diff --git a/0001-systemd-configs-add-CAP_DAC_OVERRIDE-for-ifp-in-certain-case.patch b/0001-systemd-configs-add-CAP_DAC_OVERRIDE-for-ifp-in-certain-case.patch
new file mode 100644
index 0000000..7178cc9
--- /dev/null
+++ b/0001-systemd-configs-add-CAP_DAC_OVERRIDE-for-ifp-in-certain-case.patch
@@ -0,0 +1,23 @@
+From 2a512fdf57055a2ce4ae02256dfabb5b74d2abd6 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Mon, 22 Mar 2021 15:18:57 +0100
+Subject: [PATCH] systemd configs: add CAP_DAC_OVERRIDE for ifp in certain case
+
+Commit fd7ce7b3de9647eb6de75c3dd3974b44d860078e missed ifp.
+
+Reviewed-by: Sumit Bose
+---
+ src/sysv/systemd/sssd-ifp.service.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sysv/systemd/sssd-ifp.service.in b/src/sysv/systemd/sssd-ifp.service.in
+index 551c6711cf..9095da3534 100644
+--- a/src/sysv/systemd/sssd-ifp.service.in
++++ b/src/sysv/systemd/sssd-ifp.service.in
+@@ -10,5 +10,5 @@ EnvironmentFile=-@environment_file@
+ Type=dbus
+ BusName=org.freedesktop.sssd.infopipe
+ ExecStart=@ifp_exec_cmd@ ${DEBUG_LOGGER}
+-CapabilityBoundingSet=CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETGID CAP_SETUID
++CapabilityBoundingSet= @additional_caps@ CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETGID CAP_SETUID
+ @ifp_restart@
diff --git a/sssd.spec b/sssd.spec
index 914072f..f0584fc 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -27,7 +27,7 @@ Name: sssd Version: 2.4.2 -Release: 2%{?dist} +Release: 3%{?dist} Summary: System Security Services Daemon License: GPLv3+ URL: https://github.com/SSSD/sssd/
@@ -35,6 +35,8 @@ Source0: https://github.com/SSSD/sssd/releases/download/2.4.2/sssd-2.4.2.tar.gz ### Patches ### +Patch0001: 0001-systemd-configs-add-CAP_DAC_OVERRIDE-for-ifp-in-certain-case.patch + ### Dependencies ### Requires: sssd-ad = %{version}-%{release}
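Review bot: The new `CapabilityBoundingSet=` line in sssd-ifp.service.in takes its extra capability from the `@additional_caps@` placeholder, and neither the template nor the patch description says which build configuration fills it in; "in certain case" is all a reader gets. CAP_DAC_OVERRIDE lets the process bypass file read, write and execute permission checks, so for the D-Bus-facing InfoPipe responder the widening should be traceable from the unit file itself. I would add a comment line above the directive, for example `# @additional_caps@ is filled in at configure time; it adds CAP_DAC_OVERRIDE only when <build condition>`, and have the packaging check that the installed unit contains no unexpanded `@...@` token. Presumably an empty substitution leaves the other six capabilities in place, but that is worth confirming on a built package, for instance by reading the `CapabilityBoundingSet` property with `systemctl show sssd-ifp.service`.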
@@ -100,6 +102,7 @@ BuildRequires: make BuildRequires: nss_wrapper BuildRequires: openldap-devel BuildRequires: openssh +BuildRequires: openssl BuildRequires: openssl-devel BuildRequires: p11-kit-devel BuildRequires: pam_wrapper
@@ -117,6 +120,7 @@ BuildRequires: softhsm >= 2.1.0 BuildRequires: systemd-devel BuildRequires: systemtap-sdt-devel BuildRequires: uid_wrapper +BuildRequires: po4a %description Provides a set of daemons to manage access to remote directories and
@@ -950,18 +954,20 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us %postun common %systemd_postun_with_restart sssd-autofs.socket -%systemd_postun_with_restart sssd-autofs.service %systemd_postun_with_restart sssd-nss.socket -%systemd_postun_with_restart sssd-nss.service %systemd_postun_with_restart sssd-pac.socket -%systemd_postun_with_restart sssd-pac.service %systemd_postun_with_restart sssd-pam.socket %systemd_postun_with_restart sssd-pam-priv.socket -%systemd_postun_with_restart sssd-pam.service %systemd_postun_with_restart sssd-ssh.socket -%systemd_postun_with_restart sssd-ssh.service %systemd_postun_with_restart sssd-sudo.socket -%systemd_postun_with_restart sssd-sudo.service + +# Services have RefuseManualStart=true, therefore we can't request restart. +%systemd_postun sssd-autofs.service +%systemd_postun sssd-nss.service +%systemd_postun sssd-pac.service +%systemd_postun sssd-pam.service +%systemd_postun sssd-ssh.service +%systemd_postun sssd-sudo.service %post dbus %systemd_post sssd-ifp.service
@@ -1009,6 +1015,9 @@ fi %systemd_postun_with_restart sssd.service %changelog +* Wed Mar 31 2021 Pavel Březina - 2.4.2-3 +- Add CAP_DAC_OVERRIDE to ifp service file if required by build configuration + * Fri Feb 19 2021 Pavel Březina - 2.4.2-2 - Remove setuid from child binaries and relax requirement on python3-sssdconfig
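Review bot: The comment added in the `%postun common` hunk explains why a restart cannot be requested for the six responder services, but not how an already-running responder picks up the upgraded binary once `%systemd_postun_with_restart` is replaced by `%systemd_postun`. If nothing else restarts them, socket-activated nss, pam, ssh or sudo responders could keep running pre-update code after a security fix is installed; whether the restart of `sssd.service` or of the sockets covers this is not visible from this hunk. I would extend the comment, e.g. `# Services have RefuseManualStart=true, so no restart is requested here; running responders are replaced when <unit that restarts them> restarts.`, and mention the scriptlet change in the 2.4.2-3 changelog entry, which currently lists only the capability change.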