Use default nsslibdir

0001-Configuration-make-sure-etc-sssd-and-everything.patch is
added ahead of the stack because it is an upstream-accepted patch.
harden_sssd-kcm.service.patch then needs a refresh for reasons of
fuzz 2.

0001-Configuration-make-sure-etc-sssd-and-everything.patch

@@ -0,0 +1,76 @@
+From 8db2df4fcbd09badafbc207bd4150b5f1cc2d5fb Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Thu, 24 Oct 2024 15:34:26 +0200
+Subject: [PATCH] Configuration: make sure /etc/sssd and everything
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+beneath is owned by 'sssd' group and readable by group.
+
+This should allow for reasonable rw-r----- root:sssd
+
+At some points those chown/chmod can be removed.
+
+Reviewed-by: Justin Stephenson <jstephen@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 518db322fdd5a4de41813fbe5bc35fc20392ce67)
+---
+ contrib/sssd.spec.in                 | 4 ++--
+ src/sysv/systemd/sssd-kcm.service.in | 5 ++---
+ src/sysv/systemd/sssd.service.in     | 6 ++----
+ 3 files changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
+index 4fbacb959..83de563f3 100644
+--- a/contrib/sssd.spec.in
++++ b/contrib/sssd.spec.in
+@@ -1136,9 +1136,9 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d /run/sssd -s /sbin/nologi
+ %__rm -f %{mcpath}/group
+ %__rm -f %{mcpath}/initgroups
+ %__rm -f %{mcpath}/sid
++%__chown -f -R root:%{sssd_user} %{_sysconfdir}/sssd || true
++%__chmod -f -R g+r %{_sysconfdir}/sssd || true
+ %__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true
+-%__chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true
+-%__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true
+ %__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
+ %__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true
+ %__chown -f %{sssd_user}:%{sssd_user} %{gpocachepath}/* || true
+diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
+index 0c839ec5c..ba9e27cd9 100644
+--- a/src/sysv/systemd/sssd-kcm.service.in
++++ b/src/sysv/systemd/sssd-kcm.service.in
+@@ -9,9 +9,8 @@ Also=sssd-kcm.socket
+ 
+ [Service]
+ Environment=DEBUG_LOGGER=--logger=files
+-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
+-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
+-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
++ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
++ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
+ ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb"
+ ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log
+ ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER}
+diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
+index 37e0a63f8..a6f79ff8a 100644
+--- a/src/sysv/systemd/sssd.service.in
++++ b/src/sysv/systemd/sssd.service.in
+@@ -10,10 +10,8 @@ StartLimitBurst=5
+ [Service]
+ Environment=DEBUG_LOGGER=--logger=files
+ EnvironmentFile=-@environment_file@
+-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
+-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
+-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
+-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/pki
++ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
++ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
+ ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @dbpath@/*.ldb"
+ ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @gpocachepath@/*"
+ ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/*.log"
+-- 
+2.47.0
+

0001-INI-relax-config-files-checks.patch

@@ -0,0 +1,135 @@
+From 340671f16abb9c26ae97b11c4e2845337e67973e Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Wed, 23 Oct 2024 20:59:32 +0200
+Subject: [PATCH] INI: relax config files checks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Only make sure:
+ - user is root or sssd
+ - group is root or sssd
+ - other can't access it
+
+Don't make any assumptions wrt user/group read/write-ability.
+
+Reviewed-by: Justin Stephenson <jstephen@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit 8472777ec472607ea450ddb4c4666017bd0de704)
+---
+ src/man/sssd.conf.5.xml |  5 ++-
+ src/util/sss_ini.c      | 68 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 70 insertions(+), 3 deletions(-)
+
+diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
+index a074cc674..bf10acb2a 100644
+--- a/src/man/sssd.conf.5.xml
++++ b/src/man/sssd.conf.5.xml
+@@ -57,9 +57,8 @@
+             readable, and writeable only by 'root'.
+         </para>
+         <para condition="with_non_root_user_support">
+-            <filename>sssd.conf</filename> must be a regular file that is owned,
+-            readable, and writeable by the same user as configured to run SSSD
+-            service.
++            <filename>sssd.conf</filename> must be a regular file that is
++            accessible only by the user used to run SSSD service or root.
+         </para>
+     </refsect1>
+ 
+diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
+index e989d8caf..74cf61e0e 100644
+--- a/src/util/sss_ini.c
++++ b/src/util/sss_ini.c
+@@ -26,6 +26,7 @@
+ #include <unistd.h>
+ #include <string.h>
+ #include <errno.h>
++#include <sys/stat.h>
+ #include <talloc.h>
+ 
+ #include "config.h"
+@@ -781,6 +782,71 @@ int sss_ini_open(struct sss_ini *self,
+     return ret;
+ }
+ 
++static int access_check_file(const char *filename)
++{
++    int ret;
++    struct stat st;
++    uid_t uid;
++    gid_t gid;
++
++    sss_sssd_user_uid_and_gid(&uid, &gid);
++
++    ret = stat(filename, &st);
++    if (ret != 0) {
++        ret = errno;
++        DEBUG(SSSDBG_CRIT_FAILURE, "stat(%s) failed: %s\n",
++              filename, strerror(ret));
++        return EINVAL;
++    }
++
++    if ((st.st_uid != 0) && (st.st_uid != uid)) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected user owner of '%s': %"SPRIuid"\n",
++              filename, st.st_uid);
++        return ERR_INI_INVALID_PERMISSION;
++    }
++
++    if ((st.st_gid != 0) && (st.st_gid != gid)) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected group owner of '%s': %"SPRIgid"\n",
++              filename, st.st_gid);
++        return ERR_INI_INVALID_PERMISSION;
++    }
++
++    if ((st.st_mode & (S_IROTH|S_IWOTH|S_IXOTH)) != 0) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected access to '%s' by other users\n",
++              filename);
++        return ERR_INI_INVALID_PERMISSION;
++    }
++
++    return EOK;
++}
++
++static int access_check_ini(struct sss_ini *self)
++{
++    int ret;
++    const char *path;
++    uint32_t i;
++    const char **snippet;
++    struct ref_array *used_snippets;
++
++    if (self->main_config_exists) {
++        path = ini_config_get_filename(self->file);
++        ret = access_check_file(path);
++        if (ret != EOK) {
++            return ret;
++        }
++    }
++
++    used_snippets = sss_ini_get_ra_success_list(self);
++    for (i = 0; (snippet = ref_array_get(used_snippets, i, NULL)) != NULL; ++i) {
++        ret = access_check_file(*snippet);
++        if (ret != EOK) {
++            return ret;
++        }
++    }
++
++    return EOK;
++}
++
+ int sss_ini_read_sssd_conf(struct sss_ini *self,
+                            const char *config_file,
+                            const char *config_dir)
+@@ -833,5 +899,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
+         return ERR_INI_EMPTY_CONFIG;
+     }
+ 
++    ret = access_check_ini(self);
++
+     return ret;
+ }
+-- 
+2.47.0
+

0001-INI-stop-using-libini_config-for-access-check.patch

@@ -0,0 +1,182 @@
+From 1d19b8ad9415e0a12ed3aaf039d4d0956ef4dbad Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Wed, 23 Oct 2024 19:53:09 +0200
+Subject: [PATCH] INI: stop using 'libini_config' for access check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Justin Stephenson <jstephen@redhat.com>
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+---
+ src/util/sss_ini.c |  100 +----------------------------------------------------
+ src/util/sss_ini.h |   12 ------
+ 2 files changed, 3 insertions(+), 109 deletions(-)
+
+Index: sssd-2.10.0/src/util/sss_ini.c
+===================================================================
+--- sssd-2.10.0.orig/src/util/sss_ini.c
++++ sssd-2.10.0/src/util/sss_ini.c
+@@ -147,81 +147,6 @@ static int sss_ini_config_file_from_mem(
+                                    &self->file);
+ }
+ 
+-/* Check configuration file permissions */
+-
+-static bool is_running_sssd(void)
+-{
+-    static char exe[1024];
+-    int ret;
+-    const char *s = NULL;
+-
+-    ret = readlink("/proc/self/exe", exe, sizeof(exe) - 1);
+-    if ((ret > 0) && (ret < 1024)) {
+-        exe[ret] = 0;
+-        s = strstr(exe, debug_prg_name);
+-        if ((s != NULL) && (strlen(s) == strlen(debug_prg_name))) {
+-            return true;
+-        }
+-    }
+-
+-    return false;
+-}
+-
+-static int sss_ini_access_check(struct sss_ini *self)
+-{
+-    int ret;
+-    uint32_t flags = INI_ACCESS_CHECK_MODE;
+-
+-    if (!self->main_config_exists) {
+-        return EOK;
+-    }
+-
+-    if (is_running_sssd()) {
+-        flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID;
+-    }
+-
+-    ret = ini_config_access_check(self->file,
+-                                  flags,
+-                                  geteuid(),
+-                                  getegid(),
+-                                  S_IRUSR, /* r**------ */
+-                                  ALLPERMS & ~(S_IWUSR|S_IXUSR));
+-
+-    return ret;
+-}
+-
+-
+-
+-/* Get cstat */
+-
+-int sss_ini_get_stat(struct sss_ini *self)
+-{
+-    self->cstat = ini_config_get_stat(self->file);
+-
+-    if (!self->cstat) return EIO;
+-
+-    return EOK;
+-}
+-
+-
+-
+-/* Get mtime */
+-
+-int sss_ini_get_mtime(struct sss_ini *self,
+-                      size_t timestr_len,
+-                      char *timestr)
+-{
+-    return snprintf(timestr, timestr_len, "%llu",
+-                    (long long unsigned)self->cstat->st_mtime);
+-}
+-
+-/* Get file_exists */
+-
+-bool sss_ini_exists(struct sss_ini *self)
+-{
+-    return self->main_config_exists;
+-}
+-
+ /* Print ini_config errors */
+ 
+ static void sss_ini_config_print_errors(char **error_list)
+@@ -289,7 +214,6 @@ static int sss_ini_add_snippets(struct s
+     uint32_t i = 0;
+     char *msg = NULL;
+     struct ini_cfgobj *modified_sssd_config = NULL;
+-    struct access_check snip_check;
+ 
+     if (self == NULL || self->sssd_config == NULL || config_dir == NULL) {
+         return EINVAL;
+@@ -297,21 +221,11 @@ static int sss_ini_add_snippets(struct s
+ 
+     sss_ini_free_ra_messages(self);
+ 
+-    snip_check.flags = INI_ACCESS_CHECK_MODE;
+-
+-    if (is_running_sssd()) {
+-        snip_check.flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID;
+-    }
+-    snip_check.uid = geteuid();
+-    snip_check.gid = getegid();
+-    snip_check.mode = S_IRUSR; /* r**------ */
+-    snip_check.mask = ALLPERMS & ~(S_IWUSR | S_IXUSR);
+-
+     ret = ini_config_augment(self->sssd_config,
+                              config_dir,
+                              patterns,
+                              sections,
+-                             &snip_check,
++                             NULL,
+                              INI_STOP_ON_ANY,
+                              INI_MV1S_OVERWRITE,
+                              INI_PARSE_NOWRAP,
+@@ -894,15 +808,7 @@ int sss_ini_read_sssd_conf(struct sss_in
+         return ERR_INI_OPEN_FAILED;
+     }
+ 
+-    if (sss_ini_exists(self)) {
+-        ret = sss_ini_access_check(self);
+-        if (ret != EOK) {
+-            DEBUG(SSSDBG_CRIT_FAILURE,
+-                  "Permission check on config file %s failed: %d\n",
+-                  config_file, ret);
+-            return ERR_INI_INVALID_PERMISSION;
+-        }
+-    } else {
++    if (!self->main_config_exists) {
+         DEBUG(SSSDBG_CONF_SETTINGS,
+               "File %s does not exist.\n", config_file);
+     }
+@@ -923,7 +829,7 @@ int sss_ini_read_sssd_conf(struct sss_in
+         return ERR_INI_ADD_SNIPPETS_FAILED;
+     }
+ 
+-    if (!sss_ini_exists(self) &&
++    if ((!self->main_config_exists) &&
+         (ref_array_len(sss_ini_get_ra_success_list(self)) == 0)) {
+         return ERR_INI_EMPTY_CONFIG;
+     }
+Index: sssd-2.10.0/src/util/sss_ini.h
+===================================================================
+--- sssd-2.10.0.orig/src/util/sss_ini.h
++++ sssd-2.10.0/src/util/sss_ini.h
+@@ -81,18 +81,6 @@ int sss_ini_open(struct sss_ini *self,
+                  const char *fallback_cfg);
+ 
+ /**
+- * @brief Check whether sss_ini_open() reported that ini file is
+- *        not present
+- *
+- * @param[in] self  pointer to sss_ini structure
+- *
+- * @return
+- *   - true   we are using ini file
+- *   - false  file was not found
+- */
+-bool sss_ini_exists(struct sss_ini *self);
+-
+-/**
+  * @brief get Cstat structure of the ini file
+  */
+ int sss_ini_get_stat(struct sss_ini *self);

0001-sssd-always-print-path-when-config-object-is-rejecte.patch

@@ -0,0 +1,75 @@
+From 1a743a4123c104a10c694f7ee9d2f0a1e7182513 Mon Sep 17 00:00:00 2001
+From: Jan Engelhardt <jengelh@inai.de>
+Date: Wed, 16 Oct 2024 09:55:50 +0200
+Subject: [PATCH] sssd: always print path when config object is rejected
+References: https://github.com/SSSD/sssd/pull/7649
+
+Observed:
+
+```
+Oct 16 09:44:04 a4 sssd[28717]: [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed.
+Oct 16 09:44:04 a4 sssd[28717]: Can't read config: 'File ownership and permissions check failed'
+Oct 16 09:44:04 a4 sssd[28717]: Failed to read configuration: 'File ownership and permissions check failed'
+```
+
+Expected:
+
+_Well yes, but **which one**_!?
+
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
+Reviewed-by: Justin Stephenson <jstephen@redhat.com>
+(cherry picked from commit 2b7915dd84a6b8c3ee26e45357283677fe22f2cb)
+---
+ src/util/sss_ini.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
+index 7f9824d88..2a611eb8c 100644
+--- a/src/util/sss_ini.c
++++ b/src/util/sss_ini.c
+@@ -888,7 +888,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
+     ret = sss_ini_open(self, config_file, "[sssd]\n");
+     if (ret != EOK) {
+         DEBUG(SSSDBG_CRIT_FAILURE,
+-              "The sss_ini_open failed %s: %d\n",
++              "sss_ini_open on %s failed: %d\n",
+               config_file,
+               ret);
+         return ERR_INI_OPEN_FAILED;
+@@ -898,26 +898,28 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
+         ret = sss_ini_access_check(self);
+         if (ret != EOK) {
+             DEBUG(SSSDBG_CRIT_FAILURE,
+-                  "Permission check on config file failed.\n");
++                  "Permission check on config file %s failed: %d\n",
++                  config_file, ret);
+             return ERR_INI_INVALID_PERMISSION;
+         }
+     } else {
+         DEBUG(SSSDBG_CONF_SETTINGS,
+-              "File %1$s does not exist.\n",
+-              (config_file ? config_file : "NULL"));
++              "File %s does not exist.\n", config_file);
+     }
+ 
+     ret = sss_ini_parse(self);
+     if (ret != EOK) {
+         sss_ini_config_print_errors(self->error_list);
+-        DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration.\n");
++        DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration file %s: %d\n",
++              config_file, ret);
+         return ERR_INI_PARSE_FAILED;
+     }
+ 
+     ret = sss_ini_add_snippets(self, config_dir);
+     if (ret != EOK) {
+         DEBUG(SSSDBG_FATAL_FAILURE,
+-              "Error while reading configuration directory.\n");
++              "Error while reading configuration directory %s: %d\n",
++              config_dir, ret);
+         return ERR_INI_ADD_SNIPPETS_FAILED;
+     }
+ 
+-- 
+2.47.0
+

harden_sssd-kcm.service.patch

@@ -1,7 +1,11 @@
-Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
+---
+ src/sysv/systemd/sssd-kcm.service.in |   13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
 ===================================================================
---- sssd-2.5.2.orig/src/sysv/systemd/sssd-kcm.service.in
+--- sssd-2.10.0.orig/src/sysv/systemd/sssd-kcm.service.in
-+++ sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
++++ sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
 @@ -8,6 +8,19 @@ After=sssd-kcm.socket
  Also=sssd-kcm.socket
  
@@ -20,5 +24,5 @@ Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
 +RestrictRealtime=true
 +# end of automatic additions 
  Environment=DEBUG_LOGGER=--logger=files
- ExecStartPre=-@sbindir@/sssd --genconf-section=kcm
+ ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
- ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}
+ ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@

sssd-2.10.0.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmcOPUoACgkQ09IbKRDP
+Z1myuA//anDvdZcQp0EUia2NsiWt2MFE8esmsEIN6QmEYjUxvEeXI9q4YJQimMi8
+wdt0zqZE1PLrTcroWaeGcgt2+CJWUbVanZtNn3oo7lUVYrLKemrUzavM7dXTaA43
+cdKAFyEO+nHJQ2yBNUt6sRXc3tM0H27yZs0iL+CcYu6YshUTbMnZuwdpz7DqDTN8
+nbG+LWa+U0en5mI3waP8Ionwmdv9AJAuCHQZLlZDpM0+YfGumcIUJdbxU/I8pqP8
+MQaulPv3e+BNwdbUiLlk0cXRjuEfSd0bmMa3MqB4IqMvvjACU0GuSgK3FDhutZJe
+HfmzYSo/Zntmr7F/eYLz6zy/GU3VewEilOyRV08oz+EVJRbGyo2t4k6PUYbn+I4V
+kJ/maed5jnBzIZGf6o+P1r+3mavJg7k2LDV4s48MsZ4Y5ED4X0c+boT1L5FZbquW
+gp99Di0RG4VoWiYOfVfszLzeDWOLbOrKMyA6PTqlmjGYAdV9SBwZP5WEdwXyPovo
+D7uual7Eqdd+Y/lt+8O4Wd+Y+a9xI2kwVFo8KYmHc8PhgLpPIKTWbBTEI+0nw3fJ
+qqyyA7JWA81bt4WKVuJaeS87S/9F4yn8ps2dzSgHjZ2Tzr7Eu1a3RWLjKYsjKZrT
+PPd2d/02rQAZPwLYHN5qM3Xjh0DD7IiXav1QuIPxmUQA9z8ZiuA=
+=mJVY
+-----END PGP SIGNATURE-----

sssd-2.9.5.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmZF8CMACgkQ09IbKRDP
-Z1lSVQ/9EPVvWUX1z/pHfbvDjRpfD+LDbDceYB4YBh0caYpMVFm/2wHhFIjTYEpf
-SmIR+SQp50NkRSK6tE/u+Swu+YUkiCqnEWv2y9wd4Uh2NKiukyiqBC1k2cn9URNu
-oRreBM1KIRvTkdoyZwteELJ7vMLVr0UT2iIXZQFIIZX+LM3FNZJ5vFcj5fF0Hz1f
-v8zR0VTB7xY/6U+4KikvMyM3fOPeTOJvEtMp4xDWyquRjCADjZasOQcKRQzXp1er
-zs/qLcQ8eCODXhKelGqmppVIElW+72f1FNbMpBnlQ7VtFn6pn4sPazO0Hr7eNfZJ
-Vc6GXN8zZ/oF5U4x7XSMVqeOHLQoLeb2HxgUzS+1Ig19FHOs6Xoj0dO5l/TOEFav
-l61qytYnj3DNZjrMVLsMvOx3qGYK7PmyaWNoIJlLO2GbWKMP/8yBm35Ugd0jybSi
-T7VWX+isQHfVhSZ9wD4/yYOBAU3lABORAjXkCWQp/vMR/KiHbfaajCAbl56KiijQ
-eKYaq57EH3N+qKd1sqCrPfSw3HSqm3rngG1CsMasBQgLFs2aW+Mwo3UvQ1U/ykED
-mOo2D9uhOQluv4AUSpKK6E8EXoPSxDFZI4WX37depO2VGXDO90JNfVamJXjy1+bH
-d/RnoZfC7h7Vb1P1bPgGdsAFQBOP0FinbEjehpw0P0U2xAZQWek=
-=pY7t
------END PGP SIGNATURE-----

sssd.changes

@@ -1,3 +1,26 @@
+-------------------------------------------------------------------
+Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
+
+- Update to release 2.10.0
+  * The ``sssctl cache-upgrade`` command was removed. SSSD
+    performs automatic upgrades at startup when needed.
+  * Support of ``enumeration`` feature (i.e. ability to list all
+    users/groups using ``getent passwd/group`` without argument)
+    for AD/IPA providers is deprecated and might be removed in
+    further releases.
+  * The new tool ``sss_ssh_knownhosts`` can be used with ssh's
+    ``KnownHostsCommand`` configuration option to retrieve the
+    host's public keys from a remote server (FreeIPA, LDAP,
+    etc.). It replaces ```sss_ssh_knownhostsproxy``.
+  * The default value for ``ldap_id_use_start_tls`` changed from
+    false to true for improved security.
+  * https://github.com/SSSD/sssd/releases/tag/2.10.0
+- Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch,
+  0001-INI-stop-using-libini_config-for-access-check.patch,
+  0001-INI-relax-config-files-checks.patch,
+  0001-Configuration-make-sure-etc-sssd-and-everything.patch
+- Fix socket activation of responders
+
 -------------------------------------------------------------------
 Tue Oct  1 10:15:07 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
 

sssd.spec

@@ -17,7 +17,7 @@
 
 
 Name:           sssd
-Version:        2.9.5
+Version:        2.10.0
 Release:        0
 Summary:        System Security Services Daemon
 License:        GPL-3.0-or-later AND LGPL-3.0-or-later
@@ -28,10 +28,14 @@ Source:         https://github.com/SSSD/sssd/releases/download/%version/%name-%v
 Source2:        https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc
 Source3:        baselibs.conf
 Source5:        %name.keyring
-Patch1:         krb-noversion.diff
+Patch3:         0001-sssd-always-print-path-when-config-object-is-rejecte.patch
-Patch2:         harden_sssd-ifp.service.patch
+Patch4:         0001-INI-stop-using-libini_config-for-access-check.patch
-Patch3:         harden_sssd-kcm.service.patch
+Patch5:         0001-INI-relax-config-files-checks.patch
-Patch4:         symvers.patch
+Patch6:         0001-Configuration-make-sure-etc-sssd-and-everything.patch
+Patch11:        krb-noversion.diff
+Patch12:        harden_sssd-ifp.service.patch
+Patch13:        harden_sssd-kcm.service.patch
+Patch14:        symvers.patch
 BuildRequires:  autoconf >= 2.59
 BuildRequires:  automake
 BuildRequires:  bind-utils
@@ -53,18 +57,22 @@ BuildRequires:  nss_wrapper
 BuildRequires:  openldap2-devel
 BuildRequires:  pam-devel
 BuildRequires:  pkg-config >= 0.21
+BuildRequires:  python3-wheel
+BuildRequires:  python3-setuptools
 BuildRequires:  systemd-rpm-macros
+BuildRequires:  sysuser-tools
 BuildRequires:  uid_wrapper
 BuildRequires:  pkgconfig(augeas) >= 1.0.0
 BuildRequires:  pkgconfig(collection) >= 0.5.1
 BuildRequires:  pkgconfig(dbus-1) >= 1.0.0
 BuildRequires:  pkgconfig(dhash) >= 0.4.2
 BuildRequires:  pkgconfig(glib-2.0)
-BuildRequires:  pkgconfig(ini_config) >= 1.1.0
+BuildRequires:  pkgconfig(ini_config) >= 1.3
 BuildRequires:  pkgconfig(jansson)
 BuildRequires:  pkgconfig(ldb) >= 0.9.2
+BuildRequires:  pkgconfig(libcap)
 BuildRequires:  pkgconfig(libcares)
-BuildRequires:  pkgconfig(libcrypto)
+BuildRequires:  pkgconfig(libcrypto) >= 1.0.1
 %if 0%{?suse_version} >= 1600
 BuildRequires:  pkgconfig(libcurl)
 %endif
@@ -93,6 +101,7 @@ BuildRequires:  pkgconfig(uuid)
 # Package contains just config files, not needed for build.
 #!BuildIgnore: libldap-data
 %endif
+%sysusers_requires
 %{?systemd_ordering}
 Requires:       sssd-ldap = %version-%release
 Requires(postun): pam-config
@@ -122,11 +131,11 @@ Requires(post): update-alternatives
 Requires(postun): update-alternatives
 
 %description
-Provides a set of daemons to manage access to remote directories and
+A set of daemons to manage access to remote directories and
-authentication mechanisms. It provides an NSS and PAM interface toward
+authentication mechanisms. sssd provides an NSS and PAM interfaces
-the system and a pluggable backend system to connect to multiple different
+toward the system and a pluggable backend system to connect to
-account sources. It is also the basis to provide client auditing and policy
+multiple different account sources. It is also the basis to provide
-services for projects like FreeIPA.
+client auditing and policy services for projects like FreeIPA.
 
 %package ad
 Summary:        The ActiveDirectory backend plugin for sssd
@@ -136,9 +145,8 @@ Requires:       %name-krb5-common = %version-%release
 Requires:       adcli
 
 %description ad
-Provides the Active Directory back end that the SSSD can utilize to
+A back-end provider that the SSSD can utilize to fetch identity data
-fetch identity data from and authenticate against an Active Directory
+from, and authenticate with, an Active Directory server.
-server.
 
 %package dbus
 Summary:        The D-Bus responder of sssd
@@ -147,7 +155,7 @@ Group:          System/Base
 Requires:       %name = %version
 
 %description dbus
-Provides the D-Bus responder of sssd, called InfoPipe, which allows
+D-Bus responder of sssd, called InfoPipe, which allows
 information from sssd to be transmitted over the system bus.
 
 %package ipa
@@ -161,8 +169,8 @@ Obsoletes:      %name-ipa-provider < %version-%release
 Provides:       %name-ipa-provider = %version-%release
 
 %description ipa
-Provides the IPA back end that the SSSD can utilize to fetch identity
+A back-end provider that the SSSD can utilize to fetch identity data
-data from and authenticate against an IPA server.
+from, and authenticate with, an IPA server.
 
 %package kcm
 Summary:        SSSD's Kerberos cache manager
@@ -181,8 +189,8 @@ Group:          System/Daemons
 Requires:       %name-krb5-common = %version-%release
 
 %description krb5
-Provides the Kerberos back end that the SSSD can utilize authenticate
+A back-end provider that the SSSD can utilize to authenticate against
-against a Kerberos server.
+a Kerberos server.
 
 %package krb5-common
 Summary:        SSSD helpers needed for Kerberos and GSSAPI authentication
@@ -201,8 +209,8 @@ Group:          System/Daemons
 Requires:       %name-krb5-common = %version-%release
 
 %description ldap
-Provides the LDAP back end that the SSSD can utilize to fetch
+A back-end provider that the SSSD can utilize to fetch identity data
-identity data from and authenticate against an LDAP server.
+from, and authenticate with, an LDAP server.
 
 %package proxy
 Summary:        The proxy backend plugin for sssd
@@ -210,8 +218,8 @@ License:        GPL-3.0-or-later
 Group:          System/Daemons
 
 %description proxy
-Provides the proxy back end which can be used to wrap an existing NSS
+A back-end provider which can be used to wrap existing NSS and/or PAM
-and/or PAM modules to leverage SSSD caching.
+modules to leverage SSSD caching. (This can replace nscd.)
 
 %package tools
 Summary:        Commandline tools for sssd
@@ -221,7 +229,7 @@ Requires:       python3-sssd-config = %version-%release
 Requires:       sssd = %version
 
 %description tools
-The packages contains commandline tools for managing users and groups using
+The packages contains command-line tools for managing users and groups using
 the "local" id provider of the System Security Services Daemon (sssd).
 
 %package winbind-idmap
@@ -238,7 +246,7 @@ License:        LGPL-3.0-or-later
 Group:          System/Libraries
 
 %description -n libsss_certmap0
-A utility library for FreeIPA to map certs.
+A utility library for FreeIPA to map certificates.
 
 %package -n libsss_certmap-devel
 Summary:        Development files for the FreeIPA certmap library
@@ -247,7 +255,7 @@ Group:          Development/Libraries/C and C++
 Requires:       libsss_certmap0 = %version
 
 %description -n libsss_certmap-devel
-A utility library for FreeIPA to map certs.
+A utility library for FreeIPA to map certificates.
 
 %package -n libipa_hbac0
 Summary:        FreeIPA HBAC Evaluator library
@@ -311,7 +319,6 @@ Requires:       libsss_nss_idmap0 = %version
 %description -n libsss_nss_idmap-devel
 A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs.
 
-%if 0%{?suse_version} < 1600
 %package -n libsss_simpleifp0
 Summary:        The SSSD D-Bus responder helper library
 License:        GPL-3.0-or-later
@@ -334,7 +341,6 @@ Requires:       libsss_simpleifp0 = %version
 This subpackage provides the development files for sssd's simpleifp,
 a library that simplifies the D-Bus API for the SSSD InfoPipe
 responder.
-%endif
 
 %package -n libsss_sudo
 Summary:        A library to allow communication between sudo and SSSD
@@ -402,7 +408,6 @@ autoreconf -fiv
 	--with-initscript=systemd \
 	--with-syslog=journald \
 	--with-pid-path="%_rundir" \
-	--enable-nsslibdir="/%_lib" \
 	--enable-pammoddir="%_pam_moduledir" \
 	--with-ldb-lib-dir="%ldbdir" \
 	--with-os=suse \
@@ -414,14 +419,13 @@ autoreconf -fiv
 	--with-subid
 %else
 	--with-selinux=no \
-	--with-semanage=no \
 	--with-libsifp \
 	--with-files-provider
 %endif
 %make_build all
 
 %install
-# sss_obfuscate is compatible with both python 2 and 3
+# sss_obfuscate is compatible with both Python 2 and 3
 perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate
 %make_install dbuspolicydir=%_datadir/dbus-1/system.d
 b="%buildroot"
@@ -455,22 +459,27 @@ find "$b" -type f -name "*.la" -print -delete
 %find_lang %name --all-name
 
 # dummy target for cifs-idmap-plugin
-mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils
+mkdir -pv "$b/%_sysconfdir/alternatives" "$b/%_sysconfdir/cifs-utils"
-ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin
+ln -sfv "%_sysconfdir/alternatives/%cifs_idmap_name" "$b/%cifs_idmap_plugin"
 %python3_fix_shebang
 %if 0%{?suse_version} > 1600
 %python3_fix_shebang_path %buildroot/%_libexecdir/%name/
 %elif 0%{?suse_version} == 1600
 # python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204
-sed -i '1s@#!.*python.*@#!%{_bindir}/python3.11@' %{buildroot}/%{_libexecdir}/%{name}/sss_analyze
+sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analyze"
 %endif
 
+echo 'u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin' >system-user-sssd.conf
+mkdir -p "$b/%_sysusersdir"
+cp -a system-user-sssd.conf "$b/%_sysusersdir/"
+%sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf
+
 %check
 # sss_config-tests fails
 %make_build check || :
 
-%pre
+%pre -f random.pre
-%service_add_pre sssd.service
+%service_add_pre sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
 %if "%{?_distconfdir}" != ""
 # Prepare for migration to /usr/etc; save any old .rpmsave
 for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do
@@ -484,38 +493,31 @@ done
 if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then
 	/bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' "%_sysconfdir/sssd/sssd.conf"
 fi
-%service_add_post sssd.service
+%service_add_post sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
 
 # install SSSD cifs-idmap plugin as an alternative
 update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority
 
 %preun
-%service_del_preun sssd.service
+%service_del_preun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
 
 %postun
 /sbin/ldconfig
-if [ "$1" = "0" -a -x "%_sbindir/pam-config" ]; then
+if [ "$1" = "0" ] && [ -x "%_sbindir/pam-config" ]; then
 	"%_sbindir/pam-config" -d --sss || :
 fi
 # del_postun includes a try-restart
-%service_del_postun sssd.service
+%service_del_postun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
 
 if [ ! -f "%cifs_idmap_lib" ]; then
 	update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib
 fi
 
-%post   -n libsss_certmap0 -p /sbin/ldconfig
+%ldconfig_scriptlets -n libsss_certmap0
-%postun -n libsss_certmap0 -p /sbin/ldconfig
+%ldconfig_scriptlets -n libipa_hbac0
-%post   -n libipa_hbac0 -p /sbin/ldconfig
+%ldconfig_scriptlets -n libsss_idmap0
-%postun -n libipa_hbac0 -p /sbin/ldconfig
+%ldconfig_scriptlets -n libsss_nss_idmap0
-%post   -n libsss_idmap0 -p /sbin/ldconfig
+%ldconfig_scriptlets -n libsss_simpleifp0
-%postun -n libsss_idmap0 -p /sbin/ldconfig
-%post   -n libsss_nss_idmap0 -p /sbin/ldconfig
-%postun -n libsss_nss_idmap0 -p /sbin/ldconfig
-%if 0%{?suse_version} < 1600
-%post   -n libsss_simpleifp0 -p /sbin/ldconfig
-%postun -n libsss_simpleifp0 -p /sbin/ldconfig
-%endif
 
 %triggerun -- %name < %version-%release
 # sssd takes care of upgrading the database but it doesn't handle downgrades.
@@ -554,13 +556,13 @@ fi
 # Migrate sssd.service from sssd-common to sssd
 systemctl is-enabled sssd.service > /dev/null
 if [ $? -eq 0 ]; then
-mkdir -p /run/systemd/rpm/
+	mkdir -p /run/systemd/rpm/
-touch /run/systemd/rpm/sssd-was-enabled
+	touch /run/systemd/rpm/sssd-was-enabled
 fi
 systemctl is-active sssd.service > /dev/null
 if [ $? -eq 0 ]; then
-mkdir -p /run/systemd/rpm/
+	mkdir -p /run/systemd/rpm/
-touch /run/systemd/rpm/sssd-was-active
+	touch /run/systemd/rpm/sssd-was-active
 fi
 
 %posttrans
@@ -572,20 +574,20 @@ done
 %endif
 # Migrate sssd.service from sssd-common to sssd
 if [ -e /run/systemd/rpm/sssd-was-enabled ]; then
-systemctl is-enabled sssd.service > /dev/null
+	systemctl is-enabled sssd.service >/dev/null
-if [ $? -ne 0 ]; then
+	if [ $? -ne 0 ]; then
-    echo "Migrating sssd.service, was enabled"
+		echo "Migrating sssd.service, was enabled"
-    systemctl enable sssd.service
+		systemctl enable sssd.service
-fi
+	fi
-rm /run/systemd/rpm/sssd-was-enabled
+	rm /run/systemd/rpm/sssd-was-enabled
 fi
 if [ -e /run/systemd/rpm/sssd-was-active ]; then
-systemctl is-active sssd.service > /dev/null
+	systemctl is-active sssd.service >/dev/null
-if [ $? -ne 0 ]; then
+	if [ $? -ne 0 ]; then
-    echo "Migrating sssd.service, was active"
+		echo "Migrating sssd.service, was active"
-    systemctl start sssd.service
+		systemctl start sssd.service
-fi
+	fi
-rm /run/systemd/rpm/sssd-was-active
+	rm /run/systemd/rpm/sssd-was-active
 fi
 
 %files -f sssd.lang
@@ -598,12 +600,12 @@ fi
 %_unitdir/sssd-pac.socket
 %_unitdir/sssd-pac.service
 %_unitdir/sssd-pam.socket
-%_unitdir/sssd-pam-priv.socket
 %_unitdir/sssd-pam.service
 %_unitdir/sssd-ssh.socket
 %_unitdir/sssd-ssh.service
 %_unitdir/sssd-sudo.socket
 %_unitdir/sssd-sudo.service
+%_sysusersdir/*sssd*
 %_bindir/sss_ssh_*
 %_sbindir/sssd
 %if 0%{?suse_version} < 1600
@@ -708,7 +710,7 @@ fi
 #
 # sssd-client
 #
-/%_lib/libnss_sss.so.2
+%_libdir/libnss_sss.so.2
 %_pam_moduledir/pam_sss.so
 %_pam_moduledir/pam_sss_gss.so
 %_libdir/krb5/