From dde63ae4196f5b44652097b03c72d8cb23def4fa Mon Sep 17 00:00:00 2001
From: DistroBaker
Date: Sun, 4 Apr 2021 23:36:16 +0000
Subject: [PATCH] Merged update from upstream sources

This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/sssd.git#04d2a458e321f58aade008d44706bfdb38a22e80
---
 ...DAC_OVERRIDE-for-ifp-in-certain-case.patch | 23 +++++++++++++++++++
 sssd.spec | 23 +++++++++++++------
 2 files changed, 39 insertions(+), 7 deletions(-)
 create mode 100644 0001-systemd-configs-add-CAP_DAC_OVERRIDE-for-ifp-in-certain-case.patch
diff --git a/0001-systemd-configs-add-CAP_DAC_OVERRIDE-for-ifp-in-certain-case.patch b/0001-systemd-configs-add-CAP_DAC_OVERRIDE-for-ifp-in-certain-case.patch
new file mode 100644
index 0000000..7178cc9
--- /dev/null
+++ b/0001-systemd-configs-add-CAP_DAC_OVERRIDE-for-ifp-in-certain-case.patch
@@ -0,0 +1,23 @@
+From 2a512fdf57055a2ce4ae02256dfabb5b74d2abd6 Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Mon, 22 Mar 2021 15:18:57 +0100
+Subject: [PATCH] systemd configs: add CAP_DAC_OVERRIDE for ifp in certain case
+
+Commit fd7ce7b3de9647eb6de75c3dd3974b44d860078e missed ifp.
+
+Reviewed-by: Sumit Bose
+---
+ src/sysv/systemd/sssd-ifp.service.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sysv/systemd/sssd-ifp.service.in b/src/sysv/systemd/sssd-ifp.service.in
+index 551c6711cf..9095da3534 100644
+--- a/src/sysv/systemd/sssd-ifp.service.in
++++ b/src/sysv/systemd/sssd-ifp.service.in
+@@ -10,5 +10,5 @@ EnvironmentFile=-@environment_file@
+ Type=dbus
+ BusName=org.freedesktop.sssd.infopipe
+ ExecStart=@ifp_exec_cmd@ ${DEBUG_LOGGER}
+-CapabilityBoundingSet=CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETGID CAP_SETUID
++CapabilityBoundingSet= @additional_caps@ CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETGID CAP_SETUID
+ @ifp_restart@
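Review bot: The `@additional_caps@` placeholder added to `CapabilityBoundingSet=` in sssd-ifp.service.in widens the capability bounding set of the D-Bus-activated ifp responder, but nothing in the unit file or the patch description states when it expands to CAP_DAC_OVERRIDE; the message says only "in certain case" and refers to commit fd7ce7b3de9647eb6de75c3dd3974b44d860078e. CAP_DAC_OVERRIDE bypasses file read, write and execute permission checks, so whoever audits the installed unit needs to see the condition next to the setting. I would add a comment line above it, for example `# @additional_caps@ expands to CAP_DAC_OVERRIDE only when <build condition, not shown in this patch>`, and check the generated unit with `systemctl show -p CapabilityBoundingSet sssd-ifp.service` on a build where the placeholder is expected to be empty. The rest of the unit file lies outside the hunk.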
diff --git a/sssd.spec b/sssd.spec
index 914072f..f0584fc 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -27,7 +27,7 @@
 Name: sssd
 Version: 2.4.2
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://github.com/SSSD/sssd/
@@ -35,6 +35,8 @@ Source0: https://github.com/SSSD/sssd/releases/download/2.4.2/sssd-2.4.2.tar.gz
 ### Patches ###
+Patch0001: 0001-systemd-configs-add-CAP_DAC_OVERRIDE-for-ifp-in-certain-case.patch
+
 ### Dependencies ###
 Requires: sssd-ad = %{version}-%{release}
@@ -100,6 +102,7 @@ BuildRequires: make
 BuildRequires: nss_wrapper
 BuildRequires: openldap-devel
 BuildRequires: openssh
+BuildRequires: openssl
 BuildRequires: openssl-devel
 BuildRequires: p11-kit-devel
 BuildRequires: pam_wrapper
@@ -117,6 +120,7 @@ BuildRequires: softhsm >= 2.1.0
 BuildRequires: systemd-devel
 BuildRequires: systemtap-sdt-devel
 BuildRequires: uid_wrapper
+BuildRequires: po4a
 %description
 Provides a set of daemons to manage access to remote directories and
@@ -950,18 +954,20 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
 %postun common
 %systemd_postun_with_restart sssd-autofs.socket
-%systemd_postun_with_restart sssd-autofs.service
 %systemd_postun_with_restart sssd-nss.socket
-%systemd_postun_with_restart sssd-nss.service
 %systemd_postun_with_restart sssd-pac.socket
-%systemd_postun_with_restart sssd-pac.service
 %systemd_postun_with_restart sssd-pam.socket
 %systemd_postun_with_restart sssd-pam-priv.socket
-%systemd_postun_with_restart sssd-pam.service
 %systemd_postun_with_restart sssd-ssh.socket
-%systemd_postun_with_restart sssd-ssh.service
 %systemd_postun_with_restart sssd-sudo.socket
-%systemd_postun_with_restart sssd-sudo.service
+
+# Services have RefuseManualStart=true, therefore we can't request restart.
+%systemd_postun sssd-autofs.service
+%systemd_postun sssd-nss.service
+%systemd_postun sssd-pac.service
+%systemd_postun sssd-pam.service
+%systemd_postun sssd-ssh.service
+%systemd_postun sssd-sudo.service
 %post dbus
 %systemd_post sssd-ifp.service
@@ -1009,6 +1015,9 @@ fi
 %systemd_postun_with_restart sssd.service
 %changelog
+* Wed Mar 31 2021 Pavel Březina - 2.4.2-3
+- Add CAP_DAC_OVERRIDE to ifp service file if required by build configuration
+
 * Fri Feb 19 2021 Pavel Březina - 2.4.2-2
 - Remove setuid from child binaries and relax requirement on python3-sssdconfig
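Review bot: The new comment in `%postun common` says why the six responder services move from `%systemd_postun_with_restart` to `%systemd_postun`, but not what restarts them after an upgrade, so a reader cannot tell whether already-running sssd-nss, sssd-pam, sssd-ssh or sssd-sudo responders keep executing the old binaries once a security update is installed. Presumably the `%systemd_postun_with_restart sssd.service` line visible as context in the following hunk covers them, but that depends on unit relationships this diff does not show. I would extend the comment with the mechanism once confirmed, e.g. `# Responders are restarted via <sssd.service or their socket units; confirm>, not from this scriptlet.` The 2.4.2-3 changelog entry also records only the CAP_DAC_OVERRIDE patch and omits this scriptlet change and the new `openssl` and `po4a` build requirements.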