sssd: update to 2.7.1

drop CVE-2021-3621.patch refresh a few patches fixup configure-unsafe globally via sed in build.m4 === test RESULTS - sssd.SSSDTest.test_sssd_help: PASSED (1.70s) RESULTS - sssd.SSSDTest.test_sssd_sssctl_conf_perms_chk: PASSED (2.71s) RESULTS - sssd.SSSDTest.test_sssd_sssctl_deamon: PASSED (2.07s) Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Armin Kuster <akuster808@gmail.com> 2022-06-11 07:06:24 -0700
committer: Armin Kuster <akuster808@gmail.com> 2022-06-18 06:48:22 -0700
commit: caadc8672b7f7eff6d4cfcbdca116aa76697816e (patch)
tree: 0b6d87195cc594ffb3d7ee2603911e3c8c53d464 /dynamic-layers/networking-layer
parent: 4bb7e5b84af559a4142a7f197ee2057e70216a6d (diff)
download: meta-security-caadc8672b7f7eff6d4cfcbdca116aa76697816e.tar.gz
4 files changed, 24 insertions, 307 deletions
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2021-3621.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2021-3621.patch
deleted file mode 100644
index 7a59df9..0000000
--- a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2021-3621.patch
+++ /dev/null
@@ -1,288 +0,0 @@
-Backport patch to fix CVE-2021-3621.
-Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/7ab83f9]
-CVE: CVE-2021-3621
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-From 7ab83f97e1cbefb78ece17232185bdd2985f0bbe Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Fri, 18 Jun 2021 13:17:19 +0200
-Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of
- user supplied command
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-:relnote: A flaw was found in SSSD, where the sssctl command was
-vulnerable to shell command injection via the logs-fetch and
-cache-expire subcommands. This flaw allows an attacker to trick
-the root user into running a specially crafted sssctl command,
-such as via sudo, to gain root access. The highest threat from this
-vulnerability is to confidentiality, integrity, as well as system
-availability.
-This patch fixes a flaw by replacing system() with execvp().
-:fixes: CVE-2021-3621
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
- src/tools/sssctl/sssctl.c      | 39 ++++++++++++++++-------
- src/tools/sssctl/sssctl.h      |  2 +-
- src/tools/sssctl/sssctl_data.c | 57 +++++++++++-----------------------
- src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++----
- 4 files changed, 73 insertions(+), 57 deletions(-)
-diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
-index 2997dbf968..8adaf30910 100644
--- a/src/tools/sssctl/sssctl.c
-+++ b/src/tools/sssctl/sssctl.c
-@@ -97,22 +97,36 @@ sssctl_prompt(const char *message,
-     return SSSCTL_PROMPT_ERROR;
- }
- 
-errno_t sssctl_run_command(const char *command)
-+errno_t sssctl_run_command(const char *const argv[])
- {
-     int ret;
-+    int wstatus;
- 
-    DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command);
-+    DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]);
- 
-    ret = system(command);
-+    ret = fork();
-     if (ret == -1) {
-        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command);
-         ERROR("Error while executing external command\n");
-         return EFAULT;
-    } else if (WEXITSTATUS(ret) != 0) {
-        DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n",
-              command, WEXITSTATUS(ret));
-+    }
-+
-+    if (ret == 0) {
-+        /* cast is safe - see
-+        https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
-+        "The statement about argv[] and envp[] being constants ... "
-+        */
-+        execvp(argv[0], discard_const_p(char * const, argv));
-         ERROR("Error while executing external command\n");
-        return EIO;
-+        _exit(1);
-+    } else {
-+        if (waitpid(ret, &wstatus, 0) == -1) {
-+            ERROR("Error while executing external command '%s'\n", argv[0]);
-+            return EFAULT;
-+        } else if (WEXITSTATUS(wstatus) != 0) {
-+            ERROR("Command '%s' failed with [%d]\n",
-+                  argv[0], WEXITSTATUS(wstatus));
-+            return EIO;
-+        }
-     }
- 
-     return EOK;
-@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action)
- #elif defined(HAVE_SERVICE)
-     switch (action) {
-     case SSSCTL_SVC_START:
-        return sssctl_run_command(SERVICE_PATH" sssd start");
-+        return sssctl_run_command(
-+                      (const char *[]){SERVICE_PATH, "sssd", "start", NULL});
-     case SSSCTL_SVC_STOP:
-        return sssctl_run_command(SERVICE_PATH" sssd stop");
-+        return sssctl_run_command(
-+                      (const char *[]){SERVICE_PATH, "sssd", "stop", NULL});
-     case SSSCTL_SVC_RESTART:
-        return sssctl_run_command(SERVICE_PATH" sssd restart");
-+        return sssctl_run_command(
-+                      (const char *[]){SERVICE_PATH, "sssd", "restart", NULL});
-     }
- #endif
- 
-diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h
-index 0115b2457c..599ef65196 100644
--- a/src/tools/sssctl/sssctl.h
-+++ b/src/tools/sssctl/sssctl.h
-@@ -47,7 +47,7 @@ enum sssctl_prompt_result
- sssctl_prompt(const char *message,
-               enum sssctl_prompt_result defval);
- 
-errno_t sssctl_run_command(const char *command);
-+errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */
- bool sssctl_start_sssd(bool force);
- bool sssctl_stop_sssd(bool force);
- bool sssctl_restart_sssd(bool force);
-diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
-index 8d79b977fd..bf22913416 100644
--- a/src/tools/sssctl/sssctl_data.c
-+++ b/src/tools/sssctl/sssctl_data.c
-@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force)
-         }
-     }
- 
-    ret = sssctl_run_command("sss_override user-export "
-                             SSS_BACKUP_USER_OVERRIDES);
-+    ret = sssctl_run_command((const char *[]){"sss_override", "user-export",
-+                                              SSS_BACKUP_USER_OVERRIDES, NULL});
-     if (ret != EOK) {
-         ERROR("Unable to export user overrides\n");
-         return ret;
-     }
- 
-    ret = sssctl_run_command("sss_override group-export "
-                             SSS_BACKUP_GROUP_OVERRIDES);
-+    ret = sssctl_run_command((const char *[]){"sss_override", "group-export",
-+                                              SSS_BACKUP_GROUP_OVERRIDES, NULL});
-     if (ret != EOK) {
-         ERROR("Unable to export group overrides\n");
-         return ret;
-@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
-     }
- 
-     if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
-        ret = sssctl_run_command("sss_override user-import "
-                                 SSS_BACKUP_USER_OVERRIDES);
-+        ret = sssctl_run_command((const char *[]){"sss_override", "user-import",
-+                                                  SSS_BACKUP_USER_OVERRIDES, NULL});
-         if (ret != EOK) {
-             ERROR("Unable to import user overrides\n");
-             return ret;
-@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
-     }
- 
-     if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
-        ret = sssctl_run_command("sss_override group-import "
-                                 SSS_BACKUP_GROUP_OVERRIDES);
-+        ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
-+                                                  SSS_BACKUP_GROUP_OVERRIDES, NULL});
-         if (ret != EOK) {
-             ERROR("Unable to import group overrides\n");
-             return ret;
-@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline,
-                             void *pvt)
- {
-     errno_t ret;
-    char *cmd_args = NULL;
-    const char *cachecmd = SSS_CACHE;
-    char *cmd = NULL;
-    int i;
-
-    if (cmdline->argc == 0) {
-        ret = sssctl_run_command(cachecmd);
-        goto done;
-    }
- 
-    cmd_args = talloc_strdup(tool_ctx, "");
-    if (cmd_args == NULL) {
-        ret = ENOMEM;
-        goto done;
-+    const char **args = talloc_array_size(tool_ctx,
-+                                          sizeof(char *),
-+                                          cmdline->argc + 2);
-+    if (!args) {
-+        return ENOMEM;
-     }
-+    memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc);
-+    args[0] = SSS_CACHE;
-+    args[cmdline->argc + 1] = NULL;
- 
-    for (i = 0; i < cmdline->argc; i++) {
-        cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]);
-        if (i != cmdline->argc - 1) {
-            cmd_args = talloc_strdup_append(cmd_args, " ");
-        }
-    }
-
-    cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args);
-    if (cmd == NULL) {
-        ret = ENOMEM;
-        goto done;
-    }
-
-    ret = sssctl_run_command(cmd);
-
-done:
-    talloc_free(cmd_args);
-    talloc_free(cmd);
-+    ret = sssctl_run_command(args);
- 
-+    talloc_free(args);
-     return ret;
- }
-diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
-index 9ff2be05b6..ebb2c4571c 100644
--- a/src/tools/sssctl/sssctl_logs.c
-+++ b/src/tools/sssctl/sssctl_logs.c
-@@ -31,6 +31,7 @@
- #include <ldb.h>
- #include <popt.h>
- #include <stdio.h>
-+#include <glob.h>
- 
- #include "util/util.h"
- #include "tools/common/sss_process.h"
-@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
- {
-     struct sssctl_logs_opts opts = {0};
-     errno_t ret;
-+    glob_t globbuf;
- 
-     /* Parse command line. */
-     struct poptOption options[] = {
-@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
- 
-         sss_signal(SIGHUP);
-     } else {
-+        globbuf.gl_offs = 4;
-+        ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
-+        if (ret != 0) {
-+            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
-+            return ret;
-+        }
-+        globbuf.gl_pathv[0] = discard_const_p(char, "truncate");
-+        globbuf.gl_pathv[1] = discard_const_p(char, "--no-create");
-+        globbuf.gl_pathv[2] = discard_const_p(char, "--size");
-+        globbuf.gl_pathv[3] = discard_const_p(char, "0");
-+
-         PRINT("Truncating log files...\n");
-        ret = sssctl_run_command("truncate --no-create --size 0 " LOG_FILES);
-+        ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
-+        globfree(&globbuf);
-         if (ret != EOK) {
-             ERROR("Unable to truncate log files\n");
-             return ret;
-@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
-                           void *pvt)
- {
-     const char *file;
-    const char *cmd;
-     errno_t ret;
-+    glob_t globbuf;
- 
-     /* Parse command line. */
-     ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL,
-@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
-         return ret;
-     }
- 
-    cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES);
-    if (cmd == NULL) {
-        ERROR("Out of memory!");
-+    globbuf.gl_offs = 3;
-+    ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
-+    if (ret != 0) {
-+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
-+        return ret;
-     }
-+    globbuf.gl_pathv[0] = discard_const_p(char, "tar");
-+    globbuf.gl_pathv[1] = discard_const_p(char, "-czf");
-+    globbuf.gl_pathv[2] = discard_const_p(char, file);
- 
-     PRINT("Archiving log files into %s...\n", file);
-    ret = sssctl_run_command(cmd);
-+    ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
-+    globfree(&globbuf);
-     if (ret != EOK) {
-         ERROR("Unable to archive log files\n");
-         return ret;
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch
index 9b481cc..419b83f 100644
--- a/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch
@@ -12,10 +12,10 @@ from ../sssd-2.5.0/src/util/sss_pam_data.c:27:
 Upstream-Status: Pending
 Signed-off-by: Armin Kuster <akuster808@gmail.com>
-Index: sssd-2.5.0/src/util/debug.h
+Index: sssd-2.7.1/src/util/debug.h
 ===================================================================
--- sssd-2.5.0.orig/src/util/debug.h
+--- sssd-2.7.1.orig/src/util/debug.h
-+++ sssd-2.5.0/src/util/debug.h
+++ sssd-2.7.1/src/util/debug.h
 @@ -24,6 +24,8 @@
 #include "config.h"
 
@@ -23,5 +23,5 @@ Index: sssd-2.5.0/src/util/debug.h
 +#include <unistd.h>
 +#include <sys/types.h>
 #include <stdbool.h>
+ #include <sys/types.h>
 
- #include "util/util_errors.h"
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch
index 5c83777..7d8e80b 100644
--- a/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch
@@ -4,11 +4,11 @@ Upstream-Status: Inappropriate [OE Specific]
 Signed-off-by: Armin Kuster <akuster808@gmail.com>
-Index: sssd-2.5.0/Makefile.am
+Index: sssd-2.7.1/Makefile.am
 ===================================================================
--- sssd-2.5.0.orig/Makefile.am
+--- sssd-2.7.1.orig/Makefile.am
-+++ sssd-2.5.0/Makefile.am
+++ sssd-2.7.1/Makefile.am
-@@ -1033,8 +1033,6 @@ generate-sbus-code:
+@@ -1023,8 +1023,6 @@ generate-sbus-code:
 
 .PHONY: generate-sbus-code
 
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.5.2.bb b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.7.1.bb
index 9f1d627..71f14a0 100644
--- a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.5.2.bb
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.7.1.bb
@@ -5,8 +5,9 @@ SECTION = "base"
 LICENSE = "GPL-3.0-or-later"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
-DEPENDS = "acl attr openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
+DEPENDS = "acl attr cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
-DEPENDS:append = " libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent bind p11-kit"
+DEPENDS:append = " libldb dbus libtalloc libpcre2 glib-2.0 popt e2fsprogs libtevent"
+DEPENDS:append = " openldap bind p11-kit jansson softhsm openssl libunistring"
 DEPENDS:append:libc-musl = " musl-nscd"
@@ -23,10 +24,9 @@ SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/sssd-${PV}.tar.g
           file://drop_ntpdate_chk.patch \
           file://fix-ldblibdir.patch \
           file://musl_fixup.patch \
-           file://CVE-2021-3621.patch \
           "
-SRC_URI[sha256sum] = "5e21b3c7b4a2f1063d0fbdd3216d29886b6eaba153b44fb5961698367f399a0f"
+SRC_URI[sha256sum] = "8eebd541a640aec95ed4b2da89713f0cbe8e4edf96895fbb972c0b9d570635c3"
 inherit autotools pkgconfig gettext python3-dir features_check systemd
@@ -39,7 +39,7 @@ CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
    ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
    "
-PACKAGECONFIG ?="nss nscd autofs sudo infopipe"
+PACKAGECONFIG ?="nss autofs sudo infopipe"
 PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
 PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
@@ -49,8 +49,8 @@ PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson"
 PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "
 PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native"
 PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
-PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
 PACKAGECONFIG[nss] = ", ,nss,"
+PACKAGECONFIG[oidc_child] = "--with-oidc-child, --without-oidc-child"
 PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings"
 PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
 PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"
@@ -65,7 +65,6 @@ EXTRA_OECONF += " \
    --without-python2-bindings \
    --enable-pammoddir=${base_libdir}/security \
    --without-python2-bindings \
-    --without-secrets \
    --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \
    --with-pid-path=/run \
 "
@@ -74,8 +73,8 @@ do_configure:prepend() {
    mkdir -p ${AUTOTOOLS_AUXDIR}/build
    cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/
-    # libresove has host path, remove it
+    # additional_libdir  defaults to /usr/lib so replace with staging_libdir globally
-    sed -i -e "s#\$sss_extra_libdir##" ${S}/src/external/libresolv.m4
+    sed -i -e "s#\$additional_libdir#\${STAGING_LIBDIR}#" ${S}/src/build_macros.m4
 }
 do_compile:prepend () {
@@ -84,7 +83,11 @@ do_compile:prepend () {
 do_install () {
    oe_runmake install  DESTDIR="${D}"
    rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
    install -d ${D}/${sysconfdir}/${BPN}
+    install -d ${D}/${PYTHON_SITEPACKAGES_DIR}
+    mv ${D}/${BPN}  ${D}/${PYTHON_SITEPACKAGES_DIR}
    install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}
    # /var/log/sssd needs to be created in runtime. Use rmdir to catch if
@@ -106,6 +109,7 @@ do_install () {
    # Remove /run as it is created on startup
    rm -rf ${D}/run
+#    rm -fr ${D}/sssd
    rm -f ${D}${systemd_system_unitdir}/sssd-secrets.*
 }
@@ -116,8 +120,6 @@ fi
    chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf
 }
-FILES:${PN} += "${nonarch_libdir}/tmpfiles.d"
 CONFFILES:${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"
 INITSCRIPT_NAME = "sssd"
@@ -141,10 +143,13 @@ PACKAGES =+ "libsss-sudo"
 ALLOW_EMPTY:libsss-sudo = "1"
 FILES:${PN} += "${base_libdir}/security/pam_sss*.so  \
+                ${nonarch_libdir}/tmpfiles.d \
                ${datadir}/dbus-1/system-services/*.service \
                ${libdir}/krb5/* \
                ${libdir}/ldb/* \
+                ${PYTHON_SITEPACKAGES_DIR}/sssd \
                "
 FILES:libsss-sudo = "${libdir}/libsss_sudo.so"
 RDEPENDS:${PN} = "bind bind-utils dbus libldb libpam libsss-sudo"
author	Armin Kuster <akuster808@gmail.com>	2022-06-11 07:06:24 -0700
committer	Armin Kuster <akuster808@gmail.com>	2022-06-18 06:48:22 -0700
commit	caadc8672b7f7eff6d4cfcbdca116aa76697816e (patch)
tree	0b6d87195cc594ffb3d7ee2603911e3c8c53d464 /dynamic-layers/networking-layer
parent	4bb7e5b84af559a4142a7f197ee2057e70216a6d (diff)
download	meta-security-caadc8672b7f7eff6d4cfcbdca116aa76697816e.tar.gz

diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2021-3621.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2021-3621.patch deleted file mode 100644 index 7a59df9..0000000 --- a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2021-3621.patch +++ /dev/null
@@ -1,288 +0,0 @@
1	Backport patch to fix CVE-2021-3621.
2
3	Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/7ab83f9]
4	CVE: CVE-2021-3621
5
6	Signed-off-by: Kai Kang <kai.kang@windriver.com>
7
8	From 7ab83f97e1cbefb78ece17232185bdd2985f0bbe Mon Sep 17 00:00:00 2001
9	From: Alexey Tikhonov <atikhono@redhat.com>
10	Date: Fri, 18 Jun 2021 13:17:19 +0200
11	Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of
12	user supplied command
13	MIME-Version: 1.0
14	Content-Type: text/plain; charset=UTF-8
15	Content-Transfer-Encoding: 8bit
16
17	:relnote: A flaw was found in SSSD, where the sssctl command was
18	vulnerable to shell command injection via the logs-fetch and
19	cache-expire subcommands. This flaw allows an attacker to trick
20	the root user into running a specially crafted sssctl command,
21	such as via sudo, to gain root access. The highest threat from this
22	vulnerability is to confidentiality, integrity, as well as system
23	availability.
24	This patch fixes a flaw by replacing system() with execvp().
25
26	:fixes: CVE-2021-3621
27
28	Reviewed-by: Pavel Březina <pbrezina@redhat.com>
29	---
30	src/tools/sssctl/sssctl.c \| 39 ++++++++++++++++-------
31	src/tools/sssctl/sssctl.h \| 2 +-
32	src/tools/sssctl/sssctl_data.c \| 57 +++++++++++-----------------------
33	src/tools/sssctl/sssctl_logs.c \| 32 +++++++++++++++----
34	4 files changed, 73 insertions(+), 57 deletions(-)
35
36	diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
37	index 2997dbf968..8adaf30910 100644
38	--- a/src/tools/sssctl/sssctl.c
39	+++ b/src/tools/sssctl/sssctl.c
40	@@ -97,22 +97,36 @@ sssctl_prompt(const char *message,
41	return SSSCTL_PROMPT_ERROR;
42	}
43
44	-errno_t sssctl_run_command(const char *command)
45	+errno_t sssctl_run_command(const char *const argv[])
46	{
47	int ret;
48	+ int wstatus;
49
50	- DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command);
51	+ DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]);
52
53	- ret = system(command);
54	+ ret = fork();
55	if (ret == -1) {
56	- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command);
57	ERROR("Error while executing external command\n");
58	return EFAULT;
59	- } else if (WEXITSTATUS(ret) != 0) {
60	- DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n",
61	- command, WEXITSTATUS(ret));
62	+ }
63	+
64	+ if (ret == 0) {
65	+ /* cast is safe - see
66	+ https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
67	+ "The statement about argv[] and envp[] being constants ... "
68	+ */
69	+ execvp(argv[0], discard_const_p(char * const, argv));
70	ERROR("Error while executing external command\n");
71	- return EIO;
72	+ _exit(1);
73	+ } else {
74	+ if (waitpid(ret, &wstatus, 0) == -1) {
75	+ ERROR("Error while executing external command '%s'\n", argv[0]);
76	+ return EFAULT;
77	+ } else if (WEXITSTATUS(wstatus) != 0) {
78	+ ERROR("Command '%s' failed with [%d]\n",
79	+ argv[0], WEXITSTATUS(wstatus));
80	+ return EIO;
81	+ }
82	}
83
84	return EOK;
85	@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action)
86	#elif defined(HAVE_SERVICE)
87	switch (action) {
88	case SSSCTL_SVC_START:
89	- return sssctl_run_command(SERVICE_PATH" sssd start");
90	+ return sssctl_run_command(
91	+ (const char *[]){SERVICE_PATH, "sssd", "start", NULL});
92	case SSSCTL_SVC_STOP:
93	- return sssctl_run_command(SERVICE_PATH" sssd stop");
94	+ return sssctl_run_command(
95	+ (const char *[]){SERVICE_PATH, "sssd", "stop", NULL});
96	case SSSCTL_SVC_RESTART:
97	- return sssctl_run_command(SERVICE_PATH" sssd restart");
98	+ return sssctl_run_command(
99	+ (const char *[]){SERVICE_PATH, "sssd", "restart", NULL});
100	}
101	#endif
102
103	diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h
104	index 0115b2457c..599ef65196 100644
105	--- a/src/tools/sssctl/sssctl.h
106	+++ b/src/tools/sssctl/sssctl.h
107	@@ -47,7 +47,7 @@ enum sssctl_prompt_result
108	sssctl_prompt(const char *message,
109	enum sssctl_prompt_result defval);
110
111	-errno_t sssctl_run_command(const char *command);
112	+errno_t sssctl_run_command(const char const argv[]); / argv[0] - command */
113	bool sssctl_start_sssd(bool force);
114	bool sssctl_stop_sssd(bool force);
115	bool sssctl_restart_sssd(bool force);
116	diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
117	index 8d79b977fd..bf22913416 100644
118	--- a/src/tools/sssctl/sssctl_data.c
119	+++ b/src/tools/sssctl/sssctl_data.c
120	@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force)
121	}
122	}
123
124	- ret = sssctl_run_command("sss_override user-export "
125	- SSS_BACKUP_USER_OVERRIDES);
126	+ ret = sssctl_run_command((const char *[]){"sss_override", "user-export",
127	+ SSS_BACKUP_USER_OVERRIDES, NULL});
128	if (ret != EOK) {
129	ERROR("Unable to export user overrides\n");
130	return ret;
131	}
132
133	- ret = sssctl_run_command("sss_override group-export "
134	- SSS_BACKUP_GROUP_OVERRIDES);
135	+ ret = sssctl_run_command((const char *[]){"sss_override", "group-export",
136	+ SSS_BACKUP_GROUP_OVERRIDES, NULL});
137	if (ret != EOK) {
138	ERROR("Unable to export group overrides\n");
139	return ret;
140	@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
141	}
142
143	if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
144	- ret = sssctl_run_command("sss_override user-import "
145	- SSS_BACKUP_USER_OVERRIDES);
146	+ ret = sssctl_run_command((const char *[]){"sss_override", "user-import",
147	+ SSS_BACKUP_USER_OVERRIDES, NULL});
148	if (ret != EOK) {
149	ERROR("Unable to import user overrides\n");
150	return ret;
151	@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
152	}
153
154	if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
155	- ret = sssctl_run_command("sss_override group-import "
156	- SSS_BACKUP_GROUP_OVERRIDES);
157	+ ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
158	+ SSS_BACKUP_GROUP_OVERRIDES, NULL});
159	if (ret != EOK) {
160	ERROR("Unable to import group overrides\n");
161	return ret;
162	@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline,
163	void *pvt)
164	{
165	errno_t ret;
166	- char *cmd_args = NULL;
167	- const char *cachecmd = SSS_CACHE;
168	- char *cmd = NULL;
169	- int i;
170	-
171	- if (cmdline->argc == 0) {
172	- ret = sssctl_run_command(cachecmd);
173	- goto done;
174	- }
175
176	- cmd_args = talloc_strdup(tool_ctx, "");
177	- if (cmd_args == NULL) {
178	- ret = ENOMEM;
179	- goto done;
180	+ const char **args = talloc_array_size(tool_ctx,
181	+ sizeof(char *),
182	+ cmdline->argc + 2);
183	+ if (!args) {
184	+ return ENOMEM;
185	}
186	+ memcpy(&args[1], cmdline->argv, sizeof(char ) cmdline->argc);
187	+ args[0] = SSS_CACHE;
188	+ args[cmdline->argc + 1] = NULL;
189
190	- for (i = 0; i < cmdline->argc; i++) {
191	- cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]);
192	- if (i != cmdline->argc - 1) {
193	- cmd_args = talloc_strdup_append(cmd_args, " ");
194	- }
195	- }
196	-
197	- cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args);
198	- if (cmd == NULL) {
199	- ret = ENOMEM;
200	- goto done;
201	- }
202	-
203	- ret = sssctl_run_command(cmd);
204	-
205	-done:
206	- talloc_free(cmd_args);
207	- talloc_free(cmd);
208	+ ret = sssctl_run_command(args);
209
210	+ talloc_free(args);
211	return ret;
212	}
213	diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
214	index 9ff2be05b6..ebb2c4571c 100644
215	--- a/src/tools/sssctl/sssctl_logs.c
216	+++ b/src/tools/sssctl/sssctl_logs.c
217	@@ -31,6 +31,7 @@
218	#include <ldb.h>
219	#include <popt.h>
220	#include <stdio.h>
221	+#include <glob.h>
222
223	#include "util/util.h"
224	#include "tools/common/sss_process.h"
225	@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
226	{
227	struct sssctl_logs_opts opts = {0};
228	errno_t ret;
229	+ glob_t globbuf;
230
231	/* Parse command line. */
232	struct poptOption options[] = {
233	@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
234
235	sss_signal(SIGHUP);
236	} else {
237	+ globbuf.gl_offs = 4;
238	+ ret = glob(LOG_PATH"/*.log", GLOB_ERR\|GLOB_DOOFFS, NULL, &globbuf);
239	+ if (ret != 0) {
240	+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
241	+ return ret;
242	+ }
243	+ globbuf.gl_pathv[0] = discard_const_p(char, "truncate");
244	+ globbuf.gl_pathv[1] = discard_const_p(char, "--no-create");
245	+ globbuf.gl_pathv[2] = discard_const_p(char, "--size");
246	+ globbuf.gl_pathv[3] = discard_const_p(char, "0");
247	+
248	PRINT("Truncating log files...\n");
249	- ret = sssctl_run_command("truncate --no-create --size 0 " LOG_FILES);
250	+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
251	+ globfree(&globbuf);
252	if (ret != EOK) {
253	ERROR("Unable to truncate log files\n");
254	return ret;
255	@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
256	void *pvt)
257	{
258	const char *file;
259	- const char *cmd;
260	errno_t ret;
261	+ glob_t globbuf;
262
263	/* Parse command line. */
264	ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL,
265	@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
266	return ret;
267	}
268
269	- cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES);
270	- if (cmd == NULL) {
271	- ERROR("Out of memory!");
272	+ globbuf.gl_offs = 3;
273	+ ret = glob(LOG_PATH"/*.log", GLOB_ERR\|GLOB_DOOFFS, NULL, &globbuf);
274	+ if (ret != 0) {
275	+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
276	+ return ret;
277	}
278	+ globbuf.gl_pathv[0] = discard_const_p(char, "tar");
279	+ globbuf.gl_pathv[1] = discard_const_p(char, "-czf");
280	+ globbuf.gl_pathv[2] = discard_const_p(char, file);
281
282	PRINT("Archiving log files into %s...\n", file);
283	- ret = sssctl_run_command(cmd);
284	+ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
285	+ globfree(&globbuf);
286	if (ret != EOK) {
287	ERROR("Unable to archive log files\n");
288	return ret;


diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch index 9b481cc..419b83f 100644 --- a/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch +++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch
@@ -12,10 +12,10 @@ from ../sssd-2.5.0/src/util/sss_pam_data.c:27:
12	Upstream-Status: Pending	12	Upstream-Status: Pending
13	Signed-off-by: Armin Kuster <akuster808@gmail.com>	13	Signed-off-by: Armin Kuster <akuster808@gmail.com>
14		14
15	Index: sssd-2.5.0/src/util/debug.h	15	Index: sssd-2.7.1/src/util/debug.h
16	===================================================================	16	===================================================================
17	--- sssd-2.5.0.orig/src/util/debug.h	17	--- sssd-2.7.1.orig/src/util/debug.h
18	+++ sssd-2.5.0/src/util/debug.h	18	+++ sssd-2.7.1/src/util/debug.h
19	@@ -24,6 +24,8 @@	19	@@ -24,6 +24,8 @@
20	#include "config.h"	20	#include "config.h"
21		21
@@ -23,5 +23,5 @@ Index: sssd-2.5.0/src/util/debug.h
23	+#include <unistd.h>	23	+#include <unistd.h>
24	+#include <sys/types.h>	24	+#include <sys/types.h>
25	#include <stdbool.h>	25	#include <stdbool.h>
		26	#include <sys/types.h>
26		27
27	#include "util/util_errors.h"


diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch index 5c83777..7d8e80b 100644 --- a/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch +++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch
@@ -4,11 +4,11 @@ Upstream-Status: Inappropriate [OE Specific]
4		4
5	Signed-off-by: Armin Kuster <akuster808@gmail.com>	5	Signed-off-by: Armin Kuster <akuster808@gmail.com>
6		6
7	Index: sssd-2.5.0/Makefile.am	7	Index: sssd-2.7.1/Makefile.am
8	===================================================================	8	===================================================================
9	--- sssd-2.5.0.orig/Makefile.am	9	--- sssd-2.7.1.orig/Makefile.am
10	+++ sssd-2.5.0/Makefile.am	10	+++ sssd-2.7.1/Makefile.am
11	@@ -1033,8 +1033,6 @@ generate-sbus-code:	11	@@ -1023,8 +1023,6 @@ generate-sbus-code:
12		12
13	.PHONY: generate-sbus-code	13	.PHONY: generate-sbus-code
14		14


diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.5.2.bb b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.7.1.bb index 9f1d627..71f14a0 100644 --- a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.5.2.bb +++ b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.7.1.bb
@@ -5,8 +5,9 @@ SECTION = "base"
5	LICENSE = "GPL-3.0-or-later"	5	LICENSE = "GPL-3.0-or-later"
6	LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"	6	LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
7		7
8	DEPENDS = "acl attr openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"	8	DEPENDS = "acl attr cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
9	DEPENDS:append = " libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent bind p11-kit"	9	DEPENDS:append = " libldb dbus libtalloc libpcre2 glib-2.0 popt e2fsprogs libtevent"
		10	DEPENDS:append = " openldap bind p11-kit jansson softhsm openssl libunistring"
10		11
11	DEPENDS:append:libc-musl = " musl-nscd"	12	DEPENDS:append:libc-musl = " musl-nscd"
12		13
@@ -23,10 +24,9 @@ SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/sssd-${PV}.tar.g
23	file://drop_ntpdate_chk.patch \	24	file://drop_ntpdate_chk.patch \
24	file://fix-ldblibdir.patch \	25	file://fix-ldblibdir.patch \
25	file://musl_fixup.patch \	26	file://musl_fixup.patch \
26	file://CVE-2021-3621.patch \
27	"	27	"
28		28
29	SRC_URI[sha256sum] = "5e21b3c7b4a2f1063d0fbdd3216d29886b6eaba153b44fb5961698367f399a0f"	29	SRC_URI[sha256sum] = "8eebd541a640aec95ed4b2da89713f0cbe8e4edf96895fbb972c0b9d570635c3"
30		30
31	inherit autotools pkgconfig gettext python3-dir features_check systemd	31	inherit autotools pkgconfig gettext python3-dir features_check systemd
32		32
@@ -39,7 +39,7 @@ CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
39	ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \	39	ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
40	"	40	"
41		41
42	PACKAGECONFIG ?="nss nscd autofs sudo infopipe"	42	PACKAGECONFIG ?="nss autofs sudo infopipe"
43	PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"	43	PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
44	PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"	44	PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
45		45
@@ -49,8 +49,8 @@ PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson"
49	PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "	49	PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "
50	PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native"	50	PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native"
51	PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"	51	PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
52	PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
53	PACKAGECONFIG[nss] = ", ,nss,"	52	PACKAGECONFIG[nss] = ", ,nss,"
		53	PACKAGECONFIG[oidc_child] = "--with-oidc-child, --without-oidc-child"
54	PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings"	54	PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings"
55	PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"	55	PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
56	PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"	56	PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"
@@ -65,7 +65,6 @@ EXTRA_OECONF += " \
65	--without-python2-bindings \	65	--without-python2-bindings \
66	--enable-pammoddir=${base_libdir}/security \	66	--enable-pammoddir=${base_libdir}/security \
67	--without-python2-bindings \	67	--without-python2-bindings \
68	--without-secrets \
69	--with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \	68	--with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \
70	--with-pid-path=/run \	69	--with-pid-path=/run \
71	"	70	"
@@ -74,8 +73,8 @@ do_configure:prepend() {
74	mkdir -p ${AUTOTOOLS_AUXDIR}/build	73	mkdir -p ${AUTOTOOLS_AUXDIR}/build
75	cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/	74	cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/
76		75
77	# libresove has host path, remove it	76	# additional_libdir defaults to /usr/lib so replace with staging_libdir globally
78	sed -i -e "s#\$sss_extra_libdir##" ${S}/src/external/libresolv.m4	77	sed -i -e "s#\$additional_libdir#\${STAGING_LIBDIR}#" ${S}/src/build_macros.m4
79	}	78	}
80		79
81	do_compile:prepend () {	80	do_compile:prepend () {
@@ -84,7 +83,11 @@ do_compile:prepend () {
84	do_install () {	83	do_install () {
85	oe_runmake install DESTDIR="${D}"	84	oe_runmake install DESTDIR="${D}"
86	rmdir --ignore-fail-on-non-empty "${D}/${bindir}"	85	rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
		86
87	install -d ${D}/${sysconfdir}/${BPN}	87	install -d ${D}/${sysconfdir}/${BPN}
		88	install -d ${D}/${PYTHON_SITEPACKAGES_DIR}
		89	mv ${D}/${BPN} ${D}/${PYTHON_SITEPACKAGES_DIR}
		90
88	install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}	91	install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}
89		92
90	# /var/log/sssd needs to be created in runtime. Use rmdir to catch if	93	# /var/log/sssd needs to be created in runtime. Use rmdir to catch if
@@ -106,6 +109,7 @@ do_install () {
106	# Remove /run as it is created on startup	109	# Remove /run as it is created on startup
107	rm -rf ${D}/run	110	rm -rf ${D}/run
108		111
		112	# rm -fr ${D}/sssd
109	rm -f ${D}${systemd_system_unitdir}/sssd-secrets.*	113	rm -f ${D}${systemd_system_unitdir}/sssd-secrets.*
110	}	114	}
111		115
@@ -116,8 +120,6 @@ fi
116	chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf	120	chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf
117	}	121	}
118		122
119	FILES:${PN} += "${nonarch_libdir}/tmpfiles.d"
120
121	CONFFILES:${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"	123	CONFFILES:${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"
122		124
123	INITSCRIPT_NAME = "sssd"	125	INITSCRIPT_NAME = "sssd"
@@ -141,10 +143,13 @@ PACKAGES =+ "libsss-sudo"
141	ALLOW_EMPTY:libsss-sudo = "1"	143	ALLOW_EMPTY:libsss-sudo = "1"
142		144
143	FILES:${PN} += "${base_libdir}/security/pam_sss*.so \	145	FILES:${PN} += "${base_libdir}/security/pam_sss*.so \
		146	${nonarch_libdir}/tmpfiles.d \
144	${datadir}/dbus-1/system-services/*.service \	147	${datadir}/dbus-1/system-services/*.service \
145	${libdir}/krb5/* \	148	${libdir}/krb5/* \
146	${libdir}/ldb/* \	149	${libdir}/ldb/* \
		150	${PYTHON_SITEPACKAGES_DIR}/sssd \
147	"	151	"
		152
148	FILES:libsss-sudo = "${libdir}/libsss_sudo.so"	153	FILES:libsss-sudo = "${libdir}/libsss_sudo.so"
149		154
150	RDEPENDS:${PN} = "bind bind-utils dbus libldb libpam libsss-sudo"	155	RDEPENDS:${PN} = "bind bind-utils dbus libldb libpam libsss-sudo"