commit sssd for openSUSE:Factory
Hello community,

here is the log from the commit of package sssd for openSUSE:Factory checked in at 2018-07-02 23:28:55

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sssd (Old)
 and      /work/SRC/openSUSE:Factory/.sssd.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "sssd"

Mon Jul  2 23:28:55 2018 rev:89 rq:620031 version:1.16.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/sssd/sssd.changes	2018-05-06 14:54:55.575430135 +0200
+++ /work/SRC/openSUSE:Factory/.sssd.new/sssd.changes	2018-07-02 23:29:02.297577514 +0200
@@ -1,0 +2,69 @@ +Sun Jul 1 12:44:00 UTC 2018 - ckowalczyk@suse.com + +- Fixed patch name. + +------------------------------------------------------------------- +Wed Jun 20 10:46:34 UTC 2018 - ckowalczyk@suse.com + +- Introduce patches: + * Create sockets with right permissions: + 0001-SUDO-Create-the-socket-with-stricter-permissions.patch + (bsc#1098377, CVE-2018-10852) + * Fix for sssd upstream integration tests + 0002-intg-Do-not-hardcode-nsslibdir.patch + (bsc#1098163) + +------------------------------------------------------------------- +Wed Jun 20 08:38:53 UTC 2018 - varkoly@suse.com + +- Update to new minor upstream release 1.16.2 +New Features: + * The smart card authentication, or in more general certificate + authentication code now supports OpenSSL in addition to previously + supported NSS (#3489). In addition, the SSH responder can now + return public SSH keys derived from the public keys stored in a + X.509 certificate. Please refer to the ssh_use_certificate_keys + option in the man pages. + * The files provider now supports mirroring multiple passwd or + group files. This enhancement can be used to use the SSSD files + provider instead of the nss_altfiles module +Bugfixes: + * A memory handling issue in the nss_ex interface was fixed. 
This + bug would manifest in IPA environments with a trusted AD domain + as a crash of the ns-slapd process, because a ns-slapd plugin + loads the nss_ex interface (#3715) + * Several fixes for the KCM deamon were merged (see #3687, #3671, #3633) + * The ad_site override is now honored in GPO code as well (#3646) + * Several potential crashes in the NSS responder’s netgroup code + were fixed (#3679, #3731) + * A potential crash in the autofs responder’s code was fixed (#3752) + * The LDAP provider now supports group renaming (#2653) + * The GPO access control code no longer returns an error if one + of the relevant GPO rules contained no SIDs at all (#3680) + * A memory leak in the IPA provider related to resolving external + AD groups was fixed (#3719) + * Setups that used multiple domains where one of the domains had + its ID space limited using the min_id/max_id options did not + resolve requests by ID properly (#3728) + * Overriding IDs or names did not work correctly when the domain + resolution order was set as well (#3595) + * A version mismatch between certain newer Samba versions (e.g. + those shipped in RHEL-7.5) and the Winbind interface provided + by SSSD was fixed. To further prevent issues like this in the + future, the correct interface is now detected at build time (#3741) + * The files provider no longer returns a qualified name in case + domain resolution order is used (#3743) + * A race condition between evaluating IPA group memberships and + AD group memberships in setups with IPA-AD trusts that would + have manifested as randomly losing IPA group memberships assigned + to an AD user was fixed (#3744) + * Setting an SELinux login label was broken in setups where the + domain resolution order was used (#3740) + * SSSD start up issue on systems that use the libldb library + with version 1.4.0 or newer was fixed. 
+Introduce a patch: + * Fix build of sssd of 1.16.2 version: + 0003-Fix-build-for-1-16-2-version.patch + (back then called fix-build.patch) + +------------------------------------------------------------------- Old: ---- sssd-1.16.1.tar.gz sssd-1.16.1.tar.gz.asc New: ---- 0001-SUDO-Create-the-socket-with-stricter-permissions.patch 0002-intg-Do-not-hardcode-nsslibdir.patch 0003-Fix-build-for-1-16-2-version.patch sssd-1.16.2.tar.gz sssd-1.16.2.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sssd.spec ++++++ --- /var/tmp/diff_new_pack.LFaRPO/_old 2018-07-02 23:29:02.785576913 +0200 +++ /var/tmp/diff_new_pack.LFaRPO/_new 2018-07-02 23:29:02.789576908 +0200 @@ -17,7 +17,7 @@ Name: sssd -Version: 1.16.1 +Version: 1.16.2 Release: 0 Summary: System Security Services Daemon License: GPL-3.0+ and LGPL-3.0+ @@ -31,6 +31,9 @@ Source4: sssd.service Source5: %name.keyring BuildRoot: %_tmppath/%name-%version-build +Patch1: 0001-SUDO-Create-the-socket-with-stricter-permissions.patch +Patch2: 0002-intg-Do-not-hardcode-nsslibdir.patch +Patch3: 0003-Fix-build-for-1-16-2-version.patch %define servicename sssd %define sssdstatedir %_localstatedir/lib/sss @@ -80,6 +83,7 @@ BuildRequires: pkgconfig(tdb) >= 1.1.3 BuildRequires: pkgconfig(tevent) BuildRequires: pkgconfig(ndr_krb5pac) +BuildRequires: p11-kit-devel %{?systemd_requires} Requires: sssd-ldap = %version-%release Requires(postun): pam-config @@ -363,6 +367,9 @@ %prep %setup -q +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 %build %if 0%{?suse_version} < 1210 @@ -424,6 +431,8 @@ find "$b" -type f -name "*.la" -delete rm -Rf "$b/%_sysconfdir/dbus-1" "$b/%_datadir/dbus-1" +rm -rf "$b/usr/lib/debug/usr/lib/sssd/p11_child-1.16.2-0.x86_64.debug" + %find_lang %name --all-name 
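Review bot: the "Fixed patch name." entry in the sssd.changes hunk does not say which patch was renamed, while the later entry shows it (fix-build.patch became 0003-Fix-build-for-1-16-2-version.patch); name the old and new file in that entry, e.g. "- Renamed fix-build.patch to 0003-Fix-build-for-1-16-2-version.patch." The 0003 entry should also say what fails when building 1.16.2 without it, because "Fix build of sssd of 1.16.2 version" gives the next maintainer nothing to check the patch against when rebasing.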
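Review bot: the added `rm -rf "$b/usr/lib/debug/usr/lib/sssd/p11_child-1.16.2-0.x86_64.debug"` in the %install hunk hardcodes the version, the release and the architecture, and /usr/lib instead of %_libdir, so it silently does nothing after the next version bump, on any non-zero Release, and on every arch other than x86_64, at which point whatever problem it works around comes back. If the removal is really needed, spell it as `%{version}-%{release}` and `%{_arch}` and add a comment saying why the debuginfo for the newly packaged %_libexecdir/%name/p11_child has to be deleted by hand; better still, find out why that stray .debug file lands in the buildroot and fix that instead.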
@@ -476,17 +485,17 @@ %_mandir/??/man1/sss_ssh_* %_mandir/??/man5/sssd-simple.5* %_mandir/??/man5/sssd-sudo.5* -#%_mandir/??/man5/sssd.conf.5* %_mandir/??/man8/sssd.8* %_mandir/??/man5/sss-certmap.5.gz %_mandir/??/man5/sssd-ad.5.gz -%_mandir/??/man5/sssd-files.5.gz %_mandir/??/man5/sssd-secrets.5.gz %_mandir/??/man5/sssd.conf.5.gz %_mandir/??/man8/idmap_sss.8.gz %_mandir/??/man8/sssctl.8.gz %_mandir/??/man8/sssd-kcm.8.gz %_mandir/??/man5/sssd-simple.5* +%_mandir/??/man5/sssd-session-recording.5.gz +%_mandir/??/man5/sssd-systemtap.5.gz %_mandir/man1/sss_ssh_* %_mandir/man8/sssctl.8* %_mandir/man5/sssd-files.5* @@ -512,6 +521,7 @@ %dir %_libdir/ldb/ %_libdir/ldb/memberof.so %dir %_libexecdir/%name/ +%_libexecdir/%name/p11_child %_libexecdir/%name/sssd_autofs %_libexecdir/%name/sssd_be %_libexecdir/%name/sssd_nss @@ -538,6 +548,7 @@ %dir %_datadir/%name/sssd.api.d/ %_datadir/%name/sssd.api.d/sssd-local.conf %_datadir/%name/sssd.api.d/sssd-simple.conf +%_datadir/%name/sssd.api.d/sssd-files.conf # # sssd-client # ++++++ 0001-SUDO-Create-the-socket-with-stricter-permissions.patch ++++++
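Review bot: in the %files hunk, %_mandir/??/man5/sssd-simple.5* is listed twice (once just above the removed "#%_mandir/??/man5/sssd.conf.5*" line and again after sssd-kcm.8.gz); rpmbuild only warns about a file listed twice, but the duplicate should go. The same hunk drops the localized %_mandir/??/man5/sssd-files.5.gz while %_mandir/man5/sssd-files.5* stays; if 1.16.2 no longer ships translated sssd-files(5) pages that is fine, but the changes entry says nothing about it, so a one-line note there would save the next person from re-adding it.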
From 06193adc0de042484f672cadd0808c78c5ebb70e Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Fri, 15 Jun 2018 22:29:34 +0200
Subject: [PATCH] SUDO: Create the socket with stricter permissions
This patch switches the sudo responder from being created as a public responder where the permissions are open and not checked by the sssd daemon to a private socket. In this case, sssd creates the pipes with strict permissions (see the umask in the call to create_pipe_fd() in set_unix_socket()) and additionally checks the permissions with every read via the tevent integrations (see accept_fd_handler()). --- src/responder/sudo/sudosrv.c | 3 ++- src/sysv/systemd/sssd-sudo.socket.in | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c index ac4258710d3a9b48285522abd23bdd59ba42ad4e..e87a24499c2d82fafaa8e1f9b386e44332394266 100644 --- a/src/responder/sudo/sudosrv.c +++ b/src/responder/sudo/sudosrv.c @@ -79,7 +79,8 @@ int sudo_process_init(TALLOC_CTX *mem_ctx, sudo_cmds = get_sudo_cmds(); ret = sss_process_init(mem_ctx, ev, cdb, sudo_cmds, - SSS_SUDO_SOCKET_NAME, -1, NULL, -1, + NULL, -1, /* No public socket */ + SSS_SUDO_SOCKET_NAME, -1, /* Private socket only */ CONFDB_SUDO_CONF_ENTRY, SSS_SUDO_SBUS_SERVICE_NAME, SSS_SUDO_SBUS_SERVICE_VERSION, diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in index c9abb875f0accbaf58d78846020fef74c7473528..96a8b0327ddb4d331c9b2e97ece3453f8f76872d 100644 --- a/src/sysv/systemd/sssd-sudo.socket.in +++ b/src/sysv/systemd/sssd-sudo.socket.in @@ -11,6 +11,7 @@ ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r sudo ListenStream=@pipepath@/sudo SocketUser=@SSSD_USER@ SocketGroup=@SSSD_USER@ +SocketMode=0600 [Install] WantedBy=sssd.service -- 2.14.3 ++++++ 0002-intg-Do-not-hardcode-nsslibdir.patch ++++++
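Review bot: the sudosrv.c hunk moves SSS_SUDO_SOCKET_NAME from the public to the private slot of sss_process_init(), and the commit message credits the umask in create_pipe_fd() for the strict mode; that umask only applies when sssd creates the pipe itself, so under socket activation the "SocketMode=0600" added to sssd-sudo.socket.in is the line that actually restricts the node, and the message should say so rather than pointing only at create_pipe_fd(). Two smaller points: accept_fd_handler(), going by its name and its use from the tevent accept path, checks the peer at accept() time, not "with every read", so the wording overstates the check; and the diffstat touches no documentation, while after this change the socket at @pipepath@/sudo (owner and group @SSSD_USER@, mode 0600) can only be opened by root and @SSSD_USER@, so sssd-sudo(5) or the responder docs should state that any other client is now refused at connect().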
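As an added illustration of the two controls the commit message above leans on (this is my own example, not SSSD code), the following Python script binds a Unix socket under a strict umask so the node is created with mode 0600 instead of being chmod'ed afterwards, and reads the connecting peer's uid with SO_PEERCRED at accept() time before serving it, the way a private responder socket is meant to behave. The umask values, the pipe name "sudo" under a temporary directory and the allowed-uid policy are assumptions for the demo, and SO_PEERCRED makes it Linux-only.

```python
import os
import socket
import stat
import struct
import tempfile
import threading

# Umasks used for the demo (assumptions; the exact mask inside SSSD's
# create_pipe_fd() is not shown on the page). A socket node is created as
# 0o777 & ~umask, so 0o177 yields 0o600 and a typical 0o022 yields 0o755.
PRIVATE_UMASK = 0o177
PUBLIC_UMASK = 0o022


def bind_unix_socket(path, umask_bits):
    """Bind and listen on a Unix stream socket, creating its node under the
    given umask so the mode is right from the first instant; a chmod after
    bind() would leave a window in which the node is world-connectable."""
    old = os.umask(umask_bits)
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
    finally:
        os.umask(old)
    srv.listen(1)
    return srv


def socket_mode(path):
    """Permission bits of the socket node, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_private(path):
    """True if the node grants no permission at all to group or other."""
    return (socket_mode(path) & 0o077) == 0


def peer_uid(conn):
    """Linux-only: struct ucred {pid_t, uid_t, gid_t} via SO_PEERCRED. The
    kernel fills it in from the connecting process; the client cannot forge it."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid


def serve_one(srv, allowed_uids):
    """Accept one client and decide at accept() time whether to serve it."""
    conn, _ = srv.accept()
    with conn:
        if peer_uid(conn) not in allowed_uids:
            conn.sendall(b"DENY")
            return "deny"
        conn.sendall(b"OK")
        return "allow"


def compare_modes():
    """Node modes produced by the same bind() under a public and a private umask."""
    with tempfile.TemporaryDirectory() as d:
        pub, priv = os.path.join(d, "public"), os.path.join(d, "private")
        s_pub = bind_unix_socket(pub, PUBLIC_UMASK)
        s_priv = bind_unix_socket(priv, PRIVATE_UMASK)
        try:
            return socket_mode(pub), socket_mode(priv)
        finally:
            s_pub.close()
            s_priv.close()


def demo(allowed_uids):
    """Serve one in-process client over a private socket. Returns the verdict,
    the bytes the client received and the mode of the socket node."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sudo")  # hypothetical pipe name for the demo
        srv = bind_unix_socket(path, PRIVATE_UMASK)
        got = {}

        def client():
            with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
                c.connect(path)
                got["reply"] = c.recv(16)

        t = threading.Thread(target=client)
        t.start()
        verdict = serve_one(srv, allowed_uids)
        t.join()
        mode = socket_mode(path)
        srv.close()
        return verdict, got["reply"], mode


def own_uid():
    return os.getuid()


if __name__ == "__main__":
    print("public vs private node mode: %o / %o" % compare_modes())
    print("own uid allowed:", demo({own_uid()}))
    print("nobody allowed: ", demo(set()))
```

Run as any user: the first line shows 0755 versus 0600 for the same bind() call under the two umasks, and the two demo() calls show the same client being served and then refused purely on peer uid. The mode check is the one worth running against the real socket after upgrading (the node at @pipepath@/sudo should report mode 0600 with the sssd user as owner); the peer check is the in-process counterpart of what the commit message attributes to accept_fd_handler().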
From b34fcff0f8bccd7b827686b50c53f45b7e20bb44 Mon Sep 17 00:00:00 2001
From: Fabiano Fidêncio
Date: Tue, 12 Jun 2018 19:07:52 +0200
Subject: [PATCH] intg: Do not hardcode nsslibdir
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This change is needed in order to have make intgcheck-run properly running on openSUSE systems.
Signed-off-by: Fabiano Fidêncio