diff --git a/0001-TOOL-Fix-build-parameter-name-omitted.patch b/0001-TOOL-Fix-build-parameter-name-omitted.patch
new file mode 100644
index 0000000..6bda949
--- /dev/null
+++ b/0001-TOOL-Fix-build-parameter-name-omitted.patch
@@ -0,0 +1,85 @@
+From b927ca4196f828bda6d5db6c6a6d852389bfede0 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero
+Date: Thu, 2 Jan 2025 14:09:17 +0100
+Subject: [PATCH] TOOL: Fix build, parameter name omitted
+
+Signed-off-by: Samuel Cabrero
+---
+ src/tools/sssctl/sssctl_data.c | 8 ++++----
+ src/tools/sssctl/sssctl_logs.c | 6 +++---
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
+index b28556e73..a473e7e14 100644
+--- a/src/tools/sssctl/sssctl_data.c
++++ b/src/tools/sssctl/sssctl_data.c
+@@ -125,7 +125,7 @@ static errno_t sssctl_backup(bool force)
+ }
+
+ errno_t sssctl_client_data_backup(struct sss_cmdline *cmdline,
+- struct sss_tool_ctx *)
++ struct sss_tool_ctx *tool_ctx)
+ {
+ struct sssctl_data_opts opts = {0};
+ errno_t ret;
+@@ -184,7 +184,7 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
+ }
+
+ errno_t sssctl_client_data_restore(struct sss_cmdline *cmdline,
+- struct sss_tool_ctx *)
++ struct sss_tool_ctx *tool_ctx)
+ {
+ struct sssctl_data_opts opts = {0};
+ errno_t ret;
+@@ -206,7 +206,7 @@ errno_t sssctl_client_data_restore(struct sss_cmdline *cmdline,
+ }
+
+ errno_t sssctl_cache_remove(struct sss_cmdline *cmdline,
+- struct sss_tool_ctx *)
++ struct sss_tool_ctx *tool_ctx)
+ {
+ struct sssctl_data_opts opts = {0};
+ errno_t ret;
+@@ -413,7 +413,7 @@ done:
+ }
+
+ errno_t sssctl_cache_index(struct sss_cmdline *cmdline,
+- struct sss_tool_ctx *)
++ struct sss_tool_ctx *tool_ctx)
+ {
+ const char *attr = NULL;
+ const char *action_str = NULL;
+diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
+index f8ef9f2c6..8ba18b394 100644
+--- a/src/tools/sssctl/sssctl_logs.c
++++ b/src/tools/sssctl/sssctl_logs.c
+@@ -418,7 +418,7 @@ int parse_debug_level(const char *strlevel)
+ }
+
+ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
+- struct sss_tool_ctx *)
++ struct sss_tool_ctx *tool_ctx)
+ {
+ struct sssctl_logs_opts opts = {0};
+ errno_t ret;
+@@ -470,7 +470,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
+ }
+
+ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
+- struct sss_tool_ctx *)
++ struct sss_tool_ctx *tool_ctx)
+ {
+ const char *file = NULL;
+ errno_t ret;
+@@ -587,7 +587,7 @@ fini:
+ }
+
+ errno_t sssctl_analyze(struct sss_cmdline *cmdline,
+- struct sss_tool_ctx *)
++ struct sss_tool_ctx *tool_ctx)
+ {
+ #ifndef BUILD_CHAIN_ID
+ PRINT("ERROR: Tevent chain ID support missing, log analyzer is unsupported.\n");
+--
+2.47.1
+
diff --git a/_scmsync.obsinfo b/_scmsync.obsinfo
index 7563c5d..cd6f0fc 100644
--- a/_scmsync.obsinfo
+++ b/_scmsync.obsinfo
@@ -1,4 +1,4 @@
-mtime: 1727778278
-commit: 3a2bee3ebf6e89af81880d7927649117d782a0ba9f98f06213bb4744f044b7fb
+mtime: 1736538796
+commit: e9bed7037d80b1a2f8f6599da3e1d34aee9e5b250cf5642ba8f8e1c6ea438517
 url: https://src.opensuse.org/jengelh/sssd
 revision: master
diff --git a/build.specials.obscpio b/build.specials.obscpio
index ff1116b..4f9bec8 100644
--- a/build.specials.obscpio
+++ b/build.specials.obscpio
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:cf1fe0bc9d0be1744e3756ea8a53562f128fa1e2514582f8a6cf3d9db472fdd3
+oid sha256:c125f3492f8f3631e79acbaf633c871c2e3afe7c0e9ce5e0da888e0ba4cbd104
 size 256
diff --git a/harden_sssd-kcm.service.patch b/harden_sssd-kcm.service.patch
index 183e0b0..5ff85b4 100644
--- a/harden_sssd-kcm.service.patch
+++ b/harden_sssd-kcm.service.patch
@@ -1,7 +1,11 @@
-Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
+---
+ src/sysv/systemd/sssd-kcm.service.in | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
 ===================================================================
---- sssd-2.5.2.orig/src/sysv/systemd/sssd-kcm.service.in
-+++ sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
+--- sssd-2.10.0.orig/src/sysv/systemd/sssd-kcm.service.in
++++ sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
 @@ -8,6 +8,19 @@ After=sssd-kcm.socket
  Also=sssd-kcm.socket
  
 @@ -20,5 +24,5 @@ Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
 +RestrictRealtime=true
 +# end of automatic additions
  Environment=DEBUG_LOGGER=--logger=files
- ExecStartPre=-@sbindir@/sssd --genconf-section=kcm
- ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}
+ ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
+ ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
diff --git a/sssd-2.10.1.tar.gz b/sssd-2.10.1.tar.gz
new file mode 100644
index 0000000..03c5c14
--- /dev/null
+++ b/sssd-2.10.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ea6a690047cea1ecd50016aa30946f9348da37b46daa984f34bc72ddb767539f
+size 9196848
diff --git a/sssd-2.10.1.tar.gz.asc b/sssd-2.10.1.tar.gz.asc
new file mode 100644
index 0000000..f720242
--- /dev/null
+++ b/sssd-2.10.1.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmdYSb4ACgkQ09IbKRDP
+Z1kRyRAAmkKhCUcBs4h2mDg7uzz7DfYFkHXEiY8EMoVP5Iw6ZsNL/V9fwF9xhj49
+XbnCfxj2zFfVWZd5VYnTpl86Hg3NrxuPehgM+iMAXS6U/55TvRPunCtTiRwoTZ4t
+zSgiBaSg3I2hmSN2cnSU8PpilEDCIeSP3uafmGXI1KUxEQltVbp0EeJ5CL5GP3xU
+rFgI1pKdTySlw6jZ3vjkAaHwdsJGB0MKtjiBJYtqvHmIzbUdSNN/iE5Wf5xsdtez
+KKLUrnKeQFuNyYWpjipJvbs7i9+E5VKFvCfrqFb6vQbp+Rgd98epVjp2VKovNy8p
+gZQmgfbi5GCWKuBx+dbaRSFa8hWemEwnBNboV6JKq4+CoPsMkI367utZV5gd58V5
+RHgLsrZfjahAXgG4ytwPhgKDV+sX+sSn4aXIdaSgc+vP7+ykLMxyzyR2GXyG+y11
+WrnovdR0HywHfzvlUnKQmcLUjCkXKVwIMw0oBRa8+YLTD08EeYgu+oXXDpGD0oL1
+YJLLBdr6ycR9Rk/sUqbZgEnzQZPYXazIraUrd71Ry8CaNvqi86Of7sX6SgSQQeg/
+ZPLNcPWPadG/9jpMNJNsXXEZicNJXznQczlXKvRXINOJzknJYwwgH+/55otbzNzq
+EjlOmFEn07bGAHCsHTfydlCeYqD9x+WV/X8CReMFjcaaBH4TDms=
+=S0c5
+-----END PGP SIGNATURE-----
diff --git a/sssd-2.9.5.tar.gz b/sssd-2.9.5.tar.gz
deleted file mode 100644
index 09b8ff1..0000000
--- a/sssd-2.9.5.tar.gz
+++ /dev/null
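Review bot: The new 0001-TOOL-Fix-build-parameter-name-omitted.patch carries no upstream reference beyond the raw commit id on its `From b927ca41…` line, so a later rebase has to guess whether this is a backport or a local fix; an `Upstream: <commit id or PR URL>` line above `Signed-off-by:` in the patch header would settle that. The inner change only restores the `tool_ctx` parameter name in the `sssctl_*` signatures, and every function body continues outside the visible hunks, so whether the parameter is actually used (and whether older compilers will then warn about an unused parameter) cannot be judged from here. In the rebased harden_sssd-kcm.service.patch that shares this line, the `Index:` and `---`/`+++` headers now name `sssd-2.10.0` while the package builds 2.10.1; harmless for `%patch`, but worth aligning on the next refresh.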
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:bf955cc26b6d215bbb9083eadb613f78d7b727fb023f39987aec37680ae40ae3
-size 8001964
diff --git a/sssd-2.9.5.tar.gz.asc b/sssd-2.9.5.tar.gz.asc
deleted file mode 100644
index 05b00fc..0000000
--- a/sssd-2.9.5.tar.gz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmZF8CMACgkQ09IbKRDP
-Z1lSVQ/9EPVvWUX1z/pHfbvDjRpfD+LDbDceYB4YBh0caYpMVFm/2wHhFIjTYEpf
-SmIR+SQp50NkRSK6tE/u+Swu+YUkiCqnEWv2y9wd4Uh2NKiukyiqBC1k2cn9URNu
-oRreBM1KIRvTkdoyZwteELJ7vMLVr0UT2iIXZQFIIZX+LM3FNZJ5vFcj5fF0Hz1f
-v8zR0VTB7xY/6U+4KikvMyM3fOPeTOJvEtMp4xDWyquRjCADjZasOQcKRQzXp1er
-zs/qLcQ8eCODXhKelGqmppVIElW+72f1FNbMpBnlQ7VtFn6pn4sPazO0Hr7eNfZJ
-Vc6GXN8zZ/oF5U4x7XSMVqeOHLQoLeb2HxgUzS+1Ig19FHOs6Xoj0dO5l/TOEFav
-l61qytYnj3DNZjrMVLsMvOx3qGYK7PmyaWNoIJlLO2GbWKMP/8yBm35Ugd0jybSi
-T7VWX+isQHfVhSZ9wD4/yYOBAU3lABORAjXkCWQp/vMR/KiHbfaajCAbl56KiijQ
-eKYaq57EH3N+qKd1sqCrPfSw3HSqm3rngG1CsMasBQgLFs2aW+Mwo3UvQ1U/ykED
-mOo2D9uhOQluv4AUSpKK6E8EXoPSxDFZI4WX37depO2VGXDO90JNfVamJXjy1+bH
-d/RnoZfC7h7Vb1P1bPgGdsAFQBOP0FinbEjehpw0P0U2xAZQWek=
-=pY7t
------END PGP SIGNATURE-----
diff --git a/sssd.changes b/sssd.changes
index 473f4d7..75f144c 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -1,3 +1,44 @@
+-------------------------------------------------------------------
+Tue Dec 10 20:17:10 UTC 2024 - Jan Engelhardt
+
+- Update to release 2.10.1
+ * SSSD does not create anymore missing path components of
+ DIR:/FILE: ccache types while acquiring user's TGT. The
+ parent directory of requested ccache directory must exist and
+ the user trying to log in must have rwx access to this
+ directory. This matches behavior of /usr/bin/kinit.
+ * The option default_domain_suffix is deprecated.
+- Delete 0001-Configuration-make-sure-etc-sssd-and-everything.patch,
+ 0001-INI-relax-config-files-checks.patch,
+ 0001-INI-stop-using-libini_config-for-access-check.patch,
+ 0001-sssd-always-print-path-when-config-object-is-rejecte.patch
+ (merged)
+- Add 0001-TOOL-Fix-build-parameter-name-omitted.patch
+
+-------------------------------------------------------------------
+Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt
+
+- Update to release 2.10.0
+ * The ``sssctl cache-upgrade`` command was removed. SSSD
+ performs automatic upgrades at startup when needed.
+ * Support of ``enumeration`` feature (i.e. ability to list all
+ users/groups using ``getent passwd/group`` without argument)
+ for AD/IPA providers is deprecated and might be removed in
+ further releases.
+ * The new tool ``sss_ssh_knownhosts`` can be used with ssh's
+ ``KnownHostsCommand`` configuration option to retrieve the
+ host's public keys from a remote server (FreeIPA, LDAP,
+ etc.). It replaces ```sss_ssh_knownhostsproxy``.
+ * The default value for ``ldap_id_use_start_tls`` changed from
+ false to true for improved security.
+ * https://github.com/SSSD/sssd/releases/tag/2.10.0 +- Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch, + 0001-INI-stop-using-libini_config-for-access-check.patch, + 0001-INI-relax-config-files-checks.patch, + 0001-Configuration-make-sure-etc-sssd-and-everything.patch +- Fix socket activation of responders +- Daemon runs now as unprivileged user 'sssd' + ------------------------------------------------------------------- Tue Oct 1 10:15:07 UTC 2024 - Jan Engelhardt diff --git a/sssd.spec b/sssd.spec index 354fd6e..97f76b5 100644 --- a/sssd.spec +++ b/sssd.spec @@ -17,7 +17,7 @@ Name: sssd -Version: 2.9.5 +Version: 2.10.1 Release: 0 Summary: System Security Services Daemon License: GPL-3.0-or-later AND LGPL-3.0-or-later @@ -28,10 +28,11 @@ Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%v Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc Source3: baselibs.conf Source5: %name.keyring -Patch1: krb-noversion.diff -Patch2: harden_sssd-ifp.service.patch -Patch3: harden_sssd-kcm.service.patch -Patch4: symvers.patch +Patch1: 0001-TOOL-Fix-build-parameter-name-omitted.patch +Patch11: krb-noversion.diff +Patch12: harden_sssd-ifp.service.patch +Patch13: harden_sssd-kcm.service.patch +Patch14: symvers.patch BuildRequires: autoconf >= 2.59 BuildRequires: automake BuildRequires: bind-utils 
@@ -48,26 +49,32 @@ BuildRequires: libtool BuildRequires: libunistring-devel BuildRequires: libxml2-tools BuildRequires: libxslt-tools +BuildRequires: libopenssl-3-devel BuildRequires: nscd BuildRequires: nss_wrapper BuildRequires: openldap2-devel BuildRequires: pam-devel BuildRequires: pkg-config >= 0.21 +BuildRequires: python3-wheel +BuildRequires: python3-setuptools BuildRequires: systemd-rpm-macros +BuildRequires: sysuser-tools BuildRequires: uid_wrapper BuildRequires: pkgconfig(augeas) >= 1.0.0 BuildRequires: pkgconfig(collection) >= 0.5.1 BuildRequires: pkgconfig(dbus-1) >= 1.0.0 BuildRequires: pkgconfig(dhash) >= 0.4.2 BuildRequires: pkgconfig(glib-2.0) -BuildRequires: pkgconfig(ini_config) >= 1.1.0 +BuildRequires: pkgconfig(ini_config) >= 1.3 BuildRequires: pkgconfig(jansson) -BuildRequires: pkgconfig(ldb) >= 0.9.2 +BuildRequires: pkgconfig(ldb) >= 1.2.0 +BuildRequires: pkgconfig(libcap) BuildRequires: pkgconfig(libcares) -BuildRequires: pkgconfig(libcrypto) +BuildRequires: pkgconfig(libcrypto) >= 1.0.1 %if 0%{?suse_version} >= 1600 BuildRequires: pkgconfig(libcurl) %endif +BuildRequires: pkgconfig(libcap) BuildRequires: pkgconfig(libnfsidmap) BuildRequires: pkgconfig(libnl-3.0) >= 3.0 BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0 @@ -93,7 +100,10 @@ BuildRequires: pkgconfig(uuid) # Package contains just config files, not needed for build. #!BuildIgnore: libldap-data %endif +%sysusers_requires %{?systemd_ordering} +Requires(post): permissions +Requires(verify): permissions Requires: sssd-ldap = %version-%release Requires(postun): pam-config Provides: libsss_sudo = %version-%release 
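Review bot: `BuildRequires: pkgconfig(libcap)` is added twice in this hunk — once after `pkgconfig(ldb) >= 1.2.0` and again right after the `%endif` of the `libcurl` block — so one of the two lines should be dropped. `BuildRequires: libopenssl-3-devel` sits next to the versioned `pkgconfig(libcrypto) >= 1.0.1` that already pulls in an OpenSSL development package; keeping only the pkgconfig form, or adding a one-line comment saying why the explicit package name is needed, would avoid the overlap. The two new `python3-wheel`/`python3-setuptools` lines are also out of the alphabetical order the surrounding block keeps.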
@@ -102,14 +112,24 @@ Obsoletes: libsss_sudo < %version-%release Provides: sssd-common = %version-%release Obsoletes: sssd-common < %version-%release +%global sssd_user sssd %define servicename sssd %define sssdstatedir %_localstatedir/lib/sss %define dbpath %sssdstatedir/db %define pipepath %sssdstatedir/pipes %define pubconfpath %sssdstatedir/pubconf %define gpocachepath %sssdstatedir/gpo_cache +%define keytabdir %sssdstatedir/keytabs +%define mcpath %sssdstatedir/mc %define ldbdir %(pkg-config ldb --variable=modulesdir) + +%if 0%{?suse_version} >= 1600 +%define permissions_path %_datadir/permissions/permissions.d/ +%else +%define permissions_path %_sysconfdir/permissions.d/ +%endif + # Both SSSD and cifs-utils provide an idmap plugin for cifs.ko # %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins # * cifs-utils one is the default (priority 20) @@ -122,11 +142,11 @@ Requires(post): update-alternatives Requires(postun): update-alternatives %description -Provides a set of daemons to manage access to remote directories and -authentication mechanisms. It provides an NSS and PAM interface toward -the system and a pluggable backend system to connect to multiple different -account sources. It is also the basis to provide client auditing and policy -services for projects like FreeIPA. +A set of daemons to manage access to remote directories and +authentication mechanisms. sssd provides an NSS and PAM interfaces +toward the system and a pluggable backend system to connect to +multiple different account sources. It is also the basis to provide +client auditing and policy services for projects like FreeIPA. %package ad Summary: The ActiveDirectory backend plugin for sssd 
@@ -136,9 +156,8 @@ Requires: %name-krb5-common = %version-%release Requires: adcli %description ad -Provides the Active Directory back end that the SSSD can utilize to -fetch identity data from and authenticate against an Active Directory -server. +A back-end provider that the SSSD can utilize to fetch identity data +from, and authenticate with, an Active Directory server. %package dbus Summary: The D-Bus responder of sssd @@ -147,7 +166,7 @@ Group: System/Base Requires: %name = %version %description dbus -Provides the D-Bus responder of sssd, called InfoPipe, which allows +D-Bus responder of sssd, called InfoPipe, which allows information from sssd to be transmitted over the system bus. %package ipa @@ -161,8 +180,8 @@ Obsoletes: %name-ipa-provider < %version-%release Provides: %name-ipa-provider = %version-%release %description ipa -Provides the IPA back end that the SSSD can utilize to fetch identity -data from and authenticate against an IPA server. +A back-end provider that the SSSD can utilize to fetch identity data +from, and authenticate with, an IPA server. %package kcm Summary: SSSD's Kerberos cache manager @@ -181,14 +200,16 @@ Group: System/Daemons Requires: %name-krb5-common = %version-%release %description krb5 -Provides the Kerberos back end that the SSSD can utilize authenticate -against a Kerberos server. +A back-end provider that the SSSD can utilize to authenticate against +a Kerberos server. %package krb5-common Summary: SSSD helpers needed for Kerberos and GSSAPI authentication License: GPL-3.0-or-later Group: System/Daemons Requires: cyrus-sasl-gssapi +Requires(post): permissions +Requires(verify): permissions %description krb5-common Provides helper processes that the LDAP and Kerberos back ends can 
@@ -201,8 +222,8 @@ Group: System/Daemons Requires: %name-krb5-common = %version-%release %description ldap -Provides the LDAP back end that the SSSD can utilize to fetch -identity data from and authenticate against an LDAP server. +A back-end provider that the SSSD can utilize to fetch identity data +from, and authenticate with, an LDAP server. %package proxy Summary: The proxy backend plugin for sssd @@ -210,8 +231,8 @@ License: GPL-3.0-or-later Group: System/Daemons %description proxy -Provides the proxy back end which can be used to wrap an existing NSS -and/or PAM modules to leverage SSSD caching. +A back-end provider which can be used to wrap existing NSS and/or PAM +modules to leverage SSSD caching. (This can replace nscd.) %package tools Summary: Commandline tools for sssd @@ -221,7 +242,7 @@ Requires: python3-sssd-config = %version-%release Requires: sssd = %version %description tools -The packages contains commandline tools for managing users and groups using +The packages contains command-line tools for managing users and groups using the "local" id provider of the System Security Services Daemon (sssd). %package winbind-idmap @@ -238,7 +259,7 @@ License: LGPL-3.0-or-later Group: System/Libraries %description -n libsss_certmap0 -A utility library for FreeIPA to map certs. +A utility library for FreeIPA to map certificates. %package -n libsss_certmap-devel Summary: Development files for the FreeIPA certmap library @@ -247,7 +268,7 @@ Group: Development/Libraries/C and C++ Requires: libsss_certmap0 = %version %description -n libsss_certmap-devel -A utility library for FreeIPA to map certs. +A utility library for FreeIPA to map certificates. %package -n libipa_hbac0 Summary: FreeIPA HBAC Evaluator library 
@@ -311,7 +332,6 @@ Requires: libsss_nss_idmap0 = %version %description -n libsss_nss_idmap-devel A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs. -%if 0%{?suse_version} < 1600 %package -n libsss_simpleifp0 Summary: The SSSD D-Bus responder helper library License: GPL-3.0-or-later @@ -334,7 +354,6 @@ Requires: libsss_simpleifp0 = %version This subpackage provides the development files for sssd's simpleifp, a library that simplifies the D-Bus API for the SSSD InfoPipe responder. -%endif %package -n libsss_sudo Summary: A library to allow communication between sudo and SSSD @@ -401,27 +420,26 @@ autoreconf -fiv --with-environment-file="%_sysconfdir/sysconfig/sssd" \ --with-initscript=systemd \ --with-syslog=journald \ - --with-pid-path="%_rundir" \ - --enable-nsslibdir="/%_lib" \ + --with-pid-path="%_rundir/sssd" \ --enable-pammoddir="%_pam_moduledir" \ --with-ldb-lib-dir="%ldbdir" \ --with-os=suse \ --disable-ldb-version-check \ --without-python2-bindings \ --without-oidc-child \ + --with-sssd-user="%sssd_user" \ %if 0%{?suse_version} >= 1600 --with-selinux=yes \ --with-subid %else --with-selinux=no \ - --with-semanage=no \ --with-libsifp \ --with-files-provider %endif %make_build all %install -# sss_obfuscate is compatible with both python 2 and 3 +# sss_obfuscate is compatible with both Python 2 and 3 perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate %make_install dbuspolicydir=%_datadir/dbus-1/system.d b="%buildroot" 
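Review bot: The `%if 0%{?suse_version} < 1600` guard around `%package -n libsss_simpleifp0` and its `-devel` subpackage is removed in the first two hunks here, but in the `%build` hunk further down `--with-libsifp` is still passed only in the `%else` branch for `suse_version < 1600`; unless sssd 2.10 builds libsss_simpleifp unconditionally, the `%files` for that subpackage (not visible in this diff) will not be satisfied on >= 1600, so either the configure flag or the guard should follow the other. The removal of `--enable-nsslibdir="/%_lib"` and `--with-semanage=no` in the same hunk matches the `%_libdir/libnss_sss.so.2` and dropped `libsss_semanage*` entries in the `%files` hunks below, so those two look consistent. `--with-pid-path="%_rundir/sssd"` presumably relies on the tmpfiles snippet and the `%ghost %dir %_rundir/sssd` entry being in step; the `%install` section is only partly visible here, so that cannot be confirmed from this diff.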
@@ -455,22 +473,44 @@ find "$b" -type f -name "*.la" -print -delete %find_lang %name --all-name # dummy target for cifs-idmap-plugin -mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils -ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin +mkdir -pv "$b/%_sysconfdir/alternatives" "$b/%_sysconfdir/cifs-utils" +ln -sfv "%_sysconfdir/alternatives/%cifs_idmap_name" "$b/%cifs_idmap_plugin" %python3_fix_shebang %if 0%{?suse_version} > 1600 -%python3_fix_shebang_path %buildroot/%_libexecdir/%name/ +%python3_fix_shebang_path %buildroot/%_libexecdir/%name/sss_analyze %elif 0%{?suse_version} == 1600 # python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204 -sed -i '1s@#!.*python.*@#!%{_bindir}/python3.11@' %{buildroot}/%{_libexecdir}/%{name}/sss_analyze +sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analyze" %endif +echo 'u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin' >system-user-sssd.conf +mkdir -p "$b/%_sysusersdir" +cp -a system-user-sssd.conf "$b/%_sysusersdir/" +%sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf +install -Dpm 0644 contrib/sssd-tmpfiles.conf "%buildroot/%_tmpfilesdir/%name.conf" +# +# Security considerations for capabilities, chown and stuff: +# https://www.openwall.com/lists/oss-security/2024/12/19/1 +# +# should match entry from %%files list +mkdir -p "$b/%permissions_path" +cat >"$b/%permissions_path/sssd" <<-EOF + %_libexecdir/sssd/sssd_pam root:sssd 0750 + +capabilities cap_dac_read_search=p + %_libexecdir/sssd/selinux_child root:sssd 0750 + +capabilities cap_setgid,cap_setuid=p + %_libexecdir/sssd/krb5_child root:sssd 0750 + +capabilities cap_dac_read_search,cap_setgid,cap_setuid=p + %_libexecdir/sssd/ldap_child root:sssd 0750 + +capabilities cap_dac_read_search=p +EOF + %check # sss_config-tests fails %make_build check || : -%pre -%service_add_pre sssd.service +%pre -f 
random.pre +%service_add_pre sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket %if "%{?_distconfdir}" != "" # Prepare for migration to /usr/etc; save any old .rpmsave for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do 
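Review bot: The sysusers line `echo 'u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin'` and the four `root:sssd` owners in the permissions.d heredoc hard-code the account name that `%global sssd_user sssd` was introduced for; writing `u %sssd_user …` and `root:%sssd_user` keeps sysusers, permissions.d and the `%attr`/`%caps` lines in `%files` from drifting apart. The permissions.d entry for `selinux_child` is written unconditionally, while `%files` ships `selinux_child` only under `%if 0%{?suse_version} >= 1600`; on older targets the `%set_permissions`/`%verify_permissions` calls then refer to a file the package does not contain, so that heredoc line and the scriptlet arguments should sit under the same condition. The `random` label in `%sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf` reads like a placeholder; naming the generated snippet after the package or the user would say what it is. The `%pre` scriptlet this hunk opens continues past its end, so its remaining lines are not reviewed here.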
@@ -484,38 +524,38 @@ done if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then /bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' "%_sysconfdir/sssd/sssd.conf" fi -%service_add_post sssd.service +%service_add_post sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket + +%_bindir/rm -f %mcpath/passwd %mcpath/group %mcpath/initgroups %mcpath/sid +%tmpfiles_create %name.conf +%set_permissions %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam # install SSSD cifs-idmap plugin as an alternative update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority %preun -%service_del_preun sssd.service +%service_del_preun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket %postun /sbin/ldconfig -if [ "$1" = "0" -a -x "%_sbindir/pam-config" ]; then +if [ "$1" = "0" ] && [ -x "%_sbindir/pam-config" ]; then "%_sbindir/pam-config" -d --sss || : fi # del_postun includes a try-restart -%service_del_postun sssd.service +%service_del_postun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket if [ ! 
-f "%cifs_idmap_lib" ]; then update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib fi -%post -n libsss_certmap0 -p /sbin/ldconfig -%postun -n libsss_certmap0 -p /sbin/ldconfig -%post -n libipa_hbac0 -p /sbin/ldconfig -%postun -n libipa_hbac0 -p /sbin/ldconfig -%post -n libsss_idmap0 -p /sbin/ldconfig -%postun -n libsss_idmap0 -p /sbin/ldconfig -%post -n libsss_nss_idmap0 -p /sbin/ldconfig -%postun -n libsss_nss_idmap0 -p /sbin/ldconfig -%if 0%{?suse_version} < 1600 -%post -n libsss_simpleifp0 -p /sbin/ldconfig -%postun -n libsss_simpleifp0 -p /sbin/ldconfig -%endif +%ldconfig_scriptlets -n libsss_certmap0 +%ldconfig_scriptlets -n libipa_hbac0 +%ldconfig_scriptlets -n libsss_idmap0 +%ldconfig_scriptlets -n libsss_nss_idmap0 +%ldconfig_scriptlets -n libsss_simpleifp0 + +%verifyscript +%verify_permissions -e %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam %triggerun -- %name < %version-%release # sssd takes care of upgrading the database but it doesn't handle downgrades. @@ -550,17 +590,27 @@ fi %postun kcm %service_del_postun sssd-kcm.service sssd-kcm.socket +%pre krb5-common -f random.pre + +%post krb5-common +%set_permissions %_libexecdir/%name/krb5_child %_libexecdir/%name/ldap_child + +%verifyscript krb5-common +%verify_permissions -e %_libexecdir/%name/krb5_child %_libexecdir/%name/ldap_child + +%pre proxy -f random.pre + %pretrans # Migrate sssd.service from sssd-common to sssd systemctl is-enabled sssd.service > /dev/null if [ $? -eq 0 ]; then -mkdir -p /run/systemd/rpm/ -touch /run/systemd/rpm/sssd-was-enabled + mkdir -p /run/systemd/rpm/ + touch /run/systemd/rpm/sssd-was-enabled fi systemctl is-active sssd.service > /dev/null if [ $? -eq 0 ]; then -mkdir -p /run/systemd/rpm/ -touch /run/systemd/rpm/sssd-was-active + mkdir -p /run/systemd/rpm/ + touch /run/systemd/rpm/sssd-was-active fi %posttrans 
@@ -572,20 +622,20 @@ done %endif # Migrate sssd.service from sssd-common to sssd if [ -e /run/systemd/rpm/sssd-was-enabled ]; then -systemctl is-enabled sssd.service > /dev/null -if [ $? -ne 0 ]; then - echo "Migrating sssd.service, was enabled" - systemctl enable sssd.service -fi -rm /run/systemd/rpm/sssd-was-enabled + systemctl is-enabled sssd.service >/dev/null + if [ $? -ne 0 ]; then + echo "Migrating sssd.service, was enabled" + systemctl enable sssd.service + fi + rm /run/systemd/rpm/sssd-was-enabled fi if [ -e /run/systemd/rpm/sssd-was-active ]; then -systemctl is-active sssd.service > /dev/null -if [ $? -ne 0 ]; then - echo "Migrating sssd.service, was active" - systemctl start sssd.service -fi -rm /run/systemd/rpm/sssd-was-active + systemctl is-active sssd.service >/dev/null + if [ $? -ne 0 ]; then + echo "Migrating sssd.service, was active" + systemctl start sssd.service + fi + rm /run/systemd/rpm/sssd-was-active fi %files -f sssd.lang @@ -598,12 +648,17 @@ fi %_unitdir/sssd-pac.socket %_unitdir/sssd-pac.service %_unitdir/sssd-pam.socket -%_unitdir/sssd-pam-priv.socket %_unitdir/sssd-pam.service %_unitdir/sssd-ssh.socket %_unitdir/sssd-ssh.service %_unitdir/sssd-sudo.socket %_unitdir/sssd-sudo.service +%_sysusersdir/*sssd* +%_tmpfilesdir/*sssd* +%permissions_path/sssd +%dir %_datadir/polkit-1 +%attr(0555,root,root) %dir %_datadir/polkit-1/rules.d +%_datadir/polkit-1/rules.d/* %_bindir/sss_ssh_* %_sbindir/sssd %if 0%{?suse_version} < 1600 @@ -647,7 +702,6 @@ fi %_libdir/%name/libsss_files* %endif %_libdir/%name/libsss_iface* -%_libdir/%name/libsss_semanage* %_libdir/%name/libsss_sbus* %_libdir/%name/libsss_simple* %_libdir/%name/libsss_util* 
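Review bot: `%dir %_datadir/polkit-1` and `%attr(0555,root,root) %dir %_datadir/polkit-1/rules.d` in the `@@ -598,12 +648,17 @@` hunk make sssd co-own polkit's directories with a mode of its own choosing; if the polkit package owns them with different attributes rpm will report a conflict, and if it does not, the 0555 deserves a short comment explaining why it differs from the usual 0755. Declaring the relationship explicitly (for example `Requires: polkit` on the package that ships the rules file, if that is the intent) would make the ownership question go away. Dropping `%_unitdir/sssd-pam-priv.socket` is consistent with the new `%service_add_*` lists, which no longer mention that unit.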
@@ -660,32 +714,33 @@ fi %_libexecdir/%name/sssd_autofs %_libexecdir/%name/sssd_be %_libexecdir/%name/sssd_nss -%_libexecdir/%name/sssd_pam +%attr(750,root,%sssd_user) %caps(cap_dac_read_search=p) %_libexecdir/%name/sssd_pam %_libexecdir/%name/sssd_ssh %_libexecdir/%name/sssd_sudo %_libexecdir/%name/sss_signal %_libexecdir/%name/sssd_check_socket_activated_responders %if 0%{?suse_version} >= 1600 -%_libexecdir/%name/selinux_child +%attr(750,root,%sssd_user) %caps(cap_setgid,cap_setuid=p) %_libexecdir/%name/selinux_child %endif %dir %sssdstatedir -%attr(700,root,root) %dir %dbpath/ -%attr(755,root,root) %dir %pipepath/ -%attr(700,root,root) %dir %pipepath/private/ -%attr(755,root,root) %dir %pubconfpath/ -%attr(755,root,root) %dir %pubconfpath/krb5.include.d -%attr(755,root,root) %dir %gpocachepath/ -%attr(755,root,root) %dir %sssdstatedir/mc/ -%attr(700,root,root) %dir %sssdstatedir/keytabs/ -%attr(750,root,root) %dir %_localstatedir/log/%name/ +%attr(700,%sssd_user,%sssd_user) %dir %dbpath/ +%attr(755,%sssd_user,%sssd_user) %dir %pipepath/ +%attr(700,%sssd_user,%sssd_user) %dir %pipepath/private/ +%attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/ +%attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/krb5.include.d +%attr(755,%sssd_user,%sssd_user) %dir %gpocachepath/ +%attr(755,%sssd_user,%sssd_user) %dir %mcpath/ +%attr(700,%sssd_user,%sssd_user) %dir %keytabdir/ +%attr(750,%sssd_user,%sssd_user) %dir %_localstatedir/log/%name/ +%attr(775,%sssd_user,%sssd_user) %dir %sssdstatedir/ %if "%{?_distconfdir}" != "" -%dir %_distconfdir/sssd/ -%%dir %_distconfdir/sssd/conf.d -%config(noreplace) %_distconfdir/sssd/sssd.conf +%attr(750,root,%sssd_user) %dir %_distconfdir/sssd/ +%attr(750,root,%sssd_user) %dir %_distconfdir/sssd/conf.d +%attr(640,root,%sssd_user) %_distconfdir/sssd/sssd.conf %else -%dir %_sysconfdir/sssd/ -%%dir %_sysconfdir/sssd/conf.d -%config(noreplace) %_sysconfdir/sssd/sssd.conf +%attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/ 
+%attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/conf.d +%ghost %attr(640,root,%sssd_user) %config(noreplace) %_sysconfdir/sssd/sssd.conf %endif %if 0%{?suse_version} > 1500 %_distconfdir/logrotate.d/sssd @@ -704,11 +759,12 @@ fi %else %exclude %_mandir/*/*/sssd-files.5.gz %endif +%attr(775,%sssd_user,%sssd_user) %ghost %dir %_rundir/sssd %doc src/examples/sssd.conf # # sssd-client # -/%_lib/libnss_sss.so.2 +%_libdir/libnss_sss.so.2 %_pam_moduledir/pam_sss.so %_pam_moduledir/pam_sss_gss.so %_libdir/krb5/ @@ -793,8 +849,8 @@ fi %dir %_libdir/%name/ %_libdir/%name/libsss_krb5_common.so %dir %_libexecdir/%name/ -%_libexecdir/%name/krb5_child -%_libexecdir/%name/ldap_child +%attr(750,root,%sssd_user) %caps(cap_dac_read_search,cap_setgid,cap_setuid=p) %_libexecdir/%name/krb5_child +%attr(750,root,%sssd_user) %caps(cap_dac_read_search=p) %_libexecdir/%name/ldap_child %files ldap %dir %_libdir/%name/ @@ -811,7 +867,7 @@ fi %dir %_libdir/%name/ %_libdir/%name/libsss_proxy.so %dir %_libexecdir/%name/ -%_libexecdir/%name/proxy_child +%attr(750,root,%sssd_user) %_libexecdir/%name/proxy_child %dir %_datadir/%name/ %dir %_datadir/%name/sssd.api.d/ %_datadir/%name/sssd.api.d/sssd-proxy.conf diff --git a/symvers.patch b/symvers.patch index ab19be6..89e9857 100644 --- a/symvers.patch +++ b/symvers.patch 
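Review bot: In the `@@ -660,32 +714,33 @@` hunk the kept context line `%dir %sssdstatedir` and the added `%attr(775,%sssd_user,%sssd_user) %dir %sssdstatedir/` list the same directory twice, so rpmbuild will warn about a file listed twice and the effective mode depends on which entry wins; keep only the `%attr` line. That entry and the `%attr(775,%sssd_user,%sssd_user) %ghost %dir %_rundir/sssd` line in the next hunk make both directories group-writable for group `sssd`; if that mirrors upstream's spec it is fine, otherwise 755 is the safer default given that the child helpers and the config directory are deliberately 0750/0640 `root:%sssd_user`. The `_distconfdir` branch now ships `sssd.conf` as a regular `%attr(640,root,%sssd_user)` file while the `_sysconfdir` branch marks it `%ghost … %config(noreplace)`; that asymmetry may be intended, but a one-line comment above the `%if` saying where each copy comes from would save the next reader from checking the `%install` section.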
@@ -12,14 +12,14 @@ libsss_ldap.so(-2.7.4) cannot find a libsss_util.so(-2.7.4), since the system only has libsss_util.so(-2.8.2) at this point. --- - Makefile.am | 47 ++++++++++++++++++++++++++++++++--------------- - 1 file changed, 32 insertions(+), 15 deletions(-) + Makefile.am | 44 ++++++++++++++++++++++++++++++-------------- + 1 file changed, 30 insertions(+), 14 deletions(-) -Index: sssd-2.9.2/Makefile.am +Index: sssd-2.10.1/Makefile.am =================================================================== ---- sssd-2.9.2.orig/Makefile.am -+++ sssd-2.9.2/Makefile.am -@@ -955,7 +955,11 @@ libsss_debug_la_SOURCES = \ +--- sssd-2.10.1.orig/Makefile.am ++++ sssd-2.10.1/Makefile.am +@@ -971,7 +971,11 @@ libsss_debug_la_SOURCES = \ libsss_debug_la_LIBADD = \ $(SYSLOG_LIBS) libsss_debug_la_LDFLAGS = \ @@ -32,7 +32,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_child.la libsss_child_la_SOURCES = src/util/child_common.c -@@ -965,7 +969,8 @@ libsss_child_la_LIBADD = \ +@@ -981,7 +985,8 @@ libsss_child_la_LIBADD = \ $(DHASH_LIBS) \ libsss_debug.la \ $(NULL) @@ -42,7 +42,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_crypt.la -@@ -1004,7 +1009,8 @@ libsss_crypt_la_LIBADD = \ +@@ -1021,7 +1026,8 @@ libsss_crypt_la_LIBADD = \ libsss_debug.la \ $(NULL) libsss_crypt_la_LDFLAGS = \ @@ -52,7 +52,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_cert.la -@@ -1029,8 +1035,9 @@ libsss_cert_la_LIBADD = \ +@@ -1046,8 +1052,9 @@ libsss_cert_la_LIBADD = \ libsss_debug.la \ $(NULL) libsss_cert_la_LDFLAGS = \ @@ -63,7 +63,7 @@ Index: sssd-2.9.2/Makefile.am generate-sbus-code: $(builddir)/sbus_generate.sh $(abs_srcdir) -@@ -1131,8 +1138,9 @@ libsss_sbus_la_CFLAGS = \ +@@ -1148,8 +1155,9 @@ libsss_sbus_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libsss_sbus_la_LDFLAGS = \ 
@@ -74,7 +74,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_sbus_sync.la libsss_sbus_sync_la_SOURCES = \ -@@ -1167,8 +1175,9 @@ libsss_sbus_sync_la_CFLAGS = \ +@@ -1184,8 +1192,9 @@ libsss_sbus_sync_la_CFLAGS = \ $(UNICODE_LIBS) \ $(NULL) libsss_sbus_sync_la_LDFLAGS = \ @@ -85,7 +85,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_iface.la libsss_iface_la_SOURCES = \ -@@ -1197,8 +1206,9 @@ libsss_iface_la_CFLAGS = \ +@@ -1214,8 +1223,9 @@ libsss_iface_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libsss_iface_la_LDFLAGS = \ @@ -96,7 +96,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_iface_sync.la libsss_iface_sync_la_SOURCES = \ -@@ -1225,8 +1235,9 @@ libsss_iface_sync_la_CFLAGS = \ +@@ -1242,8 +1252,9 @@ libsss_iface_sync_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libsss_iface_sync_la_LDFLAGS = \ @@ -107,7 +107,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_util.la libsss_util_la_SOURCES = \ -@@ -1322,7 +1333,8 @@ endif +@@ -1338,7 +1349,8 @@ endif if BUILD_PASSKEY libsss_util_la_SOURCES += src/db/sysdb_passkey_user_verification.c endif # BUILD_PASSKEY @@ -115,19 +115,9 @@ Index: sssd-2.9.2/Makefile.am +libsss_util_la_LDFLAGS = -avoid-version ${symv} +EXTRA_libsss_util_la_DEPENDENCIES = x.sym - pkglib_LTLIBRARIES += libsss_semanage.la - libsss_semanage_la_CFLAGS = \ -@@ -1341,7 +1353,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_ - endif - - libsss_semanage_la_LDFLAGS = \ -- -avoid-version -+ -avoid-version ${symv} -+EXTRA_libsss_semanage_la_DEPENDENCIES = x.sym - SSSD_INTERNAL_LTLIBS = \ libsss_util.la \ -@@ -1357,7 +1370,7 @@ lib_LTLIBRARIES = libipa_hbac.la \ +@@ -1354,7 +1366,7 @@ lib_LTLIBRARIES = libipa_hbac.la \ $(NULL) pkgconfig_DATA += src/lib/ipa_hbac/ipa_hbac.pc 
@@ -136,7 +126,7 @@ Index: sssd-2.9.2/Makefile.am libipa_hbac_la_SOURCES = \ src/lib/ipa_hbac/hbac_evaluator.c \ src/util/sss_utf8.c -@@ -1688,8 +1701,9 @@ libifp_iface_la_CFLAGS = \ +@@ -1682,8 +1694,9 @@ libifp_iface_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libifp_iface_la_LDFLAGS = \ @@ -147,7 +137,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libifp_iface_sync.la libifp_iface_sync_la_SOURCES = \ -@@ -1714,8 +1728,9 @@ libifp_iface_sync_la_CFLAGS = \ +@@ -1708,8 +1721,9 @@ libifp_iface_sync_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libifp_iface_sync_la_LDFLAGS = \ @@ -158,7 +148,7 @@ Index: sssd-2.9.2/Makefile.am sssd_ifp_SOURCES = \ src/responder/ifp/ifpsrv.c \ -@@ -4314,8 +4329,9 @@ libsss_ldap_common_la_LIBADD = \ +@@ -4314,8 +4328,9 @@ libsss_ldap_common_la_LIBADD = \ $(SSSD_INTERNAL_LTLIBS) \ $(NULL) libsss_ldap_common_la_LDFLAGS = \ @@ -169,7 +159,7 @@ Index: sssd-2.9.2/Makefile.am if BUILD_SYSTEMTAP libsss_ldap_common_la_LIBADD += stap_generated_probes.lo endif -@@ -4372,7 +4388,8 @@ libsss_krb5_common_la_LIBADD = \ +@@ -4371,7 +4386,8 @@ libsss_krb5_common_la_LIBADD = \ $(SSSD_INTERNAL_LTLIBS) \ $(NULL) libsss_krb5_common_la_LDFLAGS = \