Unprivileged mode for sssd

This commit is contained in:
Samuel Cabrero 2024-08-30 11:37:19 +02:00 committed by Jan Engelhardt
parent 0823836080
commit 6e6893108a
2 changed files with 69 additions and 24 deletions

View File

@ -20,6 +20,7 @@ Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
0001-INI-relax-config-files-checks.patch, 0001-INI-relax-config-files-checks.patch,
0001-Configuration-make-sure-etc-sssd-and-everything.patch 0001-Configuration-make-sure-etc-sssd-and-everything.patch
- Fix socket activation of responders - Fix socket activation of responders
- Daemon runs now as unprivileged user 'sssd'
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Oct 1 10:15:07 UTC 2024 - Jan Engelhardt <jengelh@inai.de> Tue Oct 1 10:15:07 UTC 2024 - Jan Engelhardt <jengelh@inai.de>

View File

@ -69,13 +69,14 @@ BuildRequires: pkgconfig(dhash) >= 0.4.2
BuildRequires: pkgconfig(glib-2.0) BuildRequires: pkgconfig(glib-2.0)
BuildRequires: pkgconfig(ini_config) >= 1.3 BuildRequires: pkgconfig(ini_config) >= 1.3
BuildRequires: pkgconfig(jansson) BuildRequires: pkgconfig(jansson)
BuildRequires: pkgconfig(ldb) >= 0.9.2 BuildRequires: pkgconfig(ldb) >= 1.2.0
BuildRequires: pkgconfig(libcap) BuildRequires: pkgconfig(libcap)
BuildRequires: pkgconfig(libcares) BuildRequires: pkgconfig(libcares)
BuildRequires: pkgconfig(libcrypto) >= 1.0.1 BuildRequires: pkgconfig(libcrypto) >= 1.0.1
%if 0%{?suse_version} >= 1600 %if 0%{?suse_version} >= 1600
BuildRequires: pkgconfig(libcurl) BuildRequires: pkgconfig(libcurl)
%endif %endif
BuildRequires: pkgconfig(libcap)
BuildRequires: pkgconfig(libnfsidmap) BuildRequires: pkgconfig(libnfsidmap)
BuildRequires: pkgconfig(libnl-3.0) >= 3.0 BuildRequires: pkgconfig(libnl-3.0) >= 3.0
BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0 BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0
@ -103,6 +104,8 @@ BuildRequires: pkgconfig(uuid)
%endif %endif
%sysusers_requires %sysusers_requires
%{?systemd_ordering} %{?systemd_ordering}
Requires(post): permissions
Requires(verify): permissions
Requires: sssd-ldap = %version-%release Requires: sssd-ldap = %version-%release
Requires(postun): pam-config Requires(postun): pam-config
Provides: libsss_sudo = %version-%release Provides: libsss_sudo = %version-%release
@ -111,13 +114,17 @@ Obsoletes: libsss_sudo < %version-%release
Provides: sssd-common = %version-%release Provides: sssd-common = %version-%release
Obsoletes: sssd-common < %version-%release Obsoletes: sssd-common < %version-%release
%global sssd_user sssd
%define servicename sssd %define servicename sssd
%define sssdstatedir %_localstatedir/lib/sss %define sssdstatedir %_localstatedir/lib/sss
%define dbpath %sssdstatedir/db %define dbpath %sssdstatedir/db
%define pipepath %sssdstatedir/pipes %define pipepath %sssdstatedir/pipes
%define pubconfpath %sssdstatedir/pubconf %define pubconfpath %sssdstatedir/pubconf
%define gpocachepath %sssdstatedir/gpo_cache %define gpocachepath %sssdstatedir/gpo_cache
%define keytabdir %sssdstatedir/keytabs
%define mcpath %sssdstatedir/mc
%define ldbdir %(pkg-config ldb --variable=modulesdir) %define ldbdir %(pkg-config ldb --variable=modulesdir)
%define child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko # Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
# %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins # %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
@ -197,6 +204,8 @@ Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
License: GPL-3.0-or-later License: GPL-3.0-or-later
Group: System/Daemons Group: System/Daemons
Requires: cyrus-sasl-gssapi Requires: cyrus-sasl-gssapi
Requires(post): permissions
Requires(verify): permissions
%description krb5-common %description krb5-common
Provides helper processes that the LDAP and Kerberos back ends can Provides helper processes that the LDAP and Kerberos back ends can
@ -407,13 +416,14 @@ autoreconf -fiv
--with-environment-file="%_sysconfdir/sysconfig/sssd" \ --with-environment-file="%_sysconfdir/sysconfig/sssd" \
--with-initscript=systemd \ --with-initscript=systemd \
--with-syslog=journald \ --with-syslog=journald \
--with-pid-path="%_rundir" \ --with-pid-path="%_rundir/sssd" \
--enable-pammoddir="%_pam_moduledir" \ --enable-pammoddir="%_pam_moduledir" \
--with-ldb-lib-dir="%ldbdir" \ --with-ldb-lib-dir="%ldbdir" \
--with-os=suse \ --with-os=suse \
--disable-ldb-version-check \ --disable-ldb-version-check \
--without-python2-bindings \ --without-python2-bindings \
--without-oidc-child \ --without-oidc-child \
--with-sssd-user="%sssd_user" \
%if 0%{?suse_version} >= 1600 %if 0%{?suse_version} >= 1600
--with-selinux=yes \ --with-selinux=yes \
--with-subid --with-subid
@ -463,16 +473,28 @@ mkdir -pv "$b/%_sysconfdir/alternatives" "$b/%_sysconfdir/cifs-utils"
ln -sfv "%_sysconfdir/alternatives/%cifs_idmap_name" "$b/%cifs_idmap_plugin" ln -sfv "%_sysconfdir/alternatives/%cifs_idmap_name" "$b/%cifs_idmap_plugin"
%python3_fix_shebang %python3_fix_shebang
%if 0%{?suse_version} > 1600 %if 0%{?suse_version} > 1600
%python3_fix_shebang_path %buildroot/%_libexecdir/%name/ %python3_fix_shebang_path %buildroot/%_libexecdir/%name/sss_analyze
%elif 0%{?suse_version} == 1600 %elif 0%{?suse_version} == 1600
# python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204 # python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204
sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analyze" sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analyze"
%endif %endif
echo 'u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin' >system-user-sssd.conf echo 'u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin' >system-user-sssd.conf
mkdir -p "$b/%_sysusersdir" mkdir -p "$b/%_sysusersdir" "$b/etc/permissions.d"
cp -a system-user-sssd.conf "$b/%_sysusersdir/" cp -a system-user-sssd.conf "$b/%_sysusersdir/"
%sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf %sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf
install -Dpm 0644 contrib/sssd-tmpfiles.conf "%buildroot/%_tmpfilesdir/%name.conf"
# should match entry from %%files list
cat >"$b/etc/permissions.d/sssd" <<-EOF
%_libexecdir/sssd/sssd_pam root:sssd 0750
+capabilities cap_dac_read_search=p
%_libexecdir/sssd/selinux_child root:sssd 0750
+capabilities %child_capabilities
%_libexecdir/sssd/krb5_child root:sssd 0750
+capabilities %child_capabilities
%_libexecdir/sssd/ldap_child root:sssd 0750
+capabilities %child_capabilities
EOF
%check %check
# sss_config-tests fails # sss_config-tests fails
@ -495,6 +517,10 @@ if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then
fi fi
%service_add_post sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket %service_add_post sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
%_bindir/rm -f %mcpath/passwd %mcpath/group %mcpath/initgroups %mcpath/sid
%tmpfiles_create %name.conf
%set_permissions %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam
# install SSSD cifs-idmap plugin as an alternative # install SSSD cifs-idmap plugin as an alternative
update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority
@ -519,6 +545,9 @@ fi
%ldconfig_scriptlets -n libsss_nss_idmap0 %ldconfig_scriptlets -n libsss_nss_idmap0
%ldconfig_scriptlets -n libsss_simpleifp0 %ldconfig_scriptlets -n libsss_simpleifp0
%verifyscript
%verify_permissions -e %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam
%triggerun -- %name < %version-%release %triggerun -- %name < %version-%release
# sssd takes care of upgrading the database but it doesn't handle downgrades. # sssd takes care of upgrading the database but it doesn't handle downgrades.
# Clear caches when downgrading the package, which may have an # Clear caches when downgrading the package, which may have an
@ -552,6 +581,16 @@ fi
%postun kcm %postun kcm
%service_del_postun sssd-kcm.service sssd-kcm.socket %service_del_postun sssd-kcm.service sssd-kcm.socket
%pre krb5-common -f random.pre
%post krb5-common
%set_permissions %_libexecdir/%name/krb5_child %_libexecdir/%name/ldap_child
%verifyscript krb5-common
%verify_permissions -e %_libexecdir/%name/krb5_child %_libexecdir/%name/ldap_child
%pre proxy -f random.pre
%pretrans %pretrans
# Migrate sssd.service from sssd-common to sssd # Migrate sssd.service from sssd-common to sssd
systemctl is-enabled sssd.service > /dev/null systemctl is-enabled sssd.service > /dev/null
@ -606,6 +645,9 @@ fi
%_unitdir/sssd-sudo.socket %_unitdir/sssd-sudo.socket
%_unitdir/sssd-sudo.service %_unitdir/sssd-sudo.service
%_sysusersdir/*sssd* %_sysusersdir/*sssd*
%_tmpfilesdir/*sssd*
%_sysconfdir/permissions.d/*
%_datadir/polkit-1/
%_bindir/sss_ssh_* %_bindir/sss_ssh_*
%_sbindir/sssd %_sbindir/sssd
%if 0%{?suse_version} < 1600 %if 0%{?suse_version} < 1600
@ -662,32 +704,33 @@ fi
%_libexecdir/%name/sssd_autofs %_libexecdir/%name/sssd_autofs
%_libexecdir/%name/sssd_be %_libexecdir/%name/sssd_be
%_libexecdir/%name/sssd_nss %_libexecdir/%name/sssd_nss
%_libexecdir/%name/sssd_pam %attr(750,root,%sssd_user) %caps(cap_dac_read_search=p) %_libexecdir/%name/sssd_pam
%_libexecdir/%name/sssd_ssh %_libexecdir/%name/sssd_ssh
%_libexecdir/%name/sssd_sudo %_libexecdir/%name/sssd_sudo
%_libexecdir/%name/sss_signal %_libexecdir/%name/sss_signal
%_libexecdir/%name/sssd_check_socket_activated_responders %_libexecdir/%name/sssd_check_socket_activated_responders
%if 0%{?suse_version} >= 1600 %if 0%{?suse_version} >= 1600
%_libexecdir/%name/selinux_child %attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/selinux_child
%endif %endif
%dir %sssdstatedir %dir %sssdstatedir
%attr(700,root,root) %dir %dbpath/ %attr(700,%sssd_user,%sssd_user) %dir %dbpath/
%attr(755,root,root) %dir %pipepath/ %attr(755,%sssd_user,%sssd_user) %dir %pipepath/
%attr(700,root,root) %dir %pipepath/private/ %attr(700,%sssd_user,%sssd_user) %dir %pipepath/private/
%attr(755,root,root) %dir %pubconfpath/ %attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/
%attr(755,root,root) %dir %pubconfpath/krb5.include.d %attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/krb5.include.d
%attr(755,root,root) %dir %gpocachepath/ %attr(755,%sssd_user,%sssd_user) %dir %gpocachepath/
%attr(755,root,root) %dir %sssdstatedir/mc/ %attr(755,%sssd_user,%sssd_user) %dir %mcpath/
%attr(700,root,root) %dir %sssdstatedir/keytabs/ %attr(700,%sssd_user,%sssd_user) %dir %keytabdir/
%attr(750,root,root) %dir %_localstatedir/log/%name/ %attr(750,%sssd_user,%sssd_user) %dir %_localstatedir/log/%name/
%attr(775,%sssd_user,%sssd_user) %dir %sssdstatedir/
%if "%{?_distconfdir}" != "" %if "%{?_distconfdir}" != ""
%dir %_distconfdir/sssd/ %attr(750,root,%sssd_user) %dir %_distconfdir/sssd/
%%dir %_distconfdir/sssd/conf.d %attr(750,root,%sssd_user) %dir %_distconfdir/sssd/conf.d
%config(noreplace) %_distconfdir/sssd/sssd.conf %attr(640,root,%sssd_user) %_distconfdir/sssd/sssd.conf
%else %else
%dir %_sysconfdir/sssd/ %attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/
%%dir %_sysconfdir/sssd/conf.d %attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/conf.d
%config(noreplace) %_sysconfdir/sssd/sssd.conf %ghost %attr(640,root,%sssd_user) %config(noreplace) %_sysconfdir/sssd/sssd.conf
%endif %endif
%if 0%{?suse_version} > 1500 %if 0%{?suse_version} > 1500
%_distconfdir/logrotate.d/sssd %_distconfdir/logrotate.d/sssd
@ -706,6 +749,7 @@ fi
%else %else
%exclude %_mandir/*/*/sssd-files.5.gz %exclude %_mandir/*/*/sssd-files.5.gz
%endif %endif
%attr(775,%sssd_user,%sssd_user) %ghost %dir %_rundir/sssd
%doc src/examples/sssd.conf %doc src/examples/sssd.conf
# #
# sssd-client # sssd-client
@ -795,8 +839,8 @@ fi
%dir %_libdir/%name/ %dir %_libdir/%name/
%_libdir/%name/libsss_krb5_common.so %_libdir/%name/libsss_krb5_common.so
%dir %_libexecdir/%name/ %dir %_libexecdir/%name/
%_libexecdir/%name/krb5_child %attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/krb5_child
%_libexecdir/%name/ldap_child %attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/ldap_child
%files ldap %files ldap
%dir %_libdir/%name/ %dir %_libdir/%name/
@ -813,7 +857,7 @@ fi
%dir %_libdir/%name/ %dir %_libdir/%name/
%_libdir/%name/libsss_proxy.so %_libdir/%name/libsss_proxy.so
%dir %_libexecdir/%name/ %dir %_libexecdir/%name/
%_libexecdir/%name/proxy_child %attr(750,root,%sssd_user) %_libexecdir/%name/proxy_child
%dir %_datadir/%name/ %dir %_datadir/%name/
%dir %_datadir/%name/sssd.api.d/ %dir %_datadir/%name/sssd.api.d/
%_datadir/%name/sssd.api.d/sssd-proxy.conf %_datadir/%name/sssd.api.d/sssd-proxy.conf