diff --git a/0001-Remove-versions-checks-that-need-updating-every-iter.patch b/0001-Remove-versions-checks-that-need-updating-every-iter.patch new file mode 100644 index 0000000..2ecd592 --- /dev/null +++ b/0001-Remove-versions-checks-that-need-updating-every-iter.patch @@ -0,0 +1,25 @@ +From f3ee55182600b2731b21bbdabbc5c891202f6dbb Mon Sep 17 00:00:00 2001 +From: Jan Engelhardt +Date: Fri, 15 Feb 2019 17:20:47 +0100 +Subject: [PATCH 1/4] Remove versions checks that need updating every + iteration. + +--- + src/external/pac_responder.m4 | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4 +index 90727185b..af9fded6f 100644 +--- a/src/external/pac_responder.m4 ++++ b/src/external/pac_responder.m4 +@@ -11,6 +11,7 @@ then + AC_MSG_CHECKING(for supported MIT krb5 version) + KRB5_VERSION="`$KRB5_CONFIG --version`" + case $KRB5_VERSION in ++ *|\ + Kerberos\ 5\ release\ 1.9* | \ + Kerberos\ 5\ release\ 1.10* | \ + Kerberos\ 5\ release\ 1.11* | \ +-- +2.46.1 + diff --git a/0002-Harden-sssd-ifp.service.patch b/0002-Harden-sssd-ifp.service.patch new file mode 100644 index 0000000..a168400 --- /dev/null +++ b/0002-Harden-sssd-ifp.service.patch 
@@ -0,0 +1,36 @@ +From 7889dbb390091f0be5fea8f915fab68020556de7 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Wed, 16 Oct 2024 14:03:06 +0200 +Subject: [PATCH 2/4] Harden sssd-ifp.service + +--- + src/sysv/systemd/sssd-ifp.service.in | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/src/sysv/systemd/sssd-ifp.service.in b/src/sysv/systemd/sssd-ifp.service.in +index 1ab163392..c8d6dc9ae 100644 +--- a/src/sysv/systemd/sssd-ifp.service.in ++++ b/src/sysv/systemd/sssd-ifp.service.in +@@ -5,6 +5,19 @@ After=sssd.service + BindsTo=sssd.service + + [Service] ++# added automatically, for details please see ++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort ++ProtectSystem=full ++ProtectHome=true ++PrivateDevices=true ++ProtectHostname=true ++ProtectClock=true ++ProtectKernelTunables=true ++ProtectKernelModules=true ++ProtectKernelLogs=true ++ProtectControlGroups=true ++RestrictRealtime=true ++# end of automatic additions + Environment=DEBUG_LOGGER=--logger=files + EnvironmentFile=-@environment_file@ + Type=dbus +-- +2.46.1 + diff --git a/harden_sssd-kcm.service.patch b/0003-Harden-sssd-kcm.service.patch similarity index 56% rename from harden_sssd-kcm.service.patch rename to 0003-Harden-sssd-kcm.service.patch index 6526831..24e0ac1 100644 --- a/harden_sssd-kcm.service.patch +++ b/0003-Harden-sssd-kcm.service.patch 
@@ -1,11 +1,16 @@ +From 1fea2a4039f9e838554abe17bbf1513a8f99f348 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Wed, 16 Oct 2024 14:05:02 +0200 +Subject: [PATCH 3/4] Harden sssd-kcm.service + --- - src/sysv/systemd/sssd-kcm.service.in | 13 +++++++++++++ + src/sysv/systemd/sssd-kcm.service.in | 13 +++++++++++++ 1 file changed, 13 insertions(+) -Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in -=================================================================== ---- sssd-2.10.0.orig/src/sysv/systemd/sssd-kcm.service.in -+++ sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in +diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in +index 0c839ec5c..b403cd709 100644 +--- a/src/sysv/systemd/sssd-kcm.service.in ++++ b/src/sysv/systemd/sssd-kcm.service.in @@ -8,6 +8,19 @@ After=sssd-kcm.socket Also=sssd-kcm.socket @@ -22,7 +27,10 @@ Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in +ProtectKernelLogs=true +ProtectControlGroups=true +RestrictRealtime=true -+# end of automatic additions ++# end of automatic additions Environment=DEBUG_LOGGER=--logger=files ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@ ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf +-- +2.46.1 + diff --git a/symvers.patch b/0004-Add-symvers.patch similarity index 74% rename from symvers.patch rename to 0004-Add-symvers.patch index ab19be6..6a9b63f 100644 --- a/symvers.patch +++ b/0004-Add-symvers.patch @@ -1,25 +1,25 @@ +From 20c2e36a1a98a5fc648d16389fc9861eb61768d3 Mon Sep 17 00:00:00 2001 
From: Jan Engelhardt -Date: 2022-12-22 00:09:20.375896408 +0100 -References: https://bugzilla.suse.com/show_bug.cgi?id=1206592 +Date: Thu, 22 Dec 2022 00:09:20 +0100 +Subject: [PATCH 4/4] Add symvers The theory for this sssd crash is that during rpm upgrading it, sssd-2.8.2 gets installed, %post runs to restart it, but oh no, -sssd-ldap-2.7.4 is still in the system. sssd_be(-2.8.2) then falls -over its feet when it loads 2.7.4 .so files. Addin symvers like below -should prevent this and pin the modules to another: sssd_be's attempt -to dlopen libsss_ldap.so(-2.7.4) will fail because -libsss_ldap.so(-2.7.4) cannot find a libsss_util.so(-2.7.4), since -the system only has libsss_util.so(-2.8.2) at this point. - +sssd-ldap-2.7.4 is still in the system. sssd_be(-2.8.2) then falls over +its feet when it loads 2.7.4 .so files. Addin symvers like below should +prevent this and pin the modules to another: sssd_be's attempt to dlopen +libsss_ldap.so(-2.7.4) will fail because libsss_ldap.so(-2.7.4) cannot +find a libsss_util.so(-2.7.4), since the system only has +libsss_util.so(-2.8.2) at this point. --- - Makefile.am | 47 ++++++++++++++++++++++++++++++++--------------- + Makefile.am | 47 ++++++++++++++++++++++++++++++++--------------- 1 file changed, 32 insertions(+), 15 deletions(-) -Index: sssd-2.9.2/Makefile.am -=================================================================== ---- sssd-2.9.2.orig/Makefile.am -+++ sssd-2.9.2/Makefile.am -@@ -955,7 +955,11 @@ libsss_debug_la_SOURCES = \ +diff --git a/Makefile.am b/Makefile.am +index 839b25eae..e79da4a40 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -964,7 +964,11 @@ libsss_debug_la_SOURCES = \ libsss_debug_la_LIBADD = \ $(SYSLOG_LIBS) libsss_debug_la_LDFLAGS = \ 
@@ -32,7 +32,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_child.la libsss_child_la_SOURCES = src/util/child_common.c -@@ -965,7 +969,8 @@ libsss_child_la_LIBADD = \ +@@ -974,7 +978,8 @@ libsss_child_la_LIBADD = \ $(DHASH_LIBS) \ libsss_debug.la \ $(NULL) @@ -42,7 +42,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_crypt.la -@@ -1004,7 +1009,8 @@ libsss_crypt_la_LIBADD = \ +@@ -1014,7 +1019,8 @@ libsss_crypt_la_LIBADD = \ libsss_debug.la \ $(NULL) libsss_crypt_la_LDFLAGS = \ @@ -52,7 +52,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_cert.la -@@ -1029,8 +1035,9 @@ libsss_cert_la_LIBADD = \ +@@ -1039,8 +1045,9 @@ libsss_cert_la_LIBADD = \ libsss_debug.la \ $(NULL) libsss_cert_la_LDFLAGS = \ @@ -63,7 +63,7 @@ Index: sssd-2.9.2/Makefile.am generate-sbus-code: $(builddir)/sbus_generate.sh $(abs_srcdir) -@@ -1131,8 +1138,9 @@ libsss_sbus_la_CFLAGS = \ +@@ -1141,8 +1148,9 @@ libsss_sbus_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libsss_sbus_la_LDFLAGS = \ @@ -74,7 +74,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_sbus_sync.la libsss_sbus_sync_la_SOURCES = \ -@@ -1167,8 +1175,9 @@ libsss_sbus_sync_la_CFLAGS = \ +@@ -1177,8 +1185,9 @@ libsss_sbus_sync_la_CFLAGS = \ $(UNICODE_LIBS) \ $(NULL) libsss_sbus_sync_la_LDFLAGS = \ @@ -85,7 +85,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_iface.la libsss_iface_la_SOURCES = \ -@@ -1197,8 +1206,9 @@ libsss_iface_la_CFLAGS = \ +@@ -1207,8 +1216,9 @@ libsss_iface_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libsss_iface_la_LDFLAGS = \ @@ -96,7 +96,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_iface_sync.la libsss_iface_sync_la_SOURCES = \ -@@ -1225,8 +1235,9 @@ libsss_iface_sync_la_CFLAGS = \ +@@ -1235,8 +1245,9 @@ libsss_iface_sync_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libsss_iface_sync_la_LDFLAGS = \ 
@@ -107,7 +107,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_util.la libsss_util_la_SOURCES = \ -@@ -1322,7 +1333,8 @@ endif +@@ -1333,7 +1344,8 @@ endif if BUILD_PASSKEY libsss_util_la_SOURCES += src/db/sysdb_passkey_user_verification.c endif # BUILD_PASSKEY @@ -117,7 +117,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libsss_semanage.la libsss_semanage_la_CFLAGS = \ -@@ -1341,7 +1353,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_ +@@ -1352,7 +1364,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_LIBS) endif libsss_semanage_la_LDFLAGS = \ @@ -127,7 +127,7 @@ Index: sssd-2.9.2/Makefile.am SSSD_INTERNAL_LTLIBS = \ libsss_util.la \ -@@ -1357,7 +1370,7 @@ lib_LTLIBRARIES = libipa_hbac.la \ +@@ -1368,7 +1381,7 @@ lib_LTLIBRARIES = libipa_hbac.la \ $(NULL) pkgconfig_DATA += src/lib/ipa_hbac/ipa_hbac.pc @@ -136,7 +136,7 @@ Index: sssd-2.9.2/Makefile.am libipa_hbac_la_SOURCES = \ src/lib/ipa_hbac/hbac_evaluator.c \ src/util/sss_utf8.c -@@ -1688,8 +1701,9 @@ libifp_iface_la_CFLAGS = \ +@@ -1691,8 +1704,9 @@ libifp_iface_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libifp_iface_la_LDFLAGS = \ @@ -147,7 +147,7 @@ Index: sssd-2.9.2/Makefile.am pkglib_LTLIBRARIES += libifp_iface_sync.la libifp_iface_sync_la_SOURCES = \ -@@ -1714,8 +1728,9 @@ libifp_iface_sync_la_CFLAGS = \ +@@ -1717,8 +1731,9 @@ libifp_iface_sync_la_CFLAGS = \ $(DBUS_CFLAGS) \ $(NULL) libifp_iface_sync_la_LDFLAGS = \ @@ -158,7 +158,7 @@ Index: sssd-2.9.2/Makefile.am sssd_ifp_SOURCES = \ src/responder/ifp/ifpsrv.c \ -@@ -4314,8 +4329,9 @@ libsss_ldap_common_la_LIBADD = \ +@@ -4352,8 +4367,9 @@ libsss_ldap_common_la_LIBADD = \ $(SSSD_INTERNAL_LTLIBS) \ $(NULL) libsss_ldap_common_la_LDFLAGS = \ 
@@ -169,7 +169,7 @@ Index: sssd-2.9.2/Makefile.am if BUILD_SYSTEMTAP libsss_ldap_common_la_LIBADD += stap_generated_probes.lo endif -@@ -4372,7 +4388,8 @@ libsss_krb5_common_la_LIBADD = \ +@@ -4410,7 +4426,8 @@ libsss_krb5_common_la_LIBADD = \ $(SSSD_INTERNAL_LTLIBS) \ $(NULL) libsss_krb5_common_la_LDFLAGS = \ @@ -179,3 +179,6 @@ Index: sssd-2.9.2/Makefile.am libsss_ldap_la_SOURCES = \ src/providers/ldap/ldap_init.c \ +-- +2.46.1 + diff --git a/0001-sssd-always-print-path-when-config-object-is-rejecte.patch b/0005-sssd-always-print-path-when-config-object-is-rejecte.patch similarity index 70% rename from 0001-sssd-always-print-path-when-config-object-is-rejecte.patch rename to 0005-sssd-always-print-path-when-config-object-is-rejecte.patch index 5ea6697..f1c2765 100644 --- a/0001-sssd-always-print-path-when-config-object-is-rejecte.patch +++ b/0005-sssd-always-print-path-when-config-object-is-rejecte.patch @@ -1,8 +1,7 @@ -From 338638cd5f374e0699d7b7495a5fa8f25511fa55 Mon Sep 17 00:00:00 2001 +From 2b7915dd84a6b8c3ee26e45357283677fe22f2cb Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Wed, 16 Oct 2024 09:55:50 +0200 Subject: [PATCH] sssd: always print path when config object is rejected -References: https://github.com/SSSD/sssd/pull/7649 Observed: 
@@ -15,27 +14,13 @@ Oct 16 09:44:04 a4 sssd[28717]: Failed to read configuration: 'File ownership an Expected: _Well yes, but **which one**_!? ---- - src/monitor/monitor.c | 4 ++-- - src/util/sss_ini.c | 14 ++++++++------ - 2 files changed, 10 insertions(+), 8 deletions(-) -diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c -index e17b0e416..f67e4446f 100644 ---- a/src/monitor/monitor.c -+++ b/src/monitor/monitor.c -@@ -1931,9 +1931,9 @@ int main(int argc, const char *argv[]) - ret = confdb_read_ini(tmp_ctx, config_file, CONFDB_DEFAULT_CONFIG_DIR, false, - &config); - if (ret != EOK) { -- ERROR("Can't read config: '%s'\n", sss_strerror(ret)); -+ ERROR("Cannot read config %s: '%s'\n", config_file, sss_strerror(ret)); - sss_log(SSS_LOG_ALERT, -- "Failed to read configuration: '%s'", sss_strerror(ret)); -+ "Failed to read configuration %s: '%s'", config_file, sss_strerror(ret)); - ret = 3; - goto out; - } +Reviewed-by: Alexey Tikhonov +Reviewed-by: Justin Stephenson +--- + src/util/sss_ini.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c index 7f9824d88..2a611eb8c 100644 --- a/src/util/sss_ini.c diff --git a/harden_sssd-ifp.service.patch b/harden_sssd-ifp.service.patch deleted file mode 100644 index 250a49f..0000000 --- a/harden_sssd-ifp.service.patch +++ /dev/null 
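Review bot: The regenerated patch drops the entire `src/monitor/monitor.c` hunk, so the monitor's `Cannot read config` error and the `SSS_LOG_ALERT` message no longer receive the `config_file` argument the previous version of this patch added; only the `src/util/sss_ini.c` part survives. If that is deliberate (the added `Reviewed-by:` trailers suggest this is the form the change was merged in upstream, but that is inferred), the sssd.changes entry should say so, because the operator-facing message naming the rejected file was the point of the patch. A changelog line such as `  0005 now carries only the sss_ini.c part; the monitor.c message change was dropped` would make the reduction visible to whoever debugs a rejected config next.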
@@ -1,24 +0,0 @@ -Index: sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in -=================================================================== ---- sssd-2.5.2.orig/src/sysv/systemd/sssd-ifp.service.in -+++ sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in -@@ -5,6 +5,19 @@ After=sssd.service - BindsTo=sssd.service - - [Service] -+# added automatically, for details please see -+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort -+ProtectSystem=full -+ProtectHome=true -+PrivateDevices=true -+ProtectHostname=true -+ProtectClock=true -+ProtectKernelTunables=true -+ProtectKernelModules=true -+ProtectKernelLogs=true -+ProtectControlGroups=true -+RestrictRealtime=true -+# end of automatic additions - Environment=DEBUG_LOGGER=--logger=files - EnvironmentFile=-@environment_file@ - Type=dbus diff --git a/krb-noversion.diff b/krb-noversion.diff deleted file mode 100644 index 3dea2c2..0000000 --- a/krb-noversion.diff +++ /dev/null @@ -1,20 +0,0 @@ -From: Jan Engelhardt -Date: 2019-02-15 17:20:47.842813210 +0100 - -Remove versions checks that need updating every iteration. ---- - src/external/pac_responder.m4 | 1 + - 1 file changed, 1 insertion(+) - -Index: sssd-2.0.0/src/external/pac_responder.m4 -=================================================================== ---- sssd-2.0.0.orig/src/external/pac_responder.m4 -+++ sssd-2.0.0/src/external/pac_responder.m4 -@@ -11,6 +11,7 @@ then - AC_MSG_CHECKING(for supported MIT krb5 version) - KRB5_VERSION="`$KRB5_CONFIG --version`" - case $KRB5_VERSION in -+ *|\ - Kerberos\ 5\ release\ 1.9* | \ - Kerberos\ 5\ release\ 1.10* | \ - Kerberos\ 5\ release\ 1.11* | \ diff --git a/sssd-rpmlintrc b/sssd-rpmlintrc new file mode 100644 index 0000000..0962594 --- /dev/null +++ b/sssd-rpmlintrc @@ -0,0 +1 @@ +addFilter("binary-or-shlib-calls-gethostbyname") diff --git a/sssd.changes b/sssd.changes index 97bef57..b58785d 100644 --- a/sssd.changes +++ b/sssd.changes 
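Review bot: `addFilter("binary-or-shlib-calls-gethostbyname")` silences the warning for every binary in the package, so a future regression in a different binary would be hidden as well. rpmlint filters are regular expressions matched against the whole message line, so the filter can be anchored to the binary that actually triggers it (which one is not visible here), e.g. `addFilter("binary-or-shlib-calls-gethostbyname .*/<PLACEHOLDER_BINARY>")`. A one-line comment above it recording where the `gethostbyname` call comes from and why it is tolerated would tell the next maintainer when the filter can be removed.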
@@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Wed Oct 16 14:52:05 UTC 2024 - Samuel Cabrero + +- Daemon runs now as unprivileged user 'sssd' +- Add sssd.permissions to set capabilities +- Fix socket activation of responders +- Renamed patches: + krb-noversion.diff -> 0001-Remove-versions-checks-that-need-updating-every-iter.patch + harden_sssd-ifp.service.patch -> 0002-Harden-sssd-ifp.service.patch + harden_sssd-kcm.service.patch -> 0003-Harden-sssd-kcm.service.patch + symvers.patch -> 0004-Add-symvers.patch + 0001-sssd-always-print-path-when-config-object-is-rejecte.patch -> + 0005-sssd-always-print-path-when-config-object-is-rejecte.patch + ------------------------------------------------------------------- Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt diff --git a/sssd.permissions b/sssd.permissions new file mode 100644 index 0000000..8a20ff8 --- /dev/null +++ b/sssd.permissions @@ -0,0 +1,11 @@ +/usr/libexec/sssd/sssd_pam root:sssd 0750 + +capabilities cap_dac_read_search=p + +/usr/libexec/sssd/selinux_child root:sssd 0750 + +capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep + +/usr/libexec/sssd/krb5_child root:sssd 0750 + +capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep + +/usr/libexec/sssd/ldap_child root:sssd 0750 + +capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep diff --git a/sssd.spec b/sssd.spec index 867b56e..227b38e 100644 --- a/sssd.spec +++ b/sssd.spec 
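Review bot: sssd.permissions repeats as literals two values the spec defines symbolically, the group `sssd` (`%global sssd_user sssd`) and the capability set `cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep` (`%define child_capabilities`), and the spec's comment only mentions the user name. A header comment in this file would make the coupling explicit, e.g. `# Ownership and capabilities must match the %attr/%caps entries in sssd.spec (see %global sssd_user and %define child_capabilities)`. Since this file is what the permissions package applies on the installed system, a drift between the two sources would silently change which processes can exec the children and with which capabilities.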
@@ -28,11 +28,14 @@ Source: https://github.com/SSSD/sssd/releases/download/%version/%name-%v Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc Source3: baselibs.conf Source5: %name.keyring -Patch1: krb-noversion.diff -Patch2: harden_sssd-ifp.service.patch -Patch3: harden_sssd-kcm.service.patch -Patch4: symvers.patch -Patch5: 0001-sssd-always-print-path-when-config-object-is-rejecte.patch +Source6: sssd.sysusers +Source7: sssd.permissions +Patch1: 0001-Remove-versions-checks-that-need-updating-every-iter.patch +Patch2: 0002-Harden-sssd-ifp.service.patch +Patch3: 0003-Harden-sssd-kcm.service.patch +Patch4: 0004-Add-symvers.patch +Patch5: 0005-sssd-always-print-path-when-config-object-is-rejecte.patch + BuildRequires: autoconf >= 2.59 BuildRequires: automake BuildRequires: bind-utils @@ -66,13 +69,14 @@ BuildRequires: pkgconfig(dhash) >= 0.4.2 BuildRequires: pkgconfig(glib-2.0) BuildRequires: pkgconfig(ini_config) >= 1.3 BuildRequires: pkgconfig(jansson) -BuildRequires: pkgconfig(ldb) >= 0.9.2 +BuildRequires: pkgconfig(ldb) >= 1.2.0 BuildRequires: pkgconfig(libcap) BuildRequires: pkgconfig(libcares) BuildRequires: pkgconfig(libcrypto) >= 1.0.1 %if 0%{?suse_version} >= 1600 BuildRequires: pkgconfig(libcurl) %endif +BuildRequires: pkgconfig(libcap) BuildRequires: pkgconfig(libnfsidmap) BuildRequires: pkgconfig(libnl-3.0) >= 3.0 BuildRequires: pkgconfig(libnl-route-3.0) >= 3.0 @@ -80,6 +84,9 @@ BuildRequires: pkgconfig(libpcre2-8) %if 0%{?suse_version} >= 1600 BuildRequires: pkgconfig(libsemanage) %endif +BuildRequires: polkit +BuildRequires: sysuser-shadow +BuildRequires: sysuser-tools BuildRequires: pkgconfig(libsystemd) BuildRequires: pkgconfig(ndr_krb5pac) BuildRequires: pkgconfig(ndr_nbt) 
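Review bot: `BuildRequires: pkgconfig(libcap)` is added in the `@@ -66,13 +69,14 @@` hunk although the identical line already exists a few lines above in the unchanged context, so the new line is a duplicate and can be dropped. The same hunk and `@@ -80,6 +84,9 @@` insert `polkit`, `sysuser-shadow` and `sysuser-tools` in the middle of the alphabetically sorted `pkgconfig(...)` run; moving them next to the other unqualified BuildRequires keeps the list scannable. The `@@ -100,6 +107,9 @@` hunk on the following line adds `%sysusers_requires` directly below an existing `%sysusers_requires`, which is the same kind of duplicate.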
@@ -100,6 +107,9 @@ BuildRequires: pkgconfig(uuid) %endif %sysusers_requires %{?systemd_ordering} +%sysusers_requires +Requires(pre): permissions +Requires(post): permissions Requires: sssd-ldap = %version-%release Requires(postun): pam-config Provides: libsss_sudo = %version-%release @@ -108,13 +118,20 @@ Obsoletes: libsss_sudo < %version-%release Provides: sssd-common = %version-%release Obsoletes: sssd-common < %version-%release +# Adjust sssd.permissions if the user changes +%global sssd_user sssd + %define servicename sssd %define sssdstatedir %_localstatedir/lib/sss %define dbpath %sssdstatedir/db %define pipepath %sssdstatedir/pipes %define pubconfpath %sssdstatedir/pubconf %define gpocachepath %sssdstatedir/gpo_cache +%define keytabdir %sssdstatedir/keytabs +%define mcpath %sssdstatedir/mc +%define deskprofilepath %sssdstatedir/deskprofile %define ldbdir %(pkg-config ldb --variable=modulesdir) +%define child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep # Both SSSD and cifs-utils provide an idmap plugin for cifs.ko # %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins @@ -155,6 +172,18 @@ Requires: %name = %version D-Bus responder of sssd, called InfoPipe, which allows information from sssd to be transmitted over the system bus. +%package polkit-rules +Summary: Rules for polkit integration for SSSD +Group: System/Daemons +License: GPL-3.0-or-later +Requires: %{name} = %{version}-%{release} +Requires: polkit >= 0.106 +BuildArch: noarch + +%description polkit-rules +Provides rules for polkit integration with SSSD. This is required +for smartcard support. + %package ipa Summary: FreeIPA backend plugin for sssd License: GPL-3.0-or-later 
@@ -194,6 +223,8 @@ Summary: SSSD helpers needed for Kerberos and GSSAPI authentication License: GPL-3.0-or-later Group: System/Daemons Requires: cyrus-sasl-gssapi +Requires(pre): permissions +Requires(post): permissions %description krb5-common Provides helper processes that the LDAP and Kerberos back ends can @@ -404,14 +435,15 @@ autoreconf -fiv --with-environment-file="%_sysconfdir/sysconfig/sssd" \ --with-initscript=systemd \ --with-syslog=journald \ - --with-pid-path="%_rundir" \ - --enable-nsslibdir="/%_lib" \ + --with-pid-path="%_rundir/sssd/" \ + --enable-nsslibdir="%_libdir" \ --enable-pammoddir="%_pam_moduledir" \ --with-ldb-lib-dir="%ldbdir" \ --with-os=suse \ --disable-ldb-version-check \ --without-python2-bindings \ --without-oidc-child \ + --with-sssd-user=%{sssd_user} \ %if 0%{?suse_version} >= 1600 --with-selinux=yes \ --with-subid @@ -422,6 +454,8 @@ autoreconf -fiv %endif %make_build all +%sysusers_generate_pre %{SOURCE6} %{name} %{name}.conf + %install # sss_obfuscate is compatible with both Python 2 and 3 perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate 
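Review bot: `%sysusers_generate_pre %{SOURCE6} %{name} %{name}.conf` in `%build` generates a `%{name}.pre` snippet, but the `@@ -461,23 +495,30 @@` hunk replaces `%pre -f random.pre` with a plain `%pre` that calls `%sysusers_create_package %{name} %SOURCE6` instead, so the generated snippet is never consumed. Pick one mechanism: either keep `%sysusers_generate_pre` and write `%pre -f %{name}.pre`, or drop the `%build` line and rely on `%sysusers_create_package` in every scriptlet. Whether both macros exist on every target this spec still builds for (it keeps `suse_version < 1600` branches) is not visible here and is worth confirming before choosing.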
@@ -461,23 +495,30 @@ mkdir -pv "$b/%_sysconfdir/alternatives" "$b/%_sysconfdir/cifs-utils" ln -sfv "%_sysconfdir/alternatives/%cifs_idmap_name" "$b/%cifs_idmap_plugin" %python3_fix_shebang %if 0%{?suse_version} > 1600 -%python3_fix_shebang_path %buildroot/%_libexecdir/%name/ +%python3_fix_shebang_path %{buildroot}/%{_libexecdir}/%{name}/sss_analyze %elif 0%{?suse_version} == 1600 # python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204 sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analyze" %endif -echo 'u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin' >system-user-sssd.conf -mkdir -p "$b/%_sysusersdir" -cp -a system-user-sssd.conf "$b/%_sysusersdir/" -%sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf +install -D -p -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/%{name}.conf +install -D -p -m 0644 contrib/sssd-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/%{name}.conf +install -D -p -m 0644 %{SOURCE7} %{buildroot}%{_sysconfdir}/permissions.d/%{name} %check # sss_config-tests fails %make_build check || : -%pre -f random.pre +%pre +%sysusers_create_package %{name} %SOURCE6 %service_add_pre sssd.service +%service_add_pre sssd-autofs.service sssd-autofs.socket +%service_add_pre sssd-nss.service sssd-nss.socket +%service_add_pre sssd-pac.service sssd-pac.socket +%service_add_pre sssd-pam.service sssd-pam.socket +%service_add_pre sssd-ssh.service sssd-ssh.socket +%service_add_pre sssd-sudo.service sssd-sudo.socket + %if "%{?_distconfdir}" != "" # Prepare for migration to /usr/etc; save any old .rpmsave for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do 
@@ -492,12 +533,37 @@ if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then /bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' "%_sysconfdir/sssd/sssd.conf" fi %service_add_post sssd.service +%service_add_post sssd-autofs.service sssd-autofs.socket +%service_add_post sssd-nss.service sssd-nss.socket +%service_add_post sssd-pac.service sssd-pac.socket +%service_add_post sssd-pam.service sssd-pam.socket +%service_add_post sssd-ssh.service sssd-ssh.socket +%service_add_post sssd-sudo.service sssd-sudo.socket + +%{_bindir}/rm -f %{mcpath}/passwd +%{_bindir}/rm -f %{mcpath}/group +%{_bindir}/rm -f %{mcpath}/initgroups +%{_bindir}/rm -f %{mcpath}/sid +%{_bindir}/chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true +%{_bindir}/chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true +%{_bindir}/chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true +%{_bindir}/chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true + +%tmpfiles_create %{name}.conf +%set_permissions %_libexecdir/%{name}/selinux_child +%set_permissions %_libexecdir/%{name}/sssd_pam # install SSSD cifs-idmap plugin as an alternative update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority %preun %service_del_preun sssd.service +%service_del_preun sssd-autofs.service sssd-autofs.socket +%service_del_preun sssd-nss.service sssd-nss.socket +%service_del_preun sssd-pac.service sssd-pac.socket +%service_del_preun sssd-pam.service sssd-pam.socket +%service_del_preun sssd-ssh.service sssd-ssh.socket +%service_del_preun sssd-sudo.service sssd-sudo.socket %postun /sbin/ldconfig 
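Review bot: `%set_permissions %_libexecdir/%{name}/selinux_child` runs unconditionally in `%post`, but the `%files` hunk `@@ -660,32 +754,34 @@` packages `selinux_child` only under `%if 0%{?suse_version} >= 1600`, so on older targets the scriptlet names a path that is not installed; the `%verifyscript` added in `@@ -515,7 +587,13 @@` has the same mismatch with `%verify_permissions -e ... selinux_child`. Wrap both calls in the same `%if 0%{?suse_version} >= 1600` guard the `%files` section uses. The `chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d` line also deserves a short why-comment, e.g. `# daemon now runs as %{sssd_user}; config and caches must be readable by it`, since a reader would otherwise expect the config tree to stay root-owned.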
@@ -506,6 +572,12 @@ if [ "$1" = "0" ] && [ -x "%_sbindir/pam-config" ]; then fi # del_postun includes a try-restart %service_del_postun sssd.service +%service_del_postun sssd-autofs.service sssd-autofs.socket +%service_del_postun sssd-nss.service sssd-nss.socket +%service_del_postun sssd-pac.service sssd-pac.socket +%service_del_postun sssd-pam.service sssd-pam.socket +%service_del_postun sssd-ssh.service sssd-ssh.socket +%service_del_postun sssd-sudo.service sssd-sudo.socket if [ ! -f "%cifs_idmap_lib" ]; then update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib @@ -515,7 +587,13 @@ fi %ldconfig_scriptlets -n libipa_hbac0 %ldconfig_scriptlets -n libsss_idmap0 %ldconfig_scriptlets -n libsss_nss_idmap0 +%if 0%{?suse_version} < 1600 %ldconfig_scriptlets -n libsss_simpleifp0 +%endif + +%verifyscript +%verify_permissions -e %_libexecdir/%{name}/selinux_child +%verify_permissions -e %_libexecdir/%{name}/sssd_pam %triggerun -- %name < %version-%release # sssd takes care of upgrading the database but it doesn't handle downgrades. @@ -550,6 +628,22 @@ fi %postun kcm %service_del_postun sssd-kcm.service sssd-kcm.socket +%pre krb5-common +%sysusers_create_package %{name} %SOURCE6 +%sysusers_create_package %{name}-krb5-common %SOURCE6 + +%post krb5-common +%set_permissions %_libexecdir/%{name}/krb5_child +%set_permissions %_libexecdir/%{name}/ldap_child + +%verifyscript krb5-common +%verify_permissions -e %_libexecdir/%{name}/krb5_child +%verify_permissions -e %_libexecdir/%{name}/ldap_child + +%pre proxy +%sysusers_create_package %{name} %SOURCE6 +%sysusers_create_package %{name}-proxy %SOURCE6 + %pretrans # Migrate sssd.service from sssd-common to sssd systemctl is-enabled sssd.service > /dev/null 
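Review bot: `%pre krb5-common` calls `%sysusers_create_package` twice on the same `%SOURCE6`, once as `%{name}` and once as `%{name}-krb5-common`, and `%pre proxy` repeats the pattern; only `%{_sysusersdir}/sssd.conf` is packaged (see the `@@ -704,11 +800,14 @@` hunk), so the second invocation refers to a sysusers.d file no package ships. If the macro expands to a `systemd-sysusers --replace=` call keyed on that package name, as the systemd-provided macro does, the second call is redundant at best and misleading at worst. One call per scriptlet, `%sysusers_create_package %{name} %SOURCE6`, is enough, and a comment such as `# user must exist before rpm unpacks the root:%{sssd_user} files below` explains why a subpackage creates the user at all.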
@@ -660,32 +754,34 @@ fi %_libexecdir/%name/sssd_autofs %_libexecdir/%name/sssd_be %_libexecdir/%name/sssd_nss -%_libexecdir/%name/sssd_pam +%attr(0750,root,%{sssd_user}) %caps(cap_dac_read_search=p) %{_libexecdir}/%{name}/sssd_pam %_libexecdir/%name/sssd_ssh %_libexecdir/%name/sssd_sudo %_libexecdir/%name/sss_signal %_libexecdir/%name/sssd_check_socket_activated_responders %if 0%{?suse_version} >= 1600 -%_libexecdir/%name/selinux_child +%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{name}/selinux_child %endif %dir %sssdstatedir -%attr(700,root,root) %dir %dbpath/ -%attr(755,root,root) %dir %pipepath/ -%attr(700,root,root) %dir %pipepath/private/ -%attr(755,root,root) %dir %pubconfpath/ -%attr(755,root,root) %dir %pubconfpath/krb5.include.d -%attr(755,root,root) %dir %gpocachepath/ -%attr(755,root,root) %dir %sssdstatedir/mc/ -%attr(700,root,root) %dir %sssdstatedir/keytabs/ -%attr(750,root,root) %dir %_localstatedir/log/%name/ +%attr(700,%{sssd_user},%{sssd_user}) %dir %dbpath/ +%attr(755,%{sssd_user},%{sssd_user}) %dir %pipepath/ +%attr(700,%{sssd_user},%{sssd_user}) %dir %pipepath/private/ +%attr(755,%{sssd_user},%{sssd_user}) %dir %pubconfpath/ +%attr(755,%{sssd_user},%{sssd_user}) %dir %pubconfpath/krb5.include.d +%attr(755,%{sssd_user},%{sssd_user}) %dir %gpocachepath/ +%attr(755,%{sssd_user},%{sssd_user}) %dir %mcpath/ +%attr(700,%{sssd_user},%{sssd_user}) %dir %keytabdir/ +%attr(750,%{sssd_user},%{sssd_user}) %dir %_localstatedir/log/%name/ +%attr(775,%{sssd_user},%{sssd_user}) %dir %sssdstatedir/ +%config(noreplace) %_sysconfdir/permissions.d/sssd %if "%{?_distconfdir}" != "" -%dir %_distconfdir/sssd/ -%%dir %_distconfdir/sssd/conf.d -%config(noreplace) %_distconfdir/sssd/sssd.conf +%attr(750,%{sssd_user},%{sssd_user}) %dir %_distconfdir/sssd/ +%attr(750,%{sssd_user},%{sssd_user}) %dir %_distconfdir/sssd/conf.d +%attr(0600,%{sssd_user},%{sssd_user}) %_distconfdir/sssd/sssd.conf %else -%dir %_sysconfdir/sssd/ -%%dir 
%_sysconfdir/sssd/conf.d -%config(noreplace) %_sysconfdir/sssd/sssd.conf +%attr(750,%{sssd_user},%{sssd_user}) %dir %_sysconfdir/sssd/ +%attr(750,%{sssd_user},%{sssd_user}) %dir %_sysconfdir/sssd/conf.d +%ghost %attr(0600,%{sssd_user},%{sssd_user}) %config(noreplace) %_sysconfdir/sssd/sssd.conf %endif %if 0%{?suse_version} > 1500 %_distconfdir/logrotate.d/sssd @@ -704,11 +800,14 @@ fi %else %exclude %_mandir/*/*/sssd-files.5.gz %endif +%attr(775,%{sssd_user},%{sssd_user}) %ghost %dir %{_rundir}/sssd %doc src/examples/sssd.conf +%{_sysusersdir}/sssd.conf +%{_tmpfilesdir}/sssd.conf # # sssd-client # -/%_lib/libnss_sss.so.2 +%{_libdir}/libnss_sss.so.2 %_pam_moduledir/pam_sss.so %_pam_moduledir/pam_sss_gss.so %_libdir/krb5/ @@ -793,8 +892,11 @@ fi %dir %_libdir/%name/ %_libdir/%name/libsss_krb5_common.so %dir %_libexecdir/%name/ -%_libexecdir/%name/krb5_child -%_libexecdir/%name/ldap_child +%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %_libexecdir/%name/krb5_child +%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %_libexecdir/%name/ldap_child + +%files polkit-rules +%{_datadir}/polkit-1/rules.d/sssd-pcsc.rules %files ldap %dir %_libdir/%name/ @@ -811,7 +913,7 @@ fi %dir %_libdir/%name/ %_libdir/%name/libsss_proxy.so %dir %_libexecdir/%name/ -%_libexecdir/%name/proxy_child +%attr(0750,root,%{sssd_user}) %_libexecdir/%name/proxy_child %dir %_datadir/%name/ %dir %_datadir/%name/sssd.api.d/ %_datadir/%name/sssd.api.d/sssd-proxy.conf diff --git a/sssd.sysusers b/sssd.sysusers new file mode 100644 index 0000000..43a2328 --- /dev/null +++ b/sssd.sysusers @@ -0,0 +1 @@ +u sssd - "System Security Services Daemon" /run/sssd/ /sbin/nologin
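Review bot: `%dir %sssdstatedir` is now listed twice in `%files`: the unchanged `%dir %sssdstatedir` context line remains while `%attr(775,%{sssd_user},%{sssd_user}) %dir %sssdstatedir/` is added below it, so rpmbuild will report the directory as listed twice and which attributes win depends on ordering; drop the plain `%dir %sssdstatedir` line. Separately, the `%else` branch turns `%_sysconfdir/sssd/sssd.conf` into `%ghost %attr(0600,...) %config(noreplace)`, which means the package no longer installs that file on targets without `_distconfdir` (only `%doc src/examples/sssd.conf` remains); if that is intended it belongs in the sssd.changes entry, and if not the `%ghost` should go. The enclosing `%files` section starts before this hunk.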