From bbfc610706148d7eafd1f082ec4b07300c79e838d242838b74a2db2570a50901 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Wed, 27 Nov 2024 10:12:37 +0000
Subject: [PATCH] [info=6e6893108add570a0ec8a1cc983e87b11279bc98ee96e4f1af76ab397f1d0074]
OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=330
---
 ...on-make-sure-etc-sssd-and-everything.patch | 76 ++++++
 0001-INI-relax-config-files-checks.patch | 135 +++++++++
 ...using-libini_config-for-access-check.patch | 182 +++++++++++++
 ...t-path-when-config-object-is-rejecte.patch | 75 +++++
 _scmsync.obsinfo | 8 +-
 build.specials.obscpio | 2 +-
 harden_sssd-kcm.service.patch | 14 +-
 sssd-2.10.0.tar.gz | 3 +
 sssd-2.10.0.tar.gz.asc | 16 ++
 sssd-2.9.5.tar.gz | 3 -
 sssd-2.9.5.tar.gz.asc | 16 --
 sssd.changes | 39 +++
 sssd.spec | 257 +++++++++++-------
 13 files changed, 697 insertions(+), 129 deletions(-)
 create mode 100644 0001-Configuration-make-sure-etc-sssd-and-everything.patch
 create mode 100644 0001-INI-relax-config-files-checks.patch
 create mode 100644 0001-INI-stop-using-libini_config-for-access-check.patch
 create mode 100644 0001-sssd-always-print-path-when-config-object-is-rejecte.patch
 create mode 100644 sssd-2.10.0.tar.gz
 create mode 100644 sssd-2.10.0.tar.gz.asc
 delete mode 100644 sssd-2.9.5.tar.gz
 delete mode 100644 sssd-2.9.5.tar.gz.asc
diff --git a/0001-Configuration-make-sure-etc-sssd-and-everything.patch b/0001-Configuration-make-sure-etc-sssd-and-everything.patch
new file mode 100644
index 0000000..8cf0fe0
--- /dev/null
+++ b/0001-Configuration-make-sure-etc-sssd-and-everything.patch
@@ -0,0 +1,76 @@
+From 8db2df4fcbd09badafbc207bd4150b5f1cc2d5fb Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Thu, 24 Oct 2024 15:34:26 +0200
+Subject: [PATCH] Configuration: make sure /etc/sssd and everything
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+beneath is owned by 'sssd' group and readable by group.
+
+This should allow for reasonable rw-r----- root:sssd
+
+At some points those chown/chmod can be removed.
+
+Reviewed-by: Justin Stephenson
+Reviewed-by: Pavel Březina
+Reviewed-by: Sumit Bose
+(cherry picked from commit 518db322fdd5a4de41813fbe5bc35fc20392ce67)
+---
+ contrib/sssd.spec.in | 4 ++--
+ src/sysv/systemd/sssd-kcm.service.in | 5 ++---
+ src/sysv/systemd/sssd.service.in | 6 ++----
+ 3 files changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
+index 4fbacb959..83de563f3 100644
+--- a/contrib/sssd.spec.in
++++ b/contrib/sssd.spec.in
+@@ -1136,9 +1136,9 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d /run/sssd -s /sbin/nologi
+ %__rm -f %{mcpath}/group
+ %__rm -f %{mcpath}/initgroups
+ %__rm -f %{mcpath}/sid
++%__chown -f -R root:%{sssd_user} %{_sysconfdir}/sssd || true
++%__chmod -f -R g+r %{_sysconfdir}/sssd || true
+ %__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true
+-%__chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true
+-%__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true
+ %__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
+ %__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true
+ %__chown -f %{sssd_user}:%{sssd_user} %{gpocachepath}/* || true
+diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
+index 0c839ec5c..ba9e27cd9 100644
+--- a/src/sysv/systemd/sssd-kcm.service.in
++++ b/src/sysv/systemd/sssd-kcm.service.in
+@@ -9,9 +9,8 @@ Also=sssd-kcm.socket
+
+ [Service]
+ Environment=DEBUG_LOGGER=--logger=files
+-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
+-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
+-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
++ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
++ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
+ ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb"
+ ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log
+ ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER}
+diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
+index 37e0a63f8..a6f79ff8a 100644
+--- a/src/sysv/systemd/sssd.service.in
++++ b/src/sysv/systemd/sssd.service.in
+@@ -10,10 +10,8 @@ StartLimitBurst=5
+ [Service]
+ Environment=DEBUG_LOGGER=--logger=files
+ EnvironmentFile=-@environment_file@
+-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
+-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
+-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
+-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/pki
++ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
++ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
+ ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @dbpath@/*.ldb"
+ ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @gpocachepath@/*"
+ ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/*.log"
+-- 
+2.47.0
+
diff --git a/0001-INI-relax-config-files-checks.patch b/0001-INI-relax-config-files-checks.patch
new file mode 100644
index 0000000..69ac630
--- /dev/null
+++ b/0001-INI-relax-config-files-checks.patch
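Review bot: `chmod -f -R g+r @sssdconfdir@` (both unit files here, and the `%__chmod -f -R g+r` line in contrib/sssd.spec.in) adds only the read bit, so if `@sssdconfdir@` or a subdirectory such as `conf.d` or `pki` is mode 0700 the sssd group still lacks search permission and cannot open anything beneath it; the intended `rw-r-----` root:sssd layout then only works where the directories already carry `g+x`. Using `g+rX` (capital X sets execute on directories and on files that are already executable, never on plain files) would make the step self-sufficient: `ExecStartPre=+-/bin/chmod -f -R g+rX @sssdconfdir@`. Whether any of these directories are created 0700 is not visible from the patch, so confirm against the packaging before changing it. Separately, the recursive chown/chmod replaces per-file ownership changes with group read on everything under the directory, including whatever lives under `pki/`; a one-line comment in the unit stating that this widening is intentional would save the next reader from wondering.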
@@ -0,0 +1,135 @@
+From 340671f16abb9c26ae97b11c4e2845337e67973e Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Wed, 23 Oct 2024 20:59:32 +0200
+Subject: [PATCH] INI: relax config files checks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Only make sure:
+ - user is root or sssd
+ - group is root or sssd
+ - other can't access it
+
+Don't make any assumptions wrt user/group read/write-ability.
+
+Reviewed-by: Justin Stephenson
+Reviewed-by: Pavel Březina
+Reviewed-by: Sumit Bose
+(cherry picked from commit 8472777ec472607ea450ddb4c4666017bd0de704)
+---
+ src/man/sssd.conf.5.xml | 5 ++-
+ src/util/sss_ini.c | 68 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 70 insertions(+), 3 deletions(-)
+
+diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
+index a074cc674..bf10acb2a 100644
+--- a/src/man/sssd.conf.5.xml
++++ b/src/man/sssd.conf.5.xml
+@@ -57,9 +57,8 @@
+ readable, and writeable only by 'root'.
+
+
+- sssd.conf must be a regular file that is owned,
+- readable, and writeable by the same user as configured to run SSSD
+- service.
++ sssd.conf must be a regular file that is
++ accessible only by the user used to run SSSD service or root.
+
+
+
+diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
+index e989d8caf..74cf61e0e 100644
+--- a/src/util/sss_ini.c
++++ b/src/util/sss_ini.c
+@@ -26,6 +26,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ #include "config.h"
+@@ -781,6 +782,71 @@ int sss_ini_open(struct sss_ini *self,
+ return ret;
+ }
+
++static int access_check_file(const char *filename)
++{
++ int ret;
++ struct stat st;
++ uid_t uid;
++ gid_t gid;
++
++ sss_sssd_user_uid_and_gid(&uid, &gid);
++
++ ret = stat(filename, &st);
++ if (ret != 0) {
++ ret = errno;
++ DEBUG(SSSDBG_CRIT_FAILURE, "stat(%s) failed: %s\n",
++ filename, strerror(ret));
++ return EINVAL;
++ }
++
++ if ((st.st_uid != 0) && (st.st_uid != uid)) {
++ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected user owner of '%s': %"SPRIuid"\n",
++ filename, st.st_uid);
++ return ERR_INI_INVALID_PERMISSION;
++ }
++
++ if ((st.st_gid != 0) && (st.st_gid != gid)) {
++ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected group owner of '%s': %"SPRIgid"\n",
++ filename, st.st_gid);
++ return ERR_INI_INVALID_PERMISSION;
++ }
++
++ if ((st.st_mode & (S_IROTH|S_IWOTH|S_IXOTH)) != 0) {
++ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected access to '%s' by other users\n",
++ filename);
++ return ERR_INI_INVALID_PERMISSION;
++ }
++
++ return EOK;
++}
++
++static int access_check_ini(struct sss_ini *self)
++{
++ int ret;
++ const char *path;
++ uint32_t i;
++ const char **snippet;
++ struct ref_array *used_snippets;
++
++ if (self->main_config_exists) {
++ path = ini_config_get_filename(self->file);
++ ret = access_check_file(path);
++ if (ret != EOK) {
++ return ret;
++ }
++ }
++
++ used_snippets = sss_ini_get_ra_success_list(self);
++ for (i = 0; (snippet = ref_array_get(used_snippets, i, NULL)) != NULL; ++i) {
++ ret = access_check_file(*snippet);
++ if (ret != EOK) {
++ return ret;
++ }
++ }
++
++ return EOK;
++}
++
+ int sss_ini_read_sssd_conf(struct sss_ini *self,
+ const char *config_file,
+ const char *config_dir)
+@@ -833,5 +899,7 @@ int 
sss_ini_read_sssd_conf(struct sss_ini *self,
+ return ERR_INI_EMPTY_CONFIG;
+ }
+
++ ret = access_check_ini(self);
++
+ return ret;
+ }
+-- 
+2.47.0
+
diff --git a/0001-INI-stop-using-libini_config-for-access-check.patch b/0001-INI-stop-using-libini_config-for-access-check.patch
new file mode 100644
index 0000000..abe0cb0
--- /dev/null
+++ b/0001-INI-stop-using-libini_config-for-access-check.patch
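Review bot: `access_check_file` never verifies that the path is a regular file, while the sssd.conf.5.xml text changed in the same patch still promises that sssd.conf `must be a regular file`; a test right after the `stat()` call, `if (!S_ISREG(st.st_mode)) { DEBUG(SSSDBG_CRIT_FAILURE, "'%s' is not a regular file\n", filename); return ERR_INI_INVALID_PERMISSION; }`, would keep code and documentation in agreement. Because `stat()` follows symlinks, the owner and mode tests apply to the link target rather than to the link itself, which is presumably intended but deserves a one-line comment above the call. The new check runs only after `sss_ini_parse` and `sss_ini_add_snippets` have already read the files (the body of `sss_ini_read_sssd_conf` continues outside this hunk), so a rejected file is parsed before being refused; that is harmless provided every caller discards the object when `ret != EOK`, which is worth confirming. Minor: on `stat()` failure the function logs `errno` but returns `EINVAL`, so callers cannot tell a vanished file from a malformed argument.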
@@ -0,0 +1,182 @@
+From 1d19b8ad9415e0a12ed3aaf039d4d0956ef4dbad Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Wed, 23 Oct 2024 19:53:09 +0200
+Subject: [PATCH] INI: stop using 'libini_config' for access check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Justin Stephenson
+Reviewed-by: Pavel Březina
+Reviewed-by: Sumit Bose
+---
+ src/util/sss_ini.c | 100 +----------------------------------------------------
+ src/util/sss_ini.h | 12 ------
+ 2 files changed, 3 insertions(+), 109 deletions(-)
+
+Index: sssd-2.10.0/src/util/sss_ini.c
+===================================================================
+--- sssd-2.10.0.orig/src/util/sss_ini.c
++++ sssd-2.10.0/src/util/sss_ini.c
+@@ -147,81 +147,6 @@ static int sss_ini_config_file_from_mem(
+ &self->file);
+ }
+
+-/* Check configuration file permissions */
+-
+-static bool is_running_sssd(void)
+-{
+- static char exe[1024];
+- int ret;
+- const char *s = NULL;
+-
+- ret = readlink("/proc/self/exe", exe, sizeof(exe) - 1);
+- if ((ret > 0) && (ret < 1024)) {
+- exe[ret] = 0;
+- s = strstr(exe, debug_prg_name);
+- if ((s != NULL) && (strlen(s) == strlen(debug_prg_name))) {
+- return true;
+- }
+- }
+-
+- return false;
+-}
+-
+-static int sss_ini_access_check(struct sss_ini *self)
+-{
+- int ret;
+- uint32_t flags = INI_ACCESS_CHECK_MODE;
+-
+- if (!self->main_config_exists) {
+- return EOK;
+- }
+-
+- if (is_running_sssd()) {
+- flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID;
+- }
+-
+- ret = ini_config_access_check(self->file,
+- flags,
+- geteuid(),
+- getegid(),
+- S_IRUSR, /* r**------ */
+- ALLPERMS & ~(S_IWUSR|S_IXUSR));
+-
+- return ret;
+-}
+-
+-
+-
+-/* Get cstat */
+-
+-int sss_ini_get_stat(struct sss_ini *self)
+-{
+- self->cstat = ini_config_get_stat(self->file);
+-
+- if (!self->cstat) return EIO;
+-
+- return EOK;
+-}
+-
+-
+-
+-/* Get mtime */
+-
+-int sss_ini_get_mtime(struct sss_ini *self,
+- size_t timestr_len,
+- char 
*timestr)
+-{
+- return snprintf(timestr, timestr_len, "%llu",
+- (long long unsigned)self->cstat->st_mtime);
+-}
+-
+-/* Get file_exists */
+-
+-bool sss_ini_exists(struct sss_ini *self)
+-{
+- return self->main_config_exists;
+-}
+-
+ /* Print ini_config errors */
+
+ static void sss_ini_config_print_errors(char **error_list)
+@@ -289,7 +214,6 @@ static int sss_ini_add_snippets(struct s
+ uint32_t i = 0;
+ char *msg = NULL;
+ struct ini_cfgobj *modified_sssd_config = NULL;
+- struct access_check snip_check;
+
+ if (self == NULL || self->sssd_config == NULL || config_dir == NULL) {
+ return EINVAL;
+@@ -297,21 +221,11 @@ static int sss_ini_add_snippets(struct s
+
+ sss_ini_free_ra_messages(self);
+
+- snip_check.flags = INI_ACCESS_CHECK_MODE;
+-
+- if (is_running_sssd()) {
+- snip_check.flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID;
+- }
+- snip_check.uid = geteuid();
+- snip_check.gid = getegid();
+- snip_check.mode = S_IRUSR; /* r**------ */
+- snip_check.mask = ALLPERMS & ~(S_IWUSR | S_IXUSR);
+-
+ ret = ini_config_augment(self->sssd_config,
+ config_dir,
+ patterns,
+ sections,
+- &snip_check,
++ NULL,
+ INI_STOP_ON_ANY,
+ INI_MV1S_OVERWRITE,
+ INI_PARSE_NOWRAP,
+@@ -894,15 +808,7 @@ int sss_ini_read_sssd_conf(struct sss_in
+ return ERR_INI_OPEN_FAILED;
+ }
+
+- if (sss_ini_exists(self)) {
+- ret = sss_ini_access_check(self);
+- if (ret != EOK) {
+- DEBUG(SSSDBG_CRIT_FAILURE,
+- "Permission check on config file %s failed: %d\n",
+- config_file, ret);
+- return ERR_INI_INVALID_PERMISSION;
+- }
+- } else {
++ if (!self->main_config_exists) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "File %s does not exist.\n", config_file);
+ }
+@@ -923,7 +829,7 @@ int sss_ini_read_sssd_conf(struct sss_in
+ return ERR_INI_ADD_SNIPPETS_FAILED;
+ }
+
+- if (!sss_ini_exists(self) &&
++ if ((!self->main_config_exists) &&
+ (ref_array_len(sss_ini_get_ra_success_list(self)) == 0)) {
+ return ERR_INI_EMPTY_CONFIG;
+ }
+Index: sssd-2.10.0/src/util/sss_ini.h
+===================================================================
+--- sssd-2.10.0.orig/src/util/sss_ini.h
++++ sssd-2.10.0/src/util/sss_ini.h
+@@ -81,18 +81,6 @@ int sss_ini_open(struct sss_ini *self,
+ const char *fallback_cfg);
+
+ /**
+- * @brief Check whether sss_ini_open() reported that ini file is
+- * not present
+- *
+- * @param[in] self pointer to sss_ini structure
+- *
+- * @return
+- * - true we are using ini file
+- * - false file was not found
+- */
+-bool sss_ini_exists(struct sss_ini *self);
+-
+-/**
+ * @brief get Cstat structure of the ini file
+ */
+ int sss_ini_get_stat(struct sss_ini *self);
diff --git a/0001-sssd-always-print-path-when-config-object-is-rejecte.patch b/0001-sssd-always-print-path-when-config-object-is-rejecte.patch
new file mode 100644
index 0000000..d24c30a
--- /dev/null
+++ b/0001-sssd-always-print-path-when-config-object-is-rejecte.patch
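Review bot: The sss_ini.c hunk deletes the definitions of `sss_ini_get_stat` and `sss_ini_get_mtime`, yet the sss_ini.h hunk removes only the `sss_ini_exists` prototype and keeps `int sss_ini_get_stat(struct sss_ini *self);` as context, leaving declarations with no definition behind; the header hunk should drop those two prototypes and their doc comments as well, unless some other translation unit in the tree still defines them. Note also that this patch on its own removes every ownership/mode check: `sss_ini_access_check` is deleted and `ini_config_augment` now receives `NULL` where `&snip_check` used to be, so conf.d snippets are accepted regardless of owner or mode until 0001-INI-relax-config-files-checks.patch reintroduces a check. sssd.spec applies them in that order (Patch4, then Patch5), but the ordering dependency is worth a sentence in this patch's description so a future rebase does not reorder them.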
@@ -0,0 +1,75 @@
+From 1a743a4123c104a10c694f7ee9d2f0a1e7182513 Mon Sep 17 00:00:00 2001
+From: Jan Engelhardt
+Date: Wed, 16 Oct 2024 09:55:50 +0200
+Subject: [PATCH] sssd: always print path when config object is rejected
+References: https://github.com/SSSD/sssd/pull/7649
+
+Observed:
+
+```
+Oct 16 09:44:04 a4 sssd[28717]: [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
+Oct 16 09:44:04 a4 sssd[28717]: Can't read config: 'File ownership and permissions check failed'
+Oct 16 09:44:04 a4 sssd[28717]: Failed to read configuration: 'File ownership and permissions check failed'
+```
+
+Expected:
+
+_Well yes, but **which one**_!?
+
+Reviewed-by: Alexey Tikhonov
+Reviewed-by: Justin Stephenson
+(cherry picked from commit 2b7915dd84a6b8c3ee26e45357283677fe22f2cb)
+---
+ src/util/sss_ini.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
+index 7f9824d88..2a611eb8c 100644
+--- a/src/util/sss_ini.c
++++ b/src/util/sss_ini.c
+@@ -888,7 +888,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
+ ret = sss_ini_open(self, config_file, "[sssd]\n");
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+- "The sss_ini_open failed %s: %d\n",
++ "sss_ini_open on %s failed: %d\n",
+ config_file,
+ ret);
+ return ERR_INI_OPEN_FAILED;
+@@ -898,26 +898,28 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
+ ret = sss_ini_access_check(self);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+- "Permission check on config file failed.\n");
++ "Permission check on config file %s failed: %d\n",
++ config_file, ret);
+ return ERR_INI_INVALID_PERMISSION;
+ }
+ } else {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+- "File %1$s does not exist.\n",
+- (config_file ? 
config_file : "NULL"));
++ "File %s does not exist.\n", config_file);
+ }
+
+ ret = sss_ini_parse(self);
+ if (ret != EOK) {
+ sss_ini_config_print_errors(self->error_list);
+- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration.\n");
++ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration file %s: %d\n",
++ config_file, ret);
+ return ERR_INI_PARSE_FAILED;
+ }
+
+ ret = sss_ini_add_snippets(self, config_dir);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+- "Error while reading configuration directory.\n");
++ "Error while reading configuration directory %s: %d\n",
++ config_dir, ret);
+ return ERR_INI_ADD_SNIPPETS_FAILED;
+ }
+
+-- 
+2.47.0
+
diff --git a/_scmsync.obsinfo b/_scmsync.obsinfo
index a092931..9d0500b 100644
--- a/_scmsync.obsinfo
+++ b/_scmsync.obsinfo
@@ -1,4 +1,4 @@
-mtime: 1721222057
-commit: 8faca55b4aa3e3e74cbabb4b015f0b7beb4b2f1dd7b98a27b382d43be057f672
-url: https://src.opensuse.org/pool/sssd
-revision: factory
+mtime: 1730841300
+commit: 6e6893108add570a0ec8a1cc983e87b11279bc98ee96e4f1af76ab397f1d0074
+url: https://src.opensuse.org/jengelh/sssd
+revision: master
diff --git a/build.specials.obscpio b/build.specials.obscpio
index 3ea1e2e..a63500c 100644
--- a/build.specials.obscpio
+++ b/build.specials.obscpio
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:c18d7bdbfefa831e2d93711cb40de6966d0c640e4ec9dccbb61cf299ca5aedaf
+oid sha256:b7a95490a831fb30d7292118e7a21e6aa16cf2dbbe3f4d6d804adf9189d0e397
 size 256
diff --git a/harden_sssd-kcm.service.patch b/harden_sssd-kcm.service.patch
index 183e0b0..5ff85b4 100644
--- a/harden_sssd-kcm.service.patch
+++ b/harden_sssd-kcm.service.patch
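Review bot: The replacement `DEBUG(SSSDBG_CONF_SETTINGS, "File %s does not exist.\n", config_file);` drops the `(config_file ? config_file : "NULL")` guard the removed line carried, so a NULL `config_file` would now reach `%s` directly; the new `config_dir` argument in the `sss_ini_add_snippets` failure message has the same exposure. Whether either pointer can be NULL at this point is not visible in the hunk (`sss_ini_read_sssd_conf` begins before it), and `sss_ini_open` is already called with `config_file` unguarded a few lines earlier, so dropping the ternary may be deliberate; if it is, say so with a short comment on the non-NULL precondition, otherwise keep `config_file ? config_file : "NULL"` in the new format call.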
@@ -1,7 +1,11 @@
-Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
+---
+ src/sysv/systemd/sssd-kcm.service.in | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
 ===================================================================
---- sssd-2.5.2.orig/src/sysv/systemd/sssd-kcm.service.in
-+++ sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
+--- sssd-2.10.0.orig/src/sysv/systemd/sssd-kcm.service.in
++++ sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
 @@ -8,6 +8,19 @@ After=sssd-kcm.socket
  Also=sssd-kcm.socket
 
@@ -20,5 +24,5 @@ Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
 +RestrictRealtime=true
 +# end of automatic additions
  Environment=DEBUG_LOGGER=--logger=files
- ExecStartPre=-@sbindir@/sssd --genconf-section=kcm
- ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}
+ ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
+ ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
diff --git a/sssd-2.10.0.tar.gz b/sssd-2.10.0.tar.gz
new file mode 100644
index 0000000..38e2605
--- /dev/null
+++ b/sssd-2.10.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0b1167e8017209ec25b9683e0006947eaa0cfd7a8161bfea120bd8511006db0d
+size 9177851
diff --git a/sssd-2.10.0.tar.gz.asc b/sssd-2.10.0.tar.gz.asc
new file mode 100644
index 0000000..3783730
--- /dev/null
+++ b/sssd-2.10.0.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmcOPUoACgkQ09IbKRDP
+Z1myuA//anDvdZcQp0EUia2NsiWt2MFE8esmsEIN6QmEYjUxvEeXI9q4YJQimMi8
+wdt0zqZE1PLrTcroWaeGcgt2+CJWUbVanZtNn3oo7lUVYrLKemrUzavM7dXTaA43
+cdKAFyEO+nHJQ2yBNUt6sRXc3tM0H27yZs0iL+CcYu6YshUTbMnZuwdpz7DqDTN8
+nbG+LWa+U0en5mI3waP8Ionwmdv9AJAuCHQZLlZDpM0+YfGumcIUJdbxU/I8pqP8
+MQaulPv3e+BNwdbUiLlk0cXRjuEfSd0bmMa3MqB4IqMvvjACU0GuSgK3FDhutZJe
+HfmzYSo/Zntmr7F/eYLz6zy/GU3VewEilOyRV08oz+EVJRbGyo2t4k6PUYbn+I4V
+kJ/maed5jnBzIZGf6o+P1r+3mavJg7k2LDV4s48MsZ4Y5ED4X0c+boT1L5FZbquW
+gp99Di0RG4VoWiYOfVfszLzeDWOLbOrKMyA6PTqlmjGYAdV9SBwZP5WEdwXyPovo
+D7uual7Eqdd+Y/lt+8O4Wd+Y+a9xI2kwVFo8KYmHc8PhgLpPIKTWbBTEI+0nw3fJ
+qqyyA7JWA81bt4WKVuJaeS87S/9F4yn8ps2dzSgHjZ2Tzr7Eu1a3RWLjKYsjKZrT
+PPd2d/02rQAZPwLYHN5qM3Xjh0DD7IiXav1QuIPxmUQA9z8ZiuA=
+=mJVY
+-----END PGP SIGNATURE-----
diff --git a/sssd-2.9.5.tar.gz b/sssd-2.9.5.tar.gz
deleted file mode 100644
index 09b8ff1..0000000
--- a/sssd-2.9.5.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:bf955cc26b6d215bbb9083eadb613f78d7b727fb023f39987aec37680ae40ae3
-size 8001964
diff --git a/sssd-2.9.5.tar.gz.asc b/sssd-2.9.5.tar.gz.asc
deleted file mode 100644
index 05b00fc..0000000
--- a/sssd-2.9.5.tar.gz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmZF8CMACgkQ09IbKRDP
-Z1lSVQ/9EPVvWUX1z/pHfbvDjRpfD+LDbDceYB4YBh0caYpMVFm/2wHhFIjTYEpf
-SmIR+SQp50NkRSK6tE/u+Swu+YUkiCqnEWv2y9wd4Uh2NKiukyiqBC1k2cn9URNu
-oRreBM1KIRvTkdoyZwteELJ7vMLVr0UT2iIXZQFIIZX+LM3FNZJ5vFcj5fF0Hz1f
-v8zR0VTB7xY/6U+4KikvMyM3fOPeTOJvEtMp4xDWyquRjCADjZasOQcKRQzXp1er
-zs/qLcQ8eCODXhKelGqmppVIElW+72f1FNbMpBnlQ7VtFn6pn4sPazO0Hr7eNfZJ
-Vc6GXN8zZ/oF5U4x7XSMVqeOHLQoLeb2HxgUzS+1Ig19FHOs6Xoj0dO5l/TOEFav
-l61qytYnj3DNZjrMVLsMvOx3qGYK7PmyaWNoIJlLO2GbWKMP/8yBm35Ugd0jybSi
-T7VWX+isQHfVhSZ9wD4/yYOBAU3lABORAjXkCWQp/vMR/KiHbfaajCAbl56KiijQ
-eKYaq57EH3N+qKd1sqCrPfSw3HSqm3rngG1CsMasBQgLFs2aW+Mwo3UvQ1U/ykED
-mOo2D9uhOQluv4AUSpKK6E8EXoPSxDFZI4WX37depO2VGXDO90JNfVamJXjy1+bH
-d/RnoZfC7h7Vb1P1bPgGdsAFQBOP0FinbEjehpw0P0U2xAZQWek=
-=pY7t
------END PGP SIGNATURE-----
diff --git a/sssd.changes b/sssd.changes
index ec838e0..5b4d1eb 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -1,3 +1,42 @@
+-------------------------------------------------------------------
+Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt
+
+- Update to release 2.10.0
+ * The ``sssctl cache-upgrade`` command was removed. SSSD
+ performs automatic upgrades at startup when needed.
+ * Support of ``enumeration`` feature (i.e. ability to list all
+ users/groups using ``getent passwd/group`` without argument)
+ for AD/IPA providers is deprecated and might be removed in
+ further releases.
+ * The new tool ``sss_ssh_knownhosts`` can be used with ssh's
+ ``KnownHostsCommand`` configuration option to retrieve the
+ host's public keys from a remote server (FreeIPA, LDAP,
+ etc.). It replaces ```sss_ssh_knownhostsproxy``.
+ * The default value for ``ldap_id_use_start_tls`` changed from
+ false to true for improved security.
+ * https://github.com/SSSD/sssd/releases/tag/2.10.0
+- Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch,
+ 0001-INI-stop-using-libini_config-for-access-check.patch,
+ 0001-INI-relax-config-files-checks.patch,
+ 0001-Configuration-make-sure-etc-sssd-and-everything.patch
+- Fix socket activation of responders
+- Daemon runs now as unprivileged user 'sssd'
+
+-------------------------------------------------------------------
+Tue Oct 1 10:15:07 UTC 2024 - Jan Engelhardt
+
+- Update filelists involving memberof.so and idmap/sss.so to
+ avoid gobbling up one file into multiple sssd subpackages.
+ (Between samba-4.20 and 4.21, %ldbdir changes from
+ /usr/lib64/ldb2/modules/ldb to /usr/lib64/samba/ldb, so now
+ `%_libdir/samba` is a bit too broad.)
+
+-------------------------------------------------------------------
+Wed Jul 17 09:19:20 UTC 2024 - Samuel Cabrero
+
+- Fix spec file for openSUSE ALP and SUSE SLFO, where the
+ python3_fix_shebang_path RPM macro is not available
+
 -------------------------------------------------------------------
 Thu Jul 11 09:41:21 UTC 2024 - Samuel Cabrero
 
diff --git a/sssd.spec b/sssd.spec
index 41a153c..d360e18 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -17,7 +17,7 @@
 
 
 Name: sssd
-Version: 2.9.5
+Version: 2.10.0
 Release: 0
 Summary: System Security Services Daemon
 License: GPL-3.0-or-later AND LGPL-3.0-or-later
@@ -28,10 +28,14 @@ Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%v
 Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc
 Source3: baselibs.conf
 Source5: %name.keyring
-Patch1: krb-noversion.diff
-Patch2: harden_sssd-ifp.service.patch
-Patch3: harden_sssd-kcm.service.patch
-Patch4: symvers.patch
+Patch3: 0001-sssd-always-print-path-when-config-object-is-rejecte.patch
+Patch4: 0001-INI-stop-using-libini_config-for-access-check.patch
+Patch5: 0001-INI-relax-config-files-checks.patch
+Patch6: 0001-Configuration-make-sure-etc-sssd-and-everything.patch
+Patch11: krb-noversion.diff
+Patch12: harden_sssd-ifp.service.patch
+Patch13: harden_sssd-kcm.service.patch
+Patch14: symvers.patch
 BuildRequires: autoconf >= 2.59
 BuildRequires: automake
 BuildRequires: bind-utils
@@ -53,21 +57,26 @@ BuildRequires: nss_wrapper
 BuildRequires: openldap2-devel
 BuildRequires: pam-devel
 BuildRequires: pkg-config >= 0.21
+BuildRequires: python3-wheel
+BuildRequires: python3-setuptools
 BuildRequires: systemd-rpm-macros
+BuildRequires: sysuser-tools
 BuildRequires: uid_wrapper
 BuildRequires: pkgconfig(augeas) >= 1.0.0
 BuildRequires: pkgconfig(collection) >= 0.5.1
 BuildRequires: pkgconfig(dbus-1) >= 1.0.0
 BuildRequires: pkgconfig(dhash) >= 0.4.2
 BuildRequires: pkgconfig(glib-2.0)
-BuildRequires: pkgconfig(ini_config) >= 1.1.0
+BuildRequires: pkgconfig(ini_config) >= 1.3
 BuildRequires: pkgconfig(jansson)
-BuildRequires: pkgconfig(ldb) >= 0.9.2
+BuildRequires: pkgconfig(ldb) >= 1.2.0
+BuildRequires: pkgconfig(libcap)
 BuildRequires: pkgconfig(libcares)
-BuildRequires: pkgconfig(libcrypto)
+BuildRequires: pkgconfig(libcrypto) >= 1.0.1
 %if 0%{?suse_version} >= 1600
 BuildRequires: pkgconfig(libcurl)
 %endif
+BuildRequires: pkgconfig(libcap)
 BuildRequires: pkgconfig(libnfsidmap)
 BuildRequires: pkgconfig(libnl-3.0) >= 3.0
 BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0
@@ -86,7 +95,17 @@ BuildRequires: pkgconfig(talloc)
 BuildRequires: pkgconfig(tdb) >= 1.1.3
 BuildRequires: pkgconfig(tevent)
 BuildRequires: pkgconfig(uuid)
+%if 0%{?suse_version} && 0%{?suse_version} < 1600
+# samba-client-devel pulls samba-client-libs pulls libldap-2_4-2 wants libldap-data(-2.4);
+# this conflicts with
+# openldap2-devel pulls libldap2 wants libldap-data(-2.6)
+# Package contains just config files, not needed for build.
+#!BuildIgnore: libldap-data
+%endif
+%sysusers_requires
 %{?systemd_ordering}
+Requires(post): permissions
+Requires(verify): permissions
 Requires: sssd-ldap = %version-%release
 Requires(postun): pam-config
 Provides: libsss_sudo = %version-%release
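Review bot: `BuildRequires: pkgconfig(libcap)` is added twice in this hunk, once after `pkgconfig(ldb)` and again right after the `%endif` closing the libcurl conditional; rpmbuild tolerates the duplicate, but one line should go, preferably the second so the pkgconfig() list stays alphabetical. In the same hunk `python3-wheel` is inserted before `python3-setuptools`, breaking the otherwise sorted order of the plain BuildRequires lines.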
@@ -95,16 +114,20 @@ Obsoletes: libsss_sudo < %version-%release
 Provides: sssd-common = %version-%release
 Obsoletes: sssd-common < %version-%release
 
+%global sssd_user sssd
 %define servicename sssd
 %define sssdstatedir %_localstatedir/lib/sss
 %define dbpath %sssdstatedir/db
 %define pipepath %sssdstatedir/pipes
 %define pubconfpath %sssdstatedir/pubconf
 %define gpocachepath %sssdstatedir/gpo_cache
+%define keytabdir %sssdstatedir/keytabs
+%define mcpath %sssdstatedir/mc
 %define ldbdir %(pkg-config ldb --variable=modulesdir)
+%define child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
 # Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
-# %_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
+# %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
 # * cifs-utils one is the default (priority 20)
 # * installing SSSD should NOT switch to SSSD plugin (priority 10)
 %define cifs_idmap_plugin %_sysconfdir/cifs-utils/idmap-plugin
@@ -115,11 +138,11 @@ Requires(post): update-alternatives
 Requires(postun): update-alternatives
 
 %description
-Provides a set of daemons to manage access to remote directories and
-authentication mechanisms. It provides an NSS and PAM interface toward
-the system and a pluggable backend system to connect to multiple different
-account sources. It is also the basis to provide client auditing and policy
-services for projects like FreeIPA.
+A set of daemons to manage access to remote directories and
+authentication mechanisms. sssd provides an NSS and PAM interfaces
+toward the system and a pluggable backend system to connect to
+multiple different account sources. It is also the basis to provide
+client auditing and policy services for projects like FreeIPA.
 
 %package ad
 Summary: The ActiveDirectory backend plugin for sssd
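Review bot: The rewritten %description reads `sssd provides an NSS and PAM interfaces toward the system`, pairing a singular article with a plural noun; either `sssd provides NSS and PAM interfaces toward the system` or `provides an NSS and a PAM interface` fixes it. In the -95,16 hunk on the same line, `%global sssd_user sssd` is placed among `%define` lines; its only visible use is the `--with-sssd-user="%sssd_user"` configure flag further down, so unless the global scope is needed in a place not shown here, `%define sssd_user sssd` would match its neighbours and avoid a reader wondering why this one macro differs.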
@@ -129,9 +152,8 @@ Requires: %name-krb5-common = %version-%release
 Requires: adcli
 
 %description ad
-Provides the Active Directory back end that the SSSD can utilize to
-fetch identity data from and authenticate against an Active Directory
-server.
+A back-end provider that the SSSD can utilize to fetch identity data
+from, and authenticate with, an Active Directory server.
 
 %package dbus
 Summary: The D-Bus responder of sssd
@@ -140,7 +162,7 @@ Group: System/Base
 Requires: %name = %version
 
 %description dbus
-Provides the D-Bus responder of sssd, called InfoPipe, which allows
+D-Bus responder of sssd, called InfoPipe, which allows
 information from sssd to be transmitted over the system bus.
 
 %package ipa
@@ -154,8 +176,8 @@ Obsoletes: %name-ipa-provider < %version-%release
 Provides: %name-ipa-provider = %version-%release
 
 %description ipa
-Provides the IPA back end that the SSSD can utilize to fetch identity
-data from and authenticate against an IPA server.
+A back-end provider that the SSSD can utilize to fetch identity data
+from, and authenticate with, an IPA server.
 
 %package kcm
 Summary: SSSD's Kerberos cache manager
@@ -174,14 +196,16 @@ Group: System/Daemons
 Requires: %name-krb5-common = %version-%release
 
 %description krb5
-Provides the Kerberos back end that the SSSD can utilize authenticate
-against a Kerberos server.
+A back-end provider that the SSSD can utilize to authenticate against
+a Kerberos server.
 
 %package krb5-common
 Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
 License: GPL-3.0-or-later
 Group: System/Daemons
 Requires: cyrus-sasl-gssapi
+Requires(post): permissions
+Requires(verify): permissions
 
 %description krb5-common
 Provides helper processes that the LDAP and Kerberos back ends can
@@ -194,8 +218,8 @@ Group: System/Daemons
 Requires: %name-krb5-common = %version-%release
 
 %description ldap
-Provides the LDAP back end that the SSSD can utilize to fetch
-identity data from and authenticate against an LDAP server.
+A back-end provider that the SSSD can utilize to fetch identity data
+from, and authenticate with, an LDAP server.
 
 %package proxy
 Summary: The proxy backend plugin for sssd
@@ -203,8 +227,8 @@ License: GPL-3.0-or-later
 Group: System/Daemons
 
 %description proxy
-Provides the proxy back end which can be used to wrap an existing NSS
-and/or PAM modules to leverage SSSD caching.
+A back-end provider which can be used to wrap existing NSS and/or PAM
+modules to leverage SSSD caching. (This can replace nscd.)
 
 %package tools
 Summary: Commandline tools for sssd
@@ -214,7 +238,7 @@ Requires: python3-sssd-config = %version-%release
 Requires: sssd = %version
 
 %description tools
-The packages contains commandline tools for managing users and groups using
+The packages contains command-line tools for managing users and groups using
 the "local" id provider of the System Security Services Daemon (sssd).
 
 %package winbind-idmap
@@ -231,7 +255,7 @@ License: LGPL-3.0-or-later
 Group: System/Libraries
 
 %description -n libsss_certmap0
-A utility library for FreeIPA to map certs.
+A utility library for FreeIPA to map certificates.
 
 %package -n libsss_certmap-devel
 Summary: Development files for the FreeIPA certmap library
@@ -240,7 +264,7 @@ Group: Development/Libraries/C and C++
 Requires: libsss_certmap0 = %version
 
 %description -n libsss_certmap-devel
-A utility library for FreeIPA to map certs.
+A utility library for FreeIPA to map certificates.
 
 %package -n libipa_hbac0
 Summary: FreeIPA HBAC Evaluator library
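Review bot: The -214,7 hunk rewrites the line to `The packages contains command-line tools for managing users and groups using` but keeps the subject/verb mismatch that was already there; since the line is being touched anyway, `The package contains command-line tools for managing users and groups using` fixes both in one edit. The `%description tools` text is the only place in this file section where a pre-existing grammar error survives a rewrite of the same line.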
@@ -304,7 +328,6 @@ Requires: libsss_nss_idmap0 = %version
 %description -n libsss_nss_idmap-devel
 A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs.
 
-%if 0%{?suse_version} < 1600
 %package -n libsss_simpleifp0
 Summary: The SSSD D-Bus responder helper library
 License: GPL-3.0-or-later
@@ -327,7 +350,6 @@ Requires: libsss_simpleifp0 = %version
 This subpackage provides the development files for sssd's simpleifp, a
 library that simplifies the D-Bus API for the SSSD InfoPipe responder.
 
-%endif
 
 %package -n libsss_sudo
 Summary: A library to allow communication between sudo and SSSD
@@ -394,33 +416,32 @@ autoreconf -fiv
 --with-environment-file="%_sysconfdir/sysconfig/sssd" \
 --with-initscript=systemd \
 --with-syslog=journald \
- --with-pid-path="%_rundir" \
- --enable-nsslibdir="/%_lib" \
+ --with-pid-path="%_rundir/sssd" \
 --enable-pammoddir="%_pam_moduledir" \
 --with-ldb-lib-dir="%ldbdir" \
 --with-os=suse \
 --disable-ldb-version-check \
 --without-python2-bindings \
 --without-oidc-child \
+ --with-sssd-user="%sssd_user" \
 %if 0%{?suse_version} >= 1600
 --with-selinux=yes \
 --with-subid
 %else
 --with-selinux=no \
- --with-semanage=no \
 --with-libsifp \
 --with-files-provider
 %endif
 %make_build all
 
 %install
-# sss_obfuscate is compatible with both python 2 and 3
+# sss_obfuscate is compatible with both Python 2 and 3
 perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate
 %make_install dbuspolicydir=%_datadir/dbus-1/system.d
 b="%buildroot"
 
 # Copy some defaults
-%if %{?_distconfdir:1}
+%if "%{?_distconfdir}" != ""
 install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_distconfdir/sssd/sssd.conf"
 install -d -m 0755 "$b/%_distconfdir/sssd/conf.d"
 %else
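Review bot: The `%if 0%{?suse_version} < 1600` / `%endif` guards around the `libsss_simpleifp0` and `libsss_simpleifp-devel` subpackages are removed in the -304,7 and -327,7 hunks, but in the configure hunk (-394,33) `--with-libsifp` is still passed only in the `%else` branch of `%if 0%{?suse_version} >= 1600`; on 16.x and later the subpackages are therefore declared while the library is not configured, which will fail at `%files` time unless the corresponding `%files` sections (outside this view) remain conditional. Either keep the guards around the `%package`/`%description` stanzas or pass `--with-libsifp` on both branches. Also in the configure hunk, `--enable-nsslibdir="/%_lib"` is dropped without a replacement, so the NSS module now lands wherever the upstream default puts it; a short comment next to the new `--with-pid-path="%_rundir/sssd"` line explaining both changes would help the next rebase.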
@@ -448,20 +469,40 @@ find "$b" -type f -name "*.la" -print -delete %find_lang %name --all-name # dummy target for cifs-idmap-plugin -mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils -ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin +mkdir -pv "$b/%_sysconfdir/alternatives" "$b/%_sysconfdir/cifs-utils" +ln -sfv "%_sysconfdir/alternatives/%cifs_idmap_name" "$b/%cifs_idmap_plugin" %python3_fix_shebang -%if 0%{?suse_version} >= 1600 -%python3_fix_shebang_path %buildroot/%_libexecdir/%name/ +%if 0%{?suse_version} > 1600 +%python3_fix_shebang_path %buildroot/%_libexecdir/%name/sss_analyze +%elif 0%{?suse_version} == 1600 +# python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204 +sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analyze" %endif +echo 'u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin' >system-user-sssd.conf +mkdir -p "$b/%_sysusersdir" "$b/etc/permissions.d" +cp -a system-user-sssd.conf "$b/%_sysusersdir/" +%sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf +install -Dpm 0644 contrib/sssd-tmpfiles.conf "%buildroot/%_tmpfilesdir/%name.conf" +# should match entry from %%files list +cat >"$b/etc/permissions.d/sssd" <<-EOF + %_libexecdir/sssd/sssd_pam root:sssd 0750 + +capabilities cap_dac_read_search=p + %_libexecdir/sssd/selinux_child root:sssd 0750 + +capabilities %child_capabilities + %_libexecdir/sssd/krb5_child root:sssd 0750 + +capabilities %child_capabilities + %_libexecdir/sssd/ldap_child root:sssd 0750 + +capabilities %child_capabilities +EOF + %check # sss_config-tests fails %make_build check || : -%pre -%service_add_pre sssd.service -%if %{?_distconfdir:1} +%pre -f random.pre +%service_add_pre sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket 
sssd-sudo.service sssd-sudo.socket +%if "%{?_distconfdir}" != "" # Prepare for migration to /usr/etc; save any old .rpmsave for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i.rpmsave.old" || : 
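Review bot: The heredoc writes a permissions.d entry for `%_libexecdir/sssd/selinux_child` unconditionally, but the %files hunk later in this diff only packages selinux_child under `%if 0%{?suse_version} >= 1600`, and the next hunk repeats the unconditional reference in `%set_permissions` (%post) and `%verify_permissions` (%verifyscript). On < 1600 those refer to a file this package does not ship; at best chkstat skips it, at worst the verify script reports on a path that is not ours, so the three lines belong under the same `%if` as the %files entry. The heredoc also hard-codes `root:sssd` while the %files entries it is meant to mirror use `%attr(750,root,%sssd_user)`; writing `%_libexecdir/sssd/sssd_pam root:%sssd_user 0750` keeps the two in step as the "should match" comment intends. The %install section this hunk ends starts before the hunk.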
@@ -474,38 +515,38 @@ done if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then /bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' "%_sysconfdir/sssd/sssd.conf" fi -%service_add_post sssd.service +%service_add_post sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket + +%_bindir/rm -f %mcpath/passwd %mcpath/group %mcpath/initgroups %mcpath/sid +%tmpfiles_create %name.conf +%set_permissions %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam # install SSSD cifs-idmap plugin as an alternative update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority %preun -%service_del_preun sssd.service +%service_del_preun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket %postun /sbin/ldconfig -if [ "$1" = "0" -a -x "%_sbindir/pam-config" ]; then +if [ "$1" = "0" ] && [ -x "%_sbindir/pam-config" ]; then "%_sbindir/pam-config" -d --sss || : fi # del_postun includes a try-restart -%service_del_postun sssd.service +%service_del_postun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket if [ ! 
-f "%cifs_idmap_lib" ]; then update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib fi -%post -n libsss_certmap0 -p /sbin/ldconfig -%postun -n libsss_certmap0 -p /sbin/ldconfig -%post -n libipa_hbac0 -p /sbin/ldconfig -%postun -n libipa_hbac0 -p /sbin/ldconfig -%post -n libsss_idmap0 -p /sbin/ldconfig -%postun -n libsss_idmap0 -p /sbin/ldconfig -%post -n libsss_nss_idmap0 -p /sbin/ldconfig -%postun -n libsss_nss_idmap0 -p /sbin/ldconfig -%if 0%{?suse_version} < 1600 -%post -n libsss_simpleifp0 -p /sbin/ldconfig -%postun -n libsss_simpleifp0 -p /sbin/ldconfig -%endif +%ldconfig_scriptlets -n libsss_certmap0 +%ldconfig_scriptlets -n libipa_hbac0 +%ldconfig_scriptlets -n libsss_idmap0 +%ldconfig_scriptlets -n libsss_nss_idmap0 +%ldconfig_scriptlets -n libsss_simpleifp0 + +%verifyscript +%verify_permissions -e %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam %triggerun -- %name < %version-%release # sssd takes care of upgrading the database but it doesn't handle downgrades. 
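Review bot: The twelve-unit list is now spelled out verbatim four times, in `%service_add_post`, `%service_del_preun` and `%service_del_postun` here and in `%service_add_pre` in the previous hunk, which makes the next unit addition or removal a four-place edit that is easy to get half right. Defining it once in the preamble (outside this diff), e.g. `%define sssd_units sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service ... sssd-sudo.socket`, and writing `%service_add_post %sssd_units` in each scriptlet keeps the lists in sync by construction. The kcm units already follow that pattern of being handled in their own scriptlets, so only the main-package list needs the macro.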
@@ -540,21 +581,31 @@ fi %postun kcm %service_del_postun sssd-kcm.service sssd-kcm.socket +%pre krb5-common -f random.pre + +%post krb5-common +%set_permissions %_libexecdir/%name/krb5_child %_libexecdir/%name/ldap_child + +%verifyscript krb5-common +%verify_permissions -e %_libexecdir/%name/krb5_child %_libexecdir/%name/ldap_child + +%pre proxy -f random.pre + %pretrans # Migrate sssd.service from sssd-common to sssd systemctl is-enabled sssd.service > /dev/null if [ $? -eq 0 ]; then -mkdir -p /run/systemd/rpm/ -touch /run/systemd/rpm/sssd-was-enabled + mkdir -p /run/systemd/rpm/ + touch /run/systemd/rpm/sssd-was-enabled fi systemctl is-active sssd.service > /dev/null if [ $? -eq 0 ]; then -mkdir -p /run/systemd/rpm/ -touch /run/systemd/rpm/sssd-was-active + mkdir -p /run/systemd/rpm/ + touch /run/systemd/rpm/sssd-was-active fi %posttrans -%if %{?_distconfdir:1} +%if "%{?_distconfdir}" != "" # Migration to /usr/etc, restore just created .rpmsave for i in sssd/sssd.conf logrotate.d/sssd pam.d/sssd-shadowutils ; do test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i" || : 
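Review bot: `systemctl is-enabled sssd.service > /dev/null` followed by `if [ $? -eq 0 ]; then` in the re-indented %pretrans block only silences stdout; on a fresh install, where the unit does not exist yet, systemctl's failure message goes to stderr in the middle of the transaction, and the same pattern recurs in the %posttrans hunk that follows. The idiomatic form also removes the exit-status indirection: `if systemctl is-enabled sssd.service >/dev/null 2>&1; then`. Since this hunk already rewrites these lines for indentation, it is the natural place to tidy the test as well.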
@@ -562,20 +613,20 @@ done %endif # Migrate sssd.service from sssd-common to sssd if [ -e /run/systemd/rpm/sssd-was-enabled ]; then -systemctl is-enabled sssd.service > /dev/null -if [ $? -ne 0 ]; then - echo "Migrating sssd.service, was enabled" - systemctl enable sssd.service -fi -rm /run/systemd/rpm/sssd-was-enabled + systemctl is-enabled sssd.service >/dev/null + if [ $? -ne 0 ]; then + echo "Migrating sssd.service, was enabled" + systemctl enable sssd.service + fi + rm /run/systemd/rpm/sssd-was-enabled fi if [ -e /run/systemd/rpm/sssd-was-active ]; then -systemctl is-active sssd.service > /dev/null -if [ $? -ne 0 ]; then - echo "Migrating sssd.service, was active" - systemctl start sssd.service -fi -rm /run/systemd/rpm/sssd-was-active + systemctl is-active sssd.service >/dev/null + if [ $? -ne 0 ]; then + echo "Migrating sssd.service, was active" + systemctl start sssd.service + fi + rm /run/systemd/rpm/sssd-was-active fi %files -f sssd.lang @@ -588,12 +639,15 @@ fi %_unitdir/sssd-pac.socket %_unitdir/sssd-pac.service %_unitdir/sssd-pam.socket -%_unitdir/sssd-pam-priv.socket %_unitdir/sssd-pam.service %_unitdir/sssd-ssh.socket %_unitdir/sssd-ssh.service %_unitdir/sssd-sudo.socket %_unitdir/sssd-sudo.service +%_sysusersdir/*sssd* +%_tmpfilesdir/*sssd* +%_sysconfdir/permissions.d/* +%_datadir/polkit-1/ %_bindir/sss_ssh_* %_sbindir/sssd %if 0%{?suse_version} < 1600 
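Review bot: `%_datadir/polkit-1/` in the %files list claims the whole polkit-1 directory tree rather than the file sssd installs there, so the package co-owns directories that belong to polkit and will silently pick up anything else that lands beneath them in a future build. List the sssd-owned file explicitly, e.g. `%_datadir/polkit-1/rules.d/<sssd-rules-file>` (the exact name installed by `%make_install` is not visible in this diff). `%_sysconfdir/permissions.d/*` has the same shape; %install writes exactly one file there, so `%_sysconfdir/permissions.d/sssd` is both tighter and self-documenting.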
@@ -650,32 +704,33 @@ fi
 %_libexecdir/%name/sssd_autofs
 %_libexecdir/%name/sssd_be
 %_libexecdir/%name/sssd_nss
-%_libexecdir/%name/sssd_pam
+%attr(750,root,%sssd_user) %caps(cap_dac_read_search=p) %_libexecdir/%name/sssd_pam
 %_libexecdir/%name/sssd_ssh
 %_libexecdir/%name/sssd_sudo
 %_libexecdir/%name/sss_signal
 %_libexecdir/%name/sssd_check_socket_activated_responders
 %if 0%{?suse_version} >= 1600
-%_libexecdir/%name/selinux_child
+%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/selinux_child
 %endif
 %dir %sssdstatedir
-%attr(700,root,root) %dir %dbpath/
-%attr(755,root,root) %dir %pipepath/
-%attr(700,root,root) %dir %pipepath/private/
-%attr(755,root,root) %dir %pubconfpath/
-%attr(755,root,root) %dir %pubconfpath/krb5.include.d
-%attr(755,root,root) %dir %gpocachepath/
-%attr(755,root,root) %dir %sssdstatedir/mc/
-%attr(700,root,root) %dir %sssdstatedir/keytabs/
-%attr(750,root,root) %dir %_localstatedir/log/%name/
-%if %{?_distconfdir:1}
-%dir %_distconfdir/sssd/
-%%dir %_distconfdir/sssd/conf.d
-%config(noreplace) %_distconfdir/sssd/sssd.conf
+%attr(700,%sssd_user,%sssd_user) %dir %dbpath/
+%attr(755,%sssd_user,%sssd_user) %dir %pipepath/
+%attr(700,%sssd_user,%sssd_user) %dir %pipepath/private/
+%attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/
+%attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/krb5.include.d
+%attr(755,%sssd_user,%sssd_user) %dir %gpocachepath/
+%attr(755,%sssd_user,%sssd_user) %dir %mcpath/
+%attr(700,%sssd_user,%sssd_user) %dir %keytabdir/
+%attr(750,%sssd_user,%sssd_user) %dir %_localstatedir/log/%name/
+%attr(775,%sssd_user,%sssd_user) %dir %sssdstatedir/
+%if "%{?_distconfdir}" != ""
+%attr(750,root,%sssd_user) %dir %_distconfdir/sssd/
+%attr(750,root,%sssd_user) %dir %_distconfdir/sssd/conf.d
+%attr(640,root,%sssd_user) %_distconfdir/sssd/sssd.conf
 %else
-%dir %_sysconfdir/sssd/
-%%dir %_sysconfdir/sssd/conf.d
-%config(noreplace) %_sysconfdir/sssd/sssd.conf
+%attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/
+%attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/conf.d
+%ghost %attr(640,root,%sssd_user) %config(noreplace) %_sysconfdir/sssd/sssd.conf
 %endif
 %if 0%{?suse_version} > 1500
 %_distconfdir/logrotate.d/sssd
@@ -694,11 +749,12 @@ fi
 %else
 %exclude %_mandir/*/*/sssd-files.5.gz
 %endif
+%attr(775,%sssd_user,%sssd_user) %ghost %dir %_rundir/sssd
 %doc src/examples/sssd.conf
 #
 # sssd-client
 #
-/%_lib/libnss_sss.so.2
+%_libdir/libnss_sss.so.2
 %_pam_moduledir/pam_sss.so
 %_pam_moduledir/pam_sss_gss.so
 %_libdir/krb5/
@@ -783,8 +839,8 @@ fi
 %dir %_libdir/%name/
 %_libdir/%name/libsss_krb5_common.so
 %dir %_libexecdir/%name/
-%_libexecdir/%name/krb5_child
-%_libexecdir/%name/ldap_child
+%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/krb5_child
+%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/ldap_child
 
 %files ldap
 %dir %_libdir/%name/
@@ -801,7 +857,7 @@ fi
 %dir %_libdir/%name/
 %_libdir/%name/libsss_proxy.so
 %dir %_libexecdir/%name/
-%_libexecdir/%name/proxy_child
+%attr(750,root,%sssd_user) %_libexecdir/%name/proxy_child
 %dir %_datadir/%name/
 %dir %_datadir/%name/sssd.api.d/
 %_datadir/%name/sssd.api.d/sssd-proxy.conf
@@ -822,7 +878,8 @@ fi
 %python3_sitelib/sssd/
 
 %files winbind-idmap
-%_libdir/samba/
+%dir %_libdir/samba/
+%_libdir/samba/idmap/
 %_mandir/man8/idmap_sss.8*
 
 %files -n libipa_hbac0
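Review bot: The new `%attr(775,%sssd_user,%sssd_user) %dir %sssdstatedir/` line lists the same directory as the unchanged `%dir %sssdstatedir` a few lines above it, so rpm sees the state directory twice with different ownership and which attributes win is left to rpm's duplicate handling rather than stated; drop the bare `%dir %sssdstatedir` line so the sssd-owned entry is the only one. In the `%else` branch, `%ghost %attr(640,root,%sssd_user) %config(noreplace) %_sysconfdir/sssd/sssd.conf` takes the default configuration out of the payload on builds without %_distconfdir while the other branch still ships `%_distconfdir/sssd/sssd.conf` as a real file; if the %install `%else` branch (outside the configure hunk earlier in this diff) still copies src/examples/sssd-example.conf to that path, it is now built but never packaged. If leaving /etc/sssd/sssd.conf to the administrator is intended, `%config(noreplace)` adds nothing on a ghost and a one-line comment such as `# %ghost: no default sssd.conf is shipped below %_sysconfdir` would record the decision.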