sssd-2.5.1-2: Fix CVE-2021-3621

Resolves: rhbz#1962006

.gitignore

@@ -88,3 +88,8 @@ sssd-1.2.91.tar.gz
 /sssd-2.2.3.tar.gz
 /sssd-2.3.0.tar.gz
 /sssd-2.3.1.tar.gz
+/sssd-2.4.0.tar.gz
+/sssd-2.4.1.tar.gz
+/sssd-2.4.2.tar.gz
+/sssd-2.5.0.tar.gz
+/sssd-2.5.1.tar.gz

0001-TOOLS-replace-system-with-execvp.patch

@@ -0,0 +1,277 @@
+From 5a9a2f53ff44b1bd25a6de7c4ba91c709b63b0ba Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Fri, 18 Jun 2021 13:17:19 +0200
+Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of
+ user supplied command
+
+A flaw was found in SSSD, where the sssctl command was vulnerable
+to shell command injection via the logs-fetch and cache-expire
+subcommands. This flaw allows an attacker to trick the root user
+into running a specially crafted sssctl command, such as via sudo,
+to gain root access. The highest threat from this vulnerability is
+to confidentiality, integrity, as well as system availability.
+
+:fixes: CVE-2021-3621
+---
+ src/tools/sssctl/sssctl.c      | 39 ++++++++++++++++-------
+ src/tools/sssctl/sssctl.h      |  2 +-
+ src/tools/sssctl/sssctl_data.c | 57 +++++++++++-----------------------
+ src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++----
+ 4 files changed, 73 insertions(+), 57 deletions(-)
+
+diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
+index 2997dbf968acdd0b9821f726414f8ae1cf34b5d8..8adaf30910e13ea9e7c8ab8b151920c4f307427b 100644
+--- a/src/tools/sssctl/sssctl.c
++++ b/src/tools/sssctl/sssctl.c
+@@ -97,22 +97,36 @@ sssctl_prompt(const char *message,
+     return SSSCTL_PROMPT_ERROR;
+ }
+ 
+-errno_t sssctl_run_command(const char *command)
++errno_t sssctl_run_command(const char *const argv[])
+ {
+     int ret;
++    int wstatus;
+ 
+-    DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command);
++    DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]);
+ 
+-    ret = system(command);
++    ret = fork();
+     if (ret == -1) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command);
+         ERROR("Error while executing external command\n");
+         return EFAULT;
+-    } else if (WEXITSTATUS(ret) != 0) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n",
+-              command, WEXITSTATUS(ret));
++    }
++
++    if (ret == 0) {
++        /* cast is safe - see
++        https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
++        "The statement about argv[] and envp[] being constants ... "
++        */
++        execvp(argv[0], discard_const_p(char * const, argv));
+         ERROR("Error while executing external command\n");
+-        return EIO;
++        _exit(1);
++    } else {
++        if (waitpid(ret, &wstatus, 0) == -1) {
++            ERROR("Error while executing external command '%s'\n", argv[0]);
++            return EFAULT;
++        } else if (WEXITSTATUS(wstatus) != 0) {
++            ERROR("Command '%s' failed with [%d]\n",
++                  argv[0], WEXITSTATUS(wstatus));
++            return EIO;
++        }
+     }
+ 
+     return EOK;
+@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action)
+ #elif defined(HAVE_SERVICE)
+     switch (action) {
+     case SSSCTL_SVC_START:
+-        return sssctl_run_command(SERVICE_PATH" sssd start");
++        return sssctl_run_command(
++                      (const char *[]){SERVICE_PATH, "sssd", "start", NULL});
+     case SSSCTL_SVC_STOP:
+-        return sssctl_run_command(SERVICE_PATH" sssd stop");
++        return sssctl_run_command(
++                      (const char *[]){SERVICE_PATH, "sssd", "stop", NULL});
+     case SSSCTL_SVC_RESTART:
+-        return sssctl_run_command(SERVICE_PATH" sssd restart");
++        return sssctl_run_command(
++                      (const char *[]){SERVICE_PATH, "sssd", "restart", NULL});
+     }
+ #endif
+ 
+diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h
+index 0115b2457c48bb0b8ad8ef8fd20d6fc81bdb58b4..599ef65196fcae6454cd5b46aa7a2cf6e7cbba73 100644
+--- a/src/tools/sssctl/sssctl.h
++++ b/src/tools/sssctl/sssctl.h
+@@ -47,7 +47,7 @@ enum sssctl_prompt_result
+ sssctl_prompt(const char *message,
+               enum sssctl_prompt_result defval);
+ 
+-errno_t sssctl_run_command(const char *command);
++errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */
+ bool sssctl_start_sssd(bool force);
+ bool sssctl_stop_sssd(bool force);
+ bool sssctl_restart_sssd(bool force);
+diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
+index 8d79b977fdb63fd6c6c925538230bb4ca74a103b..bf2291341668590f4c600237593ea1fd8fe4e4dc 100644
+--- a/src/tools/sssctl/sssctl_data.c
++++ b/src/tools/sssctl/sssctl_data.c
+@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force)
+         }
+     }
+ 
+-    ret = sssctl_run_command("sss_override user-export "
+-                             SSS_BACKUP_USER_OVERRIDES);
++    ret = sssctl_run_command((const char *[]){"sss_override", "user-export",
++                                              SSS_BACKUP_USER_OVERRIDES, NULL});
+     if (ret != EOK) {
+         ERROR("Unable to export user overrides\n");
+         return ret;
+     }
+ 
+-    ret = sssctl_run_command("sss_override group-export "
+-                             SSS_BACKUP_GROUP_OVERRIDES);
++    ret = sssctl_run_command((const char *[]){"sss_override", "group-export",
++                                              SSS_BACKUP_GROUP_OVERRIDES, NULL});
+     if (ret != EOK) {
+         ERROR("Unable to export group overrides\n");
+         return ret;
+@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
+     }
+ 
+     if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
+-        ret = sssctl_run_command("sss_override user-import "
+-                                 SSS_BACKUP_USER_OVERRIDES);
++        ret = sssctl_run_command((const char *[]){"sss_override", "user-import",
++                                                  SSS_BACKUP_USER_OVERRIDES, NULL});
+         if (ret != EOK) {
+             ERROR("Unable to import user overrides\n");
+             return ret;
+@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
+     }
+ 
+     if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
+-        ret = sssctl_run_command("sss_override group-import "
+-                                 SSS_BACKUP_GROUP_OVERRIDES);
++        ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
++                                                  SSS_BACKUP_GROUP_OVERRIDES, NULL});
+         if (ret != EOK) {
+             ERROR("Unable to import group overrides\n");
+             return ret;
+@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline,
+                             void *pvt)
+ {
+     errno_t ret;
+-    char *cmd_args = NULL;
+-    const char *cachecmd = SSS_CACHE;
+-    char *cmd = NULL;
+-    int i;
+ 
+-    if (cmdline->argc == 0) {
+-        ret = sssctl_run_command(cachecmd);
+-        goto done;
++    const char **args = talloc_array_size(tool_ctx,
++                                          sizeof(char *),
++                                          cmdline->argc + 2);
++    if (!args) {
++        return ENOMEM;
+     }
++    memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc);
++    args[0] = SSS_CACHE;
++    args[cmdline->argc + 1] = NULL;
+ 
+-    cmd_args = talloc_strdup(tool_ctx, "");
+-    if (cmd_args == NULL) {
+-        ret = ENOMEM;
+-        goto done;
+-    }
+-
+-    for (i = 0; i < cmdline->argc; i++) {
+-        cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]);
+-        if (i != cmdline->argc - 1) {
+-            cmd_args = talloc_strdup_append(cmd_args, " ");
+-        }
+-    }
+-
+-    cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args);
+-    if (cmd == NULL) {
+-        ret = ENOMEM;
+-        goto done;
+-    }
+-
+-    ret = sssctl_run_command(cmd);
+-
+-done:
+-    talloc_free(cmd_args);
+-    talloc_free(cmd);
++    ret = sssctl_run_command(args);
+ 
++    talloc_free(args);
+     return ret;
+ }
+diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
+index 9ff2be05b61108414462d6e17a2c4c4887907a59..ebb2c4571caec487d29ff2d5ceaee1561e845506 100644
+--- a/src/tools/sssctl/sssctl_logs.c
++++ b/src/tools/sssctl/sssctl_logs.c
+@@ -31,6 +31,7 @@
+ #include <ldb.h>
+ #include <popt.h>
+ #include <stdio.h>
++#include <glob.h>
+ 
+ #include "util/util.h"
+ #include "tools/common/sss_process.h"
+@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
+ {
+     struct sssctl_logs_opts opts = {0};
+     errno_t ret;
++    glob_t globbuf;
+ 
+     /* Parse command line. */
+     struct poptOption options[] = {
+@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
+ 
+         sss_signal(SIGHUP);
+     } else {
++        globbuf.gl_offs = 4;
++        ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
++        if (ret != 0) {
++            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
++            return ret;
++        }
++        globbuf.gl_pathv[0] = discard_const_p(char, "truncate");
++        globbuf.gl_pathv[1] = discard_const_p(char, "--no-create");
++        globbuf.gl_pathv[2] = discard_const_p(char, "--size");
++        globbuf.gl_pathv[3] = discard_const_p(char, "0");
++
+         PRINT("Truncating log files...\n");
+-        ret = sssctl_run_command("truncate --no-create --size 0 " LOG_FILES);
++        ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
++        globfree(&globbuf);
+         if (ret != EOK) {
+             ERROR("Unable to truncate log files\n");
+             return ret;
+@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
+                           void *pvt)
+ {
+     const char *file;
+-    const char *cmd;
+     errno_t ret;
++    glob_t globbuf;
+ 
+     /* Parse command line. */
+     ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL,
+@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
+         return ret;
+     }
+ 
+-    cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES);
+-    if (cmd == NULL) {
+-        ERROR("Out of memory!");
++    globbuf.gl_offs = 3;
++    ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
++    if (ret != 0) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
++        return ret;
+     }
++    globbuf.gl_pathv[0] = discard_const_p(char, "tar");
++    globbuf.gl_pathv[1] = discard_const_p(char, "-czf");
++    globbuf.gl_pathv[2] = discard_const_p(char, file);
+ 
+     PRINT("Archiving log files into %s...\n", file);
+-    ret = sssctl_run_command(cmd);
++    ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
++    globfree(&globbuf);
+     if (ret != EOK) {
+         ERROR("Unable to archive log files\n");
+         return ret;
+-- 
+2.31.1
+

0002-DEBUG-TESTS-Fix-warnings-format-not-a-string-literal.patch

@@ -1,293 +0,0 @@
-From cb9ad222358a84e2b2ea148c2950c2389f81de2c Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik <lslebodn@redhat.com>
-Date: Mon, 27 Jul 2020 04:01:19 +0000
-Subject: [PATCH] DEBUG-TESTS: Fix warnings format not a string literal and no
- format arguments
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-e.g.
-src/tests/resolv-tests.c: In function ‘test_timeout’:
-src/tests/resolv-tests.c:942:5: error: format not a string literal and no format arguments [-Werror=format-security]
-  942 |     ck_leaks_pop(tmp_ctx);
-      |
-
-src/tests/debug-tests.c:413:9: error: format not a string literal and no format arguments [-Werror=format-security]
-  413 |         fail_if(result == DEBUG_TEST_NOK_TS, msg);
-      |         ^~~~~~~
-
-src/tests/debug-tests.c: In function ‘test_debug_is_notset_timestamp_microseconds_fn’:
-src/tests/debug-tests.c:603:13: error: format not a string literal and no format arguments [-Werror=format-security]
-  603 |             fail(error_msg);
-      |
-
-src/tests/debug-tests.c: In function ‘test_debug_is_set_false_fn’:
-src/tests/debug-tests.c:671:9: error: format not a string literal and no format arguments [-Werror=format-security]
-  671 |         fail_unless(result == 0, msg);
-      |
----
- src/tests/common_check.h |   2 +-
- src/tests/debug-tests.c  | 128 +++++++++++++++------------------------
- 2 files changed, 49 insertions(+), 81 deletions(-)
-
-diff --git a/src/tests/common_check.h b/src/tests/common_check.h
-index 51c3c3f49..ac92d0a74 100644
---- a/src/tests/common_check.h
-+++ b/src/tests/common_check.h
-@@ -31,6 +31,6 @@ void ck_leak_check_setup(void);
- void ck_leak_check_teardown(void);
- 
- #define ck_leaks_push(ctx) check_leaks_push(ctx)
--#define ck_leaks_pop(ctx) fail_unless(check_leaks_pop(ctx) == true, check_leaks_err_msg())
-+#define ck_leaks_pop(ctx) fail_unless(check_leaks_pop(ctx) == true, "%s", check_leaks_err_msg())
- 
- #endif /* __TESTS_COMMON_CHECK_H__ */
-diff --git a/src/tests/debug-tests.c b/src/tests/debug-tests.c
-index 1e78f506e..092ccf684 100644
---- a/src/tests/debug-tests.c
-+++ b/src/tests/debug-tests.c
-@@ -55,10 +55,8 @@ START_TEST(test_debug_convert_old_level_old_format)
-     for (old_level = 0; old_level < N_ELEMENTS(levels); old_level++) {
-         expected_level |= levels[old_level];
- 
--        char *msg = NULL;
--        msg = talloc_asprintf(NULL, "Invalid conversion of %d", old_level);
--        fail_unless(debug_convert_old_level(old_level) == expected_level, msg);
--        talloc_free(msg);
-+        fail_unless(debug_convert_old_level(old_level) == expected_level,
-+                    "Invalid conversion of %d", old_level);
-     }
- }
- END_TEST
-@@ -343,7 +341,6 @@ START_TEST(test_debug_is_set_single_no_timestamp)
-         SSSDBG_TRACE_ALL,
-         SSSDBG_TRACE_LDB
-     };
--    char *error_msg;
- 
-     debug_timestamps = 0;
-     debug_microseconds = 0;
-@@ -357,15 +354,13 @@ START_TEST(test_debug_is_set_single_no_timestamp)
-         errno = 0;
-         result = test_helper_debug_check_message(levels[i]);
- 
--        if (result == DEBUG_TEST_ERROR) {
--            error_msg = strerror(errno);
--            fail(error_msg);
--        }
-+        fail_if(result == DEBUG_TEST_ERROR,
-+                "Expecting DEBUG_TEST_ERROR, got: %d, error: %s",
-+                result, strerror(errno));
- 
--        char *msg = NULL;
--        msg = talloc_asprintf(NULL, "Test of level %#.4x failed - message don't match", levels[i]);
--        fail_unless(result == EOK, msg);
--        talloc_free(msg);
-+        fail_unless(result == EOK,
-+                    "Test of level %#.4x failed - message don't match",
-+                    levels[i]);
-     }
- }
- END_TEST
-@@ -387,7 +382,6 @@ START_TEST(test_debug_is_set_single_timestamp)
-         SSSDBG_TRACE_ALL,
-         SSSDBG_TRACE_LDB
-     };
--    char *error_msg;
- 
-     debug_timestamps = 1;
-     debug_microseconds = 0;
-@@ -402,20 +396,16 @@ START_TEST(test_debug_is_set_single_timestamp)
-         errno = 0;
-         result = test_helper_debug_check_message(levels[i]);
- 
--        if (result == DEBUG_TEST_ERROR) {
--            error_msg = strerror(errno);
--            fail(error_msg);
--        }
--
--        char *msg = NULL;
-+        fail_if(result == DEBUG_TEST_ERROR,
-+                "Expecting DEBUG_TEST_ERROR, got: %d, error: %s",
-+                result, strerror(errno));
- 
--        msg = talloc_asprintf(NULL, "Test of level %#.4x failed - invalid timestamp", levels[i]);
--        fail_if(result == DEBUG_TEST_NOK_TS, msg);
--        talloc_free(msg);
-+        fail_if(result == DEBUG_TEST_NOK_TS,
-+                "Test of level %#.4x failed - invalid timestamp", levels[i]);
- 
--        msg = talloc_asprintf(NULL, "Test of level %#.4x failed - message don't match", levels[i]);
--        fail_unless(result == EOK, msg);
--        talloc_free(msg);
-+        fail_unless(result == EOK,
-+                    "Test of level %#.4x failed - message don't match",
-+                    levels[i]);
-     }
- }
- END_TEST
-@@ -437,7 +427,6 @@ START_TEST(test_debug_is_set_single_timestamp_microseconds)
-         SSSDBG_TRACE_ALL,
-         SSSDBG_TRACE_LDB
-     };
--    char *error_msg;
- 
-     debug_timestamps = 1;
-     debug_microseconds = 1;
-@@ -452,20 +441,16 @@ START_TEST(test_debug_is_set_single_timestamp_microseconds)
-         errno = 0;
-         result = test_helper_debug_check_message(levels[i]);
- 
--        if (result == DEBUG_TEST_ERROR) {
--            error_msg = strerror(errno);
--            fail(error_msg);
--        }
--
--        char *msg = NULL;
-+        fail_if(result == DEBUG_TEST_ERROR,
-+                "Expecting DEBUG_TEST_ERROR, got: %d, error: %s",
-+                result, strerror(errno));
- 
--        msg = talloc_asprintf(NULL, "Test of level %#.4x failed - invalid timestamp", levels[i]);
--        fail_if(result == DEBUG_TEST_NOK_TS, msg);
--        talloc_free(msg);
-+        fail_if(result == DEBUG_TEST_NOK_TS,
-+                "Test of level %#.4x failed - invalid timestamp", levels[i]);
- 
--        msg = talloc_asprintf(NULL, "Test of level %#.4x failed - message don't match", levels[i]);
--        fail_unless(result == EOK, msg);
--        talloc_free(msg);
-+        fail_unless(result == EOK,
-+                    "Test of level %#.4x failed - message don't match",
-+                    levels[i]);
-     }
- }
- END_TEST
-@@ -488,7 +473,6 @@ START_TEST(test_debug_is_notset_no_timestamp)
-         SSSDBG_TRACE_ALL,
-         SSSDBG_TRACE_LDB
-     };
--    char *error_msg;
- 
-     debug_timestamps = 0;
-     debug_microseconds = 0;
-@@ -503,17 +487,13 @@ START_TEST(test_debug_is_notset_no_timestamp)
-         errno = 0;
-         result = test_helper_debug_is_empty_message(levels[i]);
- 
--        if (result == DEBUG_TEST_ERROR) {
--            error_msg = strerror(errno);
--            fail(error_msg);
--        }
-+        fail_if(result == DEBUG_TEST_ERROR,
-+                "Expecting DEBUG_TEST_ERROR, got: %d, error: %s",
-+                result, strerror(errno));
- 
--        char *msg = NULL;
--        msg = talloc_asprintf(NULL,
--                              "Test of level %#.4x failed - message has been written",
--                              levels[i]);
--        fail_unless(result == EOK, msg);
--        talloc_free(msg);
-+        fail_unless(result == EOK,
-+                    "Test of level %#.4x failed - message has been written",
-+                    levels[i]);
-     }
- }
- END_TEST
-@@ -536,7 +516,6 @@ START_TEST(test_debug_is_notset_timestamp)
-         SSSDBG_TRACE_ALL,
-         SSSDBG_TRACE_LDB
-     };
--    char *error_msg;
- 
-     debug_timestamps = 0;
-     debug_microseconds = 0;
-@@ -551,17 +530,13 @@ START_TEST(test_debug_is_notset_timestamp)
-         errno = 0;
-         result = test_helper_debug_is_empty_message(levels[i]);
- 
--        if (result == DEBUG_TEST_ERROR) {
--            error_msg = strerror(errno);
--            fail(error_msg);
--        }
-+        fail_if(result == DEBUG_TEST_ERROR,
-+                "Expecting DEBUG_TEST_ERROR, got: %d, error: %s",
-+                result, strerror(errno));
- 
--        char *msg = NULL;
--        msg = talloc_asprintf(NULL,
--                        "Test of level %#.4x failed - message has been written",
--                        levels[i]);
--        fail_unless(result == EOK, msg);
--        talloc_free(msg);
-+        fail_unless(result == EOK,
-+                    "Test of level %#.4x failed - message has been written",
-+                    levels[i]);
-     }
- }
- END_TEST
-@@ -584,7 +559,6 @@ START_TEST(test_debug_is_notset_timestamp_microseconds)
-         SSSDBG_TRACE_ALL,
-         SSSDBG_TRACE_LDB
-     };
--    char *error_msg;
- 
-     debug_timestamps = 0;
-     debug_microseconds = 1;
-@@ -598,17 +572,13 @@ START_TEST(test_debug_is_notset_timestamp_microseconds)
-         errno = 0;
-         result = test_helper_debug_is_empty_message(levels[i]);
- 
--        if (result == DEBUG_TEST_ERROR) {
--            error_msg = strerror(errno);
--            fail(error_msg);
--        }
-+        fail_if(result == DEBUG_TEST_ERROR,
-+                "Expecting DEBUG_TEST_ERROR, got: %d, error: %s",
-+                result, strerror(errno));
- 
--        char *msg = NULL;
--        msg = talloc_asprintf(NULL,
--                        "Test of level %#.4x failed - message has been written",
--                        levels[i]);
--        fail_unless(result == EOK, msg);
--        talloc_free(msg);
-+        fail_unless(result == EOK,
-+                    "Test of level %#.4x failed - message has been written",
-+                    levels[i]);
-     }
- }
- END_TEST
-@@ -635,10 +605,9 @@ START_TEST(test_debug_is_set_true)
- 
-     for (i = 0; i < N_ELEMENTS(levels); i++) {
-         result = DEBUG_IS_SET(levels[i]);
--        char *msg = NULL;
--        msg = talloc_asprintf(NULL, "Test of level %#.4x failed - result is 0x%.4x", levels[i], result);
--        fail_unless(result > 0, msg);
--        talloc_free(msg);
-+        fail_unless(result > 0,
-+                    "Test of level %#.4x failed - result is 0x%.4x",
-+                    levels[i], result);
-     }
- }
- END_TEST
-@@ -666,10 +635,9 @@ START_TEST(test_debug_is_set_false)
-         debug_level = all_set & ~levels[i];
- 
-         result = DEBUG_IS_SET(levels[i]);
--        char *msg = NULL;
--        msg = talloc_asprintf(NULL, "Test of level %#.4x failed - result is 0x%.4x", levels[i], result);
--        fail_unless(result == 0, msg);
--        talloc_free(msg);
-+        fail_unless(result == 0,
-+                    "Test of level %#.4x failed - result is 0x%.4x",
-+                    levels[i], result);
-     }
- }
- END_TEST
--- 
-2.28.0.rc2
-

0502-SYSTEMD-Use-capabilities.patch

@@ -1,25 +0,0 @@
-From 565ef3ffcaaef69a768b6a341777c339217bbbab Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik <lslebodn@fedoraproject.org>
-Date: Mon, 12 Dec 2016 21:56:16 +0100
-Subject: [PATCH] SYSTEMD: Use capabilities
-
-copied from selinux policy
----
- src/sysv/systemd/sssd.service.in | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
-index 0c515d34caaa3ea397c4c7e95eef0188df170840..252889dbb2b7b1e651966258e7b76eab38357e76 100644
---- a/src/sysv/systemd/sssd.service.in
-+++ b/src/sysv/systemd/sssd.service.in
-@@ -11,6 +11,7 @@ ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
- Type=notify
- NotifyAccess=main
- PIDFile=@pidpath@/sssd.pid
-+CapabilityBoundingSet=CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_FOWNER CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND
- Restart=on-failure
- 
- [Install]
--- 
-2.15.1
-

sources

@@ -1 +1 @@
-SHA512 (sssd-2.3.1.tar.gz) = 6aeb52d5222c5992d581296996749327bcaf276e4eb4413a6a32ea6529343432cfe413006aca4245c19b38b515be1c4c2ef88a157c617d889274179253355bc6
+SHA512 (sssd-2.5.1.tar.gz) = 7441df3b5f1cc1eadb0c6853b048d780ecb36761876aaeb26b9a2d87729211d3ceeae01085dc3ec4fd1c5328f951c8abe854b1d01d91fae25466f930fe16e44a

sssd.spec

@@ -1,56 +1,51 @@
-%global rhel7_minor %(%{__grep} -o "7.[0-9]*" /etc/redhat-release |%{__sed} -s 's/7.//')
+# SSSD SPEC file for Fedora 34+ and RHEL-9+
+
+# define SSSD user
+%if 0%{?rhel}
+%global sssd_user sssd
+%else
+%global sssd_user root
+%endif
+
+# Set setuid bit on child helpers if we support non-root user.
+%if "%{sssd_user}" == "root"
+%global child_attrs 0750
+%else
+%global child_attrs 4750
+%endif
 
 # we don't want to provide private python extension libs
 %define __provides_exclude_from %{python3_sitearch}/.*\.so$
 
-# SSSD fails to build with -Wl,-z,defs
-%undefine _strict_symbol_defs_build
-
 %define _hardened_build 1
 
-    %global enable_polkit_rules_option --disable-polkit-rules-path
-
 # Determine the location of the LDB modules directory
 %global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
 %global ldb_version 1.2.0
 
-    %global with_cifs_utils_plugin 1
-
-%global enable_systemtap 1
-    %global enable_systemtap_opt --enable-systemtap
-
-    %global with_kcm 1
-
-    %global with_gdm_pam_extensions 1
-
-%if (0%{?fedora} > 28) || (0%{?rhel} > 7)
-    %global use_openssl 1
-%endif
+%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
 
 Name: sssd
-Version: 2.3.1
-Release: 4%{?dist}
+Version: 2.5.1
+Release: 2%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://github.com/SSSD/sssd/
-Source0: https://github.com/SSSD/sssd/releases/download/sssd-2_3_1/sssd-2.3.1.tar.gz
+Source0: https://github.com/SSSD/sssd/releases/download/2.5.1/sssd-2.5.1.tar.gz
 
 ### Patches ###
-Patch0001: 0001-fix-compilation-with-check-0.15.1.patch
-Patch0002: 0002-DEBUG-TESTS-Fix-warnings-format-not-a-string-literal.patch
-
-### Downstream only patches ###
-Patch0502: 0502-SYSTEMD-Use-capabilities.patch
 
+Patch0001: 0001-TOOLS-replace-system-with-execvp.patch
 
 ### Dependencies ###
 
-Requires: sssd-common = %{version}-%{release}
-Requires: sssd-ldap = %{version}-%{release}
-Requires: sssd-krb5 = %{version}-%{release}
-Requires: sssd-ipa = %{version}-%{release}
 Requires: sssd-ad = %{version}-%{release}
+Requires: sssd-common = %{version}-%{release}
+Requires: sssd-ipa = %{version}-%{release}
+Requires: sssd-krb5 = %{version}-%{release}
+Requires: sssd-ldap = %{version}-%{release}
 Recommends: sssd-proxy = %{version}-%{release}
+Recommends: logrotate
 Suggests: python3-sssdconfig = %{version}-%{release}
 Suggests: sssd-dbus = %{version}-%{release}
 
@@ -67,89 +62,80 @@ Suggests: sssd-dbus = %{version}-%{release}
 
 ### Build Dependencies ###
 
-BuildRequires: make
 BuildRequires: autoconf
 BuildRequires: automake
-BuildRequires: libtool
-BuildRequires: m4
-BuildRequires: gcc
-BuildRequires: popt-devel
-BuildRequires: libtalloc-devel
-BuildRequires: libtevent-devel
-BuildRequires: libtdb-devel
-BuildRequires: libldb-devel >= %{ldb_version}
-BuildRequires: libdhash-devel >= 0.4.2
-BuildRequires: libcollection-devel
-BuildRequires: libini_config-devel >= 1.1
-BuildRequires: dbus-devel
-BuildRequires: dbus-libs
-BuildRequires: openldap-devel
-BuildRequires: pam-devel
-BuildRequires: nss-devel
-BuildRequires: nspr-devel
-BuildRequires: pcre-devel
-BuildRequires: libxslt
-BuildRequires: libxml2
-BuildRequires: docbook-style-xsl
-BuildRequires: krb5-devel
+BuildRequires: bind-utils
 BuildRequires: c-ares-devel
-BuildRequires: python3-devel
 BuildRequires: check-devel
+BuildRequires: cifs-utils-devel
+BuildRequires: dbus-devel
+BuildRequires: docbook-style-xsl
 BuildRequires: doxygen
+BuildRequires: findutils
+BuildRequires: gcc
+BuildRequires: gdm-pam-extensions-devel
+BuildRequires: gettext-devel
+BuildRequires: glib2-devel
+# required for p11_child smartcard tests
+BuildRequires: gnutls-utils
+BuildRequires: jansson-devel
+BuildRequires: keyutils-libs-devel
+BuildRequires: krb5-devel
+BuildRequires: libcmocka-devel >= 1.0.0
+BuildRequires: libdhash-devel >= 0.4.2
+BuildRequires: libini_config-devel >= 1.1
+BuildRequires: libldb-devel >= %{ldb_version}
+BuildRequires: libnfsidmap-devel
+BuildRequires: libnl3-devel
 BuildRequires: libselinux-devel
 BuildRequires: libsemanage-devel
-BuildRequires: bind-utils
-BuildRequires: keyutils-libs-devel
-BuildRequires: gettext-devel
-BuildRequires: pkgconfig
-BuildRequires: diffstat
-BuildRequires: findutils
-BuildRequires: glib2-devel
-BuildRequires: selinux-policy-targeted
-BuildRequires: libcmocka-devel >= 1.0.0
-BuildRequires: uid_wrapper
-BuildRequires: nss_wrapper
-BuildRequires: pam_wrapper
-BuildRequires: libnl3-devel
-BuildRequires: systemd-devel
-BuildRequires: systemd
-BuildRequires: cifs-utils-devel
-BuildRequires: libnfsidmap-devel
-BuildRequires: samba4-devel
 BuildRequires: libsmbclient-devel
-BuildRequires: samba-winbind
-BuildRequires: systemtap-sdt-devel
-BuildRequires: http-parser-devel
+BuildRequires: libtalloc-devel
+BuildRequires: libtdb-devel
+BuildRequires: libtevent-devel
+BuildRequires: libtool
 BuildRequires: libuuid-devel
-BuildRequires: jansson-devel
-BuildRequires: libcurl-devel
-BuildRequires: gdm-pam-extensions-devel
-%if (0%{?use_openssl} == 1)
-BuildRequires: p11-kit-devel
-BuildRequires: openssl-devel
-BuildRequires: gnutls-utils
-BuildRequires: softhsm >= 2.1.0
-%endif
-BuildRequires: openssl
+BuildRequires: libxml2
+BuildRequires: libxslt
+BuildRequires: m4
+BuildRequires: make
+BuildRequires: nss_wrapper
+BuildRequires: openldap-devel
 BuildRequires: openssh
-BuildRequires: nss-tools
+# required for p11_child smartcard tests
+BuildRequires: openssl
+BuildRequires: openssl-devel
+BuildRequires: p11-kit-devel
+BuildRequires: pam_wrapper
+BuildRequires: pam-devel
+BuildRequires: pcre2-devel
+BuildRequires: pkgconfig
+BuildRequires: popt-devel
+BuildRequires: python3-devel
+BuildRequires: samba-devel
+# required for idmap_sss.so
+BuildRequires: samba-winbind
+BuildRequires: selinux-policy-targeted
+# required for p11_child smartcard tests
+BuildRequires: softhsm >= 2.1.0
+BuildRequires: systemd-devel
+BuildRequires: systemtap-sdt-devel
+BuildRequires: uid_wrapper
+BuildRequires: po4a
 
 %description
 Provides a set of daemons to manage access to remote directories and
 authentication mechanisms. It provides an NSS and PAM interface toward
-the system and a plug-gable back-end system to connect to multiple different
+the system and a pluggable back end system to connect to multiple different
 account sources. It is also the basis to provide client auditing and policy
 services for projects like FreeIPA.
 
-The sssd sub-package is a meta-package that contains the daemon as well as all
+The sssd subpackage is a meta-package that contains the daemon as well as all
 the existing back ends.
 
 %package common
 Summary: Common files for the SSSD
 License: GPLv3+
-# Conflicts
-Conflicts: selinux-policy < 3.10.0-46
-Conflicts: sssd < 1.10.0-8%{?dist}.beta2
 # Requires
 # due to ABI changes in 1.1.30/1.2.0
 Requires: libldb >= %{ldb_version}
@@ -158,6 +144,10 @@ Recommends: libsss_sudo = %{version}-%{release}
 Recommends: libsss_autofs%{?_isa} = %{version}-%{release}
 Recommends: sssd-nfs-idmap = %{version}-%{release}
 Requires: libsss_idmap = %{version}-%{release}
+Requires: libsss_certmap = %{version}-%{release}
+%if 0%{?rhel}
+Requires(pre): shadow-utils
+%endif
 %{?systemd_requires}
 
 ### Provides ###
@@ -167,12 +157,13 @@ Obsoletes: libsss_sudo-devel <= 1.10.0-7%{?dist}.beta1
 %description common
 Common files for the SSSD. The common package includes all the files needed
 to run a particular back end, however, the back ends are packaged in separate
-sub-packages such as sssd-ldap.
+subpackages such as sssd-ldap.
 
 %package client
 Summary: SSSD Client libraries for NSS and PAM
 License: LGPLv3+
-Requires(post): /sbin/ldconfig
+Requires: libsss_nss_idmap = %{version}-%{release}
+Requires: libsss_idmap = %{version}-%{release}
 Requires(post):  /usr/sbin/alternatives
 Requires(preun): /usr/sbin/alternatives
 
@@ -203,6 +194,7 @@ Requires: sssd-common = %{version}-%{release}
 # required by sss_obfuscate
 Requires: python3-sss = %{version}-%{release}
 Requires: python3-sssdconfig = %{version}-%{release}
+Requires: libsss_certmap = %{version}-%{release}
 Recommends: sssd-dbus
 
 %description tools
@@ -249,9 +241,10 @@ Provides python3 module for calculating the murmur hash version 3
 %package ldap
 Summary: The LDAP back end of the SSSD
 License: GPLv3+
-Conflicts: sssd < 1.10.0-8.beta2
 Requires: sssd-common = %{version}-%{release}
 Requires: sssd-krb5-common = %{version}-%{release}
+Requires: libsss_idmap = %{version}-%{release}
+Requires: libsss_certmap = %{version}-%{release}
 
 %description ldap
 Provides the LDAP back end that the SSSD can utilize to fetch identity data
@@ -260,7 +253,6 @@ from and authenticate against an LDAP server.
 %package krb5-common
 Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
 License: GPLv3+
-Conflicts: sssd < 1.10.0-8.beta2
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: sssd-common = %{version}-%{release}
 
@@ -271,7 +263,6 @@ Kerberos user or host authentication.
 %package krb5
 Summary: The Kerberos authentication back end for the SSSD
 License: GPLv3+
-Conflicts: sssd < 1.10.0-8.beta2
 Requires: sssd-common = %{version}-%{release}
 Requires: sssd-krb5-common = %{version}-%{release}
 
@@ -283,6 +274,7 @@ against a Kerberos server.
 Summary: Common files needed for supporting PAC processing
 License: GPLv3+
 Requires: sssd-common = %{version}-%{release}
+Requires: libsss_idmap = %{version}-%{release}
 
 %description common-pac
 Provides common files needed by SSSD providers such as IPA and Active Directory
@@ -291,12 +283,14 @@ for handling Kerberos PACs.
 %package ipa
 Summary: The IPA back end of the SSSD
 License: GPLv3+
-Conflicts: sssd < 1.10.0-8.beta2
+Requires: samba-client-libs >= %{samba_package_version}
 Requires: sssd-common = %{version}-%{release}
 Requires: sssd-krb5-common = %{version}-%{release}
 Requires: libipa_hbac%{?_isa} = %{version}-%{release}
+Requires: libsss_certmap = %{version}-%{release}
 Recommends: bind-utils
 Requires: sssd-common-pac = %{version}-%{release}
+Requires: libsss_idmap = %{version}-%{release}
 
 %description ipa
 Provides the IPA back end that the SSSD can utilize to fetch identity data
@@ -305,10 +299,12 @@ from and authenticate against an IPA server.
 %package ad
 Summary: The AD back end of the SSSD
 License: GPLv3+
-Conflicts: sssd < 1.10.0-8.beta2
+Requires: samba-client-libs >= %{samba_package_version}
 Requires: sssd-common = %{version}-%{release}
 Requires: sssd-krb5-common = %{version}-%{release}
 Requires: sssd-common-pac = %{version}-%{release}
+Requires: libsss_idmap = %{version}-%{release}
+Requires: libsss_certmap = %{version}-%{release}
 Recommends: bind-utils
 Recommends: adcli
 Suggests: sssd-winbind-idmap = %{version}-%{release}
@@ -320,7 +316,6 @@ identity data from and authenticate against an Active Directory server.
 %package proxy
 Summary: The proxy back end of the SSSD
 License: GPLv3+
-Conflicts: sssd < 1.10.0-8.beta2
 Requires: sssd-common = %{version}-%{release}
 
 %description proxy
@@ -402,6 +397,19 @@ Requires: sssd-common = %{version}-%{release}
 Provides the D-Bus responder of the SSSD, called the InfoPipe, that allows
 the information from the SSSD to be transmitted over the system bus.
 
+%if 0%{?rhel}
+%package polkit-rules
+Summary: Rules for polkit integration for SSSD
+Group: Applications/System
+License: GPLv3+
+Requires: polkit >= 0.106
+Requires: sssd-common = %{version}-%{release}
+
+%description polkit-rules
+Provides rules for polkit integration with SSSD. This is required
+for smartcard support.
+%endif
+
 %package -n libsss_simpleifp
 Summary: The SSSD D-Bus responder helper library
 License: GPLv3+
@@ -422,6 +430,8 @@ Provides library that simplifies D-Bus API for the SSSD InfoPipe responder.
 %package winbind-idmap
 Summary: SSSD's idmap_sss Backend for Winbind
 License: GPLv3+ and LGPLv3+
+Requires: libsss_nss_idmap = %{version}-%{release}
+Requires: libsss_idmap = %{version}-%{release}
 Conflicts: sssd-common < %{version}-%{release}
 
 %description winbind-idmap
@@ -465,62 +475,38 @@ An implementation of a Kerberos KCM server. Use this package if you want to
 use the KCM: Kerberos credentials cache.
 
 %prep
-# Update timestamps on the files touched by a patch, to avoid non-equal
-# .pyc/.pyo files across the multilib peers within a build, where "Level"
-# is the patch prefix option (e.g. -p1)
-# Taken from specfile for python-simplejson
-UpdateTimestamps() {
-  Level=$1
-  PatchFile=$2
-
-  # Locate the affected files:
-  for f in $(diffstat $Level -l $PatchFile); do
-    # Set the files to have the same timestamp as that of the patch:
-    touch -r $PatchFile $f
-  done
-}
-
-%setup -q
-
-for p in %patches ; do
-    %__patch -p1 -i $p
-    UpdateTimestamps -p1 $p
-done
+%autosetup -p1
 
 %build
-# This package uses -Wl,-wrap to wrap calls at link time.  This is incompatible
-# with LTO.
-# Disable LTO
-%define _lto_cflags %{nil}
 
 autoreconf -ivf
 
 %configure \
-    --with-test-dir=/dev/shm \
-    --with-db-path=%{dbpath} \
-    --with-mcache-path=%{mcpath} \
-    --with-pipe-path=%{pipepath} \
-    --with-pubconf-path=%{pubconfpath} \
-    --with-gpo-cache-path=%{gpocachepath} \
-    --with-init-dir=%{_initrddir} \
-    --with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \
-    --with-pid-path=%{_rundir} \
+    --disable-rpath \
+    --disable-static \
+    --enable-gss-spnego-for-zero-maxssf \
+    --enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \
     --enable-nsslibdir=%{_libdir} \
     --enable-pammoddir=%{_libdir}/security \
-    --enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \
-    --disable-static \
-    --disable-rpath \
-    --with-initscript=systemd \
-    --with-syslog=journald \
-    --without-python2-bindings \
-%if (0%{?use_openssl} == 1)
-    --with-crypto=libcrypto \
-%endif
     --enable-sss-default-nss-plugin \
+    --enable-systemtap \
+    --with-db-path=%{dbpath} \
+    --with-gpo-cache-path=%{gpocachepath} \
+    --with-init-dir=%{_initrddir} \
+    --with-initscript=systemd \
+    --with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \
+    --with-mcache-path=%{mcpath} \
+    --with-pid-path=%{_rundir} \
+    --with-pipe-path=%{pipepath} \
+    --with-pubconf-path=%{pubconfpath} \
+    --with-sssd-user=%{sssd_user} \
+    --with-syslog=journald \
+    --with-test-dir=/dev/shm \
+%if 0%{?fedora}
     --enable-files-domain \
-    --enable-gss-spnego-for-zero-maxssf \
-    %{?with_cifs_utils_plugin_option} \
-    %{?enable_systemtap_opt}
+    --disable-polkit-rules-path \
+%endif
+    %{nil}
 
 %make_build all docs runstatedir=%{_rundir}
 
@@ -710,36 +696,32 @@ done
 
 %dir %{sssdstatedir}
 %dir %{_localstatedir}/cache/krb5rcache
-%attr(700,root,root) %dir %{dbpath}
-%attr(775,root,root) %dir %{mcpath}
+%attr(700,%{sssd_user},%{sssd_user}) %dir %{dbpath}
+%attr(775,%{sssd_user},%{sssd_user}) %dir %{mcpath}
 %attr(700,root,root) %dir %{secdbpath}
 %attr(751,root,root) %dir %{deskprofilepath}
-%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/passwd
-%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/group
-%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/initgroups
-%attr(755,root,root) %dir %{pipepath}
-%attr(700,root,root) %dir %{pipepath}/private
-%attr(755,root,root) %dir %{pubconfpath}
-%attr(755,root,root) %dir %{gpocachepath}
-%attr(750,root,root) %dir %{_var}/log/%{name}
-%attr(700,root,root) %dir %{_sysconfdir}/sssd
-%attr(711,root,root) %dir %{_sysconfdir}/sssd/conf.d
-%if (0%{?use_openssl} == 1)
+%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/passwd
+%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/group
+%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/initgroups
+%attr(755,%{sssd_user},%{sssd_user}) %dir %{pipepath}
+%attr(750,%{sssd_user},root) %dir %{pipepath}/private
+%attr(755,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}
+%attr(755,%{sssd_user},%{sssd_user}) %dir %{gpocachepath}
+%attr(750,%{sssd_user},%{sssd_user}) %dir %{_var}/log/%{name}
+%attr(700,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd
+%attr(711,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/conf.d
 %attr(711,root,root) %dir %{_sysconfdir}/sssd/pki
-%endif
 %ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
 %dir %{_sysconfdir}/logrotate.d
 %config(noreplace) %{_sysconfdir}/logrotate.d/sssd
 %dir %{_sysconfdir}/rwtab.d
 %config(noreplace) %{_sysconfdir}/rwtab.d/sssd
 %dir %{_datadir}/sssd
-%{_sysconfdir}/pam.d/sssd-shadowutils
+%config(noreplace) %{_sysconfdir}/pam.d/sssd-shadowutils
 %dir %{_libdir}/%{name}/conf
 %{_libdir}/%{name}/conf/sssd.conf
 
 %{_datadir}/sssd/cfg_rules.ini
-%{_datadir}/sssd/sssd.api.conf
-%{_datadir}/sssd/sssd.api.d
 %{_mandir}/man1/sss_ssh_authorizedkeys.1*
 %{_mandir}/man1/sss_ssh_knownhostsproxy.1*
 %{_mandir}/man5/sssd.conf.5*
@@ -760,6 +742,10 @@ done
 %{_datadir}/systemtap/tapset/sssd_functions.stp
 %{_mandir}/man5/sssd-systemtap.5*
 
+%if 0%{?rhel}
+%files polkit-rules
+%{_datadir}/polkit-1/rules.d/*
+%endif
 
 %files ldap -f sssd_ldap.lang
 %license COPYING
@@ -769,9 +755,9 @@ done
 
 %files krb5-common
 %license COPYING
-%attr(755,root,root) %dir %{pubconfpath}/krb5.include.d
-%{_libexecdir}/%{servicename}/ldap_child
-%{_libexecdir}/%{servicename}/krb5_child
+%attr(755,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d
+%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/ldap_child
+%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/krb5_child
 
 %files krb5 -f sssd_krb5.lang
 %license COPYING
@@ -784,9 +770,9 @@ done
 
 %files ipa -f sssd_ipa.lang
 %license COPYING
-%attr(700,root,root) %dir %{keytabdir}
+%attr(700,%{sssd_user},%{sssd_user}) %dir %{keytabdir}
 %{_libdir}/%{name}/libsss_ipa.so
-%{_libexecdir}/%{servicename}/selinux_child
+%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/selinux_child
 %{_mandir}/man5/sssd-ipa.5*
 
 %files ad -f sssd_ad.lang
@@ -797,7 +783,7 @@ done
 
 %files proxy
 %license COPYING
-%{_libexecdir}/%{servicename}/proxy_child
+%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/proxy_child
 %{_libdir}/%{name}/libsss_proxy.so
 
 %files dbus -f sssd_dbus.lang
@@ -823,6 +809,7 @@ done
 %license src/sss_client/COPYING src/sss_client/COPYING.LESSER
 %{_libdir}/libnss_sss.so.2
 %{_libdir}/security/pam_sss.so
+%{_libdir}/security/pam_sss_gss.so
 %{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
 %{_libdir}/krb5/plugins/authdata/sssd_pac_plugin.so
 %dir %{_libdir}/cifs-utils
@@ -833,6 +820,7 @@ done
 %dir %{_libdir}/%{name}/modules
 %{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so
 %{_mandir}/man8/pam_sss.8*
+%{_mandir}/man8/pam_sss_gss.8*
 %{_mandir}/man8/sssd_krb5_locator_plugin.8*
 
 %files -n libsss_sudo
@@ -862,6 +850,9 @@ done
 %{python3_sitelib}/SSSDConfig/*.py*
 %dir %{python3_sitelib}/SSSDConfig/__pycache__
 %{python3_sitelib}/SSSDConfig/__pycache__/*.py*
+%dir %{_datadir}/sssd
+%{_datadir}/sssd/sssd.api.conf
+%{_datadir}/sssd/sssd.api.d
 
 %files -n python3-sss
 %{python3_sitearch}/pysss.so
@@ -935,6 +926,12 @@ done
 %{_mandir}/man8/sssd-kcm.8*
 %{_libdir}/%{name}/libsss_secrets.so
 
+%if 0%{?rhel}
+%pre common
+getent group sssd >/dev/null || groupadd -r sssd
+getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd
+%endif
+
 %post common
 %systemd_post sssd.service
 %systemd_post sssd-autofs.socket
@@ -957,18 +954,20 @@ done
 
 %postun common
 %systemd_postun_with_restart sssd-autofs.socket
-%systemd_postun_with_restart sssd-autofs.service
 %systemd_postun_with_restart sssd-nss.socket
-%systemd_postun_with_restart sssd-nss.service
 %systemd_postun_with_restart sssd-pac.socket
-%systemd_postun_with_restart sssd-pac.service
 %systemd_postun_with_restart sssd-pam.socket
 %systemd_postun_with_restart sssd-pam-priv.socket
-%systemd_postun_with_restart sssd-pam.service
 %systemd_postun_with_restart sssd-ssh.socket
-%systemd_postun_with_restart sssd-ssh.service
 %systemd_postun_with_restart sssd-sudo.socket
-%systemd_postun_with_restart sssd-sudo.service
+
+# Services have RefuseManualStart=true, therefore we can't request restart.
+%systemd_postun sssd-autofs.service
+%systemd_postun sssd-nss.service
+%systemd_postun sssd-pac.service
+%systemd_postun sssd-pam.service
+%systemd_postun sssd-ssh.service
+%systemd_postun sssd-sudo.service
 
 %post dbus
 %systemd_post sssd-ifp.service
@@ -990,7 +989,6 @@ done
 %systemd_postun_with_restart sssd-kcm.service
 
 %post client
-%{?ldconfig}
 /usr/sbin/alternatives --install /etc/cifs-utils/idmap-plugin cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so 20
 
 %preun client
@@ -998,24 +996,44 @@ if [ $1 -eq 0 ] ; then
         /usr/sbin/alternatives --remove cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so
 fi
 
-%ldconfig_postun client
-
-%ldconfig_scriptlets -n libsss_sudo
-
-%ldconfig_scriptlets -n libipa_hbac
-
-%ldconfig_scriptlets -n libsss_idmap
-
-%ldconfig_scriptlets -n libsss_nss_idmap
-
-%ldconfig_scriptlets -n libsss_simpleifp
-
-%ldconfig_scriptlets -n libsss_certmap
-
 %posttrans common
 %systemd_postun_with_restart sssd.service
 
 %changelog
+* Mon Aug 16 2021 Pavel Březina <pbrezina@redhat.com> - 2.5.1-2
+- Fix CVE-2021-3621
+
+* Tue Jun 08 2021 Pavel Březina <pbrezina@redhat.com> - 2.5.1-1
+- Rebase to SSSD 2.5.1
+
+* Wed May 19 2021 Pavel Březina <pbrezina@redhat.com> - 2.5.0-2
+- Fix regression in sssd-kcm when upgrading from 2.4.0 directly to 2.5.0
+- Return correct error code for unknown/unsupported operations in sssd-kcm
+
+* Mon May 10 2021 Pavel Březina <pbrezina@redhat.com> - 2.5.0-1
+- Rebase to SSSD 2.5.0
+
+* Fri Feb 19 2021 Pavel Březina <pbrezina@redhat.com> - 2.4.2-2
+- Remove setuid from child binaries and relax requirement on python3-sssdconfig
+
+* Fri Feb 19 2021 Pavel Březina <pbrezina@redhat.com> - 2.4.2-1
+- Rebase to SSSD 2.4.2
+
+* Fri Feb 5 2021 Pavel Březina <pbrezina@redhat.com> - 2.4.1-1
+- Rebase to SSSD 2.4.1
+
+* Fri Dec 11 2020 Pavel Březina <pbrezina@redhat.com> - 2.4.0-4
+- Improve sssd-kcm performance, fix upgrade with existing credentials (rhbz#1645624)
+
+* Mon Dec 7 2020 Pavel Březina <pbrezina@redhat.com> - 2.4.0-3
+- Improve sssd-kcm performance (rhbz#1645624)
+
+* Mon Oct 12 2020 Pavel Březina <pbrezina@redhat.com> - 2.4.0-2
+- Remove old patches
+
+* Mon Oct 12 2020 Pavel Březina <pbrezina@redhat.com> - 2.4.0-1
+- Rebase to SSSD 2.4.0
+
 * Tue Jul 28 2020 Pavel Březina <pbrezina@redhat.com> - 2.3.1-4
 - Actually include 2.3.1 source