Update for sssd 2.10.0

* Run as sssd user
* Set capabilities
* Fix rundir, pid file wasn't created
* Rename patches

Signed-off-by: Samuel Cabrero <scabrero@suse.de>

0001-Remove-versions-checks-that-need-updating-every-iter.patch

@@ -0,0 +1,25 @@
+From f3ee55182600b2731b21bbdabbc5c891202f6dbb Mon Sep 17 00:00:00 2001
+From: Jan Engelhardt <jengelh@inai.de>
+Date: Fri, 15 Feb 2019 17:20:47 +0100
+Subject: [PATCH 1/4] Remove versions checks that need updating every
+ iteration.
+
+---
+ src/external/pac_responder.m4 | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4
+index 90727185b..af9fded6f 100644
+--- a/src/external/pac_responder.m4
++++ b/src/external/pac_responder.m4
+@@ -11,6 +11,7 @@ then
+     AC_MSG_CHECKING(for supported MIT krb5 version)
+     KRB5_VERSION="`$KRB5_CONFIG --version`"
+     case $KRB5_VERSION in
++        *|\
+         Kerberos\ 5\ release\ 1.9* | \
+         Kerberos\ 5\ release\ 1.10* | \
+         Kerberos\ 5\ release\ 1.11* | \
+-- 
+2.46.1
+

0002-Harden-sssd-ifp.service.patch

@@ -0,0 +1,36 @@
+From 7889dbb390091f0be5fea8f915fab68020556de7 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Wed, 16 Oct 2024 14:03:06 +0200
+Subject: [PATCH 2/4] Harden sssd-ifp.service
+
+---
+ src/sysv/systemd/sssd-ifp.service.in | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/src/sysv/systemd/sssd-ifp.service.in b/src/sysv/systemd/sssd-ifp.service.in
+index 1ab163392..c8d6dc9ae 100644
+--- a/src/sysv/systemd/sssd-ifp.service.in
++++ b/src/sysv/systemd/sssd-ifp.service.in
+@@ -5,6 +5,19 @@ After=sssd.service
+ BindsTo=sssd.service
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions
+ Environment=DEBUG_LOGGER=--logger=files
+ EnvironmentFile=-@environment_file@
+ Type=dbus
+-- 
+2.46.1
+

0003-Harden-sssd-kcm.service.patch

@@ -1,11 +1,16 @@
+From 1fea2a4039f9e838554abe17bbf1513a8f99f348 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Wed, 16 Oct 2024 14:05:02 +0200
+Subject: [PATCH 3/4] Harden sssd-kcm.service
+
 ---
- src/sysv/systemd/sssd-kcm.service.in |   13 +++++++++++++
+ src/sysv/systemd/sssd-kcm.service.in | 13 +++++++++++++
  1 file changed, 13 insertions(+)
 
-Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
+diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
-===================================================================
+index 0c839ec5c..b403cd709 100644
---- sssd-2.10.0.orig/src/sysv/systemd/sssd-kcm.service.in
+--- a/src/sysv/systemd/sssd-kcm.service.in
-+++ sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
++++ b/src/sysv/systemd/sssd-kcm.service.in
 @@ -8,6 +8,19 @@ After=sssd-kcm.socket
  Also=sssd-kcm.socket
  
@@ -22,7 +27,10 @@ Index: sssd-2.10.0/src/sysv/systemd/sssd-kcm.service.in
 +ProtectKernelLogs=true
 +ProtectControlGroups=true
 +RestrictRealtime=true
-+# end of automatic additions 
++# end of automatic additions
  Environment=DEBUG_LOGGER=--logger=files
  ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
  ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
+-- 
+2.46.1
+

0004-Add-symvers.patch

@@ -1,25 +1,25 @@
+From 20c2e36a1a98a5fc648d16389fc9861eb61768d3 Mon Sep 17 00:00:00 2001
 From: Jan Engelhardt <jengelh@inai.de>
-Date: 2022-12-22 00:09:20.375896408 +0100
+Date: Thu, 22 Dec 2022 00:09:20 +0100
-References: https://bugzilla.suse.com/show_bug.cgi?id=1206592
+Subject: [PATCH 4/4] Add symvers
 
 The theory for this sssd crash is that during rpm upgrading it,
 sssd-2.8.2 gets installed, %post runs to restart it, but oh no,
-sssd-ldap-2.7.4 is still in the system. sssd_be(-2.8.2) then falls
+sssd-ldap-2.7.4 is still in the system. sssd_be(-2.8.2) then falls over
-over its feet when it loads 2.7.4 .so files. Addin symvers like below
+its feet when it loads 2.7.4 .so files. Addin symvers like below should
-should prevent this and pin the modules to another: sssd_be's attempt
+prevent this and pin the modules to another: sssd_be's attempt to dlopen
-to dlopen libsss_ldap.so(-2.7.4) will fail because
+libsss_ldap.so(-2.7.4) will fail because libsss_ldap.so(-2.7.4) cannot
-libsss_ldap.so(-2.7.4) cannot find a libsss_util.so(-2.7.4), since
+find a libsss_util.so(-2.7.4), since the system only has
-the system only has libsss_util.so(-2.8.2) at this point.
+libsss_util.so(-2.8.2) at this point.
-
 ---
- Makefile.am |   47 ++++++++++++++++++++++++++++++++---------------
+ Makefile.am | 47 ++++++++++++++++++++++++++++++++---------------
  1 file changed, 32 insertions(+), 15 deletions(-)
 
-Index: sssd-2.9.2/Makefile.am
+diff --git a/Makefile.am b/Makefile.am
-===================================================================
+index 839b25eae..e79da4a40 100644
---- sssd-2.9.2.orig/Makefile.am
+--- a/Makefile.am
-+++ sssd-2.9.2/Makefile.am
++++ b/Makefile.am
-@@ -955,7 +955,11 @@ libsss_debug_la_SOURCES = \
+@@ -964,7 +964,11 @@ libsss_debug_la_SOURCES = \
  libsss_debug_la_LIBADD = \
      $(SYSLOG_LIBS)
  libsss_debug_la_LDFLAGS = \
@@ -32,7 +32,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_child.la
  libsss_child_la_SOURCES = src/util/child_common.c
-@@ -965,7 +969,8 @@ libsss_child_la_LIBADD = \
+@@ -974,7 +978,8 @@ libsss_child_la_LIBADD = \
      $(DHASH_LIBS) \
      libsss_debug.la \
      $(NULL)
@@ -42,7 +42,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_crypt.la
  
-@@ -1004,7 +1009,8 @@ libsss_crypt_la_LIBADD = \
+@@ -1014,7 +1019,8 @@ libsss_crypt_la_LIBADD = \
      libsss_debug.la \
      $(NULL)
  libsss_crypt_la_LDFLAGS = \
@@ -52,7 +52,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_cert.la
  
-@@ -1029,8 +1035,9 @@ libsss_cert_la_LIBADD = \
+@@ -1039,8 +1045,9 @@ libsss_cert_la_LIBADD = \
      libsss_debug.la \
      $(NULL)
  libsss_cert_la_LDFLAGS = \
@@ -63,7 +63,7 @@ Index: sssd-2.9.2/Makefile.am
  
  generate-sbus-code:
  	$(builddir)/sbus_generate.sh $(abs_srcdir)
-@@ -1131,8 +1138,9 @@ libsss_sbus_la_CFLAGS = \
+@@ -1141,8 +1148,9 @@ libsss_sbus_la_CFLAGS = \
      $(DBUS_CFLAGS) \
      $(NULL)
  libsss_sbus_la_LDFLAGS = \
@@ -74,7 +74,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_sbus_sync.la
  libsss_sbus_sync_la_SOURCES = \
-@@ -1167,8 +1175,9 @@ libsss_sbus_sync_la_CFLAGS = \
+@@ -1177,8 +1185,9 @@ libsss_sbus_sync_la_CFLAGS = \
      $(UNICODE_LIBS) \
      $(NULL)
  libsss_sbus_sync_la_LDFLAGS = \
@@ -85,7 +85,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_iface.la
  libsss_iface_la_SOURCES = \
-@@ -1197,8 +1206,9 @@ libsss_iface_la_CFLAGS = \
+@@ -1207,8 +1216,9 @@ libsss_iface_la_CFLAGS = \
      $(DBUS_CFLAGS) \
      $(NULL)
  libsss_iface_la_LDFLAGS = \
@@ -96,7 +96,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_iface_sync.la
  libsss_iface_sync_la_SOURCES = \
-@@ -1225,8 +1235,9 @@ libsss_iface_sync_la_CFLAGS = \
+@@ -1235,8 +1245,9 @@ libsss_iface_sync_la_CFLAGS = \
      $(DBUS_CFLAGS) \
      $(NULL)
  libsss_iface_sync_la_LDFLAGS = \
@@ -107,7 +107,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_util.la
  libsss_util_la_SOURCES = \
-@@ -1322,7 +1333,8 @@ endif
+@@ -1333,7 +1344,8 @@ endif
  if BUILD_PASSKEY
  libsss_util_la_SOURCES += src/db/sysdb_passkey_user_verification.c
  endif # BUILD_PASSKEY
@@ -117,7 +117,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libsss_semanage.la
  libsss_semanage_la_CFLAGS = \
-@@ -1341,7 +1353,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_
+@@ -1352,7 +1364,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_LIBS)
  endif
  
  libsss_semanage_la_LDFLAGS = \
@@ -127,7 +127,7 @@ Index: sssd-2.9.2/Makefile.am
  
  SSSD_INTERNAL_LTLIBS = \
      libsss_util.la \
-@@ -1357,7 +1370,7 @@ lib_LTLIBRARIES = libipa_hbac.la \
+@@ -1368,7 +1381,7 @@ lib_LTLIBRARIES = libipa_hbac.la \
                    $(NULL)
  
  pkgconfig_DATA += src/lib/ipa_hbac/ipa_hbac.pc
@@ -136,7 +136,7 @@ Index: sssd-2.9.2/Makefile.am
  libipa_hbac_la_SOURCES = \
      src/lib/ipa_hbac/hbac_evaluator.c \
      src/util/sss_utf8.c
-@@ -1688,8 +1701,9 @@ libifp_iface_la_CFLAGS = \
+@@ -1691,8 +1704,9 @@ libifp_iface_la_CFLAGS = \
      $(DBUS_CFLAGS) \
      $(NULL)
  libifp_iface_la_LDFLAGS = \
@@ -147,7 +147,7 @@ Index: sssd-2.9.2/Makefile.am
  
  pkglib_LTLIBRARIES += libifp_iface_sync.la
  libifp_iface_sync_la_SOURCES = \
-@@ -1714,8 +1728,9 @@ libifp_iface_sync_la_CFLAGS = \
+@@ -1717,8 +1731,9 @@ libifp_iface_sync_la_CFLAGS = \
      $(DBUS_CFLAGS) \
      $(NULL)
  libifp_iface_sync_la_LDFLAGS = \
@@ -158,7 +158,7 @@ Index: sssd-2.9.2/Makefile.am
  
  sssd_ifp_SOURCES = \
      src/responder/ifp/ifpsrv.c \
-@@ -4314,8 +4329,9 @@ libsss_ldap_common_la_LIBADD = \
+@@ -4352,8 +4367,9 @@ libsss_ldap_common_la_LIBADD = \
      $(SSSD_INTERNAL_LTLIBS) \
      $(NULL)
  libsss_ldap_common_la_LDFLAGS = \
@@ -169,7 +169,7 @@ Index: sssd-2.9.2/Makefile.am
  if BUILD_SYSTEMTAP
  libsss_ldap_common_la_LIBADD += stap_generated_probes.lo
  endif
-@@ -4372,7 +4388,8 @@ libsss_krb5_common_la_LIBADD = \
+@@ -4410,7 +4426,8 @@ libsss_krb5_common_la_LIBADD = \
      $(SSSD_INTERNAL_LTLIBS) \
      $(NULL)
  libsss_krb5_common_la_LDFLAGS = \
@@ -179,3 +179,6 @@ Index: sssd-2.9.2/Makefile.am
  
  libsss_ldap_la_SOURCES = \
      src/providers/ldap/ldap_init.c \
+-- 
+2.46.1
+

0005-sssd-always-print-path-when-config-object-is-rejecte.patch

@@ -1,8 +1,7 @@
-From 338638cd5f374e0699d7b7495a5fa8f25511fa55 Mon Sep 17 00:00:00 2001
+From 2b7915dd84a6b8c3ee26e45357283677fe22f2cb Mon Sep 17 00:00:00 2001
 From: Jan Engelhardt <jengelh@inai.de>
 Date: Wed, 16 Oct 2024 09:55:50 +0200
 Subject: [PATCH] sssd: always print path when config object is rejected
-References: https://github.com/SSSD/sssd/pull/7649
 
 Observed:
 
@@ -15,27 +14,13 @@ Oct 16 09:44:04 a4 sssd[28717]: Failed to read configuration: 'File ownership an
 Expected:
 
 _Well yes, but **which one**_!?
----
- src/monitor/monitor.c |  4 ++--
- src/util/sss_ini.c    | 14 ++++++++------
- 2 files changed, 10 insertions(+), 8 deletions(-)
 
-diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-index e17b0e416..f67e4446f 100644
+Reviewed-by: Justin Stephenson <jstephen@redhat.com>
---- a/src/monitor/monitor.c
+---
-+++ b/src/monitor/monitor.c
+ src/util/sss_ini.c | 14 ++++++++------
-@@ -1931,9 +1931,9 @@ int main(int argc, const char *argv[])
+ 1 file changed, 8 insertions(+), 6 deletions(-)
-     ret = confdb_read_ini(tmp_ctx, config_file, CONFDB_DEFAULT_CONFIG_DIR, false,
+
-                           &config);
-     if (ret != EOK) {
--        ERROR("Can't read config: '%s'\n", sss_strerror(ret));
-+        ERROR("Cannot read config %s: '%s'\n", config_file, sss_strerror(ret));
-         sss_log(SSS_LOG_ALERT,
--                "Failed to read configuration: '%s'", sss_strerror(ret));
-+                "Failed to read configuration %s: '%s'", config_file, sss_strerror(ret));
-         ret = 3;
-         goto out;
-     }
 diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
 index 7f9824d88..2a611eb8c 100644
 --- a/src/util/sss_ini.c

harden_sssd-ifp.service.patch

@@ -1,24 +0,0 @@
-Index: sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in
-===================================================================
---- sssd-2.5.2.orig/src/sysv/systemd/sssd-ifp.service.in
-+++ sssd-2.5.2/src/sysv/systemd/sssd-ifp.service.in
-@@ -5,6 +5,19 @@ After=sssd.service
- BindsTo=sssd.service
- 
- [Service]
-+# added automatically, for details please see
-+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
-+ProtectSystem=full
-+ProtectHome=true
-+PrivateDevices=true
-+ProtectHostname=true
-+ProtectClock=true
-+ProtectKernelTunables=true
-+ProtectKernelModules=true
-+ProtectKernelLogs=true
-+ProtectControlGroups=true
-+RestrictRealtime=true
-+# end of automatic additions 
- Environment=DEBUG_LOGGER=--logger=files
- EnvironmentFile=-@environment_file@
- Type=dbus

krb-noversion.diff

@@ -1,20 +0,0 @@
-From: Jan Engelhardt <jengelh@inai.de>
-Date: 2019-02-15 17:20:47.842813210 +0100
-
-Remove versions checks that need updating every iteration.
----
- src/external/pac_responder.m4 |    1 +
- 1 file changed, 1 insertion(+)
-
-Index: sssd-2.0.0/src/external/pac_responder.m4
-===================================================================
---- sssd-2.0.0.orig/src/external/pac_responder.m4
-+++ sssd-2.0.0/src/external/pac_responder.m4
-@@ -11,6 +11,7 @@ then
-     AC_MSG_CHECKING(for supported MIT krb5 version)
-     KRB5_VERSION="`$KRB5_CONFIG --version`"
-     case $KRB5_VERSION in
-+        *|\
-         Kerberos\ 5\ release\ 1.9* | \
-         Kerberos\ 5\ release\ 1.10* | \
-         Kerberos\ 5\ release\ 1.11* | \

sssd-rpmlintrc

@@ -0,0 +1 @@
+addFilter("binary-or-shlib-calls-gethostbyname")

sssd.changes

@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Wed Oct 16 14:52:05 UTC 2024 - Samuel Cabrero <scabrero@suse.de>
+
+- Daemon runs now as unprivileged user 'sssd'
+- Add sssd.permissions to set capabilities
+- Fix socket activation of responders
+- Renamed patches:
+  krb-noversion.diff -> 0001-Remove-versions-checks-that-need-updating-every-iter.patch
+  harden_sssd-ifp.service.patch -> 0002-Harden-sssd-ifp.service.patch
+  harden_sssd-kcm.service.patch -> 0003-Harden-sssd-kcm.service.patch
+  symvers.patch -> 0004-Add-symvers.patch
+  0001-sssd-always-print-path-when-config-object-is-rejecte.patch ->
+  0005-sssd-always-print-path-when-config-object-is-rejecte.patch
+
 -------------------------------------------------------------------
 Tue Oct 15 12:59:51 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
 

sssd.permissions

@@ -0,0 +1,11 @@
+/usr/libexec/sssd/sssd_pam root:sssd 0750
+ +capabilities cap_dac_read_search=p
+
+/usr/libexec/sssd/selinux_child root:sssd 0750
+ +capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
+
+/usr/libexec/sssd/krb5_child root:sssd 0750
+ +capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
+
+/usr/libexec/sssd/ldap_child root:sssd 0750
+ +capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep

sssd.spec

@@ -28,11 +28,14 @@ Source:         https://github.com/SSSD/sssd/releases/download/%version/%name-%v
 Source2:        https://github.com/SSSD/sssd/releases/download/%version/%name-%version.tar.gz.asc
 Source3:        baselibs.conf
 Source5:        %name.keyring
-Patch1:         krb-noversion.diff
+Source6:        sssd.sysusers
-Patch2:         harden_sssd-ifp.service.patch
+Source7:        sssd.permissions
-Patch3:         harden_sssd-kcm.service.patch
+Patch1:         0001-Remove-versions-checks-that-need-updating-every-iter.patch
-Patch4:         symvers.patch
+Patch2:         0002-Harden-sssd-ifp.service.patch
-Patch5:         0001-sssd-always-print-path-when-config-object-is-rejecte.patch
+Patch3:         0003-Harden-sssd-kcm.service.patch
+Patch4:         0004-Add-symvers.patch
+Patch5:         0005-sssd-always-print-path-when-config-object-is-rejecte.patch
+
 BuildRequires:  autoconf >= 2.59
 BuildRequires:  automake
 BuildRequires:  bind-utils
@@ -66,13 +69,14 @@ BuildRequires:  pkgconfig(dhash) >= 0.4.2
 BuildRequires:  pkgconfig(glib-2.0)
 BuildRequires:  pkgconfig(ini_config) >= 1.3
 BuildRequires:  pkgconfig(jansson)
-BuildRequires:  pkgconfig(ldb) >= 0.9.2
+BuildRequires:  pkgconfig(ldb) >= 1.2.0
 BuildRequires:  pkgconfig(libcap)
 BuildRequires:  pkgconfig(libcares)
 BuildRequires:  pkgconfig(libcrypto) >= 1.0.1
 %if 0%{?suse_version} >= 1600
 BuildRequires:  pkgconfig(libcurl)
 %endif
+BuildRequires:  pkgconfig(libcap)
 BuildRequires:  pkgconfig(libnfsidmap)
 BuildRequires:  pkgconfig(libnl-3.0) >= 3.0
 BuildRequires:  pkgconfig(libnl-route-3.0) >= 3.0
@@ -80,6 +84,9 @@ BuildRequires:  pkgconfig(libpcre2-8)
 %if 0%{?suse_version} >= 1600
 BuildRequires:  pkgconfig(libsemanage)
 %endif
+BuildRequires:  polkit
+BuildRequires:  sysuser-shadow
+BuildRequires:  sysuser-tools
 BuildRequires:  pkgconfig(libsystemd)
 BuildRequires:  pkgconfig(ndr_krb5pac)
 BuildRequires:  pkgconfig(ndr_nbt)
@@ -100,6 +107,9 @@ BuildRequires:  pkgconfig(uuid)
 %endif
 %sysusers_requires
 %{?systemd_ordering}
+%sysusers_requires
+Requires(pre):  permissions
+Requires(post): permissions
 Requires:       sssd-ldap = %version-%release
 Requires(postun): pam-config
 Provides:       libsss_sudo = %version-%release
@@ -108,13 +118,20 @@ Obsoletes:      libsss_sudo < %version-%release
 Provides:       sssd-common = %version-%release
 Obsoletes:      sssd-common < %version-%release
 
+# Adjust sssd.permissions if the user changes
+%global sssd_user sssd
+
 %define servicename	sssd
 %define sssdstatedir	%_localstatedir/lib/sss
 %define dbpath		%sssdstatedir/db
 %define pipepath	%sssdstatedir/pipes
 %define pubconfpath	%sssdstatedir/pubconf
 %define gpocachepath	%sssdstatedir/gpo_cache
+%define keytabdir	%sssdstatedir/keytabs
+%define mcpath		%sssdstatedir/mc
+%define deskprofilepath	%sssdstatedir/deskprofile
 %define ldbdir %(pkg-config ldb --variable=modulesdir)
+%define child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
 
 # Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
 # %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
@@ -155,6 +172,18 @@ Requires:       %name = %version
 D-Bus responder of sssd, called InfoPipe, which allows
 information from sssd to be transmitted over the system bus.
 
+%package polkit-rules
+Summary:        Rules for polkit integration for SSSD
+Group:          System/Daemons
+License:        GPL-3.0-or-later
+Requires:       %{name} = %{version}-%{release}
+Requires:       polkit >= 0.106
+BuildArch:      noarch
+
+%description polkit-rules
+Provides rules for polkit integration with SSSD. This is required
+for smartcard support.
+
 %package ipa
 Summary:        FreeIPA backend plugin for sssd
 License:        GPL-3.0-or-later
@@ -194,6 +223,8 @@ Summary:        SSSD helpers needed for Kerberos and GSSAPI authentication
 License:        GPL-3.0-or-later
 Group:          System/Daemons
 Requires:       cyrus-sasl-gssapi
+Requires(pre):  permissions
+Requires(post): permissions
 
 %description krb5-common
 Provides helper processes that the LDAP and Kerberos back ends can
@@ -404,14 +435,15 @@ autoreconf -fiv
 	--with-environment-file="%_sysconfdir/sysconfig/sssd" \
 	--with-initscript=systemd \
 	--with-syslog=journald \
-	--with-pid-path="%_rundir" \
+	--with-pid-path="%_rundir/sssd/" \
-	--enable-nsslibdir="/%_lib" \
+	--enable-nsslibdir="%_libdir" \
 	--enable-pammoddir="%_pam_moduledir" \
 	--with-ldb-lib-dir="%ldbdir" \
 	--with-os=suse \
 	--disable-ldb-version-check \
 	--without-python2-bindings \
 	--without-oidc-child \
+	--with-sssd-user=%{sssd_user} \
 %if 0%{?suse_version} >= 1600
 	--with-selinux=yes \
 	--with-subid
@@ -422,6 +454,8 @@ autoreconf -fiv
 %endif
 %make_build all
 
+%sysusers_generate_pre %{SOURCE6} %{name} %{name}.conf
+
 %install
 # sss_obfuscate is compatible with both Python 2 and 3
 perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate
@@ -461,23 +495,30 @@ mkdir -pv "$b/%_sysconfdir/alternatives" "$b/%_sysconfdir/cifs-utils"
 ln -sfv "%_sysconfdir/alternatives/%cifs_idmap_name" "$b/%cifs_idmap_plugin"
 %python3_fix_shebang
 %if 0%{?suse_version} > 1600
-%python3_fix_shebang_path %buildroot/%_libexecdir/%name/
+%python3_fix_shebang_path %{buildroot}/%{_libexecdir}/%{name}/sss_analyze
 %elif 0%{?suse_version} == 1600
 # python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204
 sed -i '1s@#!.*python.*@#!%_bindir/python3.11@' "$b/%_libexecdir/%name/sss_analyze"
 %endif
 
-echo 'u sssd - "System Security Services Daemon" /run/sssd /sbin/nologin' >system-user-sssd.conf
+install -D -p -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/%{name}.conf
-mkdir -p "$b/%_sysusersdir"
+install -D -p -m 0644 contrib/sssd-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/%{name}.conf
-cp -a system-user-sssd.conf "$b/%_sysusersdir/"
+install -D -p -m 0644 %{SOURCE7} %{buildroot}%{_sysconfdir}/permissions.d/%{name}
-%sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf
 
 %check
 # sss_config-tests fails
 %make_build check || :
 
-%pre -f random.pre
+%pre
+%sysusers_create_package %{name} %SOURCE6
 %service_add_pre sssd.service
+%service_add_pre sssd-autofs.service sssd-autofs.socket
+%service_add_pre sssd-nss.service sssd-nss.socket
+%service_add_pre sssd-pac.service sssd-pac.socket
+%service_add_pre sssd-pam.service sssd-pam.socket
+%service_add_pre sssd-ssh.service sssd-ssh.socket
+%service_add_pre sssd-sudo.service sssd-sudo.socket
+
 %if "%{?_distconfdir}" != ""
 # Prepare for migration to /usr/etc; save any old .rpmsave
 for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do
@@ -492,12 +533,37 @@ if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then
 	/bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' "%_sysconfdir/sssd/sssd.conf"
 fi
 %service_add_post sssd.service
+%service_add_post sssd-autofs.service sssd-autofs.socket
+%service_add_post sssd-nss.service sssd-nss.socket
+%service_add_post sssd-pac.service sssd-pac.socket
+%service_add_post sssd-pam.service sssd-pam.socket
+%service_add_post sssd-ssh.service sssd-ssh.socket
+%service_add_post sssd-sudo.service sssd-sudo.socket
+
+%{_bindir}/rm -f %{mcpath}/passwd
+%{_bindir}/rm -f %{mcpath}/group
+%{_bindir}/rm -f %{mcpath}/initgroups
+%{_bindir}/rm -f %{mcpath}/sid
+%{_bindir}/chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true
+%{_bindir}/chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true
+%{_bindir}/chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true
+%{_bindir}/chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
+
+%tmpfiles_create %{name}.conf
+%set_permissions %_libexecdir/%{name}/selinux_child
+%set_permissions %_libexecdir/%{name}/sssd_pam
 
 # install SSSD cifs-idmap plugin as an alternative
 update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority
 
 %preun
 %service_del_preun sssd.service
+%service_del_preun sssd-autofs.service sssd-autofs.socket
+%service_del_preun sssd-nss.service sssd-nss.socket
+%service_del_preun sssd-pac.service sssd-pac.socket
+%service_del_preun sssd-pam.service sssd-pam.socket
+%service_del_preun sssd-ssh.service sssd-ssh.socket
+%service_del_preun sssd-sudo.service sssd-sudo.socket
 
 %postun
 /sbin/ldconfig
@@ -506,6 +572,12 @@ if [ "$1" = "0" ] && [ -x "%_sbindir/pam-config" ]; then
 fi
 # del_postun includes a try-restart
 %service_del_postun sssd.service
+%service_del_postun sssd-autofs.service sssd-autofs.socket
+%service_del_postun sssd-nss.service sssd-nss.socket
+%service_del_postun sssd-pac.service sssd-pac.socket
+%service_del_postun sssd-pam.service sssd-pam.socket
+%service_del_postun sssd-ssh.service sssd-ssh.socket
+%service_del_postun sssd-sudo.service sssd-sudo.socket
 
 if [ ! -f "%cifs_idmap_lib" ]; then
 	update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib
@@ -515,7 +587,13 @@ fi
 %ldconfig_scriptlets -n libipa_hbac0
 %ldconfig_scriptlets -n libsss_idmap0
 %ldconfig_scriptlets -n libsss_nss_idmap0
+%if 0%{?suse_version} < 1600
 %ldconfig_scriptlets -n libsss_simpleifp0
+%endif
+
+%verifyscript
+%verify_permissions -e %_libexecdir/%{name}/selinux_child
+%verify_permissions -e %_libexecdir/%{name}/sssd_pam
 
 %triggerun -- %name < %version-%release
 # sssd takes care of upgrading the database but it doesn't handle downgrades.
@@ -550,6 +628,22 @@ fi
 %postun kcm
 %service_del_postun sssd-kcm.service sssd-kcm.socket
 
+%pre krb5-common
+%sysusers_create_package %{name} %SOURCE6
+%sysusers_create_package %{name}-krb5-common %SOURCE6
+
+%post krb5-common
+%set_permissions %_libexecdir/%{name}/krb5_child
+%set_permissions %_libexecdir/%{name}/ldap_child
+
+%verifyscript krb5-common
+%verify_permissions -e %_libexecdir/%{name}/krb5_child
+%verify_permissions -e %_libexecdir/%{name}/ldap_child
+
+%pre proxy
+%sysusers_create_package %{name} %SOURCE6
+%sysusers_create_package %{name}-proxy %SOURCE6
+
 %pretrans
 # Migrate sssd.service from sssd-common to sssd
 systemctl is-enabled sssd.service > /dev/null
@@ -660,32 +754,34 @@ fi
 %_libexecdir/%name/sssd_autofs
 %_libexecdir/%name/sssd_be
 %_libexecdir/%name/sssd_nss
-%_libexecdir/%name/sssd_pam
+%attr(0750,root,%{sssd_user}) %caps(cap_dac_read_search=p) %{_libexecdir}/%{name}/sssd_pam
 %_libexecdir/%name/sssd_ssh
 %_libexecdir/%name/sssd_sudo
 %_libexecdir/%name/sss_signal
 %_libexecdir/%name/sssd_check_socket_activated_responders
 %if 0%{?suse_version} >= 1600
-%_libexecdir/%name/selinux_child
+%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{name}/selinux_child
 %endif
 %dir %sssdstatedir
-%attr(700,root,root) %dir %dbpath/
+%attr(700,%{sssd_user},%{sssd_user}) %dir %dbpath/
-%attr(755,root,root) %dir %pipepath/
+%attr(755,%{sssd_user},%{sssd_user}) %dir %pipepath/
-%attr(700,root,root) %dir %pipepath/private/
+%attr(700,%{sssd_user},%{sssd_user}) %dir %pipepath/private/
-%attr(755,root,root) %dir %pubconfpath/
+%attr(755,%{sssd_user},%{sssd_user}) %dir %pubconfpath/
-%attr(755,root,root) %dir %pubconfpath/krb5.include.d
+%attr(755,%{sssd_user},%{sssd_user}) %dir %pubconfpath/krb5.include.d
-%attr(755,root,root) %dir %gpocachepath/
+%attr(755,%{sssd_user},%{sssd_user}) %dir %gpocachepath/
-%attr(755,root,root) %dir %sssdstatedir/mc/
+%attr(755,%{sssd_user},%{sssd_user}) %dir %mcpath/
-%attr(700,root,root) %dir %sssdstatedir/keytabs/
+%attr(700,%{sssd_user},%{sssd_user}) %dir %keytabdir/
-%attr(750,root,root) %dir %_localstatedir/log/%name/
+%attr(750,%{sssd_user},%{sssd_user}) %dir %_localstatedir/log/%name/
+%attr(775,%{sssd_user},%{sssd_user}) %dir %sssdstatedir/
+%config(noreplace) %_sysconfdir/permissions.d/sssd
 %if "%{?_distconfdir}" != ""
-%dir %_distconfdir/sssd/
+%attr(750,%{sssd_user},%{sssd_user}) %dir %_distconfdir/sssd/
-%%dir %_distconfdir/sssd/conf.d
+%attr(750,%{sssd_user},%{sssd_user}) %dir %_distconfdir/sssd/conf.d
-%config(noreplace) %_distconfdir/sssd/sssd.conf
+%attr(0600,%{sssd_user},%{sssd_user}) %_distconfdir/sssd/sssd.conf
 %else
-%dir %_sysconfdir/sssd/
+%attr(750,%{sssd_user},%{sssd_user}) %dir %_sysconfdir/sssd/
-%%dir %_sysconfdir/sssd/conf.d
+%attr(750,%{sssd_user},%{sssd_user}) %dir %_sysconfdir/sssd/conf.d
-%config(noreplace) %_sysconfdir/sssd/sssd.conf
+%ghost %attr(0600,%{sssd_user},%{sssd_user}) %config(noreplace) %_sysconfdir/sssd/sssd.conf
 %endif
 %if 0%{?suse_version} > 1500
 %_distconfdir/logrotate.d/sssd
@@ -704,11 +800,14 @@ fi
 %else
 %exclude %_mandir/*/*/sssd-files.5.gz
 %endif
+%attr(775,%{sssd_user},%{sssd_user}) %ghost %dir %{_rundir}/sssd
 %doc src/examples/sssd.conf
+%{_sysusersdir}/sssd.conf
+%{_tmpfilesdir}/sssd.conf
 #
 # sssd-client
 #
-/%_lib/libnss_sss.so.2
+%{_libdir}/libnss_sss.so.2
 %_pam_moduledir/pam_sss.so
 %_pam_moduledir/pam_sss_gss.so
 %_libdir/krb5/
@@ -793,8 +892,11 @@ fi
 %dir %_libdir/%name/
 %_libdir/%name/libsss_krb5_common.so
 %dir %_libexecdir/%name/
-%_libexecdir/%name/krb5_child
+%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %_libexecdir/%name/krb5_child
-%_libexecdir/%name/ldap_child
+%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %_libexecdir/%name/ldap_child
+
+%files polkit-rules
+%{_datadir}/polkit-1/rules.d/sssd-pcsc.rules
 
 %files ldap
 %dir %_libdir/%name/
@@ -811,7 +913,7 @@ fi
 %dir %_libdir/%name/
 %_libdir/%name/libsss_proxy.so
 %dir %_libexecdir/%name/
-%_libexecdir/%name/proxy_child
+%attr(0750,root,%{sssd_user}) %_libexecdir/%name/proxy_child
 %dir %_datadir/%name/
 %dir %_datadir/%name/sssd.api.d/
 %_datadir/%name/sssd.api.d/sssd-proxy.conf

sssd.sysusers

@@ -0,0 +1 @@
+u     sssd   -   "System Security Services Daemon"     /run/sssd/      /sbin/nologin