diff --git a/sssd.changes b/sssd.changes index 5e3fddd..c30e9f7 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Wed Dec 21 19:29:45 UTC 2022 - Jan Engelhardt + +- Take systemd units off the restart list that have + RefuseManualStart=yes [boo#1206592] +- Add symvers.patch [boo#1206592] + ------------------------------------------------------------------- Sun Dec 11 14:17:23 UTC 2022 - Jan Engelhardt diff --git a/sssd.spec b/sssd.spec index 654c530..9fc843a 100644 --- a/sssd.spec +++ b/sssd.spec @@ -20,7 +20,7 @@ Name: sssd Version: 2.8.2 Release: 0 Summary: System Security Services Daemon -License: GPL-3.0-or-later and LGPL-3.0-or-later +License: GPL-3.0-or-later AND LGPL-3.0-or-later Group: System/Daemons URL: https://github.com/SSSD/sssd #Git-Clone: https://github.com/SSSD/sssd @@ -29,8 +29,9 @@ Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%v Source3: baselibs.conf Source5: %name.keyring Patch1: krb-noversion.diff -Patch2: harden_sssd-ifp.service.patch -Patch3: harden_sssd-kcm.service.patch +Patch2: harden_sssd-ifp.service.patch +Patch3: harden_sssd-kcm.service.patch +Patch4: symvers.patch BuildRequires: autoconf >= 2.59 BuildRequires: automake BuildRequires: bind-utils @@ -40,6 +41,7 @@ BuildRequires: cyrus-sasl-devel BuildRequires: docbook-xsl-stylesheets BuildRequires: krb5-devel >= 1.12 BuildRequires: libcmocka-devel +BuildRequires: libsubid-devel BuildRequires: libtool BuildRequires: libunistring-devel BuildRequires: libxml2-tools @@ -66,6 +68,7 @@ BuildRequires: pkgconfig(libnfsidmap) BuildRequires: pkgconfig(libnl-3.0) >= 3.0 BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0 BuildRequires: pkgconfig(libpcre2-8) +BuildRequires: pkgconfig(libsemanage) BuildRequires: pkgconfig(libsystemd) BuildRequires: pkgconfig(ndr_krb5pac) BuildRequires: pkgconfig(ndr_nbt) 
@@ -77,11 +80,9 @@ BuildRequires: pkgconfig(talloc) BuildRequires: pkgconfig(tdb) >= 1.1.3 BuildRequires: pkgconfig(tevent) BuildRequires: pkgconfig(uuid) -BuildRequires: pkgconfig(libsemanage) -BuildRequires: libsubid-devel %{?systemd_ordering} Requires: sssd-ldap = %version-%release -Requires(postun): pam-config +Requires(postun):pam-config Provides: libsss_sudo = %version-%release Provides: sssd-client = %version-%release Obsoletes: libsss_sudo < %version-%release @@ -103,7 +104,7 @@ Obsoletes: libsss_sudo < %version-%release %define cifs_idmap_name cifs-idmap-plugin %define cifs_idmap_priority 10 Requires(post): update-alternatives -Requires(postun): update-alternatives +Requires(postun):update-alternatives %description Provides a set of daemons to manage access to remote directories and @@ -199,7 +200,7 @@ and/or PAM modules to leverage SSSD caching. %package tools Summary: Commandline tools for sssd -License: GPL-3.0-or-later and LGPL-3.0-or-later +License: GPL-3.0-or-later AND LGPL-3.0-or-later Group: System/Management Requires: python3-sssd-config = %version Requires: sssd = %version @@ -356,7 +357,7 @@ libsss_nss_idmap can be used by Python applications. %package -n python3-sssd-config Summary: Python API for configuring sssd -License: GPL-3.0-or-later and LGPL-3.0-or-later +License: GPL-3.0-or-later AND LGPL-3.0-or-later Group: Development/Libraries/Python Requires: python3 
@@ -426,20 +427,19 @@ ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin %make_build check || : %pre -%global services sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam-priv.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket -%service_add_pre %services +%service_add_pre sssd.service %post /sbin/ldconfig # migrate config variable krb5_kdcip to krb5_server (bnc#851048) /bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' %_sysconfdir/sssd/sssd.conf -%service_add_post %services +%service_add_post sssd.service # install SSSD cifs-idmap plugin as an alternative update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority %preun -%service_del_preun %services +%service_del_preun sssd.service %postun /sbin/ldconfig @@ -447,7 +447,7 @@ if [ "$1" = "0" -a -x "%_sbindir/pam-config" ]; then "%_sbindir/pam-config" -d --sss || : fi # del_postun includes a try-restart -%service_del_postun %services +%service_del_postun sssd.service if [ ! -f "%cifs_idmap_lib" ]; then update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib diff --git a/symvers.patch b/symvers.patch new file mode 100644 index 0000000..a80d511 --- /dev/null +++ b/symvers.patch 
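Review bot: The `%pre`, `%post` and `%preun` scriptlets, and `%postun` in the next hunk (`@@ -447,7 +447,7 @@`), now pass only `sssd.service` to the `%service_*` macros, so every other unit from the removed `%services` list, including all the `.socket` units, is no longer covered by them. The changelog entry only mentions units that have `RefuseManualStart=yes`, and the unit files are not visible in this diff, so it is worth confirming that the socket units really fall under that description. If they do not, they would presumably miss the macros' usual handling on install and removal, which could leave socket units active or enabled after the package is uninstalled. If dropping the whole list is intended, a comment above `%pre` would record the reason, for example `# only sssd.service is listed: the responder .service/.socket units are left out on purpose, see boo#1206592 (RefuseManualStart=yes)`.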
@@ -0,0 +1,181 @@ +From: Jan Engelhardt +Date: 2022-12-22 00:09:20.375896408 +0100 +References: https://bugzilla.suse.com/show_bug.cgi?id=1206592 + +The theory for this sssd crash is that during rpm upgrading it, +sssd-2.8.2 gets installed, %post runs to restart it, but oh no, +sssd-ldap-2.7.4 is still in the system. sssd_be(-2.8.2) then falls +over its feet when it loads 2.7.4 .so files. Addin symvers like below +should prevent this and pin the modules to another: sssd_be's attempt +to dlopen libsss_ldap.so(-2.7.4) will fail because +libsss_ldap.so(-2.7.4) cannot find a libsss_util.so(-2.7.4), since +the system only has libsss_util.so(-2.8.2) at this point. + +--- + Makefile.am | 47 ++++++++++++++++++++++++++++++++--------------- + 1 file changed, 32 insertions(+), 15 deletions(-) + +Index: sssd-2.8.2/Makefile.am +=================================================================== +--- sssd-2.8.2.orig/Makefile.am ++++ sssd-2.8.2/Makefile.am +@@ -941,7 +941,11 @@ libsss_debug_la_SOURCES = \ + libsss_debug_la_LIBADD = \ + $(SYSLOG_LIBS) + libsss_debug_la_LDFLAGS = \ +- -avoid-version ++ -avoid-version ${symv} ++EXTRA_libsss_debug_la_DEPENDENCIES = x.sym ++symv = -Wl,--version-script=${builddir}/x.sym ++x.sym: ${top_builddir}/config.status ++ echo "V_${PACKAGE_VERSION} { global: *; };" >$@ + + pkglib_LTLIBRARIES += libsss_child.la + libsss_child_la_SOURCES = src/util/child_common.c +@@ -951,7 +955,8 @@ libsss_child_la_LIBADD = \ + $(DHASH_LIBS) \ + libsss_debug.la \ + $(NULL) +-libsss_child_la_LDFLAGS = -avoid-version ++libsss_child_la_LDFLAGS = -avoid-version ${symv} ++EXTRA_libsss_child_la_DEPENDENCIES = x.sym + + pkglib_LTLIBRARIES += libsss_crypt.la + +@@ -990,7 +995,8 @@ libsss_crypt_la_LIBADD = \ + libsss_debug.la \ + $(NULL) + libsss_crypt_la_LDFLAGS = \ +- -avoid-version ++ -avoid-version ${symv} ++EXTRA_libsss_crypt_la_DEPENDENCIES = x.sym + + pkglib_LTLIBRARIES += libsss_cert.la + +@@ -1015,8 +1021,9 @@ libsss_cert_la_LIBADD = \ + libsss_debug.la \ + 
$(NULL) + libsss_cert_la_LDFLAGS = \ +- -avoid-version \ ++ -avoid-version ${symv} \ + $(NULL) ++EXTRA_libsss_cert_la_DEPENDENCIES = x.sym + + generate-sbus-code: + $(builddir)/sbus_generate.sh $(abs_srcdir) +@@ -1117,8 +1124,9 @@ libsss_sbus_la_CFLAGS = \ + $(DBUS_CFLAGS) \ + $(NULL) + libsss_sbus_la_LDFLAGS = \ +- -avoid-version \ ++ -avoid-version ${symv} \ + $(NULL) ++EXTRA_libsss_sbus_la_DEPENDENCIES = x.sym + + pkglib_LTLIBRARIES += libsss_sbus_sync.la + libsss_sbus_sync_la_SOURCES = \ +@@ -1153,8 +1161,9 @@ libsss_sbus_sync_la_CFLAGS = \ + $(UNICODE_LIBS) \ + $(NULL) + libsss_sbus_sync_la_LDFLAGS = \ +- -avoid-version \ ++ -avoid-version ${symv} \ + $(NULL) ++EXTRA_libsss_sbus_sync_la_DEPENDENCIES = x.sym + + pkglib_LTLIBRARIES += libsss_iface.la + libsss_iface_la_SOURCES = \ +@@ -1183,8 +1192,9 @@ libsss_iface_la_CFLAGS = \ + $(DBUS_CFLAGS) \ + $(NULL) + libsss_iface_la_LDFLAGS = \ +- -avoid-version \ ++ -avoid-version ${symv} \ + $(NULL) ++EXTRA_libsss_iface_la_DEPENDENCIES = x.sym + + pkglib_LTLIBRARIES += libsss_iface_sync.la + libsss_iface_sync_la_SOURCES = \ +@@ -1211,8 +1221,9 @@ libsss_iface_sync_la_CFLAGS = \ + $(DBUS_CFLAGS) \ + $(NULL) + libsss_iface_sync_la_LDFLAGS = \ +- -avoid-version \ ++ -avoid-version ${symv} \ + $(NULL) ++EXTRA_libsss_iface_sync_la_DEPENDENCIES = x.sym + + pkglib_LTLIBRARIES += libsss_util.la + libsss_util_la_SOURCES = \ +@@ -1303,7 +1314,8 @@ endif + if BUILD_SYSTEMTAP + libsss_util_la_LIBADD += stap_generated_probes.lo + endif +-libsss_util_la_LDFLAGS = -avoid-version ++libsss_util_la_LDFLAGS = -avoid-version ${symv} ++EXTRA_libsss_util_la_DEPENDENCIES = x.sym + + pkglib_LTLIBRARIES += libsss_semanage.la + libsss_semanage_la_CFLAGS = \ +@@ -1322,7 +1334,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_ + endif + + libsss_semanage_la_LDFLAGS = \ +- -avoid-version ++ -avoid-version ${symv} ++EXTRA_libsss_semanage_la_DEPENDENCIES = x.sym + + SSSD_INTERNAL_LTLIBS = \ + libsss_util.la \ +@@ -1338,7 +1351,7 @@ lib_LTLIBRARIES = 
libipa_hbac.la \ + $(NULL) + + pkgconfig_DATA += src/lib/ipa_hbac/ipa_hbac.pc +-libipa_hbac_la_DEPENDENCIES = src/lib/ipa_hbac/ipa_hbac.exports ++EXTRA_libipa_hbac_la_DEPENDENCIES = src/lib/ipa_hbac/ipa_hbac.exports + libipa_hbac_la_SOURCES = \ + src/lib/ipa_hbac/hbac_evaluator.c \ + src/util/sss_utf8.c +@@ -1664,8 +1677,9 @@ libifp_iface_la_CFLAGS = \ + $(DBUS_CFLAGS) \ + $(NULL) + libifp_iface_la_LDFLAGS = \ +- -avoid-version \ ++ -avoid-version ${symv} \ + $(NULL) ++EXTRA_libifp_iface_la_DEPENDENCIES = x.sym + + pkglib_LTLIBRARIES += libifp_iface_sync.la + libifp_iface_sync_la_SOURCES = \ +@@ -1690,8 +1704,9 @@ libifp_iface_sync_la_CFLAGS = \ + $(DBUS_CFLAGS) \ + $(NULL) + libifp_iface_sync_la_LDFLAGS = \ +- -avoid-version \ ++ -avoid-version ${symv} \ + $(NULL) ++EXTRA_libifp_iface_sync_la_DEPENDENCIES = x.sym + + sssd_ifp_SOURCES = \ + src/responder/ifp/ifpsrv.c \ +@@ -4196,8 +4211,9 @@ libsss_ldap_common_la_LIBADD = \ + $(SSSD_INTERNAL_LTLIBS) \ + $(NULL) + libsss_ldap_common_la_LDFLAGS = \ +- -avoid-version \ ++ -avoid-version ${symv} \ + $(NULL) ++EXTRA_libsss_ldap_common_la_DEPENDENCIES = x.sym + if BUILD_SYSTEMTAP + libsss_ldap_common_la_LIBADD += stap_generated_probes.lo + endif +@@ -4254,7 +4270,8 @@ libsss_krb5_common_la_LIBADD = \ + $(SSSD_INTERNAL_LTLIBS) \ + $(NULL) + libsss_krb5_common_la_LDFLAGS = \ +- -avoid-version ++ -avoid-version ${symv} ++EXTRA_libsss_krb5_common_la_DEPENDENCIES = x.sym + + libsss_ldap_la_SOURCES = \ + src/providers/ldap/ldap_init.c \
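Review bot: The `V_${PACKAGE_VERSION}` node written to `x.sym` can only reject a mismatched module if that module was itself linked against a versioned library. A module built before this patch, as in the 2.7.4 example in the header, carries unversioned references, which the dynamic linker normally still binds to the new versioned definitions. The first upgrade across this change is therefore probably not protected; the pinning would take effect only from the next version bump onward, and the patch header should say so. The `x.sym` rule also has no explanatory comment; something like `# x.sym: one version node per release so internal libs and provider modules from different sssd builds refuse to load together (boo#1206592)` would help. The generated file is not removed by `make clean` as far as this hunk shows, which `CLEANFILES += x.sym` would fix.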