From be0ba00c3bb550b376b1de783a1265a8f80a2ab18a335eb50af141041088911d Mon Sep 17 00:00:00 2001
From: Dirk Mueller
Date: Mon, 25 Nov 2024 09:06:26 +0000
Subject: [PATCH] [info=8faca55b4aa3e3e74cbabb4b015f0b7beb4b2f1dd7b98a27b382d43be057f672]

OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=329
---
 ...on-make-sure-etc-sssd-and-everything.patch | 76 ------
 0001-INI-relax-config-files-checks.patch | 135 ---------
 ...using-libini_config-for-access-check.patch | 182 -------------
 ...t-path-when-config-object-is-rejecte.patch | 75 -----
 _scmsync.obsinfo | 8 +-
 build.specials.obscpio | 2 +-
 harden_sssd-kcm.service.patch | 14 +-
 sssd-2.10.0.tar.gz | 3 -
 sssd-2.10.0.tar.gz.asc | 16 --
 sssd.changes | 39 ---
 sssd.spec | 257 +++++++-----------
 11 files changed, 110 insertions(+), 697 deletions(-)
 delete mode 100644 0001-Configuration-make-sure-etc-sssd-and-everything.patch
 delete mode 100644 0001-INI-relax-config-files-checks.patch
 delete mode 100644 0001-INI-stop-using-libini_config-for-access-check.patch
 delete mode 100644 0001-sssd-always-print-path-when-config-object-is-rejecte.patch
 delete mode 100644 sssd-2.10.0.tar.gz
 delete mode 100644 sssd-2.10.0.tar.gz.asc

diff --git a/0001-Configuration-make-sure-etc-sssd-and-everything.patch b/0001-Configuration-make-sure-etc-sssd-and-everything.patch
deleted file mode 100644
index 8cf0fe0..0000000
--- a/0001-Configuration-make-sure-etc-sssd-and-everything.patch
+++ /dev/null
@@ -1,76 +0,0 @@ -From 8db2df4fcbd09badafbc207bd4150b5f1cc2d5fb Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Thu, 24 Oct 2024 15:34:26 +0200 -Subject: [PATCH] Configuration: make sure /etc/sssd and everything -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -beneath is owned by 'sssd' group and readable by group. - -This should allow for reasonable rw-r----- root:sssd - -At some points those chown/chmod can be removed. - -Reviewed-by: Justin Stephenson -Reviewed-by: Pavel Březina -Reviewed-by: Sumit Bose -(cherry picked from commit 518db322fdd5a4de41813fbe5bc35fc20392ce67) ---- - contrib/sssd.spec.in | 4 ++-- - src/sysv/systemd/sssd-kcm.service.in | 5 ++--- - src/sysv/systemd/sssd.service.in | 6 ++---- - 3 files changed, 6 insertions(+), 9 deletions(-) - -diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in -index 4fbacb959..83de563f3 100644 ---- a/contrib/sssd.spec.in -+++ b/contrib/sssd.spec.in -@@ -1136,9 +1136,9 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d /run/sssd -s /sbin/nologi - %__rm -f %{mcpath}/group - %__rm -f %{mcpath}/initgroups - %__rm -f %{mcpath}/sid -+%__chown -f -R root:%{sssd_user} %{_sysconfdir}/sssd || true -+%__chmod -f -R g+r %{_sysconfdir}/sssd || true - %__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true --%__chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true --%__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true - %__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true - %__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true - %__chown -f %{sssd_user}:%{sssd_user} %{gpocachepath}/* || true -diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in -index 0c839ec5c..ba9e27cd9 100644 ---- a/src/sysv/systemd/sssd-kcm.service.in -+++ b/src/sysv/systemd/sssd-kcm.service.in -@@ -9,9 +9,8 @@ Also=sssd-kcm.socket - - [Service] - Environment=DEBUG_LOGGER=--logger=files 
--ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@ --ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf --ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d -+ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@ -+ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@ - ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb" - ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log - ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER} -diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in -index 37e0a63f8..a6f79ff8a 100644 ---- a/src/sysv/systemd/sssd.service.in -+++ b/src/sysv/systemd/sssd.service.in -@@ -10,10 +10,8 @@ StartLimitBurst=5 - [Service] - Environment=DEBUG_LOGGER=--logger=files - EnvironmentFile=-@environment_file@ --ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@ --ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf --ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d --ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/pki -+ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@ -+ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@ - ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @dbpath@/*.ldb" - ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @gpocachepath@/*" - ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/*.log" --- -2.47.0 - diff --git a/0001-INI-relax-config-files-checks.patch b/0001-INI-relax-config-files-checks.patch deleted file mode 100644 index 69ac630..0000000 --- a/0001-INI-relax-config-files-checks.patch +++ /dev/null 
@@ -1,135 +0,0 @@ -From 340671f16abb9c26ae97b11c4e2845337e67973e Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Wed, 23 Oct 2024 20:59:32 +0200 -Subject: [PATCH] INI: relax config files checks -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Only make sure: - - user is root or sssd - - group is root or sssd - - other can't access it - -Don't make any assumptions wrt user/group read/write-ability. - -Reviewed-by: Justin Stephenson -Reviewed-by: Pavel Březina -Reviewed-by: Sumit Bose -(cherry picked from commit 8472777ec472607ea450ddb4c4666017bd0de704) ---- - src/man/sssd.conf.5.xml | 5 ++- - src/util/sss_ini.c | 68 +++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 70 insertions(+), 3 deletions(-) - -diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml -index a074cc674..bf10acb2a 100644 ---- a/src/man/sssd.conf.5.xml -+++ b/src/man/sssd.conf.5.xml -@@ -57,9 +57,8 @@ - readable, and writeable only by 'root'. - - -- sssd.conf must be a regular file that is owned, -- readable, and writeable by the same user as configured to run SSSD -- service. -+ sssd.conf must be a regular file that is -+ accessible only by the user used to run SSSD service or root. 
- - - -diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c -index e989d8caf..74cf61e0e 100644 ---- a/src/util/sss_ini.c -+++ b/src/util/sss_ini.c -@@ -26,6 +26,7 @@ - #include - #include - #include -+#include - #include - - #include "config.h" -@@ -781,6 +782,71 @@ int sss_ini_open(struct sss_ini *self, - return ret; - } - -+static int access_check_file(const char *filename) -+{ -+ int ret; -+ struct stat st; -+ uid_t uid; -+ gid_t gid; -+ -+ sss_sssd_user_uid_and_gid(&uid, &gid); -+ -+ ret = stat(filename, &st); -+ if (ret != 0) { -+ ret = errno; -+ DEBUG(SSSDBG_CRIT_FAILURE, "stat(%s) failed: %s\n", -+ filename, strerror(ret)); -+ return EINVAL; -+ } -+ -+ if ((st.st_uid != 0) && (st.st_uid != uid)) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected user owner of '%s': %"SPRIuid"\n", -+ filename, st.st_uid); -+ return ERR_INI_INVALID_PERMISSION; -+ } -+ -+ if ((st.st_gid != 0) && (st.st_gid != gid)) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected group owner of '%s': %"SPRIgid"\n", -+ filename, st.st_gid); -+ return ERR_INI_INVALID_PERMISSION; -+ } -+ -+ if ((st.st_mode & (S_IROTH|S_IWOTH|S_IXOTH)) != 0) { -+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected access to '%s' by other users\n", -+ filename); -+ return ERR_INI_INVALID_PERMISSION; -+ } -+ -+ return EOK; -+} -+ -+static int access_check_ini(struct sss_ini *self) -+{ -+ int ret; -+ const char *path; -+ uint32_t i; -+ const char **snippet; -+ struct ref_array *used_snippets; -+ -+ if (self->main_config_exists) { -+ path = ini_config_get_filename(self->file); -+ ret = access_check_file(path); -+ if (ret != EOK) { -+ return ret; -+ } -+ } -+ -+ used_snippets = sss_ini_get_ra_success_list(self); -+ for (i = 0; (snippet = ref_array_get(used_snippets, i, NULL)) != NULL; ++i) { -+ ret = access_check_file(*snippet); -+ if (ret != EOK) { -+ return ret; -+ } -+ } -+ -+ return EOK; -+} -+ - int sss_ini_read_sssd_conf(struct sss_ini *self, - const char *config_file, - const char *config_dir) -@@ -833,5 +899,7 @@ int 
sss_ini_read_sssd_conf(struct sss_ini *self, - return ERR_INI_EMPTY_CONFIG; - } - -+ ret = access_check_ini(self); -+ - return ret; - } --- -2.47.0 - diff --git a/0001-INI-stop-using-libini_config-for-access-check.patch b/0001-INI-stop-using-libini_config-for-access-check.patch deleted file mode 100644 index abe0cb0..0000000 --- a/0001-INI-stop-using-libini_config-for-access-check.patch +++ /dev/null 
@@ -1,182 +0,0 @@ -From 1d19b8ad9415e0a12ed3aaf039d4d0956ef4dbad Mon Sep 17 00:00:00 2001 -From: Alexey Tikhonov -Date: Wed, 23 Oct 2024 19:53:09 +0200 -Subject: [PATCH] INI: stop using 'libini_config' for access check -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reviewed-by: Justin Stephenson -Reviewed-by: Pavel Březina -Reviewed-by: Sumit Bose ---- - src/util/sss_ini.c | 100 +---------------------------------------------------- - src/util/sss_ini.h | 12 ------ - 2 files changed, 3 insertions(+), 109 deletions(-) - -Index: sssd-2.10.0/src/util/sss_ini.c -=================================================================== ---- sssd-2.10.0.orig/src/util/sss_ini.c -+++ sssd-2.10.0/src/util/sss_ini.c -@@ -147,81 +147,6 @@ static int sss_ini_config_file_from_mem( - &self->file); - } - --/* Check configuration file permissions */ -- --static bool is_running_sssd(void) --{ -- static char exe[1024]; -- int ret; -- const char *s = NULL; -- -- ret = readlink("/proc/self/exe", exe, sizeof(exe) - 1); -- if ((ret > 0) && (ret < 1024)) { -- exe[ret] = 0; -- s = strstr(exe, debug_prg_name); -- if ((s != NULL) && (strlen(s) == strlen(debug_prg_name))) { -- return true; -- } -- } -- -- return false; --} -- --static int sss_ini_access_check(struct sss_ini *self) --{ -- int ret; -- uint32_t flags = INI_ACCESS_CHECK_MODE; -- -- if (!self->main_config_exists) { -- return EOK; -- } -- -- if (is_running_sssd()) { -- flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID; -- } -- -- ret = ini_config_access_check(self->file, -- flags, -- geteuid(), -- getegid(), -- S_IRUSR, /* r**------ */ -- ALLPERMS & ~(S_IWUSR|S_IXUSR)); -- -- return ret; --} -- -- -- --/* Get cstat */ -- --int sss_ini_get_stat(struct sss_ini *self) --{ -- self->cstat = ini_config_get_stat(self->file); -- -- if (!self->cstat) return EIO; -- -- return EOK; --} -- -- -- --/* Get mtime */ -- --int sss_ini_get_mtime(struct sss_ini *self, -- size_t timestr_len, -- char 
*timestr) --{ -- return snprintf(timestr, timestr_len, "%llu", -- (long long unsigned)self->cstat->st_mtime); --} -- --/* Get file_exists */ -- --bool sss_ini_exists(struct sss_ini *self) --{ -- return self->main_config_exists; --} -- - /* Print ini_config errors */ - - static void sss_ini_config_print_errors(char **error_list) -@@ -289,7 +214,6 @@ static int sss_ini_add_snippets(struct s - uint32_t i = 0; - char *msg = NULL; - struct ini_cfgobj *modified_sssd_config = NULL; -- struct access_check snip_check; - - if (self == NULL || self->sssd_config == NULL || config_dir == NULL) { - return EINVAL; -@@ -297,21 +221,11 @@ static int sss_ini_add_snippets(struct s - - sss_ini_free_ra_messages(self); - -- snip_check.flags = INI_ACCESS_CHECK_MODE; -- -- if (is_running_sssd()) { -- snip_check.flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID; -- } -- snip_check.uid = geteuid(); -- snip_check.gid = getegid(); -- snip_check.mode = S_IRUSR; /* r**------ */ -- snip_check.mask = ALLPERMS & ~(S_IWUSR | S_IXUSR); -- - ret = ini_config_augment(self->sssd_config, - config_dir, - patterns, - sections, -- &snip_check, -+ NULL, - INI_STOP_ON_ANY, - INI_MV1S_OVERWRITE, - INI_PARSE_NOWRAP, -@@ -894,15 +808,7 @@ int sss_ini_read_sssd_conf(struct sss_in - return ERR_INI_OPEN_FAILED; - } - -- if (sss_ini_exists(self)) { -- ret = sss_ini_access_check(self); -- if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "Permission check on config file %s failed: %d\n", -- config_file, ret); -- return ERR_INI_INVALID_PERMISSION; -- } -- } else { -+ if (!self->main_config_exists) { - DEBUG(SSSDBG_CONF_SETTINGS, - "File %s does not exist.\n", config_file); - } -@@ -923,7 +829,7 @@ int sss_ini_read_sssd_conf(struct sss_in - return ERR_INI_ADD_SNIPPETS_FAILED; - } - -- if (!sss_ini_exists(self) && -+ if ((!self->main_config_exists) && - (ref_array_len(sss_ini_get_ra_success_list(self)) == 0)) { - return ERR_INI_EMPTY_CONFIG; - } -Index: sssd-2.10.0/src/util/sss_ini.h 
-=================================================================== ---- sssd-2.10.0.orig/src/util/sss_ini.h -+++ sssd-2.10.0/src/util/sss_ini.h -@@ -81,18 +81,6 @@ int sss_ini_open(struct sss_ini *self, - const char *fallback_cfg); - - /** -- * @brief Check whether sss_ini_open() reported that ini file is -- * not present -- * -- * @param[in] self pointer to sss_ini structure -- * -- * @return -- * - true we are using ini file -- * - false file was not found -- */ --bool sss_ini_exists(struct sss_ini *self); -- --/** - * @brief get Cstat structure of the ini file - */ - int sss_ini_get_stat(struct sss_ini *self); diff --git a/0001-sssd-always-print-path-when-config-object-is-rejecte.patch b/0001-sssd-always-print-path-when-config-object-is-rejecte.patch deleted file mode 100644 index d24c30a..0000000 --- a/0001-sssd-always-print-path-when-config-object-is-rejecte.patch +++ /dev/null 
@@ -1,75 +0,0 @@
-From 1a743a4123c104a10c694f7ee9d2f0a1e7182513 Mon Sep 17 00:00:00 2001
-From: Jan Engelhardt
-Date: Wed, 16 Oct 2024 09:55:50 +0200
-Subject: [PATCH] sssd: always print path when config object is rejected
-References: https://github.com/SSSD/sssd/pull/7649
-
-Observed:
-
-```
-Oct 16 09:44:04 a4 sssd[28717]: [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
-Oct 16 09:44:04 a4 sssd[28717]: Can't read config: 'File ownership and permissions check failed'
-Oct 16 09:44:04 a4 sssd[28717]: Failed to read configuration: 'File ownership and permissions check failed'
-```
-
-Expected:
-
-_Well yes, but **which one**_!?
-
-Reviewed-by: Alexey Tikhonov
-Reviewed-by: Justin Stephenson
-(cherry picked from commit 2b7915dd84a6b8c3ee26e45357283677fe22f2cb)
----
- src/util/sss_ini.c | 14 ++++++++------
- 1 file changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
-index 7f9824d88..2a611eb8c 100644
---- a/src/util/sss_ini.c
-+++ b/src/util/sss_ini.c
-@@ -888,7 +888,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
- ret = sss_ini_open(self, config_file, "[sssd]\n");
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "The sss_ini_open failed %s: %d\n",
-+ "sss_ini_open on %s failed: %d\n",
- config_file,
- ret);
- return ERR_INI_OPEN_FAILED;
-@@ -898,26 +898,28 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
- ret = sss_ini_access_check(self);
- if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
-- "Permission check on config file failed.\n");
-+ "Permission check on config file %s failed: %d\n",
-+ config_file, ret);
- return ERR_INI_INVALID_PERMISSION;
- }
- } else {
- DEBUG(SSSDBG_CONF_SETTINGS,
-- "File %1$s does not exist.\n",
-- (config_file ? 
config_file : "NULL"));
-+ "File %s does not exist.\n", config_file);
- }
-
- ret = sss_ini_parse(self);
- if (ret != EOK) {
- sss_ini_config_print_errors(self->error_list);
-- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration.\n");
-+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration file %s: %d\n",
-+ config_file, ret);
- return ERR_INI_PARSE_FAILED;
- }
-
- ret = sss_ini_add_snippets(self, config_dir);
- if (ret != EOK) {
- DEBUG(SSSDBG_FATAL_FAILURE,
-- "Error while reading configuration directory.\n");
-+ "Error while reading configuration directory %s: %d\n",
-+ config_dir, ret);
- return ERR_INI_ADD_SNIPPETS_FAILED;
- }
-
---
-2.47.0
-
diff --git a/_scmsync.obsinfo b/_scmsync.obsinfo
index 9d0500b..a092931 100644
--- a/_scmsync.obsinfo
+++ b/_scmsync.obsinfo
@@ -1,4 +1,4 @@
-mtime: 1730841300
-commit: 6e6893108add570a0ec8a1cc983e87b11279bc98ee96e4f1af76ab397f1d0074
-url: https://src.opensuse.org/jengelh/sssd
-revision: master
+mtime: 1721222057
+commit: 8faca55b4aa3e3e74cbabb4b015f0b7beb4b2f1dd7b98a27b382d43be057f672
+url: https://src.opensuse.org/pool/sssd
+revision: factory
diff --git a/build.specials.obscpio b/build.specials.obscpio
index a02cbff..3ea1e2e 100644
--- a/build.specials.obscpio
+++ b/build.specials.obscpio
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:45cd1621350925e1ff05dca141f73a7fefb05743b16ab567b40f479349faf97c
+oid sha256:c18d7bdbfefa831e2d93711cb40de6966d0c640e4ec9dccbb61cf299ca5aedaf
 size 256
diff --git a/harden_sssd-kcm.service.patch b/harden_sssd-kcm.service.patch
index 5ff85b4..183e0b0 100644
--- a/harden_sssd-kcm.service.patch
+++ b/harden_sssd-kcm.service.patch
@@ -1,11 +1,7 @@
----
- src/sysv/systemd/sssd-kcm.service.in | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
+Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
 ===================================================================
---- sssd-2.10.0.orig/src/sysv/systemd/sssd-kcm.service.in
-+++ sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
+--- sssd-2.5.2.orig/src/sysv/systemd/sssd-kcm.service.in
++++ sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
 @@ -8,6 +8,19 @@ After=sssd-kcm.socket
 Also=sssd-kcm.socket
 
@@ -24,5 +20,5 @@ Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
 +RestrictRealtime=true
 +# end of automatic additions
 Environment=DEBUG_LOGGER=--logger=files
- ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
- ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
+ ExecStartPre=-@sbindir@/sssd --genconf-section=kcm
+ ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}
diff --git a/sssd-2.10.0.tar.gz b/sssd-2.10.0.tar.gz
deleted file mode 100644
index 38e2605..0000000
--- a/sssd-2.10.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0b1167e8017209ec25b9683e0006947eaa0cfd7a8161bfea120bd8511006db0d
-size 9177851
diff --git a/sssd-2.10.0.tar.gz.asc b/sssd-2.10.0.tar.gz.asc
deleted file mode 100644
index 3783730..0000000
--- a/sssd-2.10.0.tar.gz.asc
+++ /dev/null
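Review bot: The restored context line `ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}` in the second hunk means the KCM responder runs as uid 0 again, so the systemd hardening directives this patch adds are the only confinement left for it; the directive block itself starts outside the hunk (only `RestrictRealtime=true` and `# end of automatic additions` are visible), so confirm it is complete for a root-owned service. The `Index:`/`---`/`+++` headers now name `sssd-2.5.2` while the package `Version` becomes 2.9.5; harmless for a strip-one apply but misleading when reading the patch, so consider regenerating the header against the 2.9.5 tree. The nested `@@ -8,6 +8,19 @@` hunk adds 13 lines that are not visible here.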
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmcOPUoACgkQ09IbKRDP
-Z1myuA//anDvdZcQp0EUia2NsiWt2MFE8esmsEIN6QmEYjUxvEeXI9q4YJQimMi8
-wdt0zqZE1PLrTcroWaeGcgt2+CJWUbVanZtNn3oo7lUVYrLKemrUzavM7dXTaA43
-cdKAFyEO+nHJQ2yBNUt6sRXc3tM0H27yZs0iL+CcYu6YshUTbMnZuwdpz7DqDTN8
-nbG+LWa+U0en5mI3waP8Ionwmdv9AJAuCHQZLlZDpM0+YfGumcIUJdbxU/I8pqP8
-MQaulPv3e+BNwdbUiLlk0cXRjuEfSd0bmMa3MqB4IqMvvjACU0GuSgK3FDhutZJe
-HfmzYSo/Zntmr7F/eYLz6zy/GU3VewEilOyRV08oz+EVJRbGyo2t4k6PUYbn+I4V
-kJ/maed5jnBzIZGf6o+P1r+3mavJg7k2LDV4s48MsZ4Y5ED4X0c+boT1L5FZbquW
-gp99Di0RG4VoWiYOfVfszLzeDWOLbOrKMyA6PTqlmjGYAdV9SBwZP5WEdwXyPovo
-D7uual7Eqdd+Y/lt+8O4Wd+Y+a9xI2kwVFo8KYmHc8PhgLpPIKTWbBTEI+0nw3fJ
-qqyyA7JWA81bt4WKVuJaeS87S/9F4yn8ps2dzSgHjZ2Tzr7Eu1a3RWLjKYsjKZrT
-PPd2d/02rQAZPwLYHN5qM3Xjh0DD7IiXav1QuIPxmUQA9z8ZiuA=
-=mJVY
------END PGP SIGNATURE-----
diff --git a/sssd.changes b/sssd.changes
index 5b4d1eb..ec838e0 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -1,42 +1,3 @@ -------------------------------------------------------------------- -Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt - -- Update to release 2.10.0 - * The ``sssctl cache-upgrade`` command was removed. SSSD - performs automatic upgrades at startup when needed. - * Support of ``enumeration`` feature (i.e. ability to list all - users/groups using ``getent passwd/group`` without argument) - for AD/IPA providers is deprecated and might be removed in - further releases. - * The new tool ``sss_ssh_knownhosts`` can be used with ssh's - ``KnownHostsCommand`` configuration option to retrieve the - host's public keys from a remote server (FreeIPA, LDAP, - etc.). It replaces ```sss_ssh_knownhostsproxy``. - * The default value for ``ldap_id_use_start_tls`` changed from - false to true for improved security. - * https://github.com/SSSD/sssd/releases/tag/2.10.0 -- Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch, - 0001-INI-stop-using-libini_config-for-access-check.patch, - 0001-INI-relax-config-files-checks.patch, - 0001-Configuration-make-sure-etc-sssd-and-everything.patch -- Fix socket activation of responders -- Daemon runs now as unprivileged user 'sssd' - -------------------------------------------------------------------- -Tue Oct 1 10:15:07 UTC 2024 - Jan Engelhardt - -- Update filelists involving memberof.so and idmap/sss.so to - avoid gobbling up one file into multiple sssd subpackages. - (Between samba-4.20 and 4.21, %ldbdir changes from - /usr/lib64/ldb2/modules/ldb to /usr/lib64/samba/ldb, so now - `%_libdir/samba` is a bit too broad.) - -------------------------------------------------------------------- -Wed Jul 17 09:19:20 UTC 2024 - Samuel Cabrero - -- Fix spec file for openSUSE ALP and SUSE SLFO, where the - python3_fix_shebang_path RPM macro is not available - ------------------------------------------------------------------- Thu Jul 11 09:41:21 UTC 2024 - Samuel Cabrero 
diff --git a/sssd.spec b/sssd.spec
index d360e18..41a153c 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -17,7 +17,7 @@
 
 
 Name: sssd
-Version: 2.10.0
+Version: 2.9.5
 Release: 0
 Summary: System Security Services Daemon
 License: GPL-3.0-or-later AND LGPL-3.0-or-later
@@ -28,14 +28,10 @@ Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%v
 Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc
 Source3: baselibs.conf
 Source5: %name.keyring
-Patch3: 0001-sssd-always-print-path-when-config-object-is-rejecte.patch
-Patch4: 0001-INI-stop-using-libini_config-for-access-check.patch
-Patch5: 0001-INI-relax-config-files-checks.patch
-Patch6: 0001-Configuration-make-sure-etc-sssd-and-everything.patch
-Patch11: krb-noversion.diff
-Patch12: harden_sssd-ifp.service.patch
-Patch13: harden_sssd-kcm.service.patch
-Patch14: symvers.patch
+Patch1: krb-noversion.diff
+Patch2: harden_sssd-ifp.service.patch
+Patch3: harden_sssd-kcm.service.patch
+Patch4: symvers.patch
 BuildRequires: autoconf >= 2.59
 BuildRequires: automake
 BuildRequires: bind-utils
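Review bot: `Version` drops to 2.9.5 while `Source`/`Source2` still expand to `%name-%version.tar.gz` and its `.asc`, yet the diffstat only deletes `sssd-2.10.0.tar.gz` and `sssd-2.10.0.tar.gz.asc` and adds no 2.9.5 tarball or signature, so the signature check against `Source5: %name.keyring` can only succeed if those files already exist in the `pool/sssd` tree that `_scmsync.obsinfo` now points to; confirm that before merging. The downgrade also lands without a `sssd.changes` entry — that hunk only removes entries — so one line recording why 2.10.0 was backed out would help the next reader. The renumbering `Patch11`..`Patch14` to `Patch1`..`Patch4` is safe only if `%prep` (outside this diff) applies patches generically rather than by number.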
@@ -57,26 +53,21 @@ BuildRequires: nss_wrapper
 BuildRequires: openldap2-devel
 BuildRequires: pam-devel
 BuildRequires: pkg-config >= 0.21
-BuildRequires: python3-wheel
-BuildRequires: python3-setuptools
 BuildRequires: systemd-rpm-macros
-BuildRequires: sysuser-tools
 BuildRequires: uid_wrapper
 BuildRequires: pkgconfig(augeas) >= 1.0.0
 BuildRequires: pkgconfig(collection) >= 0.5.1
 BuildRequires: pkgconfig(dbus-1) >= 1.0.0
 BuildRequires: pkgconfig(dhash) >= 0.4.2
 BuildRequires: pkgconfig(glib-2.0)
-BuildRequires: pkgconfig(ini_config) >= 1.3
+BuildRequires: pkgconfig(ini_config) >= 1.1.0
 BuildRequires: pkgconfig(jansson)
-BuildRequires: pkgconfig(ldb) >= 1.2.0
-BuildRequires: pkgconfig(libcap)
+BuildRequires: pkgconfig(ldb) >= 0.9.2
 BuildRequires: pkgconfig(libcares)
-BuildRequires: pkgconfig(libcrypto) >= 1.0.1
+BuildRequires: pkgconfig(libcrypto)
 %if 0%{?suse_version} >= 1600
 BuildRequires: pkgconfig(libcurl)
 %endif
-BuildRequires: pkgconfig(libcap)
 BuildRequires: pkgconfig(libnfsidmap)
 BuildRequires: pkgconfig(libnl-3.0) >= 3.0
 BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0
@@ -95,17 +86,7 @@ BuildRequires: pkgconfig(talloc)
 BuildRequires: pkgconfig(tdb) >= 1.1.3
 BuildRequires: pkgconfig(tevent)
 BuildRequires: pkgconfig(uuid)
-%if 0%{?suse_version} && 0%{?suse_version} < 1600
-# samba-client-devel pulls samba-client-libs pulls libldap-2_4-2 wants libldap-data(-2.4);
-# this conflicts with
-# openldap2-devel pulls libldap2 wants libldap-data(-2.6)
-# Package contains just config files, not needed for build.
-#!BuildIgnore: libldap-data
-%endif
-%sysusers_requires
 %{?systemd_ordering}
-Requires(post): permissions
-Requires(verify): permissions
 Requires: sssd-ldap = %version-%release
 Requires(postun): pam-config
 Provides: libsss_sudo = %version-%release
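Review bot: Dropping `%sysusers_requires` together with `Requires(post): permissions` / `Requires(verify): permissions` in the second hunk, and `BuildRequires: sysuser-tools` in the first, is consistent only if nothing in the package is still assigned to the `sssd` user or carries a `permissions.d` profile; the `%files` section is outside this diff, so check it for leftover `%attr(..., sssd, ...)`, `%verify_permissions` or `%_sysusersdir` entries before merging. `%{?systemd_ordering}` stays as context, so the systemd ordering dependency is kept. In the first hunk `pkgconfig(libcrypto)` becomes unversioned and both `pkgconfig(libcap)` lines go away, which is presumably fine for a 2.9.5 tree whose child helpers are not capability-based, but the loosened `libcrypto` floor deserves a one-line justification if it is intentional.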
@@ -114,20 +95,16 @@ Obsoletes: libsss_sudo < %version-%release
 Provides: sssd-common = %version-%release
 Obsoletes: sssd-common < %version-%release
 
-%global sssd_user sssd
 %define servicename sssd
 %define sssdstatedir %_localstatedir/lib/sss
 %define dbpath %sssdstatedir/db
 %define pipepath %sssdstatedir/pipes
 %define pubconfpath %sssdstatedir/pubconf
 %define gpocachepath %sssdstatedir/gpo_cache
-%define keytabdir %sssdstatedir/keytabs
-%define mcpath %sssdstatedir/mc
 %define ldbdir %(pkg-config ldb --variable=modulesdir)
-%define child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
 
 # Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
-# %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
+# %_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
 # * cifs-utils one is the default (priority 20)
 # * installing SSSD should NOT switch to SSSD plugin (priority 10)
 %define cifs_idmap_plugin %_sysconfdir/cifs-utils/idmap-plugin
@@ -138,11 +115,11 @@ Requires(post): update-alternatives
 Requires(postun): update-alternatives
 
 %description
-A set of daemons to manage access to remote directories and
-authentication mechanisms. sssd provides an NSS and PAM interfaces
-toward the system and a pluggable backend system to connect to
-multiple different account sources. It is also the basis to provide
-client auditing and policy services for projects like FreeIPA.
+Provides a set of daemons to manage access to remote directories and
+authentication mechanisms. It provides an NSS and PAM interface toward
+the system and a pluggable backend system to connect to multiple different
+account sources. It is also the basis to provide client auditing and policy
+services for projects like FreeIPA.
 
 %package ad
 Summary: The ActiveDirectory backend plugin for sssd
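Review bot: The new comment `# %_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins` reintroduces an unescaped macro inside a `#` comment; rpm expands macros in comments as well, which is harmless for `%_sysconfdir` but is exactly what the removed `%%` spelling guarded against, so keep `# %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins`. Removing `%global sssd_user sssd` and `%define child_capabilities ...` here requires that no `%sssd_user` or `%child_capabilities` reference survives; the uses visible in this diff (`--with-sssd-user` in the configure hunk and the `permissions.d` heredoc in the final, truncated hunk) are removed, but the `%files` and scriptlet sections are outside view and should be grepped for both names.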
@@ -152,8 +129,9 @@ Requires: %name-krb5-common = %version-%release
 Requires: adcli
 
 %description ad
-A back-end provider that the SSSD can utilize to fetch identity data
-from, and authenticate with, an Active Directory server.
+Provides the Active Directory back end that the SSSD can utilize to
+fetch identity data from and authenticate against an Active Directory
+server.
 
 %package dbus
 Summary: The D-Bus responder of sssd
@@ -162,7 +140,7 @@ Group: System/Base
 Requires: %name = %version
 
 %description dbus
-D-Bus responder of sssd, called InfoPipe, which allows
+Provides the D-Bus responder of sssd, called InfoPipe, which allows
 information from sssd to be transmitted over the system bus.
 
 %package ipa
@@ -176,8 +154,8 @@ Obsoletes: %name-ipa-provider < %version-%release
 Provides: %name-ipa-provider = %version-%release
 
 %description ipa
-A back-end provider that the SSSD can utilize to fetch identity data
-from, and authenticate with, an IPA server.
+Provides the IPA back end that the SSSD can utilize to fetch identity
+data from and authenticate against an IPA server.
 
 %package kcm
 Summary: SSSD's Kerberos cache manager
@@ -196,16 +174,14 @@ Group: System/Daemons
 Requires: %name-krb5-common = %version-%release
 
 %description krb5
-A back-end provider that the SSSD can utilize to authenticate against
-a Kerberos server.
+Provides the Kerberos back end that the SSSD can utilize authenticate
+against a Kerberos server.
 
 %package krb5-common
 Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
 License: GPL-3.0-or-later
 Group: System/Daemons
 Requires: cyrus-sasl-gssapi
-Requires(post): permissions
-Requires(verify): permissions
 
 %description krb5-common
 Provides helper processes that the LDAP and Kerberos back ends can
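Review bot: The new `%description krb5` text in the last hunk reads `Provides the Kerberos back end that the SSSD can utilize authenticate`, which is missing `to`; it should be `Provides the Kerberos back end that the SSSD can utilize to authenticate`. The same hunk drops `Requires(post)/Requires(verify): permissions` from krb5-common, matching the main-package hunk earlier in this diff. The description hunks at `@@ -227,8 +203,8 @@` (`wrap an existing NSS and/or PAM modules` — drop `an` or make it `module`) and `@@ -238,7 +214,7 @@` (`The packages contains` — `The package contains`) on the following line have the same kind of wording slip on the new side.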
@@ -218,8 +194,8 @@ Group: System/Daemons
 Requires: %name-krb5-common = %version-%release
 
 %description ldap
-A back-end provider that the SSSD can utilize to fetch identity data
-from, and authenticate with, an LDAP server.
+Provides the LDAP back end that the SSSD can utilize to fetch
+identity data from and authenticate against an LDAP server.
 
 %package proxy
 Summary: The proxy backend plugin for sssd
@@ -227,8 +203,8 @@ License: GPL-3.0-or-later
 Group: System/Daemons
 
 %description proxy
-A back-end provider which can be used to wrap existing NSS and/or PAM
-modules to leverage SSSD caching. (This can replace nscd.)
+Provides the proxy back end which can be used to wrap an existing NSS
+and/or PAM modules to leverage SSSD caching.
 
 %package tools
 Summary: Commandline tools for sssd
@@ -238,7 +214,7 @@ Requires: python3-sssd-config = %version-%release
 Requires: sssd = %version
 
 %description tools
-The packages contains command-line tools for managing users and groups using
+The packages contains commandline tools for managing users and groups using
 the "local" id provider of the System Security Services Daemon (sssd).
 
 %package winbind-idmap
@@ -255,7 +231,7 @@ License: LGPL-3.0-or-later
 Group: System/Libraries
 
 %description -n libsss_certmap0
-A utility library for FreeIPA to map certificates.
+A utility library for FreeIPA to map certs.
 
 %package -n libsss_certmap-devel
 Summary: Development files for the FreeIPA certmap library
@@ -264,7 +240,7 @@ Group: Development/Libraries/C and C++
 Requires: libsss_certmap0 = %version
 
 %description -n libsss_certmap-devel
-A utility library for FreeIPA to map certificates.
+A utility library for FreeIPA to map certs.
 
 %package -n libipa_hbac0
 Summary: FreeIPA HBAC Evaluator library
@@ -328,6 +304,7 @@ Requires: libsss_nss_idmap0 = %version
 %description -n libsss_nss_idmap-devel
 A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs.
 
+%if 0%{?suse_version} < 1600
 %package -n libsss_simpleifp0
 Summary: The SSSD D-Bus responder helper library
 License: GPL-3.0-or-later
@@ -350,6 +327,7 @@ Requires: libsss_simpleifp0 = %version
 This subpackage provides the development files for sssd's simpleifp, a
 library that simplifies the D-Bus API for the SSSD InfoPipe responder.
 
+%endif
 
 %package -n libsss_sudo
 Summary: A library to allow communication between sudo and SSSD
@@ -416,32 +394,33 @@ autoreconf -fiv
 --with-environment-file="%_sysconfdir/sysconfig/sssd" \
 --with-initscript=systemd \
 --with-syslog=journald \
- --with-pid-path="%_rundir/sssd" \
+ --with-pid-path="%_rundir" \
+ --enable-nsslibdir="/%_lib" \
 --enable-pammoddir="%_pam_moduledir" \
 --with-ldb-lib-dir="%ldbdir" \
 --with-os=suse \
 --disable-ldb-version-check \
 --without-python2-bindings \
 --without-oidc-child \
- --with-sssd-user="%sssd_user" \
 %if 0%{?suse_version} >= 1600
 --with-selinux=yes \
 --with-subid
 %else
 --with-selinux=no \
+ --with-semanage=no \
 --with-libsifp \
 --with-files-provider
 %endif
 %make_build all
 
 %install
-# sss_obfuscate is compatible with both Python 2 and 3
+# sss_obfuscate is compatible with both python 2 and 3
 perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate
 %make_install dbuspolicydir=%_datadir/dbus-1/system.d
 b="%buildroot"
 
 # Copy some defaults
-%if "%{?_distconfdir}" != ""
+%if %{?_distconfdir:1}
 install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_distconfdir/sssd/sssd.conf"
 install -d -m 0755 "$b/%_distconfdir/sssd/conf.d"
 %else
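Review bot: `%if %{?_distconfdir:1}` in the third hunk collapses to a bare `%if` on any build target where `_distconfdir` is undefined, and rpm reports a parse error for an empty `%if` expression instead of treating it as false (hence the usual `0%{?...}` idiom); keep the removed `%if "%{?_distconfdir}" != ""` or write `%if 0%{?_distconfdir:1}`. The same hunk drops `--with-sssd-user="%sssd_user"` and moves `--with-pid-path` from `%_rundir/sssd` to `%_rundir`, so the pid file now sits directly under the run directory and the daemon presumably runs with the upstream default user — consistent with the `--uid 0 --gid 0` restored in the KCM unit patch earlier in this diff, but worth stating in the change description since it reverses the privilege reduction the deleted patches implemented. The `%if 0%{?suse_version} < 1600` / `%endif` pair around the libsss_simpleifp0 packages in the first two hunks matches `--with-libsifp` being passed only in the `%else` (< 1600) branch.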
@@ -469,40 +448,20 @@ find "$b" -type f -name "*.la" -print -delete %find_lang %name --all-name # dummy target for cifs-idmap-plugin -mkdir -pv "$b/%_sysconfdir/alternatives" "$b/%_sysconfdir/cifs-utils" -ln -sfv "%_sysconfdir/alternatives/%cifs_idmap_name" "$b/%cifs_idmap_plugin" +mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils +ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin %python3_fix_shebang -%if 0%{?suse_version} > 1600 -%python3_fix_shebang_path %buildroot/%_libexecdir/%name/sss_analyze -%elif 0%{?suse_version} == 1600 -# python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204 -sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analyze" +%if 0%{?suse_version} >= 1600 +%python3_fix_shebang_path %buildroot/%_libexecdir/%name/ %endif -echo 'u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin' >system-user-sssd.conf -mkdir -p "$b/%_sysusersdir" "$b/etc/permissions.d" -cp -a system-user-sssd.conf "$b/%_sysusersdir/" -%sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf -install -Dpm 0644 contrib/sssd-tmpfiles.conf "%buildroot/%_tmpfilesdir/%name.conf" -# should match entry from %%files list -cat >"$b/etc/permissions.d/sssd" <<-EOF - %_libexecdir/sssd/sssd_pam root:sssd 0750 - +capabilities cap_dac_read_search=p - %_libexecdir/sssd/selinux_child root:sssd 0750 - +capabilities %child_capabilities - %_libexecdir/sssd/krb5_child root:sssd 0750 - +capabilities %child_capabilities - %_libexecdir/sssd/ldap_child root:sssd 0750 - +capabilities %child_capabilities -EOF - %check # sss_config-tests fails %make_build check || : -%pre -f random.pre -%service_add_pre sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket -%if "%{?_distconfdir}" != "" 
+%pre +%service_add_pre sssd.service +%if %{?_distconfdir:1} # Prepare for migration to /usr/etc; save any old .rpmsave for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i.rpmsave.old" || : 
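Review bot: The new `mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils` and `ln -sfv ... %buildroot/%cifs_idmap_plugin` lines expand `%buildroot` unquoted, while the rest of %install in this hunk's context (`find "$b" ...`) and the previous hunk (`install ... "$b/..."`) consistently quotes `$b`. A buildroot path containing whitespace would split these arguments, and the mixed style makes the section harder to scan; `mkdir -pv "$b/%_sysconfdir/alternatives" "$b/%_sysconfdir/cifs-utils"` keeps it uniform. `%python3_fix_shebang_path %buildroot/%_libexecdir/%name/` now targets the whole helper directory rather than one script; if only `sss_analyze` needs its shebang rewritten, naming it avoids touching the other helpers — presumably harmless either way, but worth confirming.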
@@ -515,38 +474,38 @@ done if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then /bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' "%_sysconfdir/sssd/sssd.conf" fi -%service_add_post sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket - -%_bindir/rm -f %mcpath/passwd %mcpath/group %mcpath/initgroups %mcpath/sid -%tmpfiles_create %name.conf -%set_permissions %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam +%service_add_post sssd.service # install SSSD cifs-idmap plugin as an alternative update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority %preun -%service_del_preun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket +%service_del_preun sssd.service %postun /sbin/ldconfig -if [ "$1" = "0" ] && [ -x "%_sbindir/pam-config" ]; then +if [ "$1" = "0" -a -x "%_sbindir/pam-config" ]; then "%_sbindir/pam-config" -d --sss || : fi # del_postun includes a try-restart -%service_del_postun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket +%service_del_postun sssd.service if [ ! 
-f "%cifs_idmap_lib" ]; then update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib fi -%ldconfig_scriptlets -n libsss_certmap0 -%ldconfig_scriptlets -n libipa_hbac0 -%ldconfig_scriptlets -n libsss_idmap0 -%ldconfig_scriptlets -n libsss_nss_idmap0 -%ldconfig_scriptlets -n libsss_simpleifp0 - -%verifyscript -%verify_permissions -e %_libexecdir/%name/selinux_child %_libexecdir/%name/sssd_pam +%post -n libsss_certmap0 -p /sbin/ldconfig +%postun -n libsss_certmap0 -p /sbin/ldconfig +%post -n libipa_hbac0 -p /sbin/ldconfig +%postun -n libipa_hbac0 -p /sbin/ldconfig +%post -n libsss_idmap0 -p /sbin/ldconfig +%postun -n libsss_idmap0 -p /sbin/ldconfig +%post -n libsss_nss_idmap0 -p /sbin/ldconfig +%postun -n libsss_nss_idmap0 -p /sbin/ldconfig +%if 0%{?suse_version} < 1600 +%post -n libsss_simpleifp0 -p /sbin/ldconfig +%postun -n libsss_simpleifp0 -p /sbin/ldconfig +%endif %triggerun -- %name < %version-%release # sssd takes care of upgrading the database but it doesn't handle downgrades. 
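Review bot: The %postun test `[ "$1" = "0" -a -x "%_sbindir/pam-config" ]` uses the `-a` conjunction, which POSIX marks obsolescent and which can be misparsed when an operand resembles an operator; `if [ "$1" = "0" ] && [ -x "%_sbindir/pam-config" ]; then` is the portable form. Here both operands are fixed strings, so this is a portability and style point rather than a live bug. The scriptlet is complete within the hunk; the `if [ ! -f "%cifs_idmap_lib" ]` block below it is unchanged.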
@@ -581,31 +540,21 @@ fi %postun kcm %service_del_postun sssd-kcm.service sssd-kcm.socket -%pre krb5-common -f random.pre - -%post krb5-common -%set_permissions %_libexecdir/%name/krb5_child %_libexecdir/%name/ldap_child - -%verifyscript krb5-common -%verify_permissions -e %_libexecdir/%name/krb5_child %_libexecdir/%name/ldap_child - -%pre proxy -f random.pre - %pretrans # Migrate sssd.service from sssd-common to sssd systemctl is-enabled sssd.service > /dev/null if [ $? -eq 0 ]; then - mkdir -p /run/systemd/rpm/ - touch /run/systemd/rpm/sssd-was-enabled +mkdir -p /run/systemd/rpm/ +touch /run/systemd/rpm/sssd-was-enabled fi systemctl is-active sssd.service > /dev/null if [ $? -eq 0 ]; then - mkdir -p /run/systemd/rpm/ - touch /run/systemd/rpm/sssd-was-active +mkdir -p /run/systemd/rpm/ +touch /run/systemd/rpm/sssd-was-active fi %posttrans -%if "%{?_distconfdir}" != "" +%if %{?_distconfdir:1} # Migration to /usr/etc, restore just created .rpmsave for i in sssd/sssd.conf logrotate.d/sssd pam.d/sssd-shadowutils ; do test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i" || : 
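Review bot: The re-indented %pretrans body now puts `mkdir -p /run/systemd/rpm/` and `touch /run/systemd/rpm/sssd-was-enabled` at column 0 inside the `if` block, which hides the block structure; the %posttrans migration in the next hunk is flattened the same way and should be treated together with this one. The `systemctl is-enabled sssd.service > /dev/null` followed by `if [ $? -eq 0 ]; then` pattern can be collapsed to `if systemctl is-enabled sssd.service >/dev/null 2>&1; then`, which drops the intermediate `$?` check and reads as a single condition. Both are style points; the commands executed are unchanged.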
@@ -613,20 +562,20 @@ done %endif # Migrate sssd.service from sssd-common to sssd if [ -e /run/systemd/rpm/sssd-was-enabled ]; then - systemctl is-enabled sssd.service >/dev/null - if [ $? -ne 0 ]; then - echo "Migrating sssd.service, was enabled" - systemctl enable sssd.service - fi - rm /run/systemd/rpm/sssd-was-enabled +systemctl is-enabled sssd.service > /dev/null +if [ $? -ne 0 ]; then + echo "Migrating sssd.service, was enabled" + systemctl enable sssd.service +fi +rm /run/systemd/rpm/sssd-was-enabled fi if [ -e /run/systemd/rpm/sssd-was-active ]; then - systemctl is-active sssd.service >/dev/null - if [ $? -ne 0 ]; then - echo "Migrating sssd.service, was active" - systemctl start sssd.service - fi - rm /run/systemd/rpm/sssd-was-active +systemctl is-active sssd.service > /dev/null +if [ $? -ne 0 ]; then + echo "Migrating sssd.service, was active" + systemctl start sssd.service +fi +rm /run/systemd/rpm/sssd-was-active fi %files -f sssd.lang @@ -639,15 +588,12 @@ fi %_unitdir/sssd-pac.socket %_unitdir/sssd-pac.service %_unitdir/sssd-pam.socket +%_unitdir/sssd-pam-priv.socket %_unitdir/sssd-pam.service %_unitdir/sssd-ssh.socket %_unitdir/sssd-ssh.service %_unitdir/sssd-sudo.socket %_unitdir/sssd-sudo.service -%_sysusersdir/*sssd* -%_tmpfilesdir/*sssd* -%_sysconfdir/permissions.d/* -%_datadir/polkit-1/ %_bindir/sss_ssh_* %_sbindir/sssd %if 0%{?suse_version} < 1600 
@@ -704,33 +650,32 @@ fi %_libexecdir/%name/sssd_autofs %_libexecdir/%name/sssd_be %_libexecdir/%name/sssd_nss -%attr(750,root,%sssd_user) %caps(cap_dac_read_search=p) %_libexecdir/%name/sssd_pam +%_libexecdir/%name/sssd_pam %_libexecdir/%name/sssd_ssh %_libexecdir/%name/sssd_sudo %_libexecdir/%name/sss_signal %_libexecdir/%name/sssd_check_socket_activated_responders %if 0%{?suse_version} >= 1600 -%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/selinux_child +%_libexecdir/%name/selinux_child %endif %dir %sssdstatedir -%attr(700,%sssd_user,%sssd_user) %dir %dbpath/ -%attr(755,%sssd_user,%sssd_user) %dir %pipepath/ -%attr(700,%sssd_user,%sssd_user) %dir %pipepath/private/ -%attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/ -%attr(755,%sssd_user,%sssd_user) %dir %pubconfpath/krb5.include.d -%attr(755,%sssd_user,%sssd_user) %dir %gpocachepath/ -%attr(755,%sssd_user,%sssd_user) %dir %mcpath/ -%attr(700,%sssd_user,%sssd_user) %dir %keytabdir/ -%attr(750,%sssd_user,%sssd_user) %dir %_localstatedir/log/%name/ -%attr(775,%sssd_user,%sssd_user) %dir %sssdstatedir/ -%if "%{?_distconfdir}" != "" -%attr(750,root,%sssd_user) %dir %_distconfdir/sssd/ -%attr(750,root,%sssd_user) %dir %_distconfdir/sssd/conf.d -%attr(640,root,%sssd_user) %_distconfdir/sssd/sssd.conf +%attr(700,root,root) %dir %dbpath/ +%attr(755,root,root) %dir %pipepath/ +%attr(700,root,root) %dir %pipepath/private/ +%attr(755,root,root) %dir %pubconfpath/ +%attr(755,root,root) %dir %pubconfpath/krb5.include.d +%attr(755,root,root) %dir %gpocachepath/ +%attr(755,root,root) %dir %sssdstatedir/mc/ +%attr(700,root,root) %dir %sssdstatedir/keytabs/ +%attr(750,root,root) %dir %_localstatedir/log/%name/ +%if %{?_distconfdir:1} +%dir %_distconfdir/sssd/ +%%dir %_distconfdir/sssd/conf.d +%config(noreplace) %_distconfdir/sssd/sssd.conf %else -%attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/ -%attr(750,root,%sssd_user) %dir %_sysconfdir/sssd/conf.d -%ghost %attr(640,root,%sssd_user) 
%config(noreplace) %_sysconfdir/sssd/sssd.conf +%dir %_sysconfdir/sssd/ +%%dir %_sysconfdir/sssd/conf.d +%config(noreplace) %_sysconfdir/sssd/sssd.conf %endif %if 0%{?suse_version} > 1500 %_distconfdir/logrotate.d/sssd @@ -749,12 +694,11 @@ fi %else %exclude %_mandir/*/*/sssd-files.5.gz %endif -%attr(775,%sssd_user,%sssd_user) %ghost %dir %_rundir/sssd %doc src/examples/sssd.conf # # sssd-client # -%_libdir/libnss_sss.so.2 +/%_lib/libnss_sss.so.2 %_pam_moduledir/pam_sss.so %_pam_moduledir/pam_sss_gss.so %_libdir/krb5/ @@ -839,8 +783,8 @@ fi %dir %_libdir/%name/ %_libdir/%name/libsss_krb5_common.so %dir %_libexecdir/%name/ -%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/krb5_child -%attr(750,root,%sssd_user) %caps(%child_capabilities) %_libexecdir/%name/ldap_child +%_libexecdir/%name/krb5_child +%_libexecdir/%name/ldap_child %files ldap %dir %_libdir/%name/ @@ -857,7 +801,7 @@ fi %dir %_libdir/%name/ %_libdir/%name/libsss_proxy.so %dir %_libexecdir/%name/ -%attr(750,root,%sssd_user) %_libexecdir/%name/proxy_child +%_libexecdir/%name/proxy_child %dir %_datadir/%name/ %dir %_datadir/%name/sssd.api.d/ %_datadir/%name/sssd.api.d/sssd-proxy.conf @@ -878,8 +822,7 @@ fi %python3_sitelib/sssd/ %files winbind-idmap -%dir %_libdir/samba/ -%_libdir/samba/idmap/ +%_libdir/samba/ %_mandir/man8/idmap_sss.8* %files -n libipa_hbac0
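Review bot: `%%dir %_distconfdir/sssd/conf.d` and `%%dir %_sysconfdir/sssd/conf.d` in the %files list carry a doubled percent; rpm most likely expands `%%` to `%` before parsing the entry so it still acts as `%dir`, but the intent is plainly `%dir %_distconfdir/sssd/conf.d` and the escape should go. In the same hunk `%config(noreplace) %_distconfdir/sssd/sssd.conf` has no `%attr`, so its mode rests on the `install -m 0600` in %install (the %else branch's install is outside this view); since sssd.conf commonly holds bind credentials, `%attr(600,root,root) %config(noreplace) %_distconfdir/sssd/sssd.conf` (and the %_sysconfdir counterpart) makes the restriction explicit in the manifest and independent of the install step. The directory entries also mix macros (`%dbpath`, `%pipepath`) with spelled-out paths (`%sssdstatedir/mc/`, `%sssdstatedir/keytabs/`); if `%mcpath` and `%keytabdir` are still defined at the top of the spec, using them keeps the list consistent. This hunk begins on the previous line.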