pool/sssd
SHA256
3
0
Fork 4
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[info=6e6893108add570a0ec8a1cc983e87b11279bc98ee96e4f1af76ab397f1d0074]

Browse Source 
OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=330
This commit is contained in:
Jan Engelhardt 2024-11-27 10:12:37 +00:00 committed by Git OBS Bridge
parent be0ba00c3b
commit bbfc610706
13 changed files with 697 additions and 129 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

76
0001-Configuration-make-sure-etc-sssd-and-everything.patch Normal file
View File

@ -0,0 +1,76 @@
From 8db2df4fcbd09badafbc207bd4150b5f1cc2d5fb Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Thu, 24 Oct 2024 15:34:26 +0200
Subject: [PATCH] Configuration: make sure /etc/sssd and everything
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
beneath is owned by 'sssd' group and readable by group.
This should allow for reasonable rw-r----- root:sssd
At some points those chown/chmod can be removed.
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 518db322fdd5a4de41813fbe5bc35fc20392ce67)
---
contrib/sssd.spec.in | 4 ++--
src/sysv/systemd/sssd-kcm.service.in | 5 ++---
src/sysv/systemd/sssd.service.in | 6 ++----
3 files changed, 6 insertions(+), 9 deletions(-)
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 4fbacb959..83de563f3 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -1136,9 +1136,9 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d /run/sssd -s /sbin/nologi
%__rm -f %{mcpath}/group
%__rm -f %{mcpath}/initgroups
%__rm -f %{mcpath}/sid
+%__chown -f -R root:%{sssd_user} %{_sysconfdir}/sssd || true
+%__chmod -f -R g+r %{_sysconfdir}/sssd || true
%__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true
-%__chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true
-%__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true
%__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
%__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true
%__chown -f %{sssd_user}:%{sssd_user} %{gpocachepath}/* || true
diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
index 0c839ec5c..ba9e27cd9 100644
--- a/src/sysv/systemd/sssd-kcm.service.in
+++ b/src/sysv/systemd/sssd-kcm.service.in
@@ -9,9 +9,8 @@ Also=sssd-kcm.socket
[Service]
Environment=DEBUG_LOGGER=--logger=files
-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
+ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
+ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb"
ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log
ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER}
diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
index 37e0a63f8..a6f79ff8a 100644
--- a/src/sysv/systemd/sssd.service.in
+++ b/src/sysv/systemd/sssd.service.in
@@ -10,10 +10,8 @@ StartLimitBurst=5
[Service]
Environment=DEBUG_LOGGER=--logger=files
EnvironmentFile=-@environment_file@
-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/pki
+ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
+ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @dbpath@/*.ldb"
ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @gpocachepath@/*"
ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/*.log"
--
2.47.0

135
0001-INI-relax-config-files-checks.patch Normal file
View File

@ -0,0 +1,135 @@
From 340671f16abb9c26ae97b11c4e2845337e67973e Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 23 Oct 2024 20:59:32 +0200
Subject: [PATCH] INI: relax config files checks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Only make sure:
- user is root or sssd
- group is root or sssd
- other can't access it
Don't make any assumptions wrt user/group read/write-ability.
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 8472777ec472607ea450ddb4c4666017bd0de704)
---
src/man/sssd.conf.5.xml | 5 ++-
src/util/sss_ini.c | 68 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 70 insertions(+), 3 deletions(-)
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index a074cc674..bf10acb2a 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -57,9 +57,8 @@
readable, and writeable only by 'root'.
</para>
<para condition="with_non_root_user_support">
- <filename>sssd.conf</filename> must be a regular file that is owned,
- readable, and writeable by the same user as configured to run SSSD
- service.
+ <filename>sssd.conf</filename> must be a regular file that is
+ accessible only by the user used to run SSSD service or root.
</para>
</refsect1>
diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
index e989d8caf..74cf61e0e 100644
--- a/src/util/sss_ini.c
+++ b/src/util/sss_ini.c
@@ -26,6 +26,7 @@
#include <unistd.h>
#include <string.h>
#include <errno.h>
+#include <sys/stat.h>
#include <talloc.h>
#include "config.h"
@@ -781,6 +782,71 @@ int sss_ini_open(struct sss_ini *self,
return ret;
}
+static int access_check_file(const char *filename)
+{
+ int ret;
+ struct stat st;
+ uid_t uid;
+ gid_t gid;
+
+ sss_sssd_user_uid_and_gid(&uid, &gid);
+
+ ret = stat(filename, &st);
+ if (ret != 0) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "stat(%s) failed: %s\n",
+ filename, strerror(ret));
+ return EINVAL;
+ }
+
+ if ((st.st_uid != 0) && (st.st_uid != uid)) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected user owner of '%s': %"SPRIuid"\n",
+ filename, st.st_uid);
+ return ERR_INI_INVALID_PERMISSION;
+ }
+
+ if ((st.st_gid != 0) && (st.st_gid != gid)) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected group owner of '%s': %"SPRIgid"\n",
+ filename, st.st_gid);
+ return ERR_INI_INVALID_PERMISSION;
+ }
+
+ if ((st.st_mode & (S_IROTH|S_IWOTH|S_IXOTH)) != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected access to '%s' by other users\n",
+ filename);
+ return ERR_INI_INVALID_PERMISSION;
+ }
+
+ return EOK;
+}
+
+static int access_check_ini(struct sss_ini *self)
+{
+ int ret;
+ const char *path;
+ uint32_t i;
+ const char **snippet;
+ struct ref_array *used_snippets;
+
+ if (self->main_config_exists) {
+ path = ini_config_get_filename(self->file);
+ ret = access_check_file(path);
+ if (ret != EOK) {
+ return ret;
+ }
+ }
+
+ used_snippets = sss_ini_get_ra_success_list(self);
+ for (i = 0; (snippet = ref_array_get(used_snippets, i, NULL)) != NULL; ++i) {
+ ret = access_check_file(*snippet);
+ if (ret != EOK) {
+ return ret;
+ }
+ }
+
+ return EOK;
+}
+
int sss_ini_read_sssd_conf(struct sss_ini *self,
const char *config_file,
const char *config_dir)
@@ -833,5 +899,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
return ERR_INI_EMPTY_CONFIG;
}
+ ret = access_check_ini(self);
+
return ret;
}
--
2.47.0

182
0001-INI-stop-using-libini_config-for-access-check.patch Normal file
View File

@ -0,0 +1,182 @@
From 1d19b8ad9415e0a12ed3aaf039d4d0956ef4dbad Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Wed, 23 Oct 2024 19:53:09 +0200
Subject: [PATCH] INI: stop using 'libini_config' for access check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/util/sss_ini.c | 100 +----------------------------------------------------
src/util/sss_ini.h | 12 ------
2 files changed, 3 insertions(+), 109 deletions(-)
Index: sssd-2.10.0/src/util/sss_ini.c
===================================================================
--- sssd-2.10.0.orig/src/util/sss_ini.c
+++ sssd-2.10.0/src/util/sss_ini.c
@@ -147,81 +147,6 @@ static int sss_ini_config_file_from_mem(
&self->file);
}
-/* Check configuration file permissions */
-
-static bool is_running_sssd(void)
-{
- static char exe[1024];
- int ret;
- const char *s = NULL;
-
- ret = readlink("/proc/self/exe", exe, sizeof(exe) - 1);
- if ((ret > 0) && (ret < 1024)) {
- exe[ret] = 0;
- s = strstr(exe, debug_prg_name);
- if ((s != NULL) && (strlen(s) == strlen(debug_prg_name))) {
- return true;
- }
- }
-
- return false;
-}
-
-static int sss_ini_access_check(struct sss_ini *self)
-{
- int ret;
- uint32_t flags = INI_ACCESS_CHECK_MODE;
-
- if (!self->main_config_exists) {
- return EOK;
- }
-
- if (is_running_sssd()) {
- flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID;
- }
-
- ret = ini_config_access_check(self->file,
- flags,
- geteuid(),
- getegid(),
- S_IRUSR, /* r**------ */
- ALLPERMS & ~(S_IWUSR|S_IXUSR));
-
- return ret;
-}
-
-
-
-/* Get cstat */
-
-int sss_ini_get_stat(struct sss_ini *self)
-{
- self->cstat = ini_config_get_stat(self->file);
-
- if (!self->cstat) return EIO;
-
- return EOK;
-}
-
-
-
-/* Get mtime */
-
-int sss_ini_get_mtime(struct sss_ini *self,
- size_t timestr_len,
- char *timestr)
-{
- return snprintf(timestr, timestr_len, "%llu",
- (long long unsigned)self->cstat->st_mtime);
-}
-
-/* Get file_exists */
-
-bool sss_ini_exists(struct sss_ini *self)
-{
- return self->main_config_exists;
-}
-
/* Print ini_config errors */
static void sss_ini_config_print_errors(char **error_list)
@@ -289,7 +214,6 @@ static int sss_ini_add_snippets(struct s
uint32_t i = 0;
char *msg = NULL;
struct ini_cfgobj *modified_sssd_config = NULL;
- struct access_check snip_check;
if (self == NULL || self->sssd_config == NULL || config_dir == NULL) {
return EINVAL;
@@ -297,21 +221,11 @@ static int sss_ini_add_snippets(struct s
sss_ini_free_ra_messages(self);
- snip_check.flags = INI_ACCESS_CHECK_MODE;
-
- if (is_running_sssd()) {
- snip_check.flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID;
- }
- snip_check.uid = geteuid();
- snip_check.gid = getegid();
- snip_check.mode = S_IRUSR; /* r**------ */
- snip_check.mask = ALLPERMS & ~(S_IWUSR | S_IXUSR);
-
ret = ini_config_augment(self->sssd_config,
config_dir,
patterns,
sections,
- &snip_check,
+ NULL,
INI_STOP_ON_ANY,
INI_MV1S_OVERWRITE,
INI_PARSE_NOWRAP,
@@ -894,15 +808,7 @@ int sss_ini_read_sssd_conf(struct sss_in
return ERR_INI_OPEN_FAILED;
}
- if (sss_ini_exists(self)) {
- ret = sss_ini_access_check(self);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "Permission check on config file %s failed: %d\n",
- config_file, ret);
- return ERR_INI_INVALID_PERMISSION;
- }
- } else {
+ if (!self->main_config_exists) {
DEBUG(SSSDBG_CONF_SETTINGS,
"File %s does not exist.\n", config_file);
}
@@ -923,7 +829,7 @@ int sss_ini_read_sssd_conf(struct sss_in
return ERR_INI_ADD_SNIPPETS_FAILED;
}
- if (!sss_ini_exists(self) &&
+ if ((!self->main_config_exists) &&
(ref_array_len(sss_ini_get_ra_success_list(self)) == 0)) {
return ERR_INI_EMPTY_CONFIG;
}
Index: sssd-2.10.0/src/util/sss_ini.h
===================================================================
--- sssd-2.10.0.orig/src/util/sss_ini.h
+++ sssd-2.10.0/src/util/sss_ini.h
@@ -81,18 +81,6 @@ int sss_ini_open(struct sss_ini *self,
const char *fallback_cfg);
/**
- * @brief Check whether sss_ini_open() reported that ini file is
- * not present
- *
- * @param[in] self pointer to sss_ini structure
- *
- * @return
- * - true we are using ini file
- * - false file was not found
- */
-bool sss_ini_exists(struct sss_ini *self);
-
-/**
* @brief get Cstat structure of the ini file
*/
int sss_ini_get_stat(struct sss_ini *self);

75
0001-sssd-always-print-path-when-config-object-is-rejecte.patch Normal file
View File

@ -0,0 +1,75 @@
From 1a743a4123c104a10c694f7ee9d2f0a1e7182513 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt <jengelh@inai.de>
Date: Wed, 16 Oct 2024 09:55:50 +0200
Subject: [PATCH] sssd: always print path when config object is rejected
References: https://github.com/SSSD/sssd/pull/7649
Observed:
```
Oct 16 09:44:04 a4 sssd[28717]: [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
Oct 16 09:44:04 a4 sssd[28717]: Can't read config: 'File ownership and permissions check failed'
Oct 16 09:44:04 a4 sssd[28717]: Failed to read configuration: 'File ownership and permissions check failed'
```
Expected:
_Well yes, but **which one**_!?
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
(cherry picked from commit 2b7915dd84a6b8c3ee26e45357283677fe22f2cb)
---
src/util/sss_ini.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
index 7f9824d88..2a611eb8c 100644
--- a/src/util/sss_ini.c
+++ b/src/util/sss_ini.c
@@ -888,7 +888,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
ret = sss_ini_open(self, config_file, "[sssd]\n");
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
- "The sss_ini_open failed %s: %d\n",
+ "sss_ini_open on %s failed: %d\n",
config_file,
ret);
return ERR_INI_OPEN_FAILED;
@@ -898,26 +898,28 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
ret = sss_ini_access_check(self);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
- "Permission check on config file failed.\n");
+ "Permission check on config file %s failed: %d\n",
+ config_file, ret);
return ERR_INI_INVALID_PERMISSION;
}
} else {
DEBUG(SSSDBG_CONF_SETTINGS,
- "File %1$s does not exist.\n",
- (config_file ? config_file : "NULL"));
+ "File %s does not exist.\n", config_file);
}
ret = sss_ini_parse(self);
if (ret != EOK) {
sss_ini_config_print_errors(self->error_list);
- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration.\n");
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration file %s: %d\n",
+ config_file, ret);
return ERR_INI_PARSE_FAILED;
}
ret = sss_ini_add_snippets(self, config_dir);
if (ret != EOK) {
DEBUG(SSSDBG_FATAL_FAILURE,
- "Error while reading configuration directory.\n");
+ "Error while reading configuration directory %s: %d\n",
+ config_dir, ret);
return ERR_INI_ADD_SNIPPETS_FAILED;
}
--
2.47.0

8
_scmsync.obsinfo
View File

@ -1,4 +1,4 @@
mtime: 1721222057 mtime: 1730841300
commit: 8faca55b4aa3e3e74cbabb4b015f0b7beb4b2f1dd7b98a27b382d43be057f672 commit: 6e6893108add570a0ec8a1cc983e87b11279bc98ee96e4f1af76ab397f1d0074
url: https://src.opensuse.org/pool/sssd url: https://src.opensuse.org/jengelh/sssd
revision: factory revision: master

2
build.specials.obscpio
View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1 version https://git-lfs.github.com/spec/v1
oid sha256:c18d7bdbfefa831e2d93711cb40de6966d0c640e4ec9dccbb61cf299ca5aedaf oid sha256:b7a95490a831fb30d7292118e7a21e6aa16cf2dbbe3f4d6d804adf9189d0e397
size 256 size 256

14
harden_sssd-kcm.service.patch
View File

@ -1,7 +1,11 @@
Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in ---
src/sysv/systemd/sssd-kcm.service.in | 13 +++++++++++++
1 file changed, 13 insertions(+)
Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
=================================================================== ===================================================================
--- sssd-2.5.2.orig/src/sysv/systemd/sssd-kcm.service.in --- sssd-2.10.0.orig/src/sysv/systemd/sssd-kcm.service.in
+++ sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in +++ sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
@@ -8,6 +8,19 @@ After=sssd-kcm.socket @@ -8,6 +8,19 @@ After=sssd-kcm.socket
Also=sssd-kcm.socket Also=sssd-kcm.socket
@ -20,5 +24,5 @@ Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
+RestrictRealtime=true +RestrictRealtime=true
+# end of automatic additions +# end of automatic additions
Environment=DEBUG_LOGGER=--logger=files Environment=DEBUG_LOGGER=--logger=files
ExecStartPre=-@sbindir@/sssd --genconf-section=kcm ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER} ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@

BIN
sssd-2.10.0.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

16
sssd-2.10.0.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmcOPUoACgkQ09IbKRDP
Z1myuA//anDvdZcQp0EUia2NsiWt2MFE8esmsEIN6QmEYjUxvEeXI9q4YJQimMi8
wdt0zqZE1PLrTcroWaeGcgt2+CJWUbVanZtNn3oo7lUVYrLKemrUzavM7dXTaA43
cdKAFyEO+nHJQ2yBNUt6sRXc3tM0H27yZs0iL+CcYu6YshUTbMnZuwdpz7DqDTN8
nbG+LWa+U0en5mI3waP8Ionwmdv9AJAuCHQZLlZDpM0+YfGumcIUJdbxU/I8pqP8
MQaulPv3e+BNwdbUiLlk0cXRjuEfSd0bmMa3MqB4IqMvvjACU0GuSgK3FDhutZJe
HfmzYSo/Zntmr7F/eYLz6zy/GU3VewEilOyRV08oz+EVJRbGyo2t4k6PUYbn+I4V
kJ/maed5jnBzIZGf6o+P1r+3mavJg7k2LDV4s48MsZ4Y5ED4X0c+boT1L5FZbquW
gp99Di0RG4VoWiYOfVfszLzeDWOLbOrKMyA6PTqlmjGYAdV9SBwZP5WEdwXyPovo
D7uual7Eqdd+Y/lt+8O4Wd+Y+a9xI2kwVFo8KYmHc8PhgLpPIKTWbBTEI+0nw3fJ
qqyyA7JWA81bt4WKVuJaeS87S/9F4yn8ps2dzSgHjZ2Tzr7Eu1a3RWLjKYsjKZrT
PPd2d/02rQAZPwLYHN5qM3Xjh0DD7IiXav1QuIPxmUQA9z8ZiuA=
=mJVY
-----END PGP SIGNATURE-----

BIN
sssd-2.9.5.tar.gz (Stored with Git LFS)
View File

Binary file not shown.

16
sssd-2.9.5.tar.gz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmZF8CMACgkQ09IbKRDP
Z1lSVQ/9EPVvWUX1z/pHfbvDjRpfD+LDbDceYB4YBh0caYpMVFm/2wHhFIjTYEpf
SmIR+SQp50NkRSK6tE/u+Swu+YUkiCqnEWv2y9wd4Uh2NKiukyiqBC1k2cn9URNu
oRreBM1KIRvTkdoyZwteELJ7vMLVr0UT2iIXZQFIIZX+LM3FNZJ5vFcj5fF0Hz1f
v8zR0VTB7xY/6U+4KikvMyM3fOPeTOJvEtMp4xDWyquRjCADjZasOQcKRQzXp1er
zs/qLcQ8eCODXhKelGqmppVIElW+72f1FNbMpBnlQ7VtFn6pn4sPazO0Hr7eNfZJ
Vc6GXN8zZ/oF5U4x7XSMVqeOHLQoLeb2HxgUzS+1Ig19FHOs6Xoj0dO5l/TOEFav
l61qytYnj3DNZjrMVLsMvOx3qGYK7PmyaWNoIJlLO2GbWKMP/8yBm35Ugd0jybSi
T7VWX+isQHfVhSZ9wD4/yYOBAU3lABORAjXkCWQp/vMR/KiHbfaajCAbl56KiijQ
eKYaq57EH3N+qKd1sqCrPfSw3HSqm3rngG1CsMasBQgLFs2aW+Mwo3UvQ1U/ykED
mOo2D9uhOQluv4AUSpKK6E8EXoPSxDFZI4WX37depO2VGXDO90JNfVamJXjy1+bH
d/RnoZfC7h7Vb1P1bPgGdsAFQBOP0FinbEjehpw0P0U2xAZQWek=
=pY7t
-----END PGP SIGNATURE-----

39
sssd.changes
View File

@ -1,3 +1,42 @@
-------------------------------------------------------------------
Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
- Update to release 2.10.0
* The ``sssctl cache-upgrade`` command was removed. SSSD
performs automatic upgrades at startup when needed.
* Support of ``enumeration`` feature (i.e. ability to list all
users/groups using ``getent passwd/group`` without argument)
for AD/IPA providers is deprecated and might be removed in
further releases.
* The new tool ``sss_ssh_knownhosts`` can be used with ssh's
``KnownHostsCommand`` configuration option to retrieve the
host's public keys from a remote server (FreeIPA, LDAP,
etc.). It replaces ```sss_ssh_knownhostsproxy``.
* The default value for ``ldap_id_use_start_tls`` changed from
false to true for improved security.
* https://github.com/SSSD/sssd/releases/tag/2.10.0
- Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch,
0001-INI-stop-using-libini_config-for-access-check.patch,
0001-INI-relax-config-files-checks.patch,
0001-Configuration-make-sure-etc-sssd-and-everything.patch
- Fix socket activation of responders
- Daemon runs now as unprivileged user 'sssd'
-------------------------------------------------------------------
Tue Oct 1 10:15:07 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
- Update filelists involving memberof.so and idmap/sss.so to
avoid gobbling up one file into multiple sssd subpackages.
(Between samba-4.20 and 4.21, %ldbdir changes from
/usr/lib64/ldb2/modules/ldb to /usr/lib64/samba/ldb, so now
`%_libdir/samba` is a bit too broad.)
-------------------------------------------------------------------
Wed Jul 17 09:19:20 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
- Fix spec file for openSUSE ALP and SUSE SLFO, where the
python3_fix_shebang_path RPM macro is not available
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Jul 11 09:41:21 UTC 2024 - Samuel Cabrero <scabrero@suse.de> Thu Jul 11 09:41:21 UTC 2024 - Samuel Cabrero <scabrero@suse.de>

257
sssd.spec
View File

@ -17,7 +17,7 @@
Name: sssd Name: sssd
Version: 2.9.5 Version: 2.10.0
Release: 0 Release: 0
Summary: System Security Services Daemon Summary: System Security Services Daemon
License: GPL-3.0-or-later AND LGPL-3.0-or-later License: GPL-3.0-or-later AND LGPL-3.0-or-later
@ -28,10 +28,14 @@ Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%v
Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc
Source3: baselibs.conf Source3: baselibs.conf
Source5: %name.keyring Source5: %name.keyring
Patch1: krb-noversion.diff Patch3: 0001-sssd-always-print-path-when-config-object-is-rejecte.patch
Patch2: harden_sssd-ifp.service.patch Patch4: 0001-INI-stop-using-libini_config-for-access-check.patch
Patch3: harden_sssd-kcm.service.patch Patch5: 0001-INI-relax-config-files-checks.patch
Patch4: symvers.patch Patch6: 0001-Configuration-make-sure-etc-sssd-and-everything.patch
Patch11: krb-noversion.diff
Patch12: harden_sssd-ifp.service.patch
Patch13: harden_sssd-kcm.service.patch
Patch14: symvers.patch
BuildRequires: autoconf >= 2.59 BuildRequires: autoconf >= 2.59
BuildRequires: automake BuildRequires: automake
BuildRequires: bind-utils BuildRequires: bind-utils
@ -53,21 +57,26 @@ BuildRequires: nss_wrapper
BuildRequires: openldap2-devel BuildRequires: openldap2-devel
BuildRequires: pam-devel BuildRequires: pam-devel
BuildRequires: pkg-config >= 0.21 BuildRequires: pkg-config >= 0.21
BuildRequires: python3-wheel
BuildRequires: python3-setuptools
BuildRequires: systemd-rpm-macros BuildRequires: systemd-rpm-macros
BuildRequires: sysuser-tools
BuildRequires: uid_wrapper BuildRequires: uid_wrapper
BuildRequires: pkgconfig(augeas) >= 1.0.0 BuildRequires: pkgconfig(augeas) >= 1.0.0
BuildRequires: pkgconfig(collection) >= 0.5.1 BuildRequires: pkgconfig(collection) >= 0.5.1
BuildRequires: pkgconfig(dbus-1) >= 1.0.0 BuildRequires: pkgconfig(dbus-1) >= 1.0.0
BuildRequires: pkgconfig(dhash) >= 0.4.2 BuildRequires: pkgconfig(dhash) >= 0.4.2
BuildRequires: pkgconfig(glib-2.0) BuildRequires: pkgconfig(glib-2.0)
BuildRequires: pkgconfig(ini_config) >= 1.1.0 BuildRequires: pkgconfig(ini_config) >= 1.3
BuildRequires: pkgconfig(jansson) BuildRequires: pkgconfig(jansson)
BuildRequires: pkgconfig(ldb) >= 0.9.2 BuildRequires: pkgconfig(ldb) >= 1.2.0
BuildRequires: pkgconfig(libcap)
BuildRequires: pkgconfig(libcares) BuildRequires: pkgconfig(libcares)
BuildRequires: pkgconfig(libcrypto) BuildRequires: pkgconfig(libcrypto) >= 1.0.1
%if 0%{?suse_version} >= 1600 %if 0%{?suse_version} >= 1600
BuildRequires: pkgconfig(libcurl) BuildRequires: pkgconfig(libcurl)
%endif %endif
BuildRequires: pkgconfig(libcap)
BuildRequires: pkgconfig(libnfsidmap) BuildRequires: pkgconfig(libnfsidmap)
BuildRequires: pkgconfig(libnl-3.0) >= 3.0 BuildRequires: pkgconfig(libnl-3.0) >= 3.0
BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0 BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0
@ -86,7 +95,17 @@ BuildRequires: pkgconfig(talloc)
BuildRequires: pkgconfig(tdb) >= 1.1.3 BuildRequires: pkgconfig(tdb) >= 1.1.3
BuildRequires: pkgconfig(tevent) BuildRequires: pkgconfig(tevent)
BuildRequires: pkgconfig(uuid) BuildRequires: pkgconfig(uuid)
%if 0%{?suse_version} && 0%{?suse_version} < 1600
# samba-client-devel pulls samba-client-libs pulls libldap-2_4-2 wants libldap-data(-2.4);
# this conflicts with
# openldap2-devel pulls libldap2 wants libldap-data(-2.6)
# Package contains just config files, not needed for build.
#!BuildIgnore: libldap-data
%endif
%sysusers_requires
%{?systemd_ordering} %{?systemd_ordering}
Requires(post): permissions
Requires(verify): permissions
Requires: sssd-ldap = %version-%release Requires: sssd-ldap = %version-%release
Requires(postun): pam-config Requires(postun): pam-config
Provides: libsss_sudo = %version-%release Provides: libsss_sudo = %version-%release
@ -95,16 +114,20 @@ Obsoletes: libsss_sudo < %version-%release
Provides: sssd-common = %version-%release Provides: sssd-common = %version-%release
Obsoletes: sssd-common < %version-%release Obsoletes: sssd-common < %version-%release
%global sssd_user sssd
%define servicename sssd %define servicename sssd
%define sssdstatedir %_localstatedir/lib/sss %define sssdstatedir %_localstatedir/lib/sss
%define dbpath %sssdstatedir/db %define dbpath %sssdstatedir/db
%define pipepath %sssdstatedir/pipes %define pipepath %sssdstatedir/pipes
%define pubconfpath %sssdstatedir/pubconf %define pubconfpath %sssdstatedir/pubconf
%define gpocachepath %sssdstatedir/gpo_cache %define gpocachepath %sssdstatedir/gpo_cache
%define keytabdir %sssdstatedir/keytabs
%define mcpath %sssdstatedir/mc
%define ldbdir %(pkg-config ldb --variable=modulesdir) %define ldbdir %(pkg-config ldb --variable=modulesdir)
%define child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko # Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
# %_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins # %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
# * cifs-utils one is the default (priority 20) # * cifs-utils one is the default (priority 20)
# * installing SSSD should NOT switch to SSSD plugin (priority 10) # * installing SSSD should NOT switch to SSSD plugin (priority 10)
%define cifs_idmap_plugin %_sysconfdir/cifs-utils/idmap-plugin %define cifs_idmap_plugin %_sysconfdir/cifs-utils/idmap-plugin
@ -115,11 +138,11 @@ Requires(post): update-alternatives
Requires(postun): update-alternatives Requires(postun): update-alternatives
%description %description
Provides a set of daemons to manage access to remote directories and A set of daemons to manage access to remote directories and
authentication mechanisms. It provides an NSS and PAM interface toward authentication mechanisms. sssd provides an NSS and PAM interfaces
the system and a pluggable backend system to connect to multiple different toward the system and a pluggable backend system to connect to
account sources. It is also the basis to provide client auditing and policy multiple different account sources. It is also the basis to provide
services for projects like FreeIPA. client auditing and policy services for projects like FreeIPA.
%package ad %package ad
Summary: The ActiveDirectory backend plugin for sssd Summary: The ActiveDirectory backend plugin for sssd
@ -129,9 +152,8 @@ Requires: %name-krb5-common = %version-%release
Requires: adcli Requires: adcli
%description ad %description ad
Provides the Active Directory back end that the SSSD can utilize to A back-end provider that the SSSD can utilize to fetch identity data
fetch identity data from and authenticate against an Active Directory from, and authenticate with, an Active Directory server.
server.
%package dbus %package dbus
Summary: The D-Bus responder of sssd Summary: The D-Bus responder of sssd
@ -140,7 +162,7 @@ Group: System/Base
Requires: %name = %version Requires: %name = %version
%description dbus %description dbus
Provides the D-Bus responder of sssd, called InfoPipe, which allows D-Bus responder of sssd, called InfoPipe, which allows
information from sssd to be transmitted over the system bus. information from sssd to be transmitted over the system bus.
%package ipa %package ipa
@ -154,8 +176,8 @@ Obsoletes: %name-ipa-provider < %version-%release
Provides: %name-ipa-provider = %version-%release Provides: %name-ipa-provider = %version-%release
%description ipa %description ipa
Provides the IPA back end that the SSSD can utilize to fetch identity A back-end provider that the SSSD can utilize to fetch identity data
data from and authenticate against an IPA server. from, and authenticate with, an IPA server.
%package kcm %package kcm
Summary: SSSD's Kerberos cache manager Summary: SSSD's Kerberos cache manager
@ -174,14 +196,16 @@ Group: System/Daemons
Requires: %name-krb5-common = %version-%release Requires: %name-krb5-common = %version-%release
%description krb5 %description krb5
Provides the Kerberos back end that the SSSD can utilize authenticate A back-end provider that the SSSD can utilize to authenticate against
against a Kerberos server. a Kerberos server.
%package krb5-common %package krb5-common
Summary: SSSD helpers needed for Kerberos and GSSAPI authentication Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
License: GPL-3.0-or-later License: GPL-3.0-or-later
Group: System/Daemons Group: System/Daemons
Requires: cyrus-sasl-gssapi Requires: cyrus-sasl-gssapi
Requires(post): permissions
Requires(verify): permissions
%description krb5-common %description krb5-common
Provides helper processes that the LDAP and Kerberos back ends can Provides helper processes that the LDAP and Kerberos back ends can
@ -194,8 +218,8 @@ Group: System/Daemons
Requires: %name-krb5-common = %version-%release Requires: %name-krb5-common = %version-%release
%description ldap %description ldap
Provides the LDAP back end that the SSSD can utilize to fetch A back-end provider that the SSSD can utilize to fetch identity data
identity data from and authenticate against an LDAP server. from, and authenticate with, an LDAP server.
%package proxy %package proxy
Summary: The proxy backend plugin for sssd Summary: The proxy backend plugin for sssd
@ -203,8 +227,8 @@ License: GPL-3.0-or-later
Group: System/Daemons Group: System/Daemons
%description proxy %description proxy
Provides the proxy back end which can be used to wrap an existing NSS A back-end provider which can be used to wrap existing NSS and/or PAM
and/or PAM modules to leverage SSSD caching. modules to leverage SSSD caching. (This can replace nscd.)
%package tools %package tools
Summary: Commandline tools for sssd Summary: Commandline tools for sssd
@ -214,7 +238,7 @@ Requires: python3-sssd-config = %version-%release
Requires: sssd = %version Requires: sssd = %version
%description tools %description tools
The packages contains commandline tools for managing users and groups using The packages contains command-line tools for managing users and groups using
the "local" id provider of the System Security Services Daemon (sssd). the "local" id provider of the System Security Services Daemon (sssd).
%package winbind-idmap %package winbind-idmap
@ -231,7 +255,7 @@ License: LGPL-3.0-or-later
Group: System/Libraries Group: System/Libraries
%description -n libsss_certmap0 %description -n libsss_certmap0
A utility library for FreeIPA to map certs. A utility library for FreeIPA to map certificates.
%package -n libsss_certmap-devel %package -n libsss_certmap-devel
Summary: Development files for the FreeIPA certmap library Summary: Development files for the FreeIPA certmap library
@ -240,7 +264,7 @@ Group: Development/Libraries/C and C++
Requires: libsss_certmap0 = %version Requires: libsss_certmap0 = %version
%description -n libsss_certmap-devel %description -n libsss_certmap-devel
A utility library for FreeIPA to map certs. A utility library for FreeIPA to map certificates.
%package -n libipa_hbac0 %package -n libipa_hbac0
Summary: FreeIPA HBAC Evaluator library Summary: FreeIPA HBAC Evaluator library
@ -304,7 +328,6 @@ Requires: libsss_nss_idmap0 = %version
%description -n libsss_nss_idmap-devel %description -n libsss_nss_idmap-devel
A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs. A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs.
%if 0%{?suse_version} < 1600
%package -n libsss_simpleifp0 %package -n libsss_simpleifp0
Summary: The SSSD D-Bus responder helper library Summary: The SSSD D-Bus responder helper library
License: GPL-3.0-or-later License: GPL-3.0-or-later
@ -327,7 +350,6 @@ Requires: libsss_simpleifp0 = %version
This subpackage provides the development files for sssd's simpleifp, This subpackage provides the development files for sssd's simpleifp,
a library that simplifies the D-Bus API for the SSSD InfoPipe a library that simplifies the D-Bus API for the SSSD InfoPipe
responder. responder.
%endif
%package -n libsss_sudo %package -n libsss_sudo
Summary: A library to allow communication between sudo and SSSD Summary: A library to allow communication between sudo and SSSD
@ -394,33 +416,32 @@ autoreconf -fiv
--with-environment-file="%_sysconfdir/sysconfig/sssd" \ --with-environment-file="%_sysconfdir/sysconfig/sssd" \
--with-initscript=systemd \ --with-initscript=systemd \
--with-syslog=journald \ --with-syslog=journald \
--with-pid-path="%_rundir" \ --with-pid-path="%_rundir/sssd" \
--enable-nsslibdir="/%_lib" \
--enable-pammoddir="%_pam_moduledir" \ --enable-pammoddir="%_pam_moduledir" \
--with-ldb-lib-dir="%ldbdir" \ --with-ldb-lib-dir="%ldbdir" \
--with-os=suse \ --with-os=suse \
--disable-ldb-version-check \ --disable-ldb-version-check \
--without-python2-bindings \ --without-python2-bindings \
--without-oidc-child \ --without-oidc-child \
--with-sssd-user="%sssd_user" \
%if 0%{?suse_version} >= 1600 %if 0%{?suse_version} >= 1600
--with-selinux=yes \ --with-selinux=yes \
--with-subid --with-subid
%else %else
--with-selinux=no \ --with-selinux=no \
--with-semanage=no \
--with-libsifp \ --with-libsifp \
--with-files-provider --with-files-provider
%endif %endif
%make_build all %make_build all
%install %install
# sss_obfuscate is compatible with both python 2 and 3 # sss_obfuscate is compatible with both Python 2 and 3
perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate
%make_install dbuspolicydir=%_datadir/dbus-1/system.d %make_install dbuspolicydir=%_datadir/dbus-1/system.d
b="%buildroot" b="%buildroot"
# Copy some defaults # Copy some defaults
%if %{?_distconfdir:1} %if "%{?_distconfdir}" != ""
install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_distconfdir/sssd/sssd.conf" install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_distconfdir/sssd/sssd.conf"
install -d -m 0755 "$b/%_distconfdir/sssd/conf.d" install -d -m 0755 "$b/%_distconfdir/sssd/conf.d"
%else %else
@ -448,20 +469,40 @@ find "$b" -type f -name "*.la" -print -delete
%find_lang %name --all-name %find_lang %name --all-name
# dummy target for cifs-idmap-plugin # dummy target for cifs-idmap-plugin
mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils mkdir -pv "$b/%_sysconfdir/alternatives" "$b/%_sysconfdir/cifs-utils"
ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin ln -sfv "%_sysconfdir/alternatives/%cifs_idmap_name" "$b/%cifs_idmap_plugin"
%python3_fix_shebang %python3_fix_shebang
%if 0%{?suse_version} >= 1600 %if 0%{?suse_version} > 1600
%python3_fix_shebang_path %buildroot/%_libexecdir/%name/ %python3_fix_shebang_path %buildroot/%_libexecdir/%name/sss_analyze
%elif 0%{?suse_version} == 1600
# python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204
sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analyze"
%endif %endif
echo 'u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin' >system-user-sssd.conf
mkdir -p "$b/%_sysusersdir" "$b/etc/permissions.d"
cp -a system-user-sssd.conf "$b/%_sysusersdir/"
%sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf
install -Dpm 0644 contrib/sssd-tmpfiles.conf "%buildroot/%_tmpfilesdir/%name.conf"
# should match entry from %%files list
cat >"$b/etc/permissions.d/sssd" <<-EOF
%_libexecdir/sssd/sssd_pam root:sssd 0750
+capabilities cap_dac_read_search=p
%_libexecdir/sssd/selinux_child root:sssd 0750
+capabilities %child_capabilities
%_libexecdir/sssd/krb5_child root:sssd 0750
+capabilities %child_capabilities
%_libexecdir/sssd/ldap_child root:sssd 0750
+capabilities %child_capabilities
EOF
%check %check
# sss_config-tests fails # sss_config-tests fails
%make_build check || : %make_build check || :
%pre %pre -f random.pre
%service_add_pre sssd.service %service_add_pre sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
%if %{?_distconfdir:1} %if "%{?_distconfdir}" != ""
# Prepare for migration to /usr/etc; save any old .rpmsave # Prepare for migration to /usr/etc; save any old .rpmsave
for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do
test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i.rpmsave.old" || : test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i.rpmsave.old" || :
@ -474,38 +515,38 @@ done
if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then
/bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' "%_sysconfdir/sssd/sssd.conf" /bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' "%_sysconfdir/sssd/sssd.conf"
fi fi
%service_add_post sssd.service %service_add_post sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
%_bindir/rm -f %mcpath/passwd %mcpath/group %mcpath/initgroups %mcpath/sid
%tmpfiles_create %name.conf
%set_permissions %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam
# install SSSD cifs-idmap plugin as an alternative # install SSSD cifs-idmap plugin as an alternative
update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority
%preun %preun
%service_del_preun sssd.service %service_del_preun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
%postun %postun
/sbin/ldconfig /sbin/ldconfig
if [ "$1" = "0" -a -x "%_sbindir/pam-config" ]; then if [ "$1" = "0" ] && [ -x "%_sbindir/pam-config" ]; then
"%_sbindir/pam-config" -d --sss || : "%_sbindir/pam-config" -d --sss || :
fi fi
# del_postun includes a try-restart # del_postun includes a try-restart
%service_del_postun sssd.service %service_del_postun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
if [ ! -f "%cifs_idmap_lib" ]; then if [ ! -f "%cifs_idmap_lib" ]; then
update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib
fi fi
%post -n libsss_certmap0 -p /sbin/ldconfig %ldconfig_scriptlets -n libsss_certmap0
%postun -n libsss_certmap0 -p /sbin/ldconfig %ldconfig_scriptlets -n libipa_hbac0
%post -n libipa_hbac0 -p /sbin/ldconfig %ldconfig_scriptlets -n libsss_idmap0
%postun -n libipa_hbac0 -p /sbin/ldconfig %ldconfig_scriptlets -n libsss_nss_idmap0
%post -n libsss_idmap0 -p /sbin/ldconfig %ldconfig_scriptlets -n libsss_simpleifp0
%postun -n libsss_idmap0 -p /sbin/ldconfig
%post -n libsss_nss_idmap0 -p /sbin/ldconfig %verifyscript
%postun -n libsss_nss_idmap0 -p /sbin/ldconfig %verify_permissions -e %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam
%if 0%{?suse_version} < 1600
%post -n libsss_simpleifp0 -p /sbin/ldconfig
%postun -n libsss_simpleifp0 -p /sbin/ldconfig
%endif
%triggerun -- %name < %version-%release %triggerun -- %name < %version-%release
# sssd takes care of upgrading the database but it doesn't handle downgrades. # sssd takes care of upgrading the database but it doesn't handle downgrades.
@ -540,21 +581,31 @@ fi
%postun kcm %postun kcm
%service_del_postun sssd-kcm.service sssd-kcm.socket %service_del_postun sssd-kcm.service sssd-kcm.socket
%pre krb5-common -f random.pre
%post krb5-common
%set_permissions %_libexecdir/%name/krb5_child %_libexecdir/%name/ldap_child
%verifyscript krb5-common
%verify_permissions -e %_libexecdir/%name/krb5_child %_libexecdir/%name/ldap_child
%pre proxy -f random.pre
%pretrans %pretrans
# Migrate sssd.service from sssd-common to sssd # Migrate sssd.service from sssd-common to sssd
systemctl is-enabled sssd.service > /dev/null systemctl is-enabled sssd.service > /dev/null
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
mkdir -p /run/systemd/rpm/ mkdir -p /run/systemd/rpm/
touch /run/systemd/rpm/sssd-was-enabled touch /run/systemd/rpm/sssd-was-enabled
fi fi
systemctl is-active sssd.service > /dev/null systemctl is-active sssd.service > /dev/null
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
mkdir -p /run/systemd/rpm/ mkdir -p /run/systemd/rpm/
touch /run/systemd/rpm/sssd-was-active touch /run/systemd/rpm/sssd-was-active
fi fi
%posttrans %posttrans
%if %{?_distconfdir:1} %if "%{?_distconfdir}" != ""
# Migration to /usr/etc, restore just created .rpmsave # Migration to /usr/etc, restore just created .rpmsave
for i in sssd/sssd.conf logrotate.d/sssd pam.d/sssd-shadowutils ; do for i in sssd/sssd.conf logrotate.d/sssd pam.d/sssd-shadowutils ; do
test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i" || : test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i" || :
@ -562,20 +613,20 @@ done
%endif %endif
# Migrate sssd.service from sssd-common to sssd # Migrate sssd.service from sssd-common to sssd
if [ -e /run/systemd/rpm/sssd-was-enabled ]; then if [ -e /run/systemd/rpm/sssd-was-enabled ]; then
systemctl is-enabled sssd.service > /dev/null systemctl is-enabled sssd.service >/dev/null
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "Migrating sssd.service, was enabled" echo "Migrating sssd.service, was enabled"
systemctl enable sssd.service systemctl enable sssd.service
fi fi
rm /run/systemd/rpm/sssd-was-enabled rm /run/systemd/rpm/sssd-was-enabled
fi fi
if [ -e /run/systemd/rpm/sssd-was-active ]; then if [ -e /run/systemd/rpm/sssd-was-active ]; then
systemctl is-active sssd.service > /dev/null systemctl is-active sssd.service >/dev/null
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo "Migrating sssd.service, was active" echo "Migrating sssd.service, was active"
systemctl start sssd.service systemctl start sssd.service
fi fi
rm /run/systemd/rpm/sssd-was-active rm /run/systemd/rpm/sssd-was-active
fi fi
%files -f sssd.lang %files -f sssd.lang
@ -588,12 +639,15 @@ fi
%_unitdir/sssd-pac.socket %_unitdir/sssd-pac.socket
%_unitdir/sssd-pac.service %_unitdir/sssd-pac.service
%_unitdir/sssd-pam.socket %_unitdir/sssd-pam.socket
%_unitdir/sssd-pam-priv.socket
%_unitdir/sssd-pam.service %_unitdir/sssd-pam.service
%_unitdir/sssd-ssh.socket %_unitdir/sssd-ssh.socket
%_unitdir/sssd-ssh.service %_unitdir/sssd-ssh.service
%_unitdir/sssd-sudo.socket %_unitdir/sssd-sudo.socket
%_unitdir/sssd-sudo.service %_unitdir/sssd-sudo.service
%_sysusersdir/*sssd*
%_tmpfilesdir/*sssd*
%_sysconfdir/permissions.d/*
%_datadir/polkit-1/
%_bindir/sss_ssh_* %_bindir/sss_ssh_*
%_sbindir/sssd %_sbindir/sssd
%if 0%{?suse_version} < 1600 %if 0%{?suse_version} < 1600
@ -650,32 +704,33 @@ fi
%_libexecdir/%name/sssd_autofs %_libexecdir/%name/sssd_autofs
%_libexecdir/%name/sssd_be %_libexecdir/%name/sssd_be
%_libexecdir/%name/sssd_nss %_libexecdir/%name/sssd_nss
%_libexecdir/%name/sssd_pam %attr(750,root,%sssd_user) %caps(cap_dac_read_search=p) %_libexecdir/%name/sssd_pam
%_libexecdir/%name/sssd_ssh %_libexecdir/%name/sssd_ssh
%_libexecdir/%name/sssd_sudo %_libexecdir/%name/sssd_sudo
%_libexecdir/%name/sss_signal %_libexecdir/%name/sss_signal
%_libexecdir/%name/sssd_check_socket_activated_responders %_libexecdir/%name/sssd_check_socket_activated_responders
%if 0%{?suse_version} >= 1600 %if 0%{?suse_version} >= 1600
%_libexecdir/%name/selinux_child %attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/selinux_child
%endif %endif
%dir %sssdstatedir %dir %sssdstatedir
%attr(700,root,root) %dir %dbpath/ %attr(700,%sssd_user,%sssd_user) %dir %dbpath/
%attr(755,root,root) %dir %pipepath/ %attr(755,%sssd_user,%sssd_user) %dir %pipepath/
%attr(700,root,root) %dir %pipepath/private/ %attr(700,%sssd_user,%sssd_user) %dir %pipepath/private/
%attr(755,root,root) %dir %pubconfpath/ %attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/
%attr(755,root,root) %dir %pubconfpath/krb5.include.d %attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/krb5.include.d
%attr(755,root,root) %dir %gpocachepath/ %attr(755,%sssd_user,%sssd_user) %dir %gpocachepath/
%attr(755,root,root) %dir %sssdstatedir/mc/ %attr(755,%sssd_user,%sssd_user) %dir %mcpath/
%attr(700,root,root) %dir %sssdstatedir/keytabs/ %attr(700,%sssd_user,%sssd_user) %dir %keytabdir/
%attr(750,root,root) %dir %_localstatedir/log/%name/ %attr(750,%sssd_user,%sssd_user) %dir %_localstatedir/log/%name/
%if %{?_distconfdir:1} %attr(775,%sssd_user,%sssd_user) %dir %sssdstatedir/
%dir %_distconfdir/sssd/ %if "%{?_distconfdir}" != ""
%%dir %_distconfdir/sssd/conf.d %attr(750,root,%sssd_user) %dir %_distconfdir/sssd/
%config(noreplace) %_distconfdir/sssd/sssd.conf %attr(750,root,%sssd_user) %dir %_distconfdir/sssd/conf.d
%attr(640,root,%sssd_user) %_distconfdir/sssd/sssd.conf
%else %else
%dir %_sysconfdir/sssd/ %attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/
%%dir %_sysconfdir/sssd/conf.d %attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/conf.d
%config(noreplace) %_sysconfdir/sssd/sssd.conf %ghost %attr(640,root,%sssd_user) %config(noreplace) %_sysconfdir/sssd/sssd.conf
%endif %endif
%if 0%{?suse_version} > 1500 %if 0%{?suse_version} > 1500
%_distconfdir/logrotate.d/sssd %_distconfdir/logrotate.d/sssd
@ -694,11 +749,12 @@ fi
%else %else
%exclude %_mandir/*/*/sssd-files.5.gz %exclude %_mandir/*/*/sssd-files.5.gz
%endif %endif
%attr(775,%sssd_user,%sssd_user) %ghost %dir %_rundir/sssd
%doc src/examples/sssd.conf %doc src/examples/sssd.conf
# #
# sssd-client # sssd-client
# #
/%_lib/libnss_sss.so.2 %_libdir/libnss_sss.so.2
%_pam_moduledir/pam_sss.so %_pam_moduledir/pam_sss.so
%_pam_moduledir/pam_sss_gss.so %_pam_moduledir/pam_sss_gss.so
%_libdir/krb5/ %_libdir/krb5/
@ -783,8 +839,8 @@ fi
%dir %_libdir/%name/ %dir %_libdir/%name/
%_libdir/%name/libsss_krb5_common.so %_libdir/%name/libsss_krb5_common.so
%dir %_libexecdir/%name/ %dir %_libexecdir/%name/
%_libexecdir/%name/krb5_child %attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/krb5_child
%_libexecdir/%name/ldap_child %attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/ldap_child
%files ldap %files ldap
%dir %_libdir/%name/ %dir %_libdir/%name/
@ -801,7 +857,7 @@ fi
%dir %_libdir/%name/ %dir %_libdir/%name/
%_libdir/%name/libsss_proxy.so %_libdir/%name/libsss_proxy.so
%dir %_libexecdir/%name/ %dir %_libexecdir/%name/
%_libexecdir/%name/proxy_child %attr(750,root,%sssd_user) %_libexecdir/%name/proxy_child
%dir %_datadir/%name/ %dir %_datadir/%name/
%dir %_datadir/%name/sssd.api.d/ %dir %_datadir/%name/sssd.api.d/
%_datadir/%name/sssd.api.d/sssd-proxy.conf %_datadir/%name/sssd.api.d/sssd-proxy.conf
@ -822,7 +878,8 @@ fi
%python3_sitelib/sssd/ %python3_sitelib/sssd/
%files winbind-idmap %files winbind-idmap
%_libdir/samba/ %dir %_libdir/samba/
%_libdir/samba/idmap/
%_mandir/man8/idmap_sss.8* %_mandir/man8/idmap_sss.8*
%files -n libipa_hbac0 %files -n libipa_hbac0