diff --git a/0001-Configuration-make-sure-etc-sssd-and-everything.patch b/0001-Configuration-make-sure-etc-sssd-and-everything.patch new file mode 100644 index 0000000..8cf0fe0 --- /dev/null +++ b/0001-Configuration-make-sure-etc-sssd-and-everything.patch @@ -0,0 +1,76 @@ +From 8db2df4fcbd09badafbc207bd4150b5f1cc2d5fb Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Thu, 24 Oct 2024 15:34:26 +0200 +Subject: [PATCH] Configuration: make sure /etc/sssd and everything +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +beneath is owned by 'sssd' group and readable by group. + +This should allow for reasonable rw-r----- root:sssd + +At some points those chown/chmod can be removed. + +Reviewed-by: Justin Stephenson +Reviewed-by: Pavel Březina +Reviewed-by: Sumit Bose +(cherry picked from commit 518db322fdd5a4de41813fbe5bc35fc20392ce67) +--- + contrib/sssd.spec.in | 4 ++-- + src/sysv/systemd/sssd-kcm.service.in | 5 ++--- + src/sysv/systemd/sssd.service.in | 6 ++---- + 3 files changed, 6 insertions(+), 9 deletions(-) + +diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in +index 4fbacb959..83de563f3 100644 +--- a/contrib/sssd.spec.in ++++ b/contrib/sssd.spec.in +@@ -1136,9 +1136,9 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d /run/sssd -s /sbin/nologi + %__rm -f %{mcpath}/group + %__rm -f %{mcpath}/initgroups + %__rm -f %{mcpath}/sid ++%__chown -f -R root:%{sssd_user} %{_sysconfdir}/sssd || true ++%__chmod -f -R g+r %{_sysconfdir}/sssd || true + %__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true +-%__chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true +-%__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true + %__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true + %__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true + %__chown -f %{sssd_user}:%{sssd_user} %{gpocachepath}/* || true +diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in +index 0c839ec5c..ba9e27cd9 100644 +--- a/src/sysv/systemd/sssd-kcm.service.in ++++ b/src/sysv/systemd/sssd-kcm.service.in +@@ -9,9 +9,8 @@ Also=sssd-kcm.socket + + [Service] + Environment=DEBUG_LOGGER=--logger=files +-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@ +-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf +-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d ++ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@ ++ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@ + ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb" + ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log + ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER} +diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in +index 37e0a63f8..a6f79ff8a 100644 +--- a/src/sysv/systemd/sssd.service.in ++++ b/src/sysv/systemd/sssd.service.in +@@ -10,10 +10,8 @@ StartLimitBurst=5 + [Service] + Environment=DEBUG_LOGGER=--logger=files + EnvironmentFile=-@environment_file@ +-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@ +-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf +-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d +-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/pki ++ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@ ++ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@ + ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @dbpath@/*.ldb" + ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @gpocachepath@/*" + ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/*.log" +-- +2.47.0 + diff --git a/harden_sssd-kcm.service.patch b/harden_sssd-kcm.service.patch index 6526831..5ff85b4 100644 --- a/harden_sssd-kcm.service.patch +++ b/harden_sssd-kcm.service.patch @@ -24,5 +24,5 @@ Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in +RestrictRealtime=true +# end of automatic additions Environment=DEBUG_LOGGER=--logger=files - ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@ - ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf + ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@ + ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@ diff --git a/sssd.changes b/sssd.changes index 5cf3900..a5b1f81 100644 --- a/sssd.changes +++ b/sssd.changes @@ -15,7 +15,8 @@ Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt * The default value for ``ldap_id_use_start_tls`` changed from false to true for improved security. * https://github.com/SSSD/sssd/releases/tag/2.10.0 -- Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch +- Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch, + 0001-Configuration-make-sure-etc-sssd-and-everything.patch - Fix socket activation of responders ------------------------------------------------------------------- diff --git a/sssd.spec b/sssd.spec index 8319ec9..3ff1f09 100644 --- a/sssd.spec +++ b/sssd.spec @@ -28,11 +28,12 @@ Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%v Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc Source3: baselibs.conf Source5: %name.keyring -Patch1: krb-noversion.diff -Patch2: harden_sssd-ifp.service.patch -Patch3: harden_sssd-kcm.service.patch -Patch4: symvers.patch Patch5: 0001-sssd-always-print-path-when-config-object-is-rejecte.patch +Patch6: 0001-Configuration-make-sure-etc-sssd-and-everything.patch +Patch11: krb-noversion.diff +Patch12: harden_sssd-ifp.service.patch +Patch13: harden_sssd-kcm.service.patch +Patch14: symvers.patch BuildRequires: autoconf >= 2.59 BuildRequires: automake BuildRequires: bind-utils