diff --git a/0001-BUILD-configure-logrotate-to-work-with-non-root-grou.patch b/0001-BUILD-configure-logrotate-to-work-with-non-root-grou.patch new file mode 100644 index 0000000..a401bc9 --- /dev/null +++ b/0001-BUILD-configure-logrotate-to-work-with-non-root-grou.patch 
@@ -0,0 +1,68 @@ +From e4ae4d6129e85fe99bbb82438ed90352400ecdf3 Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Fri, 26 Jul 2024 15:55:01 +0200 +Subject: [PATCH] BUILD: configure logrotate to work with non-root-group + writable folder +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Otherwise logrotate complains: +``` +error: skipping "/var/log/sssd/sssd_kcm.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation. +``` + +See https://bugzilla.redhat.com/show_bug.cgi?id=2299733 for details + +Reviewed-by: Jakub Vávra +Reviewed-by: Justin Stephenson +Reviewed-by: Pavel Březina +--- + Makefile.am | 1 + + configure.ac | 1 + + src/examples/{logrotate => logrotate.in} | 1 + + 3 files changed, 3 insertions(+) + rename src/examples/{logrotate => logrotate.in} (90%) + +diff --git a/Makefile.am b/Makefile.am +index f4cadee6f..82e0c5882 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -5706,6 +5706,7 @@ endif + rm -f $(builddir)/src/sysv/systemd/sssd-kcm.socket + rm -f $(builddir)/src/sysv/systemd/sssd-kcm.service + rm -f $(builddir)/src/tools/wrappers/sss_debuglevel ++ rm -Rf $(builddir)/src/examples + rm -Rf $(builddir)/contrib + + CLEANFILES += *.X */*.X */*/*.X +diff --git a/configure.ac b/configure.ac +index 105d77a4d..380c16ba8 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -563,6 +563,7 @@ AC_DEFINE_UNQUOTED([ABS_SRC_DIR], ["$my_srcdir"], [Absolute path to the source d + AC_CONFIG_FILES([Makefile contrib/sssd.spec src/examples/rwtab src/doxy.config + contrib/sssd-pcsc.rules contrib/90-sssd-token-access.rules + contrib/sssd-tmpfiles.conf ++ src/examples/logrotate + src/sysv/sssd src/sysv/gentoo/sssd src/sysv/gentoo/sssd-kcm + po/Makefile.in src/man/Makefile src/tests/cwrap/Makefile + src/tests/intg/Makefile src/tests/test_CA/Makefile +diff --git 
a/src/examples/logrotate b/src/examples/logrotate.in +similarity index 90% +rename from src/examples/logrotate +rename to src/examples/logrotate.in +index 6e769451c..0421946a2 100644 +--- a/src/examples/logrotate ++++ b/src/examples/logrotate.in +@@ -6,6 +6,7 @@ + rotate 2 + compress + delaycompress ++ su @SSSD_USER@ @SSSD_USER@ + postrotate + /bin/kill -HUP `cat /var/run/sssd.pid 2>/dev/null` 2> /dev/null || true + /bin/pkill -HUP sssd_kcm 2> /dev/null || true +-- +2.45.2 + diff --git a/0002-TS_CACHE-never-try-to-upgrade-timestamps-cache.patch b/0002-TS_CACHE-never-try-to-upgrade-timestamps-cache.patch new file mode 100644 index 0000000..6910e76 --- /dev/null +++ b/0002-TS_CACHE-never-try-to-upgrade-timestamps-cache.patch 
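Review bot: The new `su @SSSD_USER@ @SSSD_USER@` line in logrotate.in passes the configured user name as the group argument too, so it only works when a group named exactly like the sssd user exists; a build with `--with-sssd-user` pointing at an account whose primary group has a different name would most likely make logrotate reject the directive and skip rotation, much like the quoted error. If configure has (or can gain) a separate group substitution, prefer `su @SSSD_USER@ @SSSD_GROUP@`; otherwise document the assumption next to the directive, e.g. `# su needs a group named like the sssd user (see configure --with-sssd-user)`. Separately, the added `rm -Rf $(builddir)/src/examples` in Makefile.am removes the whole directory, which for an in-tree build (builddir equal to srcdir) would delete logrotate.in and rwtab.in themselves; the pre-existing `rm -Rf $(builddir)/contrib` suggests this target is only reached for out-of-tree builds, but that guard is not visible here and is worth confirming.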
@@ -0,0 +1,207 @@ +From fc2a26c306e51b66680aef85aa0d2c41d8049a7f Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Tue, 16 Jul 2024 13:08:02 +0200 +Subject: [PATCH 2/3] TS_CACHE: never try to upgrade timestamps cache +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +It's easier and more consistent to recreate it instead. + +This is a natural extension of 3b67fc6488ac10ca13561d9032f59951f82203e6 + +Reviewed-by: Alejandro López +Reviewed-by: Sumit Bose +Reviewed-by: Tomáš Halman +--- + src/db/sysdb_init.c | 103 +---------------------------------------- + src/db/sysdb_upgrade.c | 45 ------------------ + 2 files changed, 1 insertion(+), 147 deletions(-) + +diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c +index 85db5f9e1..ecf16fd11 100644 +--- a/src/db/sysdb_init.c ++++ b/src/db/sysdb_init.c +@@ -348,57 +348,6 @@ static errno_t sysdb_cache_create_empty(struct ldb_context *ldb, + return EOK; + } + +-static errno_t sysdb_ts_cache_upgrade(TALLOC_CTX *mem_ctx, +- struct sysdb_ctx *sysdb, +- struct ldb_context *ldb, +- struct sss_domain_info *domain, +- const char *cur_version, +- const char **_new_version) +-{ +- errno_t ret; +- TALLOC_CTX *tmp_ctx; +- const char *version; +- struct ldb_context *save_ldb; +- +- tmp_ctx = talloc_new(NULL); +- if (tmp_ctx == NULL) { +- return ENOMEM; +- } +- +- /* The upgrade process depends on having ldb around, yet the upgrade +- * function shouldn't set the ldb pointer, only the connect function +- * should after it's successful. 
To avoid hard refactoring, save the +- * ldb pointer here and restore in the 'done' handler +- */ +- save_ldb = sysdb->ldb; +- sysdb->ldb = ldb; +- +- version = talloc_strdup(tmp_ctx, cur_version); +- if (version == NULL) { +- ret = ENOMEM; +- goto done; +- } +- +- DEBUG(SSSDBG_CONF_SETTINGS, +- "Upgrading timstamp cache of DB [%s] from version: %s\n", +- domain->name, version); +- +- if (strcmp(version, SYSDB_TS_VERSION_0_1) == 0) { +- ret = sysdb_ts_upgrade_01(sysdb, &version); +- if (ret != EOK) { +- goto done; +- } +- } +- +- ret = EOK; +- +-done: +- sysdb->ldb = save_ldb; +- *_new_version = version; +- talloc_free(tmp_ctx); +- return ret; +-} +- + static errno_t sysdb_domain_cache_upgrade(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *sysdb, + struct sysdb_dom_upgrade_ctx *upgrade_ctx, +@@ -856,56 +805,6 @@ static int sysdb_timestamp_cache_connect(struct sysdb_ctx *sysdb, + } + + ret = sysdb_ts_cache_connect(tmp_ctx, sysdb, domain, &ldb, &version); +- switch (ret) { +- case ERR_SYSDB_VERSION_TOO_OLD: +- if (upgrade_ctx == NULL) { +- DEBUG(SSSDBG_FATAL_FAILURE, +- "DB version too old [%s], expected [%s] for domain %s!\n", +- version, SYSDB_VERSION, domain->name); +- break; +- } +- +- ret = sysdb_ts_cache_upgrade(tmp_ctx, sysdb, ldb, domain, version, +- &version); +- if (ret != EOK) { +- DEBUG(SSSDBG_MINOR_FAILURE, +- "Could not upgrade the timestamp ldb file (%d) (%s)\n", +- ret, sss_strerror(ret)); +- break; +- } +- +- /* The version should now match SYSDB_VERSION. +- * If not, it means we didn't match any of the +- * known older versions. The DB might be +- * corrupt or generated by a newer version of +- * SSSD. +- */ +- ret = sysdb_version_check(SYSDB_TS_VERSION, version); +- if (ret == EOK) { +- /* The cache has been upgraded. +- * We need to reopen the LDB to ensure that +- * any changes made above take effect. 
+- */ +- ret = sysdb_ldb_reconnect(tmp_ctx, +- sysdb->ldb_ts_file, +- LDB_FLG_NOSYNC, +- &ldb); +- if (ret != EOK) { +- DEBUG(SSSDBG_MINOR_FAILURE, +- "Could not reopen the timestamp ldb file (%d) (%s)\n", +- ret, sss_strerror(ret)); +- } +- } +- break; +- case ERR_SYSDB_VERSION_TOO_NEW: +- DEBUG(SSSDBG_MINOR_FAILURE, +- "DB version too new [%s], expected [%s] for domain %s!\n", +- version, SYSDB_TS_VERSION, domain->name); +- break; +- default: +- break; +- } +- + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "The timestamps cache could not be opened. " +@@ -925,7 +824,7 @@ static int sysdb_timestamp_cache_connect(struct sysdb_ctx *sysdb, + ret = sysdb_ts_cache_connect(tmp_ctx, sysdb, domain, &ldb, &version); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, +- "Could not delete the timestamp ldb file (%d) (%s)\n", ++ "sysdb_ts_cache_connect() failed after cache deletion [%d]: %s\n", + ret, sss_strerror(ret)); + } + } +diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c +index 8fb17c6bb..05142d972 100644 +--- a/src/db/sysdb_upgrade.c ++++ b/src/db/sysdb_upgrade.c +@@ -2820,51 +2820,6 @@ done: + return ret; + } + +-int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver) +-{ +- struct upgrade_ctx *ctx; +- errno_t ret; +- struct ldb_message *msg = NULL; +- +- ret = commence_upgrade(sysdb, sysdb->ldb, SYSDB_TS_VERSION_0_2, &ctx); +- if (ret) { +- return ret; +- } +- +- /* Remove @IDXONE from index */ +- talloc_free(msg); +- msg = ldb_msg_new(ctx); +- if (msg == NULL) { +- ret = ENOMEM; +- goto done; +- } +- +- msg->dn = ldb_dn_new(msg, sysdb->ldb, "@INDEXLIST"); +- if (msg->dn == NULL) { +- ret = ENOMEM; +- goto done; +- } +- +- ret = ldb_msg_add_empty(msg, "@IDXONE", LDB_FLAG_MOD_DELETE, NULL); +- if (ret != LDB_SUCCESS) { +- ret = ENOMEM; +- goto done; +- } +- +- ret = ldb_modify(sysdb->ldb, msg); +- if (ret != LDB_SUCCESS) { +- ret = sysdb_error_to_errno(ret); +- goto done; +- } +- +- /* conversion done, update version number */ +- ret = 
update_version(ctx); +- +-done: +- ret = finish_upgrade(ret, &ctx, ver); +- return ret; +-} +- + /* + * Example template for future upgrades. + * Copy and change version numbers as appropriate. +-- +2.45.2 + diff --git a/0003-SYSDB-remove-index-on-dataExpireTimestamp.patch b/0003-SYSDB-remove-index-on-dataExpireTimestamp.patch new file mode 100644 index 0000000..2cd2730 --- /dev/null +++ b/0003-SYSDB-remove-index-on-dataExpireTimestamp.patch 
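Review bot: Removing the definition of `sysdb_ts_upgrade_01()` from sysdb_upgrade.c leaves its prototype behind in sysdb_private.h (the following 0003 patch still shows `int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver);` as context), and `SYSDB_TS_VERSION_0_1` becomes unreferenced as well; drop the declaration, and the macro if nothing else uses it, so the header does not advertise a function that no longer exists. With the `switch` gone, a too-old or too-new timestamp cache now falls straight into the generic "could not be opened" branch of sysdb_timestamp_cache_connect() and the version-specific messages the removed cases printed are lost, which makes the subsequent delete-and-recreate harder to diagnose from logs. If `version` is populated on that path, as the removed code assumed, a single line before the deletion such as `DEBUG(SSSDBG_MINOR_FAILURE, "Timestamp cache version [%s] does not match [%s], recreating\n", version, SYSDB_TS_VERSION);` would preserve that information. The nested hunks cut through sysdb_timestamp_cache_connect(), so the deletion code itself is outside what is shown.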
@@ -0,0 +1,146 @@ +From f0d45464cee1d2a6a2719dbffe5bbf6189d0554a Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Fri, 21 Jun 2024 19:09:29 +0200 +Subject: [PATCH 3/3] SYSDB: remove index on `dataExpireTimestamp` +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This index was only used in cleanup tasks that don't run often. +On the other hand, this index is huge and degrades performance of libldb +in general. + +Reviewed-by: Alejandro López +Reviewed-by: Sumit Bose +Reviewed-by: Tomáš Halman +--- + src/db/sysdb_init.c | 8 ++++++++ + src/db/sysdb_private.h | 9 +++++---- + src/db/sysdb_upgrade.c | 27 +++++++++++++++++++++++++++ + 3 files changed, 40 insertions(+), 4 deletions(-) + +diff --git a/src/db/sysdb_init.c b/src/db/sysdb_init.c +index ecf16fd11..507a97f63 100644 +--- a/src/db/sysdb_init.c ++++ b/src/db/sysdb_init.c +@@ -531,6 +531,13 @@ static errno_t sysdb_domain_cache_upgrade(TALLOC_CTX *mem_ctx, + } + } + ++ if (strcmp(version, SYSDB_VERSION_0_24) == 0) { ++ ret = sysdb_upgrade_24(sysdb, &version); ++ if (ret != EOK) { ++ goto done; ++ } ++ } ++ + ret = EOK; + done: + sysdb->ldb = save_ldb; +@@ -737,6 +744,7 @@ static int sysdb_domain_cache_connect(struct sysdb_ctx *sysdb, + ret = sysdb_domain_cache_upgrade(tmp_ctx, sysdb, upgrade_ctx, + ldb, domain, version, &version); + if (ret != EOK) { ++ DEBUG(SSSDBG_TRACE_FUNC, "sysdb_domain_cache_upgrade() failed\n"); + goto done; + } + +diff --git a/src/db/sysdb_private.h b/src/db/sysdb_private.h +index 2d7d6f62d..32d3f1c7e 100644 +--- a/src/db/sysdb_private.h ++++ b/src/db/sysdb_private.h +@@ -23,6 +23,7 @@ + #ifndef __INT_SYS_DB_H__ + #define __INT_SYS_DB_H__ + ++#define SYSDB_VERSION_0_25 "0.25" + #define SYSDB_VERSION_0_24 "0.24" + #define SYSDB_VERSION_0_23 "0.23" + #define SYSDB_VERSION_0_22 "0.22" +@@ -48,7 +49,7 @@ + #define SYSDB_VERSION_0_2 "0.2" + #define SYSDB_VERSION_0_1 "0.1" + +-#define SYSDB_VERSION SYSDB_VERSION_0_24 ++#define SYSDB_VERSION 
SYSDB_VERSION_0_25 + + #define SYSDB_BASE_LDIF \ + "dn: @ATTRIBUTES\n" \ +@@ -73,7 +74,6 @@ + "@IDXATTR: uidNumber\n" \ + "@IDXATTR: gidNumber\n" \ + "@IDXATTR: lastUpdate\n" \ +- "@IDXATTR: dataExpireTimestamp\n" \ + "@IDXATTR: originalDN\n" \ + "@IDXATTR: nameAlias\n" \ + "@IDXATTR: servicePort\n" \ +@@ -106,10 +106,11 @@ + "\n" + + /* The timestamp cache has its own versioning */ ++#define SYSDB_TS_VERSION_0_3 "0.3" + #define SYSDB_TS_VERSION_0_2 "0.2" + #define SYSDB_TS_VERSION_0_1 "0.1" + +-#define SYSDB_TS_VERSION SYSDB_TS_VERSION_0_2 ++#define SYSDB_TS_VERSION SYSDB_TS_VERSION_0_3 + + #define SYSDB_TS_BASE_LDIF \ + "dn: @ATTRIBUTES\n" \ +@@ -117,7 +118,6 @@ + "\n" \ + "dn: @INDEXLIST\n" \ + "@IDXATTR: lastUpdate\n" \ +- "@IDXATTR: dataExpireTimestamp\n" \ + "\n" \ + "dn: cn=sysdb\n" \ + "cn: sysdb\n" \ +@@ -196,6 +196,7 @@ int sysdb_upgrade_20(struct sysdb_ctx *sysdb, const char **ver); + int sysdb_upgrade_21(struct sysdb_ctx *sysdb, const char **ver); + int sysdb_upgrade_22(struct sysdb_ctx *sysdb, const char **ver); + int sysdb_upgrade_23(struct sysdb_ctx *sysdb, const char **ver); ++int sysdb_upgrade_24(struct sysdb_ctx *sysdb, const char **ver); + + int sysdb_ts_upgrade_01(struct sysdb_ctx *sysdb, const char **ver); + +diff --git a/src/db/sysdb_upgrade.c b/src/db/sysdb_upgrade.c +index 05142d972..c0c8e13ee 100644 +--- a/src/db/sysdb_upgrade.c ++++ b/src/db/sysdb_upgrade.c +@@ -2820,6 +2820,33 @@ done: + return ret; + } + ++int sysdb_upgrade_24(struct sysdb_ctx *sysdb, const char **ver) ++{ ++ struct upgrade_ctx *ctx; ++ errno_t ret; ++ ++ ret = commence_upgrade(sysdb, sysdb->ldb, SYSDB_VERSION_0_25, &ctx); ++ if (ret) { ++ return ret; ++ } ++ ++ ret = sysdb_ldb_mod_index(sysdb, SYSDB_IDX_DELETE, sysdb->ldb, "dataExpireTimestamp"); ++ if (ret == ENOENT) { /*nothing to delete */ ++ ret = EOK; ++ } ++ if (ret != EOK) { ++ DEBUG(SSSDBG_TRACE_FUNC, "sysdb_ldb_mod_index() failed [%d]: %s\n", ++ ret, sss_strerror(ret)); ++ goto done; ++ } ++ ++ ret = 
update_version(ctx); ++ ++done: ++ ret = finish_upgrade(ret, &ctx, ver); ++ return ret; ++} ++ + /* + * Example template for future upgrades. + * Copy and change version numbers as appropriate. +-- +2.45.2 + diff --git a/0004-SPEC-merge-sssd-polkit-rules-into-sssd-common.patch b/0004-SPEC-merge-sssd-polkit-rules-into-sssd-common.patch new file mode 100644 index 0000000..c17c30b --- /dev/null +++ b/0004-SPEC-merge-sssd-polkit-rules-into-sssd-common.patch 
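Review bot: Both new failure messages are logged at `SSSDBG_TRACE_FUNC` — `sysdb_ldb_mod_index() failed` in sysdb_upgrade_24() and `sysdb_domain_cache_upgrade() failed` in sysdb_domain_cache_connect() — so a failed schema upgrade is invisible at default debug levels, while the surrounding code in sysdb_init.c reports comparable failures with `SSSDBG_MINOR_FAILURE` or `SSSDBG_FATAL_FAILURE`. Use a failure level for both, e.g. `DEBUG(SSSDBG_OP_FAILURE, "sysdb_ldb_mod_index() failed [%d]: %s\n", ret, sss_strerror(ret));`. The timestamp cache version also moves from 0.2 to 0.3 without any `sysdb_ts_upgrade_02()`; that appears intentional given the preceding patch recreates a mismatching timestamp cache, but a comment above `#define SYSDB_TS_VERSION SYSDB_TS_VERSION_0_3` such as `/* No upgrade path: a timestamp cache with another version is deleted and recreated. */` would spare the next reader from hunting for the missing upgrade function.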
@@ -0,0 +1,70 @@ +From a7d0bbeb5a8a41e80fec91d7d38b5dcb35eebe8f Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Tue, 23 Jul 2024 18:07:09 +0200 +Subject: [PATCH] SPEC: merge 'sssd-polkit-rules' into 'sssd-common' +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +'p11_child' runs under non-privileged user and thus requires +polkit-rules by default. + +Reviewed-by: Scott Poore +Reviewed-by: Sumit Bose +Reviewed-by: Tomáš Halman +--- + contrib/sssd.spec.in | 20 ++++---------------- + 1 file changed, 4 insertions(+), 16 deletions(-) + +diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in +index c65be0d27..4edabce56 100644 +--- a/contrib/sssd.spec.in ++++ b/contrib/sssd.spec.in +@@ -210,6 +210,9 @@ License: GPL-3.0-or-later + Obsoletes: libsss_simpleifp < 2.9.0 + Obsoletes: libsss_simpleifp-debuginfo < 2.9.0 + %endif ++%if %{use_sssd_user} ++Obsoletes: sssd-polkit-rules < 2.10.0 ++%endif + # Requires + # due to ABI changes in 1.1.30/1.2.0 + Requires: libldb >= %{ldb_version} +@@ -470,19 +473,6 @@ Requires: sssd-common = %{version}-%{release} + Provides the D-Bus responder of the SSSD, called the InfoPipe, that allows + the information from the SSSD to be transmitted over the system bus. + +-%if %{use_sssd_user} +-%package polkit-rules +-Summary: Rules for polkit integration for SSSD +-Group: Applications/System +-License: GPL-3.0-or-later +-Requires: polkit >= 0.106 +-Requires: sssd-common = %{version}-%{release} +- +-%description polkit-rules +-Provides rules for polkit integration with SSSD. This is required +-for smartcard support. 
+-%endif +- + %if 0%{?rhel} == 9 + %package -n libsss_simpleifp + Summary: The SSSD D-Bus responder helper library +@@ -885,13 +875,11 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf + %if %{use_sysusers} + %{_sysusersdir}/sssd.conf + %endif +- +- + %if %{use_sssd_user} +-%files polkit-rules + %{_datadir}/polkit-1/rules.d/* + %endif + ++ + %files ldap -f sssd_ldap.lang + %license COPYING + %{_libdir}/%{name}/libsss_ldap.so +-- +2.45.2 + diff --git a/sssd.spec b/sssd.spec index c76dace..307d179 100644 --- a/sssd.spec +++ b/sssd.spec @@ -61,7 +61,7 @@ Name: sssd Version: 2.10.0~beta2 # Using '.el10' directly is a work around RHEL-38900 -Release: 1%{?dist} +Release: 2%{?dist} Summary: System Security Services Daemon License: GPL-3.0-or-later URL: https://github.com/SSSD/sssd/ @@ -69,6 +69,10 @@ Source0: https://github.com/SSSD/sssd/releases/download/2.10.0-beta2/sssd-2.10.0 Source1: sssd.sysusers ### Patches ### +Patch0001: 0001-BUILD-configure-logrotate-to-work-with-non-root-grou.patch +Patch0002: 0002-TS_CACHE-never-try-to-upgrade-timestamps-cache.patch +Patch0003: 0003-SYSDB-remove-index-on-dataExpireTimestamp.patch +Patch0004: 0004-SPEC-merge-sssd-polkit-rules-into-sssd-common.patch ### Dependencies ### 
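Review bot: sssd-common now ships `%{_datadir}/polkit-1/rules.d/*` without the `Requires: polkit >= 0.106` that the deleted polkit-rules subpackage carried, so the rules are installed into a directory owned by the polkit package with no dependency on it — an unowned directory when polkit is absent, and no guarantee that the installed polkit understands the JavaScript rules format. Carry the dependency over under the same `%if %{use_sssd_user}` guard, e.g. `Requires: polkit >= 0.106`, or at least `Recommends: polkit >= 0.106` if pulling polkit in unconditionally is not wanted. The added `Obsoletes: sssd-polkit-rules < 2.10.0` should also be paired with `Provides: sssd-polkit-rules = %{version}-%{release}` so that existing installs and kickstarts referencing the old subpackage name keep resolving after the merge.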
@@ -1135,11 +1139,16 @@ fi %systemd_postun_with_restart sssd.service %changelog -* Wed Jun 26 2024 Alexey Tikhonov - 2.10.0~beta1-2 +* Fri Aug 2 2024 Alexey Tikhonov - 2.10.0~beta2-2 +- Resolves: RHEL-51891 - [RHEL-10]logrotate.service fails to start because /var/log/sssd has insecure permission +- Resolves: RHEL-52400 - SYSDB: remove index on dataExpireTimestamp [rhel-10] +- Resolves: RHEL-50243 - Please install sssd-polkit-rules by default + +* Wed Jun 26 2024 Alexey Tikhonov - 2.10.0~beta2-1 - Resolves: RHEL-40253 - Rebase SSSD for RHEL 10-beta - Resolves: RHEL-43259 - sudo does not work any more with krb ticket -* Mon Jun 24 2024 Troy Dawson - 2.10.0~beta1-2.el10 +* Mon Jun 24 2024 Troy Dawson - 2.10.0~beta1-2 - Bump release for June 2024 mass rebuild * Thu Jun 6 2024 Alexey Tikhonov - 2.10.0~beta1-1