
11 Commits
rawhide ... f33

Author SHA1 Message Date
Pavel Březina 54c155f6b3 sssd-2.5.1-2: Fix CVE-2021-3621 2021-08-16 15:04:28 +02:00
Pavel Březina 7a1369a87d sssd-2.5.1-1: Rebase to latest upstream release 2021-06-08 13:13:25 +02:00
Pavel Březina 4e01c65433 sssd-2.5.0-2: Fix KCM regression on long upgrade path
Resolves: rhbz#1962006
2021-05-19 19:30:59 +02:00
Pavel Březina 697d46eda6 sssd-2.5.0-1: Rebase to latest upstream release 2021-05-10 16:22:58 +02:00
Pavel Březina 696fad9f16 sssd-2.4.2-2: Remove setuid from child binaries and relax requirement on python3-sssdconfig 2021-02-19 18:25:35 +01:00
Pavel Březina d9c757ed1b sssd-2.4.2-1: Rebase to latest upstream release 2021-02-19 17:10:16 +01:00
Pavel Březina 16f62f98d0 sssd-2.4.1-1: Rebase to latest upstream release 2021-02-05 18:53:12 +01:00
Pavel Březina 89c0ae2622 sssd-2.4.0-4 - improve kcm performance 2020-12-11 10:34:18 +01:00
Pavel Březina 0513351754 sssd-2.4.0.5 - improve kcm performance 2020-12-07 17:56:49 +01:00
Pavel Březina bd0f5a7397 sssd-2.4.0-2: remove old patches 2020-10-12 14:13:26 +02:00
Pavel Březina f1a3a9edaf sssd-2.4.0-1: Rebase to latest upstream release 2020-10-12 13:43:06 +02:00
7 changed files with 490 additions and 4513 deletions

5
.gitignore vendored

@ -88,3 +88,8 @@ sssd-1.2.91.tar.gz
/sssd-2.2.3.tar.gz
/sssd-2.3.0.tar.gz
/sssd-2.3.1.tar.gz
/sssd-2.4.0.tar.gz
/sssd-2.4.1.tar.gz
/sssd-2.4.2.tar.gz
/sssd-2.5.0.tar.gz
/sssd-2.5.1.tar.gz


@ -0,0 +1,277 @@
From 5a9a2f53ff44b1bd25a6de7c4ba91c709b63b0ba Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 18 Jun 2021 13:17:19 +0200
Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of
user supplied command
A flaw was found in SSSD, where the sssctl command was vulnerable
to shell command injection via the logs-fetch and cache-expire
subcommands. This flaw allows an attacker to trick the root user
into running a specially crafted sssctl command, such as via sudo,
to gain root access. The highest threat from this vulnerability is
to confidentiality, integrity, as well as system availability.
:fixes: CVE-2021-3621
---
src/tools/sssctl/sssctl.c | 39 ++++++++++++++++-------
src/tools/sssctl/sssctl.h | 2 +-
src/tools/sssctl/sssctl_data.c | 57 +++++++++++-----------------------
src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++----
4 files changed, 73 insertions(+), 57 deletions(-)
diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
index 2997dbf968acdd0b9821f726414f8ae1cf34b5d8..8adaf30910e13ea9e7c8ab8b151920c4f307427b 100644
--- a/src/tools/sssctl/sssctl.c
+++ b/src/tools/sssctl/sssctl.c
@@ -97,22 +97,36 @@ sssctl_prompt(const char *message,
return SSSCTL_PROMPT_ERROR;
}
-errno_t sssctl_run_command(const char *command)
+errno_t sssctl_run_command(const char *const argv[])
{
int ret;
+ int wstatus;
- DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command);
+ DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]);
- ret = system(command);
+ ret = fork();
if (ret == -1) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command);
ERROR("Error while executing external command\n");
return EFAULT;
- } else if (WEXITSTATUS(ret) != 0) {
- DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n",
- command, WEXITSTATUS(ret));
+ }
+
+ if (ret == 0) {
+ /* cast is safe - see
+ https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
+ "The statement about argv[] and envp[] being constants ... "
+ */
+ execvp(argv[0], discard_const_p(char * const, argv));
ERROR("Error while executing external command\n");
- return EIO;
+ _exit(1);
+ } else {
+ if (waitpid(ret, &wstatus, 0) == -1) {
+ ERROR("Error while executing external command '%s'\n", argv[0]);
+ return EFAULT;
+ } else if (WEXITSTATUS(wstatus) != 0) {
+ ERROR("Command '%s' failed with [%d]\n",
+ argv[0], WEXITSTATUS(wstatus));
+ return EIO;
+ }
}
return EOK;
@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action)
#elif defined(HAVE_SERVICE)
switch (action) {
case SSSCTL_SVC_START:
- return sssctl_run_command(SERVICE_PATH" sssd start");
+ return sssctl_run_command(
+ (const char *[]){SERVICE_PATH, "sssd", "start", NULL});
case SSSCTL_SVC_STOP:
- return sssctl_run_command(SERVICE_PATH" sssd stop");
+ return sssctl_run_command(
+ (const char *[]){SERVICE_PATH, "sssd", "stop", NULL});
case SSSCTL_SVC_RESTART:
- return sssctl_run_command(SERVICE_PATH" sssd restart");
+ return sssctl_run_command(
+ (const char *[]){SERVICE_PATH, "sssd", "restart", NULL});
}
#endif
diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h
index 0115b2457c48bb0b8ad8ef8fd20d6fc81bdb58b4..599ef65196fcae6454cd5b46aa7a2cf6e7cbba73 100644
--- a/src/tools/sssctl/sssctl.h
+++ b/src/tools/sssctl/sssctl.h
@@ -47,7 +47,7 @@ enum sssctl_prompt_result
sssctl_prompt(const char *message,
enum sssctl_prompt_result defval);
-errno_t sssctl_run_command(const char *command);
+errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */
bool sssctl_start_sssd(bool force);
bool sssctl_stop_sssd(bool force);
bool sssctl_restart_sssd(bool force);
diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
index 8d79b977fdb63fd6c6c925538230bb4ca74a103b..bf2291341668590f4c600237593ea1fd8fe4e4dc 100644
--- a/src/tools/sssctl/sssctl_data.c
+++ b/src/tools/sssctl/sssctl_data.c
@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force)
}
}
- ret = sssctl_run_command("sss_override user-export "
- SSS_BACKUP_USER_OVERRIDES);
+ ret = sssctl_run_command((const char *[]){"sss_override", "user-export",
+ SSS_BACKUP_USER_OVERRIDES, NULL});
if (ret != EOK) {
ERROR("Unable to export user overrides\n");
return ret;
}
- ret = sssctl_run_command("sss_override group-export "
- SSS_BACKUP_GROUP_OVERRIDES);
+ ret = sssctl_run_command((const char *[]){"sss_override", "group-export",
+ SSS_BACKUP_GROUP_OVERRIDES, NULL});
if (ret != EOK) {
ERROR("Unable to export group overrides\n");
return ret;
@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
}
if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
- ret = sssctl_run_command("sss_override user-import "
- SSS_BACKUP_USER_OVERRIDES);
+ ret = sssctl_run_command((const char *[]){"sss_override", "user-import",
+ SSS_BACKUP_USER_OVERRIDES, NULL});
if (ret != EOK) {
ERROR("Unable to import user overrides\n");
return ret;
@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
}
if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
- ret = sssctl_run_command("sss_override group-import "
- SSS_BACKUP_GROUP_OVERRIDES);
+ ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
+ SSS_BACKUP_GROUP_OVERRIDES, NULL});
if (ret != EOK) {
ERROR("Unable to import group overrides\n");
return ret;
@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline,
void *pvt)
{
errno_t ret;
- char *cmd_args = NULL;
- const char *cachecmd = SSS_CACHE;
- char *cmd = NULL;
- int i;
- if (cmdline->argc == 0) {
- ret = sssctl_run_command(cachecmd);
- goto done;
+ const char **args = talloc_array_size(tool_ctx,
+ sizeof(char *),
+ cmdline->argc + 2);
+ if (!args) {
+ return ENOMEM;
}
+ memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc);
+ args[0] = SSS_CACHE;
+ args[cmdline->argc + 1] = NULL;
- cmd_args = talloc_strdup(tool_ctx, "");
- if (cmd_args == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- for (i = 0; i < cmdline->argc; i++) {
- cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]);
- if (i != cmdline->argc - 1) {
- cmd_args = talloc_strdup_append(cmd_args, " ");
- }
- }
-
- cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args);
- if (cmd == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- ret = sssctl_run_command(cmd);
-
-done:
- talloc_free(cmd_args);
- talloc_free(cmd);
+ ret = sssctl_run_command(args);
+ talloc_free(args);
return ret;
}
diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
index 9ff2be05b61108414462d6e17a2c4c4887907a59..ebb2c4571caec487d29ff2d5ceaee1561e845506 100644
--- a/src/tools/sssctl/sssctl_logs.c
+++ b/src/tools/sssctl/sssctl_logs.c
@@ -31,6 +31,7 @@
#include <ldb.h>
#include <popt.h>
#include <stdio.h>
+#include <glob.h>
#include "util/util.h"
#include "tools/common/sss_process.h"
@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
{
struct sssctl_logs_opts opts = {0};
errno_t ret;
+ glob_t globbuf;
/* Parse command line. */
struct poptOption options[] = {
@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
sss_signal(SIGHUP);
} else {
+ globbuf.gl_offs = 4;
+ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
+ return ret;
+ }
+ globbuf.gl_pathv[0] = discard_const_p(char, "truncate");
+ globbuf.gl_pathv[1] = discard_const_p(char, "--no-create");
+ globbuf.gl_pathv[2] = discard_const_p(char, "--size");
+ globbuf.gl_pathv[3] = discard_const_p(char, "0");
+
PRINT("Truncating log files...\n");
- ret = sssctl_run_command("truncate --no-create --size 0 " LOG_FILES);
+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
+ globfree(&globbuf);
if (ret != EOK) {
ERROR("Unable to truncate log files\n");
return ret;
@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
void *pvt)
{
const char *file;
- const char *cmd;
errno_t ret;
+ glob_t globbuf;
/* Parse command line. */
ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL,
@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
return ret;
}
- cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES);
- if (cmd == NULL) {
- ERROR("Out of memory!");
+ globbuf.gl_offs = 3;
+ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
+ return ret;
}
+ globbuf.gl_pathv[0] = discard_const_p(char, "tar");
+ globbuf.gl_pathv[1] = discard_const_p(char, "-czf");
+ globbuf.gl_pathv[2] = discard_const_p(char, file);
PRINT("Archiving log files into %s...\n", file);
- ret = sssctl_run_command(cmd);
+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
+ globfree(&globbuf);
if (ret != EOK) {
ERROR("Unable to archive log files\n");
return ret;
--
2.31.1
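Review bot: In the new sssctl_run_command body (sssctl.c hunk) the parent branch tests `WEXITSTATUS(wstatus)` without first checking `WIFEXITED(wstatus)`, so a child that dies from a signal (a killed `truncate` or `tar`) leaves the exit-status field unspecified and can be reported as EOK; the check should read `} else if (!WIFEXITED(wstatus) || WEXITSTATUS(wstatus) != 0) {`, and the function's closing brace lies outside the hunk. The same function stores the pid_t from fork() in an int and does not retry waitpid() on EINTR, both minor but worth tightening given the tool is run as root via sudo per the patch description. In the sssctl_logs.c hunks a non-zero glob() status (GLOB_NOMATCH, GLOB_ABORTED, GLOB_NOSPACE) is returned unchanged as errno_t, which callers will misread as an errno value, and an empty log directory now fails where the old literal LOG_FILES argument did not; mapping it, e.g. `return (ret == GLOB_NOSPACE) ? ENOMEM : EIO;`, with a comment on the no-match case would make the contract explicit. Finally, execvp() still resolves `sss_override`, `truncate` and `tar` through PATH, so a comment on sssctl_run_command stating that it relies on the caller's sanitized environment (or a switch to absolute paths) would document the assumption the fix leaves in place.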



@ -1,293 +0,0 @@
From cb9ad222358a84e2b2ea148c2950c2389f81de2c Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Mon, 27 Jul 2020 04:01:19 +0000
Subject: [PATCH] DEBUG-TESTS: Fix warnings format not a string literal and no
format arguments
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
e.g.
src/tests/resolv-tests.c: In function test_timeout:
src/tests/resolv-tests.c:942:5: error: format not a string literal and no format arguments [-Werror=format-security]
942 | ck_leaks_pop(tmp_ctx);
|
src/tests/debug-tests.c:413:9: error: format not a string literal and no format arguments [-Werror=format-security]
413 | fail_if(result == DEBUG_TEST_NOK_TS, msg);
| ^~~~~~~
src/tests/debug-tests.c: In function test_debug_is_notset_timestamp_microseconds_fn:
src/tests/debug-tests.c:603:13: error: format not a string literal and no format arguments [-Werror=format-security]
603 | fail(error_msg);
|
src/tests/debug-tests.c: In function test_debug_is_set_false_fn:
src/tests/debug-tests.c:671:9: error: format not a string literal and no format arguments [-Werror=format-security]
671 | fail_unless(result == 0, msg);
|
---
src/tests/common_check.h | 2 +-
src/tests/debug-tests.c | 128 +++++++++++++++------------------------
2 files changed, 49 insertions(+), 81 deletions(-)
diff --git a/src/tests/common_check.h b/src/tests/common_check.h
index 51c3c3f49..ac92d0a74 100644
--- a/src/tests/common_check.h
+++ b/src/tests/common_check.h
@@ -31,6 +31,6 @@ void ck_leak_check_setup(void);
void ck_leak_check_teardown(void);
#define ck_leaks_push(ctx) check_leaks_push(ctx)
-#define ck_leaks_pop(ctx) fail_unless(check_leaks_pop(ctx) == true, check_leaks_err_msg())
+#define ck_leaks_pop(ctx) fail_unless(check_leaks_pop(ctx) == true, "%s", check_leaks_err_msg())
#endif /* __TESTS_COMMON_CHECK_H__ */
diff --git a/src/tests/debug-tests.c b/src/tests/debug-tests.c
index 1e78f506e..092ccf684 100644
--- a/src/tests/debug-tests.c
+++ b/src/tests/debug-tests.c
@@ -55,10 +55,8 @@ START_TEST(test_debug_convert_old_level_old_format)
for (old_level = 0; old_level < N_ELEMENTS(levels); old_level++) {
expected_level |= levels[old_level];
- char *msg = NULL;
- msg = talloc_asprintf(NULL, "Invalid conversion of %d", old_level);
- fail_unless(debug_convert_old_level(old_level) == expected_level, msg);
- talloc_free(msg);
+ fail_unless(debug_convert_old_level(old_level) == expected_level,
+ "Invalid conversion of %d", old_level);
}
}
END_TEST
@@ -343,7 +341,6 @@ START_TEST(test_debug_is_set_single_no_timestamp)
SSSDBG_TRACE_ALL,
SSSDBG_TRACE_LDB
};
- char *error_msg;
debug_timestamps = 0;
debug_microseconds = 0;
@@ -357,15 +354,13 @@ START_TEST(test_debug_is_set_single_no_timestamp)
errno = 0;
result = test_helper_debug_check_message(levels[i]);
- if (result == DEBUG_TEST_ERROR) {
- error_msg = strerror(errno);
- fail(error_msg);
- }
+ fail_if(result == DEBUG_TEST_ERROR,
+ "Expecting DEBUG_TEST_ERROR, got: %d, error: %s",
+ result, strerror(errno));
- char *msg = NULL;
- msg = talloc_asprintf(NULL, "Test of level %#.4x failed - message don't match", levels[i]);
- fail_unless(result == EOK, msg);
- talloc_free(msg);
+ fail_unless(result == EOK,
+ "Test of level %#.4x failed - message don't match",
+ levels[i]);
}
}
END_TEST
@@ -387,7 +382,6 @@ START_TEST(test_debug_is_set_single_timestamp)
SSSDBG_TRACE_ALL,
SSSDBG_TRACE_LDB
};
- char *error_msg;
debug_timestamps = 1;
debug_microseconds = 0;
@@ -402,20 +396,16 @@ START_TEST(test_debug_is_set_single_timestamp)
errno = 0;
result = test_helper_debug_check_message(levels[i]);
- if (result == DEBUG_TEST_ERROR) {
- error_msg = strerror(errno);
- fail(error_msg);
- }
-
- char *msg = NULL;
+ fail_if(result == DEBUG_TEST_ERROR,
+ "Expecting DEBUG_TEST_ERROR, got: %d, error: %s",
+ result, strerror(errno));
- msg = talloc_asprintf(NULL, "Test of level %#.4x failed - invalid timestamp", levels[i]);
- fail_if(result == DEBUG_TEST_NOK_TS, msg);
- talloc_free(msg);
+ fail_if(result == DEBUG_TEST_NOK_TS,
+ "Test of level %#.4x failed - invalid timestamp", levels[i]);
- msg = talloc_asprintf(NULL, "Test of level %#.4x failed - message don't match", levels[i]);
- fail_unless(result == EOK, msg);
- talloc_free(msg);
+ fail_unless(result == EOK,
+ "Test of level %#.4x failed - message don't match",
+ levels[i]);
}
}
END_TEST
@@ -437,7 +427,6 @@ START_TEST(test_debug_is_set_single_timestamp_microseconds)
SSSDBG_TRACE_ALL,
SSSDBG_TRACE_LDB
};
- char *error_msg;
debug_timestamps = 1;
debug_microseconds = 1;
@@ -452,20 +441,16 @@ START_TEST(test_debug_is_set_single_timestamp_microseconds)
errno = 0;
result = test_helper_debug_check_message(levels[i]);
- if (result == DEBUG_TEST_ERROR) {
- error_msg = strerror(errno);
- fail(error_msg);
- }
-
- char *msg = NULL;
+ fail_if(result == DEBUG_TEST_ERROR,
+ "Expecting DEBUG_TEST_ERROR, got: %d, error: %s",
+ result, strerror(errno));
- msg = talloc_asprintf(NULL, "Test of level %#.4x failed - invalid timestamp", levels[i]);
- fail_if(result == DEBUG_TEST_NOK_TS, msg);
- talloc_free(msg);
+ fail_if(result == DEBUG_TEST_NOK_TS,
+ "Test of level %#.4x failed - invalid timestamp", levels[i]);
- msg = talloc_asprintf(NULL, "Test of level %#.4x failed - message don't match", levels[i]);
- fail_unless(result == EOK, msg);
- talloc_free(msg);
+ fail_unless(result == EOK,
+ "Test of level %#.4x failed - message don't match",
+ levels[i]);
}
}
END_TEST
@@ -488,7 +473,6 @@ START_TEST(test_debug_is_notset_no_timestamp)
SSSDBG_TRACE_ALL,
SSSDBG_TRACE_LDB
};
- char *error_msg;
debug_timestamps = 0;
debug_microseconds = 0;
@@ -503,17 +487,13 @@ START_TEST(test_debug_is_notset_no_timestamp)
errno = 0;
result = test_helper_debug_is_empty_message(levels[i]);
- if (result == DEBUG_TEST_ERROR) {
- error_msg = strerror(errno);
- fail(error_msg);
- }
+ fail_if(result == DEBUG_TEST_ERROR,
+ "Expecting DEBUG_TEST_ERROR, got: %d, error: %s",
+ result, strerror(errno));
- char *msg = NULL;
- msg = talloc_asprintf(NULL,
- "Test of level %#.4x failed - message has been written",
- levels[i]);
- fail_unless(result == EOK, msg);
- talloc_free(msg);
+ fail_unless(result == EOK,
+ "Test of level %#.4x failed - message has been written",
+ levels[i]);
}
}
END_TEST
@@ -536,7 +516,6 @@ START_TEST(test_debug_is_notset_timestamp)
SSSDBG_TRACE_ALL,
SSSDBG_TRACE_LDB
};
- char *error_msg;
debug_timestamps = 0;
debug_microseconds = 0;
@@ -551,17 +530,13 @@ START_TEST(test_debug_is_notset_timestamp)
errno = 0;
result = test_helper_debug_is_empty_message(levels[i]);
- if (result == DEBUG_TEST_ERROR) {
- error_msg = strerror(errno);
- fail(error_msg);
- }
+ fail_if(result == DEBUG_TEST_ERROR,
+ "Expecting DEBUG_TEST_ERROR, got: %d, error: %s",
+ result, strerror(errno));
- char *msg = NULL;
- msg = talloc_asprintf(NULL,
- "Test of level %#.4x failed - message has been written",
- levels[i]);
- fail_unless(result == EOK, msg);
- talloc_free(msg);
+ fail_unless(result == EOK,
+ "Test of level %#.4x failed - message has been written",
+ levels[i]);
}
}
END_TEST
@@ -584,7 +559,6 @@ START_TEST(test_debug_is_notset_timestamp_microseconds)
SSSDBG_TRACE_ALL,
SSSDBG_TRACE_LDB
};
- char *error_msg;
debug_timestamps = 0;
debug_microseconds = 1;
@@ -598,17 +572,13 @@ START_TEST(test_debug_is_notset_timestamp_microseconds)
errno = 0;
result = test_helper_debug_is_empty_message(levels[i]);
- if (result == DEBUG_TEST_ERROR) {
- error_msg = strerror(errno);
- fail(error_msg);
- }
+ fail_if(result == DEBUG_TEST_ERROR,
+ "Expecting DEBUG_TEST_ERROR, got: %d, error: %s",
+ result, strerror(errno));
- char *msg = NULL;
- msg = talloc_asprintf(NULL,
- "Test of level %#.4x failed - message has been written",
- levels[i]);
- fail_unless(result == EOK, msg);
- talloc_free(msg);
+ fail_unless(result == EOK,
+ "Test of level %#.4x failed - message has been written",
+ levels[i]);
}
}
END_TEST
@@ -635,10 +605,9 @@ START_TEST(test_debug_is_set_true)
for (i = 0; i < N_ELEMENTS(levels); i++) {
result = DEBUG_IS_SET(levels[i]);
- char *msg = NULL;
- msg = talloc_asprintf(NULL, "Test of level %#.4x failed - result is 0x%.4x", levels[i], result);
- fail_unless(result > 0, msg);
- talloc_free(msg);
+ fail_unless(result > 0,
+ "Test of level %#.4x failed - result is 0x%.4x",
+ levels[i], result);
}
}
END_TEST
@@ -666,10 +635,9 @@ START_TEST(test_debug_is_set_false)
debug_level = all_set & ~levels[i];
result = DEBUG_IS_SET(levels[i]);
- char *msg = NULL;
- msg = talloc_asprintf(NULL, "Test of level %#.4x failed - result is 0x%.4x", levels[i], result);
- fail_unless(result == 0, msg);
- talloc_free(msg);
+ fail_unless(result == 0,
+ "Test of level %#.4x failed - result is 0x%.4x",
+ levels[i], result);
}
}
END_TEST
--
2.28.0.rc2


@ -1,25 +0,0 @@
From 565ef3ffcaaef69a768b6a341777c339217bbbab Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@fedoraproject.org>
Date: Mon, 12 Dec 2016 21:56:16 +0100
Subject: [PATCH] SYSTEMD: Use capabilities
copied from selinux policy
---
src/sysv/systemd/sssd.service.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
index 0c515d34caaa3ea397c4c7e95eef0188df170840..252889dbb2b7b1e651966258e7b76eab38357e76 100644
--- a/src/sysv/systemd/sssd.service.in
+++ b/src/sysv/systemd/sssd.service.in
@@ -11,6 +11,7 @@ ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
Type=notify
NotifyAccess=main
PIDFile=@pidpath@/sssd.pid
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_FOWNER CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND
Restart=on-failure
[Install]
--
2.15.1


@ -1 +1 @@
SHA512 (sssd-2.3.1.tar.gz) = 6aeb52d5222c5992d581296996749327bcaf276e4eb4413a6a32ea6529343432cfe413006aca4245c19b38b515be1c4c2ef88a157c617d889274179253355bc6
SHA512 (sssd-2.5.1.tar.gz) = 7441df3b5f1cc1eadb0c6853b048d780ecb36761876aaeb26b9a2d87729211d3ceeae01085dc3ec4fd1c5328f951c8abe854b1d01d91fae25466f930fe16e44a

396
sssd.spec

@ -1,56 +1,51 @@
%global rhel7_minor %(%{__grep} -o "7.[0-9]*" /etc/redhat-release |%{__sed} -s 's/7.//')
# SSSD SPEC file for Fedora 34+ and RHEL-9+
# define SSSD user
%if 0%{?rhel}
%global sssd_user sssd
%else
%global sssd_user root
%endif
# Set setuid bit on child helpers if we support non-root user.
%if "%{sssd_user}" == "root"
%global child_attrs 0750
%else
%global child_attrs 4750
%endif
# we don't want to provide private python extension libs
%define __provides_exclude_from %{python3_sitearch}/.*\.so$
# SSSD fails to build with -Wl,-z,defs
%undefine _strict_symbol_defs_build
%define _hardened_build 1
%global enable_polkit_rules_option --disable-polkit-rules-path
# Determine the location of the LDB modules directory
%global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
%global ldb_version 1.2.0
%global with_cifs_utils_plugin 1
%global enable_systemtap 1
%global enable_systemtap_opt --enable-systemtap
%global with_kcm 1
%global with_gdm_pam_extensions 1
%if (0%{?fedora} > 28) || (0%{?rhel} > 7)
%global use_openssl 1
%endif
%global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
Name: sssd
Version: 2.3.1
Release: 4%{?dist}
Version: 2.5.1
Release: 2%{?dist}
Summary: System Security Services Daemon
License: GPLv3+
URL: https://github.com/SSSD/sssd/
Source0: https://github.com/SSSD/sssd/releases/download/sssd-2_3_1/sssd-2.3.1.tar.gz
Source0: https://github.com/SSSD/sssd/releases/download/2.5.1/sssd-2.5.1.tar.gz
### Patches ###
Patch0001: 0001-fix-compilation-with-check-0.15.1.patch
Patch0002: 0002-DEBUG-TESTS-Fix-warnings-format-not-a-string-literal.patch
### Downstream only patches ###
Patch0502: 0502-SYSTEMD-Use-capabilities.patch
Patch0001: 0001-TOOLS-replace-system-with-execvp.patch
### Dependencies ###
Requires: sssd-common = %{version}-%{release}
Requires: sssd-ldap = %{version}-%{release}
Requires: sssd-krb5 = %{version}-%{release}
Requires: sssd-ipa = %{version}-%{release}
Requires: sssd-ad = %{version}-%{release}
Requires: sssd-common = %{version}-%{release}
Requires: sssd-ipa = %{version}-%{release}
Requires: sssd-krb5 = %{version}-%{release}
Requires: sssd-ldap = %{version}-%{release}
Recommends: sssd-proxy = %{version}-%{release}
Recommends: logrotate
Suggests: python3-sssdconfig = %{version}-%{release}
Suggests: sssd-dbus = %{version}-%{release}
@ -67,89 +62,80 @@ Suggests: sssd-dbus = %{version}-%{release}
### Build Dependencies ###
BuildRequires: make
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: libtool
BuildRequires: m4
BuildRequires: gcc
BuildRequires: popt-devel
BuildRequires: libtalloc-devel
BuildRequires: libtevent-devel
BuildRequires: libtdb-devel
BuildRequires: libldb-devel >= %{ldb_version}
BuildRequires: libdhash-devel >= 0.4.2
BuildRequires: libcollection-devel
BuildRequires: libini_config-devel >= 1.1
BuildRequires: dbus-devel
BuildRequires: dbus-libs
BuildRequires: openldap-devel
BuildRequires: pam-devel
BuildRequires: nss-devel
BuildRequires: nspr-devel
BuildRequires: pcre-devel
BuildRequires: libxslt
BuildRequires: libxml2
BuildRequires: docbook-style-xsl
BuildRequires: krb5-devel
BuildRequires: bind-utils
BuildRequires: c-ares-devel
BuildRequires: python3-devel
BuildRequires: check-devel
BuildRequires: cifs-utils-devel
BuildRequires: dbus-devel
BuildRequires: docbook-style-xsl
BuildRequires: doxygen
BuildRequires: findutils
BuildRequires: gcc
BuildRequires: gdm-pam-extensions-devel
BuildRequires: gettext-devel
BuildRequires: glib2-devel
# required for p11_child smartcard tests
BuildRequires: gnutls-utils
BuildRequires: jansson-devel
BuildRequires: keyutils-libs-devel
BuildRequires: krb5-devel
BuildRequires: libcmocka-devel >= 1.0.0
BuildRequires: libdhash-devel >= 0.4.2
BuildRequires: libini_config-devel >= 1.1
BuildRequires: libldb-devel >= %{ldb_version}
BuildRequires: libnfsidmap-devel
BuildRequires: libnl3-devel
BuildRequires: libselinux-devel
BuildRequires: libsemanage-devel
BuildRequires: bind-utils
BuildRequires: keyutils-libs-devel
BuildRequires: gettext-devel
BuildRequires: pkgconfig
BuildRequires: diffstat
BuildRequires: findutils
BuildRequires: glib2-devel
BuildRequires: selinux-policy-targeted
BuildRequires: libcmocka-devel >= 1.0.0
BuildRequires: uid_wrapper
BuildRequires: nss_wrapper
BuildRequires: pam_wrapper
BuildRequires: libnl3-devel
BuildRequires: systemd-devel
BuildRequires: systemd
BuildRequires: cifs-utils-devel
BuildRequires: libnfsidmap-devel
BuildRequires: samba4-devel
BuildRequires: libsmbclient-devel
BuildRequires: samba-winbind
BuildRequires: systemtap-sdt-devel
BuildRequires: http-parser-devel
BuildRequires: libtalloc-devel
BuildRequires: libtdb-devel
BuildRequires: libtevent-devel
BuildRequires: libtool
BuildRequires: libuuid-devel
BuildRequires: jansson-devel
BuildRequires: libcurl-devel
BuildRequires: gdm-pam-extensions-devel
%if (0%{?use_openssl} == 1)
BuildRequires: p11-kit-devel
BuildRequires: openssl-devel
BuildRequires: gnutls-utils
BuildRequires: softhsm >= 2.1.0
%endif
BuildRequires: openssl
BuildRequires: libxml2
BuildRequires: libxslt
BuildRequires: m4
BuildRequires: make
BuildRequires: nss_wrapper
BuildRequires: openldap-devel
BuildRequires: openssh
BuildRequires: nss-tools
# required for p11_child smartcard tests
BuildRequires: openssl
BuildRequires: openssl-devel
BuildRequires: p11-kit-devel
BuildRequires: pam_wrapper
BuildRequires: pam-devel
BuildRequires: pcre2-devel
BuildRequires: pkgconfig
BuildRequires: popt-devel
BuildRequires: python3-devel
BuildRequires: samba-devel
# required for idmap_sss.so
BuildRequires: samba-winbind
BuildRequires: selinux-policy-targeted
# required for p11_child smartcard tests
BuildRequires: softhsm >= 2.1.0
BuildRequires: systemd-devel
BuildRequires: systemtap-sdt-devel
BuildRequires: uid_wrapper
BuildRequires: po4a
%description
Provides a set of daemons to manage access to remote directories and
authentication mechanisms. It provides an NSS and PAM interface toward
the system and a plug-gable back-end system to connect to multiple different
the system and a pluggable back end system to connect to multiple different
account sources. It is also the basis to provide client auditing and policy
services for projects like FreeIPA.
The sssd sub-package is a meta-package that contains the daemon as well as all
The sssd subpackage is a meta-package that contains the daemon as well as all
the existing back ends.
%package common
Summary: Common files for the SSSD
License: GPLv3+
# Conflicts
Conflicts: selinux-policy < 3.10.0-46
Conflicts: sssd < 1.10.0-8%{?dist}.beta2
# Requires
# due to ABI changes in 1.1.30/1.2.0
Requires: libldb >= %{ldb_version}
@ -158,6 +144,10 @@ Recommends: libsss_sudo = %{version}-%{release}
Recommends: libsss_autofs%{?_isa} = %{version}-%{release}
Recommends: sssd-nfs-idmap = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
%if 0%{?rhel}
Requires(pre): shadow-utils
%endif
%{?systemd_requires}
### Provides ###
@ -167,12 +157,13 @@ Obsoletes: libsss_sudo-devel <= 1.10.0-7%{?dist}.beta1
%description common
Common files for the SSSD. The common package includes all the files needed
to run a particular back end, however, the back ends are packaged in separate
sub-packages such as sssd-ldap.
subpackages such as sssd-ldap.
%package client
Summary: SSSD Client libraries for NSS and PAM
License: LGPLv3+
Requires(post): /sbin/ldconfig
Requires: libsss_nss_idmap = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
Requires(post): /usr/sbin/alternatives
Requires(preun): /usr/sbin/alternatives
@ -203,6 +194,7 @@ Requires: sssd-common = %{version}-%{release}
# required by sss_obfuscate
Requires: python3-sss = %{version}-%{release}
Requires: python3-sssdconfig = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
Recommends: sssd-dbus
%description tools
@ -249,9 +241,10 @@ Provides python3 module for calculating the murmur hash version 3
%package ldap
Summary: The LDAP back end of the SSSD
License: GPLv3+
Conflicts: sssd < 1.10.0-8.beta2
Requires: sssd-common = %{version}-%{release}
Requires: sssd-krb5-common = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
%description ldap
Provides the LDAP back end that the SSSD can utilize to fetch identity data
@ -260,7 +253,6 @@ from and authenticate against an LDAP server.
%package krb5-common
Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
License: GPLv3+
Conflicts: sssd < 1.10.0-8.beta2
Requires: cyrus-sasl-gssapi%{?_isa}
Requires: sssd-common = %{version}-%{release}
@ -271,7 +263,6 @@ Kerberos user or host authentication.
%package krb5
Summary: The Kerberos authentication back end for the SSSD
License: GPLv3+
Conflicts: sssd < 1.10.0-8.beta2
Requires: sssd-common = %{version}-%{release}
Requires: sssd-krb5-common = %{version}-%{release}
@ -283,6 +274,7 @@ against a Kerberos server.
Summary: Common files needed for supporting PAC processing
License: GPLv3+
Requires: sssd-common = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
%description common-pac
Provides common files needed by SSSD providers such as IPA and Active Directory
@ -291,12 +283,14 @@ for handling Kerberos PACs.
%package ipa
Summary: The IPA back end of the SSSD
License: GPLv3+
Conflicts: sssd < 1.10.0-8.beta2
Requires: samba-client-libs >= %{samba_package_version}
Requires: sssd-common = %{version}-%{release}
Requires: sssd-krb5-common = %{version}-%{release}
Requires: libipa_hbac%{?_isa} = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
Recommends: bind-utils
Requires: sssd-common-pac = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
%description ipa
Provides the IPA back end that the SSSD can utilize to fetch identity data
@ -305,10 +299,12 @@ from and authenticate against an IPA server.
%package ad
Summary: The AD back end of the SSSD
License: GPLv3+
Conflicts: sssd < 1.10.0-8.beta2
Requires: samba-client-libs >= %{samba_package_version}
Requires: sssd-common = %{version}-%{release}
Requires: sssd-krb5-common = %{version}-%{release}
Requires: sssd-common-pac = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
Requires: libsss_certmap = %{version}-%{release}
Recommends: bind-utils
Recommends: adcli
Suggests: sssd-winbind-idmap = %{version}-%{release}
@ -320,7 +316,6 @@ identity data from and authenticate against an Active Directory server.
%package proxy
Summary: The proxy back end of the SSSD
License: GPLv3+
Conflicts: sssd < 1.10.0-8.beta2
Requires: sssd-common = %{version}-%{release}
%description proxy
@ -402,6 +397,19 @@ Requires: sssd-common = %{version}-%{release}
Provides the D-Bus responder of the SSSD, called the InfoPipe, that allows
the information from the SSSD to be transmitted over the system bus.
%if 0%{?rhel}
%package polkit-rules
Summary: Rules for polkit integration for SSSD
Group: Applications/System
License: GPLv3+
Requires: polkit >= 0.106
Requires: sssd-common = %{version}-%{release}
%description polkit-rules
Provides rules for polkit integration with SSSD. This is required
for smartcard support.
%endif
%package -n libsss_simpleifp
Summary: The SSSD D-Bus responder helper library
License: GPLv3+
@ -422,6 +430,8 @@ Provides library that simplifies D-Bus API for the SSSD InfoPipe responder.
%package winbind-idmap
Summary: SSSD's idmap_sss Backend for Winbind
License: GPLv3+ and LGPLv3+
Requires: libsss_nss_idmap = %{version}-%{release}
Requires: libsss_idmap = %{version}-%{release}
Conflicts: sssd-common < %{version}-%{release}
%description winbind-idmap
@ -465,62 +475,38 @@ An implementation of a Kerberos KCM server. Use this package if you want to
use the KCM: Kerberos credentials cache.
%prep
# Update timestamps on the files touched by a patch, to avoid non-equal
# .pyc/.pyo files across the multilib peers within a build, where "Level"
# is the patch prefix option (e.g. -p1)
# Taken from specfile for python-simplejson
UpdateTimestamps() {
Level=$1
PatchFile=$2
# Locate the affected files:
for f in $(diffstat $Level -l $PatchFile); do
# Set the files to have the same timestamp as that of the patch:
touch -r $PatchFile $f
done
}
%setup -q
for p in %patches ; do
%__patch -p1 -i $p
UpdateTimestamps -p1 $p
done
%autosetup -p1
%build
# This package uses -Wl,-wrap to wrap calls at link time. This is incompatible
# with LTO.
# Disable LTO
%define _lto_cflags %{nil}
autoreconf -ivf
%configure \
--with-test-dir=/dev/shm \
--with-db-path=%{dbpath} \
--with-mcache-path=%{mcpath} \
--with-pipe-path=%{pipepath} \
--with-pubconf-path=%{pubconfpath} \
--with-gpo-cache-path=%{gpocachepath} \
--with-init-dir=%{_initrddir} \
--with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \
--with-pid-path=%{_rundir} \
--disable-rpath \
--disable-static \
--enable-gss-spnego-for-zero-maxssf \
--enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \
--enable-nsslibdir=%{_libdir} \
--enable-pammoddir=%{_libdir}/security \
--enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \
--disable-static \
--disable-rpath \
--with-initscript=systemd \
--with-syslog=journald \
--without-python2-bindings \
%if (0%{?use_openssl} == 1)
--with-crypto=libcrypto \
%endif
--enable-sss-default-nss-plugin \
--enable-systemtap \
--with-db-path=%{dbpath} \
--with-gpo-cache-path=%{gpocachepath} \
--with-init-dir=%{_initrddir} \
--with-initscript=systemd \
--with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \
--with-mcache-path=%{mcpath} \
--with-pid-path=%{_rundir} \
--with-pipe-path=%{pipepath} \
--with-pubconf-path=%{pubconfpath} \
--with-sssd-user=%{sssd_user} \
--with-syslog=journald \
--with-test-dir=/dev/shm \
%if 0%{?fedora}
--enable-files-domain \
--enable-gss-spnego-for-zero-maxssf \
%{?with_cifs_utils_plugin_option} \
%{?enable_systemtap_opt}
--disable-polkit-rules-path \
%endif
%{nil}
%make_build all docs runstatedir=%{_rundir}
@ -710,36 +696,32 @@ done
%dir %{sssdstatedir}
%dir %{_localstatedir}/cache/krb5rcache
%attr(700,root,root) %dir %{dbpath}
%attr(775,root,root) %dir %{mcpath}
%attr(700,%{sssd_user},%{sssd_user}) %dir %{dbpath}
%attr(775,%{sssd_user},%{sssd_user}) %dir %{mcpath}
%attr(700,root,root) %dir %{secdbpath}
%attr(751,root,root) %dir %{deskprofilepath}
%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/passwd
%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/group
%ghost %attr(0664,root,root) %verify(not md5 size mtime) %{mcpath}/initgroups
%attr(755,root,root) %dir %{pipepath}
%attr(700,root,root) %dir %{pipepath}/private
%attr(755,root,root) %dir %{pubconfpath}
%attr(755,root,root) %dir %{gpocachepath}
%attr(750,root,root) %dir %{_var}/log/%{name}
%attr(700,root,root) %dir %{_sysconfdir}/sssd
%attr(711,root,root) %dir %{_sysconfdir}/sssd/conf.d
%if (0%{?use_openssl} == 1)
%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/passwd
%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/group
%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/initgroups
%attr(755,%{sssd_user},%{sssd_user}) %dir %{pipepath}
%attr(750,%{sssd_user},root) %dir %{pipepath}/private
%attr(755,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}
%attr(755,%{sssd_user},%{sssd_user}) %dir %{gpocachepath}
%attr(750,%{sssd_user},%{sssd_user}) %dir %{_var}/log/%{name}
%attr(700,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd
%attr(711,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/conf.d
%attr(711,root,root) %dir %{_sysconfdir}/sssd/pki
%endif
%ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
%dir %{_sysconfdir}/logrotate.d
%config(noreplace) %{_sysconfdir}/logrotate.d/sssd
%dir %{_sysconfdir}/rwtab.d
%config(noreplace) %{_sysconfdir}/rwtab.d/sssd
%dir %{_datadir}/sssd
%{_sysconfdir}/pam.d/sssd-shadowutils
%config(noreplace) %{_sysconfdir}/pam.d/sssd-shadowutils
%dir %{_libdir}/%{name}/conf
%{_libdir}/%{name}/conf/sssd.conf
%{_datadir}/sssd/cfg_rules.ini
%{_datadir}/sssd/sssd.api.conf
%{_datadir}/sssd/sssd.api.d
%{_mandir}/man1/sss_ssh_authorizedkeys.1*
%{_mandir}/man1/sss_ssh_knownhostsproxy.1*
%{_mandir}/man5/sssd.conf.5*
@ -760,6 +742,10 @@ done
%{_datadir}/systemtap/tapset/sssd_functions.stp
%{_mandir}/man5/sssd-systemtap.5*
%if 0%{?rhel}
%files polkit-rules
%{_datadir}/polkit-1/rules.d/*
%endif
%files ldap -f sssd_ldap.lang
%license COPYING
@ -769,9 +755,9 @@ done
%files krb5-common
%license COPYING
%attr(755,root,root) %dir %{pubconfpath}/krb5.include.d
%{_libexecdir}/%{servicename}/ldap_child
%{_libexecdir}/%{servicename}/krb5_child
%attr(755,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d
%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/ldap_child
%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/krb5_child
%files krb5 -f sssd_krb5.lang
%license COPYING
@ -784,9 +770,9 @@ done
%files ipa -f sssd_ipa.lang
%license COPYING
%attr(700,root,root) %dir %{keytabdir}
%attr(700,%{sssd_user},%{sssd_user}) %dir %{keytabdir}
%{_libdir}/%{name}/libsss_ipa.so
%{_libexecdir}/%{servicename}/selinux_child
%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/selinux_child
%{_mandir}/man5/sssd-ipa.5*
%files ad -f sssd_ad.lang
@ -797,7 +783,7 @@ done
%files proxy
%license COPYING
%{_libexecdir}/%{servicename}/proxy_child
%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/proxy_child
%{_libdir}/%{name}/libsss_proxy.so
%files dbus -f sssd_dbus.lang
@ -823,6 +809,7 @@ done
%license src/sss_client/COPYING src/sss_client/COPYING.LESSER
%{_libdir}/libnss_sss.so.2
%{_libdir}/security/pam_sss.so
%{_libdir}/security/pam_sss_gss.so
%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
%{_libdir}/krb5/plugins/authdata/sssd_pac_plugin.so
%dir %{_libdir}/cifs-utils
@ -833,6 +820,7 @@ done
%dir %{_libdir}/%{name}/modules
%{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so
%{_mandir}/man8/pam_sss.8*
%{_mandir}/man8/pam_sss_gss.8*
%{_mandir}/man8/sssd_krb5_locator_plugin.8*
%files -n libsss_sudo
@ -862,6 +850,9 @@ done
%{python3_sitelib}/SSSDConfig/*.py*
%dir %{python3_sitelib}/SSSDConfig/__pycache__
%{python3_sitelib}/SSSDConfig/__pycache__/*.py*
%dir %{_datadir}/sssd
%{_datadir}/sssd/sssd.api.conf
%{_datadir}/sssd/sssd.api.d
%files -n python3-sss
%{python3_sitearch}/pysss.so
@ -935,6 +926,12 @@ done
%{_mandir}/man8/sssd-kcm.8*
%{_libdir}/%{name}/libsss_secrets.so
%if 0%{?rhel}
%pre common
getent group sssd >/dev/null || groupadd -r sssd
getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd
%endif
%post common
%systemd_post sssd.service
%systemd_post sssd-autofs.socket
@ -957,18 +954,20 @@ done
%postun common
%systemd_postun_with_restart sssd-autofs.socket
%systemd_postun_with_restart sssd-autofs.service
%systemd_postun_with_restart sssd-nss.socket
%systemd_postun_with_restart sssd-nss.service
%systemd_postun_with_restart sssd-pac.socket
%systemd_postun_with_restart sssd-pac.service
%systemd_postun_with_restart sssd-pam.socket
%systemd_postun_with_restart sssd-pam-priv.socket
%systemd_postun_with_restart sssd-pam.service
%systemd_postun_with_restart sssd-ssh.socket
%systemd_postun_with_restart sssd-ssh.service
%systemd_postun_with_restart sssd-sudo.socket
%systemd_postun_with_restart sssd-sudo.service
# Services have RefuseManualStart=true, therefore we can't request restart.
%systemd_postun sssd-autofs.service
%systemd_postun sssd-nss.service
%systemd_postun sssd-pac.service
%systemd_postun sssd-pam.service
%systemd_postun sssd-ssh.service
%systemd_postun sssd-sudo.service
%post dbus
%systemd_post sssd-ifp.service
@ -990,7 +989,6 @@ done
%systemd_postun_with_restart sssd-kcm.service
%post client
%{?ldconfig}
/usr/sbin/alternatives --install /etc/cifs-utils/idmap-plugin cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so 20
%preun client
@ -998,24 +996,44 @@ if [ $1 -eq 0 ] ; then
/usr/sbin/alternatives --remove cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so
fi
%ldconfig_postun client
%ldconfig_scriptlets -n libsss_sudo
%ldconfig_scriptlets -n libipa_hbac
%ldconfig_scriptlets -n libsss_idmap
%ldconfig_scriptlets -n libsss_nss_idmap
%ldconfig_scriptlets -n libsss_simpleifp
%ldconfig_scriptlets -n libsss_certmap
%posttrans common
%systemd_postun_with_restart sssd.service
%changelog
* Mon Aug 16 2021 Pavel Březina <pbrezina@redhat.com> - 2.5.1-2
- Fix CVE-2021-3621
* Tue Jun 08 2021 Pavel Březina <pbrezina@redhat.com> - 2.5.1-1
- Rebase to SSSD 2.5.1
* Wed May 19 2021 Pavel Březina <pbrezina@redhat.com> - 2.5.0-2
- Fix regression in sssd-kcm when upgrading from 2.4.0 directly to 2.5.0
- Return correct error code for unknown/unsupported operations in sssd-kcm
* Mon May 10 2021 Pavel Březina <pbrezina@redhat.com> - 2.5.0-1
- Rebase to SSSD 2.5.0
* Fri Feb 19 2021 Pavel Březina <pbrezina@redhat.com> - 2.4.2-2
- Remove setuid from child binaries and relax requirement on python3-sssdconfig
* Fri Feb 19 2021 Pavel Březina <pbrezina@redhat.com> - 2.4.2-1
- Rebase to SSSD 2.4.2
* Fri Feb 5 2021 Pavel Březina <pbrezina@redhat.com> - 2.4.1-1
- Rebase to SSSD 2.4.1
* Fri Dec 11 2020 Pavel Březina <pbrezina@redhat.com> - 2.4.0-4
- Improve sssd-kcm performance, fix upgrade with existing credentials (rhbz#1645624)
* Mon Dec 7 2020 Pavel Březina <pbrezina@redhat.com> - 2.4.0-3
- Improve sssd-kcm performance (rhbz#1645624)
* Mon Oct 12 2020 Pavel Březina <pbrezina@redhat.com> - 2.4.0-2
- Remove old patches
* Mon Oct 12 2020 Pavel Březina <pbrezina@redhat.com> - 2.4.0-1
- Rebase to SSSD 2.4.0
* Tue Jul 28 2020 Pavel Březina <pbrezina@redhat.com> - 2.3.1-4
- Actually include 2.3.1 source