Compare commits
5 Commits
cd4781f19c
...
6b181b9260
| Author | SHA256 | Date | |
|---|---|---|---|
|
6b181b9260 | ||
|
|
5165cf2176 | ||
|
|
8aeefcbe42 | ||
| 73fb2a82f6 | |||
| 93d212c167 |
11
sssd.permissions
Normal file
11
sssd.permissions
Normal file
@ -0,0 +1,11 @@
|
||||
/usr/libexec/sssd/sssd_pam root:sssd 0750
|
||||
+capabilities cap_dac_read_search=p
|
||||
|
||||
/usr/libexec/sssd/selinux_child root:sssd 0750
|
||||
+capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
|
||||
|
||||
/usr/libexec/sssd/krb5_child root:sssd 0750
|
||||
+capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
|
||||
|
||||
/usr/libexec/sssd/ldap_child root:sssd 0750
|
||||
+capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
|
||||
294
sssd.spec
294
sssd.spec
@ -29,9 +29,11 @@ Source2: https://github.com/SSSD/sssd/releases/download/%version/%name-2.
|
||||
Source3: baselibs.conf
|
||||
Source5: %name.keyring
|
||||
Source6: sssd.sysusers
|
||||
Source7: sssd.permissions
|
||||
Patch1: krb-noversion.diff
|
||||
Patch2: harden_sssd-ifp.service.patch
|
||||
Patch3: harden_sssd-kcm.service.patch
|
||||
# Does not build if ${PACKAGE_VERSION} contains a dash
|
||||
#Patch4: symvers.patch
|
||||
|
||||
BuildRequires: autoconf >= 2.59
|
||||
@ -93,8 +95,17 @@ BuildRequires: pkgconfig(talloc)
|
||||
BuildRequires: pkgconfig(tdb) >= 1.1.3
|
||||
BuildRequires: pkgconfig(tevent)
|
||||
BuildRequires: pkgconfig(uuid)
|
||||
%if 0%{?suse_version} && 0%{?suse_version} < 1600
|
||||
# samba-client-devel pulls samba-client-libs pulls libldap-2_4-2 wants libldap-data(-2.4);
|
||||
# this conflicts with
|
||||
# openldap2-devel pulls libldap2 wants libldap-data(-2.6)
|
||||
# Package contains just config files, not needed for build.
|
||||
#!BuildIgnore: libldap-data
|
||||
%endif
|
||||
%{?systemd_ordering}
|
||||
%sysusers_requires
|
||||
Requires(pre): permissions
|
||||
Requires(post): permissions
|
||||
Requires: sssd-ldap = %version-%release
|
||||
Requires(postun): pam-config
|
||||
Provides: libsss_sudo = %version-%release
|
||||
@ -103,20 +114,31 @@ Obsoletes: libsss_sudo < %version-%release
|
||||
Provides: sssd-common = %version-%release
|
||||
Obsoletes: sssd-common < %version-%release
|
||||
|
||||
# Adjust sssd.permissions if the user changes
|
||||
%global sssd_user sssd
|
||||
%global child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
|
||||
|
||||
%define servicename sssd
|
||||
%define sssdstatedir %_localstatedir/lib/sss
|
||||
%define dbpath %sssdstatedir/db
|
||||
%define sssdstatedir %_localstatedir/lib/sss
|
||||
%define dbpath %sssdstatedir/db
|
||||
%define pipepath %sssdstatedir/pipes
|
||||
%define pubconfpath %sssdstatedir/pubconf
|
||||
%define gpocachepath %sssdstatedir/gpo_cache
|
||||
%define keytabdir %sssdstatedir/keytabs
|
||||
%define pipepath %sssdstatedir/pipes
|
||||
%define mcpath %sssdstatedir/mc
|
||||
%define pubconfpath %sssdstatedir/pubconf
|
||||
%define gpocachepath %sssdstatedir/gpo_cache
|
||||
%define deskprofilepath %sssdstatedir/deskprofile
|
||||
%define ldbdir %(pkg-config ldb --variable=modulesdir)
|
||||
|
||||
# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
|
||||
# %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
|
||||
# * cifs-utils one is the default (priority 20)
|
||||
# * installing SSSD should NOT switch to SSSD plugin (priority 10)
|
||||
%define cifs_idmap_plugin %_sysconfdir/cifs-utils/idmap-plugin
|
||||
%define cifs_idmap_lib %_libdir/cifs-utils/cifs_idmap_sss.so
|
||||
%define cifs_idmap_name cifs-idmap-plugin
|
||||
%define cifs_idmap_priority 10
|
||||
Requires(post): update-alternatives
|
||||
Requires(postun): update-alternatives
|
||||
|
||||
%description
|
||||
Provides a set of daemons to manage access to remote directories and
|
||||
authentication mechanisms. It provides an NSS and PAM interface toward
|
||||
@ -197,6 +219,8 @@ Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
|
||||
License: GPL-3.0-or-later
|
||||
Group: System/Daemons
|
||||
Requires: cyrus-sasl-gssapi
|
||||
Requires(pre): permissions
|
||||
Requires(post): permissions
|
||||
|
||||
%description krb5-common
|
||||
Provides helper processes that the LDAP and Kerberos back ends can
|
||||
@ -430,7 +454,7 @@ autoreconf -fiv
|
||||
--with-libsifp \
|
||||
--with-files-provider
|
||||
%endif
|
||||
%make_build all
|
||||
%make_build all runstatedir=%{_rundir}
|
||||
|
||||
%sysusers_generate_pre %{SOURCE6} %{name} %{name}.conf
|
||||
|
||||
@ -441,8 +465,8 @@ perl -i -lpe 's{%_bindir/python\b}{%_bindir/python3}' src/tools/sss_obfuscate
|
||||
b="%buildroot"
|
||||
|
||||
# Copy some defaults
|
||||
%if %{defined _distconfdir}
|
||||
install -D -p -m 0644 src/examples/sssd-example.conf "$b/%_distconfdir/sssd/sssd.conf"
|
||||
%if "%{?_distconfdir}" != ""
|
||||
install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_distconfdir/sssd/sssd.conf"
|
||||
install -d -m 0755 "$b/%_distconfdir/sssd/conf.d"
|
||||
%else
|
||||
install -D -p -m 0600 src/examples/sssd-example.conf "$b/%_sysconfdir/sssd/sssd.conf"
|
||||
@ -468,46 +492,39 @@ mkdir -pv "$b/%sssdstatedir/mc"
|
||||
find "$b" -type f -name "*.la" -print -delete
|
||||
%find_lang %name --all-name
|
||||
|
||||
# dummy target for cifs-idmap-plugin
|
||||
mkdir -pv %buildroot/%_sysconfdir/alternatives %buildroot/%_sysconfdir/cifs-utils
|
||||
ln -sfv %_sysconfdir/alternatives/%cifs_idmap_name %buildroot/%cifs_idmap_plugin
|
||||
%python3_fix_shebang
|
||||
%if %{suse_version} >= 1600
|
||||
sed -i -e 's:/usr/bin/env python3:/usr/bin/python3:' %{buildroot}/%{_libexecdir}/%{name}/sss_analyze
|
||||
%python3_fix_shebang_path %{buildroot}/%{_libexecdir}/%{name}/
|
||||
%if 0%{?suse_version} > 1600
|
||||
%python3_fix_shebang_path %{buildroot}/%{_libexecdir}/%{name}/sss_analyze
|
||||
%elif 0%{?suse_version} == 1600
|
||||
# python3_fix_shebang_path macro does not exist in < 1600, was added in python-rom-macros 20231204
|
||||
sed -i '1s@#!.*python.*@#!%{_bindir}/python3.11@' %{buildroot}/%{_libexecdir}/%{name}/sss_analyze
|
||||
%endif
|
||||
|
||||
install -D -p -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/%{name}.conf
|
||||
|
||||
# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
|
||||
# _sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
|
||||
#mkdir -pv "%{buildroot}/%_sysconfdir/cifs-utils"
|
||||
#ln -s %{buildroot}/%_libdir/cifs-utils/cifs_idmap_sss.so %{buildroot}/%_sysconfdir/cifs-utils/idmap-plugin
|
||||
install -D -p -m 0644 contrib/sssd-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/%{name}.conf
|
||||
install -D -p -m 0644 %{SOURCE7} %{buildroot}%{_sysconfdir}/permissions.d/%{name}
|
||||
|
||||
%check
|
||||
# sss_config-tests fails
|
||||
%make_build check || :
|
||||
|
||||
%pre
|
||||
%sysusers_create_package %{name} %SOURCE6
|
||||
%service_add_pre sssd.service
|
||||
%service_add_pre sssd-autofs.service
|
||||
%service_add_pre sssd-nss.service
|
||||
%service_add_pre sssd-nss.service
|
||||
%service_add_pre sssd-pac.service
|
||||
%service_add_pre sssd-pam.service
|
||||
%service_add_pre sssd-ssh.service
|
||||
%service_add_pre sssd-sudo.service
|
||||
%service_add_pre sssd-autofs.service sssd-autofs.socket
|
||||
%service_add_pre sssd-nss.service sssd-nss.socket
|
||||
%service_add_pre sssd-pac.service sssd-pac.socket
|
||||
%service_add_pre sssd-pam.service sssd-pam.socket
|
||||
%service_add_pre sssd-ssh.service sssd-ssh.socket
|
||||
%service_add_pre sssd-sudo.service sssd-sudo.socket
|
||||
|
||||
%service_add_pre sssd-autofs.socket
|
||||
%service_add_pre sssd-nss.socket
|
||||
%service_add_pre sssd-nss.socket
|
||||
%service_add_pre sssd-pac.socket
|
||||
%service_add_pre sssd-pam.socket
|
||||
%service_add_pre sssd-ssh.socket
|
||||
%service_add_pre sssd-sudo.socket
|
||||
|
||||
|
||||
%if %{defined _distconfdir}
|
||||
%if "%{?_distconfdir}" != ""
|
||||
# Prepare for migration to /usr/etc; save any old .rpmsave
|
||||
for i in sssd/sssd.conf pam.d/sssd-shadowutils logrotate.d/sssd ; do
|
||||
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
|
||||
test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i.rpmsave.old" || :
|
||||
done
|
||||
%endif
|
||||
|
||||
@ -517,107 +534,60 @@ done
|
||||
if [ -f "%_sysconfdir/sssd/sssd.conf" ]; then
|
||||
/bin/sed -i -e 's,^krb5_kdcip =,krb5_server =,g' "%_sysconfdir/sssd/sssd.conf"
|
||||
fi
|
||||
%systemd_post sssd.service
|
||||
%systemd_post sssd-autofs.socket
|
||||
%systemd_post sssd-nss.socket
|
||||
%systemd_post sssd-pac.socket
|
||||
%systemd_post sssd-pam.socket
|
||||
%systemd_post sssd-ssh.socket
|
||||
%systemd_post sssd-sudo.socket
|
||||
|
||||
%service_add_post sssd.service
|
||||
%service_add_post sssd-autofs.service
|
||||
%service_add_post sssd-nss.service
|
||||
%service_add_post sssd-nss.service
|
||||
%service_add_post sssd-pac.service
|
||||
%service_add_post sssd-pam.service
|
||||
%service_add_post sssd-ssh.service
|
||||
%service_add_post sssd-sudo.service
|
||||
%service_add_post sssd-autofs.service sssd-autofs.socket
|
||||
%service_add_post sssd-nss.service sssd-nss.socket
|
||||
%service_add_post sssd-pac.service sssd-pac.socket
|
||||
%service_add_post sssd-pam.service sssd-pam.socket
|
||||
%service_add_post sssd-ssh.service sssd-ssh.socket
|
||||
%service_add_post sssd-sudo.service sssd-sudo.socket
|
||||
|
||||
%service_add_post sssd-autofs.socket
|
||||
%service_add_post sssd-nss.socket
|
||||
%service_add_post sssd-nss.socket
|
||||
%service_add_post sssd-pac.socket
|
||||
%service_add_post sssd-pam.socket
|
||||
%service_add_post sssd-ssh.socket
|
||||
%service_add_post sssd-sudo.socket
|
||||
%{_bindir}/rm -f %{mcpath}/passwd
|
||||
%{_bindir}/rm -f %{mcpath}/group
|
||||
%{_bindir}/rm -f %{mcpath}/initgroups
|
||||
%{_bindir}/rm -f %{mcpath}/sid
|
||||
%{_bindir}/chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true
|
||||
%{_bindir}/chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true
|
||||
%{_bindir}/chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true
|
||||
%{_bindir}/chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
|
||||
|
||||
%__rm -f %{mcpath}/passwd
|
||||
%__rm -f %{mcpath}/group
|
||||
%__rm -f %{mcpath}/initgroups
|
||||
%__rm -f %{mcpath}/sid
|
||||
%tmpfiles_create %{name}.conf
|
||||
%set_permissions %_libexecdir/%{name}/selinux_child
|
||||
%set_permissions %_libexecdir/%{name}/sssd_pam
|
||||
|
||||
#__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true
|
||||
#if %{defined _distconfdir}
|
||||
#__chown -f %{sssd_user}:%{sssd_user} %{_distconfdir}/sssd/sssd.conf || true
|
||||
#__chown -f -R %{sssd_user}:%{sssd_user} %{_distconfdir}/sssd/conf.d || true
|
||||
#else
|
||||
#__chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true
|
||||
#__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true
|
||||
#endif
|
||||
#__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
|
||||
#__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true
|
||||
# install SSSD cifs-idmap plugin as an alternative
|
||||
update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority
|
||||
|
||||
%preun
|
||||
%systemd_preun sssd.service
|
||||
%systemd_preun sssd-autofs.service
|
||||
%systemd_preun sssd-nss.service
|
||||
%systemd_preun sssd-nss.service
|
||||
%systemd_preun sssd-pac.service
|
||||
%systemd_preun sssd-pam.service
|
||||
%systemd_preun sssd-ssh.service
|
||||
%systemd_preun sssd-sudo.service
|
||||
|
||||
%systemd_preun sssd-autofs.socket
|
||||
%systemd_preun sssd-nss.socket
|
||||
%systemd_preun sssd-nss.socket
|
||||
%systemd_preun sssd-pac.socket
|
||||
%systemd_preun sssd-pam.socket
|
||||
%systemd_preun sssd-ssh.socket
|
||||
%systemd_preun sssd-sudo.socket
|
||||
|
||||
%service_del_preun sssd.service
|
||||
%service_del_preun sssd-autofs.service sssd-autofs.socket
|
||||
%service_del_preun sssd-nss.service sssd-nss.socket
|
||||
%service_del_preun sssd-pac.service sssd-pac.socket
|
||||
%service_del_preun sssd-pam.service sssd-pam.socket
|
||||
%service_del_preun sssd-ssh.service sssd-ssh.socket
|
||||
%service_del_preun sssd-sudo.service sssd-sudo.socket
|
||||
|
||||
%postun
|
||||
/sbin/ldconfig
|
||||
if [ "$1" = "0" -a -x "%_sbindir/pam-config" ]; then
|
||||
"%_sbindir/pam-config" -d --sss || :
|
||||
fi
|
||||
|
||||
# del_postun includes a try-restart
|
||||
%service_del_postun sssd.service
|
||||
%service_del_postun sssd-autofs.service
|
||||
%service_del_postun sssd-nss.service
|
||||
%service_del_postun sssd-nss.service
|
||||
%service_del_postun sssd-pac.service
|
||||
%service_del_postun sssd-pam.service
|
||||
%service_del_postun sssd-ssh.service
|
||||
%service_del_postun sssd-sudo.service
|
||||
|
||||
%service_del_postun sssd-autofs.socket
|
||||
%service_del_postun sssd-nss.socket
|
||||
%service_del_postun sssd-nss.socket
|
||||
%service_del_postun sssd-pac.socket
|
||||
%service_del_postun sssd-pam.socket
|
||||
%service_del_postun sssd-ssh.socket
|
||||
%service_del_postun sssd-sudo.socket
|
||||
|
||||
%systemd_postun sssd.service
|
||||
%systemd_postun sssd-autofs.service
|
||||
%systemd_postun sssd-nss.service
|
||||
%systemd_postun sssd-nss.service
|
||||
%systemd_postun sssd-pac.service
|
||||
%systemd_postun sssd-pam.service
|
||||
%systemd_postun sssd-ssh.service
|
||||
%systemd_postun sssd-sudo.service
|
||||
|
||||
%systemd_postun sssd-autofs.socket
|
||||
%systemd_postun sssd-nss.socket
|
||||
%systemd_postun sssd-nss.socket
|
||||
%systemd_postun sssd-pac.socket
|
||||
%systemd_postun sssd-pam.socket
|
||||
%systemd_postun sssd-ssh.socket
|
||||
%systemd_postun sssd-sudo.socket
|
||||
%service_del_postun sssd-autofs.service sssd-autofs.socket
|
||||
%service_del_postun sssd-nss.service sssd-nss.socket
|
||||
%service_del_postun sssd-pac.service sssd-pac.socket
|
||||
%service_del_postun sssd-pam.service sssd-pam.socket
|
||||
%service_del_postun sssd-ssh.service sssd-ssh.socket
|
||||
%service_del_postun sssd-sudo.service sssd-sudo.socket
|
||||
|
||||
if [ ! -f "%cifs_idmap_lib" ]; then
|
||||
update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib
|
||||
fi
|
||||
|
||||
%verifyscript
|
||||
%verify_permissions -e %_libexecdir/%{name}/selinux_child
|
||||
%verify_permissions -e %_libexecdir/%{name}/sssd_pam
|
||||
|
||||
%post -n libsss_certmap0 -p /sbin/ldconfig
|
||||
%postun -n libsss_certmap0 -p /sbin/ldconfig
|
||||
@ -665,6 +635,22 @@ fi
|
||||
%postun kcm
|
||||
%service_del_postun sssd-kcm.service sssd-kcm.socket
|
||||
|
||||
%pre krb5-common
|
||||
%sysusers_create_package %{name} %SOURCE6
|
||||
%sysusers_create_package %{name}-krb5-common %SOURCE6
|
||||
|
||||
%post krb5-common
|
||||
%set_permissions %_libexecdir/%{name}/krb5_child
|
||||
%set_permissions %_libexecdir/%{name}/ldap_child
|
||||
|
||||
%verifyscript krb5-common
|
||||
%verify_permissions -e %_libexecdir/%{name}/krb5_child
|
||||
%verify_permissions -e %_libexecdir/%{name}/ldap_child
|
||||
|
||||
%pre proxy
|
||||
%sysusers_create_package %{name} %SOURCE6
|
||||
%sysusers_create_package %{name}-proxy %SOURCE6
|
||||
|
||||
%pretrans
|
||||
# Migrate sssd.service from sssd-common to sssd
|
||||
systemctl is-enabled sssd.service > /dev/null
|
||||
@ -679,10 +665,10 @@ touch /run/systemd/rpm/sssd-was-active
|
||||
fi
|
||||
|
||||
%posttrans
|
||||
%if %{defined _distconfdir}
|
||||
%if "%{?_distconfdir}" != ""
|
||||
# Migration to /usr/etc, restore just created .rpmsave
|
||||
for i in sssd/sssd.conf logrotate.d/sssd pam.d/sssd-shadowutils ; do
|
||||
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
|
||||
test -f "%_sysconfdir/$i.rpmsave" && mv -v "%_sysconfdir/$i.rpmsave" "%_sysconfdir/$i" || :
|
||||
done
|
||||
%endif
|
||||
# Migrate sssd.service from sssd-common to sssd
|
||||
@ -713,7 +699,6 @@ fi
|
||||
%_unitdir/sssd-pac.socket
|
||||
%_unitdir/sssd-pac.service
|
||||
%_unitdir/sssd-pam.socket
|
||||
#%_unitdir/sssd-pam-priv.socket
|
||||
%_unitdir/sssd-pam.service
|
||||
%_unitdir/sssd-ssh.socket
|
||||
%_unitdir/sssd-ssh.service
|
||||
@ -769,38 +754,40 @@ fi
|
||||
%dir %_libdir/%name/modules/
|
||||
%_libdir/%name/modules/libsss_autofs.so
|
||||
%_libdir/libsss_sudo.so
|
||||
%ldbdir/
|
||||
%ldbdir/memberof.so
|
||||
%dir %_libexecdir/%name/
|
||||
%_libexecdir/%name/p11_child
|
||||
%_libexecdir/%name/sssd_autofs
|
||||
%_libexecdir/%name/sssd_be
|
||||
%_libexecdir/%name/sssd_nss
|
||||
%attr(0750,root,%{sssd_user}) %caps(cap_dac_read_search=p) %{_libexecdir}/%{name}/sssd_pam
|
||||
%attr(0750,root,%{sssd_user}) %{_libexecdir}/%{name}/sssd_pam
|
||||
%_libexecdir/%name/sssd_ssh
|
||||
%_libexecdir/%name/sssd_sudo
|
||||
%_libexecdir/%name/sss_signal
|
||||
%_libexecdir/%name/sssd_check_socket_activated_responders
|
||||
%if 0%{?suse_version} >= 1600
|
||||
%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{name}/selinux_child
|
||||
%attr(0750,root,%{sssd_user}) %{_libexecdir}/%{name}/selinux_child
|
||||
%endif
|
||||
%attr(775,%{sssd_user},%{sssd_user}) %dir %{sssdstatedir}
|
||||
%attr(770,%{sssd_user},%{sssd_user}) %dir %{dbpath}
|
||||
%attr(775,%{sssd_user},%{sssd_user}) %dir %{mcpath}
|
||||
%attr(775,%{sssd_user},%{sssd_user}) %dir %{pipepath}
|
||||
%attr(770,%{sssd_user},%{sssd_user}) %dir %{pipepath}/private
|
||||
%attr(775,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}
|
||||
%attr(775,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d
|
||||
%attr(770,%{sssd_user},%{sssd_user}) %dir %{gpocachepath}
|
||||
%attr(770,%{sssd_user},%{sssd_user}) %dir %{keytabdir}
|
||||
%attr(750,%{sssd_user},%{sssd_user}) %dir %{_localstatedir}/log/%name/
|
||||
%if %{defined _distconfdir}
|
||||
%attr(750,%{sssd_user},%{sssd_user}) %dir %{_distconfdir}/sssd
|
||||
%attr(750,%{sssd_user},%{sssd_user}) %dir %{_distconfdir}/sssd/conf.d
|
||||
%ghost %attr(0600,%{sssd_user},%{sssd_user}) %{_distconfdir}/sssd/sssd.conf
|
||||
%dir %sssdstatedir
|
||||
%attr(700,%{sssd_user},%{sssd_user}) %dir %dbpath/
|
||||
%attr(755,%{sssd_user},%{sssd_user}) %dir %pipepath/
|
||||
%attr(700,%{sssd_user},%{sssd_user}) %dir %pipepath/private/
|
||||
%attr(755,%{sssd_user},%{sssd_user}) %dir %pubconfpath/
|
||||
%attr(755,%{sssd_user},%{sssd_user}) %dir %pubconfpath/krb5.include.d
|
||||
%attr(755,%{sssd_user},%{sssd_user}) %dir %gpocachepath/
|
||||
%attr(755,%{sssd_user},%{sssd_user}) %dir %mcpath/
|
||||
%attr(700,%{sssd_user},%{sssd_user}) %dir %keytabdir/
|
||||
%attr(750,%{sssd_user},%{sssd_user}) %dir %_localstatedir/log/%name/
|
||||
%attr(775,%{sssd_user},%{sssd_user}) %dir %sssdstatedir/
|
||||
%config(noreplace) %_sysconfdir/permissions.d/sssd
|
||||
%if "%{?_distconfdir}" != ""
|
||||
%attr(750,%{sssd_user},%{sssd_user}) %dir %_distconfdir/sssd/
|
||||
%attr(750,%{sssd_user},%{sssd_user}) %dir %_distconfdir/sssd/conf.d
|
||||
%attr(0600,%{sssd_user},%{sssd_user}) %_distconfdir/sssd/sssd.conf
|
||||
%else
|
||||
%attr(750,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd
|
||||
%attr(750,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/conf.d
|
||||
%ghost %attr(0600,%{sssd_user},%{sssd_user}) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
|
||||
%attr(750,%{sssd_user},%{sssd_user}) %dir %_sysconfdir/sssd/
|
||||
%attr(750,%{sssd_user},%{sssd_user}) %dir %_sysconfdir/sssd/conf.d
|
||||
%ghost %attr(0600,%{sssd_user},%{sssd_user}) %config(noreplace) %_sysconfdir/sssd/sssd.conf
|
||||
%endif
|
||||
%if 0%{?suse_version} > 1500
|
||||
%_distconfdir/logrotate.d/sssd
|
||||
@ -822,6 +809,7 @@ fi
|
||||
%attr(775,%{sssd_user},%{sssd_user}) %ghost %dir %{_rundir}/sssd
|
||||
%doc src/examples/sssd.conf
|
||||
%{_sysusersdir}/sssd.conf
|
||||
%{_tmpfilesdir}/sssd.conf
|
||||
#
|
||||
# sssd-client
|
||||
#
|
||||
@ -842,10 +830,12 @@ fi
|
||||
%_mandir/man8/sssd_krb5_localauth_plugin.8*
|
||||
%_mandir/??/man8/sssd_krb5_localauth_plugin.8*
|
||||
%_mandir/man8/sssd_krb5_locator_plugin.8*
|
||||
#%dir %_sysconfdir/cifs-utils
|
||||
#%_sysconfdir/cifs-utils/idmap-plugin
|
||||
# cifs idmap plugin
|
||||
%dir %_sysconfdir/cifs-utils
|
||||
%cifs_idmap_plugin
|
||||
%dir %_libdir/cifs-utils
|
||||
%_libdir/cifs-utils/cifs_idmap_sss.so
|
||||
%cifs_idmap_lib
|
||||
%ghost %_sysconfdir/alternatives/%cifs_idmap_name
|
||||
|
||||
%files ad
|
||||
%dir %_libdir/%name/
|
||||
@ -908,8 +898,8 @@ fi
|
||||
%dir %_libdir/%name/
|
||||
%_libdir/%name/libsss_krb5_common.so
|
||||
%dir %_libexecdir/%name/
|
||||
%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{name}/ldap_child
|
||||
%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{name}/krb5_child
|
||||
%attr(0750,root,%{sssd_user}) %_libexecdir/%name/krb5_child
|
||||
%attr(0750,root,%{sssd_user}) %_libexecdir/%name/ldap_child
|
||||
|
||||
%files polkit-rules
|
||||
%{_datadir}/polkit-1/rules.d/sssd-pcsc.rules
|
||||
@ -929,7 +919,7 @@ fi
|
||||
%dir %_libdir/%name/
|
||||
%_libdir/%name/libsss_proxy.so
|
||||
%dir %_libexecdir/%name/
|
||||
%attr(0750,root,%{sssd_user}) %{_libexecdir}/%{name}/proxy_child
|
||||
%attr(0750,root,%{sssd_user}) %_libexecdir/%name/proxy_child
|
||||
%dir %_datadir/%name/
|
||||
%dir %_datadir/%name/sssd.api.d/
|
||||
%_datadir/%name/sssd.api.d/sssd-proxy.conf
|
||||
@ -950,7 +940,9 @@ fi
|
||||
%python3_sitelib/sssd/
|
||||
|
||||
%files winbind-idmap
|
||||
%_libdir/samba/
|
||||
%dir %_libdir/samba
|
||||
%dir %_libdir/samba/idmap
|
||||
%_libdir/samba/idmap/sss.so
|
||||
%_mandir/man8/idmap_sss.8*
|
||||
|
||||
%files -n libipa_hbac0
|
||||
|
||||
@ -1,25 +1,24 @@
|
||||
From 1ad3abee3ed69cad410aff5f2e17542d2f34deb7 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Engelhardt <jengelh@inai.de>
|
||||
Date: 2022-12-22 00:09:20.375896408 +0100
|
||||
References: https://bugzilla.suse.com/show_bug.cgi?id=1206592
|
||||
|
||||
The theory for this sssd crash is that during rpm upgrading it,
|
||||
sssd-2.8.2 gets installed, %post runs to restart it, but oh no,
|
||||
sssd-ldap-2.7.4 is still in the system. sssd_be(-2.8.2) then falls
|
||||
over its feet when it loads 2.7.4 .so files. Addin symvers like below
|
||||
should prevent this and pin the modules to another: sssd_be's attempt
|
||||
to dlopen libsss_ldap.so(-2.7.4) will fail because
|
||||
libsss_ldap.so(-2.7.4) cannot find a libsss_util.so(-2.7.4), since
|
||||
the system only has libsss_util.so(-2.8.2) at this point.
|
||||
Date: Thu, 22 Dec 2022 00:09:20 +0100
|
||||
Subject: [PATCH] The theory for this sssd crash is that during rpm upgrading
|
||||
it, sssd-2.8.2 gets installed, %post runs to restart it, but oh no,
|
||||
sssd-ldap-2.7.4 is still in the system. sssd_be(-2.8.2) then falls over its
|
||||
feet when it loads 2.7.4 .so files. Addin symvers like below should prevent
|
||||
this and pin the modules to another: sssd_be's attempt to dlopen
|
||||
libsss_ldap.so(-2.7.4) will fail because libsss_ldap.so(-2.7.4) cannot find a
|
||||
libsss_util.so(-2.7.4), since the system only has libsss_util.so(-2.8.2) at
|
||||
this point.
|
||||
|
||||
---
|
||||
Makefile.am | 47 ++++++++++++++++++++++++++++++++---------------
|
||||
Makefile.am | 47 ++++++++++++++++++++++++++++++++---------------
|
||||
1 file changed, 32 insertions(+), 15 deletions(-)
|
||||
|
||||
Index: sssd-2.9.2/Makefile.am
|
||||
===================================================================
|
||||
--- sssd-2.9.2.orig/Makefile.am
|
||||
+++ sssd-2.9.2/Makefile.am
|
||||
@@ -955,7 +955,11 @@ libsss_debug_la_SOURCES = \
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index f4cadee6f..ea01d0ea5 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -971,7 +971,11 @@ libsss_debug_la_SOURCES = \
|
||||
libsss_debug_la_LIBADD = \
|
||||
$(SYSLOG_LIBS)
|
||||
libsss_debug_la_LDFLAGS = \
|
||||
@ -32,7 +31,7 @@ Index: sssd-2.9.2/Makefile.am
|
||||
|
||||
pkglib_LTLIBRARIES += libsss_child.la
|
||||
libsss_child_la_SOURCES = src/util/child_common.c
|
||||
@@ -965,7 +969,8 @@ libsss_child_la_LIBADD = \
|
||||
@@ -981,7 +985,8 @@ libsss_child_la_LIBADD = \
|
||||
$(DHASH_LIBS) \
|
||||
libsss_debug.la \
|
||||
$(NULL)
|
||||
@ -42,7 +41,7 @@ Index: sssd-2.9.2/Makefile.am
|
||||
|
||||
pkglib_LTLIBRARIES += libsss_crypt.la
|
||||
|
||||
@@ -1004,7 +1009,8 @@ libsss_crypt_la_LIBADD = \
|
||||
@@ -1020,7 +1025,8 @@ libsss_crypt_la_LIBADD = \
|
||||
libsss_debug.la \
|
||||
$(NULL)
|
||||
libsss_crypt_la_LDFLAGS = \
|
||||
@ -52,7 +51,7 @@ Index: sssd-2.9.2/Makefile.am
|
||||
|
||||
pkglib_LTLIBRARIES += libsss_cert.la
|
||||
|
||||
@@ -1029,8 +1035,9 @@ libsss_cert_la_LIBADD = \
|
||||
@@ -1045,8 +1051,9 @@ libsss_cert_la_LIBADD = \
|
||||
libsss_debug.la \
|
||||
$(NULL)
|
||||
libsss_cert_la_LDFLAGS = \
|
||||
@ -63,7 +62,7 @@ Index: sssd-2.9.2/Makefile.am
|
||||
|
||||
generate-sbus-code:
|
||||
$(builddir)/sbus_generate.sh $(abs_srcdir)
|
||||
@@ -1131,8 +1138,9 @@ libsss_sbus_la_CFLAGS = \
|
||||
@@ -1147,8 +1154,9 @@ libsss_sbus_la_CFLAGS = \
|
||||
$(DBUS_CFLAGS) \
|
||||
$(NULL)
|
||||
libsss_sbus_la_LDFLAGS = \
|
||||
@ -74,7 +73,7 @@ Index: sssd-2.9.2/Makefile.am
|
||||
|
||||
pkglib_LTLIBRARIES += libsss_sbus_sync.la
|
||||
libsss_sbus_sync_la_SOURCES = \
|
||||
@@ -1167,8 +1175,9 @@ libsss_sbus_sync_la_CFLAGS = \
|
||||
@@ -1183,8 +1191,9 @@ libsss_sbus_sync_la_CFLAGS = \
|
||||
$(UNICODE_LIBS) \
|
||||
$(NULL)
|
||||
libsss_sbus_sync_la_LDFLAGS = \
|
||||
@ -85,7 +84,7 @@ Index: sssd-2.9.2/Makefile.am
|
||||
|
||||
pkglib_LTLIBRARIES += libsss_iface.la
|
||||
libsss_iface_la_SOURCES = \
|
||||
@@ -1197,8 +1206,9 @@ libsss_iface_la_CFLAGS = \
|
||||
@@ -1213,8 +1222,9 @@ libsss_iface_la_CFLAGS = \
|
||||
$(DBUS_CFLAGS) \
|
||||
$(NULL)
|
||||
libsss_iface_la_LDFLAGS = \
|
||||
@ -96,7 +95,7 @@ Index: sssd-2.9.2/Makefile.am
|
||||
|
||||
pkglib_LTLIBRARIES += libsss_iface_sync.la
|
||||
libsss_iface_sync_la_SOURCES = \
|
||||
@@ -1225,8 +1235,9 @@ libsss_iface_sync_la_CFLAGS = \
|
||||
@@ -1241,8 +1251,9 @@ libsss_iface_sync_la_CFLAGS = \
|
||||
$(DBUS_CFLAGS) \
|
||||
$(NULL)
|
||||
libsss_iface_sync_la_LDFLAGS = \
|
||||
@ -107,7 +106,7 @@ Index: sssd-2.9.2/Makefile.am
|
||||
|
||||
pkglib_LTLIBRARIES += libsss_util.la
|
||||
libsss_util_la_SOURCES = \
|
||||
@@ -1322,7 +1333,8 @@ endif
|
||||
@@ -1338,7 +1349,8 @@ endif
|
||||
if BUILD_PASSKEY
|
||||
libsss_util_la_SOURCES += src/db/sysdb_passkey_user_verification.c
|
||||
endif # BUILD_PASSKEY
|
||||
@ -117,7 +116,7 @@ Index: sssd-2.9.2/Makefile.am
|
||||
|
||||
pkglib_LTLIBRARIES += libsss_semanage.la
|
||||
libsss_semanage_la_CFLAGS = \
|
||||
@@ -1341,7 +1353,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_
|
||||
@@ -1357,7 +1369,8 @@ libsss_semanage_la_LIBADD += $(SEMANAGE_LIBS)
|
||||
endif
|
||||
|
||||
libsss_semanage_la_LDFLAGS = \
|
||||
@ -127,7 +126,7 @@ Index: sssd-2.9.2/Makefile.am
|
||||
|
||||
SSSD_INTERNAL_LTLIBS = \
|
||||
libsss_util.la \
|
||||
@@ -1357,7 +1370,7 @@ lib_LTLIBRARIES = libipa_hbac.la \
|
||||
@@ -1373,7 +1386,7 @@ lib_LTLIBRARIES = libipa_hbac.la \
|
||||
$(NULL)
|
||||
|
||||
pkgconfig_DATA += src/lib/ipa_hbac/ipa_hbac.pc
|
||||
@ -136,7 +135,7 @@ Index: sssd-2.9.2/Makefile.am
|
||||
libipa_hbac_la_SOURCES = \
|
||||
src/lib/ipa_hbac/hbac_evaluator.c \
|
||||
src/util/sss_utf8.c
|
||||
@@ -1688,8 +1701,9 @@ libifp_iface_la_CFLAGS = \
|
||||
@@ -1699,8 +1712,9 @@ libifp_iface_la_CFLAGS = \
|
||||
$(DBUS_CFLAGS) \
|
||||
$(NULL)
|
||||
libifp_iface_la_LDFLAGS = \
|
||||
@ -147,7 +146,7 @@ Index: sssd-2.9.2/Makefile.am
|
||||
|
||||
pkglib_LTLIBRARIES += libifp_iface_sync.la
|
||||
libifp_iface_sync_la_SOURCES = \
|
||||
@@ -1714,8 +1728,9 @@ libifp_iface_sync_la_CFLAGS = \
|
||||
@@ -1725,8 +1739,9 @@ libifp_iface_sync_la_CFLAGS = \
|
||||
$(DBUS_CFLAGS) \
|
||||
$(NULL)
|
||||
libifp_iface_sync_la_LDFLAGS = \
|
||||
@ -158,7 +157,7 @@ Index: sssd-2.9.2/Makefile.am
|
||||
|
||||
sssd_ifp_SOURCES = \
|
||||
src/responder/ifp/ifpsrv.c \
|
||||
@@ -4314,8 +4329,9 @@ libsss_ldap_common_la_LIBADD = \
|
||||
@@ -4362,8 +4377,9 @@ libsss_ldap_common_la_LIBADD = \
|
||||
$(SSSD_INTERNAL_LTLIBS) \
|
||||
$(NULL)
|
||||
libsss_ldap_common_la_LDFLAGS = \
|
||||
@ -169,7 +168,7 @@ Index: sssd-2.9.2/Makefile.am
|
||||
if BUILD_SYSTEMTAP
|
||||
libsss_ldap_common_la_LIBADD += stap_generated_probes.lo
|
||||
endif
|
||||
@@ -4372,7 +4388,8 @@ libsss_krb5_common_la_LIBADD = \
|
||||
@@ -4420,7 +4436,8 @@ libsss_krb5_common_la_LIBADD = \
|
||||
$(SSSD_INTERNAL_LTLIBS) \
|
||||
$(NULL)
|
||||
libsss_krb5_common_la_LDFLAGS = \
|
||||
@ -179,3 +178,6 @@ Index: sssd-2.9.2/Makefile.am
|
||||
|
||||
libsss_ldap_la_SOURCES = \
|
||||
src/providers/ldap/ldap_init.c \
|
||||
--
|
||||
2.46.1
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user