sssd-2.5.2-2: Fix CVE-2021-3621

Resolves: rhbz#1962006

.gitignore

@@ -90,3 +90,7 @@ sssd-1.2.91.tar.gz
 /sssd-2.3.1.tar.gz
 /sssd-2.4.0.tar.gz
 /sssd-2.4.1.tar.gz
+/sssd-2.4.2.tar.gz
+/sssd-2.5.0.tar.gz
+/sssd-2.5.1.tar.gz
+/sssd-2.5.2.tar.gz

0001-BUILD-fixes-gpo_child-linking-issue.patch

@@ -1,49 +0,0 @@
-From cf308d6c0e763336526b2e6295f1a075b217900f Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Fri, 5 Feb 2021 14:51:26 +0100
-Subject: [PATCH] BUILD: fixes gpo_child linking issue
-
-/usr/bin/ld: src/util/gpo_child-signal.o (symbol from plugin): undefined reference to symbol 'BlockSignals@@SAMBA_UTIL_0.0.1'
-
-Resolves: https://github.com/SSSD/sssd/issues/5385
----
- Makefile.am           | 3 ++-
- src/external/samba.m4 | 8 ++++++++
- 2 files changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/Makefile.am b/Makefile.am
-index f0083ffd7aaec01d87d9e38569b4714b3dbb2caa..41fc6517beec348daf58ce4d41f03a444901c81c 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -4738,7 +4738,8 @@ gpo_child_LDADD = \
-     $(POPT_LIBS) \
-     $(DHASH_LIBS) \
-     $(INI_CONFIG_LIBS) \
--    $(SMBCLIENT_LIBS)
-+    $(SMBCLIENT_LIBS) \
-+    $(SAMBA_UTIL_LIBS)
- 
- proxy_child_SOURCES = \
-     src/providers/proxy/proxy_child.c \
-diff --git a/src/external/samba.m4 b/src/external/samba.m4
-index 0bc573a0f28d8b0aecd8953f7485944b8bc71baa..bbfa996048ab5e773b686836cfbb4378d412d1b0 100644
---- a/src/external/samba.m4
-+++ b/src/external/samba.m4
-@@ -30,6 +30,14 @@ without them. In this case, you will need to execute configure script
- with argument --without-samba
-     ]]))
- 
-+    PKG_CHECK_MODULES(SAMBA_UTIL, samba-util, ,
-+        AC_MSG_ERROR([[Please install libsamba-util development libraries.
-+libsamba-util libraries are necessary for building ad and ipa provider.
-+If you do not want to build these providers it is possible to build SSSD
-+without them. In this case, you will need to execute configure script
-+with argument --without-samba
-+    ]]))
-+
-     if test x"$HAVE_LIBINI_CONFIG_V1_1" != x1; then
-         AC_MSG_ERROR([[Please install libini_config development libraries
- v1.1.0, or newer. libini_config libraries are necessary for building ipa
--- 
-2.25.4
-

0001-TOOLS-replace-system-with-execvp.patch

@@ -0,0 +1,277 @@
+From 5a9a2f53ff44b1bd25a6de7c4ba91c709b63b0ba Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Fri, 18 Jun 2021 13:17:19 +0200
+Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of
+ user supplied command
+
+A flaw was found in SSSD, where the sssctl command was vulnerable
+to shell command injection via the logs-fetch and cache-expire
+subcommands. This flaw allows an attacker to trick the root user
+into running a specially crafted sssctl command, such as via sudo,
+to gain root access. The highest threat from this vulnerability is
+to confidentiality, integrity, as well as system availability.
+
+:fixes: CVE-2021-3621
+---
+ src/tools/sssctl/sssctl.c      | 39 ++++++++++++++++-------
+ src/tools/sssctl/sssctl.h      |  2 +-
+ src/tools/sssctl/sssctl_data.c | 57 +++++++++++-----------------------
+ src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++----
+ 4 files changed, 73 insertions(+), 57 deletions(-)
+
+diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
+index 2997dbf968acdd0b9821f726414f8ae1cf34b5d8..8adaf30910e13ea9e7c8ab8b151920c4f307427b 100644
+--- a/src/tools/sssctl/sssctl.c
++++ b/src/tools/sssctl/sssctl.c
+@@ -97,22 +97,36 @@ sssctl_prompt(const char *message,
+     return SSSCTL_PROMPT_ERROR;
+ }
+ 
+-errno_t sssctl_run_command(const char *command)
++errno_t sssctl_run_command(const char *const argv[])
+ {
+     int ret;
++    int wstatus;
+ 
+-    DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command);
++    DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]);
+ 
+-    ret = system(command);
++    ret = fork();
+     if (ret == -1) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command);
+         ERROR("Error while executing external command\n");
+         return EFAULT;
+-    } else if (WEXITSTATUS(ret) != 0) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n",
+-              command, WEXITSTATUS(ret));
++    }
++
++    if (ret == 0) {
++        /* cast is safe - see
++        https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
++        "The statement about argv[] and envp[] being constants ... "
++        */
++        execvp(argv[0], discard_const_p(char * const, argv));
+         ERROR("Error while executing external command\n");
+-        return EIO;
++        _exit(1);
++    } else {
++        if (waitpid(ret, &wstatus, 0) == -1) {
++            ERROR("Error while executing external command '%s'\n", argv[0]);
++            return EFAULT;
++        } else if (WEXITSTATUS(wstatus) != 0) {
++            ERROR("Command '%s' failed with [%d]\n",
++                  argv[0], WEXITSTATUS(wstatus));
++            return EIO;
++        }
+     }
+ 
+     return EOK;
+@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action)
+ #elif defined(HAVE_SERVICE)
+     switch (action) {
+     case SSSCTL_SVC_START:
+-        return sssctl_run_command(SERVICE_PATH" sssd start");
++        return sssctl_run_command(
++                      (const char *[]){SERVICE_PATH, "sssd", "start", NULL});
+     case SSSCTL_SVC_STOP:
+-        return sssctl_run_command(SERVICE_PATH" sssd stop");
++        return sssctl_run_command(
++                      (const char *[]){SERVICE_PATH, "sssd", "stop", NULL});
+     case SSSCTL_SVC_RESTART:
+-        return sssctl_run_command(SERVICE_PATH" sssd restart");
++        return sssctl_run_command(
++                      (const char *[]){SERVICE_PATH, "sssd", "restart", NULL});
+     }
+ #endif
+ 
+diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h
+index 0115b2457c48bb0b8ad8ef8fd20d6fc81bdb58b4..599ef65196fcae6454cd5b46aa7a2cf6e7cbba73 100644
+--- a/src/tools/sssctl/sssctl.h
++++ b/src/tools/sssctl/sssctl.h
+@@ -47,7 +47,7 @@ enum sssctl_prompt_result
+ sssctl_prompt(const char *message,
+               enum sssctl_prompt_result defval);
+ 
+-errno_t sssctl_run_command(const char *command);
++errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */
+ bool sssctl_start_sssd(bool force);
+ bool sssctl_stop_sssd(bool force);
+ bool sssctl_restart_sssd(bool force);
+diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
+index 8d79b977fdb63fd6c6c925538230bb4ca74a103b..bf2291341668590f4c600237593ea1fd8fe4e4dc 100644
+--- a/src/tools/sssctl/sssctl_data.c
++++ b/src/tools/sssctl/sssctl_data.c
+@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force)
+         }
+     }
+ 
+-    ret = sssctl_run_command("sss_override user-export "
+-                             SSS_BACKUP_USER_OVERRIDES);
++    ret = sssctl_run_command((const char *[]){"sss_override", "user-export",
++                                              SSS_BACKUP_USER_OVERRIDES, NULL});
+     if (ret != EOK) {
+         ERROR("Unable to export user overrides\n");
+         return ret;
+     }
+ 
+-    ret = sssctl_run_command("sss_override group-export "
+-                             SSS_BACKUP_GROUP_OVERRIDES);
++    ret = sssctl_run_command((const char *[]){"sss_override", "group-export",
++                                              SSS_BACKUP_GROUP_OVERRIDES, NULL});
+     if (ret != EOK) {
+         ERROR("Unable to export group overrides\n");
+         return ret;
+@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
+     }
+ 
+     if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
+-        ret = sssctl_run_command("sss_override user-import "
+-                                 SSS_BACKUP_USER_OVERRIDES);
++        ret = sssctl_run_command((const char *[]){"sss_override", "user-import",
++                                                  SSS_BACKUP_USER_OVERRIDES, NULL});
+         if (ret != EOK) {
+             ERROR("Unable to import user overrides\n");
+             return ret;
+@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
+     }
+ 
+     if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
+-        ret = sssctl_run_command("sss_override group-import "
+-                                 SSS_BACKUP_GROUP_OVERRIDES);
++        ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
++                                                  SSS_BACKUP_GROUP_OVERRIDES, NULL});
+         if (ret != EOK) {
+             ERROR("Unable to import group overrides\n");
+             return ret;
+@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline,
+                             void *pvt)
+ {
+     errno_t ret;
+-    char *cmd_args = NULL;
+-    const char *cachecmd = SSS_CACHE;
+-    char *cmd = NULL;
+-    int i;
+ 
+-    if (cmdline->argc == 0) {
+-        ret = sssctl_run_command(cachecmd);
+-        goto done;
++    const char **args = talloc_array_size(tool_ctx,
++                                          sizeof(char *),
++                                          cmdline->argc + 2);
++    if (!args) {
++        return ENOMEM;
+     }
++    memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc);
++    args[0] = SSS_CACHE;
++    args[cmdline->argc + 1] = NULL;
+ 
+-    cmd_args = talloc_strdup(tool_ctx, "");
+-    if (cmd_args == NULL) {
+-        ret = ENOMEM;
+-        goto done;
+-    }
+-
+-    for (i = 0; i < cmdline->argc; i++) {
+-        cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]);
+-        if (i != cmdline->argc - 1) {
+-            cmd_args = talloc_strdup_append(cmd_args, " ");
+-        }
+-    }
+-
+-    cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args);
+-    if (cmd == NULL) {
+-        ret = ENOMEM;
+-        goto done;
+-    }
+-
+-    ret = sssctl_run_command(cmd);
+-
+-done:
+-    talloc_free(cmd_args);
+-    talloc_free(cmd);
++    ret = sssctl_run_command(args);
+ 
++    talloc_free(args);
+     return ret;
+ }
+diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
+index 9ff2be05b61108414462d6e17a2c4c4887907a59..ebb2c4571caec487d29ff2d5ceaee1561e845506 100644
+--- a/src/tools/sssctl/sssctl_logs.c
++++ b/src/tools/sssctl/sssctl_logs.c
+@@ -31,6 +31,7 @@
+ #include <ldb.h>
+ #include <popt.h>
+ #include <stdio.h>
++#include <glob.h>
+ 
+ #include "util/util.h"
+ #include "tools/common/sss_process.h"
+@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
+ {
+     struct sssctl_logs_opts opts = {0};
+     errno_t ret;
++    glob_t globbuf;
+ 
+     /* Parse command line. */
+     struct poptOption options[] = {
+@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
+ 
+         sss_signal(SIGHUP);
+     } else {
++        globbuf.gl_offs = 4;
++        ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
++        if (ret != 0) {
++            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
++            return ret;
++        }
++        globbuf.gl_pathv[0] = discard_const_p(char, "truncate");
++        globbuf.gl_pathv[1] = discard_const_p(char, "--no-create");
++        globbuf.gl_pathv[2] = discard_const_p(char, "--size");
++        globbuf.gl_pathv[3] = discard_const_p(char, "0");
++
+         PRINT("Truncating log files...\n");
+-        ret = sssctl_run_command("truncate --no-create --size 0 " LOG_FILES);
++        ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
++        globfree(&globbuf);
+         if (ret != EOK) {
+             ERROR("Unable to truncate log files\n");
+             return ret;
+@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
+                           void *pvt)
+ {
+     const char *file;
+-    const char *cmd;
+     errno_t ret;
++    glob_t globbuf;
+ 
+     /* Parse command line. */
+     ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL,
+@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
+         return ret;
+     }
+ 
+-    cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES);
+-    if (cmd == NULL) {
+-        ERROR("Out of memory!");
++    globbuf.gl_offs = 3;
++    ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
++    if (ret != 0) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
++        return ret;
+     }
++    globbuf.gl_pathv[0] = discard_const_p(char, "tar");
++    globbuf.gl_pathv[1] = discard_const_p(char, "-czf");
++    globbuf.gl_pathv[2] = discard_const_p(char, file);
+ 
+     PRINT("Archiving log files into %s...\n", file);
+-    ret = sssctl_run_command(cmd);
++    ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
++    globfree(&globbuf);
+     if (ret != EOK) {
+         ERROR("Unable to archive log files\n");
+         return ret;
+-- 
+2.31.1
+

0502-SYSTEMD-Use-capabilities.patch

@@ -1,25 +0,0 @@
-From 565ef3ffcaaef69a768b6a341777c339217bbbab Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik <lslebodn@fedoraproject.org>
-Date: Mon, 12 Dec 2016 21:56:16 +0100
-Subject: [PATCH] SYSTEMD: Use capabilities
-
-copied from selinux policy
----
- src/sysv/systemd/sssd.service.in | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
-index 0c515d34caaa3ea397c4c7e95eef0188df170840..252889dbb2b7b1e651966258e7b76eab38357e76 100644
---- a/src/sysv/systemd/sssd.service.in
-+++ b/src/sysv/systemd/sssd.service.in
-@@ -11,6 +11,7 @@ ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
- Type=notify
- NotifyAccess=main
- PIDFile=@pidpath@/sssd.pid
-+CapabilityBoundingSet=CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_FOWNER CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND
- Restart=on-failure
- 
- [Install]
--- 
-2.15.1
-

sources

@@ -1 +1 @@
-SHA512 (sssd-2.4.1.tar.gz) = 27b53585c43ee8387fda85afd894bcbd2aa037e8b7e05ffb68a17232fcc6a8b4aaf5f83eda65b91f656de3f040372ddfa49d0a905ff37b1064b6e22544025669
+SHA512 (sssd-2.5.2.tar.gz) = a9bac7b2cc23022dce3bcda314c9c26a0a0914c448f6d5a51c5ba18670f04c1fd1a94cb20173235b6285df1dcc9251cb6b3f3e71a220037b4eb66668e6f33c48

sssd.spec

@@ -7,6 +7,13 @@
 %global sssd_user root
 %endif
 
+# Set setuid bit on child helpers if we support non-root user.
+%if "%{sssd_user}" == "root"
+%global child_attrs 0750
+%else
+%global child_attrs 4750
+%endif
+
 # we don't want to provide private python extension libs
 %define __provides_exclude_from %{python3_sitearch}/.*\.so$
 
@@ -19,22 +26,19 @@
 %global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
 
 Name: sssd
-Version: 2.4.1
-Release: 1%{?dist}
+Version: 2.5.2
+Release: 2%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://github.com/SSSD/sssd/
-Source0: https://github.com/SSSD/sssd/releases/download/2.4.1/sssd-2.4.1.tar.gz
+Source0: https://github.com/SSSD/sssd/releases/download/2.5.2/sssd-2.5.2.tar.gz
 
 ### Patches ###
-Patch0001:  0001-BUILD-fixes-gpo_child-linking-issue.patch
 
-### Downstream only patches ###
-Patch0502: 0502-SYSTEMD-Use-capabilities.patch
+Patch0001: 0001-TOOLS-replace-system-with-execvp.patch
 
 ### Dependencies ###
 
-Requires: python3-sssdconfig = %{version}-%{release}
 Requires: sssd-ad = %{version}-%{release}
 Requires: sssd-common = %{version}-%{release}
 Requires: sssd-ipa = %{version}-%{release}
@@ -42,6 +46,7 @@ Requires: sssd-krb5 = %{version}-%{release}
 Requires: sssd-ldap = %{version}-%{release}
 Recommends: sssd-proxy = %{version}-%{release}
 Recommends: logrotate
+Suggests: python3-sssdconfig = %{version}-%{release}
 Suggests: sssd-dbus = %{version}-%{release}
 
 %global servicename sssd
@@ -97,11 +102,13 @@ BuildRequires: make
 BuildRequires: nss_wrapper
 BuildRequires: openldap-devel
 BuildRequires: openssh
+# required for p11_child smartcard tests
+BuildRequires: openssl
 BuildRequires: openssl-devel
 BuildRequires: p11-kit-devel
 BuildRequires: pam_wrapper
 BuildRequires: pam-devel
-BuildRequires: pcre-devel
+BuildRequires: pcre2-devel
 BuildRequires: pkgconfig
 BuildRequires: popt-devel
 BuildRequires: python3-devel
@@ -114,6 +121,7 @@ BuildRequires: softhsm >= 2.1.0
 BuildRequires: systemd-devel
 BuildRequires: systemtap-sdt-devel
 BuildRequires: uid_wrapper
+BuildRequires: po4a
 
 %description
 Provides a set of daemons to manage access to remote directories and
@@ -131,6 +139,7 @@ License: GPLv3+
 # Requires
 # due to ABI changes in 1.1.30/1.2.0
 Requires: libldb >= %{ldb_version}
+Requires: libtevent >= 0.11.0
 Requires: sssd-client%{?_isa} = %{version}-%{release}
 Recommends: libsss_sudo = %{version}-%{release}
 Recommends: libsss_autofs%{?_isa} = %{version}-%{release}
@@ -156,7 +165,6 @@ Summary: SSSD Client libraries for NSS and PAM
 License: LGPLv3+
 Requires: libsss_nss_idmap = %{version}-%{release}
 Requires: libsss_idmap = %{version}-%{release}
-Requires(post): /sbin/ldconfig
 Requires(post):  /usr/sbin/alternatives
 Requires(preun): /usr/sbin/alternatives
 
@@ -461,6 +469,7 @@ Library to map certificates to users based on rules
 Summary: An implementation of a Kerberos KCM server
 License: GPLv3+
 Requires: sssd-common = %{version}-%{release}
+Requires: krb5-libs >= 1.19.1
 %{?systemd_requires}
 
 %description kcm
@@ -477,7 +486,6 @@ autoreconf -ivf
 %configure \
     --disable-rpath \
     --disable-static \
-    --enable-files-domain \
     --enable-gss-spnego-for-zero-maxssf \
     --enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \
     --enable-nsslibdir=%{_libdir} \
@@ -497,6 +505,7 @@ autoreconf -ivf
     --with-syslog=journald \
     --with-test-dir=/dev/shm \
 %if 0%{?fedora}
+    --enable-files-domain \
     --disable-polkit-rules-path \
 %endif
     %{nil}
@@ -749,8 +758,8 @@ done
 %files krb5-common
 %license COPYING
 %attr(755,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d
-%attr(4750,root,%{sssd_user}) %{_libexecdir}/%{servicename}/ldap_child
-%attr(4750,root,%{sssd_user}) %{_libexecdir}/%{servicename}/krb5_child
+%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/ldap_child
+%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/krb5_child
 
 %files krb5 -f sssd_krb5.lang
 %license COPYING
@@ -765,7 +774,7 @@ done
 %license COPYING
 %attr(700,%{sssd_user},%{sssd_user}) %dir %{keytabdir}
 %{_libdir}/%{name}/libsss_ipa.so
-%attr(4750,root,%{sssd_user}) %{_libexecdir}/%{servicename}/selinux_child
+%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/selinux_child
 %{_mandir}/man5/sssd-ipa.5*
 
 %files ad -f sssd_ad.lang
@@ -776,7 +785,7 @@ done
 
 %files proxy
 %license COPYING
-%attr(4750,root,%{sssd_user}) %{_libexecdir}/%{servicename}/proxy_child
+%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/proxy_child
 %{_libdir}/%{name}/libsss_proxy.so
 
 %files dbus -f sssd_dbus.lang
@@ -947,18 +956,20 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
 
 %postun common
 %systemd_postun_with_restart sssd-autofs.socket
-%systemd_postun_with_restart sssd-autofs.service
 %systemd_postun_with_restart sssd-nss.socket
-%systemd_postun_with_restart sssd-nss.service
 %systemd_postun_with_restart sssd-pac.socket
-%systemd_postun_with_restart sssd-pac.service
 %systemd_postun_with_restart sssd-pam.socket
 %systemd_postun_with_restart sssd-pam-priv.socket
-%systemd_postun_with_restart sssd-pam.service
 %systemd_postun_with_restart sssd-ssh.socket
-%systemd_postun_with_restart sssd-ssh.service
 %systemd_postun_with_restart sssd-sudo.socket
-%systemd_postun_with_restart sssd-sudo.service
+
+# Services have RefuseManualStart=true, therefore we can't request restart.
+%systemd_postun sssd-autofs.service
+%systemd_postun sssd-nss.service
+%systemd_postun sssd-pac.service
+%systemd_postun sssd-pam.service
+%systemd_postun sssd-ssh.service
+%systemd_postun sssd-sudo.service
 
 %post dbus
 %systemd_post sssd-ifp.service
@@ -980,7 +991,6 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
 %systemd_postun_with_restart sssd-kcm.service
 
 %post client
-%{?ldconfig}
 /usr/sbin/alternatives --install /etc/cifs-utils/idmap-plugin cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so 20
 
 %preun client
@@ -988,24 +998,39 @@ if [ $1 -eq 0 ] ; then
         /usr/sbin/alternatives --remove cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so
 fi
 
-%ldconfig_postun client
-
-%ldconfig_scriptlets -n libsss_sudo
-
-%ldconfig_scriptlets -n libipa_hbac
-
-%ldconfig_scriptlets -n libsss_idmap
-
-%ldconfig_scriptlets -n libsss_nss_idmap
-
-%ldconfig_scriptlets -n libsss_simpleifp
-
-%ldconfig_scriptlets -n libsss_certmap
-
 %posttrans common
 %systemd_postun_with_restart sssd.service
 
 %changelog
+* Mon Aug 16 2021 Pavel Březina <pbrezina@redhat.com> - 2.5.2-2
+- Fix CVE-2021-3621
+
+* Tue Jul 13 2021 Pavel Březina <pbrezina@redhat.com> - 2.5.2-1
+- Rebase to SSSD 2.5.2
+
+* Thu Jun 24 2021 Pavel Březina <pbrezina@redhat.com> - 2.5.1-2
+- Multiple small fixes to reduce size of log files with debug_backtrace on
+- Fix a corner case bug in KCM renewals that makes user lookup in the daemon fail
+
+* Tue Jun 08 2021 Pavel Březina <pbrezina@redhat.com> - 2.5.1-1
+- Rebase to SSSD 2.5.1
+
+* Wed May 19 2021 Pavel Březina <pbrezina@redhat.com> - 2.5.0-2
+- Fix regression in sssd-kcm when upgrading from 2.4.0 directly to 2.5.0
+- Return correct error code for unknown/unsupported operations in sssd-kcm
+
+* Mon May 10 2021 Pavel Březina <pbrezina@redhat.com> - 2.5.0-1
+- Rebase to SSSD 2.5.0
+
+* Wed Mar 31 2021 Pavel Březina <pbrezina@redhat.com> - 2.4.2-3
+- Add CAP_DAC_OVERRIDE to ifp service file if required by build configuration
+
+* Fri Feb 19 2021 Pavel Březina <pbrezina@redhat.com> - 2.4.2-2
+- Remove setuid from child binaries and relax requirement on python3-sssdconfig
+
+* Fri Feb 19 2021 Pavel Březina <pbrezina@redhat.com> - 2.4.2-1
+- Rebase to SSSD 2.4.2
+
 * Fri Feb 5 2021 Pavel Březina <pbrezina@redhat.com> - 2.4.1-1
 - Rebase to SSSD 2.4.1