Accepting request 632454 from home:kbabioch:branches:network:ldap

- Update to upstream release 1.16.3

OBS-URL: https://build.opensuse.org/request/show/632454
OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=206
Jan Engelhardt 2018-08-31 11:12:24 +00:00 committed by Git OBS Bridge
parent a03258dbe5
commit 77a4f94e77
9 changed files with 80 additions and 118 deletions


@ -1,45 +0,0 @@
From 06193adc0de042484f672cadd0808c78c5ebb70e Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 15 Jun 2018 22:29:34 +0200
Subject: [PATCH] SUDO: Create the socket with stricter permissions
This patch switches the sudo responder from being created as a public
responder where the permissions are open and not checked by the sssd
daemon to a private socket. In this case, sssd creates the pipes with
strict permissions (see the umask in the call to create_pipe_fd() in
set_unix_socket()) and additionally checks the permissions with every read
via the tevent integrations (see accept_fd_handler()).
---
src/responder/sudo/sudosrv.c | 3 ++-
src/sysv/systemd/sssd-sudo.socket.in | 1 +
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c
index ac4258710d3a9b48285522abd23bdd59ba42ad4e..e87a24499c2d82fafaa8e1f9b386e44332394266 100644
--- a/src/responder/sudo/sudosrv.c
+++ b/src/responder/sudo/sudosrv.c
@@ -79,7 +79,8 @@ int sudo_process_init(TALLOC_CTX *mem_ctx,
sudo_cmds = get_sudo_cmds();
ret = sss_process_init(mem_ctx, ev, cdb,
sudo_cmds,
- SSS_SUDO_SOCKET_NAME, -1, NULL, -1,
+ NULL, -1, /* No public socket */
+ SSS_SUDO_SOCKET_NAME, -1, /* Private socket only */
CONFDB_SUDO_CONF_ENTRY,
SSS_SUDO_SBUS_SERVICE_NAME,
SSS_SUDO_SBUS_SERVICE_VERSION,
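Review bot: the change depends on the positional order of sss_process_init()'s four socket arguments (public name, public fd, private name, private fd); the inline comments on the two new lines make that readable, but the commit message should also state the client-visible effect: the path (SSS_SUDO_SOCKET_NAME) is unchanged, so clients need no update, while any caller the stricter permission check excludes is now refused instead of being served.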
diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in
index c9abb875f0accbaf58d78846020fef74c7473528..96a8b0327ddb4d331c9b2e97ece3453f8f76872d 100644
--- a/src/sysv/systemd/sssd-sudo.socket.in
+++ b/src/sysv/systemd/sssd-sudo.socket.in
@@ -11,6 +11,7 @@ ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r sudo
ListenStream=@pipepath@/sudo
SocketUser=@SSSD_USER@
SocketGroup=@SSSD_USER@
+SocketMode=0600
[Install]
WantedBy=sssd.service
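Review bot: SocketMode=0600 is needed here because in the socket-activated case the file is created by systemd, not by sssd, so the umask in set_unix_socket() described in the commit message never applies to it; together with SocketUser/SocketGroup=@SSSD_USER@ this gives the same owner-only result as the private socket sssd creates itself. Worth a line in the commit message, which currently covers only the sssd-created path.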
--
2.14.3


@ -1,44 +0,0 @@
From b34fcff0f8bccd7b827686b50c53f45b7e20bb44 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fidencio@redhat.com>
Date: Tue, 12 Jun 2018 19:07:52 +0200
Subject: [PATCH] intg: Do not hardcode nsslibdir
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This change is needed in order to have make intgcheck-run properly
running on opensuse systems.
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Chris Kowalczyk <ckowalczyk@suse.com>
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/tests/intg/Makefile.am | 1 +
src/tests/intg/config.py.m4 | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
index 9c5338261..4bd427669 100644
--- a/src/tests/intg/Makefile.am
+++ b/src/tests/intg/Makefile.am
@@ -73,6 +73,7 @@ cwrap-dbus-system.conf: data/cwrap-dbus-system.conf.in Makefile
config.py: config.py.m4
m4 -D "prefix=\`$(prefix)'" \
-D "sysconfdir=\`$(sysconfdir)'" \
+ -D "nsslibdir=\`$(nsslibdir)'" \
-D "dbpath=\`$(dbpath)'" \
-D "pidpath=\`$(pidpath)'" \
-D "logpath=\`$(logpath)'" \
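Review bot: the new -D line assumes $(nsslibdir) is an automake variable substituted by configure; if it is not defined in this Makefile, make expands it to an empty string and m4 silently defines nsslibdir as "", so config.py would carry NSS_MODULE_DIR = "" and the tests would only fail later at runtime. Suggest checking that nsslibdir is defined wherever dbpath/pidpath/logpath are, or making the rule fail when it is empty.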
diff --git a/src/tests/intg/config.py.m4 b/src/tests/intg/config.py.m4
index 6e011b692..04f78d869 100644
--- a/src/tests/intg/config.py.m4
+++ b/src/tests/intg/config.py.m4
@@ -4,7 +4,7 @@ Build configuration variables.
PREFIX = "prefix"
SYSCONFDIR = "sysconfdir"
-NSS_MODULE_DIR = PREFIX + "/lib"
+NSS_MODULE_DIR = "nsslibdir"
SSSDCONFDIR = SYSCONFDIR + "/sssd"
CONF_PATH = SSSDCONFDIR + "/sssd.conf"
DB_PATH = "dbpath"
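Review bot: the new value "nsslibdir" works because m4 rewrites the bare word inside Python's string literal, the same convention "prefix" and "sysconfdir" already use, so it is consistent; the commit message only says the change is needed on openSUSE, and naming the actual difference (the NSS module directory there is not $prefix/lib, which the old PREFIX + "/lib" assumed) would make the reason clear to the next reader.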


@ -1,13 +0,0 @@
diff --git a/Makefile.am b/Makefile.am
index 9539b3c..8e76a03 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -975,6 +975,7 @@ libsss_cert_la_LIBADD = \
$(TALLOC_LIBS) \
$(TEVENT_LIBS) \
libsss_crypt.la \
+ libsss_child.la \
libsss_debug.la \
libsss_certmap.la \
$(NULL)
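Review bot: this patch has no description; record which unresolved symbol in libsss_cert requires libsss_child.la (and whether it is specific to 1.16.2, as the file name 0003-Fix-build-for-1-16-2-version.patch suggests) so the extra LIBADD entry is not dropped in a later cleanup.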


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:fe5b1fcc5b4359631f7edf25f8940f3155de68e2f4ac7bfeb634687ccabc570c
size 6174144


@ -1,6 +0,0 @@

sssd-1.16.3.tar.gz

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ee5d17a0c663c09819cbab9364085b9e57faeca02406cc30efe14cc0cfc04ec4
size 6217114

sssd-1.16.3.tar.gz.asc

@ -0,0 +1,10 @@


@ -1,3 +1,69 @@
-------------------------------------------------------------------
Fri Aug 31 07:14:39 UTC 2018 - kbabioch@suse.com
- Update to upstream release 1.16.3
New Features
- The kdcinfo files that SSSD uses to inform libkrb5 about which KDCs were
discovered for a Kerberos realm used to be only generated for the joined
domain, not the trusted domains. Starting with this release, the kdcinfo files
are generated automatically also for trusted domains in setups that use
id_provider=ad and IPA masters in a trust relationship with an AD domain.
- The SSSD Kerberos locator plugin which processes the kdcinfo files and
actually tells libkrb5 about the available KDCs can now process multiple
address if SSSD generates more than one. At the moment, this feature is only
used on IPA clients (see below). Please see the sssd_krb5_locator_plugin(8)
manual page for more information about the Kerberos locator plugin.
- On IPA clients, the AD DCs or the AD site which should be used to
authenticate users can now be listed in a subdomain section. Please see the
feature design page or the section “trusted domains configuration” for more
details.
Notable bug fixes
- The permissions on /var/lib/sss/pipes/sudo were set so that anyone could read
anyone elses sudo rules. This was considered an information leak and
assigned CVE-2018-10852 (bsc#1098377)
- The 1.16.2 release was storing the cached passwords without a salt prefix
string. This bug was fixed in this release, but any password hashes generated
by 1.16.2 are incompatible with the hashes generated by 1.16.3. The effect is
that upgrade from 1.16.2 to 1.16.3 should be done when the authentication
server is reachable so that the first authentication after the upgrade fix the
cached password.
- The sss_ssh proces leaked file descriptors when converting more than one x509
certificate to SSH public key
- SSSD, when configured with id_provider=ad was using too expensive LDAP search
to find out whether the required POSIX attributes were replicated to the
Global Catalog. Instead, SSSD now consults the Partial Attribute Set, which
is much more effective
- The PAC responder is now able to process Domain Local in case the PAC uses
SID compression. Typicaly this is the case with Windows Server 2012 and newer
- Some versions of OpenSSH would close the pipe towards sss_ssh_authorizedkeys
when the matching key is found before the rest of the output is read. The
sss_ssh_authorizedkeys helper was not handling this behaviour well and would
exit with SIGPIPE, which also meant the public key authentication failed
- User lookups no longer fail if users e-mail address conflicts with another
users fully qualified name
- The override_shell and override_homedir options are no longer applied to
entries from the files domain.
- Several bugs related to the FleetCommander integration were fixed
- The grace logins with an expired password when authenticating against certain
newer versions of the 389DS/RHDS LDAP server did not work
- Whitespace around netgroup triple separator is now stripped
- The sss_ssh_knownhostproxy utility can now print the host key without
proxying the connection.
- Due to an overly restrictive check, the fast in-memory cache was sometimes
skipped, which caused a high load on the sssd_nss process
Removed patches that are included upstream now:
- 0001-SUDO-Create-the-socket-with-stricter-permissions.patch
- 0002-intg-Do-not-hardcode-nsslibdir.patch
- 0003-Fix-build-for-1-16-2-version.patch
-------------------------------------------------------------------
Sun Jul 1 12:44:00 UTC 2018 - ckowalczyk@suse.com
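Review bot: the 1.16.2 cached-password entry states an upgrade constraint (the authentication server must be reachable at the first authentication after the upgrade so the salt-less hash is rewritten); the consequence is worth spelling out, since a host that goes offline between the upgrade and that first login cannot authenticate against its 1.16.2-generated cache. Minor typos in the same hunk: "anyone elses", "proces", "Typicaly", "fix the cached password" (fixes).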


@ -17,7 +17,7 @@
Name: sssd
-Version: 1.16.2
+Version: 1.16.3
Release: 0
Summary: System Security Services Daemon
License: GPL-3.0+ and LGPL-3.0+
@ -31,9 +31,6 @@ Source3: baselibs.conf
Source4: sssd.service
Source5: %name.keyring
BuildRoot: %_tmppath/%name-%version-build
-Patch1: 0001-SUDO-Create-the-socket-with-stricter-permissions.patch
-Patch2: 0002-intg-Do-not-hardcode-nsslibdir.patch
-Patch3: 0003-Fix-build-for-1-16-2-version.patch
%define servicename sssd
%define sssdstatedir %_localstatedir/lib/sss
@ -367,9 +364,6 @@ Security Services Daemon (sssd).
%prep
%setup -q
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
%build
%if 0%{?suse_version} < 1210
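Review bot: with Patch1-3 and their %patch lines both gone, the spec carries no downstream patches; 0001 and 0002 have upstream commit headers and the changelog says they are included in 1.16.3, but 0003 (libsss_child.la in libsss_cert_la_LIBADD) has no upstream reference in its header, so it is worth confirming that 1.16.3 links libsss_cert correctly before dropping it.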