builds

2024-08-30 11:37:19 +02:00 · 2024-08-30 11:37:19 +02:00 · cd4781f19c
commit cd4781f19c
parent bf358d8fff
9 changed files with 241 additions and 114 deletions
--- a/harden_sssd-kcm.service.patch
+++ b/harden_sssd-kcm.service.patch
@ -1,7 +1,16 @@
-Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
-===================================================================
--- sssd-2.5.2.orig/src/sysv/systemd/sssd-kcm.service.in
-+++ sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
+From 47a18db90ae89803532d6fa8e0790fcb98b76a07 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Tue, 16 Jul 2024 09:21:00 +0200
+Subject: [PATCH] Harden sssd-kcm.service
+
+---
+ src/sysv/systemd/sssd-kcm.service.in | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
+index 2b3de184b..610ba2e18 100644
+--- a/src/sysv/systemd/sssd-kcm.service.in
+++ b/src/sysv/systemd/sssd-kcm.service.in
@@ -8,6 +8,19 @@ After=sssd-kcm.socket
 Also=sssd-kcm.socket
 
@ -18,7 +27,10 @@ Index: sssd-2.5.2/src/sysv/systemd/sssd-kcm.service.in
 +ProtectKernelLogs=true
 +ProtectControlGroups=true
 +RestrictRealtime=true
-+# end of automatic additions 
+# end of automatic additions
 Environment=DEBUG_LOGGER=--logger=files
- ExecStartPre=-@sbindir@/sssd --genconf-section=kcm
- ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}
+ ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
+ ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
+-- 
+2.45.2
+
--- a/sssd-2.10.0-beta2.tar.gz
+++ b/sssd-2.10.0-beta2.tar.gz
--- a/sssd-2.10.0-beta2.tar.gz.asc
+++ b/sssd-2.10.0-beta2.tar.gz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmZ735wACgkQ09IbKRDP
+Z1lYNRAAjsjAHwIznwSYKMT+XrfKk6xS8oEgbzT8zme5jR0Dd8XtIVDAs3tTjQkm
+kdRZMDXdKOTghXUCRpTOdejuxvZ3qxrfXU9YYekWoO5iWegdXy+bRgkmdvyLVyeh
+Mz+Hk9EHGtCxgcZ0B64ksY6g9P4LFxTneA9mkfh9LjY+QWbONG5KfcC1J6BTpxUX
+5IAO1YKuk6Pt6ERyYViSTTzW1aC2JVGIFHK8kDrqxvFgeqY7n96K0PdPtPFhtQuA
+A8aOHZh8yPimO1fcnlx8G0HmnK2cSJu5zmXMhKLNQhzSgYaGURzwKu1dDQquCBEH
+8Y1AOBcA7OOTfY6BdDYVGR/ewGBay5NBBl+qMH4skN/Tfz5+IyjbfrK5JNsJVIB0
+3CflPSs0PHQIkawH8h3bjYm/7EmuWidoP941TkTfw//nWHkJa++XwQQvZWsJooUN
+LJYmhRO1RenhPDluZkkzmywwUGLdoqKFu5EnRkGEprYppIkso0umbgV/Ju7mi1u8
+GGFoNZugl0Cdohe0xkgyDTYwI/SESgUHbl/4Ovt3FFgrj0QOMcBUf6HqhV0/6AfY
+iABz/fT7TsgrjzlO5V+3or9Q1J/DHW6n//u0oeazwdRy/S9/dUWAIQ77pWqp1kO4
+QjDLg+EZMVm9mmMJbdbMu5aRfvdgRf24yHxK/kQl7LlXBMNoMWw=
+=sV+3
+-----END PGP SIGNATURE-----
--- a/sssd-2.9.5.tar.gz
+++ b/sssd-2.9.5.tar.gz
--- a/sssd-2.9.5.tar.gz.asc
+++ b/sssd-2.9.5.tar.gz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEwTzQf/stsUCORXo809IbKRDPZ1kFAmZF8CMACgkQ09IbKRDP
-Z1lSVQ/9EPVvWUX1z/pHfbvDjRpfD+LDbDceYB4YBh0caYpMVFm/2wHhFIjTYEpf
-SmIR+SQp50NkRSK6tE/u+Swu+YUkiCqnEWv2y9wd4Uh2NKiukyiqBC1k2cn9URNu
-oRreBM1KIRvTkdoyZwteELJ7vMLVr0UT2iIXZQFIIZX+LM3FNZJ5vFcj5fF0Hz1f
-v8zR0VTB7xY/6U+4KikvMyM3fOPeTOJvEtMp4xDWyquRjCADjZasOQcKRQzXp1er
-zs/qLcQ8eCODXhKelGqmppVIElW+72f1FNbMpBnlQ7VtFn6pn4sPazO0Hr7eNfZJ
-Vc6GXN8zZ/oF5U4x7XSMVqeOHLQoLeb2HxgUzS+1Ig19FHOs6Xoj0dO5l/TOEFav
-l61qytYnj3DNZjrMVLsMvOx3qGYK7PmyaWNoIJlLO2GbWKMP/8yBm35Ugd0jybSi
-T7VWX+isQHfVhSZ9wD4/yYOBAU3lABORAjXkCWQp/vMR/KiHbfaajCAbl56KiijQ
-eKYaq57EH3N+qKd1sqCrPfSw3HSqm3rngG1CsMasBQgLFs2aW+Mwo3UvQ1U/ykED
-mOo2D9uhOQluv4AUSpKK6E8EXoPSxDFZI4WX37depO2VGXDO90JNfVamJXjy1+bH
-d/RnoZfC7h7Vb1P1bPgGdsAFQBOP0FinbEjehpw0P0U2xAZQWek=
-=pY7t
-----END PGP SIGNATURE-----
--- a/1
+++ b/1
@ -0,0 +1 @@
+addFilter("binary-or-shlib-calls-gethostbyname")
--- a/sssd.changes
+++ b/sssd.changes
@ -1,16 +1,3 @@
-------------------------------------------------------------------
-Wed Jul 17 09:19:20 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
-
- Fix spec file for openSUSE ALP and SUSE SLFO, where the
-  python3_fix_shebang_path RPM macro is not available
-
-------------------------------------------------------------------
-Thu Jul 11 09:41:21 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
-
- Revert the change dropping the default configuration file. If
-  /usr/etc exists will be installed there, otherwise in /etc.
-  (bsc#1226157);
-
 -------------------------------------------------------------------
 Thu May 16 12:13:02 UTC 2024 - Jan Engelhardt <jengelh@inai.de>

--- a/sssd.spec
+++ b/sssd.spec
@ -17,21 +17,23 @@


 Name:           sssd
-Version:        2.9.5
+Version:        2.10.0
 Release:        0
 Summary:        System Security Services Daemon
 License:        GPL-3.0-or-later AND LGPL-3.0-or-later
 Group:          System/Daemons
 URL:            https://github.com/SSSD/sssd
 #Git-Clone:	https://github.com/SSSD/sssd
-Source:         https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz
-Source2:        https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc
+Source:         https://github.com/SSSD/sssd/releases/download/%version/%name-2.10.0-beta2.tar.gz
+Source2:        https://github.com/SSSD/sssd/releases/download/%version/%name-2.10.0-beta2.tar.gz.asc
 Source3:        baselibs.conf
 Source5:        %name.keyring
+Source6:        sssd.sysusers
 Patch1:         krb-noversion.diff
 Patch2:         harden_sssd-ifp.service.patch
 Patch3:         harden_sssd-kcm.service.patch
-Patch4:         symvers.patch
+#Patch4:         symvers.patch
+
 BuildRequires:  autoconf >= 2.59
 BuildRequires:  automake
 BuildRequires:  bind-utils
@ -53,6 +55,7 @@ BuildRequires:  nss_wrapper
 BuildRequires:  openldap2-devel
 BuildRequires:  pam-devel
 BuildRequires:  pkg-config >= 0.21
+BuildRequires:  python3-setuptools
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  uid_wrapper
 BuildRequires:  pkgconfig(augeas) >= 1.0.0
@ -68,6 +71,7 @@ BuildRequires:  pkgconfig(libcrypto)
 %if 0%{?suse_version} >= 1600
 BuildRequires:  pkgconfig(libcurl)
 %endif
+BuildRequires:  pkgconfig(libcap)
 BuildRequires:  pkgconfig(libnfsidmap)
 BuildRequires:  pkgconfig(libnl-3.0) >= 3.0
 BuildRequires:  pkgconfig(libnl-route-3.0) >= 3.0
@ -75,6 +79,9 @@ BuildRequires:  pkgconfig(libpcre2-8)
 %if 0%{?suse_version} >= 1600
 BuildRequires:  pkgconfig(libsemanage)
 %endif
+BuildRequires:  polkit
+BuildRequires:  sysuser-shadow
+BuildRequires:  sysuser-tools
 BuildRequires:  pkgconfig(libsystemd)
 BuildRequires:  pkgconfig(ndr_krb5pac)
 BuildRequires:  pkgconfig(ndr_nbt)
@ -87,6 +94,7 @@ BuildRequires:  pkgconfig(tdb) >= 1.1.3
 BuildRequires:  pkgconfig(tevent)
 BuildRequires:  pkgconfig(uuid)
 %{?systemd_ordering}
+%sysusers_requires
 Requires:       sssd-ldap = %version-%release
 Requires(postun): pam-config
 Provides:       libsss_sudo = %version-%release
@ -95,24 +103,19 @@ Obsoletes:      libsss_sudo < %version-%release
 Provides:       sssd-common = %version-%release
 Obsoletes:      sssd-common < %version-%release

-%define servicename	sssd
-%define sssdstatedir	%_localstatedir/lib/sss
-%define dbpath		%sssdstatedir/db
-%define pipepath	%sssdstatedir/pipes
-%define pubconfpath	%sssdstatedir/pubconf
-%define gpocachepath	%sssdstatedir/gpo_cache
-%define ldbdir %(pkg-config ldb --variable=modulesdir)
+%global sssd_user sssd
+%global child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep

-# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
-# %_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
-# * cifs-utils one is the default (priority 20)
-# * installing SSSD should NOT switch to SSSD plugin (priority 10)
-%define cifs_idmap_plugin       %_sysconfdir/cifs-utils/idmap-plugin
-%define cifs_idmap_lib          %_libdir/cifs-utils/cifs_idmap_sss.so
-%define cifs_idmap_name         cifs-idmap-plugin
-%define cifs_idmap_priority     10
-Requires(post): update-alternatives
-Requires(postun): update-alternatives
+%define servicename	sssd
+%define sssdstatedir %_localstatedir/lib/sss
+%define dbpath %sssdstatedir/db
+%define keytabdir %sssdstatedir/keytabs
+%define pipepath %sssdstatedir/pipes
+%define mcpath %sssdstatedir/mc
+%define pubconfpath %sssdstatedir/pubconf
+%define gpocachepath %sssdstatedir/gpo_cache
+%define deskprofilepath %sssdstatedir/deskprofile
+%define ldbdir %(pkg-config ldb --variable=modulesdir)

 %description
 Provides a set of daemons to manage access to remote directories and
@ -143,6 +146,18 @@ Requires:       %name = %version
 Provides the D-Bus responder of sssd, called InfoPipe, which allows
 information from sssd to be transmitted over the system bus.

+%package polkit-rules
+Summary:        Rules for polkit integration for SSSD
+Group:          System/Daemons
+License:        GPL-3.0-or-later
+Requires:       %{name} = %{version}-%{release}
+Requires:       polkit >= 0.106
+BuildArch:      noarch
+
+%description polkit-rules
+Provides rules for polkit integration with SSSD. This is required
+for smartcard support.
+
 %package ipa
 Summary:        FreeIPA backend plugin for sssd
 License:        GPL-3.0-or-later
@ -379,7 +394,7 @@ Provide python module to access and manage configuration of the System
 Security Services Daemon (sssd).

 %prep
-%autosetup -p1
+%autosetup -p1 -n sssd-2.10.0-beta2

 %build
 # help configure find nscd
@ -387,6 +402,9 @@ export PATH="$PATH:/usr/sbin"

 autoreconf -fiv
 %configure \
+  --runstatedir=%{_rundir} \
+  --disable-rpath \
+  --disable-static \
 	--with-db-path="%dbpath" \
 	--with-pipe-path="%pipepath" \
 	--with-pubconf-path="%pubconfpath" \
@ -395,13 +413,14 @@ autoreconf -fiv
 	--with-initscript=systemd \
 	--with-syslog=journald \
 	--with-pid-path="%_rundir" \
-	--enable-nsslibdir="/%_lib" \
+	--enable-nsslibdir="%_libdir" \
 	--enable-pammoddir="%_pam_moduledir" \
 	--with-ldb-lib-dir="%ldbdir" \
 	--with-os=suse \
 	--disable-ldb-version-check \
 	--without-python2-bindings \
 	--without-oidc-child \
+  --with-sssd-user=%{sssd_user} \
 %if 0%{?suse_version} >= 1600
 	--with-selinux=yes \
 	--with-subid
@ -413,6 +432,8 @@ autoreconf -fiv
 %endif
 %make_build all

+%sysusers_generate_pre %{SOURCE6} %{name} %{name}.conf
+
 %install
 # sss_obfuscate is compatible with both python 2 and 3
 perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate
@ -420,8 +441,8 @@ perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate
 b="%buildroot"

 # Copy some defaults
-%if %{?_distconfdir:1}
-install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_distconfdir/sssd/sssd.conf"
+%if %{defined _distconfdir}
+install -D -p -m 0644 src/examples/sssd-example.conf "$b/%_distconfdir/sssd/sssd.conf"
 install -d -m 0755 "$b/%_distconfdir/sssd/conf.d"
 %else
 install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf"
@ -447,27 +468,46 @@ mkdir -pv "$b/%sssdstatedir/mc"
 find "$b" -type f -name "*.la" -print -delete
 %find_lang %name --all-name

-# dummy target for cifs-idmap-plugin
-mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils
-ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin
 %python3_fix_shebang
-%if 0%{?suse_version} > 1600
-%python3_fix_shebang_path %buildroot/%_libexecdir/%name/
-%elif 0%{?suse_version} == 1600
-# python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204
-sed -i '1s@#!.*python.*@#!%{_bindir}/python3.11@' %{buildroot}/%{_libexecdir}/%{name}/sss_analyze
+%if %{suse_version} >= 1600
+sed -i -e 's:/usr/bin/env python3:/usr/bin/python3:' %{buildroot}/%{_libexecdir}/%{name}/sss_analyze
+%python3_fix_shebang_path %{buildroot}/%{_libexecdir}/%{name}/
 %endif

+install -D -p -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/%{name}.conf
+
+# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
+# _sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
+#mkdir -pv "%{buildroot}/%_sysconfdir/cifs-utils"
+#ln -s %{buildroot}/%_libdir/cifs-utils/cifs_idmap_sss.so %{buildroot}/%_sysconfdir/cifs-utils/idmap-plugin
+
 %check
 # sss_config-tests fails
 %make_build check || :

 %pre
 %service_add_pre sssd.service
-%if %{?_distconfdir:1}
+%service_add_pre sssd-autofs.service
+%service_add_pre sssd-nss.service
+%service_add_pre sssd-nss.service
+%service_add_pre sssd-pac.service
+%service_add_pre sssd-pam.service
+%service_add_pre sssd-ssh.service
+%service_add_pre sssd-sudo.service
+
+%service_add_pre sssd-autofs.socket
+%service_add_pre sssd-nss.socket
+%service_add_pre sssd-nss.socket
+%service_add_pre sssd-pac.socket
+%service_add_pre sssd-pam.socket
+%service_add_pre sssd-ssh.socket
+%service_add_pre sssd-sudo.socket
+
+
+%if %{defined _distconfdir}
 # Prepare for migration to /usr/etc; save any old .rpmsave
 for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do
-	test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i.rpmsave.old" || :
+	test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
 done
 %endif

@ -477,25 +517,107 @@ done
 if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then
 	/bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' "%_sysconfdir/sssd/sssd.conf"
 fi
-%service_add_post sssd.service
+%systemd_post sssd.service
+%systemd_post sssd-autofs.socket
+%systemd_post sssd-nss.socket
+%systemd_post sssd-pac.socket
+%systemd_post sssd-pam.socket
+%systemd_post sssd-ssh.socket
+%systemd_post sssd-sudo.socket

-# install SSSD cifs-idmap plugin as an alternative
-update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority
+%service_add_post sssd.service
+%service_add_post sssd-autofs.service
+%service_add_post sssd-nss.service
+%service_add_post sssd-nss.service
+%service_add_post sssd-pac.service
+%service_add_post sssd-pam.service
+%service_add_post sssd-ssh.service
+%service_add_post sssd-sudo.service
+
+%service_add_post sssd-autofs.socket
+%service_add_post sssd-nss.socket
+%service_add_post sssd-nss.socket
+%service_add_post sssd-pac.socket
+%service_add_post sssd-pam.socket
+%service_add_post sssd-ssh.socket
+%service_add_post sssd-sudo.socket
+
+%__rm -f %{mcpath}/passwd
+%__rm -f %{mcpath}/group
+%__rm -f %{mcpath}/initgroups
+%__rm -f %{mcpath}/sid
+
+#__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true
+#if %{defined _distconfdir}
+#__chown -f %{sssd_user}:%{sssd_user} %{_distconfdir}/sssd/sssd.conf || true
+#__chown -f -R %{sssd_user}:%{sssd_user} %{_distconfdir}/sssd/conf.d || true
+#else
+#__chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true
+#__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true
+#endif
+#__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
+#__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true

 %preun
-%service_del_preun sssd.service
+%systemd_preun sssd.service
+%systemd_preun sssd-autofs.service
+%systemd_preun sssd-nss.service
+%systemd_preun sssd-nss.service
+%systemd_preun sssd-pac.service
+%systemd_preun sssd-pam.service
+%systemd_preun sssd-ssh.service
+%systemd_preun sssd-sudo.service
+
+%systemd_preun sssd-autofs.socket
+%systemd_preun sssd-nss.socket
+%systemd_preun sssd-nss.socket
+%systemd_preun sssd-pac.socket
+%systemd_preun sssd-pam.socket
+%systemd_preun sssd-ssh.socket
+%systemd_preun sssd-sudo.socket
+

 %postun
 /sbin/ldconfig
 if [ "$1" = "0" -a -x "%_sbindir/pam-config" ]; then
 	"%_sbindir/pam-config" -d --sss || :
 fi
-# del_postun includes a try-restart
-%service_del_postun sssd.service

-if [ ! -f "%cifs_idmap_lib" ]; then
-	update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib
-fi
+%service_del_postun sssd.service
+%service_del_postun sssd-autofs.service
+%service_del_postun sssd-nss.service
+%service_del_postun sssd-nss.service
+%service_del_postun sssd-pac.service
+%service_del_postun sssd-pam.service
+%service_del_postun sssd-ssh.service
+%service_del_postun sssd-sudo.service
+
+%service_del_postun sssd-autofs.socket
+%service_del_postun sssd-nss.socket
+%service_del_postun sssd-nss.socket
+%service_del_postun sssd-pac.socket
+%service_del_postun sssd-pam.socket
+%service_del_postun sssd-ssh.socket
+%service_del_postun sssd-sudo.socket
+
+%systemd_postun sssd.service
+%systemd_postun sssd-autofs.service
+%systemd_postun sssd-nss.service
+%systemd_postun sssd-nss.service
+%systemd_postun sssd-pac.service
+%systemd_postun sssd-pam.service
+%systemd_postun sssd-ssh.service
+%systemd_postun sssd-sudo.service
+
+%systemd_postun sssd-autofs.socket
+%systemd_postun sssd-nss.socket
+%systemd_postun sssd-nss.socket
+%systemd_postun sssd-pac.socket
+%systemd_postun sssd-pam.socket
+%systemd_postun sssd-ssh.socket
+%systemd_postun sssd-sudo.socket
+
+

 %post   -n libsss_certmap0 -p /sbin/ldconfig
 %postun -n libsss_certmap0 -p /sbin/ldconfig
@ -557,10 +679,10 @@ touch /run/systemd/rpm/sssd-was-active
 fi

 %posttrans
-%if %{?_distconfdir:1}
+%if %{defined _distconfdir}
 # Migration to /usr/etc, restore just created .rpmsave
 for i in sssd/sssd.conf logrotate.d/sssd pam.d/sssd-shadowutils ; do
-	test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i" || :
+	test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
 done
 %endif
 # Migrate sssd.service from sssd-common to sssd
@ -591,7 +713,7 @@ fi
 %_unitdir/sssd-pac.socket
 %_unitdir/sssd-pac.service
 %_unitdir/sssd-pam.socket
-%_unitdir/sssd-pam-priv.socket
+#%_unitdir/sssd-pam-priv.socket
 %_unitdir/sssd-pam.service
 %_unitdir/sssd-ssh.socket
 %_unitdir/sssd-ssh.service
@ -653,32 +775,32 @@ fi
 %_libexecdir/%name/sssd_autofs
 %_libexecdir/%name/sssd_be
 %_libexecdir/%name/sssd_nss
-%_libexecdir/%name/sssd_pam
+%attr(0750,root,%{sssd_user}) %caps(cap_dac_read_search=p) %{_libexecdir}/%{name}/sssd_pam
 %_libexecdir/%name/sssd_ssh
 %_libexecdir/%name/sssd_sudo
 %_libexecdir/%name/sss_signal
 %_libexecdir/%name/sssd_check_socket_activated_responders
 %if 0%{?suse_version} >= 1600
-%_libexecdir/%name/selinux_child
+%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{name}/selinux_child
 %endif
-%dir %sssdstatedir
-%attr(700,root,root) %dir %dbpath/
-%attr(755,root,root) %dir %pipepath/
-%attr(700,root,root) %dir %pipepath/private/
-%attr(755,root,root) %dir %pubconfpath/
-%attr(755,root,root) %dir %pubconfpath/krb5.include.d
-%attr(755,root,root) %dir %gpocachepath/
-%attr(755,root,root) %dir %sssdstatedir/mc/
-%attr(700,root,root) %dir %sssdstatedir/keytabs/
-%attr(750,root,root) %dir %_localstatedir/log/%name/
-%if %{?_distconfdir:1}
-%dir %_distconfdir/sssd/
-%%dir %_distconfdir/sssd/conf.d
-%config(noreplace) %_distconfdir/sssd/sssd.conf
+%attr(775,%{sssd_user},%{sssd_user}) %dir %{sssdstatedir}
+%attr(770,%{sssd_user},%{sssd_user}) %dir %{dbpath}
+%attr(775,%{sssd_user},%{sssd_user}) %dir %{mcpath}
+%attr(775,%{sssd_user},%{sssd_user}) %dir %{pipepath}
+%attr(770,%{sssd_user},%{sssd_user}) %dir %{pipepath}/private
+%attr(775,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}
+%attr(775,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d
+%attr(770,%{sssd_user},%{sssd_user}) %dir %{gpocachepath}
+%attr(770,%{sssd_user},%{sssd_user}) %dir %{keytabdir}
+%attr(750,%{sssd_user},%{sssd_user}) %dir %{_localstatedir}/log/%name/
+%if %{defined _distconfdir}
+%attr(750,%{sssd_user},%{sssd_user}) %dir %{_distconfdir}/sssd
+%attr(750,%{sssd_user},%{sssd_user}) %dir %{_distconfdir}/sssd/conf.d
+%ghost %attr(0600,%{sssd_user},%{sssd_user}) %{_distconfdir}/sssd/sssd.conf
 %else
-%dir %_sysconfdir/sssd/
-%%dir %_sysconfdir/sssd/conf.d
-%config(noreplace) %_sysconfdir/sssd/sssd.conf
+%attr(750,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd
+%attr(750,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/conf.d
+%ghost %attr(0600,%{sssd_user},%{sssd_user}) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
 %endif
 %if 0%{?suse_version} > 1500
 %_distconfdir/logrotate.d/sssd
@ -697,11 +819,13 @@ fi
 %else
 %exclude %_mandir/*/*/sssd-files.5.gz
 %endif
+%attr(775,%{sssd_user},%{sssd_user}) %ghost %dir %{_rundir}/sssd
 %doc src/examples/sssd.conf
+%{_sysusersdir}/sssd.conf
 #
 # sssd-client
 #
-/%_lib/libnss_sss.so.2
+%{_libdir}/libnss_sss.so.2
 %_pam_moduledir/pam_sss.so
 %_pam_moduledir/pam_sss_gss.so
 %_libdir/krb5/
@ -718,12 +842,10 @@ fi
 %_mandir/man8/sssd_krb5_localauth_plugin.8*
 %_mandir/??/man8/sssd_krb5_localauth_plugin.8*
 %_mandir/man8/sssd_krb5_locator_plugin.8*
-# cifs idmap plugin
-%dir %_sysconfdir/cifs-utils
-%cifs_idmap_plugin
+#%dir %_sysconfdir/cifs-utils
+#%_sysconfdir/cifs-utils/idmap-plugin
 %dir %_libdir/cifs-utils
-%cifs_idmap_lib
-%ghost %_sysconfdir/alternatives/%cifs_idmap_name
+%_libdir/cifs-utils/cifs_idmap_sss.so

 %files ad
 %dir %_libdir/%name/
@ -786,8 +908,11 @@ fi
 %dir %_libdir/%name/
 %_libdir/%name/libsss_krb5_common.so
 %dir %_libexecdir/%name/
-%_libexecdir/%name/krb5_child
-%_libexecdir/%name/ldap_child
+%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{name}/ldap_child
+%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{name}/krb5_child
+
+%files polkit-rules
+%{_datadir}/polkit-1/rules.d/sssd-pcsc.rules

 %files ldap
 %dir %_libdir/%name/
@ -804,7 +929,7 @@ fi
 %dir %_libdir/%name/
 %_libdir/%name/libsss_proxy.so
 %dir %_libexecdir/%name/
-%_libexecdir/%name/proxy_child
+%attr(0750,root,%{sssd_user}) %{_libexecdir}/%{name}/proxy_child
 %dir %_datadir/%name/
 %dir %_datadir/%name/sssd.api.d/
 %_datadir/%name/sssd.api.d/sssd-proxy.conf
--- a/sssd.sysusers
+++ b/sssd.sysusers
@ -0,0 +1,2 @@
+# Type Name ID GECOS [HOME] [SHELL]
+u     sssd   -   "User for sssd"     /run/sssd/      /sbin/nologin
				`@ -0,0 +1 @@`
				`addFilter("binary-or-shlib-calls-gethostbyname")`