Accepting request 1044142 from network:ldap

- Take systemd units off the restart list that have RefuseManualStart=yes - Add symvers.patch OBS-URL: https://build.opensuse.org/request/show/1044142 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sssd?expand=0&rev=124
2022-12-24 13:50:50 +00:00 · 2022-12-24 13:50:50 +00:00 · a51fc7b5d7
commit a51fc7b5d7
parent ee8af1c302 c22b04d15b
3 changed files with 202 additions and 14 deletions
--- a/sssd.changes
+++ b/sssd.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Dec 21 19:29:45 UTC 2022 - Jan Engelhardt <jengelh@inai.de>
+
+- Take systemd units off the restart list that have
+  RefuseManualStart=yes [boo#1206592]
+- Add symvers.patch [boo#1206592]
+
 -------------------------------------------------------------------
 Sun Dec 11 14:17:23 UTC 2022 - Jan Engelhardt <jengelh@inai.de>

--- a/sssd.spec
+++ b/sssd.spec
@ -20,7 +20,7 @@ Name:           sssd
 Version:        2.8.2
 Release:        0
 Summary:        System Security Services Daemon
-License:        GPL-3.0-or-later and LGPL-3.0-or-later
+License:        GPL-3.0-or-later AND LGPL-3.0-or-later
 Group:          System/Daemons
 URL:            https://github.com/SSSD/sssd
 #Git-Clone:	https://github.com/SSSD/sssd
@ -29,8 +29,9 @@ Source2:        https://github.com/SSSD/sssd/releases/download/%version/%name-%v
 Source3:        baselibs.conf
 Source5:        %name.keyring
 Patch1:         krb-noversion.diff
-Patch2:	harden_sssd-ifp.service.patch
-Patch3:	harden_sssd-kcm.service.patch
+Patch2:         harden_sssd-ifp.service.patch
+Patch3:         harden_sssd-kcm.service.patch
+Patch4:         symvers.patch
 BuildRequires:  autoconf >= 2.59
 BuildRequires:  automake
 BuildRequires:  bind-utils
@ -40,6 +41,7 @@ BuildRequires:  cyrus-sasl-devel
 BuildRequires:  docbook-xsl-stylesheets
 BuildRequires:  krb5-devel >= 1.12
 BuildRequires:  libcmocka-devel
+BuildRequires:  libsubid-devel
 BuildRequires:  libtool
 BuildRequires:  libunistring-devel
 BuildRequires:  libxml2-tools
@ -66,6 +68,7 @@ BuildRequires:  pkgconfig(libnfsidmap)
 BuildRequires:  pkgconfig(libnl-3.0) >= 3.0
 BuildRequires:  pkgconfig(libnl-route-3.0) >= 3.0
 BuildRequires:  pkgconfig(libpcre2-8)
+BuildRequires:  pkgconfig(libsemanage)
 BuildRequires:  pkgconfig(libsystemd)
 BuildRequires:  pkgconfig(ndr_krb5pac)
 BuildRequires:  pkgconfig(ndr_nbt)
@ -77,11 +80,9 @@ BuildRequires:  pkgconfig(talloc)
 BuildRequires:  pkgconfig(tdb) >= 1.1.3
 BuildRequires:  pkgconfig(tevent)
 BuildRequires:  pkgconfig(uuid)
-BuildRequires:  pkgconfig(libsemanage)
-BuildRequires:  libsubid-devel
 %{?systemd_ordering}
 Requires:       sssd-ldap = %version-%release
-Requires(postun): pam-config
+Requires(postun):pam-config
 Provides:       libsss_sudo = %version-%release
 Provides:       sssd-client = %version-%release
 Obsoletes:      libsss_sudo < %version-%release
@ -103,7 +104,7 @@ Obsoletes:      libsss_sudo < %version-%release
 %define cifs_idmap_name         cifs-idmap-plugin
 %define cifs_idmap_priority     10
 Requires(post): update-alternatives
-Requires(postun): update-alternatives
+Requires(postun):update-alternatives

 %description
 Provides a set of daemons to manage access to remote directories and
@ -199,7 +200,7 @@ and/or PAM modules to leverage SSSD caching.

 %package tools
 Summary:        Commandline tools for sssd
-License:        GPL-3.0-or-later and LGPL-3.0-or-later
+License:        GPL-3.0-or-later AND LGPL-3.0-or-later
 Group:          System/Management
 Requires:       python3-sssd-config = %version
 Requires:       sssd = %version
@ -356,7 +357,7 @@ libsss_nss_idmap can be used by Python applications.

 %package -n python3-sssd-config
 Summary:        Python API for configuring sssd
-License:        GPL-3.0-or-later and LGPL-3.0-or-later
+License:        GPL-3.0-or-later AND LGPL-3.0-or-later
 Group:          Development/Libraries/Python
 Requires:       python3

@ -426,20 +427,19 @@ ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin
 %make_build check || :

 %pre
-%global services sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam-priv.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
-%service_add_pre %services
+%service_add_pre sssd.service

 %post
 /sbin/ldconfig
 # migrate config variable krb5_kdcip to krb5_server (bnc#851048)
 /bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' %_sysconfdir/sssd/sssd.conf
-%service_add_post %services
+%service_add_post sssd.service

 # install SSSD cifs-idmap plugin as an alternative
 update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority

 %preun
-%service_del_preun %services
+%service_del_preun sssd.service

 %postun
 /sbin/ldconfig
@ -447,7 +447,7 @@ if [ "$1" = "0" -a -x "%_sbindir/pam-config" ]; then
 	"%_sbindir/pam-config" -d --sss || :
 fi
 # del_postun includes a try-restart
-%service_del_postun %services
+%service_del_postun sssd.service

 if [ ! -f "%cifs_idmap_lib" ]; then
 	update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib
--- a/symvers.patch
+++ b/symvers.patch
@ -0,0 +1,181 @@
+From: Jan Engelhardt <jengelh@inai.de>
+Date: 2022-12-22 00:09:20.375896408 +0100
+References: https://bugzilla.suse.com/show_bug.cgi?id=1206592
+
+The theory for this sssd crash is that during rpm upgrading it,
+sssd-2.8.2 gets installed, %post runs to restart it, but oh no,
+sssd-ldap-2.7.4 is still in the system. sssd_be(-2.8.2) then falls
+over its feet when it loads 2.7.4 .so files. Addin symvers like below
+should prevent this and pin the modules to another: sssd_be's attempt
+to dlopen libsss_ldap.so(-2.7.4) will fail because
+libsss_ldap.so(-2.7.4) cannot find a libsss_util.so(-2.7.4), since
+the system only has libsss_util.so(-2.8.2) at this point.
+
+---
+ Makefile.am |   47 ++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 32 insertions(+), 15 deletions(-)
+
+Index: sssd-2.8.2/Makefile.am
+===================================================================
+--- sssd-2.8.2.orig/Makefile.am
+++ sssd-2.8.2/Makefile.am
+@@ -941,7 +941,11 @@ libsss_debug_la_SOURCES = \
+ libsss_debug_la_LIBADD = \
+     $(SYSLOG_LIBS)
+ libsss_debug_la_LDFLAGS = \
+-    -avoid-version
+    -avoid-version ${symv}
+EXTRA_libsss_debug_la_DEPENDENCIES = x.sym
+symv = -Wl,--version-script=${builddir}/x.sym
+x.sym: ${top_builddir}/config.status
+	echo "V_${PACKAGE_VERSION} { global: *; };" >$@
+ 
+ pkglib_LTLIBRARIES += libsss_child.la
+ libsss_child_la_SOURCES = src/util/child_common.c
+@@ -951,7 +955,8 @@ libsss_child_la_LIBADD = \
+     $(DHASH_LIBS) \
+     libsss_debug.la \
+     $(NULL)
+-libsss_child_la_LDFLAGS = -avoid-version
+libsss_child_la_LDFLAGS = -avoid-version ${symv}
+EXTRA_libsss_child_la_DEPENDENCIES = x.sym
+ 
+ pkglib_LTLIBRARIES += libsss_crypt.la
+ 
+@@ -990,7 +995,8 @@ libsss_crypt_la_LIBADD = \
+     libsss_debug.la \
+     $(NULL)
+ libsss_crypt_la_LDFLAGS = \
+-    -avoid-version
+    -avoid-version ${symv}
+EXTRA_libsss_crypt_la_DEPENDENCIES = x.sym
+ 
+ pkglib_LTLIBRARIES += libsss_cert.la
+ 
+@@ -1015,8 +1021,9 @@ libsss_cert_la_LIBADD = \
+     libsss_debug.la \
+     $(NULL)
+ libsss_cert_la_LDFLAGS = \
+-    -avoid-version \
+    -avoid-version ${symv} \
+     $(NULL)
+EXTRA_libsss_cert_la_DEPENDENCIES = x.sym
+ 
+ generate-sbus-code:
+ 	$(builddir)/sbus_generate.sh $(abs_srcdir)
+@@ -1117,8 +1124,9 @@ libsss_sbus_la_CFLAGS = \
+     $(DBUS_CFLAGS) \
+     $(NULL)
+ libsss_sbus_la_LDFLAGS = \
+-    -avoid-version \
+    -avoid-version ${symv} \
+     $(NULL)
+EXTRA_libsss_sbus_la_DEPENDENCIES = x.sym
+ 
+ pkglib_LTLIBRARIES += libsss_sbus_sync.la
+ libsss_sbus_sync_la_SOURCES = \
+@@ -1153,8 +1161,9 @@ libsss_sbus_sync_la_CFLAGS = \
+     $(UNICODE_LIBS) \
+     $(NULL)
+ libsss_sbus_sync_la_LDFLAGS = \
+-    -avoid-version \
+    -avoid-version ${symv} \
+     $(NULL)
+EXTRA_libsss_sbus_sync_la_DEPENDENCIES = x.sym
+ 
+ pkglib_LTLIBRARIES += libsss_iface.la
+ libsss_iface_la_SOURCES = \
+@@ -1183,8 +1192,9 @@ libsss_iface_la_CFLAGS = \
+     $(DBUS_CFLAGS) \
+     $(NULL)
+ libsss_iface_la_LDFLAGS = \
+-    -avoid-version \
+    -avoid-version ${symv} \
+     $(NULL)
+EXTRA_libsss_iface_la_DEPENDENCIES = x.sym
+ 
+ pkglib_LTLIBRARIES += libsss_iface_sync.la
+ libsss_iface_sync_la_SOURCES = \
+@@ -1211,8 +1221,9 @@ libsss_iface_sync_la_CFLAGS = \
+     $(DBUS_CFLAGS) \
+     $(NULL)
+ libsss_iface_sync_la_LDFLAGS = \
+-    -avoid-version \
+    -avoid-version ${symv} \
+     $(NULL)
+EXTRA_libsss_iface_sync_la_DEPENDENCIES = x.sym
+ 
+ pkglib_LTLIBRARIES += libsss_util.la
+ libsss_util_la_SOURCES = \
+@@ -1303,7 +1314,8 @@ endif
+ if BUILD_SYSTEMTAP
+ libsss_util_la_LIBADD += stap_generated_probes.lo
+ endif
+-libsss_util_la_LDFLAGS = -avoid-version
+libsss_util_la_LDFLAGS = -avoid-version ${symv}
+EXTRA_libsss_util_la_DEPENDENCIES = x.sym
+ 
+ pkglib_LTLIBRARIES += libsss_semanage.la
+ libsss_semanage_la_CFLAGS = \
+@@ -1322,7 +1334,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_
+ endif
+ 
+ libsss_semanage_la_LDFLAGS = \
+-    -avoid-version
+    -avoid-version ${symv}
+EXTRA_libsss_semanage_la_DEPENDENCIES = x.sym
+ 
+ SSSD_INTERNAL_LTLIBS = \
+     libsss_util.la \
+@@ -1338,7 +1351,7 @@ lib_LTLIBRARIES = libipa_hbac.la \
+                   $(NULL)
+ 
+ pkgconfig_DATA += src/lib/ipa_hbac/ipa_hbac.pc
+-libipa_hbac_la_DEPENDENCIES = src/lib/ipa_hbac/ipa_hbac.exports
+EXTRA_libipa_hbac_la_DEPENDENCIES = src/lib/ipa_hbac/ipa_hbac.exports
+ libipa_hbac_la_SOURCES = \
+     src/lib/ipa_hbac/hbac_evaluator.c \
+     src/util/sss_utf8.c
+@@ -1664,8 +1677,9 @@ libifp_iface_la_CFLAGS = \
+     $(DBUS_CFLAGS) \
+     $(NULL)
+ libifp_iface_la_LDFLAGS = \
+-    -avoid-version \
+    -avoid-version ${symv} \
+     $(NULL)
+EXTRA_libifp_iface_la_DEPENDENCIES = x.sym
+ 
+ pkglib_LTLIBRARIES += libifp_iface_sync.la
+ libifp_iface_sync_la_SOURCES = \
+@@ -1690,8 +1704,9 @@ libifp_iface_sync_la_CFLAGS = \
+     $(DBUS_CFLAGS) \
+     $(NULL)
+ libifp_iface_sync_la_LDFLAGS = \
+-    -avoid-version \
+    -avoid-version ${symv} \
+     $(NULL)
+EXTRA_libifp_iface_sync_la_DEPENDENCIES = x.sym
+ 
+ sssd_ifp_SOURCES = \
+     src/responder/ifp/ifpsrv.c \
+@@ -4196,8 +4211,9 @@ libsss_ldap_common_la_LIBADD = \
+     $(SSSD_INTERNAL_LTLIBS) \
+     $(NULL)
+ libsss_ldap_common_la_LDFLAGS = \
+-    -avoid-version \
+    -avoid-version ${symv} \
+     $(NULL)
+EXTRA_libsss_ldap_common_la_DEPENDENCIES = x.sym
+ if BUILD_SYSTEMTAP
+ libsss_ldap_common_la_LIBADD += stap_generated_probes.lo
+ endif
+@@ -4254,7 +4270,8 @@ libsss_krb5_common_la_LIBADD = \
+     $(SSSD_INTERNAL_LTLIBS) \
+     $(NULL)
+ libsss_krb5_common_la_LDFLAGS = \
+-    -avoid-version
+    -avoid-version ${symv}
+EXTRA_libsss_krb5_common_la_DEPENDENCIES = x.sym
+ 
+ libsss_ldap_la_SOURCES = \
+     src/providers/ldap/ldap_init.c \