From f13f969b0805bc1c556a6a9f860cb80352ebc6e2fc845364b8f3ec9be0cb9a84 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Tue, 15 Oct 2024 15:33:24 +0200 Subject: [PATCH 1/7] sssd 2.10.0 --- harden_sssd-kcm.service.patch | 14 +++++++++----- sssd-2.10.0.tar.gz | 3 +++ sssd-2.10.0.tar.gz.asc | 16 ++++++++++++++++ sssd-2.9.5.tar.gz | 3 --- sssd-2.9.5.tar.gz.asc | 16 ---------------- sssd.changes | 18 ++++++++++++++++++ sssd.spec | 11 ++++++----- 7 files changed, 52 insertions(+), 29 deletions(-) create mode 100644 sssd-2.10.0.tar.gz create mode 100644 sssd-2.10.0.tar.gz.asc delete mode 100644 sssd-2.9.5.tar.gz delete mode 100644 sssd-2.9.5.tar.gz.asc diff --git a/harden_sssd-kcm.service.patch b/harden_sssd-kcm.service.patch index 183e0b0..6526831 100644 --- a/harden_sssd-kcm.service.patch +++ b/harden_sssd-kcm.service.patch @@ -1,7 +1,11 @@ -Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in +--- + src/sysv/systemd/sssd-kcm.service.in | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in =================================================================== ---- sssd-2.5.2.orig/src/sysv/systemd/sssd-kcm.service.in -+++ sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in +--- sssd-2.10.0.orig/src/sysv/systemd/sssd-kcm.service.in ++++ sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in @@ -8,6 +8,19 @@ After=sssd-kcm.socket Also=sssd-kcm.socket @@ -20,5 +24,5 @@ Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in +RestrictRealtime=true +# end of automatic additions Environment=DEBUG_LOGGER=--logger=files - ExecStartPre=-@sbindir@/sssd --genconf-section=kcm - ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER} + ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@ + ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf diff --git a/sssd-2.10.0.tar.gz b/sssd-2.10.0.tar.gz new file mode 100644 index 0000000..38e2605 --- /dev/null +++ b/sssd-2.10.0.tar.gz 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0b1167e8017209ec25b9683e0006947eaa0cfd7a8161bfea120bd8511006db0d +size 9177851 diff --git a/sssd-2.10.0.tar.gz.asc b/sssd-2.10.0.tar.gz.asc new file mode 100644 index 0000000..3783730 --- /dev/null +++ b/sssd-2.10.0.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmcOPUoACgkQ09IbKRDP +Z1myuA//anDvdZcQp0EUia2NsiWt2MFE8esmsEIN6QmEYjUxvEeXI9q4YJQimMi8 +wdt0zqZE1PLrTcroWaeGcgt2+CJWUbVanZtNn3oo7lUVYrLKemrUzavM7dXTaA43 +cdKAFyEO+nHJQ2yBNUt6sRXc3tM0H27yZs0iL+CcYu6YshUTbMnZuwdpz7DqDTN8 +nbG+LWa+U0en5mI3waP8Ionwmdv9AJAuCHQZLlZDpM0+YfGumcIUJdbxU/I8pqP8 +MQaulPv3e+BNwdbUiLlk0cXRjuEfSd0bmMa3MqB4IqMvvjACU0GuSgK3FDhutZJe +HfmzYSo/Zntmr7F/eYLz6zy/GU3VewEilOyRV08oz+EVJRbGyo2t4k6PUYbn+I4V +kJ/maed5jnBzIZGf6o+P1r+3mavJg7k2LDV4s48MsZ4Y5ED4X0c+boT1L5FZbquW +gp99Di0RG4VoWiYOfVfszLzeDWOLbOrKMyA6PTqlmjGYAdV9SBwZP5WEdwXyPovo +D7uual7Eqdd+Y/lt+8O4Wd+Y+a9xI2kwVFo8KYmHc8PhgLpPIKTWbBTEI+0nw3fJ +qqyyA7JWA81bt4WKVuJaeS87S/9F4yn8ps2dzSgHjZ2Tzr7Eu1a3RWLjKYsjKZrT +PPd2d/02rQAZPwLYHN5qM3Xjh0DD7IiXav1QuIPxmUQA9z8ZiuA= +=mJVY +-----END PGP SIGNATURE----- diff --git a/sssd-2.9.5.tar.gz b/sssd-2.9.5.tar.gz deleted file mode 100644 index 09b8ff1..0000000 --- a/sssd-2.9.5.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:bf955cc26b6d215bbb9083eadb613f78d7b727fb023f39987aec37680ae40ae3 -size 8001964 diff --git a/sssd-2.9.5.tar.gz.asc b/sssd-2.9.5.tar.gz.asc deleted file mode 100644 index 05b00fc..0000000 --- a/sssd-2.9.5.tar.gz.asc +++ /dev/null 
@@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmZF8CMACgkQ09IbKRDP -Z1lSVQ/9EPVvWUX1z/pHfbvDjRpfD+LDbDceYB4YBh0caYpMVFm/2wHhFIjTYEpf -SmIR+SQp50NkRSK6tE/u+Swu+YUkiCqnEWv2y9wd4Uh2NKiukyiqBC1k2cn9URNu -oRreBM1KIRvTkdoyZwteELJ7vMLVr0UT2iIXZQFIIZX+LM3FNZJ5vFcj5fF0Hz1f -v8zR0VTB7xY/6U+4KikvMyM3fOPeTOJvEtMp4xDWyquRjCADjZasOQcKRQzXp1er -zs/qLcQ8eCODXhKelGqmppVIElW+72f1FNbMpBnlQ7VtFn6pn4sPazO0Hr7eNfZJ -Vc6GXN8zZ/oF5U4x7XSMVqeOHLQoLeb2HxgUzS+1Ig19FHOs6Xoj0dO5l/TOEFav -l61qytYnj3DNZjrMVLsMvOx3qGYK7PmyaWNoIJlLO2GbWKMP/8yBm35Ugd0jybSi -T7VWX+isQHfVhSZ9wD4/yYOBAU3lABORAjXkCWQp/vMR/KiHbfaajCAbl56KiijQ -eKYaq57EH3N+qKd1sqCrPfSw3HSqm3rngG1CsMasBQgLFs2aW+Mwo3UvQ1U/ykED -mOo2D9uhOQluv4AUSpKK6E8EXoPSxDFZI4WX37depO2VGXDO90JNfVamJXjy1+bH -d/RnoZfC7h7Vb1P1bPgGdsAFQBOP0FinbEjehpw0P0U2xAZQWek= -=pY7t ------END PGP SIGNATURE----- diff --git a/sssd.changes b/sssd.changes index 473f4d7..9e67996 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,3 +1,21 @@ +------------------------------------------------------------------- +Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt + +- Update to release 2.10.0 + * The ``sssctl cache-upgrade`` command was removed. SSSD + performs automatic upgrades at startup when needed. + * Support of ``enumeration`` feature (i.e. ability to list all + users/groups using ``getent passwd/group`` without argument) + for AD/IPA providers is deprecated and might be removed in + further releases. + * The new tool ``sss_ssh_knownhosts`` can be used with ssh's + ``KnownHostsCommand`` configuration option to retrieve the + host's public keys from a remote server (FreeIPA, LDAP, + etc.). It replaces ```sss_ssh_knownhostsproxy``. + * The default value for ``ldap_id_use_start_tls`` changed from + false to true for improved security. + * https://github.com/SSSD/sssd/releases/tag/2.10.0 + ------------------------------------------------------------------- Tue Oct 1 10:15:07 UTC 2024 - Jan Engelhardt 
diff --git a/sssd.spec b/sssd.spec
index 354fd6e..158b0a0 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -17,7 +17,7 @@ Name: sssd
-Version: 2.9.5
+Version: 2.10.0
 Release: 0
 Summary: System Security Services Daemon
 License: GPL-3.0-or-later AND LGPL-3.0-or-later
@@ -60,11 +60,12 @@ BuildRequires: pkgconfig(collection) >= 0.5.1
 BuildRequires: pkgconfig(dbus-1) >= 1.0.0
 BuildRequires: pkgconfig(dhash) >= 0.4.2
 BuildRequires: pkgconfig(glib-2.0)
-BuildRequires: pkgconfig(ini_config) >= 1.1.0
+BuildRequires: pkgconfig(ini_config) >= 1.3
 BuildRequires: pkgconfig(jansson)
 BuildRequires: pkgconfig(ldb) >= 0.9.2
+BuildRequires: pkgconfig(libcap)
 BuildRequires: pkgconfig(libcares)
-BuildRequires: pkgconfig(libcrypto)
+BuildRequires: pkgconfig(libcrypto) >= 1.0.1
 %if 0%{?suse_version} >= 1600
 BuildRequires: pkgconfig(libcurl)
 %endif
@@ -86,6 +87,8 @@ BuildRequires: pkgconfig(talloc)
 BuildRequires: pkgconfig(tdb) >= 1.1.3
 BuildRequires: pkgconfig(tevent)
 BuildRequires: pkgconfig(uuid)
+BuildRequires: python3-wheel
+BuildRequires: python3-setuptools
 %if 0%{?suse_version} && 0%{?suse_version} < 1600
 # samba-client-devel pulls samba-client-libs pulls libldap-2_4-2 wants libldap-data(-2.4);
 # this conflicts with
@@ -414,7 +417,6 @@ autoreconf -fiv
 --with-subid
 %else
 --with-selinux=no \
- --with-semanage=no \
 --with-libsifp \
 --with-files-provider
 %endif
@@ -598,7 +600,6 @@ fi
 %_unitdir/sssd-pac.socket
 %_unitdir/sssd-pac.service
 %_unitdir/sssd-pam.socket
-%_unitdir/sssd-pam-priv.socket
 %_unitdir/sssd-pam.service
 %_unitdir/sssd-ssh.socket
 %_unitdir/sssd-ssh.service
-- 
2.51.1
From c48ef1197804f54ce1aba25ef24b22c0f86177a02e2ec50a5734f0f3d4670168 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt Date: Wed, 16 Oct 2024 17:05:53 +0200 Subject: [PATCH 2/7] sssd 2.10.0 (part 2) --- ...t-path-when-config-object-is-rejecte.patch | 88 ++++++++++++++ sssd.changes | 1 + sssd.spec | 115 +++++++++--------- 3 files changed, 146 insertions(+), 58 deletions(-) create mode 100644 0001-sssd-always-print-path-when-config-object-is-rejecte.patch diff --git a/0001-sssd-always-print-path-when-config-object-is-rejecte.patch b/0001-sssd-always-print-path-when-config-object-is-rejecte.patch new file mode 100644 index 0000000..5ea6697 --- /dev/null +++ b/0001-sssd-always-print-path-when-config-object-is-rejecte.patch 
@@ -0,0 +1,88 @@ +From 338638cd5f374e0699d7b7495a5fa8f25511fa55 Mon Sep 17 00:00:00 2001 +From: Jan Engelhardt +Date: Wed, 16 Oct 2024 09:55:50 +0200 +Subject: [PATCH] sssd: always print path when config object is rejected +References: https://github.com/SSSD/sssd/pull/7649 + +Observed: + +``` +Oct 16 09:44:04 a4 sssd[28717]: [sssd] [sss_ini_read_sssd_conf] (0x0020): Permission check on config file failed. +Oct 16 09:44:04 a4 sssd[28717]: Can't read config: 'File ownership and permissions check failed' +Oct 16 09:44:04 a4 sssd[28717]: Failed to read configuration: 'File ownership and permissions check failed' +``` + +Expected: + +_Well yes, but **which one**_!? +--- + src/monitor/monitor.c | 4 ++-- + src/util/sss_ini.c | 14 ++++++++------ + 2 files changed, 10 insertions(+), 8 deletions(-) + +diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c +index e17b0e416..f67e4446f 100644 +--- a/src/monitor/monitor.c ++++ b/src/monitor/monitor.c +@@ -1931,9 +1931,9 @@ int main(int argc, const char *argv[]) + ret = confdb_read_ini(tmp_ctx, config_file, CONFDB_DEFAULT_CONFIG_DIR, false, + &config); + if (ret != EOK) { +- ERROR("Can't read config: '%s'\n", sss_strerror(ret)); ++ ERROR("Cannot read config %s: '%s'\n", config_file, sss_strerror(ret)); + sss_log(SSS_LOG_ALERT, +- "Failed to read configuration: '%s'", sss_strerror(ret)); ++ "Failed to read configuration %s: '%s'", config_file, sss_strerror(ret)); + ret = 3; + goto out; + } +diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c +index 7f9824d88..2a611eb8c 100644 +--- a/src/util/sss_ini.c ++++ b/src/util/sss_ini.c +@@ -888,7 +888,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self, + ret = sss_ini_open(self, config_file, "[sssd]\n"); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "The sss_ini_open failed %s: %d\n", ++ "sss_ini_open on %s failed: %d\n", + config_file, + ret); + return ERR_INI_OPEN_FAILED; +@@ -898,26 +898,28 @@ int sss_ini_read_sssd_conf(struct sss_ini *self, + ret = 
sss_ini_access_check(self); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, +- "Permission check on config file failed.\n"); ++ "Permission check on config file %s failed: %d\n", ++ config_file, ret); + return ERR_INI_INVALID_PERMISSION; + } + } else { + DEBUG(SSSDBG_CONF_SETTINGS, +- "File %1$s does not exist.\n", +- (config_file ? config_file : "NULL")); ++ "File %s does not exist.\n", config_file); + } + + ret = sss_ini_parse(self); + if (ret != EOK) { + sss_ini_config_print_errors(self->error_list); +- DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration.\n"); ++ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse configuration file %s: %d\n", ++ config_file, ret); + return ERR_INI_PARSE_FAILED; + } + + ret = sss_ini_add_snippets(self, config_dir); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, +- "Error while reading configuration directory.\n"); ++ "Error while reading configuration directory %s: %d\n", ++ config_dir, ret); + return ERR_INI_ADD_SNIPPETS_FAILED; + } + +-- +2.47.0 + diff --git a/sssd.changes b/sssd.changes index 9e67996..97bef57 100644 --- a/sssd.changes +++ b/sssd.changes @@ -15,6 +15,7 @@ Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt * The default value for ``ldap_id_use_start_tls`` changed from false to true for improved security. * https://github.com/SSSD/sssd/releases/tag/2.10.0 +- Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch ------------------------------------------------------------------- Tue Oct 1 10:15:07 UTC 2024 - Jan Engelhardt diff --git a/sssd.spec b/sssd.spec index 158b0a0..867b56e 100644 --- a/sssd.spec +++ b/sssd.spec @@ -32,6 +32,7 @@ Patch1: krb-noversion.diff Patch2: harden_sssd-ifp.service.patch Patch3: harden_sssd-kcm.service.patch Patch4: symvers.patch +Patch5: 0001-sssd-always-print-path-when-config-object-is-rejecte.patch BuildRequires: autoconf >= 2.59 BuildRequires: automake BuildRequires: bind-utils 
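Review bot: The new line `DEBUG(SSSDBG_CONF_SETTINGS, "File %s does not exist.\n", config_file);` drops the `(config_file ? config_file : "NULL")` guard that the removed line carried, so a NULL config_file would now reach a `%s` conversion, which is undefined behaviour in C even though glibc happens to print "(null)". Whether config_file can actually be NULL on that branch is not visible here — sss_ini_read_sssd_conf starts before the hunk — but the old guard suggests the original author believed it could, and keeping `config_file ? config_file : "NULL"` as the argument costs nothing. The same consideration applies to the other new `%s` uses of config_file and config_dir in this patch and to the `ERROR`/`sss_log` lines in monitor.c. Patch 3/7 replaces this file with the accepted upstream version, which appears to keep the identical sss_ini.c hunk, so the point survives that update.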
@@ -53,7 +54,10 @@ BuildRequires: nss_wrapper BuildRequires: openldap2-devel BuildRequires: pam-devel BuildRequires: pkg-config >= 0.21 +BuildRequires: python3-wheel +BuildRequires: python3-setuptools BuildRequires: systemd-rpm-macros +BuildRequires: sysuser-tools BuildRequires: uid_wrapper BuildRequires: pkgconfig(augeas) >= 1.0.0 BuildRequires: pkgconfig(collection) >= 0.5.1 @@ -87,8 +91,6 @@ BuildRequires: pkgconfig(talloc) BuildRequires: pkgconfig(tdb) >= 1.1.3 BuildRequires: pkgconfig(tevent) BuildRequires: pkgconfig(uuid) -BuildRequires: python3-wheel -BuildRequires: python3-setuptools %if 0%{?suse_version} && 0%{?suse_version} < 1600 # samba-client-devel pulls samba-client-libs pulls libldap-2_4-2 wants libldap-data(-2.4); # this conflicts with @@ -96,6 +98,7 @@ BuildRequires: python3-setuptools # Package contains just config files, not needed for build. #!BuildIgnore: libldap-data %endif +%sysusers_requires %{?systemd_ordering} Requires: sssd-ldap = %version-%release Requires(postun): pam-config @@ -125,11 +128,11 @@ Requires(post): update-alternatives Requires(postun): update-alternatives %description -Provides a set of daemons to manage access to remote directories and -authentication mechanisms. It provides an NSS and PAM interface toward -the system and a pluggable backend system to connect to multiple different -account sources. It is also the basis to provide client auditing and policy -services for projects like FreeIPA. +A set of daemons to manage access to remote directories and +authentication mechanisms. sssd provides an NSS and PAM interfaces +toward the system and a pluggable backend system to connect to +multiple different account sources. It is also the basis to provide +client auditing and policy services for projects like FreeIPA. %package ad Summary: The ActiveDirectory backend plugin for sssd 
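Review bot: The rewritten `%description` reads `sssd provides an NSS and PAM interfaces`, which pairs a singular article with a plural noun; `sssd provides NSS and PAM interfaces` reads correctly. The rest of the paragraph is fine as rewritten, so this is the only line in the -125 hunk that needs touching.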
@@ -139,9 +142,8 @@ Requires: %name-krb5-common = %version-%release Requires: adcli %description ad -Provides the Active Directory back end that the SSSD can utilize to -fetch identity data from and authenticate against an Active Directory -server. +A back-end provider that the SSSD can utilize to fetch identity data +from, and authenticate with, an Active Directory server. %package dbus Summary: The D-Bus responder of sssd @@ -150,7 +152,7 @@ Group: System/Base Requires: %name = %version %description dbus -Provides the D-Bus responder of sssd, called InfoPipe, which allows +D-Bus responder of sssd, called InfoPipe, which allows information from sssd to be transmitted over the system bus. %package ipa @@ -164,8 +166,8 @@ Obsoletes: %name-ipa-provider < %version-%release Provides: %name-ipa-provider = %version-%release %description ipa -Provides the IPA back end that the SSSD can utilize to fetch identity -data from and authenticate against an IPA server. +A back-end provider that the SSSD can utilize to fetch identity data +from, and authenticate with, an IPA server. %package kcm Summary: SSSD's Kerberos cache manager @@ -184,8 +186,8 @@ Group: System/Daemons Requires: %name-krb5-common = %version-%release %description krb5 -Provides the Kerberos back end that the SSSD can utilize authenticate -against a Kerberos server. +A back-end provider that the SSSD can utilize to authenticate against +a Kerberos server. %package krb5-common Summary: SSSD helpers needed for Kerberos and GSSAPI authentication @@ -204,8 +206,8 @@ Group: System/Daemons Requires: %name-krb5-common = %version-%release %description ldap -Provides the LDAP back end that the SSSD can utilize to fetch -identity data from and authenticate against an LDAP server. +A back-end provider that the SSSD can utilize to fetch identity data +from, and authenticate with, an LDAP server. %package proxy Summary: The proxy backend plugin for sssd 
@@ -213,8 +215,8 @@ License: GPL-3.0-or-later Group: System/Daemons %description proxy -Provides the proxy back end which can be used to wrap an existing NSS -and/or PAM modules to leverage SSSD caching. +A back-end provider which can be used to wrap existing NSS and/or PAM +modules to leverage SSSD caching. (This can replace nscd.) %package tools Summary: Commandline tools for sssd @@ -224,7 +226,7 @@ Requires: python3-sssd-config = %version-%release Requires: sssd = %version %description tools -The packages contains commandline tools for managing users and groups using +The packages contains command-line tools for managing users and groups using the "local" id provider of the System Security Services Daemon (sssd). %package winbind-idmap @@ -241,7 +243,7 @@ License: LGPL-3.0-or-later Group: System/Libraries %description -n libsss_certmap0 -A utility library for FreeIPA to map certs. +A utility library for FreeIPA to map certificates. %package -n libsss_certmap-devel Summary: Development files for the FreeIPA certmap library @@ -250,7 +252,7 @@ Group: Development/Libraries/C and C++ Requires: libsss_certmap0 = %version %description -n libsss_certmap-devel -A utility library for FreeIPA to map certs. +A utility library for FreeIPA to map certificates. %package -n libipa_hbac0 Summary: FreeIPA HBAC Evaluator library @@ -314,7 +316,6 @@ Requires: libsss_nss_idmap0 = %version %description -n libsss_nss_idmap-devel A utility library for FreeIPA to map Windows SIDs to Unix user/group IDs. -%if 0%{?suse_version} < 1600 %package -n libsss_simpleifp0 Summary: The SSSD D-Bus responder helper library License: GPL-3.0-or-later @@ -337,7 +338,6 @@ Requires: libsss_simpleifp0 = %version This subpackage provides the development files for sssd's simpleifp, a library that simplifies the D-Bus API for the SSSD InfoPipe responder. -%endif %package -n libsss_sudo Summary: A library to allow communication between sudo and SSSD 
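Review bot: Removing the `%if 0%{?suse_version} < 1600` / `%endif` pair around the libsss_simpleifp0 and libsss_simpleifp-devel subpackages (hunks at -314 and -337) makes their declarations unconditional, yet the configure block shown in patch 1/7 passes `--with-libsifp` only inside an `%else` branch whose condition is outside that hunk, and the scriptlet hunk later in this commit drops the same guard from `%ldconfig_scriptlets -n libsss_simpleifp0`. If the matching `%files` sections (outside this hunk) are still conditional, some releases will carry two subpackage declarations with no files; if they are unconditional, the build should fail on the missing library, so it is worth confirming the library is built on every release the subpackages now target. Separately, the tools description in the -224 hunk keeps `The packages contains`, which should read `This package contains`.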
@@ -423,7 +423,7 @@ autoreconf -fiv
 %make_build all
 %install
-# sss_obfuscate is compatible with both python 2 and 3
+# sss_obfuscate is compatible with both Python 2 and 3
 perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate
 %make_install dbuspolicydir=%_datadir/dbus-1/system.d b="%buildroot"
@@ -457,21 +457,26 @@ find "$b" -type f -name "*.la" -print -delete
 %find_lang %name --all-name
 # dummy target for cifs-idmap-plugin
-mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils
-ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin
+mkdir -pv "$b/%_sysconfdir/alternatives" "$b/%_sysconfdir/cifs-utils"
+ln -sfv "%_sysconfdir/alternatives/%cifs_idmap_name" "$b/%cifs_idmap_plugin"
 %python3_fix_shebang
 %if 0%{?suse_version} > 1600
 %python3_fix_shebang_path %buildroot/%_libexecdir/%name/
 %elif 0%{?suse_version} == 1600
 # python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204
-sed -i '1s@#!.*python.*@#!%{_bindir}/python3.11@' %{buildroot}/%{_libexecdir}/%{name}/sss_analyze
+sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analyze"
 %endif
+echo 'u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin' >system-user-sssd.conf
+mkdir -p "$b/%_sysusersdir"
+cp -a system-user-sssd.conf "$b/%_sysusersdir/"
+%sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf
+
 %check
 # sss_config-tests fails
 %make_build check || :
-%pre
+%pre -f random.pre
 %service_add_pre sssd.service
 %if "%{?_distconfdir}" != ""
 # Prepare for migration to /usr/etc; save any old .rpmsave
@@ -496,7 +501,7 @@ update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_li
 %postun
 /sbin/ldconfig
-if [ "$1" = "0" -a -x "%_sbindir/pam-config" ]; then
+if [ "$1" = "0" ] && [ -x "%_sbindir/pam-config" ]; then
 "%_sbindir/pam-config" -d --sss || :
 fi
 # del_postun includes a try-restart
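Review bot: `%sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf` names the generated scriptlet `random`, which `%pre -f random.pre` then has to match by hand; naming it after the package, `%sysusers_generate_pre system-user-sssd.conf sssd system-user-sssd.conf` with `%pre -f sssd.pre`, makes the pairing self-explanatory. The sysusers entry is also produced by an `echo` inside %install rather than shipped as a `Source:` file; a checked-in `system-user-sssd.conf` is the more reviewable form and keeps the nested quoting out of the %install shell. The `/run/sssd` home and `/sbin/nologin` shell match the `useradd` line upstream's contrib spec uses, as visible in patch 5/7, so the account definition itself looks right.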
@@ -506,18 +511,11 @@ if [ ! -f "%cifs_idmap_lib" ]; then
 update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib
 fi
-%post -n libsss_certmap0 -p /sbin/ldconfig
-%postun -n libsss_certmap0 -p /sbin/ldconfig
-%post -n libipa_hbac0 -p /sbin/ldconfig
-%postun -n libipa_hbac0 -p /sbin/ldconfig
-%post -n libsss_idmap0 -p /sbin/ldconfig
-%postun -n libsss_idmap0 -p /sbin/ldconfig
-%post -n libsss_nss_idmap0 -p /sbin/ldconfig
-%postun -n libsss_nss_idmap0 -p /sbin/ldconfig
-%if 0%{?suse_version} < 1600
-%post -n libsss_simpleifp0 -p /sbin/ldconfig
-%postun -n libsss_simpleifp0 -p /sbin/ldconfig
-%endif
+%ldconfig_scriptlets -n libsss_certmap0
+%ldconfig_scriptlets -n libipa_hbac0
+%ldconfig_scriptlets -n libsss_idmap0
+%ldconfig_scriptlets -n libsss_nss_idmap0
+%ldconfig_scriptlets -n libsss_simpleifp0
 %triggerun -- %name < %version-%release
 # sssd takes care of upgrading the database but it doesn't handle downgrades.
@@ -556,13 +554,13 @@ fi
 # Migrate sssd.service from sssd-common to sssd
 systemctl is-enabled sssd.service > /dev/null
 if [ $? -eq 0 ]; then
-mkdir -p /run/systemd/rpm/
-touch /run/systemd/rpm/sssd-was-enabled
+ mkdir -p /run/systemd/rpm/
+ touch /run/systemd/rpm/sssd-was-enabled
 fi
 systemctl is-active sssd.service > /dev/null
 if [ $? -eq 0 ]; then
-mkdir -p /run/systemd/rpm/
-touch /run/systemd/rpm/sssd-was-active
+ mkdir -p /run/systemd/rpm/
+ touch /run/systemd/rpm/sssd-was-active
 fi
 %posttrans
@@ -574,20 +572,20 @@ done
 %endif
 # Migrate sssd.service from sssd-common to sssd
 if [ -e /run/systemd/rpm/sssd-was-enabled ]; then
-systemctl is-enabled sssd.service > /dev/null
-if [ $? -ne 0 ]; then
- echo "Migrating sssd.service, was enabled"
- systemctl enable sssd.service
-fi
-rm /run/systemd/rpm/sssd-was-enabled
+ systemctl is-enabled sssd.service >/dev/null
+ if [ $? -ne 0 ]; then
+ echo "Migrating sssd.service, was enabled"
+ systemctl enable sssd.service
+ fi
+ rm /run/systemd/rpm/sssd-was-enabled
 fi
 if [ -e /run/systemd/rpm/sssd-was-active ]; then
-systemctl is-active sssd.service > /dev/null
-if [ $? -ne 0 ]; then
- echo "Migrating sssd.service, was active"
- systemctl start sssd.service
-fi
-rm /run/systemd/rpm/sssd-was-active
+ systemctl is-active sssd.service >/dev/null
+ if [ $? -ne 0 ]; then
+ echo "Migrating sssd.service, was active"
+ systemctl start sssd.service
+ fi
+ rm /run/systemd/rpm/sssd-was-active
 fi
 %files -f sssd.lang
@@ -605,6 +603,7 @@ fi
 %_unitdir/sssd-ssh.service
 %_unitdir/sssd-sudo.socket
 %_unitdir/sssd-sudo.service
+%_sysusersdir/*sssd*
 %_bindir/sss_ssh_*
 %_sbindir/sssd
 %if 0%{?suse_version} < 1600
-- 
2.51.1
From 34e8574098caa0fb5cc6d7354255201fba83ffb5350cda85d2f429f4778ddb3a Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Tue, 5 Nov 2024 18:52:51 +0100
Subject: [PATCH 3/7] Update 0001-sssd-always-print-path-when-config-object-is-rejecte.patch with accepted commit
---
 ...t-path-when-config-object-is-rejecte.patch | 29 +++++--------------
 1 file changed, 8 insertions(+), 21 deletions(-)
diff --git a/0001-sssd-always-print-path-when-config-object-is-rejecte.patch b/0001-sssd-always-print-path-when-config-object-is-rejecte.patch
index 5ea6697..d24c30a 100644
--- a/0001-sssd-always-print-path-when-config-object-is-rejecte.patch
+++ b/0001-sssd-always-print-path-when-config-object-is-rejecte.patch
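Review bot: `%_sysusersdir/*sssd*` in the `%files` hunk globs for a file whose name the spec fixes itself in %install; listing `%_sysusersdir/system-user-sssd.conf` explicitly keeps an unexpected extra file from being packaged silently. In the `%posttrans` hunk the re-indented `systemctl is-enabled sssd.service >/dev/null` followed by `if [ $? -ne 0 ]; then` can be written as `if ! systemctl is-enabled sssd.service >/dev/null; then`, and likewise for `is-active`; the `%triggerun` hunk in the previous part of this commit keeps the same `$?` form. Both are style points and behaviour is unchanged either way.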
@@ -1,4 +1,4 @@ -From 338638cd5f374e0699d7b7495a5fa8f25511fa55 Mon Sep 17 00:00:00 2001 +From 1a743a4123c104a10c694f7ee9d2f0a1e7182513 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Wed, 16 Oct 2024 09:55:50 +0200 Subject: [PATCH] sssd: always print path when config object is rejected @@ -15,27 +15,14 @@ Oct 16 09:44:04 a4 sssd[28717]: Failed to read configuration: 'File ownership an Expected: _Well yes, but **which one**_!? ---- - src/monitor/monitor.c | 4 ++-- - src/util/sss_ini.c | 14 ++++++++------ - 2 files changed, 10 insertions(+), 8 deletions(-) -diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c -index e17b0e416..f67e4446f 100644 ---- a/src/monitor/monitor.c -+++ b/src/monitor/monitor.c -@@ -1931,9 +1931,9 @@ int main(int argc, const char *argv[]) - ret = confdb_read_ini(tmp_ctx, config_file, CONFDB_DEFAULT_CONFIG_DIR, false, - &config); - if (ret != EOK) { -- ERROR("Can't read config: '%s'\n", sss_strerror(ret)); -+ ERROR("Cannot read config %s: '%s'\n", config_file, sss_strerror(ret)); - sss_log(SSS_LOG_ALERT, -- "Failed to read configuration: '%s'", sss_strerror(ret)); -+ "Failed to read configuration %s: '%s'", config_file, sss_strerror(ret)); - ret = 3; - goto out; - } +Reviewed-by: Alexey Tikhonov +Reviewed-by: Justin Stephenson +(cherry picked from commit 2b7915dd84a6b8c3ee26e45357283677fe22f2cb) +--- + src/util/sss_ini.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c index 7f9824d88..2a611eb8c 100644 --- a/src/util/sss_ini.c -- 2.51.1 From 59da6568f5a58bbce00bbb151c4e8ac27fe117539cbfb67fa5537e870395ccfe Mon Sep 17 00:00:00 2001 From: Samuel Cabrero Date: Fri, 30 Aug 2024 11:37:19 +0200 Subject: [PATCH 4/7] Fix socket activation for responders --- sssd.changes | 1 + sssd.spec | 8 ++++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/sssd.changes b/sssd.changes index 97bef57..5cf3900 100644 --- a/sssd.changes +++ b/sssd.changes 
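Review bot: Replacing the local version with the accepted upstream commit drops the monitor.c part, so `ERROR("Can't read config: '%s'\n", …)` and `sss_log(SSS_LOG_ALERT, "Failed to read configuration: '%s'", …)` — the two messages quoted as "Observed" in the patch's own description — still do not name the file; only the DEBUG line in sss_ini.c now does. If upstream addressed monitor.c separately this is fine, otherwise the monitor.c hunk is worth carrying as its own small downstream patch so the user-facing message keeps the path. The sssd.changes entry added in patch 2/7 is not updated to reflect the narrower scope.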
@@ -16,6 +16,7 @@ Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt
 false to true for improved security.
 * https://github.com/SSSD/sssd/releases/tag/2.10.0
 - Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch
+- Fix socket activation of responders
 -------------------------------------------------------------------
 Tue Oct 1 10:15:07 UTC 2024 - Jan Engelhardt
diff --git a/sssd.spec b/sssd.spec
index 867b56e..8319ec9 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -477,7 +477,7 @@ cp -a system-user-sssd.conf "$b/%_sysusersdir/"
 %make_build check || :
 %pre -f random.pre
-%service_add_pre sssd.service
+%service_add_pre sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
 %if "%{?_distconfdir}" != ""
 # Prepare for migration to /usr/etc; save any old .rpmsave
 for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do
@@ -491,13 +491,13 @@ done
 if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then
 /bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' "%_sysconfdir/sssd/sssd.conf"
 fi
-%service_add_post sssd.service
+%service_add_post sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
 # install SSSD cifs-idmap plugin as an alternative
 update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority
 %preun
-%service_del_preun sssd.service
+%service_del_preun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
 %postun
 /sbin/ldconfig
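Review bot: The same thirteen-unit list is pasted verbatim into `%service_add_pre` (this hunk), `%service_add_post`, `%service_del_preun` and, in the next hunk, `%service_del_postun`, so a unit added or removed later has to be edited in four places and the copies can drift apart. Defining it once near the top of the spec, `%global sssd_units sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket`, and writing `%service_add_pre %sssd_units` keeps them in step. The list covers the responders shipped by the main package; whether sssd-kcm, which has its own subpackage with scriptlets outside this view, needs the same treatment is not visible here.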
@@ -505,7 +505,7 @@ if [ "$1" = "0" ] && [ -x "%_sbindir/pam-config" ]; then
 "%_sbindir/pam-config" -d --sss || :
 fi
 # del_postun includes a try-restart
-%service_del_postun sssd.service
+%service_del_postun sssd.service sssd-autofs.service sssd-autofs.socket sssd-nss.service sssd-nss.socket sssd-pac.service sssd-pac.socket sssd-pam.service sssd-pam.socket sssd-ssh.service sssd-ssh.socket sssd-sudo.service sssd-sudo.socket
 if [ ! -f "%cifs_idmap_lib" ]; then
 update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib
-- 
2.51.1
From 0d72b3229f26d5945552ba553565bb9c966c0d63b0ff696c4c3e5e931f285a14 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Tue, 5 Nov 2024 19:07:28 +0100
Subject: [PATCH 5/7] Add 0001-Configuration-make-sure-etc-sssd-and-everything.patch
0001-Configuration-make-sure-etc-sssd-and-everything.patch is added ahead of the stack because it is an upstream-accepted patch. harden_sssd-kcm.service.patch then needs a refresh for reasons of fuzz 2.
---
 ...on-make-sure-etc-sssd-and-everything.patch | 76 +++++++++++++++++++
 harden_sssd-kcm.service.patch | 4 +-
 sssd.changes | 3 +-
 sssd.spec | 9 ++-
 4 files changed, 85 insertions(+), 7 deletions(-)
 create mode 100644 0001-Configuration-make-sure-etc-sssd-and-everything.patch
diff --git a/0001-Configuration-make-sure-etc-sssd-and-everything.patch b/0001-Configuration-make-sure-etc-sssd-and-everything.patch
new file mode 100644
index 0000000..8cf0fe0
--- /dev/null
+++ b/0001-Configuration-make-sure-etc-sssd-and-everything.patch
@@ -0,0 +1,76 @@ +From 8db2df4fcbd09badafbc207bd4150b5f1cc2d5fb Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Thu, 24 Oct 2024 15:34:26 +0200 +Subject: [PATCH] Configuration: make sure /etc/sssd and everything +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +beneath is owned by 'sssd' group and readable by group. + +This should allow for reasonable rw-r----- root:sssd + +At some points those chown/chmod can be removed. + +Reviewed-by: Justin Stephenson +Reviewed-by: Pavel Březina +Reviewed-by: Sumit Bose +(cherry picked from commit 518db322fdd5a4de41813fbe5bc35fc20392ce67) +--- + contrib/sssd.spec.in | 4 ++-- + src/sysv/systemd/sssd-kcm.service.in | 5 ++--- + src/sysv/systemd/sssd.service.in | 6 ++---- + 3 files changed, 6 insertions(+), 9 deletions(-) + +diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in +index 4fbacb959..83de563f3 100644 +--- a/contrib/sssd.spec.in ++++ b/contrib/sssd.spec.in +@@ -1136,9 +1136,9 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d /run/sssd -s /sbin/nologi + %__rm -f %{mcpath}/group + %__rm -f %{mcpath}/initgroups + %__rm -f %{mcpath}/sid ++%__chown -f -R root:%{sssd_user} %{_sysconfdir}/sssd || true ++%__chmod -f -R g+r %{_sysconfdir}/sssd || true + %__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true +-%__chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true +-%__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true + %__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true + %__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true + %__chown -f %{sssd_user}:%{sssd_user} %{gpocachepath}/* || true +diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in +index 0c839ec5c..ba9e27cd9 100644 +--- a/src/sysv/systemd/sssd-kcm.service.in ++++ b/src/sysv/systemd/sssd-kcm.service.in +@@ -9,9 +9,8 @@ Also=sssd-kcm.socket + + [Service] + Environment=DEBUG_LOGGER=--logger=files 
+-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@ +-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf +-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d ++ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@ ++ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@ + ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb" + ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log + ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER} +diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in +index 37e0a63f8..a6f79ff8a 100644 +--- a/src/sysv/systemd/sssd.service.in ++++ b/src/sysv/systemd/sssd.service.in +@@ -10,10 +10,8 @@ StartLimitBurst=5 + [Service] + Environment=DEBUG_LOGGER=--logger=files + EnvironmentFile=-@environment_file@ +-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@ +-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf +-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d +-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/pki ++ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@ ++ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@ + ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @dbpath@/*.ldb" + ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @gpocachepath@/*" + ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/*.log" +-- +2.47.0 + diff --git a/harden_sssd-kcm.service.patch b/harden_sssd-kcm.service.patch index 6526831..5ff85b4 100644 --- a/harden_sssd-kcm.service.patch +++ b/harden_sssd-kcm.service.patch 
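Review bot: `ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@` grants read but not search permission on directories, so a subdirectory such as conf.d that an administrator created as 0700 ends up 0740 root:@SSSD_USER@ and the daemon, running as that user, can list it but still cannot open the files inside; `g+rX` would add the execute bit on directories only and is the usual idiom for this. The same line appears in both sssd-kcm.service.in and sssd.service.in in this patch. It is an upstream cherry-pick (commit 518db322fdd5a4de41813fbe5bc35fc20392ce67 per its own header), so the fix belongs upstream, but the downstream harden_sssd-kcm.service.patch refreshed in the next hunk sits on exactly these lines and is where a packager would notice it. Whether the packaged directory modes already carry the group execute bit is not visible here.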
@@ -24,5 +24,5 @@ Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
 +RestrictRealtime=true
 +# end of automatic additions
 Environment=DEBUG_LOGGER=--logger=files
- ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
- ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
+ ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
+ ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
diff --git a/sssd.changes b/sssd.changes
index 5cf3900..a5b1f81 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -15,7 +15,8 @@ Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt
 * The default value for ``ldap_id_use_start_tls`` changed from
 false to true for improved security.
 * https://github.com/SSSD/sssd/releases/tag/2.10.0
-- Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch
+- Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch,
+ 0001-Configuration-make-sure-etc-sssd-and-everything.patch
 - Fix socket activation of responders
 
 -------------------------------------------------------------------
diff --git a/sssd.spec b/sssd.spec
index 8319ec9..3ff1f09 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -28,11 +28,12 @@ Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%v
 Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc
 Source3: baselibs.conf
 Source5: %name.keyring
-Patch1: krb-noversion.diff
-Patch2: harden_sssd-ifp.service.patch
-Patch3: harden_sssd-kcm.service.patch
-Patch4: symvers.patch
 Patch5: 0001-sssd-always-print-path-when-config-object-is-rejecte.patch
+Patch6: 0001-Configuration-make-sure-etc-sssd-and-everything.patch
+Patch11: krb-noversion.diff
+Patch12: harden_sssd-ifp.service.patch
+Patch13: harden_sssd-kcm.service.patch
+Patch14: symvers.patch
 BuildRequires: autoconf >= 2.59
 BuildRequires: automake
 BuildRequires: bind-utils
-- 
2.51.1

From 3024aae2eb7d777c034062823366421fc6510b988160179f672803b25e4692ba Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Tue, 5 Nov 2024 20:41:43 +0100
Subject: [PATCH 6/7] Add patches to kill extraneous INI permission checks

---
 0001-INI-relax-config-files-checks.patch | 135 +++++++++++++
 ...using-libini_config-for-access-check.patch | 182 ++++++++++++++++++
 sssd.changes | 2 +
 sssd.spec | 4 +-
 4 files changed, 322 insertions(+), 1 deletion(-)
 create mode 100644 0001-INI-relax-config-files-checks.patch
 create mode 100644 0001-INI-stop-using-libini_config-for-access-check.patch

diff --git a/0001-INI-relax-config-files-checks.patch b/0001-INI-relax-config-files-checks.patch
new file mode 100644
index 0000000..69ac630
--- /dev/null
+++ b/0001-INI-relax-config-files-checks.patch
@@ -0,0 +1,135 @@
+From 340671f16abb9c26ae97b11c4e2845337e67973e Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Wed, 23 Oct 2024 20:59:32 +0200
+Subject: [PATCH] INI: relax config files checks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Only make sure:
+ - user is root or sssd
+ - group is root or sssd
+ - other can't access it
+
+Don't make any assumptions wrt user/group read/write-ability.
+
+Reviewed-by: Justin Stephenson
+Reviewed-by: Pavel Březina
+Reviewed-by: Sumit Bose
+(cherry picked from commit 8472777ec472607ea450ddb4c4666017bd0de704)
+---
+ src/man/sssd.conf.5.xml | 5 ++-
+ src/util/sss_ini.c | 68 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 70 insertions(+), 3 deletions(-)
+
+diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
+index a074cc674..bf10acb2a 100644
+--- a/src/man/sssd.conf.5.xml
++++ b/src/man/sssd.conf.5.xml
+@@ -57,9 +57,8 @@
+ readable, and writeable only by 'root'.
+
+
+- sssd.conf must be a regular file that is owned,
+- readable, and writeable by the same user as configured to run SSSD
+- service.
++ sssd.conf must be a regular file that is
++ accessible only by the user used to run SSSD service or root.
+
+
+
+diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
+index e989d8caf..74cf61e0e 100644
+--- a/src/util/sss_ini.c
++++ b/src/util/sss_ini.c
+@@ -26,6 +26,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+
+ #include "config.h"
+@@ -781,6 +782,71 @@ int sss_ini_open(struct sss_ini *self,
+ return ret;
+ }
+
++static int access_check_file(const char *filename)
++{
++ int ret;
++ struct stat st;
++ uid_t uid;
++ gid_t gid;
++
++ sss_sssd_user_uid_and_gid(&uid, &gid);
++
++ ret = stat(filename, &st);
++ if (ret != 0) {
++ ret = errno;
++ DEBUG(SSSDBG_CRIT_FAILURE, "stat(%s) failed: %s\n",
++ filename, strerror(ret));
++ return EINVAL;
++ }
++
++ if ((st.st_uid != 0) && (st.st_uid != uid)) {
++ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected user owner of '%s': %"SPRIuid"\n",
++ filename, st.st_uid);
++ return ERR_INI_INVALID_PERMISSION;
++ }
++
++ if ((st.st_gid != 0) && (st.st_gid != gid)) {
++ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected group owner of '%s': %"SPRIgid"\n",
++ filename, st.st_gid);
++ return ERR_INI_INVALID_PERMISSION;
++ }
++
++ if ((st.st_mode & (S_IROTH|S_IWOTH|S_IXOTH)) != 0) {
++ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected access to '%s' by other users\n",
++ filename);
++ return ERR_INI_INVALID_PERMISSION;
++ }
++
++ return EOK;
++}
++
++static int access_check_ini(struct sss_ini *self)
++{
++ int ret;
++ const char *path;
++ uint32_t i;
++ const char **snippet;
++ struct ref_array *used_snippets;
++
++ if (self->main_config_exists) {
++ path = ini_config_get_filename(self->file);
++ ret = access_check_file(path);
++ if (ret != EOK) {
++ return ret;
++ }
++ }
++
++ used_snippets = sss_ini_get_ra_success_list(self);
++ for (i = 0; (snippet = ref_array_get(used_snippets, i, NULL)) != NULL; ++i) {
++ ret = access_check_file(*snippet);
++ if (ret != EOK) {
++ return ret;
++ }
++ }
++
++ return EOK;
++}
++
+ int sss_ini_read_sssd_conf(struct sss_ini *self,
+ const char *config_file,
+ const char *config_dir)
+@@ -833,5 +899,7 @@ int sss_ini_read_sssd_conf(struct sss_ini *self,
+ return ERR_INI_EMPTY_CONFIG;
+ }
+
++ ret = access_check_ini(self);
++
+ return ret;
+ }
+-- 
+2.47.0
+
diff --git a/0001-INI-stop-using-libini_config-for-access-check.patch b/0001-INI-stop-using-libini_config-for-access-check.patch
new file mode 100644
index 0000000..abe0cb0
--- /dev/null
+++ b/0001-INI-stop-using-libini_config-for-access-check.patch
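Review bot: `access_check_file()` in the sss_ini.c hunk never tests `S_ISREG(st.st_mode)`, although the man-page hunk in the same patch still promises that sssd.conf "must be a regular file", and because `stat()` follows symlinks an entry in `conf.d` is judged by its target's owner and mode rather than its own; a guard such as `if (!S_ISREG(st.st_mode)) { DEBUG(SSSDBG_CRIT_FAILURE, "'%s' is not a regular file\n", filename); return ERR_INI_INVALID_PERMISSION; }` (with `lstat()` if links should be refused outright) would restore that contract. The check is also invoked from the tail of `sss_ini_read_sssd_conf()` after the main file and snippets have already been parsed, so a rejected configuration has been read into memory and the inode examined is whatever the path resolves to at that moment rather than the one that was read; if libini exposes the open descriptor, `fstat()` on it, or running `access_check_ini()` before the parse, closes that window. A `stat()` failure is reported as `EINVAL` while every other rejection is `ERR_INI_INVALID_PERMISSION`, which callers branching on the latter will not recognise as a permission problem. The body of `sss_ini_read_sssd_conf()` starts outside this hunk.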
@@ -0,0 +1,182 @@
+From 1d19b8ad9415e0a12ed3aaf039d4d0956ef4dbad Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Wed, 23 Oct 2024 19:53:09 +0200
+Subject: [PATCH] INI: stop using 'libini_config' for access check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Justin Stephenson
+Reviewed-by: Pavel Březina
+Reviewed-by: Sumit Bose
+---
+ src/util/sss_ini.c | 100 +---------------------------------------------------
+ src/util/sss_ini.h | 12 ------
+ 2 files changed, 3 insertions(+), 109 deletions(-)
+
+Index: sssd-2.10.0/src/util/sss_ini.c
+===================================================================
+--- sssd-2.10.0.orig/src/util/sss_ini.c
++++ sssd-2.10.0/src/util/sss_ini.c
+@@ -147,81 +147,6 @@ static int sss_ini_config_file_from_mem(
+ &self->file);
+ }
+
+-/* Check configuration file permissions */
+-
+-static bool is_running_sssd(void)
+-{
+- static char exe[1024];
+- int ret;
+- const char *s = NULL;
+-
+- ret = readlink("/proc/self/exe", exe, sizeof(exe) - 1);
+- if ((ret > 0) && (ret < 1024)) {
+- exe[ret] = 0;
+- s = strstr(exe, debug_prg_name);
+- if ((s != NULL) && (strlen(s) == strlen(debug_prg_name))) {
+- return true;
+- }
+- }
+-
+- return false;
+-}
+-
+-static int sss_ini_access_check(struct sss_ini *self)
+-{
+- int ret;
+- uint32_t flags = INI_ACCESS_CHECK_MODE;
+-
+- if (!self->main_config_exists) {
+- return EOK;
+- }
+-
+- if (is_running_sssd()) {
+- flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID;
+- }
+-
+- ret = ini_config_access_check(self->file,
+- flags,
+- geteuid(),
+- getegid(),
+- S_IRUSR, /* r**------ */
+- ALLPERMS & ~(S_IWUSR|S_IXUSR));
+-
+- return ret;
+-}
+-
+-
+-
+-/* Get cstat */
+-
+-int sss_ini_get_stat(struct sss_ini *self)
+-{
+- self->cstat = ini_config_get_stat(self->file);
+-
+- if (!self->cstat) return EIO;
+-
+- return EOK;
+-}
+-
+-
+-
+-/* Get mtime */
+-
+-int sss_ini_get_mtime(struct sss_ini *self,
+- size_t timestr_len,
+- char *timestr)
+-{
+- return snprintf(timestr, timestr_len, "%llu",
+- (long long unsigned)self->cstat->st_mtime);
+-}
+-
+-/* Get file_exists */
+-
+-bool sss_ini_exists(struct sss_ini *self)
+-{
+- return self->main_config_exists;
+-}
+-
+ /* Print ini_config errors */
+
+ static void sss_ini_config_print_errors(char **error_list)
+@@ -289,7 +214,6 @@ static int sss_ini_add_snippets(struct s
+ uint32_t i = 0;
+ char *msg = NULL;
+ struct ini_cfgobj *modified_sssd_config = NULL;
+- struct access_check snip_check;
+
+ if (self == NULL || self->sssd_config == NULL || config_dir == NULL) {
+ return EINVAL;
+@@ -297,21 +221,11 @@ static int sss_ini_add_snippets(struct s
+
+ sss_ini_free_ra_messages(self);
+
+- snip_check.flags = INI_ACCESS_CHECK_MODE;
+-
+- if (is_running_sssd()) {
+- snip_check.flags |= INI_ACCESS_CHECK_UID | INI_ACCESS_CHECK_GID;
+- }
+- snip_check.uid = geteuid();
+- snip_check.gid = getegid();
+- snip_check.mode = S_IRUSR; /* r**------ */
+- snip_check.mask = ALLPERMS & ~(S_IWUSR | S_IXUSR);
+-
+ ret = ini_config_augment(self->sssd_config,
+ config_dir,
+ patterns,
+ sections,
+- &snip_check,
++ NULL,
+ INI_STOP_ON_ANY,
+ INI_MV1S_OVERWRITE,
+ INI_PARSE_NOWRAP,
+@@ -894,15 +808,7 @@ int sss_ini_read_sssd_conf(struct sss_in
+ return ERR_INI_OPEN_FAILED;
+ }
+
+- if (sss_ini_exists(self)) {
+- ret = sss_ini_access_check(self);
+- if (ret != EOK) {
+- DEBUG(SSSDBG_CRIT_FAILURE,
+- "Permission check on config file %s failed: %d\n",
+- config_file, ret);
+- return ERR_INI_INVALID_PERMISSION;
+- }
+- } else {
++ if (!self->main_config_exists) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "File %s does not exist.\n", config_file);
+ }
+@@ -923,7 +829,7 @@ int sss_ini_read_sssd_conf(struct sss_in
+ return ERR_INI_ADD_SNIPPETS_FAILED;
+ }
+
+- if (!sss_ini_exists(self) &&
++ if ((!self->main_config_exists) &&
+ (ref_array_len(sss_ini_get_ra_success_list(self)) == 0)) {
+ return ERR_INI_EMPTY_CONFIG;
+ }
+Index: sssd-2.10.0/src/util/sss_ini.h
+===================================================================
+--- sssd-2.10.0.orig/src/util/sss_ini.h
++++ sssd-2.10.0/src/util/sss_ini.h
+@@ -81,18 +81,6 @@ int sss_ini_open(struct sss_ini *self,
+ const char *fallback_cfg);
+
+ /**
+- * @brief Check whether sss_ini_open() reported that ini file is
+- * not present
+- *
+- * @param[in] self pointer to sss_ini structure
+- *
+- * @return
+- * - true we are using ini file
+- * - false file was not found
+- */
+-bool sss_ini_exists(struct sss_ini *self);
+-
+-/**
+ * @brief get Cstat structure of the ini file
+ */
+ int sss_ini_get_stat(struct sss_ini *self);
diff --git a/sssd.changes b/sssd.changes
index a5b1f81..f1b1dc8 100644
--- a/sssd.changes
+++ b/sssd.changes
@@ -16,6 +16,8 @@ Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt
 false to true for improved security.
 * https://github.com/SSSD/sssd/releases/tag/2.10.0
 - Add 0001-sssd-always-print-path-when-config-object-is-rejecte.patch,
+ 0001-INI-stop-using-libini_config-for-access-check.patch,
+ 0001-INI-relax-config-files-checks.patch,
 0001-Configuration-make-sure-etc-sssd-and-everything.patch
 - Fix socket activation of responders
 
diff --git a/sssd.spec b/sssd.spec
index 3ff1f09..356aa33 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -28,7 +28,9 @@ Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%v
 Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc
 Source3: baselibs.conf
 Source5: %name.keyring
-Patch5: 0001-sssd-always-print-path-when-config-object-is-rejecte.patch
+Patch3: 0001-sssd-always-print-path-when-config-object-is-rejecte.patch
+Patch4: 0001-INI-stop-using-libini_config-for-access-check.patch
+Patch5: 0001-INI-relax-config-files-checks.patch
 Patch6: 0001-Configuration-make-sure-etc-sssd-and-everything.patch
 Patch11: krb-noversion.diff
 Patch12: harden_sssd-ifp.service.patch
-- 
2.51.1

From de427be83583a08869aceff671b4034a58d776c796c32738a3b5258a8adb4a54 Mon Sep 17 00:00:00 2001
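Review bot: the sss_ini.c hunk removes the definitions of `sss_ini_get_stat()` and `sss_ini_get_mtime()`, but the sss_ini.h hunk only drops `sss_ini_exists()` and leaves `int sss_ini_get_stat(struct sss_ini *self);` in place as context, so the header still declares a function that no longer exists (the `sss_ini_get_mtime` prototype and the `cstat` member are presumably in the same state, though they fall outside the visible lines); any surviving caller now fails at link time instead of compile time, and those declarations belong in the same patch. Passing `NULL` as the access-check argument of `ini_config_augment()` means snippets are merged with no ownership or mode check at all until the companion relax patch adds `access_check_ini()`, so the two backports are only safe together; the spec hunk orders them Patch4 then Patch5, and a changes line stating that dependency would keep a future rebase from applying one without the other.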
From: Samuel Cabrero
Date: Fri, 30 Aug 2024 11:37:19 +0200
Subject: [PATCH 7/7] Use default nsslibdir

---
 sssd.spec | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/sssd.spec b/sssd.spec
index 356aa33..a02ec95 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -408,7 +408,6 @@ autoreconf -fiv
 --with-initscript=systemd \
 --with-syslog=journald \
 --with-pid-path="%_rundir" \
- --enable-nsslibdir="/%_lib" \
 --enable-pammoddir="%_pam_moduledir" \
 --with-ldb-lib-dir="%ldbdir" \
 --with-os=suse \
@@ -711,7 +710,7 @@ fi
 #
 # sssd-client
 #
-/%_lib/libnss_sss.so.2
+%_libdir/libnss_sss.so.2
 %_pam_moduledir/pam_sss.so
 %_pam_moduledir/pam_sss_gss.so
 %_libdir/krb5/
-- 
2.51.1
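Review bot: `%_libdir/libnss_sss.so.2` in the `%files` hunk, together with dropping `--enable-nsslibdir="/%_lib"`, moves the NSS module out of `/%_lib`, which on a split-/usr layout is the only path glibc can reach for name lookups before /usr is mounted; on a usr-merged system the two resolve to the same directory, so this is presumably fine for the target distribution, but nothing in the spec records that assumption. A one-line comment above the entry, `# %_libdir == /%_lib on usr-merged systems; NSS modules must be reachable at early boot`, would make the dependency explicit for anyone building the spec elsewhere.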