diff --git a/harden_sssd-kcm.service.patch b/harden_sssd-kcm.service.patch index 183e0b0..a198f9e 100644 --- a/harden_sssd-kcm.service.patch +++ b/harden_sssd-kcm.service.patch @@ -1,7 +1,16 @@ -Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in -=================================================================== ---- sssd-2.5.2.orig/src/sysv/systemd/sssd-kcm.service.in -+++ sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in +From 47a18db90ae89803532d6fa8e0790fcb98b76a07 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Tue, 16 Jul 2024 09:21:00 +0200 +Subject: [PATCH] Harden sssd-kcm.service + +--- + src/sysv/systemd/sssd-kcm.service.in | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in +index 2b3de184b..610ba2e18 100644 +--- a/src/sysv/systemd/sssd-kcm.service.in ++++ b/src/sysv/systemd/sssd-kcm.service.in @@ -8,6 +8,19 @@ After=sssd-kcm.socket Also=sssd-kcm.socket @@ -18,7 +27,10 @@ Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true -+# end of automatic additions ++# end of automatic additions Environment=DEBUG_LOGGER=--logger=files - ExecStartPre=-@sbindir@/sssd --genconf-section=kcm - ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER} + ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf + ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d +-- +2.45.2 + diff --git a/sssd-2.10.0-beta2.tar.gz b/sssd-2.10.0-beta2.tar.gz new file mode 100644 index 0000000..8d56fa4 --- /dev/null +++ b/sssd-2.10.0-beta2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4161a8fa48cf753253811aedc2bdd2df290774432ccee72261208fec981ebdc3 +size 9153762 diff --git a/sssd-2.10.0-beta2.tar.gz.asc b/sssd-2.10.0-beta2.tar.gz.asc new file mode 100644 index 0000000..d6eef41 --- /dev/null +++ b/sssd-2.10.0-beta2.tar.gz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmZ735wACgkQ09IbKRDP +Z1lYNRAAjsjAHwIznwSYKMT+XrfKk6xS8oEgbzT8zme5jR0Dd8XtIVDAs3tTjQkm +kdRZMDXdKOTghXUCRpTOdejuxvZ3qxrfXU9YYekWoO5iWegdXy+bRgkmdvyLVyeh +Mz+Hk9EHGtCxgcZ0B64ksY6g9P4LFxTneA9mkfh9LjY+QWbONG5KfcC1J6BTpxUX +5IAO1YKuk6Pt6ERyYViSTTzW1aC2JVGIFHK8kDrqxvFgeqY7n96K0PdPtPFhtQuA +A8aOHZh8yPimO1fcnlx8G0HmnK2cSJu5zmXMhKLNQhzSgYaGURzwKu1dDQquCBEH +8Y1AOBcA7OOTfY6BdDYVGR/ewGBay5NBBl+qMH4skN/Tfz5+IyjbfrK5JNsJVIB0 +3CflPSs0PHQIkawH8h3bjYm/7EmuWidoP941TkTfw//nWHkJa++XwQQvZWsJooUN +LJYmhRO1RenhPDluZkkzmywwUGLdoqKFu5EnRkGEprYppIkso0umbgV/Ju7mi1u8 +GGFoNZugl0Cdohe0xkgyDTYwI/SESgUHbl/4Ovt3FFgrj0QOMcBUf6HqhV0/6AfY +iABz/fT7TsgrjzlO5V+3or9Q1J/DHW6n//u0oeazwdRy/S9/dUWAIQ77pWqp1kO4 +QjDLg+EZMVm9mmMJbdbMu5aRfvdgRf24yHxK/kQl7LlXBMNoMWw= +=sV+3 +-----END PGP SIGNATURE----- diff --git a/sssd-2.9.5.tar.gz b/sssd-2.9.5.tar.gz deleted file mode 100644 index 09b8ff1..0000000 --- a/sssd-2.9.5.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:bf955cc26b6d215bbb9083eadb613f78d7b727fb023f39987aec37680ae40ae3 -size 8001964 diff --git a/sssd-2.9.5.tar.gz.asc b/sssd-2.9.5.tar.gz.asc deleted file mode 100644 index 05b00fc..0000000 --- a/sssd-2.9.5.tar.gz.asc +++ /dev/null 
@@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmZF8CMACgkQ09IbKRDP -Z1lSVQ/9EPVvWUX1z/pHfbvDjRpfD+LDbDceYB4YBh0caYpMVFm/2wHhFIjTYEpf -SmIR+SQp50NkRSK6tE/u+Swu+YUkiCqnEWv2y9wd4Uh2NKiukyiqBC1k2cn9URNu -oRreBM1KIRvTkdoyZwteELJ7vMLVr0UT2iIXZQFIIZX+LM3FNZJ5vFcj5fF0Hz1f -v8zR0VTB7xY/6U+4KikvMyM3fOPeTOJvEtMp4xDWyquRjCADjZasOQcKRQzXp1er -zs/qLcQ8eCODXhKelGqmppVIElW+72f1FNbMpBnlQ7VtFn6pn4sPazO0Hr7eNfZJ -Vc6GXN8zZ/oF5U4x7XSMVqeOHLQoLeb2HxgUzS+1Ig19FHOs6Xoj0dO5l/TOEFav -l61qytYnj3DNZjrMVLsMvOx3qGYK7PmyaWNoIJlLO2GbWKMP/8yBm35Ugd0jybSi -T7VWX+isQHfVhSZ9wD4/yYOBAU3lABORAjXkCWQp/vMR/KiHbfaajCAbl56KiijQ -eKYaq57EH3N+qKd1sqCrPfSw3HSqm3rngG1CsMasBQgLFs2aW+Mwo3UvQ1U/ykED -mOo2D9uhOQluv4AUSpKK6E8EXoPSxDFZI4WX37depO2VGXDO90JNfVamJXjy1+bH -d/RnoZfC7h7Vb1P1bPgGdsAFQBOP0FinbEjehpw0P0U2xAZQWek= -=pY7t ------END PGP SIGNATURE----- diff --git a/sssd-rpmlintrc b/sssd-rpmlintrc new file mode 100644 index 0000000..0962594 --- /dev/null +++ b/sssd-rpmlintrc @@ -0,0 +1 @@ +addFilter("binary-or-shlib-calls-gethostbyname") diff --git a/sssd.changes b/sssd.changes index a3e3f54..028e4af 100644 --- a/sssd.changes +++ b/sssd.changes @@ -1,16 +1,3 @@ -------------------------------------------------------------------- -Wed Jul 17 09:19:20 UTC 2024 - Samuel Cabrero - -- Fix spec file for openSUSE ALP and SUSE SLFO, where the - python3_fix_shebang_path RPM macro is not available - -------------------------------------------------------------------- -Thu Jul 11 09:41:21 UTC 2024 - Samuel Cabrero - -- Revert the change dropping the default configuration file. If - /usr/etc exists will be installed there, otherwise in /etc. - (bsc#1226157); - ------------------------------------------------------------------- Thu May 16 12:13:02 UTC 2024 - Jan Engelhardt diff --git a/sssd.spec b/sssd.spec index 17e610d..c134193 100644 --- a/sssd.spec +++ b/sssd.spec 
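Review bot: `addFilter("binary-or-shlib-calls-gethostbyname")` silences the warning for every binary in every sssd subpackage and records neither which binary triggers it nor why the call is acceptable, so a future regression that adds a fresh gethostbyname() call is hidden as well. Prefer a pattern anchored to the package and binary that actually trips it, with a one-line justification above it, e.g. `# <binary>: upstream still resolves via gethostbyname(); reported upstream` followed by `addFilter("sssd.*<binary>.*binary-or-shlib-calls-gethostbyname")`. The affected binary is not visible in this diff, so the exact pattern has to come from the rpmlint output.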
@@ -17,21 +17,24 @@ Name: sssd -Version: 2.9.5 +Version: 2.10.0 Release: 0 Summary: System Security Services Daemon License: GPL-3.0-or-later AND LGPL-3.0-or-later Group: System/Daemons URL: https://github.com/SSSD/sssd #Git-Clone: https://github.com/SSSD/sssd -Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz -Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc +Source: https://github.com/SSSD/sssd/releases/download/%version/%name-2.10.0-beta2.tar.gz +Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-2.10.0-beta2.tar.gz.asc Source3: baselibs.conf Source5: %name.keyring +Source6: sssd.sysusers Patch1: krb-noversion.diff Patch2: harden_sssd-ifp.service.patch Patch3: harden_sssd-kcm.service.patch -Patch4: symvers.patch +# Does not build if ${PACKAGE_VERSION} contains a dash +#Patch4: symvers.patch + BuildRequires: autoconf >= 2.59 BuildRequires: automake BuildRequires: bind-utils @@ -53,6 +56,7 @@ BuildRequires: nss_wrapper BuildRequires: openldap2-devel BuildRequires: pam-devel BuildRequires: pkg-config >= 0.21 +BuildRequires: python3-setuptools BuildRequires: systemd-rpm-macros BuildRequires: uid_wrapper BuildRequires: pkgconfig(augeas) >= 1.0.0 @@ -68,6 +72,7 @@ BuildRequires: pkgconfig(libcrypto) %if 0%{?suse_version} >= 1600 BuildRequires: pkgconfig(libcurl) %endif +BuildRequires: pkgconfig(libcap) BuildRequires: pkgconfig(libnfsidmap) BuildRequires: pkgconfig(libnl-3.0) >= 3.0 BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0 @@ -75,6 +80,9 @@ BuildRequires: pkgconfig(libpcre2-8) %if 0%{?suse_version} >= 1600 BuildRequires: pkgconfig(libsemanage) %endif +BuildRequires: polkit +BuildRequires: sysuser-shadow +BuildRequires: sysuser-tools BuildRequires: pkgconfig(libsystemd) BuildRequires: pkgconfig(ndr_krb5pac) BuildRequires: pkgconfig(ndr_nbt) 
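Review bot: `Version: 2.10.0` is attached to a pre-release tarball (`%name-2.10.0-beta2.tar.gz`, `%autosetup -n sssd-2.10.0-beta2`), so the final 2.10.0 release will not version-compare as an upgrade over this build, and the `Source:`/`Source2:` URLs under `releases/download/%version/` name a tag that cannot carry a `-beta2` asset. Use a tilde pre-release version, `Version: 2.10.0~beta2`, and derive the download URL from the real beta tag. Commenting out `Patch4: symvers.patch` also removes the symbol versioning that was introduced for the mixed-version upgrade crash described inside symvers.patch itself; if the failure is only the dash in the tarball's `${PACKAGE_VERSION}`, sanitising that string in the patch (mapping `-` to `_`) would keep the protection for the beta, otherwise the comment should say how that crash is now prevented. The failing construct is not visible here, so that is inferred from the comment `Does not build if ${PACKAGE_VERSION} contains a dash`.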
@@ -94,6 +102,7 @@ BuildRequires: pkgconfig(uuid) #!BuildIgnore: libldap-data %endif %{?systemd_ordering} +%sysusers_requires Requires: sssd-ldap = %version-%release Requires(postun): pam-config Provides: libsss_sudo = %version-%release @@ -102,12 +111,18 @@ Obsoletes: libsss_sudo < %version-%release Provides: sssd-common = %version-%release Obsoletes: sssd-common < %version-%release +%global sssd_user sssd +%global child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep + %define servicename sssd %define sssdstatedir %_localstatedir/lib/sss %define dbpath %sssdstatedir/db %define pipepath %sssdstatedir/pipes %define pubconfpath %sssdstatedir/pubconf %define gpocachepath %sssdstatedir/gpo_cache +%define keytabdir %sssdstatedir/keytabs +%define mcpath %sssdstatedir/mc +%define deskprofilepath %sssdstatedir/deskprofile %define ldbdir %(pkg-config ldb --variable=modulesdir) # Both SSSD and cifs-utils provide an idmap plugin for cifs.ko @@ -150,6 +165,18 @@ Requires: %name = %version Provides the D-Bus responder of sssd, called InfoPipe, which allows information from sssd to be transmitted over the system bus. +%package polkit-rules +Summary: Rules for polkit integration for SSSD +Group: System/Daemons +License: GPL-3.0-or-later +Requires: %{name} = %{version}-%{release} +Requires: polkit >= 0.106 +BuildArch: noarch + +%description polkit-rules +Provides rules for polkit integration with SSSD. This is required +for smartcard support. + %package ipa Summary: FreeIPA backend plugin for sssd License: GPL-3.0-or-later @@ -386,7 +413,7 @@ Provide python module to access and manage configuration of the System Security Services Daemon (sssd). %prep -%autosetup -p1 +%autosetup -p1 -n sssd-2.10.0-beta2 %build # help configure find nscd 
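Review bot: `%global child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep` is a security-critical definition with no comment: cap_dac_override together with cap_setuid makes any binary carrying this set root-equivalent for whoever can execute it, so the `0750 root:%sssd_user` attr that `%files` pairs with it is the only thing keeping other local users away from those helpers, and the two must never be changed independently. Add a comment next to the global, e.g. `# File capabilities of the privileged helpers (krb5_child, ldap_child, selinux_child); they are root-equivalent, so they must always be installed 0750 root:%sssd_user`. `%global sssd_user sssd` should likewise note that it has to match the `u sssd` entry in sssd.sysusers and the `--with-sssd-user` configure flag, since nothing in the spec enforces that agreement.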
@@ -394,6 +421,9 @@ export PATH="$PATH:/usr/sbin" autoreconf -fiv %configure \ + --runstatedir=%{_rundir} \ + --disable-rpath \ + --disable-static \ --with-db-path="%dbpath" \ --with-pipe-path="%pipepath" \ --with-pubconf-path="%pubconfpath" \ @@ -402,13 +432,14 @@ autoreconf -fiv --with-initscript=systemd \ --with-syslog=journald \ --with-pid-path="%_rundir" \ - --enable-nsslibdir="/%_lib" \ + --enable-nsslibdir="%_libdir" \ --enable-pammoddir="%_pam_moduledir" \ --with-ldb-lib-dir="%ldbdir" \ --with-os=suse \ --disable-ldb-version-check \ --without-python2-bindings \ --without-oidc-child \ + --with-sssd-user=%{sssd_user} \ %if 0%{?suse_version} >= 1600 --with-selinux=yes \ --with-subid @@ -418,7 +449,9 @@ autoreconf -fiv --with-libsifp \ --with-files-provider %endif -%make_build all +%make_build all runstatedir=%{_rundir} + +%sysusers_generate_pre %{SOURCE6} %{name} %{name}.conf %install # sss_obfuscate is compatible with both python 2 and 3 
@@ -459,18 +492,30 @@ mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-util ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin %python3_fix_shebang %if 0%{?suse_version} > 1600 +# TODO Check latest fix for leap 15.6 %python3_fix_shebang_path %buildroot/%_libexecdir/%name/ %elif 0%{?suse_version} == 1600 # python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204 sed -i '1s@#!.*python.*@#!%{_bindir}/python3.11@' %{buildroot}/%{_libexecdir}/%{name}/sss_analyze %endif +install -D -p -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/%{name}.conf +install -D -p -m 0644 contrib/sssd-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/%{name}.conf + %check # sss_config-tests fails %make_build check || : %pre +%sysusers_create_package %{name} %SOURCE6 %service_add_pre sssd.service +%service_add_pre sssd-autofs.service sssd-autofs.socket +%service_add_pre sssd-nss.service sssd-nss.socket +%service_add_pre sssd-pac.service sssd-pac.socket +%service_add_pre sssd-pam.service sssd-pam.socket +%service_add_pre sssd-ssh.service sssd-ssh.socket +%service_add_pre sssd-sudo.service sssd-sudo.socket + %if "%{?_distconfdir}" != "" # Prepare for migration to /usr/etc; save any old .rpmsave for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do 
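Review bot: `%pre` creates the user with `%sysusers_create_package %{name} %SOURCE6`, while `%build` already ran `%sysusers_generate_pre %{SOURCE6} %{name} %{name}.conf`, whose generated `%{name}.pre` snippet is never consumed (there is no `%pre -f %{name}.pre`); using two mechanisms for one user makes it unclear which one actually runs and which `Requires(pre)` the package ends up with. Keep one of them: either `%pre -f %{name}.pre` with the generated snippet, or drop `%sysusers_generate_pre` and keep `%sysusers_create_package`. The `# TODO Check latest fix for leap 15.6` comment beside `%python3_fix_shebang_path` names no bug or commit and does not say what is unresolved; spell out which macro is missing on which release and reference the tracking bug, or remove the note.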
@@ -485,12 +530,33 @@ if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then /bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' "%_sysconfdir/sssd/sssd.conf" fi %service_add_post sssd.service +%service_add_post sssd-autofs.service sssd-autofs.socket +%service_add_post sssd-nss.service sssd-nss.socket +%service_add_post sssd-pac.service sssd-pac.socket +%service_add_post sssd-pam.service sssd-pam.socket +%service_add_post sssd-ssh.service sssd-ssh.socket +%service_add_post sssd-sudo.service sssd-sudo.socket + +%{_bindir}/rm -f %{mcpath}/passwd +%{_bindir}/rm -f %{mcpath}/group +%{_bindir}/rm -f %{mcpath}/initgroups +%{_bindir}/rm -f %{mcpath}/sid +%{_bindir}/chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true +%{_bindir}/chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true +%{_bindir}/chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true +%{_bindir}/chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true # install SSSD cifs-idmap plugin as an alternative update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority %preun %service_del_preun sssd.service +%service_del_preun sssd-autofs.service sssd-autofs.socket +%service_del_preun sssd-nss.service sssd-nss.socket +%service_del_preun sssd-pac.service sssd-pac.socket +%service_del_preun sssd-pam.service sssd-pam.socket +%service_del_preun sssd-ssh.service sssd-ssh.socket +%service_del_preun sssd-sudo.service sssd-sudo.socket %postun /sbin/ldconfig 
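Review bot: The new `%post` fix-ups (`rm -f %{mcpath}/...`, the four `chown -f %{sssd_user}:%{sssd_user} ...` lines) carry no comment saying why they exist, and they run on every install and upgrade rather than only on the 2.9 to 2.10 transition, so a later maintainer cannot tell whether they may be dropped. Add a comment above the block such as `# 2.10 runs sssd as %sssd_user instead of root: hand over the cache, config and logs created by earlier releases and drop the root-owned memcache files`. The handover also relies on the old responders being restarted only later in the transaction (by the old package's `%postun`); if that ordering ever changes, root-owned memcache files could be recreated before the restart, which is worth stating in the same comment. Already-rotated logs (`*.log-*`) are not covered by the `*.log` glob, which is acceptable only if the shipped logrotate.d/sssd creates new files as %sssd_user; that file is not visible here.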
@@ -499,6 +565,12 @@ if [ "$1" = "0" -a -x "%_sbindir/pam-config" ]; then fi # del_postun includes a try-restart %service_del_postun sssd.service +%service_del_postun sssd-autofs.service sssd-autofs.socket +%service_del_postun sssd-nss.service sssd-nss.socket +%service_del_postun sssd-pac.service sssd-pac.socket +%service_del_postun sssd-pam.service sssd-pam.socket +%service_del_postun sssd-ssh.service sssd-ssh.socket +%service_del_postun sssd-sudo.service sssd-sudo.socket if [ ! -f "%cifs_idmap_lib" ]; then update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib @@ -550,6 +622,14 @@ fi %postun kcm %service_del_postun sssd-kcm.service sssd-kcm.socket +%pre krb5-common +%sysusers_create_package %{name} %SOURCE6 +%sysusers_create_package %{name}-krb5-common %SOURCE6 + +%pre proxy +%sysusers_create_package %{name} %SOURCE6 +%sysusers_create_package %{name}-proxy %SOURCE6 + %pretrans # Migrate sssd.service from sssd-common to sssd systemctl is-enabled sssd.service > /dev/null @@ -598,7 +678,6 @@ fi %_unitdir/sssd-pac.socket %_unitdir/sssd-pac.service %_unitdir/sssd-pam.socket -%_unitdir/sssd-pam-priv.socket %_unitdir/sssd-pam.service %_unitdir/sssd-ssh.socket %_unitdir/sssd-ssh.service 
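Review bot: `%pre krb5-common` and `%pre proxy` call `%sysusers_create_package %{name}-krb5-common %SOURCE6` and `%sysusers_create_package %{name}-proxy %SOURCE6`, but the macro's first argument names the `%{_sysusersdir}/<name>.conf` file the package is expected to ship, and `%install` only installs `%{_sysusersdir}/%{name}.conf`; neither subpackage lists a sysusers file in `%files`, so the scriptlets and the payload disagree. Each scriptlet already creates the user with its first `%sysusers_create_package %{name} %SOURCE6` call, so the second call is redundant: keep only `%sysusers_create_package %{name} %SOURCE6` in both, or ship the per-subpackage conf files they refer to. Whether sssd-krb5-common and sssd-proxy can be installed without the main package is not visible in this diff; if they require `%name`, the main package's `%pre` already covers them and these scriptlets can go entirely.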
@@ -654,38 +733,39 @@ fi %dir %_libdir/%name/modules/ %_libdir/%name/modules/libsss_autofs.so %_libdir/libsss_sudo.so -%ldbdir/ +%ldbdir/memberof.so %dir %_libexecdir/%name/ %_libexecdir/%name/p11_child %_libexecdir/%name/sssd_autofs %_libexecdir/%name/sssd_be %_libexecdir/%name/sssd_nss -%_libexecdir/%name/sssd_pam +%attr(0750,root,%{sssd_user}) %caps(cap_dac_read_search=p) %{_libexecdir}/%{name}/sssd_pam %_libexecdir/%name/sssd_ssh %_libexecdir/%name/sssd_sudo %_libexecdir/%name/sss_signal %_libexecdir/%name/sssd_check_socket_activated_responders %if 0%{?suse_version} >= 1600 -%_libexecdir/%name/selinux_child +%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{name}/selinux_child %endif %dir %sssdstatedir -%attr(700,root,root) %dir %dbpath/ -%attr(755,root,root) %dir %pipepath/ -%attr(700,root,root) %dir %pipepath/private/ -%attr(755,root,root) %dir %pubconfpath/ -%attr(755,root,root) %dir %pubconfpath/krb5.include.d -%attr(755,root,root) %dir %gpocachepath/ -%attr(755,root,root) %dir %sssdstatedir/mc/ -%attr(700,root,root) %dir %sssdstatedir/keytabs/ -%attr(750,root,root) %dir %_localstatedir/log/%name/ +%attr(700,%{sssd_user},%{sssd_user}) %dir %dbpath/ +%attr(755,%{sssd_user},%{sssd_user}) %dir %pipepath/ +%attr(700,%{sssd_user},%{sssd_user}) %dir %pipepath/private/ +%attr(755,%{sssd_user},%{sssd_user}) %dir %pubconfpath/ +%attr(755,%{sssd_user},%{sssd_user}) %dir %pubconfpath/krb5.include.d +%attr(755,%{sssd_user},%{sssd_user}) %dir %gpocachepath/ +%attr(755,%{sssd_user},%{sssd_user}) %dir %mcpath/ +%attr(700,%{sssd_user},%{sssd_user}) %dir %keytabdir/ +%attr(750,%{sssd_user},%{sssd_user}) %dir %_localstatedir/log/%name/ +%attr(775,%{sssd_user},%{sssd_user}) %dir %sssdstatedir/ %if "%{?_distconfdir}" != "" -%dir %_distconfdir/sssd/ -%%dir %_distconfdir/sssd/conf.d -%config(noreplace) %_distconfdir/sssd/sssd.conf +%attr(750,%{sssd_user},%{sssd_user}) %dir %_distconfdir/sssd/ +%attr(750,%{sssd_user},%{sssd_user}) %dir 
%_distconfdir/sssd/conf.d +%attr(0600,%{sssd_user},%{sssd_user}) %config(noreplace) %_distconfdir/sssd/sssd.conf %else -%dir %_sysconfdir/sssd/ -%%dir %_sysconfdir/sssd/conf.d -%config(noreplace) %_sysconfdir/sssd/sssd.conf +%attr(750,%{sssd_user},%{sssd_user}) %dir %_sysconfdir/sssd/ +%attr(750,%{sssd_user},%{sssd_user}) %dir %_sysconfdir/sssd/conf.d +%ghost %attr(0600,%{sssd_user},%{sssd_user}) %config(noreplace) %_sysconfdir/sssd/sssd.conf %endif %if 0%{?suse_version} > 1500 %_distconfdir/logrotate.d/sssd @@ -704,11 +784,14 @@ fi %else %exclude %_mandir/*/*/sssd-files.5.gz %endif +%attr(775,%{sssd_user},%{sssd_user}) %ghost %dir %{_rundir}/sssd %doc src/examples/sssd.conf +%{_sysusersdir}/sssd.conf +%{_tmpfilesdir}/sssd.conf # # sssd-client # -/%_lib/libnss_sss.so.2 +%{_libdir}/libnss_sss.so.2 %_pam_moduledir/pam_sss.so %_pam_moduledir/pam_sss_gss.so %_libdir/krb5/ @@ -793,8 +876,11 @@ fi %dir %_libdir/%name/ %_libdir/%name/libsss_krb5_common.so %dir %_libexecdir/%name/ -%_libexecdir/%name/krb5_child -%_libexecdir/%name/ldap_child +%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %_libexecdir/%name/krb5_child +%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %_libexecdir/%name/ldap_child + +%files polkit-rules +%{_datadir}/polkit-1/rules.d/sssd-pcsc.rules %files ldap %dir %_libdir/%name/ @@ -811,7 +897,7 @@ fi %dir %_libdir/%name/ %_libdir/%name/libsss_proxy.so %dir %_libexecdir/%name/ -%_libexecdir/%name/proxy_child +%attr(0750,root,%{sssd_user}) %_libexecdir/%name/proxy_child %dir %_datadir/%name/ %dir %_datadir/%name/sssd.api.d/ %_datadir/%name/sssd.api.d/sssd-proxy.conf @@ -832,7 +918,9 @@ fi %python3_sitelib/sssd/ %files winbind-idmap -%_libdir/samba/ +%dir %_libdir/samba +%dir %_libdir/samba/idmap +%_libdir/samba/idmap/sss.so %_mandir/man8/idmap_sss.8* %files -n libipa_hbac0 diff --git a/sssd.sysusers b/sssd.sysusers new file mode 100644 index 0000000..d240dc0 --- /dev/null +++ b/sssd.sysusers 
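Review bot: `%ghost %attr(0600,%{sssd_user},%{sssd_user}) %config(noreplace) %_sysconfdir/sssd/sssd.conf` in the non-`%_distconfdir` branch means no default sssd.conf is installed into /etc any more, which is exactly what the "Revert the change dropping the default configuration file (bsc#1226157)" changelog entry, removed from sssd.changes in this same diff, had restored; confirm the rebase meant to drop it again, otherwise restore the plain `%config(noreplace)` entry and the two changelog entries. `%dir %sssdstatedir` is now also listed twice, once as the untouched context line and once as the added `%attr(775,%{sssd_user},%{sssd_user}) %dir %sssdstatedir/`, which rpm reports as a file listed twice and which leaves the intended ownership ambiguous; delete the bare `%dir %sssdstatedir` line. A group-writable 775 state directory presumably follows upstream's layout, but a one-line comment saying which component needs group write there would help the next reviewer.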
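Review bot: `%attr(775,%{sssd_user},%{sssd_user}) %ghost %dir %{_rundir}/sssd` only records the expected ownership in the rpm database; the directory itself is created by `contrib/sssd-tmpfiles.conf`, installed as `%{_tmpfilesdir}/sssd.conf` in `%install`, and the same path is the sssd user's home in sssd.sysusers. The mode and owner in that tmpfiles entry are not visible in this diff and must agree with `775 sssd:sssd` here, otherwise `rpm -V` flags the directory and the effective mode is whatever tmpfiles chose. Add `# must agree with contrib/sssd-tmpfiles.conf` beside the `%ghost` line, and, if `%post` does not already do so (its start lies outside the visible hunks), call `%tmpfiles_create %{_tmpfilesdir}/%{name}.conf` there so the directory exists on a fresh install before the first `systemctl start`.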
@@ -0,0 +1,2 @@
+# Type Name ID GECOS [HOME] [SHELL]
+u sssd - "User for sssd" /run/sssd/ /sbin/nologin
diff --git a/symvers.patch b/symvers.patch
index ab19be6..096851c 100644
--- a/symvers.patch
+++ b/symvers.patch
@@ -1,25 +1,24 @@
+From 1ad3abee3ed69cad410aff5f2e17542d2f34deb7 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt -Date: 2022-12-22 00:09:20.375896408 +0100 -References: https://bugzilla.suse.com/show_bug.cgi?id=1206592 - -The theory for this sssd crash is that during rpm upgrading it, -sssd-2.8.2 gets installed, %post runs to restart it, but oh no, -sssd-ldap-2.7.4 is still in the system. sssd_be(-2.8.2) then falls -over its feet when it loads 2.7.4 .so files. Addin symvers like below -should prevent this and pin the modules to another: sssd_be's attempt -to dlopen libsss_ldap.so(-2.7.4) will fail because -libsss_ldap.so(-2.7.4) cannot find a libsss_util.so(-2.7.4), since -the system only has libsss_util.so(-2.8.2) at this point. +Date: Thu, 22 Dec 2022 00:09:20 +0100 +Subject: [PATCH] The theory for this sssd crash is that during rpm upgrading + it, sssd-2.8.2 gets installed, %post runs to restart it, but oh no, + sssd-ldap-2.7.4 is still in the system. sssd_be(-2.8.2) then falls over its + feet when it loads 2.7.4 .so files. Addin symvers like below should prevent + this and pin the modules to another: sssd_be's attempt to dlopen + libsss_ldap.so(-2.7.4) will fail because libsss_ldap.so(-2.7.4) cannot find a + libsss_util.so(-2.7.4), since the system only has libsss_util.so(-2.8.2) at + this point. --- - Makefile.am | 47 ++++++++++++++++++++++++++++++++--------------- + Makefile.am | 47 ++++++++++++++++++++++++++++++++--------------- 1 file changed, 32 insertions(+), 15 deletions(-) -Index: sssd-2.9.2/Makefile.am -=================================================================== ---- sssd-2.9.2.orig/Makefile.am -+++ sssd-2.9.2/Makefile.am -@@ -955,7 +955,11 @@ libsss_debug_la_SOURCES = \ +diff --git a/Makefile.am b/Makefile.am +index f4cadee6f..ea01d0ea5 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -971,7 +971,11 @@ libsss_debug_la_SOURCES = \ libsss_debug_la_LIBADD = \ $(SYSLOG_LIBS) libsss_debug_la_LDFLAGS = \ 
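Review bot: The reformatted patch header drops `References: https://bugzilla.suse.com/show_bug.cgi?id=1206592`, the only link between this patch and the upgrade crash it works around, and folds the whole explanatory paragraph into a multi-line `Subject:`. Keep the reference as a trailer after the `Date:` line, `References: https://bugzilla.suse.com/show_bug.cgi?id=1206592`, and use a short subject such as `Subject: [PATCH] Add symbol versioning to internal libraries` with the rationale moved into the body. Note also that the spec now disables this patch (`#Patch4: symvers.patch`), so the rebased file is currently unused and that should be mentioned in its header or in sssd.changes.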
@@ -32,7 +31,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_child.la libsss_child_la_SOURCES = src/util/child_common.c -@@ -965,7 +969,8 @@ libsss_child_la_LIBADD = \ +@@ -981,7 +985,8 @@ libsss_child_la_LIBADD = \ $(DHASH_LIBS) \ libsss_debug.la \ $(NULL) @@ -42,7 +41,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_crypt.la -@@ -1004,7 +1009,8 @@ libsss_crypt_la_LIBADD = \ +@@ -1020,7 +1025,8 @@ libsss_crypt_la_LIBADD = \ libsss_debug.la \ $(NULL) libsss_crypt_la_LDFLAGS = \ @@ -52,7 +51,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_cert.la -@@ -1029,8 +1035,9 @@ libsss_cert_la_LIBADD = \ +@@ -1045,8 +1051,9 @@ libsss_cert_la_LIBADD = \ libsss_debug.la \ $(NULL) libsss_cert_la_LDFLAGS = \ @@ -63,7 +62,7 @@ Index: sssd-2.9.2/Makefile.am generate-sbus-code: $(builddir)/sbus_generate.sh $(abs_srcdir) -@@ -1131,8 +1138,9 @@ libsss_sbus_la_CFLAGS = \ +@@ -1147,8 +1154,9 @@ libsss_sbus_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libsss_sbus_la_LDFLAGS = \ @@ -74,7 +73,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_sbus_sync.la libsss_sbus_sync_la_SOURCES = \ -@@ -1167,8 +1175,9 @@ libsss_sbus_sync_la_CFLAGS = \ +@@ -1183,8 +1191,9 @@ libsss_sbus_sync_la_CFLAGS = \ $(UNICODE_LIBS) \ $(NULL) libsss_sbus_sync_la_LDFLAGS = \ @@ -85,7 +84,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_iface.la libsss_iface_la_SOURCES = \ -@@ -1197,8 +1206,9 @@ libsss_iface_la_CFLAGS = \ +@@ -1213,8 +1222,9 @@ libsss_iface_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libsss_iface_la_LDFLAGS = \ @@ -96,7 +95,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_iface_sync.la libsss_iface_sync_la_SOURCES = \ -@@ -1225,8 +1235,9 @@ libsss_iface_sync_la_CFLAGS = \ +@@ -1241,8 +1251,9 @@ libsss_iface_sync_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libsss_iface_sync_la_LDFLAGS = \ 
@@ -107,7 +106,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_util.la libsss_util_la_SOURCES = \ -@@ -1322,7 +1333,8 @@ endif +@@ -1338,7 +1349,8 @@ endif if BUILD_PASSKEY libsss_util_la_SOURCES += src/db/sysdb_passkey_user_verification.c endif # BUILD_PASSKEY @@ -117,7 +116,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_semanage.la libsss_semanage_la_CFLAGS = \ -@@ -1341,7 +1353,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_ +@@ -1357,7 +1369,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_LIBS) endif libsss_semanage_la_LDFLAGS = \ @@ -127,7 +126,7 @@ Index: sssd-2.9.2/Makefile.am SSSD_INTERNAL_LTLIBS = \ libsss_util.la \ -@@ -1357,7 +1370,7 @@ lib_LTLIBRARIES = libipa_hbac.la \ +@@ -1373,7 +1386,7 @@ lib_LTLIBRARIES = libipa_hbac.la \ $(NULL) pkgconfig_DATA += src/lib/ipa_hbac/ipa_hbac.pc @@ -136,7 +135,7 @@ Index: sssd-2.9.2/Makefile.am libipa_hbac_la_SOURCES = \ src/lib/ipa_hbac/hbac_evaluator.c \ src/util/sss_utf8.c -@@ -1688,8 +1701,9 @@ libifp_iface_la_CFLAGS = \ +@@ -1699,8 +1712,9 @@ libifp_iface_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libifp_iface_la_LDFLAGS = \ @@ -147,7 +146,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libifp_iface_sync.la libifp_iface_sync_la_SOURCES = \ -@@ -1714,8 +1728,9 @@ libifp_iface_sync_la_CFLAGS = \ +@@ -1725,8 +1739,9 @@ libifp_iface_sync_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libifp_iface_sync_la_LDFLAGS = \ @@ -158,7 +157,7 @@ Index: sssd-2.9.2/Makefile.am sssd_ifp_SOURCES = \ src/responder/ifp/ifpsrv.c \ -@@ -4314,8 +4329,9 @@ libsss_ldap_common_la_LIBADD = \ +@@ -4362,8 +4377,9 @@ libsss_ldap_common_la_LIBADD = \ $(SSSD_INTERNAL_LTLIBS) \ $(NULL) libsss_ldap_common_la_LDFLAGS = \ 
@@ -169,7 +168,7 @@ Index: sssd-2.9.2/Makefile.am if BUILD_SYSTEMTAP libsss_ldap_common_la_LIBADD += stap_generated_probes.lo endif -@@ -4372,7 +4388,8 @@ libsss_krb5_common_la_LIBADD = \ +@@ -4420,7 +4436,8 @@ libsss_krb5_common_la_LIBADD = \ $(SSSD_INTERNAL_LTLIBS) \ $(NULL) libsss_krb5_common_la_LDFLAGS = \ @@ -179,3 +178,6 @@ Index: sssd-2.9.2/Makefile.am libsss_ldap_la_SOURCES = \ src/providers/ldap/ldap_init.c \ +-- +2.46.1 +