_pam
 %_libexecdir/%name/sssd_ssh
 %_libexecdir/%name/sssd_sudo
 %_libexecdir/%name/sss_signal
 %_libexecdir/%name/sssd_check_socket_activated_responders
 %if 0%{?suse_version} >= 1600
-%_libexecdir/%name/selinux_child
+%attr(750,root,%sssd_user) %caps(cap_setgid,cap_setuid=p) %_libexecdir/%name/selinux_child
 %endif
 %dir %sssdstatedir
-%attr(700,root,root) %dir %dbpath/
-%attr(755,root,root) %dir %pipepath/
-%attr(700,root,root) %dir %pipepath/private/
-%attr(755,root,root) %dir %pubconfpath/
-%attr(755,root,root) %dir %pubconfpath/krb5.include.d
-%attr(755,root,root) %dir %gpocachepath/
-%attr(755,root,root) %dir %sssdstatedir/mc/
-%attr(700,root,root) %dir %sssdstatedir/keytabs/
-%attr(750,root,root) %dir %_localstatedir/log/%name/
+%attr(700,%sssd_user,%sssd_user) %dir %dbpath/
+%attr(755,%sssd_user,%sssd_user) %dir %pipepath/
+%attr(700,%sssd_user,%sssd_user) %dir %pipepath/private/
+%attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/
+%attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/krb5.include.d
+%attr(755,%sssd_user,%sssd_user) %dir %gpocachepath/
+%attr(755,%sssd_user,%sssd_user) %dir %mcpath/
+%attr(700,%sssd_user,%sssd_user) %dir %keytabdir/
+%attr(750,%sssd_user,%sssd_user) %dir %_localstatedir/log/%name/
+%attr(775,%sssd_user,%sssd_user) %dir %sssdstatedir/
+%if "%{?_distconfdir}" != ""
+%attr(750,root,%sssd_user) %dir %_distconfdir/sssd/
+%attr(750,root,%sssd_user) %dir %_distconfdir/sssd/conf.d
+%attr(640,root,%sssd_user) %_distconfdir/sssd/sssd.conf
+%else
+%attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/
+%attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/conf.d
+%ghost %attr(640,root,%sssd_user) %config(noreplace) %_sysconfdir/sssd/sssd.conf
+%endif
 %if 0%{?suse_version} > 1500
 %_distconfdir/logrotate.d/sssd
 %_pam_vendordir/sssd-shadowutils
@@ -674,11 +747,12 @@ fi
 %else
 %exclude %_mandir/*/*/sssd-files.5.gz
 %endif
+%attr(775,%sssd_user,%sssd_user) %ghost %dir %_rundir/sssd
 %doc src/examples/sssd.conf
 #
 # sssd-client
 #
-/%_lib/libnss_sss.so.2
+%_libdir/libnss_sss.so.2
 %_pam_moduledir/pam_sss.so
 %_pam_moduledir/pam_sss_gss.so
 %_libdir/krb5/
@@ -763,8 +837,8 @@ fi
 %dir %_libdir/%name/
 %_libdir/%name/libsss_krb5_common.so
 %dir %_libexecdir/%name/
-%_libexecdir/%name/krb5_child
-%_libexecdir/%name/ldap_child
+%attr(750,root,%sssd_user) %caps(cap_dac_read_search,cap_setgid,cap_setuid=p) %_libexecdir/%name/krb5_child
+%attr(750,root,%sssd_user) %caps(cap_dac_read_search=p) %_libexecdir/%name/ldap_child
 
 %files ldap
 %dir %_libdir/%name/
@@ -781,7 +855,7 @@ fi
 %dir %_libdir/%name/
 %_libdir/%name/libsss_proxy.so
 %dir %_libexecdir/%name/
-%_libexecdir/%name/proxy_child
+%attr(750,root,%sssd_user) %_libexecdir/%name/proxy_child
 %dir %_datadir/%name/
 %dir %_datadir/%name/sssd.api.d/
 %_datadir/%name/sssd.api.d/sssd-proxy.conf
@@ -802,7 +876,8 @@ fi
 %python3_sitelib/sssd/
 
 %files winbind-idmap
-%_libdir/samba/
+%dir %_libdir/samba/
+%_libdir/samba/idmap/
 %_mandir/man8/idmap_sss.8*
 
 %files -n libipa_hbac0

symvers.patch

@@ -12,14 +12,14 @@ libsss_ldap.so(-2.7.4) cannot find a libsss_util.so(-2.7.4), since
 the system only has libsss_util.so(-2.8.2) at this point.
 
 ---
- Makefile.am |   47 ++++++++++++++++++++++++++++++++---------------
- 1 file changed, 32 insertions(+), 15 deletions(-)
+ Makefile.am |   44 ++++++++++++++++++++++++++++++--------------
+ 1 file changed, 30 insertions(+), 14 deletions(-)
 
-Index: sssd-2.9.2/Makefile.am
+Index: sssd-2.10.1/Makefile.am
 ===================================================================
---- sssd-2.9.2.orig/Makefile.am
-+++ sssd-2.9.2/Makefile.am
-@@ -955,7 +955,11 @@ libsss_debug_la_SOURCES = \
+--- sssd-2.10.1.orig/Makefile.am
++++ sssd-2.10.1/Makefile.am
+@@ -971,7 +971,11 @@ libsss_debug_la_SOURCES = \
  libsss_debug_la_LIBADD = \
      $(SYSLOG_LIBS)
  libsss_debug_la_LDFLAGS = \
@@ -32,7 +32,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_child.la
  libsss_child_la_SOURCES = src/util/child_common.c
-@@ -965,7 +969,8 @@ libsss_child_la_LIBADD = \
+@@ -981,7 +985,8 @@ libsss_child_la_LIBADD = \
      $(DHASH_LIBS) \
      libsss_debug.la \
      $(NULL)
@@ -42,7 +42,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_crypt.la
  
-@@ -1004,7 +1009,8 @@ libsss_crypt_la_LIBADD = \
+@@ -1021,7 +1026,8 @@ libsss_crypt_la_LIBADD = \
      libsss_debug.la \
      $(NULL)
  libsss_crypt_la_LDFLAGS = \
@@ -52,7 +52,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_cert.la
  
-@@ -1029,8 +1035,9 @@ libsss_cert_la_LIBADD = \
+@@ -1046,8 +1052,9 @@ libsss_cert_la_LIBADD = \
      libsss_debug.la \
      $(NULL)
  libsss_cert_la_LDFLAGS = \
@@ -63,7 +63,7 @@ Index: sssd-2.9.2/Makefile.am
  
  generate-sbus-code:
  	$(builddir)/sbus_generate.sh $(abs_srcdir)
-@@ -1131,8 +1138,9 @@ libsss_sbus_la_CFLAGS = \
+@@ -1148,8 +1155,9 @@ libsss_sbus_la_CFLAGS = \
      $(DBUS_CFLAGS) \
      $(NULL)
  libsss_sbus_la_LDFLAGS = \
@@ -74,7 +74,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_sbus_sync.la
  libsss_sbus_sync_la_SOURCES = \
-@@ -1167,8 +1175,9 @@ libsss_sbus_sync_la_CFLAGS = \
+@@ -1184,8 +1192,9 @@ libsss_sbus_sync_la_CFLAGS = \
      $(UNICODE_LIBS) \
      $(NULL)
  libsss_sbus_sync_la_LDFLAGS = \
@@ -85,7 +85,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_iface.la
  libsss_iface_la_SOURCES = \
-@@ -1197,8 +1206,9 @@ libsss_iface_la_CFLAGS = \
+@@ -1214,8 +1223,9 @@ libsss_iface_la_CFLAGS = \
      $(DBUS_CFLAGS) \
      $(NULL)
  libsss_iface_la_LDFLAGS = \
@@ -96,7 +96,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_iface_sync.la
  libsss_iface_sync_la_SOURCES = \
-@@ -1225,8 +1235,9 @@ libsss_iface_sync_la_CFLAGS = \
+@@ -1242,8 +1252,9 @@ libsss_iface_sync_la_CFLAGS = \
      $(DBUS_CFLAGS) \
      $(NULL)
  libsss_iface_sync_la_LDFLAGS = \
@@ -107,7 +107,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_util.la
  libsss_util_la_SOURCES = \
-@@ -1322,7 +1333,8 @@ endif
+@@ -1338,7 +1349,8 @@ endif
  if BUILD_PASSKEY
  libsss_util_la_SOURCES += src/db/sysdb_passkey_user_verification.c
  endif # BUILD_PASSKEY
@@ -115,19 +115,9 @@ Index: sssd-2.9.2/Makefile.am
 +libsss_util_la_LDFLAGS = -avoid-version ${symv}
 +EXTRA_libsss_util_la_DEPENDENCIES = x.sym
  
- pkglib_LTLIBRARIES += libsss_semanage.la
- libsss_semanage_la_CFLAGS = \
-@@ -1341,7 +1353,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_
- endif
- 
- libsss_semanage_la_LDFLAGS = \
--    -avoid-version
-+    -avoid-version ${symv}
-+EXTRA_libsss_semanage_la_DEPENDENCIES = x.sym
- 
  SSSD_INTERNAL_LTLIBS = \
      libsss_util.la \
-@@ -1357,7 +1370,7 @@ lib_LTLIBRARIES = libipa_hbac.la \
+@@ -1354,7 +1366,7 @@ lib_LTLIBRARIES = libipa_hbac.la \
                    $(NULL)
  
  pkgconfig_DATA += src/lib/ipa_hbac/ipa_hbac.pc
@@ -136,7 +126,7 @@ Index: sssd-2.9.2/Makefile.am
  libipa_hbac_la_SOURCES = \
      src/lib/ipa_hbac/hbac_evaluator.c \
      src/util/sss_utf8.c
-@@ -1688,8 +1701,9 @@ libifp_iface_la_CFLAGS = \
+@@ -1682,8 +1694,9 @@ libifp_iface_la_CFLAGS = \
      $(DBUS_CFLAGS) \
      $(NULL)
  libifp_iface_la_LDFLAGS = \
@@ -147,7 +137,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libifp_iface_sync.la
  libifp_iface_sync_la_SOURCES = \
-@@ -1714,8 +1728,9 @@ libifp_iface_sync_la_CFLAGS = \
+@@ -1708,8 +1721,9 @@ libifp_iface_sync_la_CFLAGS = \
      $(DBUS_CFLAGS) \
      $(NULL)
  libifp_iface_sync_la_LDFLAGS = \
@@ -158,7 +148,7 @@ Index: sssd-2.9.2/Makefile.am
  
  sssd_ifp_SOURCES = \
      src/responder/ifp/ifpsrv.c \
-@@ -4314,8 +4329,9 @@ libsss_ldap_common_la_LIBADD = \
+@@ -4314,8 +4328,9 @@ libsss_ldap_common_la_LIBADD = \
      $(SSSD_INTERNAL_LTLIBS) \
      $(NULL)
  libsss_ldap_common_la_LDFLAGS = \
@@ -169,7 +159,7 @@ Index: sssd-2.9.2/Makefile.am
  if BUILD_SYSTEMTAP
  libsss_ldap_common_la_LIBADD += stap_generated_probes.lo
  endif
-@@ -4372,7 +4388,8 @@ libsss_krb5_common_la_LIBADD = \
+@@ -4371,7 +4386,8 @@ libsss_krb5_common_la_LIBADD = \
      $(SSSD_INTERNAL_LTLIBS) \
      $(NULL)
  libsss_krb5_common_la_LDFLAGS = \