diff --git a/.gitignore b/.gitignore
index be63522..4c74636 100644
--- a/.gitignore
+++ b/.gitignore
@@ -105,3 +105,4 @@ sssd-1.2.91.tar.gz
 /sssd-2.8.0.tar.gz
 /sssd-2.8.1.tar.gz
 /sssd-2.8.2.tar.gz
+/sssd-2.9.0.tar.gz
diff --git a/0001-FILE-WATCH-Callback-not-executed-on-link-or-relative.patch b/0001-FILE-WATCH-Callback-not-executed-on-link-or-relative.patch
new file mode 100644
index 0000000..d2c10a6
--- /dev/null
+++ b/0001-FILE-WATCH-Callback-not-executed-on-link-or-relative.patch
@@ -0,0 +1,251 @@ +From eb43c2400a34a4ab77be4f75ba7536baecda3bef Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Alejandro=20L=C3=B3pez?= +Date: Wed, 10 May 2023 17:29:07 +0200 +Subject: [PATCH 1/4] FILE WATCH: Callback not executed on link or relative + path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When the watched file was a symbolic link or was a relative path, +the calback was not executed because the filename comparison +was wrongly considering the files to be different. + +The solution is to normalize the filenames before comparing them. +This cannot be easily done at setup because the file could not +exist at that moment. + +The test was adapted to check this situation. + +Resolves: https://github.com/SSSD/sssd/issues/6718 + +Reviewed-by: Alexey Tikhonov +Reviewed-by: Pavel Březina +(cherry picked from commit b2a4ff2aa67707c226c5835c1fcac042fce1cae3) +--- + src/tests/file_watch-tests.c | 87 +++++++++++++++++++++++++----------- + src/util/file_watch.c | 26 +++++++++-- + 2 files changed, 85 insertions(+), 28 deletions(-) + +diff --git a/src/tests/file_watch-tests.c b/src/tests/file_watch-tests.c +index 3ca5b44f9553e26bfefa5ee3449b374121c7fcca..3e1aea6cece863c6a762d6a98cc1885aeb395c5a 100644 +--- a/src/tests/file_watch-tests.c ++++ b/src/tests/file_watch-tests.c +@@ -36,11 +36,19 @@ + #include "util/file_watch.h" + #include "tests/common.h" + +-#define FW_DIR TEST_DIR "/file-watch" +-#define WATCHED_FILE_INOTIFY FW_DIR "/watched_file_inotify" +-#define WATCHED_FILE_POLL FW_DIR "/watched_file_poll" +-#define WATCHED_EXISTING_FILE_INOTIFY FW_DIR "/watched_file_inotify.exists" +-#define WATCHED_EXISTING_FILE_POLL FW_DIR "/watched_file_poll.exists" ++#define FW_NAME "/file-watch-test-dir" ++#define FILE_INOTIFY_NAME "watched_file_inotify" ++#define FILE_POLL_NAME "watched_file_poll" ++#define FW_DIR TEST_DIR FW_NAME ++#define EXISTING_FILE_INOTIFY_NAME FILE_INOTIFY_NAME ".exists" ++#define EXISTING_FILE_POLL_NAME 
FILE_POLL_NAME ".exists" ++#define WATCHED_FILE_INOTIFY FW_DIR "/.." FW_NAME "/" FILE_INOTIFY_NAME ++#define WATCHED_FILE_POLL FW_DIR "/.." FW_NAME "/" FILE_POLL_NAME ++#define WATCHED_EXISTING_FILE_INOTIFY FW_DIR "/.." FW_NAME "/" EXISTING_FILE_INOTIFY_NAME ++#define WATCHED_EXISTING_FILE_POLL FW_DIR "/.." FW_NAME "/" EXISTING_FILE_POLL_NAME ++#define WATCHED_EXISTING_LINK_INOTIFY FW_DIR "/" EXISTING_FILE_INOTIFY_NAME ".link" ++#define WATCHED_EXISTING_LINK_POLL FW_DIR "/" EXISTING_FILE_POLL_NAME ".link" ++#define UNWATCHED_FILE FW_DIR "/unwatched_file" + + + static TALLOC_CTX *test_mem_ctx; +@@ -50,34 +58,51 @@ struct fn_arg { + int counter; + }; + ++static void remove_files(void) ++{ ++ unlink(WATCHED_FILE_INOTIFY); ++ unlink(WATCHED_FILE_POLL); ++ unlink(WATCHED_EXISTING_LINK_INOTIFY); ++ unlink(WATCHED_EXISTING_LINK_POLL); ++ unlink(WATCHED_EXISTING_FILE_INOTIFY); ++ unlink(WATCHED_EXISTING_FILE_POLL); ++ unlink(UNWATCHED_FILE); ++} ++ + static void setup_file_watch(void) + { ++ DEBUG(SSSDBG_TRACE_ALL, "==========================================\n"); + test_mem_ctx = talloc_new(NULL); + mkdir(FW_DIR, 0700); +- unlink(WATCHED_FILE_INOTIFY); +- unlink(WATCHED_FILE_POLL); +- unlink(WATCHED_EXISTING_FILE_INOTIFY); +- unlink(WATCHED_EXISTING_FILE_POLL); ++ remove_files(); + } + +- + static void teardown_file_watch(void) + { +- unlink(WATCHED_FILE_INOTIFY); +- unlink(WATCHED_FILE_POLL); +- unlink(WATCHED_EXISTING_FILE_INOTIFY); +- unlink(WATCHED_EXISTING_FILE_POLL); + talloc_free(test_mem_ctx); ++ remove_files(); ++ rmdir(FW_DIR); + } + + + static void callback(const char *filename, void *arg) + { +- DEBUG(SSSDBG_TRACE_FUNC, "Callback invoked\n"); ++ static char received[PATH_MAX + 1]; ++ static char expected[PATH_MAX + 1]; ++ char *res; + struct fn_arg *data = (struct fn_arg *) arg; + ++ DEBUG(SSSDBG_TRACE_FUNC, "Callback invoked\n"); ++ + ck_assert_msg(data != NULL, "Callback received NULL argument"); +- ck_assert_msg(strcmp(filename, data->filename) == 0, ++ ++ 
res = realpath(data->filename, expected); ++ ck_assert_msg(res != NULL, "Failed to normalize the expected filename"); ++ ++ res = realpath(filename, received); ++ ck_assert_msg(res != NULL, "Failed to normalize the received filename"); ++ ++ ck_assert_msg(strcmp(expected, received) == 0, + "Wrong filename in the callback."); + data->counter++; + } +@@ -88,7 +113,7 @@ static void modify_file(const char *filename) + int fd; + int res; + +- DEBUG(SSSDBG_TRACE_FUNC, "File modified\n"); ++ DEBUG(SSSDBG_TRACE_FUNC, "Modifying file %s\n", filename); + fd = open(filename, O_WRONLY | O_CREAT | O_APPEND, S_IRUSR | S_IWUSR); + ck_assert_msg(fd != -1, "Failed to open the file."); + +@@ -119,11 +144,14 @@ static void test_file_watch_no_file(bool use_inotify) + arg.filename = filename; + arg.counter = 0; + ++ DEBUG(SSSDBG_TRACE_ALL, "Watching file %s\n", filename); + ctx = fw_watch_file(test_mem_ctx, ev, filename, use_inotify, callback, &arg); + ck_assert_msg(ctx != NULL, "Failed to watch a file."); + ck_assert_msg(arg.counter == 0, "Unexpected callback invocation."); + +- // At this point the file doesn't exist, we will create it. ++ // At this point the file doesn't exist. 
We create the watched and an ++ // unwatched file ++ modify_file(UNWATCHED_FILE); + modify_file(filename); + if (use_inotify) { + res = tevent_loop_once(ev); +@@ -152,26 +180,35 @@ static void test_file_watch_with_file(bool use_inotify) + { + struct file_watch_ctx *ctx; + struct tevent_context *ev; ++ const char *filepath; + const char *filename; ++ const char *linkpath; + struct fn_arg arg; + int res; + + if (use_inotify) { +- filename = WATCHED_EXISTING_FILE_INOTIFY; ++ filename = EXISTING_FILE_INOTIFY_NAME; ++ filepath = WATCHED_EXISTING_FILE_INOTIFY; ++ linkpath = WATCHED_EXISTING_LINK_INOTIFY; + } else { +- filename = WATCHED_EXISTING_FILE_POLL; ++ filename = EXISTING_FILE_POLL_NAME; ++ filepath = WATCHED_EXISTING_FILE_POLL; ++ linkpath = WATCHED_EXISTING_LINK_POLL; + } +- modify_file(filename); ++ modify_file(filepath); ++ res = symlink(filename, linkpath); ++ ck_assert_msg(res == 0, "Failed create the symbolic link"); + + ev = tevent_context_init(test_mem_ctx); + ck_assert_msg(ev != NULL, "Failed to create the tevent context."); + +- arg.filename = filename; ++ arg.filename = linkpath; + arg.counter = 0; + + // File already exists +- ctx = fw_watch_file(test_mem_ctx, ev, filename, use_inotify, callback, &arg); +- ck_assert_msg(ctx != NULL, "Failed to watch a file."); ++ DEBUG(SSSDBG_TRACE_ALL, "Watching link %s\n", linkpath); ++ ctx = fw_watch_file(test_mem_ctx, ev, linkpath, use_inotify, callback, &arg); ++ ck_assert_msg(ctx != NULL, "Failed to watch a link."); + ck_assert_msg(arg.counter >= 1, "Callback not invoked at start up."); + ck_assert_msg(arg.counter <= 1, "Callback invoked too many times at start up."); + +@@ -179,7 +216,7 @@ static void test_file_watch_with_file(bool use_inotify) + if (!use_inotify) { + sleep(2); // Detection by polling is based on the file's modification time. 
+ } +- modify_file(filename); ++ modify_file(filepath); + if (use_inotify) { + res = tevent_loop_once(ev); + ck_assert_msg(res == 0, "tevent_loop_once() failed."); +diff --git a/src/util/file_watch.c b/src/util/file_watch.c +index b994e41163a4955a2f68f3b12f6f99831d64ed2e..d19fdccd608a378f3351200a62708a02fb61a529 100644 +--- a/src/util/file_watch.c ++++ b/src/util/file_watch.c +@@ -121,7 +121,10 @@ static int watched_file_inotify_cb(const char *filename, + uint32_t flags, + void *pvt) + { ++ static char received[PATH_MAX + 1]; ++ static char expected[PATH_MAX + 1]; + struct file_watch_ctx *fw_ctx; ++ char *res; + + DEBUG(SSSDBG_TRACE_LIBS, + "Received inotify notification for %s\n", filename); +@@ -131,15 +134,32 @@ static int watched_file_inotify_cb(const char *filename, + return EINVAL; + } + +- if (strcmp(fw_ctx->filename, filename) == 0) { +- if (access(fw_ctx->filename, F_OK) == 0) { +- fw_ctx->cb(fw_ctx->filename, fw_ctx->cb_arg); ++ res = realpath(fw_ctx->filename, expected); ++ if (res == NULL) { ++ DEBUG(SSSDBG_TRACE_LIBS, ++ "Normalization failed for expected %s. Skipping the callback.\n", ++ fw_ctx->filename); ++ goto done; ++ } ++ ++ res = realpath(filename, received); ++ if (res == NULL) { ++ DEBUG(SSSDBG_TRACE_LIBS, ++ "Normalization failed for received %s. Skipping the callback.\n", ++ filename); ++ goto done; ++ } ++ ++ if (strcmp(expected, received) == 0) { ++ if (access(received, F_OK) == 0) { ++ fw_ctx->cb(received, fw_ctx->cb_arg); + } else { + DEBUG(SSSDBG_TRACE_LIBS, + "File %s is missing. Skipping the callback.\n", filename); + } + } + ++done: + return EOK; + } + +-- +2.39.2 + diff --git a/sources b/sources index 49e768c..230117e 100644 --- a/sources +++ b/sources 
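Review bot: In watched_file_inotify_cb (src/util/file_watch.c) the user callback is now invoked with `received`, the realpath() output, where it previously received `fw_ctx->filename`, so every consumer now gets the canonical target path instead of the path it registered; the test callback in file_watch-tests.c has to realpath() both strings to cope, and any other fw_watch_file() caller that compares the argument against its own path would stop matching. Unless the resolved path is meant to become the contract, keep the comparison on the normalized names but hand back the registered name, `fw_ctx->cb(fw_ctx->filename, fw_ctx->cb_arg);`, and state whichever choice is made in the fw_watch_file() callback documentation (outside this patch). The two file-scope `static char ... [PATH_MAX + 1]` buffers are shared by every event delivered to this callback; `realpath(path, NULL)` results freed after the comparison, or plain stack buffers, would avoid the shared state. The `access(received, F_OK)` check after a successful realpath() only adds a narrow race-window re-check, which a one-line comment should say so the next reader does not take it for the existence test.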
@@ -1 +1 @@ -SHA512 (sssd-2.8.2.tar.gz) = 10b7a641823aefb43e30bff9e5f309a1f48446ffff421a06f86496db24ba1fbd384733b5690864507ef9b2f04c91e563fe9820536031f83f1bd6e93edfedee55 +SHA512 (sssd-2.9.0.tar.gz) = cf65572cfa6468c4b3edc3a33a48ab6d58979917901662eb8b2d8fc5931494be81da13295246500a3a315b71d0395594c9a565014e5875f3cdde50da096f253d diff --git a/sssd.spec b/sssd.spec index 8c5bdf0..c682e6f 100644 --- a/sssd.spec +++ b/sssd.spec @@ -42,14 +42,15 @@ %global samba_package_version %(rpm -q samba-devel --queryformat %{version}-%{release}) Name: sssd -Version: 2.8.2 -Release: 4%{?dist} +Version: 2.9.0 +Release: 1%{?dist} Summary: System Security Services Daemon License: GPLv3+ URL: https://github.com/SSSD/sssd/ -Source0: https://github.com/SSSD/sssd/releases/download/2.8.2/sssd-2.8.2.tar.gz +Source0: https://github.com/SSSD/sssd/releases/download/2.9.0/sssd-2.9.0.tar.gz ### Patches ### +Patch0001: 0001-FILE-WATCH-Callback-not-executed-on-link-or-relative.patch ### Dependencies ### @@ -98,6 +99,7 @@ BuildRequires: keyutils-libs-devel BuildRequires: krb5-devel BuildRequires: libcmocka-devel >= 1.0.0 BuildRequires: libdhash-devel >= 0.4.2 +BuildRequires: libfido2-devel BuildRequires: libini_config-devel >= 1.1 BuildRequires: libldb-devel >= %{ldb_version} BuildRequires: libnfsidmap-devel @@ -161,6 +163,9 @@ the existing back ends. %package common Summary: Common files for the SSSD License: GPLv3+ +# libsss_simpleifp is removed starting 2.9.0 +Obsoletes: libsss_simpleifp < 2.9.0 +Obsoletes: libsss_simpleifp-debuginfo < 2.9.0 # Requires # due to ABI changes in 1.1.30/1.2.0 Requires: libldb >= %{ldb_version} 
@@ -432,23 +437,6 @@ Provides rules for polkit integration with SSSD. This is required for smartcard support. %endif -%package -n libsss_simpleifp -Summary: The SSSD D-Bus responder helper library -License: GPLv3+ -Requires: sssd-dbus = %{version}-%{release} - -%description -n libsss_simpleifp -Provides library that simplifies D-Bus API for the SSSD InfoPipe responder. - -%package -n libsss_simpleifp-devel -Summary: The SSSD D-Bus responder helper library -License: GPLv3+ -Requires: dbus-devel -Requires: libsss_simpleifp = %{version}-%{release} - -%description -n libsss_simpleifp-devel -Provides library that simplifies D-Bus API for the SSSD InfoPipe responder. - %package winbind-idmap Summary: SSSD's idmap_sss Backend for Winbind License: GPLv3+ and LGPLv3+ @@ -509,6 +497,16 @@ This package provides Kerberos plugins that are required to enable authentication against external identity providers. Additionally a helper program to handle the OAuth 2.0 Device Authorization Grant is provided. +%package passkey +Summary: SSSD helpers and plugins needed for authentication with passkey token +License: GPLv3+ +Requires: sssd-common = %{version}-%{release} +Requires: libfido2 + +%description passkey +This package provides helper processes and Kerberos plugins that are required to +enable authentication with passkey token. + %prep %autosetup -p1 @@ -537,12 +535,14 @@ autoreconf -ivf --with-sssd-user=%{sssd_user} \ --with-syslog=journald \ --with-test-dir=/dev/shm \ + --with-files-provider \ %if %{build_subid} --with-subid \ %endif %if 0%{?fedora} --disable-polkit-rules-path \ %endif + --with-passkey \ %{nil} %make_build all docs runstatedir=%{_rundir} 
@@ -579,6 +579,10 @@ cp $RPM_BUILD_ROOT/%{_datadir}/sssd-kcm/kcm_default_ccache \ cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_idp \ $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_idp +# Enable krb5 passkey plugins by default (when sssd-passkey package is installed) +cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/sssd_enable_passkey \ + $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/sssd_enable_passkey + # krb5 configuration snippet cp $RPM_BUILD_ROOT/%{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir \ $RPM_BUILD_ROOT/%{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir @@ -714,7 +718,6 @@ done %{_libexecdir}/%{servicename}/sssd_check_socket_activated_responders %dir %{_libdir}/%{name} -# The files provider is intentionally packaged in -common %{_libdir}/%{name}/libsss_files.so %{_libdir}/%{name}/libsss_simple.so @@ -841,19 +844,9 @@ done %{_mandir}/man5/sssd-ifp.5* %{_unitdir}/sssd-ifp.service # InfoPipe DBus plumbing -%{_sysconfdir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf +%{_datadir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf %{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service -%files -n libsss_simpleifp -%{_libdir}/libsss_simpleifp.so.* - -%files -n libsss_simpleifp-devel -%doc sss_simpleifp_doc/html -%{_includedir}/sss_sifp.h -%{_includedir}/sss_sifp_dbus.h -%{_libdir}/libsss_simpleifp.so -%{_libdir}/pkgconfig/sss_simpleifp.pc - %files client -f sssd_client.lang %license src/sss_client/COPYING src/sss_client/COPYING.LESSER %{_libdir}/libnss_sss.so.2 
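Review bot: The hunk at `@@ -714,7 +718,6 @@` drops the comment `# The files provider is intentionally packaged in -common` while `%{_libdir}/%{name}/libsss_files.so` stays in the same %files list, so the rationale for not splitting it into its own subpackage is lost just as the build starts passing `--with-files-provider` explicitly (the `@@ -537` hunk), which suggests the provider is no longer built by default upstream. Keep a one-line rationale next to the file entry, e.g. `# The files provider (built via --with-files-provider) is intentionally packaged in -common`.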
@@ -986,6 +979,12 @@ done %{_datadir}/sssd/krb5-snippets/sssd_enable_idp %config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_idp +%files passkey +%attr(755,%{sssd_user},%{sssd_user}) %{_libexecdir}/%{servicename}/passkey_child +%{_libdir}/%{name}/modules/sssd_krb5_passkey_plugin.so +%{_datadir}/sssd/krb5-snippets/sssd_enable_passkey +%config(noreplace) %{_sysconfdir}/krb5.conf.d/sssd_enable_passkey + %if 0%{?rhel} %pre common getent group sssd >/dev/null || groupadd -r sssd @@ -1060,6 +1059,9 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Fri May 5 2023 Pavel Březina - 2.9.0-1 +- Rebase to SSSD 2.9.0 + * Thu Jan 26 2023 Stephen Gallagher - 2.8.2-4 - Rebuild against libunistring 1.1
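Review bot: In the new `%files passkey` section `passkey_child` is installed as `%attr(755,%{sssd_user},%{sssd_user})`, i.e. owned and writable by the service user, so any process running as that user can replace the helper; whether that matters depends on who executes it, which this hunk does not show. If the helper runs only as `%{sssd_user}` a comment saying so next to the entry would settle it, e.g. `# passkey_child is executed as %{sssd_user} only; owner write access is acceptable`; if it is ever started with higher privileges or extra capabilities, `%attr(755,root,root)` is the safer default.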