wip
This commit is contained in:
parent
5165cf2176
commit
6b181b9260
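--- /dev/null
+++ b/sssd.permissions
@@ -0,0 +1,11 @@
+/usr/libexec/sssd/sssd_pam root:sssd 0750
++capabilities cap_dac_read_search=p
+
+/usr/libexec/sssd/selinux_child root:sssd 0750
++capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
+
+/usr/libexec/sssd/krb5_child root:sssd 0750
++capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
+
+/usr/libexec/sssd/ldap_child root:sssd 0750
++capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep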
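Review bot: All three helpers receive the identical superset `cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep` although they do different work; as far as I recall from later upstream spec files, selinux_child gets by with `cap_setuid,cap_setgid=ep` and ldap_child with `cap_dac_override,cap_setuid,cap_setgid=ep`, so please confirm against what each child actually raises in the upstream sources and trim the entries per binary rather than copying one set. With `cap_setuid,cap_setgid` effective at exec, anyone who can run these files can switch to any uid, so the `root:sssd 0750` mode is the entire security boundary and the file should say so, e.g. `# 0750 root:sssd is the boundary: these helpers can switch to any uid, so only the sssd service account may be in group sssd`. The same capability strings are also hard-coded in the spec's `%global child_capabilities`/`%caps(...)` lines; a comment here pointing at that duplication (`# keep in sync with child_capabilities in sssd.spec`) would reduce the risk of the two drifting apart after a future tightening.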
35
sssd.spec
35
sssd.spec
@ -29,6 +29,7 @@ Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-2.
|
||||
Source3: baselibs.conf
|
||||
Source5: %name.keyring
|
||||
Source6: sssd.sysusers
|
||||
Source7: sssd.permissions
|
||||
Patch1: krb-noversion.diff
|
||||
Patch2: harden_sssd-ifp.service.patch
|
||||
Patch3: harden_sssd-kcm.service.patch
|
||||
@ -103,6 +104,8 @@ BuildRequires: pkgconfig(uuid)
|
||||
%endif
|
||||
%{?systemd_ordering}
|
||||
%sysusers_requires
|
||||
Requires(pre): permissions
|
||||
Requires(post): permissions
|
||||
Requires: sssd-ldap = %version-%release
|
||||
Requires(postun): pam-config
|
||||
Provides: libsss_sudo = %version-%release
|
||||
@ -111,8 +114,8 @@ Obsoletes: libsss_sudo < %version-%release
|
||||
Provides: sssd-common = %version-%release
|
||||
Obsoletes: sssd-common < %version-%release
|
||||
|
||||
# Adjust sssd.permissions if the user changes
|
||||
%global sssd_user sssd
|
||||
%global child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
|
||||
|
||||
%define servicename sssd
|
||||
%define sssdstatedir %_localstatedir/lib/sss
|
||||
@ -216,6 +219,8 @@ Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
|
||||
License: GPL-3.0-or-later
|
||||
Group: System/Daemons
|
||||
Requires: cyrus-sasl-gssapi
|
||||
Requires(pre): permissions
|
||||
Requires(post): permissions
|
||||
|
||||
%description krb5-common
|
||||
Provides helper processes that the LDAP and Kerberos back ends can
|
||||
@ -500,6 +505,7 @@ sed -i '1s@#!.*python.*@#!%{_bindir}/python3.11@' %{buildroot}/%{_libexecdir}/%{
|
||||
|
||||
install -D -p -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/%{name}.conf
|
||||
install -D -p -m 0644 contrib/sssd-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/%{name}.conf
|
||||
install -D -p -m 0644 %{SOURCE7} %{buildroot}%{_sysconfdir}/permissions.d/%{name}
|
||||
|
||||
%check
|
||||
# sss_config-tests fails
|
||||
@ -545,6 +551,10 @@ fi
|
||||
%{_bindir}/chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true
|
||||
%{_bindir}/chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
|
||||
|
||||
%tmpfiles_create %{name}.conf
|
||||
%set_permissions %_libexecdir/%{name}/selinux_child
|
||||
%set_permissions %_libexecdir/%{name}/sssd_pam
|
||||
|
||||
# install SSSD cifs-idmap plugin as an alternative
|
||||
update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority
|
||||
|
||||
@ -575,6 +585,10 @@ if [ ! -f "%cifs_idmap_lib" ]; then
|
||||
update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib
|
||||
fi
|
||||
|
||||
%verifyscript
|
||||
%verify_permissions -e %_libexecdir/%{name}/selinux_child
|
||||
%verify_permissions -e %_libexecdir/%{name}/sssd_pam
|
||||
|
||||
%post -n libsss_certmap0 -p /sbin/ldconfig
|
||||
%postun -n libsss_certmap0 -p /sbin/ldconfig
|
||||
%post -n libipa_hbac0 -p /sbin/ldconfig
|
||||
@ -625,6 +639,14 @@ fi
|
||||
%sysusers_create_package %{name} %SOURCE6
|
||||
%sysusers_create_package %{name}-krb5-common %SOURCE6
|
||||
|
||||
%post krb5-common
|
||||
%set_permissions %_libexecdir/%{name}/krb5_child
|
||||
%set_permissions %_libexecdir/%{name}/ldap_child
|
||||
|
||||
%verifyscript krb5-common
|
||||
%verify_permissions -e %_libexecdir/%{name}/krb5_child
|
||||
%verify_permissions -e %_libexecdir/%{name}/ldap_child
|
||||
|
||||
%pre proxy
|
||||
%sysusers_create_package %{name} %SOURCE6
|
||||
%sysusers_create_package %{name}-proxy %SOURCE6
|
||||
@ -738,13 +760,13 @@ fi
|
||||
%_libexecdir/%name/sssd_autofs
|
||||
%_libexecdir/%name/sssd_be
|
||||
%_libexecdir/%name/sssd_nss
|
||||
%attr(0750,root,%{sssd_user}) %caps(cap_dac_read_search=p) %{_libexecdir}/%{name}/sssd_pam
|
||||
%attr(0750,root,%{sssd_user}) %{_libexecdir}/%{name}/sssd_pam
|
||||
%_libexecdir/%name/sssd_ssh
|
||||
%_libexecdir/%name/sssd_sudo
|
||||
%_libexecdir/%name/sss_signal
|
||||
%_libexecdir/%name/sssd_check_socket_activated_responders
|
||||
%if 0%{?suse_version} >= 1600
|
||||
%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{name}/selinux_child
|
||||
%attr(0750,root,%{sssd_user}) %{_libexecdir}/%{name}/selinux_child
|
||||
%endif
|
||||
%dir %sssdstatedir
|
||||
%attr(700,%{sssd_user},%{sssd_user}) %dir %dbpath/
|
||||
@ -757,10 +779,11 @@ fi
|
||||
%attr(700,%{sssd_user},%{sssd_user}) %dir %keytabdir/
|
||||
%attr(750,%{sssd_user},%{sssd_user}) %dir %_localstatedir/log/%name/
|
||||
%attr(775,%{sssd_user},%{sssd_user}) %dir %sssdstatedir/
|
||||
%config(noreplace) %_sysconfdir/permissions.d/sssd
|
||||
%if "%{?_distconfdir}" != ""
|
||||
%attr(750,%{sssd_user},%{sssd_user}) %dir %_distconfdir/sssd/
|
||||
%attr(750,%{sssd_user},%{sssd_user}) %dir %_distconfdir/sssd/conf.d
|
||||
%attr(0600,%{sssd_user},%{sssd_user}) %config(noreplace) %_distconfdir/sssd/sssd.conf
|
||||
%attr(0600,%{sssd_user},%{sssd_user}) %_distconfdir/sssd/sssd.conf
|
||||
%else
|
||||
%attr(750,%{sssd_user},%{sssd_user}) %dir %_sysconfdir/sssd/
|
||||
%attr(750,%{sssd_user},%{sssd_user}) %dir %_sysconfdir/sssd/conf.d
|
||||
@ -875,8 +898,8 @@ fi
|
||||
%dir %_libdir/%name/
|
||||
%_libdir/%name/libsss_krb5_common.so
|
||||
%dir %_libexecdir/%name/
|
||||
%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %_libexecdir/%name/krb5_child
|
||||
%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %_libexecdir/%name/ldap_child
|
||||
%attr(0750,root,%{sssd_user}) %_libexecdir/%name/krb5_child
|
||||
%attr(0750,root,%{sssd_user}) %_libexecdir/%name/ldap_child
|
||||
|
||||
%files polkit-rules
|
||||
%{_datadir}/polkit-1/rules.d/sssd-pcsc.rules
|
||||
|
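Review bot: The `%set_permissions`/`%verify_permissions` calls added to `%post krb5-common` and `%verifyscript krb5-common` consult `/etc/permissions.d/sssd`, but that profile is packaged only in the main package's `%files` (`%config(noreplace) %_sysconfdir/permissions.d/sssd`) and, from the visible Requires, krb5-common does not depend on the main package, so when krb5-common's `%post` runs before the main package (or without it) chkstat finds no entry for krb5_child/ldap_child and the verification becomes a silent no-op. The binaries still get their file capabilities from `%caps(%{child_capabilities})` at unpack time, so this is a verification/maintenance gap rather than a missing privilege, but it defeats the purpose of the profile. I would ship the krb5_child/ldap_child entries in a second profile owned by this subpackage — `Source8: sssd-krb5-common.permissions`, `install -D -p -m 0644 %{SOURCE8} %{buildroot}%{_sysconfdir}/permissions.d/%{name}-krb5-common`, and `%config %_sysconfdir/permissions.d/%{name}-krb5-common` under `%files krb5-common` — using plain `%config` rather than `noreplace`, because a `noreplace` profile left on an old, broader capability set is what `chkstat --system` will re-apply after a future tightening of `%caps`. Relatedly, the main `%post`/`%verifyscript` handle selinux_child unconditionally while the binary is only packaged under `%if 0%{?suse_version} >= 1600`, so those two calls (and the selinux_child entry in the profile) should sit under the same conditional. The `%post`, `%verifyscript` and `%files` bodies start outside the hunks shown.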