From 9dbc8cccb7aba3154f0d9e0c82d53db56387bf9c Mon Sep 17 00:00:00 2001
From: Peridot Bot <rockyautomation@rockylinux.org>
Date: Fri, 7 Jun 2024 18:45:11 +0000
Subject: [PATCH] import sssd-2.10.0%7ebeta1-1.el10

---
 .sssd.metadata        |   2 +-
 SOURCES/sssd.sysusers |   1 +
 SPECS/sssd.spec       | 175 ++++++++++++++++++++++++++++++------------
 3 files changed, 130 insertions(+), 48 deletions(-)
 create mode 100644 SOURCES/sssd.sysusers

diff --git a/.sssd.metadata b/.sssd.metadata
index 2780172..f23f766 100644
--- a/.sssd.metadata
+++ b/.sssd.metadata
@@ -1 +1 @@
-82b5ef80be47c96d518de26cfb440000f1bc6b9e3441a8393a007d21af316b18 SOURCES/sssd-2.9.4.tar.gz
+2a66804d38578c8e614c99a58034550c16c5f0062a63175a9aef490a9e11abc5 SOURCES/sssd-2.10.0-beta1.tar.gz
diff --git a/SOURCES/sssd.sysusers b/SOURCES/sssd.sysusers
new file mode 100644
index 0000000..ee8a05d
--- /dev/null
+++ b/SOURCES/sssd.sysusers
@@ -0,0 +1 @@
+u     sssd   -   "User for sssd"     /run/sssd/      /sbin/nologin
diff --git a/SPECS/sssd.spec b/SPECS/sssd.spec
index 4f7a634..cb1ed50 100644
--- a/SPECS/sssd.spec
+++ b/SPECS/sssd.spec
@@ -1,19 +1,24 @@
 # SSSD SPEC file for Fedora 34+ and RHEL-9+
 
 # define SSSD user
-%if 0%{?rhel}
+%if 0%{?fedora} >= 41 || 0%{?rhel}
+%global use_sssd_user 1
 %global sssd_user sssd
 %else
+%global use_sssd_user 0
 %global sssd_user root
 %endif
 
-# Set setuid bit on child helpers if we support non-root user.
-%if "%{sssd_user}" == "root"
-%global child_attrs 0750
+# sysusers depends on presence of sssd user
+%if 0%{?fedora} >= 41 || 0%{?rhel} >= 10
+%global use_sysusers 1
 %else
-%global child_attrs 4750
+%global use_sysusers 0
 %endif
 
+# Capabilities of privileged child helpers (required even if SSSD runs under root)
+%global child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
+
 %if 0%{?fedora} >= 35 || 0%{?rhel} >= 9
 %global build_subid 1
 %else
@@ -30,6 +35,18 @@
 %global build_kcm_renewals 0
 %endif
 
+%if 0%{?fedora} >= 39 || 0%{?rhel} >= 9
+%global build_passkey 1
+%else
+%global build_passkey 0
+%endif
+
+%if 0%{?fedora} >= 41 || 0%{?rhel} >= 10
+%global build_ssh_known_hosts_proxy 0
+%else
+%global build_ssh_known_hosts_proxy 1
+%endif
+
 # we don't want to provide private python extension libs
 %define __provides_exclude_from %{python3_sitearch}/.*\.so$
 
@@ -42,17 +59,16 @@
 %global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release})
 
 Name: sssd
-Version: 2.9.4
-Release: 6%{?dist}
+Version: 2.10.0~beta1
+# Using '.el10' directly is a work around RHEL-38900
+Release: 1.el10
 Summary: System Security Services Daemon
 License: GPL-3.0-or-later
 URL: https://github.com/SSSD/sssd/
-Source0: https://github.com/SSSD/sssd/releases/download/2.9.4/sssd-2.9.4.tar.gz
+Source0: https://github.com/SSSD/sssd/releases/download/2.10.0-beta1/sssd-2.10.0-beta1.tar.gz
+Source1: sssd.sysusers
 
 ### Patches ###
-Patch0001: 0001-ENUMERATION-conditional-build-of-enumeration-support.patch
-Patch0002: 0002-Fix-the-build-with-Samba-4.20.patch
-Patch0003: 0003-tests-Drop-extensions-from-openssl-command-if-there-.patch
 
 ### Dependencies ###
 
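Review bot: The tarball version string `2.10.0-beta1` is spelled out by hand in `Source0` here and again in `%autosetup -n sssd-2.10.0-beta1 -p1` in the %prep hunk, because `Version: 2.10.0~beta1` uses the tilde form and cannot be substituted directly. A single `%global upstream_version 2.10.0-beta1` near the top, with `Source0: https://github.com/SSSD/sssd/releases/download/%{upstream_version}/sssd-%{upstream_version}.tar.gz` and `%autosetup -n sssd-%{upstream_version} -p1`, keeps the two spellings in step on the next bump.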
@@ -78,7 +94,6 @@ Suggests: sssd-dbus = %{version}-%{release}
 %global secdbpath %{sssdstatedir}/secrets
 %global deskprofilepath %{sssdstatedir}/deskprofile
 
-
 ### Build Dependencies ###
 
 BuildRequires: autoconf
@@ -97,14 +112,17 @@ BuildRequires: gettext-devel
 # required for p11_child smartcard tests
 BuildRequires: gnutls-utils
 BuildRequires: jansson-devel
+BuildRequires: libcap-devel
 BuildRequires: libcurl-devel
 BuildRequires: libjose-devel
 BuildRequires: keyutils-libs-devel
 BuildRequires: krb5-devel
 BuildRequires: libcmocka-devel >= 1.0.0
 BuildRequires: libdhash-devel >= 0.4.2
+%if %{build_passkey}
 BuildRequires: libfido2-devel
-BuildRequires: libini_config-devel >= 1.1
+%endif
+BuildRequires: libini_config-devel >= 1.3
 BuildRequires: libldb-devel >= %{ldb_version}
 BuildRequires: libnfsidmap-devel
 BuildRequires: libnl3-devel
@@ -135,7 +153,7 @@ BuildRequires: pcre2-devel
 BuildRequires: pkgconfig
 BuildRequires: popt-devel
 BuildRequires: python3-devel
-BuildRequires: (python3-setuptools if python3 >= 3.12)
+BuildRequires: python3-setuptools
 BuildRequires: samba-devel
 # required for idmap_sss.so
 BuildRequires: samba-winbind
@@ -147,12 +165,17 @@ BuildRequires: systemd-devel
 BuildRequires: systemtap-sdt-devel
 BuildRequires: uid_wrapper
 BuildRequires: po4a
+BuildRequires: valgrind-devel
 %if %{build_subid}
 BuildRequires: shadow-utils-subid-devel
 %endif
 %if %{build_kcm_renewals}
 BuildRequires: krb5-libs >= %{krb5_version}
 %endif
+%if %{use_sysusers} || %{build_passkey}
+BuildRequires: systemd-rpm-macros
+%{?sysusers_requires_compat}
+%endif
 
 %description
 Provides a set of daemons to manage access to remote directories and
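Review bot: `BuildRequires: valgrind-devel` is added unconditionally, but valgrind only exists on a subset of architectures, so a build on one outside that set would fail at dependency resolution. Wrapping it in `%ifarch %{valgrind_arches}` / `%endif` (the macro redhat-rpm-config provides for this case) avoids that. Nothing in the hunk says what the headers are needed for; a one-line comment above the line, in the style of the existing `# required for ...` comments, would help.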
@@ -180,7 +203,9 @@ Requires: (libsss_autofs%{?_isa} = %{version}-%{release} if autofs)
 Requires: (sssd-nfs-idmap = %{version}-%{release} if libnfsidmap)
 Requires: libsss_idmap = %{version}-%{release}
 Requires: libsss_certmap = %{version}-%{release}
-%if 0%{?rhel}
+Requires(post): coreutils
+Requires(postun): coreutils
+%if %{use_sssd_user}
 Requires(pre): shadow-utils
 %endif
 %{?systemd_requires}
@@ -429,7 +454,7 @@ Requires: sssd-common = %{version}-%{release}
 Provides the D-Bus responder of the SSSD, called the InfoPipe, that allows
 the information from the SSSD to be transmitted over the system bus.
 
-%if 0%{?rhel}
+%if %{use_sssd_user}
 %package polkit-rules
 Summary: Rules for polkit integration for SSSD
 Group: Applications/System
@@ -485,6 +510,7 @@ License: GPL-3.0-or-later
 Requires: sssd-common = %{version}-%{release}
 %if %{build_kcm_renewals}
 Requires: krb5-libs >= %{krb5_version}
+Requires: sssd-krb5-common = %{version}-%{release}
 %endif
 %{?systemd_requires}
 
@@ -502,24 +528,30 @@ This package provides Kerberos plugins that are required to enable
 authentication against external identity providers. Additionally a helper
 program to handle the OAuth 2.0 Device Authorization Grant is provided.
 
+%if %{build_passkey}
 %package passkey
 Summary: SSSD helpers and plugins needed for authentication with passkey token
 License: GPL-3.0-or-later
 Requires: sssd-common = %{version}-%{release}
 Requires: libfido2
+%if "%{sssd_user}" != "root"
+Requires: acl
+%endif
 
 %description passkey
 This package provides helper processes and Kerberos plugins that are required to
 enable authentication with passkey token.
+%endif
 
 %prep
-%autosetup -p1
+%autosetup -n sssd-2.10.0-beta1 -p1
 
 %build
 
 autoreconf -ivf
 
 %configure \
+    --runstatedir=%{_rundir} \
     --disable-rpath \
     --disable-static \
     --enable-gss-spnego-for-zero-maxssf \
@@ -534,7 +566,6 @@ autoreconf -ivf
     --with-initscript=systemd \
     --with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \
     --with-mcache-path=%{mcpath} \
-    --with-pid-path=%{_rundir} \
     --with-pipe-path=%{pipepath} \
     --with-pubconf-path=%{pubconfpath} \
     --with-sssd-user=%{sssd_user} \
@@ -543,10 +574,15 @@ autoreconf -ivf
 %if %{build_subid}
     --with-subid \
 %endif
-%if 0%{?fedora}
+%if ! %{use_sssd_user}
     --disable-polkit-rules-path \
 %endif
+%if %{build_passkey}
     --with-passkey \
+%endif
+%if %{build_ssh_known_hosts_proxy}
+    --with-ssh-known-hosts-proxy \
+%endif
     %{nil}
 
 %make_build all docs runstatedir=%{_rundir}
@@ -584,8 +620,13 @@ cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_idp \
    $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_idp
 
 # Enable krb5 passkey plugins by default (when sssd-passkey package is installed)
+%if %{build_passkey}
 cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_passkey \
    $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_passkey
+%if "%{sssd_user}" != "root"
+install -D -p -m 0644 contrib/90-sssd-token-access.rules %{buildroot}%{_udevrulesdir}/90-sssd-token-access.rules
+%endif
+%endif
 
 # krb5 configuration snippet
 cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \
@@ -595,6 +636,9 @@ cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \
 # Otherwise this directory could not be owned by sssd-client
 mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/cifs-utils
 
+# tmpfiles.d config
+install -D -m 0644 contrib/sssd-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/%{name}.conf
+
 # Remove .la files created by libtool
 find $RPM_BUILD_ROOT -name "*.la" -exec rm -f {} \;
 
@@ -689,6 +733,10 @@ do
     cat $subpackage.lang
 done
 
+%if %{use_sysusers}
+install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
+%endif
+
 %files
 %license COPYING
 
@@ -704,13 +752,14 @@ done
 %{_unitdir}/sssd-pac.socket
 %{_unitdir}/sssd-pac.service
 %{_unitdir}/sssd-pam.socket
-%{_unitdir}/sssd-pam-priv.socket
 %{_unitdir}/sssd-pam.service
 %{_unitdir}/sssd-ssh.socket
 %{_unitdir}/sssd-ssh.service
 %{_unitdir}/sssd-sudo.socket
 %{_unitdir}/sssd-sudo.service
 
+%{_tmpfilesdir}/%{name}.conf
+
 %dir %{_libexecdir}/%{servicename}
 %{_libexecdir}/%{servicename}/sssd_be
 %{_libexecdir}/%{servicename}/sssd_nss
@@ -742,40 +791,42 @@ done
 
 %{ldb_modulesdir}/memberof.so
 %{_bindir}/sss_ssh_authorizedkeys
+%{_bindir}/sss_ssh_knownhosts
 %{_bindir}/sss_ssh_knownhostsproxy
 %{_sbindir}/sss_cache
 %{_libexecdir}/%{servicename}/sss_signal
 
-%dir %{sssdstatedir}
+%attr(775,%{sssd_user},%{sssd_user}) %dir %{sssdstatedir}
 %dir %{_localstatedir}/cache/krb5rcache
-%attr(700,%{sssd_user},%{sssd_user}) %dir %{dbpath}
+%attr(770,%{sssd_user},%{sssd_user}) %dir %{dbpath}
 %attr(775,%{sssd_user},%{sssd_user}) %dir %{mcpath}
-%attr(700,root,root) %dir %{secdbpath}
-%attr(751,root,root) %dir %{deskprofilepath}
-%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/passwd
-%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/group
-%ghost %attr(0664,%{sssd_user},%{sssd_user}) %verify(not md5 size mtime) %{mcpath}/initgroups
-%attr(755,%{sssd_user},%{sssd_user}) %dir %{pipepath}
-%attr(750,%{sssd_user},root) %dir %{pipepath}/private
-%attr(755,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}
-%attr(755,%{sssd_user},%{sssd_user}) %dir %{gpocachepath}
-%attr(750,%{sssd_user},%{sssd_user}) %dir %{_var}/log/%{name}
-%attr(700,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd
-%attr(711,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/conf.d
-%attr(711,root,root) %dir %{_sysconfdir}/sssd/pki
-%ghost %attr(0600,root,root) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
+%attr(770,%{sssd_user},%{sssd_user}) %dir %{secdbpath}
+%attr(771,%{sssd_user},%{sssd_user}) %dir %{deskprofilepath}
+%attr(775,%{sssd_user},%{sssd_user}) %dir %{pipepath}
+%attr(770,%{sssd_user},%{sssd_user}) %dir %{pipepath}/private
+%attr(775,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}
+%attr(770,%{sssd_user},%{sssd_user}) %dir %{gpocachepath}
+%attr(770,%{sssd_user},%{sssd_user}) %dir %{_var}/log/%{name}
+%attr(750,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd
+%attr(750,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/conf.d
+%attr(750,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/pki
+%ghost %attr(0600,%{sssd_user},%{sssd_user}) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
 %dir %{_sysconfdir}/logrotate.d
 %config(noreplace) %{_sysconfdir}/logrotate.d/sssd
 %dir %{_sysconfdir}/rwtab.d
 %config(noreplace) %{_sysconfdir}/rwtab.d/sssd
 %dir %{_datadir}/sssd
+%attr(775,%{sssd_user},%{sssd_user}) %dir %{_rundir}/sssd
 %config(noreplace) %{_sysconfdir}/pam.d/sssd-shadowutils
 %dir %{_libdir}/%{name}/conf
 %{_libdir}/%{name}/conf/sssd.conf
 
 %{_datadir}/sssd/cfg_rules.ini
 %{_mandir}/man1/sss_ssh_authorizedkeys.1*
+%{_mandir}/man1/sss_ssh_knownhosts.1*
+%if %{build_ssh_known_hosts_proxy}
 %{_mandir}/man1/sss_ssh_knownhostsproxy.1*
+%endif
 %{_mandir}/man5/sssd.conf.5*
 %{_mandir}/man5/sssd-simple.5*
 %{_mandir}/man5/sssd-sudo.5*
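Review bot: `%{_bindir}/sss_ssh_knownhostsproxy` stays unconditional while its man page a few lines below is wrapped in `%if %{build_ssh_known_hosts_proxy}` and the matching `--with-ssh-known-hosts-proxy` configure flag in the %build hunk is guarded the same way; if the binary is only installed when that option is given, the %files stage will fail on Fedora 41+/RHEL 10 where the macro is 0. Wrapping the binary line in the same `%if %{build_ssh_known_hosts_proxy}` guard keeps the three places consistent. Separately, the ghost `sssd.conf` entry now declares `%{sssd_user}` ownership inside a 750 directory owned by the same user, so on the non-root layout the daemon account can rewrite its own configuration; a short comment above `%dir %{_sysconfdir}/sssd` recording that this is intended, and which processes consume that file, would save the next reader from re-deriving the trust boundary.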
@@ -792,8 +843,12 @@ done
 %{_datadir}/systemtap/tapset/sssd.stp
 %{_datadir}/systemtap/tapset/sssd_functions.stp
 %{_mandir}/man5/sssd-systemtap.5*
+%if %{use_sysusers}
+%{_sysusersdir}/sssd.conf
+%endif
+
 
-%if 0%{?rhel}
+%if %{use_sssd_user}
 %files polkit-rules
 %{_datadir}/polkit-1/rules.d/*
 %endif
@@ -806,9 +861,9 @@ done
 
 %files krb5-common
 %license COPYING
-%attr(755,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d
-%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/ldap_child
-%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/krb5_child
+%attr(775,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d
+%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{servicename}/ldap_child
+%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{servicename}/krb5_child
 
 %files krb5 -f sssd_krb5.lang
 %license COPYING
@@ -824,9 +879,9 @@ done
 
 %files ipa -f sssd_ipa.lang
 %license COPYING
-%attr(700,%{sssd_user},%{sssd_user}) %dir %{keytabdir}
+%attr(770,%{sssd_user},%{sssd_user}) %dir %{keytabdir}
 %{_libdir}/%{name}/libsss_ipa.so
-%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/selinux_child
+%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{servicename}/selinux_child
 %{_mandir}/man5/sssd-ipa.5*
 
 %files ad -f sssd_ad.lang
@@ -837,7 +892,7 @@ done
 
 %files proxy
 %license COPYING
-%attr(%{child_attrs},root,%{sssd_user}) %{_libexecdir}/%{servicename}/proxy_child
+%{_libexecdir}/%{servicename}/proxy_child
 %{_libdir}/%{name}/libsss_proxy.so
 
 %files dbus -f sssd_dbus.lang
@@ -981,17 +1036,26 @@ done
 %{_datadir}/sssd/krb5-snippets/sssd_enable_idp
 %config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_idp
 
+%if %{build_passkey}
 %files passkey
 %attr(755,%{sssd_user},%{sssd_user}) %{_libexecdir}/%{servicename}/passkey_child
 %{_libdir}/%{name}/modules/sssd_krb5_passkey_plugin.so
 %{_datadir}/sssd/krb5-snippets/sssd_enable_passkey
+%if "%{sssd_user}" != "root"
+%{_udevrulesdir}/90-sssd-token-access.rules
+%endif
 %config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_passkey
+%endif
 
-%if 0%{?rhel}
+%if %{use_sssd_user}
 %pre common
+%if %{use_sysusers}
+%sysusers_create_compat %{SOURCE1}
+%else
 getent group sssd >/dev/null || groupadd -r sssd
 getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd
 %endif
+%endif
 
 %post common
 %systemd_post sssd.service
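Review bot: The two user-creation paths in `%pre common` disagree on the home directory: the sysusers entry installed from `%{SOURCE1}` declares `/run/sssd/`, while the `useradd` fallback kept for releases without sysusers still passes `-d /`. If the `/run/sssd/` home is part of what the changelog's RHEL-11181 entry (`//.cache/samba` under `/`) depends on, hosts on the fallback path will not get it; `-d /run/sssd/` in the `useradd` line would align them. As far as I can tell `%sysusers_create_compat` does not alter an account that already exists, so previously upgraded hosts keep their old home either way — worth a comment if that is acceptable.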
@@ -999,9 +1063,17 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
 %systemd_post sssd-nss.socket
 %systemd_post sssd-pac.socket
 %systemd_post sssd-pam.socket
-%systemd_post sssd-pam-priv.socket
 %systemd_post sssd-ssh.socket
 %systemd_post sssd-sudo.socket
+%__rm -f %{mcpath}/passwd
+%__rm -f %{mcpath}/group
+%__rm -f %{mcpath}/initgroups
+%__rm -f %{mcpath}/sid
+%__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true
+%__chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true
+%__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true
+%__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
+%__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true
 
 %preun common
 %systemd_preun sssd.service
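Review bot: The four non-recursive `%__chown -f ... || true` lines follow symlinks, and every path they touch now lives in a directory the package makes writable by `%{sssd_user}` (`%{dbpath}` 770, `%{secdbpath}` 770, the log directory 770, `%{_sysconfdir}/sssd` 750 owned by that user), so on an upgrade root would re-own whatever an entry in those directories happens to point at. Passing `--no-dereference` keeps the change on the entry itself: `%__chown -f -h %{sssd_user}:%{sssd_user} %{dbpath}/* || true`, and likewise for the `sssd.conf`, `*.log` and `*.ldb` lines. The recursive `conf.d` line already behaves that way (coreutils `-R` defaults to `-P`), but adding `-h` there too makes the intent explicit.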
@@ -1009,16 +1081,18 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
 %systemd_preun sssd-nss.socket
 %systemd_preun sssd-pac.socket
 %systemd_preun sssd-pam.socket
-%systemd_preun sssd-pam-priv.socket
 %systemd_preun sssd-ssh.socket
 %systemd_preun sssd-sudo.socket
 
 %postun common
+%__rm -f %{mcpath}/passwd
+%__rm -f %{mcpath}/group
+%__rm -f %{mcpath}/initgroups
+%__rm -f %{mcpath}/sid
 %systemd_postun_with_restart sssd-autofs.socket
 %systemd_postun_with_restart sssd-nss.socket
 %systemd_postun_with_restart sssd-pac.socket
 %systemd_postun_with_restart sssd-pam.socket
-%systemd_postun_with_restart sssd-pam-priv.socket
 %systemd_postun_with_restart sssd-ssh.socket
 %systemd_postun_with_restart sssd-sudo.socket
 
@@ -1061,6 +1135,13 @@ fi
 %systemd_postun_with_restart sssd.service
 
 %changelog
+* Thu Jun  6 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.10.0~beta1-1
+- Resolves: RHEL-40253 - Rebase SSSD for RHEL 10-beta
+- Resolves: RHEL-29303 - Issue discovered by static analyzer.
+- Resolves: RHEL-11181 - sssd[4022110]: gencache_init: Failed to create directory: //.cache/samba - Permission denied
+- Resolves: RHEL-4986 - [RFE] sssd use systemd-sysusers
+- Resolves: RHEL-4974 - sssd status shows error "krb5_kt_start_seq_get failed: Permission denied" when running as unprivileged user 'sssd'
+
 * Thu Feb 22 2024 Troy Dawson <tdawson@redhat.com> - 2.9.4-6
 - Bump release to rebuild on correct samba
 
-- 
GitLab