diff --git a/.gitignore b/.gitignore
index ed34c5e..ba972dc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -82,3 +82,4 @@ sssd-1.2.91.tar.gz
 /sssd-1.16.2.tar.gz
 /sssd-2.0.0.tar.gz
 /sssd-2.1.0.tar.gz
+/sssd-2.2.0.tar.gz
diff --git a/0001-GPO-Add-option-ad_gpo_ignore_unreadable.patch b/0001-GPO-Add-option-ad_gpo_ignore_unreadable.patch
deleted file mode 100644
index 63ac122..0000000
--- a/0001-GPO-Add-option-ad_gpo_ignore_unreadable.patch
+++ /dev/null
@@ -1,218 +0,0 @@ -From 2f27dd9f05c2d3ed1c190ba387bc97738988efb0 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michal=20=C5=BDidek?= -Date: Wed, 17 Oct 2018 16:57:20 +0200 -Subject: [PATCH] GPO: Add option ad_gpo_ignore_unreadable - -Add option to ignore group policy containers in AD -with unreadable or missing attributes. This is -for the case when server contains GPOs that -have very strict permissions on their attributes -in AD but are unrelated to access control. - -Rather then using this option it is better to -change the permissions on the AD objects but -that may not be always possible (company policy, -not access to server etc.). - -Resolves: -https://pagure.io/SSSD/sssd/issue/3867 -CVE-2018-16838 - -Reviewed-by: Jakub Hrozek ---- - src/config/cfg_rules.ini | 1 + - src/man/sssd-ad.5.xml | 19 +++++++++++++ - src/providers/ad/ad_common.h | 1 + - src/providers/ad/ad_gpo.c | 67 +++++++++++++++++++++++++++++++++++++++++--- - src/providers/ad/ad_opts.c | 1 + - 5 files changed, 85 insertions(+), 4 deletions(-) - -diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini -index b3764bd..292aa4d 100644 ---- a/src/config/cfg_rules.ini -+++ b/src/config/cfg_rules.ini -@@ -441,6 +441,7 @@ option = ad_enabled_domains - option = ad_enable_gc - option = ad_gpo_access_control - option = ad_gpo_implicit_deny -+option = ad_gpo_ignore_unreadable - option = ad_gpo_cache_timeout - option = ad_gpo_default_right - option = ad_gpo_map_batch -diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml -index ae3279d..5c51e80 100644 ---- a/src/man/sssd-ad.5.xml -+++ b/src/man/sssd-ad.5.xml -@@ -437,6 +437,25 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example, - - - -+ -+ ad_gpo_ignore_unreadable (boolean) -+ -+ -+ Normally when some group policy containers (AD -+ object) of applicable group policy objects are -+ not readable by SSSD then users are denied access. 
-+ This option allows to ignore group policy -+ containers and with them associated policies -+ if their attributes in group policy containers -+ are not readable for SSSD. -+ -+ -+ Default: False -+ -+ -+ -+ -+ - - - ad_gpo_cache_timeout (integer) -diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h -index 662276c..4eb4101 100644 ---- a/src/providers/ad/ad_common.h -+++ b/src/providers/ad/ad_common.h -@@ -53,6 +53,7 @@ enum ad_basic_opt { - AD_ENABLE_GC, - AD_GPO_ACCESS_CONTROL, - AD_GPO_IMPLICIT_DENY, -+ AD_GPO_IGNORE_UNREADABLE, - AD_GPO_CACHE_TIMEOUT, - AD_GPO_MAP_INTERACTIVE, - AD_GPO_MAP_REMOTE_INTERACTIVE, -diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c -index 3b472e0..5f85910 100644 ---- a/src/providers/ad/ad_gpo.c -+++ b/src/providers/ad/ad_gpo.c -@@ -3603,6 +3603,7 @@ struct ad_gpo_process_gpo_state { - struct ad_access_ctx *access_ctx; - struct tevent_context *ev; - struct sdap_id_op *sdap_op; -+ struct dp_option *ad_options; - struct sdap_options *opts; - char *server_hostname; - struct sss_domain_info *host_domain; -@@ -3647,6 +3648,7 @@ ad_gpo_process_gpo_send(TALLOC_CTX *mem_ctx, - - state->ev = ev; - state->sdap_op = sdap_op; -+ state->ad_options = access_ctx->ad_options; - state->opts = opts; - state->server_hostname = server_hostname; - state->host_domain = host_domain; -@@ -3872,6 +3874,54 @@ static bool machine_ext_names_is_blank(char *attr_value) - } - - static errno_t -+ad_gpo_missing_or_unreadable_attr(struct ad_gpo_process_gpo_state *state, -+ struct tevent_req *req) -+{ -+ bool ignore_unreadable = dp_opt_get_bool(state->ad_options, -+ AD_GPO_IGNORE_UNREADABLE); -+ -+ if (ignore_unreadable) { -+ /* If admins decided to skip GPOs with unreadable -+ * attributes just log the SID of skipped GPO */ -+ DEBUG(SSSDBG_TRACE_FUNC, -+ "Group Policy Container with DN [%s] has unreadable or missing " -+ "attributes -> skipping this GPO " -+ "(ad_gpo_ignore_unreadable = True)\n", -+ 
state->candidate_gpos[state->gpo_index]->gpo_dn); -+ state->gpo_index++; -+ return ad_gpo_get_gpo_attrs_step(req); -+ } else { -+ /* Inform in logs and syslog that this GPO can -+ * not be processed due to unreadable or missing -+ * attributes and point to possible server side -+ * and client side solutions. */ -+ DEBUG(SSSDBG_CRIT_FAILURE, -+ "Group Policy Container with DN [%s] is unreadable or has " -+ "unreadable or missing attributes. In order to fix this " -+ "make sure that this AD object has following attributes " -+ "readable: nTSecurityDescriptor, cn, gPCFileSysPath, " -+ "gPCMachineExtensionNames, gPCFunctionalityVersion, flags. " -+ "Alternatively if you do not have access to the server or can " -+ "not change permissions on this object, you can use option " -+ "ad_gpo_ignore_unreadable = True which will skip this GPO." -+ "See 'man ad_gpo_ignore_unreadable for details.'\n", -+ state->candidate_gpos[state->gpo_index]->gpo_dn); -+ sss_log(SSSDBG_CRIT_FAILURE, -+ "Group Policy Container with DN [%s] is unreadable or has " -+ "unreadable or missing attributes. In order to fix this " -+ "make sure that this AD object has following attributes " -+ "readable: nTSecurityDescriptor, cn, gPCFileSysPath, " -+ "gPCMachineExtensionNames, gPCFunctionalityVersion, flags. " -+ "Alternatively if you do not have access to the server or can " -+ "not change permissions on this object, you can use option " -+ "ad_gpo_ignore_unreadable = True which will skip this GPO." 
-+ "See 'man ad_gpo_ignore_unreadable for details.'\n", -+ state->candidate_gpos[state->gpo_index]->gpo_dn); -+ return EFAULT; -+ } -+} -+ -+static errno_t - ad_gpo_sd_process_attrs(struct tevent_req *req, - char *smb_host, - struct sysdb_attrs *result) -@@ -3890,7 +3940,10 @@ ad_gpo_sd_process_attrs(struct tevent_req *req, - - /* retrieve AD_AT_CN */ - ret = sysdb_attrs_get_string(result, AD_AT_CN, &gpo_guid); -- if (ret != EOK) { -+ if (ret == ENOENT) { -+ ret = ad_gpo_missing_or_unreadable_attr(state, req); -+ goto done; -+ } else if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "sysdb_attrs_get_string failed: [%d](%s)\n", - ret, sss_strerror(ret)); -@@ -3911,7 +3964,10 @@ ad_gpo_sd_process_attrs(struct tevent_req *req, - AD_AT_FILE_SYS_PATH, - &raw_file_sys_path); - -- if (ret != EOK) { -+ if (ret == ENOENT) { -+ ret = ad_gpo_missing_or_unreadable_attr(state, req); -+ goto done; -+ } else if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "sysdb_attrs_get_string failed: [%d](%s)\n", - ret, sss_strerror(ret)); -@@ -3959,7 +4015,10 @@ ad_gpo_sd_process_attrs(struct tevent_req *req, - /* retrieve AD_AT_FLAGS */ - ret = sysdb_attrs_get_int32_t(result, AD_AT_FLAGS, - &gp_gpo->gpo_flags); -- if (ret != EOK) { -+ if (ret == ENOENT) { -+ ret = ad_gpo_missing_or_unreadable_attr(state, req); -+ goto done; -+ } else if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "sysdb_attrs_get_int32_t failed: [%d](%s)\n", - ret, sss_strerror(ret)); -@@ -3977,7 +4036,7 @@ ad_gpo_sd_process_attrs(struct tevent_req *req, - if ((ret == ENOENT) || (el->num_values == 0)) { - DEBUG(SSSDBG_OP_FAILURE, - "nt_sec_desc attribute not found or has no value\n"); -- ret = ENOENT; -+ ret = ad_gpo_missing_or_unreadable_attr(state, req); - goto done; - } - -diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c -index 9ca18c4..f2ca215 100644 ---- a/src/providers/ad/ad_opts.c -+++ b/src/providers/ad/ad_opts.c -@@ -39,6 +39,7 @@ struct dp_option ad_basic_opts[] = { - { "ad_enable_gc", DP_OPT_BOOL, 
BOOL_TRUE, BOOL_TRUE }, - { "ad_gpo_access_control", DP_OPT_STRING, { AD_GPO_ACCESS_MODE_DEFAULT }, NULL_STRING }, - { "ad_gpo_implicit_deny", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, -+ { "ad_gpo_ignore_unreadable", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, - { "ad_gpo_cache_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER }, - { "ad_gpo_map_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING }, - { "ad_gpo_map_remote_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING }, --- -2.9.5 - diff --git a/0502-SYSTEMD-Use-capabilities.patch b/0502-SYSTEMD-Use-capabilities.patch index cfc1827..8e42fce 100644 --- a/0502-SYSTEMD-Use-capabilities.patch +++ b/0502-SYSTEMD-Use-capabilities.patch @@ -15,7 +15,7 @@ index 0c515d34caaa3ea397c4c7e95eef0188df170840..252889dbb2b7b1e651966258e7b76eab @@ -11,6 +11,7 @@ ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER} Type=notify NotifyAccess=main - PIDFile=@localstatedir@/run/sssd.pid + PIDFile=@pidpath@/sssd.pid +CapabilityBoundingSet=CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_FOWNER CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND [Install] diff --git a/sources b/sources index 339e4a8..7333855 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (sssd-2.1.0.tar.gz) = 12a7e5b89d462350af3c43e15b24a437dd985ac4a2e419d5e52cc0d05c6eacb9319d39b23681595ef860120cd1ae6e5fb265054afeddcb05d3d5f5de5d6ffa63 +SHA512 (sssd-2.2.0.tar.gz) = 9ebd8784e1f0c72cb808bbc153c0b0aa9bf507938f78336a260073a89b49350dc2c6172653509738ea7a50bb9da596725e1d6c92f99c7a03308aa42f6378dbbb diff --git a/sssd.spec b/sssd.spec index fa00890..74c36ad 100644 --- a/sssd.spec +++ b/sssd.spec 
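Review bot: The refreshed 0502 hunk only rewrites the `PIDFile=` context line, and the `CapabilityBoundingSet=` line it carries on the new side still lists CAP_SYS_ADMIN next to CAP_SETUID, CAP_SETGID, CAP_DAC_READ_SEARCH, CAP_CHOWN and CAP_FOWNER, which together leave the daemon with close to full root privilege, so the bounding set hardens little on its own. Nothing in this hunk says why each capability is needed, and a downstream-only patch is the place an auditor will look; I would add a comment in the patch above that line, along the lines of `# CAP_SYS_ADMIN is required for <reason>; the remaining caps cover chown/setuid of per-service sockets and files`, with the reason filled in by whoever maintains the patch, or drop CAP_SYS_ADMIN if sssd 2.2.0 no longer needs it (I cannot tell from this diff). The embedded `index 0c515d34...` line was not refreshed with the context, which is harmless for `git apply` but will confuse a three-way apply; presumably the patch still applies with an offset, so confirm the build.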
@@ -35,15 +35,15 @@ %endif Name: sssd -Version: 2.1.0 -Release: 2%{?dist} +Version: 2.2.0 +Release: 1%{?dist} Summary: System Security Services Daemon License: GPLv3+ URL: https://pagure.io/SSSD/sssd/ Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz ### Patches ### -Patch0001: 0001-GPO-Add-option-ad_gpo_ignore_unreadable.patch +#Patch0001: ... ### Downstream only patches ### Patch0502: 0502-SYSTEMD-Use-capabilities.patch @@ -461,7 +461,7 @@ UIDs/GIDs to names and vice versa. It can be also used for mapping principal (user) name to IDs(UID or GID) or to obtain groups which user are member of. %package -n libsss_certmap -Summary: SSSD Certficate Mapping Library +Summary: SSSD Certificate Mapping Library License: LGPLv3+ Conflicts: sssd-common < %{version}-%{release} @@ -469,7 +469,7 @@ Conflicts: sssd-common < %{version}-%{release} Library to map certificates to users based on rules %package -n libsss_certmap-devel -Summary: SSSD Certficate Mapping Library +Summary: SSSD Certificate Mapping Library License: LGPLv3+ Requires: libsss_certmap = %{version}-%{release} @@ -1068,6 +1068,9 @@ fi %{_libdir}/%{name}/modules/libwbclient.so %changelog +* Mon Jun 17 2019 Michal Židek - 2.2.0-1 +- Update to latest released upstream version +- https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_2_2_0.html * Wed Mar 27 2019 Michal Židek - 2.1.0-2 - Resolves: upstream#3867 - [RFE] Need an option in SSSD so that it will skip
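Review bot: The changelog entry on the new side records only the version bump, while the same file drops `Patch0001` (the fix for CVE-2018-16838, the `ad_gpo_ignore_unreadable` GPO change) and leaves a bare `#Patch0001: ...` placeholder, so anyone auditing this package for that CVE has to go to the upstream release notes to learn whether the fix survived the rebase. I would record that in the changelog, e.g. `- Drop 0001-GPO-Add-option-ad_gpo_ignore_unreadable.patch (CVE-2018-16838), included upstream in 2.2.0` — that is presumably why it was removed, but the diff itself does not show it, so confirm against the 2.2.0 tarball before wording it that way. The placeholder comment could likewise name the CVE or upstream ticket rather than `...`, so the history of the slot is visible in the spec itself.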