This commit is contained in:
Samuel Cabrero 2024-10-01 11:56:51 +02:00
parent 5165cf2176
commit 6b181b9260
3 changed files with 42 additions and 6 deletions

2
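--- a/TODO
+++ b/TODO
@@ -0,0 +1,2 @@
+* Enable symvers.patch
+* cifs idmap plugin alternatives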

11
sssd.permissions Normal file

@ -0,0 +1,11 @@
/usr/libexec/sssd/sssd_pam root:sssd 0750
+capabilities cap_dac_read_search=p
/usr/libexec/sssd/selinux_child root:sssd 0750
+capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
/usr/libexec/sssd/krb5_child root:sssd 0750
+capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
/usr/libexec/sssd/ldap_child root:sssd 0750
+capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
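Review bot: The capability sets and the `root:sssd` owner in this file duplicate `%{sssd_user}` and `%{child_capabilities}` declared in sssd.spec, and the file is installed verbatim (`install -D -p -m 0644 %{SOURCE7} ...`), so the spec macros never reach it; the spec's own comment `# Adjust sssd.permissions if the user changes` acknowledges the drift risk. A less fragile option is to substitute both values at build time, e.g. `sed -e 's/@SSSD_USER@/%{sssd_user}/g' -e 's/@CHILD_CAPS@/%{child_capabilities}/g' %{SOURCE7} > sssd.permissions` with those (constructed) placeholders in the source file, or, if nothing outside the visible hunks expands it any more, to retire `%global child_capabilities` so there is a single source of truth. Note also that the file is packaged `%config(noreplace)`, so a later change to these capability lines lands in `.rpmnew` while `%set_permissions` keeps applying the old set on upgraded systems; if that is not intended, plain `%config` (or whatever the distro's permissions.d convention is) would be safer. The hunk header counts 11 added lines while 8 are shown here, so blank lines were presumably lost in rendering.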


@ -29,6 +29,7 @@ Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-2.
Source3: baselibs.conf
Source5: %name.keyring
Source6: sssd.sysusers
Source7: sssd.permissions
Patch1: krb-noversion.diff
Patch2: harden_sssd-ifp.service.patch
Patch3: harden_sssd-kcm.service.patch
@ -103,6 +104,8 @@ BuildRequires: pkgconfig(uuid)
%endif
%{?systemd_ordering}
%sysusers_requires
Requires(pre): permissions
Requires(post): permissions
Requires: sssd-ldap = %version-%release
Requires(postun): pam-config
Provides: libsss_sudo = %version-%release
@ -111,8 +114,8 @@ Obsoletes: libsss_sudo < %version-%release
Provides: sssd-common = %version-%release
Obsoletes: sssd-common < %version-%release
# Adjust sssd.permissions if the user changes
%global sssd_user sssd
%global child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
%define servicename sssd
%define sssdstatedir %_localstatedir/lib/sss
@ -216,6 +219,8 @@ Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
License: GPL-3.0-or-later
Group: System/Daemons
Requires: cyrus-sasl-gssapi
Requires(pre): permissions
Requires(post): permissions
%description krb5-common
Provides helper processes that the LDAP and Kerberos back ends can
@ -500,6 +505,7 @@ sed -i '1s@#!.*python.*@#!%{_bindir}/python3.11@' %{buildroot}/%{_libexecdir}/%{
install -D -p -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/%{name}.conf
install -D -p -m 0644 contrib/sssd-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/%{name}.conf
install -D -p -m 0644 %{SOURCE7} %{buildroot}%{_sysconfdir}/permissions.d/%{name}
%check
# sss_config-tests fails
@ -545,6 +551,10 @@ fi
%{_bindir}/chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true
%{_bindir}/chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
%tmpfiles_create %{name}.conf
%set_permissions %_libexecdir/%{name}/selinux_child
%set_permissions %_libexecdir/%{name}/sssd_pam
# install SSSD cifs-idmap plugin as an alternative
update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority
@ -575,6 +585,10 @@ if [ ! -f "%cifs_idmap_lib" ]; then
update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib
fi
%verifyscript
%verify_permissions -e %_libexecdir/%{name}/selinux_child
%verify_permissions -e %_libexecdir/%{name}/sssd_pam
%post -n libsss_certmap0 -p /sbin/ldconfig
%postun -n libsss_certmap0 -p /sbin/ldconfig
%post -n libipa_hbac0 -p /sbin/ldconfig
@ -625,6 +639,14 @@ fi
%sysusers_create_package %{name} %SOURCE6
%sysusers_create_package %{name}-krb5-common %SOURCE6
%post krb5-common
%set_permissions %_libexecdir/%{name}/krb5_child
%set_permissions %_libexecdir/%{name}/ldap_child
%verifyscript krb5-common
%verify_permissions -e %_libexecdir/%{name}/krb5_child
%verify_permissions -e %_libexecdir/%{name}/ldap_child
%pre proxy
%sysusers_create_package %{name} %SOURCE6
%sysusers_create_package %{name}-proxy %SOURCE6
@ -738,13 +760,13 @@ fi
%_libexecdir/%name/sssd_autofs
%_libexecdir/%name/sssd_be
%_libexecdir/%name/sssd_nss
%attr(0750,root,%{sssd_user}) %caps(cap_dac_read_search=p) %{_libexecdir}/%{name}/sssd_pam
%attr(0750,root,%{sssd_user}) %{_libexecdir}/%{name}/sssd_pam
%_libexecdir/%name/sssd_ssh
%_libexecdir/%name/sssd_sudo
%_libexecdir/%name/sss_signal
%_libexecdir/%name/sssd_check_socket_activated_responders
%if 0%{?suse_version} >= 1600
%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{name}/selinux_child
%attr(0750,root,%{sssd_user}) %{_libexecdir}/%{name}/selinux_child
%endif
%dir %sssdstatedir
%attr(700,%{sssd_user},%{sssd_user}) %dir %dbpath/
@ -757,10 +779,11 @@ fi
%attr(700,%{sssd_user},%{sssd_user}) %dir %keytabdir/
%attr(750,%{sssd_user},%{sssd_user}) %dir %_localstatedir/log/%name/
%attr(775,%{sssd_user},%{sssd_user}) %dir %sssdstatedir/
%config(noreplace) %_sysconfdir/permissions.d/sssd
%if "%{?_distconfdir}" != ""
%attr(750,%{sssd_user},%{sssd_user}) %dir %_distconfdir/sssd/
%attr(750,%{sssd_user},%{sssd_user}) %dir %_distconfdir/sssd/conf.d
%attr(0600,%{sssd_user},%{sssd_user}) %config(noreplace) %_distconfdir/sssd/sssd.conf
%attr(0600,%{sssd_user},%{sssd_user}) %_distconfdir/sssd/sssd.conf
%else
%attr(750,%{sssd_user},%{sssd_user}) %dir %_sysconfdir/sssd/
%attr(750,%{sssd_user},%{sssd_user}) %dir %_sysconfdir/sssd/conf.d
@ -875,8 +898,8 @@ fi
%dir %_libdir/%name/
%_libdir/%name/libsss_krb5_common.so
%dir %_libexecdir/%name/
%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %_libexecdir/%name/krb5_child
%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %_libexecdir/%name/ldap_child
%attr(0750,root,%{sssd_user}) %_libexecdir/%name/krb5_child
%attr(0750,root,%{sssd_user}) %_libexecdir/%name/ldap_child
%files polkit-rules
%{_datadir}/polkit-1/rules.d/sssd-pcsc.rules
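Review bot: The entries for `krb5_child` and `ldap_child` live in `/etc/permissions.d/sssd`, which is packaged in the main package's `%files` (`%config(noreplace) %_sysconfdir/permissions.d/sssd`), yet `%post krb5-common` runs `%set_permissions` on them; unless krb5-common already requires the main package, an install where krb5-common's `%post` runs first (or a krb5-common-only install) finds no matching entry and those helpers end up without the capabilities the former `%caps(%{child_capabilities})` attribute applied at install time. Either add an ordering dependency such as `Requires(post): %name = %version-%release` to krb5-common or ship the two entries in a separate `permissions.d/%{name}-krb5-common` owned by that subpackage. Separately, `selinux_child` is only listed under `%if 0%{?suse_version} >= 1600` in `%files`, while the `%set_permissions`/`%verify_permissions` calls for it and its entry in sssd.permissions are unconditional; if the helper is not built on older releases, confirm chkstat tolerates the missing path or guard those lines with the same `%if`. A short comment above `%post`, e.g. `# capabilities are applied via /etc/permissions.d/sssd at install time; keep in sync with sssd.permissions`, would explain why `%caps` was dropped from `%files`.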