Resolves: RHEL-62725 - Rebase SSSD for RHEL 10.0

0001-DEBUG-lower-missing-passkey-data-debug-level.patch

@@ -0,0 +1,26 @@
+From bd7f41895493899126579449c13a4ddf8bc34166 Mon Sep 17 00:00:00 2001
+From: Justin Stephenson <jstephen@redhat.com>
+Date: Tue, 10 Dec 2024 14:46:19 -0500
+Subject: [PATCH] DEBUG: lower missing passkey data debug level
+
+(cherry picked from commit bf99c163c1b76e8713454e74333858ead52a1823)
+---
+ src/responder/pam/pamsrv_passkey.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/responder/pam/pamsrv_passkey.c b/src/responder/pam/pamsrv_passkey.c
+index 4a6bf0d03..83f36793f 100644
+--- a/src/responder/pam/pamsrv_passkey.c
++++ b/src/responder/pam/pamsrv_passkey.c
+@@ -665,7 +665,7 @@ void pam_passkey_get_user_done(struct tevent_req *req)
+     DEBUG(SSSDBG_TRACE_ALL, "Processing passkey data\n");
+     ret = process_passkey_data(pk_data, result->msgs[0], domain_name, pk_data);
+     if (ret != EOK) {
+-        DEBUG(SSSDBG_OP_FAILURE,
++        DEBUG(SSSDBG_TRACE_FUNC,
+               "process_passkey_data failed: [%d]: %s\n",
+               ret, sss_strerror(ret));
+         goto done;
+-- 
+2.47.0
+

0002-UTILS-reduce-log-level-if-sss_krb5_touch_config-fail.patch

@@ -0,0 +1,34 @@
+From 00aadc78e8c003790b7b07baf074beacd19e1df5 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Wed, 11 Dec 2024 16:10:23 +0100
+Subject: [PATCH] UTILS: reduce log level if `sss_krb5_touch_config()` fails
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is a fix of fc5c1a1af5d868a34a687550af1e31a17576ad25 -
+when `times` argument is 'NULL' return code in case of failing
+DAC checks is 'EACCESS', not 'EPERM'
+
+Reviewed-by: Alejandro López <allopez@redhat.com>
+(cherry picked from commit 5094a3d9900fa09642b7370b9f6dffeb4db95962)
+---
+ src/util/domain_info_utils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
+index caf563f86..79400e901 100644
+--- a/src/util/domain_info_utils.c
++++ b/src/util/domain_info_utils.c
+@@ -283,7 +283,7 @@ sss_krb5_touch_config(void)
+     ret = utime(config, NULL);
+     if (ret == -1) {
+         ret = errno;
+-        DEBUG(ret == EPERM ? SSSDBG_MINOR_FAILURE : SSSDBG_CRIT_FAILURE,
++        DEBUG(ret == EACCES ? SSSDBG_MINOR_FAILURE : SSSDBG_CRIT_FAILURE,
+               "Unable to change mtime of \"%s\" [%d]: %s\n",
+               config, ret, strerror(ret));
+     }
+-- 
+2.47.0
+

0003-SPEC-conf-files-are-owned-by-root-sssd.patch

@@ -0,0 +1,45 @@
+From be612e6a46b6bb53e93556b33043b3263bd3c04c Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Tue, 17 Dec 2024 13:34:28 +0100
+Subject: [PATCH] SPEC: conf files are owned by 'root:sssd'
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+518db322fdd5a4de41813fbe5bc35fc20392ce67 updated service files
+but missed spec-file.
+This results in
+```
+$ rpm --verify sssd-common-0:2.10.1-1.el10.x86_64
+.....U...    /etc/sssd
+.....U...    /etc/sssd/conf.d
+.....U...    /etc/sssd/pki
+```
+
+Reviewed-by: Jakub Vávra <jvavra@redhat.com>
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit af65c00b9ca518a7769c05a41d5fc8208a2d133c)
+---
+ contrib/sssd.spec.in | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
+index b42dc743d..89b41adef 100644
+--- a/contrib/sssd.spec.in
++++ b/contrib/sssd.spec.in
+@@ -854,9 +854,9 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
+ %attr(775,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}
+ %attr(770,%{sssd_user},%{sssd_user}) %dir %{gpocachepath}
+ %attr(770,%{sssd_user},%{sssd_user}) %dir %{_var}/log/%{name}
+-%attr(750,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd
+-%attr(750,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/conf.d
+-%attr(750,%{sssd_user},%{sssd_user}) %dir %{_sysconfdir}/sssd/pki
++%attr(750,root,%{sssd_user}) %dir %{_sysconfdir}/sssd
++%attr(750,root,%{sssd_user}) %dir %{_sysconfdir}/sssd/conf.d
++%attr(750,root,%{sssd_user}) %dir %{_sysconfdir}/sssd/pki
+ %ghost %attr(0600,%{sssd_user},%{sssd_user}) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf
+ %dir %{_sysconfdir}/logrotate.d
+ %config(noreplace) %{_sysconfdir}/logrotate.d/sssd
+-- 
+2.47.0
+

0004-SYSTEMD-SERVICE-use-no-dereference-for-chown.patch

@@ -0,0 +1,55 @@
+From 97629f36becb8acf7ed9de82f4d2649aa45098f9 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Fri, 6 Dec 2024 20:03:16 +0100
+Subject: [PATCH] SYSTEMD SERVICE: use "--no-dereference" for 'chown'
+
+to avoid following accidential symbolic links in those dirs.
+
+Reviewed-by: Sumit Bose <sbose@redhat.com>
+(cherry picked from commit a20fa0ffd6cb61bc164f52403f396cce6de8b2ea)
+---
+ src/sysv/systemd/sssd-kcm.service.in | 6 +++---
+ src/sysv/systemd/sssd.service.in     | 8 ++++----
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
+index 3e48945aa..088611254 100644
+--- a/src/sysv/systemd/sssd-kcm.service.in
++++ b/src/sysv/systemd/sssd-kcm.service.in
+@@ -9,10 +9,10 @@ Also=sssd-kcm.socket
+ 
+ [Service]
+ Environment=DEBUG_LOGGER=--logger=files
+-ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
++ExecStartPre=+-/bin/chown -f -R -h root:@SSSD_USER@ @sssdconfdir@
+ ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
+-ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb"
+-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log
++ExecStartPre=+-/bin/sh -c "/bin/chown -f -h @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb"
++ExecStartPre=+-/bin/chown -f -h @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log
+ ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER}
+ CapabilityBoundingSet= CAP_DAC_READ_SEARCH CAP_SETGID CAP_SETUID
+ SecureBits=noroot noroot-locked
+diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
+index 4f3cd24ff..441e35f6f 100644
+--- a/src/sysv/systemd/sssd.service.in
++++ b/src/sysv/systemd/sssd.service.in
+@@ -10,11 +10,11 @@ StartLimitBurst=5
+ [Service]
+ Environment=DEBUG_LOGGER=--logger=files
+ EnvironmentFile=-@environment_file@
+-ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
++ExecStartPre=+-/bin/chown -f -R -h root:@SSSD_USER@ @sssdconfdir@
+ ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
+-ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @dbpath@/*.ldb"
+-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @gpocachepath@
+-ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/*.log"
++ExecStartPre=+-/bin/sh -c "/bin/chown -f -h @SSSD_USER@:@SSSD_USER@ @dbpath@/*.ldb"
++ExecStartPre=+-/bin/chown -f -R -h @SSSD_USER@:@SSSD_USER@ @gpocachepath@
++ExecStartPre=+-/bin/sh -c "/bin/chown -f -h @SSSD_USER@:@SSSD_USER@ @logpath@/*.log"
+ ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
+ Type=notify
+ NotifyAccess=main
+-- 
+2.47.0
+

sssd.spec

@@ -57,7 +57,7 @@
 
 Name: sssd
 Version: 2.10.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: System Security Services Daemon
 License: GPL-3.0-or-later
 URL: https://github.com/SSSD/sssd/
@@ -65,7 +65,10 @@ Source0: https://github.com/SSSD/sssd/releases/download/2.10.1/sssd-2.10.1.tar.g
 Source1: sssd.sysusers
 
 ### Patches ###
-# Patch0001:
+Patch0001: 0001-DEBUG-lower-missing-passkey-data-debug-level.patch
+Patch0002: 0002-UTILS-reduce-log-level-if-sss_krb5_touch_config-fail.patch
+Patch0003: 0003-SPEC-conf-files-are-owned-by-root-sssd.patch
+Patch0004: 0004-SYSTEMD-SERVICE-use-no-dereference-for-chown.patch
 
 ### Dependencies ###
 
@@ -1116,6 +1119,9 @@ fi
 %systemd_postun_with_restart sssd.service
 
 %changelog
+* Wed Dec 18 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.10.1-2
+- Resolves: RHEL-62725 - Rebase SSSD for RHEL 10.0
+
 * Tue Dec 10 2024 Alexey Tikhonov <atikhono@redhat.com> - 2.10.1-1
 - Resolves: RHEL-62725 - Rebase SSSD for RHEL 10.0
 - Resolves: RHEL-4984 - Mismatch between input and parsed domain name when default_domain_suffix is set.