Compare commits
11 Commits
Author | SHA1 | Date |
---|---|---|
Pavel Březina | 54c155f6b3 | |
Pavel Březina | 7a1369a87d | |
Pavel Březina | 4e01c65433 | |
Pavel Březina | 697d46eda6 | |
Pavel Březina | 696fad9f16 | |
Pavel Březina | d9c757ed1b | |
Pavel Březina | 16f62f98d0 | |
Pavel Březina | 89c0ae2622 | |
Pavel Březina | 0513351754 | |
Pavel Březina | bd0f5a7397 | |
Pavel Březina | f1a3a9edaf |
|
@ -88,3 +88,8 @@ sssd-1.2.91.tar.gz
|
|||
/sssd-2.2.3.tar.gz
|
||||
/sssd-2.3.0.tar.gz
|
||||
/sssd-2.3.1.tar.gz
|
||||
/sssd-2.4.0.tar.gz
|
||||
/sssd-2.4.1.tar.gz
|
||||
/sssd-2.4.2.tar.gz
|
||||
/sssd-2.5.0.tar.gz
|
||||
/sssd-2.5.1.tar.gz
|
||||
|
|
|
@ -0,0 +1,277 @@
|
|||
From 5a9a2f53ff44b1bd25a6de7c4ba91c709b63b0ba Mon Sep 17 00:00:00 2001
|
||||
From: Alexey Tikhonov <atikhono@redhat.com>
|
||||
Date: Fri, 18 Jun 2021 13:17:19 +0200
|
||||
Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of
|
||||
user supplied command
|
||||
|
||||
A flaw was found in SSSD, where the sssctl command was vulnerable
|
||||
to shell command injection via the logs-fetch and cache-expire
|
||||
subcommands. This flaw allows an attacker to trick the root user
|
||||
into running a specially crafted sssctl command, such as via sudo,
|
||||
to gain root access. The highest threat from this vulnerability is
|
||||
to confidentiality, integrity, as well as system availability.
|
||||
|
||||
:fixes: CVE-2021-3621
|
||||
---
|
||||
src/tools/sssctl/sssctl.c | 39 ++++++++++++++++-------
|
||||
src/tools/sssctl/sssctl.h | 2 +-
|
||||
src/tools/sssctl/sssctl_data.c | 57 +++++++++++-----------------------
|
||||
src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++----
|
||||
4 files changed, 73 insertions(+), 57 deletions(-)
|
||||
|
||||
diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
|
||||
index 2997dbf968acdd0b9821f726414f8ae1cf34b5d8..8adaf30910e13ea9e7c8ab8b151920c4f307427b 100644
|
||||
--- a/src/tools/sssctl/sssctl.c
|
||||
+++ b/src/tools/sssctl/sssctl.c
|
||||
@@ -97,22 +97,36 @@ sssctl_prompt(const char *message,
|
||||
return SSSCTL_PROMPT_ERROR;
|
||||
}
|
||||
|
||||
-errno_t sssctl_run_command(const char *command)
|
||||
+errno_t sssctl_run_command(const char *const argv[])
|
||||
{
|
||||
int ret;
|
||||
+ int wstatus;
|
||||
|
||||
- DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command);
|
||||
+ DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]);
|
||||
|
||||
- ret = system(command);
|
||||
+ ret = fork();
|
||||
if (ret == -1) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command);
|
||||
ERROR("Error while executing external command\n");
|
||||
return EFAULT;
|
||||
- } else if (WEXITSTATUS(ret) != 0) {
|
||||
- DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n",
|
||||
- command, WEXITSTATUS(ret));
|
||||
+ }
|
||||
+
|
||||
+ if (ret == 0) {
|
||||
+ /* cast is safe - see
|
||||
+ https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
|
||||
+ "The statement about argv[] and envp[] being constants ... "
|
||||
+ */
|
||||
+ execvp(argv[0], discard_const_p(char * const, argv));
|
||||
ERROR("Error while executing external command\n");
|
||||
- return EIO;
|
||||
+ _exit(1);
|
||||
+ } else {
|
||||
+ if (waitpid(ret, &wstatus, 0) == -1) {
|
||||
+ ERROR("Error while executing external command '%s'\n", argv[0]);
|
||||
+ return EFAULT;
|
||||
+ } else if (WEXITSTATUS(wstatus) != 0) {
|
||||
+ ERROR("Command '%s' failed with [%d]\n",
|
||||
+ argv[0], WEXITSTATUS(wstatus));
|
||||
+ return EIO;
|
||||
+ }
|
||||
}
|
||||
|
||||
return EOK;
|
||||
@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action)
|
||||
#elif defined(HAVE_SERVICE)
|
||||
switch (action) {
|
||||
case SSSCTL_SVC_START:
|
||||
- return sssctl_run_command(SERVICE_PATH" sssd start");
|
||||
+ return sssctl_run_command(
|
||||
+ (const char *[]){SERVICE_PATH, "sssd", "start", NULL});
|
||||
case SSSCTL_SVC_STOP:
|
||||
- return sssctl_run_command(SERVICE_PATH" sssd stop");
|
||||
+ return sssctl_run_command(
|
||||
+ (const char *[]){SERVICE_PATH, "sssd", "stop", NULL});
|
||||
case SSSCTL_SVC_RESTART:
|
||||
- return sssctl_run_command(SERVICE_PATH" sssd restart");
|
||||
+ return sssctl_run_command(
|
||||
+ (const char *[]){SERVICE_PATH, "sssd", "restart", NULL});
|
||||
}
|
||||
#endif
|
||||
|
||||
diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h
|
||||
index 0115b2457c48bb0b8ad8ef8fd20d6fc81bdb58b4..599ef65196fcae6454cd5b46aa7a2cf6e7cbba73 100644
|
||||
--- a/src/tools/sssctl/sssctl.h
|
||||
+++ b/src/tools/sssctl/sssctl.h
|
||||
@@ -47,7 +47,7 @@ enum sssctl_prompt_result
|
||||
sssctl_prompt(const char *message,
|
||||
enum sssctl_prompt_result defval);
|
||||
|
||||
-errno_t sssctl_run_command(const char *command);
|
||||
+errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */
|
||||
bool sssctl_start_sssd(bool force);
|
||||
bool sssctl_stop_sssd(bool force);
|
||||
bool sssctl_restart_sssd(bool force);
|
||||
diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
|
||||
index 8d79b977fdb63fd6c6c925538230bb4ca74a103b..bf2291341668590f4c600237593ea1fd8fe4e4dc 100644
|
||||
--- a/src/tools/sssctl/sssctl_data.c
|
||||
+++ b/src/tools/sssctl/sssctl_data.c
|
||||
@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force)
|
||||
}
|
||||
}
|
||||
|
||||
- ret = sssctl_run_command("sss_override user-export "
|
||||
- SSS_BACKUP_USER_OVERRIDES);
|
||||
+ ret = sssctl_run_command((const char *[]){"sss_override", "user-export",
|
||||
+ SSS_BACKUP_USER_OVERRIDES, NULL});
|
||||
if (ret != EOK) {
|
||||
ERROR("Unable to export user overrides\n");
|
||||
return ret;
|
||||
}
|
||||
|
||||
- ret = sssctl_run_command("sss_override group-export "
|
||||
- SSS_BACKUP_GROUP_OVERRIDES);
|
||||
+ ret = sssctl_run_command((const char *[]){"sss_override", "group-export",
|
||||
+ SSS_BACKUP_GROUP_OVERRIDES, NULL});
|
||||
if (ret != EOK) {
|
||||
ERROR("Unable to export group overrides\n");
|
||||
return ret;
|
||||
@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
|
||||
}
|
||||
|
||||
if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
|
||||
- ret = sssctl_run_command("sss_override user-import "
|
||||
- SSS_BACKUP_USER_OVERRIDES);
|
||||
+ ret = sssctl_run_command((const char *[]){"sss_override", "user-import",
|
||||
+ SSS_BACKUP_USER_OVERRIDES, NULL});
|
||||
if (ret != EOK) {
|
||||
ERROR("Unable to import user overrides\n");
|
||||
return ret;
|
||||
@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
|
||||
}
|
||||
|
||||
if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
|
||||
- ret = sssctl_run_command("sss_override group-import "
|
||||
- SSS_BACKUP_GROUP_OVERRIDES);
|
||||
+ ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
|
||||
+ SSS_BACKUP_GROUP_OVERRIDES, NULL});
|
||||
if (ret != EOK) {
|
||||
ERROR("Unable to import group overrides\n");
|
||||
return ret;
|
||||
@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline,
|
||||
void *pvt)
|
||||
{
|
||||
errno_t ret;
|
||||
- char *cmd_args = NULL;
|
||||
- const char *cachecmd = SSS_CACHE;
|
||||
- char *cmd = NULL;
|
||||
- int i;
|
||||
|
||||
- if (cmdline->argc == 0) {
|
||||
- ret = sssctl_run_command(cachecmd);
|
||||
- goto done;
|
||||
+ const char **args = talloc_array_size(tool_ctx,
|
||||
+ sizeof(char *),
|
||||
+ cmdline->argc + 2);
|
||||
+ if (!args) {
|
||||
+ return ENOMEM;
|
||||
}
|
||||
+ memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc);
|
||||
+ args[0] = SSS_CACHE;
|
||||
+ args[cmdline->argc + 1] = NULL;
|
||||
|
||||
- cmd_args = talloc_strdup(tool_ctx, "");
|
||||
- if (cmd_args == NULL) {
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- for (i = 0; i < cmdline->argc; i++) {
|
||||
- cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]);
|
||||
- if (i != cmdline->argc - 1) {
|
||||
- cmd_args = talloc_strdup_append(cmd_args, " ");
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args);
|
||||
- if (cmd == NULL) {
|
||||
- ret = ENOMEM;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- ret = sssctl_run_command(cmd);
|
||||
-
|
||||
-done:
|
||||
- talloc_free(cmd_args);
|
||||
- talloc_free(cmd);
|
||||
+ ret = sssctl_run_command(args);
|
||||
|
||||
+ talloc_free(args);
|
||||
return ret;
|
||||
}
|
||||
diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
|
||||
index 9ff2be05b61108414462d6e17a2c4c4887907a59..ebb2c4571caec487d29ff2d5ceaee1561e845506 100644
|
||||
--- a/src/tools/sssctl/sssctl_logs.c
|
||||
+++ b/src/tools/sssctl/sssctl_logs.c
|
||||
@@ -31,6 +31,7 @@
|
||||
#include <ldb.h>
|
||||
#include <popt.h>
|
||||
#include <stdio.h>
|
||||
+#include <glob.h>
|
||||
|
||||
#include "util/util.h"
|
||||
#include "tools/common/sss_process.h"
|
||||
@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
|
||||
{
|
||||
struct sssctl_logs_opts opts = {0};
|
||||
errno_t ret;
|
||||
+ glob_t globbuf;
|
||||
|
||||
/* Parse command line. */
|
||||
struct poptOption options[] = {
|
||||
@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
|
||||
|
||||
sss_signal(SIGHUP);
|
||||
} else {
|
||||
+ globbuf.gl_offs = 4;
|
||||
+ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
|
||||
+ if (ret != 0) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
|
||||
+ return ret;
|
||||
+ }
|
||||
+ globbuf.gl_pathv[0] = discard_const_p(char, "truncate");
|
||||
+ globbuf.gl_pathv[1] = discard_const_p(char, "--no-create");
|
||||
+ globbuf.gl_pathv[2] = discard_const_p(char, "--size");
|
||||
+ globbuf.gl_pathv[3] = discard_const_p(char, "0");
|
||||
+
|
||||
PRINT("Truncating log files...\n");
|
||||
- ret = sssctl_run_command("truncate --no-create --size 0 " LOG_FILES);
|
||||
+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
|
||||
+ globfree(&globbuf);
|
||||
if (ret != EOK) {
|
||||
ERROR("Unable to truncate log files\n");
|
||||
return ret;
|
||||
@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
|
||||
void *pvt)
|
||||
{
|
||||
const char *file;
|
||||
- const char *cmd;
|
||||
errno_t ret;
|
||||
+ glob_t globbuf;
|
||||
|
||||
/* Parse command line. */
|
||||
ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL,
|
||||
@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
|
||||
return ret;
|
||||
}
|
||||
|
||||
- cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES);
|
||||
- if (cmd == NULL) {
|
||||
- ERROR("Out of memory!");
|
||||
+ globbuf.gl_offs = 3;
|
||||
+ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
|
||||
+ if (ret != 0) {
|
||||
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
|
||||
+ return ret;
|
||||
}
|
||||
+ globbuf.gl_pathv[0] = discard_const_p(char, "tar");
|
||||
+ globbuf.gl_pathv[1] = discard_const_p(char, "-czf");
|
||||
+ globbuf.gl_pathv[2] = discard_const_p(char, file);
|
||||
|
||||
PRINT("Archiving log files into %s...\n", file);
|
||||
- ret = sssctl_run_command(cmd);
|
||||
+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
|
||||
+ globfree(&globbuf);
|
||||
if (ret != EOK) {
|
||||
ERROR("Unable to archive log files\n");
|
||||
return ret;
|
||||
--
|
||||
2.31.1
|
||||
|
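Review bot: In the new `sssctl_run_command` body carried by this patch file, the parent branch tests `WEXITSTATUS(wstatus) != 0` without first checking `WIFEXITED(wstatus)`, so a child terminated by a signal (whose exit-status bits are not meaningful) can be reported back as EOK; the check should read `} else if (!WIFEXITED(wstatus) || WEXITSTATUS(wstatus) != 0) {`. The same hunk drops the `DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute ...")` entry on fork failure, so that path now reaches the log only through `ERROR()`. Because `execvp()` resolves `argv[0]` through the caller's PATH, the `sss_override`, `truncate` and `tar` invocations in sssctl_data.c and sssctl_logs.c now depend on the invoking environment; a comment on the prototype in sssctl.h such as `/* argv[0] is resolved via PATH; pass an absolute path for fixed tools */` would make that contract explicit. In sssctl_logs.c the value returned by `glob()` is passed back as `errno_t` although glob reports GLOB_* codes rather than errno values, and with `GLOB_ERR|GLOB_DOOFFS` and no matching `*.log` file the call presumably yields GLOB_NOMATCH and an error exit rather than a no-op — worth confirming. The closing brace of sssctl_run_command lies outside its hunk.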
|
@ -1,293 +0,0 @@
|
|||
From cb9ad222358a84e2b2ea148c2950c2389f81de2c Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@redhat.com>
|
||||
Date: Mon, 27 Jul 2020 04:01:19 +0000
|
||||
Subject: [PATCH] DEBUG-TESTS: Fix warnings format not a string literal and no
|
||||
format arguments
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
e.g.
|
||||
src/tests/resolv-tests.c: In function ‘test_timeout’:
|
||||
src/tests/resolv-tests.c:942:5: error: format not a string literal and no format arguments [-Werror=format-security]
|
||||
942 | ck_leaks_pop(tmp_ctx);
|
||||
|
|
||||
|
||||
src/tests/debug-tests.c:413:9: error: format not a string literal and no format arguments [-Werror=format-security]
|
||||
413 | fail_if(result == DEBUG_TEST_NOK_TS, msg);
|
||||
| ^~~~~~~
|
||||
|
||||
src/tests/debug-tests.c: In function ‘test_debug_is_notset_timestamp_microseconds_fn’:
|
||||
src/tests/debug-tests.c:603:13: error: format not a string literal and no format arguments [-Werror=format-security]
|
||||
603 | fail(error_msg);
|
||||
|
|
||||
|
||||
src/tests/debug-tests.c: In function ‘test_debug_is_set_false_fn’:
|
||||
src/tests/debug-tests.c:671:9: error: format not a string literal and no format arguments [-Werror=format-security]
|
||||
671 | fail_unless(result == 0, msg);
|
||||
|
|
||||
---
|
||||
src/tests/common_check.h | 2 +-
|
||||
src/tests/debug-tests.c | 128 +++++++++++++++------------------------
|
||||
2 files changed, 49 insertions(+), 81 deletions(-)
|
||||
|
||||
diff --git a/src/tests/common_check.h b/src/tests/common_check.h
|
||||
index 51c3c3f49..ac92d0a74 100644
|
||||
--- a/src/tests/common_check.h
|
||||
+++ b/src/tests/common_check.h
|
||||
@@ -31,6 +31,6 @@ void ck_leak_check_setup(void);
|
||||
void ck_leak_check_teardown(void);
|
||||
|
||||
#define ck_leaks_push(ctx) check_leaks_push(ctx)
|
||||
-#define ck_leaks_pop(ctx) fail_unless(check_leaks_pop(ctx) == true, check_leaks_err_msg())
|
||||
+#define ck_leaks_pop(ctx) fail_unless(check_leaks_pop(ctx) == true, "%s", check_leaks_err_msg())
|
||||
|
||||
#endif /* __TESTS_COMMON_CHECK_H__ */
|
||||
diff --git a/src/tests/debug-tests.c b/src/tests/debug-tests.c
|
||||
index 1e78f506e..092ccf684 100644
|
||||
--- a/src/tests/debug-tests.c
|
||||
+++ b/src/tests/debug-tests.c
|
||||
@@ -55,10 +55,8 @@ START_TEST(test_debug_convert_old_level_old_format)
|
||||
for (old_level = 0; old_level < N_ELEMENTS(levels); old_level++) {
|
||||
expected_level |= levels[old_level];
|
||||
|
||||
- char *msg = NULL;
|
||||
- msg = talloc_asprintf(NULL, "Invalid conversion of %d", old_level);
|
||||
- fail_unless(debug_convert_old_level(old_level) == expected_level, msg);
|
||||
- talloc_free(msg);
|
||||
+ fail_unless(debug_convert_old_level(old_level) == expected_level,
|
||||
+ "Invalid conversion of %d", old_level);
|
||||
}
|
||||
}
|
||||
END_TEST
|
||||
@@ -343,7 +341,6 @@ START_TEST(test_debug_is_set_single_no_timestamp)
|
||||
SSSDBG_TRACE_ALL,
|
||||
SSSDBG_TRACE_LDB
|
||||
};
|
||||
- char *error_msg;
|
||||
|
||||
debug_timestamps = 0;
|
||||
debug_microseconds = 0;
|
||||
@@ -357,15 +354,13 @@ START_TEST(test_debug_is_set_single_no_timestamp)
|
||||
errno = 0;
|
||||
result = test_helper_debug_check_message(levels[i]);
|
||||
|
||||
- if (result == DEBUG_TEST_ERROR) {
|
||||
- error_msg = strerror(errno);
|
||||
- fail(error_msg);
|
||||
- }
|
||||
+ fail_if(result == DEBUG_TEST_ERROR,
|
||||
+ "Expecting DEBUG_TEST_ERROR, got: %d, error: %s",
|
||||
+ result, strerror(errno));
|
||||
|
||||
- char *msg = NULL;
|
||||
- msg = talloc_asprintf(NULL, "Test of level %#.4x failed - message don't match", levels[i]);
|
||||
- fail_unless(result == EOK, msg);
|
||||
- talloc_free(msg);
|
||||
+ fail_unless(result == EOK,
|
||||
+ "Test of level %#.4x failed - message don't match",
|
||||
+ levels[i]);
|
||||
}
|
||||
}
|
||||
END_TEST
|
||||
@@ -387,7 +382,6 @@ START_TEST(test_debug_is_set_single_timestamp)
|
||||
SSSDBG_TRACE_ALL,
|
||||
SSSDBG_TRACE_LDB
|
||||
};
|
||||
- char *error_msg;
|
||||
|
||||
debug_timestamps = 1;
|
||||
debug_microseconds = 0;
|
||||
@@ -402,20 +396,16 @@ START_TEST(test_debug_is_set_single_timestamp)
|
||||
errno = 0;
|
||||
result = test_helper_debug_check_message(levels[i]);
|
||||
|
||||
- if (result == DEBUG_TEST_ERROR) {
|
||||
- error_msg = strerror(errno);
|
||||
- fail(error_msg);
|
||||
- }
|
||||
-
|
||||
- char *msg = NULL;
|
||||
+ fail_if(result == DEBUG_TEST_ERROR,
|
||||
+ "Expecting DEBUG_TEST_ERROR, got: %d, error: %s",
|
||||
+ result, strerror(errno));
|
||||
|
||||
- msg = talloc_asprintf(NULL, "Test of level %#.4x failed - invalid timestamp", levels[i]);
|
||||
- fail_if(result == DEBUG_TEST_NOK_TS, msg);
|
||||
- talloc_free(msg);
|
||||
+ fail_if(result == DEBUG_TEST_NOK_TS,
|
||||
+ "Test of level %#.4x failed - invalid timestamp", levels[i]);
|
||||
|
||||
- msg = talloc_asprintf(NULL, "Test of level %#.4x failed - message don't match", levels[i]);
|
||||
- fail_unless(result == EOK, msg);
|
||||
- talloc_free(msg);
|
||||
+ fail_unless(result == EOK,
|
||||
+ "Test of level %#.4x failed - message don't match",
|
||||
+ levels[i]);
|
||||
}
|
||||
}
|
||||
END_TEST
|
||||
@@ -437,7 +427,6 @@ START_TEST(test_debug_is_set_single_timestamp_microseconds)
|
||||
SSSDBG_TRACE_ALL,
|
||||
SSSDBG_TRACE_LDB
|
||||
};
|
||||
- char *error_msg;
|
||||
|
||||
debug_timestamps = 1;
|
||||
debug_microseconds = 1;
|
||||
@@ -452,20 +441,16 @@ START_TEST(test_debug_is_set_single_timestamp_microseconds)
|
||||
errno = 0;
|
||||
result = test_helper_debug_check_message(levels[i]);
|
||||
|
||||
- if (result == DEBUG_TEST_ERROR) {
|
||||
- error_msg = strerror(errno);
|
||||
- fail(error_msg);
|
||||
- }
|
||||
-
|
||||
- char *msg = NULL;
|
||||
+ fail_if(result == DEBUG_TEST_ERROR,
|
||||
+ "Expecting DEBUG_TEST_ERROR, got: %d, error: %s",
|
||||
+ result, strerror(errno));
|
||||
|
||||
- msg = talloc_asprintf(NULL, "Test of level %#.4x failed - invalid timestamp", levels[i]);
|
||||
- fail_if(result == DEBUG_TEST_NOK_TS, msg);
|
||||
- talloc_free(msg);
|
||||
+ fail_if(result == DEBUG_TEST_NOK_TS,
|
||||
+ "Test of level %#.4x failed - invalid timestamp", levels[i]);
|
||||
|
||||
- msg = talloc_asprintf(NULL, "Test of level %#.4x failed - message don't match", levels[i]);
|
||||
- fail_unless(result == EOK, msg);
|
||||
- talloc_free(msg);
|
||||
+ fail_unless(result == EOK,
|
||||
+ "Test of level %#.4x failed - message don't match",
|
||||
+ levels[i]);
|
||||
}
|
||||
}
|
||||
END_TEST
|
||||
@@ -488,7 +473,6 @@ START_TEST(test_debug_is_notset_no_timestamp)
|
||||
SSSDBG_TRACE_ALL,
|
||||
SSSDBG_TRACE_LDB
|
||||
};
|
||||
- char *error_msg;
|
||||
|
||||
debug_timestamps = 0;
|
||||
debug_microseconds = 0;
|
||||
@@ -503,17 +487,13 @@ START_TEST(test_debug_is_notset_no_timestamp)
|
||||
errno = 0;
|
||||
result = test_helper_debug_is_empty_message(levels[i]);
|
||||
|
||||
- if (result == DEBUG_TEST_ERROR) {
|
||||
- error_msg = strerror(errno);
|
||||
- fail(error_msg);
|
||||
- }
|
||||
+ fail_if(result == DEBUG_TEST_ERROR,
|
||||
+ "Expecting DEBUG_TEST_ERROR, got: %d, error: %s",
|
||||
+ result, strerror(errno));
|
||||
|
||||
- char *msg = NULL;
|
||||
- msg = talloc_asprintf(NULL,
|
||||
- "Test of level %#.4x failed - message has been written",
|
||||
- levels[i]);
|
||||
- fail_unless(result == EOK, msg);
|
||||
- talloc_free(msg);
|
||||
+ fail_unless(result == EOK,
|
||||
+ "Test of level %#.4x failed - message has been written",
|
||||
+ levels[i]);
|
||||
}
|
||||
}
|
||||
END_TEST
|
||||
@@ -536,7 +516,6 @@ START_TEST(test_debug_is_notset_timestamp)
|
||||
SSSDBG_TRACE_ALL,
|
||||
SSSDBG_TRACE_LDB
|
||||
};
|
||||
- char *error_msg;
|
||||
|
||||
debug_timestamps = 0;
|
||||
debug_microseconds = 0;
|
||||
@@ -551,17 +530,13 @@ START_TEST(test_debug_is_notset_timestamp)
|
||||
errno = 0;
|
||||
result = test_helper_debug_is_empty_message(levels[i]);
|
||||
|
||||
- if (result == DEBUG_TEST_ERROR) {
|
||||
- error_msg = strerror(errno);
|
||||
- fail(error_msg);
|
||||
- }
|
||||
+ fail_if(result == DEBUG_TEST_ERROR,
|
||||
+ "Expecting DEBUG_TEST_ERROR, got: %d, error: %s",
|
||||
+ result, strerror(errno));
|
||||
|
||||
- char *msg = NULL;
|
||||
- msg = talloc_asprintf(NULL,
|
||||
- "Test of level %#.4x failed - message has been written",
|
||||
- levels[i]);
|
||||
- fail_unless(result == EOK, msg);
|
||||
- talloc_free(msg);
|
||||
+ fail_unless(result == EOK,
|
||||
+ "Test of level %#.4x failed - message has been written",
|
||||
+ levels[i]);
|
||||
}
|
||||
}
|
||||
END_TEST
|
||||
@@ -584,7 +559,6 @@ START_TEST(test_debug_is_notset_timestamp_microseconds)
|
||||
SSSDBG_TRACE_ALL,
|
||||
SSSDBG_TRACE_LDB
|
||||
};
|
||||
- char *error_msg;
|
||||
|
||||
debug_timestamps = 0;
|
||||
debug_microseconds = 1;
|
||||
@@ -598,17 +572,13 @@ START_TEST(test_debug_is_notset_timestamp_microseconds)
|
||||
errno = 0;
|
||||
result = test_helper_debug_is_empty_message(levels[i]);
|
||||
|
||||
- if (result == DEBUG_TEST_ERROR) {
|
||||
- error_msg = strerror(errno);
|
||||
- fail(error_msg);
|
||||
- }
|
||||
+ fail_if(result == DEBUG_TEST_ERROR,
|
||||
+ "Expecting DEBUG_TEST_ERROR, got: %d, error: %s",
|
||||
+ result, strerror(errno));
|
||||
|
||||
- char *msg = NULL;
|
||||
- msg = talloc_asprintf(NULL,
|
||||
- "Test of level %#.4x failed - message has been written",
|
||||
- levels[i]);
|
||||
- fail_unless(result == EOK, msg);
|
||||
- talloc_free(msg);
|
||||
+ fail_unless(result == EOK,
|
||||
+ "Test of level %#.4x failed - message has been written",
|
||||
+ levels[i]);
|
||||
}
|
||||
}
|
||||
END_TEST
|
||||
@@ -635,10 +605,9 @@ START_TEST(test_debug_is_set_true)
|
||||
|
||||
for (i = 0; i < N_ELEMENTS(levels); i++) {
|
||||
result = DEBUG_IS_SET(levels[i]);
|
||||
- char *msg = NULL;
|
||||
- msg = talloc_asprintf(NULL, "Test of level %#.4x failed - result is 0x%.4x", levels[i], result);
|
||||
- fail_unless(result > 0, msg);
|
||||
- talloc_free(msg);
|
||||
+ fail_unless(result > 0,
|
||||
+ "Test of level %#.4x failed - result is 0x%.4x",
|
||||
+ levels[i], result);
|
||||
}
|
||||
}
|
||||
END_TEST
|
||||
@@ -666,10 +635,9 @@ START_TEST(test_debug_is_set_false)
|
||||
debug_level = all_set & ~levels[i];
|
||||
|
||||
result = DEBUG_IS_SET(levels[i]);
|
||||
- char *msg = NULL;
|
||||
- msg = talloc_asprintf(NULL, "Test of level %#.4x failed - result is 0x%.4x", levels[i], result);
|
||||
- fail_unless(result == 0, msg);
|
||||
- talloc_free(msg);
|
||||
+ fail_unless(result == 0,
|
||||
+ "Test of level %#.4x failed - result is 0x%.4x",
|
||||
+ levels[i], result);
|
||||
}
|
||||
}
|
||||
END_TEST
|
||||
--
|
||||
2.28.0.rc2
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
From 565ef3ffcaaef69a768b6a341777c339217bbbab Mon Sep 17 00:00:00 2001
|
||||
From: Lukas Slebodnik <lslebodn@fedoraproject.org>
|
||||
Date: Mon, 12 Dec 2016 21:56:16 +0100
|
||||
Subject: [PATCH] SYSTEMD: Use capabilities
|
||||
|
||||
copied from selinux policy
|
||||
---
|
||||
src/sysv/systemd/sssd.service.in | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
|
||||
index 0c515d34caaa3ea397c4c7e95eef0188df170840..252889dbb2b7b1e651966258e7b76eab38357e76 100644
|
||||
--- a/src/sysv/systemd/sssd.service.in
|
||||
+++ b/src/sysv/systemd/sssd.service.in
|
||||
@@ -11,6 +11,7 @@ ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
|
||||
Type=notify
|
||||
NotifyAccess=main
|
||||
PIDFile=@pidpath@/sssd.pid
|
||||
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_FOWNER CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND
|
||||
Restart=on-failure
|
||||
|
||||
[Install]
|
||||
--
|
||||
2.15.1
|
||||
|
2
sources
2
sources
|
@ -1 +1 @@
|
|||
SHA512 (sssd-2.3.1.tar.gz) = 6aeb52d5222c5992d581296996749327bcaf276e4eb4413a6a32ea6529343432cfe413006aca4245c19b38b515be1c4c2ef88a157c617d889274179253355bc6
|
||||
SHA512 (sssd-2.5.1.tar.gz) = 7441df3b5f1cc1eadb0c6853b048d780ecb36761876aaeb26b9a2d87729211d3ceeae01085dc3ec4fd1c5328f951c8abe854b1d01d91fae25466f930fe16e44a
|
||||
|
|
396
sssd.spec
396
sssd.spec
|
@ -1,56 +1,51 @@
|
|||
%global rhel7_minor %(%{__grep} -o "7.[0-9]*" /etc/redhat-release |%{__sed} -s 's/7.//')
|
||||
# SSSD SPEC file for Fedora 34+ and RHEL-9+
|
||||
|
||||
# define SSSD user
|
||||
%if 0%{?rhel}
|
||||
%global sssd_user sssd
|
||||
%else
|
||||
%global sssd_user root
|
||||
%endif
|
||||
|
||||
# Set setuid bit on child helpers if we support non-root user.
|
||||
%if "%{sssd_user}" == "root"
|
||||
%global child_attrs 0750
|
||||
%else
|
||||
%global child_attrs 4750
|
||||
%endif
|
||||
|
||||
# we don't want to provide private python extension libs
|
||||
%define __provides_exclude_from %{python3_sitearch}/.*\.so$
|
||||
|
||||
# SSSD fails to build with -Wl,-z,defs
|
||||
%undefine _strict_symbol_defs_build
|
||||
|
||||
%define _hardened_build 1
|
||||
|
||||
%global enable_polkit_rules_option --disable-polkit-rules-path
|
||||
|
||||
# Determine the location of the LDB modules directory
|
||||
%global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
|
||||
%global ldb_version 1.2.0
|
||||
|
||||
%global with_cifs_utils_plugin 1
|
||||
|
||||
%global enable_systemtap 1
|
||||
%global enable_systemtap_opt --enable-systemtap
|
||||
|
||||
%global with_kcm 1
|
||||
|
||||
%global with_gdm_pam_extensions 1
|
||||
|
||||
%if (0%{?fedora} > 28) || (0%{?rhel} > 7)
|
||||
%global use_openssl 1
|
||||
%endif
|
||||
%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
|
||||
|
||||
Name: sssd
|
||||
Version: 2.3.1
|
||||
Release: 4%{?dist}
|
||||
Version: 2.5.1
|
||||
Release: 2%{?dist}
|
||||
Summary: System Security Services Daemon
|
||||
License: GPLv3+
|
||||
URL: https://github.com/SSSD/sssd/
|
||||
Source0: https://github.com/SSSD/sssd/releases/download/sssd-2_3_1/sssd-2.3.1.tar.gz
|
||||
Source0: https://github.com/SSSD/sssd/releases/download/2.5.1/sssd-2.5.1.tar.gz
|
||||
|
||||
### Patches ###
|
||||
Patch0001: 0001-fix-compilation-with-check-0.15.1.patch
|
||||
Patch0002: 0002-DEBUG-TESTS-Fix-warnings-format-not-a-string-literal.patch
|
||||
|
||||
### Downstream only patches ###
|
||||
Patch0502: 0502-SYSTEMD-Use-capabilities.patch
|
||||
|
||||
Patch0001: 0001-TOOLS-replace-system-with-execvp.patch
|
||||
|
||||
### Dependencies ###
|
||||
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
Requires: sssd-ldap = %{version}-%{release}
|
||||
Requires: sssd-krb5 = %{version}-%{release}
|
||||
Requires: sssd-ipa = %{version}-%{release}
|
||||
Requires: sssd-ad = %{version}-%{release}
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
Requires: sssd-ipa = %{version}-%{release}
|
||||
Requires: sssd-krb5 = %{version}-%{release}
|
||||
Requires: sssd-ldap = %{version}-%{release}
|
||||
Recommends: sssd-proxy = %{version}-%{release}
|
||||
Recommends: logrotate
|
||||
Suggests: python3-sssdconfig = %{version}-%{release}
|
||||
Suggests: sssd-dbus = %{version}-%{release}
|
||||
|
||||
|
@ -67,89 +62,80 @@ Suggests: sssd-dbus = %{version}-%{release}
|
|||
|
||||
### Build Dependencies ###
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
BuildRequires: libtool
|
||||
BuildRequires: m4
|
||||
BuildRequires: gcc
|
||||
BuildRequires: popt-devel
|
||||
BuildRequires: libtalloc-devel
|
||||
BuildRequires: libtevent-devel
|
||||
BuildRequires: libtdb-devel
|
||||
BuildRequires: libldb-devel >= %{ldb_version}
|
||||
BuildRequires: libdhash-devel >= 0.4.2
|
||||
BuildRequires: libcollection-devel
|
||||
BuildRequires: libini_config-devel >= 1.1
|
||||
BuildRequires: dbus-devel
|
||||
BuildRequires: dbus-libs
|
||||
BuildRequires: openldap-devel
|
||||
BuildRequires: pam-devel
|
||||
BuildRequires: nss-devel
|
||||
BuildRequires: nspr-devel
|
||||
BuildRequires: pcre-devel
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: libxml2
|
||||
BuildRequires: docbook-style-xsl
|
||||
BuildRequires: krb5-devel
|
||||
BuildRequires: bind-utils
|
||||
BuildRequires: c-ares-devel
|
||||
BuildRequires: python3-devel
|
||||
BuildRequires: check-devel
|
||||
BuildRequires: cifs-utils-devel
|
||||
BuildRequires: dbus-devel
|
||||
BuildRequires: docbook-style-xsl
|
||||
BuildRequires: doxygen
|
||||
BuildRequires: findutils
|
||||
BuildRequires: gcc
|
||||
BuildRequires: gdm-pam-extensions-devel
|
||||
BuildRequires: gettext-devel
|
||||
BuildRequires: glib2-devel
|
||||
# required for p11_child smartcard tests
|
||||
BuildRequires: gnutls-utils
|
||||
BuildRequires: jansson-devel
|
||||
BuildRequires: keyutils-libs-devel
|
||||
BuildRequires: krb5-devel
|
||||
BuildRequires: libcmocka-devel >= 1.0.0
|
||||
BuildRequires: libdhash-devel >= 0.4.2
|
||||
BuildRequires: libini_config-devel >= 1.1
|
||||
BuildRequires: libldb-devel >= %{ldb_version}
|
||||
BuildRequires: libnfsidmap-devel
|
||||
BuildRequires: libnl3-devel
|
||||
BuildRequires: libselinux-devel
|
||||
BuildRequires: libsemanage-devel
|
||||
BuildRequires: bind-utils
|
||||
BuildRequires: keyutils-libs-devel
|
||||
BuildRequires: gettext-devel
|
||||
BuildRequires: pkgconfig
|
||||
BuildRequires: diffstat
|
||||
BuildRequires: findutils
|
||||
BuildRequires: glib2-devel
|
||||
BuildRequires: selinux-policy-targeted
|
||||
BuildRequires: libcmocka-devel >= 1.0.0
|
||||
BuildRequires: uid_wrapper
|
||||
BuildRequires: nss_wrapper
|
||||
BuildRequires: pam_wrapper
|
||||
BuildRequires: libnl3-devel
|
||||
BuildRequires: systemd-devel
|
||||
BuildRequires: systemd
|
||||
BuildRequires: cifs-utils-devel
|
||||
BuildRequires: libnfsidmap-devel
|
||||
BuildRequires: samba4-devel
|
||||
BuildRequires: libsmbclient-devel
|
||||
BuildRequires: samba-winbind
|
||||
BuildRequires: systemtap-sdt-devel
|
||||
BuildRequires: http-parser-devel
|
||||
BuildRequires: libtalloc-devel
|
||||
BuildRequires: libtdb-devel
|
||||
BuildRequires: libtevent-devel
|
||||
BuildRequires: libtool
|
||||
BuildRequires: libuuid-devel
|
||||
BuildRequires: jansson-devel
|
||||
BuildRequires: libcurl-devel
|
||||
BuildRequires: gdm-pam-extensions-devel
|
||||
%if (0%{?use_openssl} == 1)
|
||||
BuildRequires: p11-kit-devel
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: gnutls-utils
|
||||
BuildRequires: softhsm >= 2.1.0
|
||||
%endif
|
||||
BuildRequires: openssl
|
||||
BuildRequires: libxml2
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: m4
|
||||
BuildRequires: make
|
||||
BuildRequires: nss_wrapper
|
||||
BuildRequires: openldap-devel
|
||||
BuildRequires: openssh
|
||||
BuildRequires: nss-tools
|
||||
# required for p11_child smartcard tests
|
||||
BuildRequires: openssl
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: p11-kit-devel
|
||||
BuildRequires: pam_wrapper
|
||||
BuildRequires: pam-devel
|
||||
BuildRequires: pcre2-devel
|
||||
BuildRequires: pkgconfig
|
||||
BuildRequires: popt-devel
|
||||
BuildRequires: python3-devel
|
||||
BuildRequires: samba-devel
|
||||
# required for idmap_sss.so
|
||||
BuildRequires: samba-winbind
|
||||
BuildRequires: selinux-policy-targeted
|
||||
# required for p11_child smartcard tests
|
||||
BuildRequires: softhsm >= 2.1.0
|
||||
BuildRequires: systemd-devel
|
||||
BuildRequires: systemtap-sdt-devel
|
||||
BuildRequires: uid_wrapper
|
||||
BuildRequires: po4a
|
||||
|
||||
%description
|
||||
Provides a set of daemons to manage access to remote directories and
|
||||
authentication mechanisms. It provides an NSS and PAM interface toward
|
||||
the system and a plug-gable back-end system to connect to multiple different
|
||||
the system and a pluggable back end system to connect to multiple different
|
||||
account sources. It is also the basis to provide client auditing and policy
|
||||
services for projects like FreeIPA.
|
||||
|
||||
The sssd sub-package is a meta-package that contains the daemon as well as all
|
||||
The sssd subpackage is a meta-package that contains the daemon as well as all
|
||||
the existing back ends.
|
||||
|
||||
%package common
|
||||
Summary: Common files for the SSSD
|
||||
License: GPLv3+
|
||||
# Conflicts
|
||||
Conflicts: selinux-policy < 3.10.0-46
|
||||
Conflicts: sssd < 1.10.0-8%{?dist}.beta2
|
||||
# Requires
|
||||
# due to ABI changes in 1.1.30/1.2.0
|
||||
Requires: libldb >= %{ldb_version}
|
||||
|
@ -158,6 +144,10 @@ Recommends: libsss_sudo = %{version}-%{release}
|
|||
Recommends: libsss_autofs%{?_isa} = %{version}-%{release}
|
||||
Recommends: sssd-nfs-idmap = %{version}-%{release}
|
||||
Requires: libsss_idmap = %{version}-%{release}
|
||||
Requires: libsss_certmap = %{version}-%{release}
|
||||
%if 0%{?rhel}
|
||||
Requires(pre): shadow-utils
|
||||
%endif
|
||||
%{?systemd_requires}
|
||||
|
||||
### Provides ###
|
||||
|
@ -167,12 +157,13 @@ Obsoletes: libsss_sudo-devel <= 1.10.0-7%{?dist}.beta1
|
|||
%description common
|
||||
Common files for the SSSD. The common package includes all the files needed
|
||||
to run a particular back end, however, the back ends are packaged in separate
|
||||
sub-packages such as sssd-ldap.
|
||||
subpackages such as sssd-ldap.
|
||||
|
||||
%package client
|
||||
Summary: SSSD Client libraries for NSS and PAM
|
||||
License: LGPLv3+
|
||||
Requires(post): /sbin/ldconfig
|
||||
Requires: libsss_nss_idmap = %{version}-%{release}
|
||||
Requires: libsss_idmap = %{version}-%{release}
|
||||
Requires(post): /usr/sbin/alternatives
|
||||
Requires(preun): /usr/sbin/alternatives
|
||||
|
||||
|
@ -203,6 +194,7 @@ Requires: sssd-common = %{version}-%{release}
|
|||
# required by sss_obfuscate
|
||||
Requires: python3-sss = %{version}-%{release}
|
||||
Requires: python3-sssdconfig = %{version}-%{release}
|
||||
Requires: libsss_certmap = %{version}-%{release}
|
||||
Recommends: sssd-dbus
|
||||
|
||||
%description tools
|
||||
|
@ -249,9 +241,10 @@ Provides python3 module for calculating the murmur hash version 3
|
|||
%package ldap
|
||||
Summary: The LDAP back end of the SSSD
|
||||
License: GPLv3+
|
||||
Conflicts: sssd < 1.10.0-8.beta2
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
Requires: sssd-krb5-common = %{version}-%{release}
|
||||
Requires: libsss_idmap = %{version}-%{release}
|
||||
Requires: libsss_certmap = %{version}-%{release}
|
||||
|
||||
%description ldap
|
||||
Provides the LDAP back end that the SSSD can utilize to fetch identity data
|
||||
|
@ -260,7 +253,6 @@ from and authenticate against an LDAP server.
|
|||
%package krb5-common
|
||||
Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
|
||||
License: GPLv3+
|
||||
Conflicts: sssd < 1.10.0-8.beta2
|
||||
Requires: cyrus-sasl-gssapi%{?_isa}
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
|
||||
|
@ -271,7 +263,6 @@ Kerberos user or host authentication.
|
|||
%package krb5
|
||||
Summary: The Kerberos authentication back end for the SSSD
|
||||
License: GPLv3+
|
||||
Conflicts: sssd < 1.10.0-8.beta2
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
Requires: sssd-krb5-common = %{version}-%{release}
|
||||
|
||||
|
@ -283,6 +274,7 @@ against a Kerberos server.
|
|||
Summary: Common files needed for supporting PAC processing
|
||||
License: GPLv3+
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
Requires: libsss_idmap = %{version}-%{release}
|
||||
|
||||
%description common-pac
|
||||
Provides common files needed by SSSD providers such as IPA and Active Directory
|
||||
|
@ -291,12 +283,14 @@ for handling Kerberos PACs.
|
|||
%package ipa
|
||||
Summary: The IPA back end of the SSSD
|
||||
License: GPLv3+
|
||||
Conflicts: sssd < 1.10.0-8.beta2
|
||||
Requires: samba-client-libs >= %{samba_package_version}
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
Requires: sssd-krb5-common = %{version}-%{release}
|
||||
Requires: libipa_hbac%{?_isa} = %{version}-%{release}
|
||||
Requires: libsss_certmap = %{version}-%{release}
|
||||
Recommends: bind-utils
|
||||
Requires: sssd-common-pac = %{version}-%{release}
|
||||
Requires: libsss_idmap = %{version}-%{release}
|
||||
|
||||
%description ipa
|
||||
Provides the IPA back end that the SSSD can utilize to fetch identity data
|
||||
|
@ -305,10 +299,12 @@ from and authenticate against an IPA server.
|
|||
%package ad
|
||||
Summary: The AD back end of the SSSD
|
||||
License: GPLv3+
|
||||
Conflicts: sssd < 1.10.0-8.beta2
|
||||
Requires: samba-client-libs >= %{samba_package_version}
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
Requires: sssd-krb5-common = %{version}-%{release}
|
||||
Requires: sssd-common-pac = %{version}-%{release}
|
||||
Requires: libsss_idmap = %{version}-%{release}
|
||||
Requires: libsss_certmap = %{version}-%{release}
|
||||
Recommends: bind-utils
|
||||
Recommends: adcli
|
||||
Suggests: sssd-winbind-idmap = %{version}-%{release}
|
||||
|
@ -320,7 +316,6 @@ identity data from and authenticate against an Active Directory server.
|
|||
%package proxy
|
||||
Summary: The proxy back end of the SSSD
|
||||
License: GPLv3+
|
||||
Conflicts: sssd < 1.10.0-8.beta2
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
|
||||
%description proxy
|
||||
|
@ -402,6 +397,19 @@ Requires: sssd-common = %{version}-%{release}
|
|||
Provides the D-Bus responder of the SSSD, called the InfoPipe, that allows
|
||||
the information from the SSSD to be transmitted over the system bus.
|
||||
|
||||
%if 0%{?rhel}
|
||||
%package polkit-rules
|
||||
Summary: Rules for polkit integration for SSSD
|
||||
Group: Applications/System
|
||||
License: GPLv3+
|
||||
Requires: polkit >= 0.106
|
||||
Requires: sssd-common = %{version}-%{release}
|
||||
|
||||
%description polkit-rules
|
||||
Provides rules for polkit integration with SSSD. This is required
|
||||
for smartcard support.
|
||||
%endif
|
||||
|
||||
%package -n libsss_simpleifp
|
||||
Summary: The SSSD D-Bus responder helper library
|
||||
License: GPLv3+
|
||||
|
@ -422,6 +430,8 @@ Provides library that simplifies D-Bus API for the SSSD InfoPipe responder.
|
|||
%package winbind-idmap
|
||||
Summary: SSSD's idmap_sss Backend for Winbind
|
||||
License: GPLv3+ and LGPLv3+
|
||||
Requires: libsss_nss_idmap = %{version}-%{release}
|
||||
Requires: libsss_idmap = %{version}-%{release}
|
||||
Conflicts: sssd-common < %{version}-%{release}
|
||||
|
||||
%description winbind-idmap
|
||||
|
@ -465,62 +475,38 @@ An implementation of a Kerberos KCM server. Use this package if you want to
|
|||
use the KCM: Kerberos credentials cache.
|
||||
|
||||
%prep
|
||||
# Update timestamps on the files touched by a patch, to avoid non-equal
|
||||
# .pyc/.pyo files across the multilib peers within a build, where "Level"
|
||||
# is the patch prefix option (e.g. -p1)
|
||||
# Taken from specfile for python-simplejson
|
||||
UpdateTimestamps() {
|
||||
Level=$1
|
||||
PatchFile=$2
|
||||
|
||||
# Locate the affected files:
|
||||
for f in $(diffstat $Level -l $PatchFile); do
|
||||
# Set the files to have the same timestamp as that of the patch:
|
||||
touch -r $PatchFile $f
|
||||
done
|
||||
}
|
||||
|
||||
%setup -q
|
||||
|
||||
for p in %patches ; do
|
||||
%__patch -p1 -i $p
|
||||
UpdateTimestamps -p1 $p
|
||||
done
|
||||
%autosetup -p1
|
||||
|
||||
%build
|
||||
# This package uses -Wl,-wrap to wrap calls at link time. This is incompatible
|
||||
# with LTO.
|
||||
# Disable LTO
|
||||
%define _lto_cflags %{nil}
|
||||
|
||||
autoreconf -ivf
|
||||
|
||||
%configure \
|
||||
--with-test-dir=/dev/shm \
|
||||
--with-db-path=%{dbpath} \
|
||||
--with-mcache-path=%{mcpath} \
|
||||
--with-pipe-path=%{pipepath} \
|
||||
--with-pubconf-path=%{pubconfpath} \
|
||||
--with-gpo-cache-path=%{gpocachepath} \
|
||||
--with-init-dir=%{_initrddir} \
|
||||
--with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \
|
||||
--with-pid-path=%{_rundir} \
|
||||
--disable-rpath \
|
||||
--disable-static \
|
||||
--enable-gss-spnego-for-zero-maxssf \
|
||||
--enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \
|
||||
--enable-nsslibdir=%{_libdir} \
|
||||
--enable-pammoddir=%{_libdir}/security \
|
||||
--enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \
|
||||
--disable-static \
|
||||
--disable-rpath \
|
||||
--with-initscript=systemd \
|
||||
--with-syslog=journald \
|
||||
--without-python2-bindings \
|
||||
%if (0%{?use_openssl} == 1)
|
||||
--with-crypto=libcrypto \
|
||||
%endif
|
||||
--enable-sss-default-nss-plugin \
|
||||
--enable-systemtap \
|
||||
--with-db-path=%{dbpath} \
|
||||
--with-gpo-cache-path=%{gpocachepath} \
|
||||
--with-init-dir=%{_initrddir} \
|
||||
--with-initscript=systemd \
|
||||
--with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \
|
||||
--with-mcache-path=%{mcpath} \
|
||||
--with-pid-path=%{_rundir} \
|
||||
--with-pipe-path=%{pipepath} \
|
||||
--with-pubconf-path=%{pubconfpath} \
|
||||
--with-sssd-user=%{sssd_user} \
|
||||
--with-syslog=journald \
|
||||
--with-test-dir=/dev/shm \
|
||||
%if 0%{?fedora}
|
||||
--enable-files-domain \
|
||||
--enable-gss-spnego-for-zero-maxssf \
|
||||
%{?with_cifs_utils_plugin_option} \
|
||||
%{?enable_systemtap_opt}
|
||||
--disable-polkit-rules-path \
|
||||
%endif
|
||||
%{nil}
|
||||
|
||||
%make_build all docs runstatedir=%{_rundir}
|
||||
|
||||
|
@ -710,36 +696,32 @@ done
|
|||
|
||||
%dir %{sssdstatedir}
|
||||
%dir %{_localstatedir}/cache/krb5rcache
|
||||
%attr(700,root,root) %dir %{dbpath}
|
||||
%attr(775,root,root) %dir %{mcpath}
|
||||
%attr(700,%{sssd_user},%{sssd_user}) %dir %{dbpath}
|
||||
%attr(775,%{sssd_user},%{sssd_user}) %dir %{mcpath}
|
||||
%attr(700,root,root) %dir %{secdbpath}
|
||||
%attr(751,root,root) %dir %{deskprofilepath}
|
||||
%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/passwd
|
||||
%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/group
|
||||
%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/initgroups
|
||||
%attr(755,root,root) %dir %{pipepath}
|
||||
%attr(700,root,root) %dir %{pipepath}/private
|
||||
%attr(755,root,root) %dir %{pubconfpath}
|
||||
%attr(755,root,root) %dir %{gpocachepath}
|
||||
%attr(750,root,root) %dir %{_var}/log/%{name}
|
||||
%attr(700,root,root) %dir %{_sysconfdir}/sssd
|
||||
%attr(711,root,root) %dir %{_sysconfdir}/sssd/conf.d
|
||||
%if (0%{?use_openssl} == 1)
|
||||
%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/passwd
|
||||
%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/group
|
||||
%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/initgroups
|
||||
%attr(755,%{sssd_user},%{sssd_user}) %dir %{pipepath}
|
||||
%attr(750,%{sssd_user},root) %dir %{pipepath}/private
|
||||
%attr(755,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}
|
||||
%attr(755,%{sssd_user},%{sssd_user}) %dir %{gpocachepath}
|
||||
%attr(750,%{sssd_user},%{sssd_user}) %dir %{_var}/log/%{name}
|
||||
%attr(700,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd
|
||||
%attr(711,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/conf.d
|
||||
%attr(711,root,root) %dir %{_sysconfdir}/sssd/pki
|
||||
%endif
|
||||
%ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
|
||||
%dir %{_sysconfdir}/logrotate.d
|
||||
%config(noreplace) %{_sysconfdir}/logrotate.d/sssd
|
||||
%dir %{_sysconfdir}/rwtab.d
|
||||
%config(noreplace) %{_sysconfdir}/rwtab.d/sssd
|
||||
%dir %{_datadir}/sssd
|
||||
%{_sysconfdir}/pam.d/sssd-shadowutils
|
||||
%config(noreplace) %{_sysconfdir}/pam.d/sssd-shadowutils
|
||||
%dir %{_libdir}/%{name}/conf
|
||||
%{_libdir}/%{name}/conf/sssd.conf
|
||||
|
||||
%{_datadir}/sssd/cfg_rules.ini
|
||||
%{_datadir}/sssd/sssd.api.conf
|
||||
%{_datadir}/sssd/sssd.api.d
|
||||
%{_mandir}/man1/sss_ssh_authorizedkeys.1*
|
||||
%{_mandir}/man1/sss_ssh_knownhostsproxy.1*
|
||||
%{_mandir}/man5/sssd.conf.5*
|
||||
|
@ -760,6 +742,10 @@ done
|
|||
%{_datadir}/systemtap/tapset/sssd_functions.stp
|
||||
%{_mandir}/man5/sssd-systemtap.5*
|
||||
|
||||
%if 0%{?rhel}
|
||||
%files polkit-rules
|
||||
%{_datadir}/polkit-1/rules.d/*
|
||||
%endif
|
||||
|
||||
%files ldap -f sssd_ldap.lang
|
||||
%license COPYING
|
||||
|
@ -769,9 +755,9 @@ done
|
|||
|
||||
%files krb5-common
|
||||
%license COPYING
|
||||
%attr(755,root,root) %dir %{pubconfpath}/krb5.include.d
|
||||
%{_libexecdir}/%{servicename}/ldap_child
|
||||
%{_libexecdir}/%{servicename}/krb5_child
|
||||
%attr(755,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d
|
||||
%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/ldap_child
|
||||
%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/krb5_child
|
||||
|
||||
%files krb5 -f sssd_krb5.lang
|
||||
%license COPYING
|
||||
|
@ -784,9 +770,9 @@ done
|
|||
|
||||
%files ipa -f sssd_ipa.lang
|
||||
%license COPYING
|
||||
%attr(700,root,root) %dir %{keytabdir}
|
||||
%attr(700,%{sssd_user},%{sssd_user}) %dir %{keytabdir}
|
||||
%{_libdir}/%{name}/libsss_ipa.so
|
||||
%{_libexecdir}/%{servicename}/selinux_child
|
||||
%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/selinux_child
|
||||
%{_mandir}/man5/sssd-ipa.5*
|
||||
|
||||
%files ad -f sssd_ad.lang
|
||||
|
@ -797,7 +783,7 @@ done
|
|||
|
||||
%files proxy
|
||||
%license COPYING
|
||||
%{_libexecdir}/%{servicename}/proxy_child
|
||||
%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/proxy_child
|
||||
%{_libdir}/%{name}/libsss_proxy.so
|
||||
|
||||
%files dbus -f sssd_dbus.lang
|
||||
|
@ -823,6 +809,7 @@ done
|
|||
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
|
||||
%{_libdir}/libnss_sss.so.2
|
||||
%{_libdir}/security/pam_sss.so
|
||||
%{_libdir}/security/pam_sss_gss.so
|
||||
%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
|
||||
%{_libdir}/krb5/plugins/authdata/sssd_pac_plugin.so
|
||||
%dir %{_libdir}/cifs-utils
|
||||
|
@ -833,6 +820,7 @@ done
|
|||
%dir %{_libdir}/%{name}/modules
|
||||
%{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so
|
||||
%{_mandir}/man8/pam_sss.8*
|
||||
%{_mandir}/man8/pam_sss_gss.8*
|
||||
%{_mandir}/man8/sssd_krb5_locator_plugin.8*
|
||||
|
||||
%files -n libsss_sudo
|
||||
|
@ -862,6 +850,9 @@ done
|
|||
%{python3_sitelib}/SSSDConfig/*.py*
|
||||
%dir %{python3_sitelib}/SSSDConfig/__pycache__
|
||||
%{python3_sitelib}/SSSDConfig/__pycache__/*.py*
|
||||
%dir %{_datadir}/sssd
|
||||
%{_datadir}/sssd/sssd.api.conf
|
||||
%{_datadir}/sssd/sssd.api.d
|
||||
|
||||
%files -n python3-sss
|
||||
%{python3_sitearch}/pysss.so
|
||||
|
@ -935,6 +926,12 @@ done
|
|||
%{_mandir}/man8/sssd-kcm.8*
|
||||
%{_libdir}/%{name}/libsss_secrets.so
|
||||
|
||||
%if 0%{?rhel}
|
||||
%pre common
|
||||
getent group sssd >/dev/null || groupadd -r sssd
|
||||
getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd
|
||||
%endif
|
||||
|
||||
%post common
|
||||
%systemd_post sssd.service
|
||||
%systemd_post sssd-autofs.socket
|
||||
|
@ -957,18 +954,20 @@ done
|
|||
|
||||
%postun common
|
||||
%systemd_postun_with_restart sssd-autofs.socket
|
||||
%systemd_postun_with_restart sssd-autofs.service
|
||||
%systemd_postun_with_restart sssd-nss.socket
|
||||
%systemd_postun_with_restart sssd-nss.service
|
||||
%systemd_postun_with_restart sssd-pac.socket
|
||||
%systemd_postun_with_restart sssd-pac.service
|
||||
%systemd_postun_with_restart sssd-pam.socket
|
||||
%systemd_postun_with_restart sssd-pam-priv.socket
|
||||
%systemd_postun_with_restart sssd-pam.service
|
||||
%systemd_postun_with_restart sssd-ssh.socket
|
||||
%systemd_postun_with_restart sssd-ssh.service
|
||||
%systemd_postun_with_restart sssd-sudo.socket
|
||||
%systemd_postun_with_restart sssd-sudo.service
|
||||
|
||||
# Services have RefuseManualStart=true, therefore we can't request restart.
|
||||
%systemd_postun sssd-autofs.service
|
||||
%systemd_postun sssd-nss.service
|
||||
%systemd_postun sssd-pac.service
|
||||
%systemd_postun sssd-pam.service
|
||||
%systemd_postun sssd-ssh.service
|
||||
%systemd_postun sssd-sudo.service
|
||||
|
||||
%post dbus
|
||||
%systemd_post sssd-ifp.service
|
||||
|
@ -990,7 +989,6 @@ done
|
|||
%systemd_postun_with_restart sssd-kcm.service
|
||||
|
||||
%post client
|
||||
%{?ldconfig}
|
||||
/usr/sbin/alternatives --install /etc/cifs-utils/idmap-plugin cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so 20
|
||||
|
||||
%preun client
|
||||
|
@ -998,24 +996,44 @@ if [ $1 -eq 0 ] ; then
|
|||
/usr/sbin/alternatives --remove cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so
|
||||
fi
|
||||
|
||||
%ldconfig_postun client
|
||||
|
||||
%ldconfig_scriptlets -n libsss_sudo
|
||||
|
||||
%ldconfig_scriptlets -n libipa_hbac
|
||||
|
||||
%ldconfig_scriptlets -n libsss_idmap
|
||||
|
||||
%ldconfig_scriptlets -n libsss_nss_idmap
|
||||
|
||||
%ldconfig_scriptlets -n libsss_simpleifp
|
||||
|
||||
%ldconfig_scriptlets -n libsss_certmap
|
||||
|
||||
%posttrans common
|
||||
%systemd_postun_with_restart sssd.service
|
||||
|
||||
%changelog
|
||||
* Mon Aug 16 2021 Pavel Březina <pbrezina@redhat.com> - 2.5.1-2
|
||||
- Fix CVE-2021-3621
|
||||
|
||||
* Tue Jun 08 2021 Pavel Březina <pbrezina@redhat.com> - 2.5.1-1
|
||||
- Rebase to SSSD 2.5.1
|
||||
|
||||
* Wed May 19 2021 Pavel Březina <pbrezina@redhat.com> - 2.5.0-2
|
||||
- Fix regression in sssd-kcm when upgrading from 2.4.0 directly to 2.5.0
|
||||
- Return correct error code for unknown/unsupported operations in sssd-kcm
|
||||
|
||||
* Mon May 10 2021 Pavel Březina <pbrezina@redhat.com> - 2.5.0-1
|
||||
- Rebase to SSSD 2.5.0
|
||||
|
||||
* Fri Feb 19 2021 Pavel Březina <pbrezina@redhat.com> - 2.4.2-2
|
||||
- Remove setuid from child binaries and relax requirement on python3-sssdconfig
|
||||
|
||||
* Fri Feb 19 2021 Pavel Březina <pbrezina@redhat.com> - 2.4.2-1
|
||||
- Rebase to SSSD 2.4.2
|
||||
|
||||
* Fri Feb 5 2021 Pavel Březina <pbrezina@redhat.com> - 2.4.1-1
|
||||
- Rebase to SSSD 2.4.1
|
||||
|
||||
* Fri Dec 11 2020 Pavel Březina <pbrezina@redhat.com> - 2.4.0-4
|
||||
- Improve sssd-kcm performance, fix upgrade with existing credentials (rhbz#1645624)
|
||||
|
||||
* Mon Dec 7 2020 Pavel Březina <pbrezina@redhat.com> - 2.4.0-3
|
||||
- Improve sssd-kcm performance (rhbz#1645624)
|
||||
|
||||
* Mon Oct 12 2020 Pavel Březina <pbrezina@redhat.com> - 2.4.0-2
|
||||
- Remove old patches
|
||||
|
||||
* Mon Oct 12 2020 Pavel Březina <pbrezina@redhat.com> - 2.4.0-1
|
||||
- Rebase to SSSD 2.4.0
|
||||
|
||||
* Tue Jul 28 2020 Pavel Březina <pbrezina@redhat.com> - 2.3.1-4
|
||||
- Actually include 2.3.1 source
|
||||
|
||||