summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch318
-rw-r--r--dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch219
-rw-r--r--dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf3
-rw-r--r--dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd1
-rw-r--r--dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.10.2.bb (renamed from dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb)36
5 files changed, 18 insertions, 559 deletions
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch
deleted file mode 100644
index 6880405..0000000
--- a/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch
+++ /dev/null
@@ -1,318 +0,0 @@
1Backport patch to fix interpreter of sss_analyze.
2
3Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/ed3726c]
4
5Signed-off-by: Kai Kang <kai.kang@windriver.com>
6
7From ed3726c37fe07aab788404bfa2f9003db15f4210 Mon Sep 17 00:00:00 2001
8From: roy214 <abroy@redhat.com>
9Date: Tue, 25 Apr 2023 20:01:24 +0530
10Subject: [PATCH] sssctl: add error analyzer
11MIME-Version: 1.0
12Content-Type: text/plain; charset=UTF-8
13Content-Transfer-Encoding: 8bit
14
15Also removing unused variable and import.
16
17Reviewed-by: Justin Stephenson <jstephen@redhat.com>
18Reviewed-by: Tomáš Halman <thalman@redhat.com>
19---
20 src/tools/analyzer/Makefile.am | 2 +
21 src/tools/analyzer/modules/error.py | 61 +++++++++++++++++++++++++++
22 src/tools/analyzer/modules/request.py | 54 +++++-------------------
23 src/tools/analyzer/sss_analyze | 2 +-
24 src/tools/analyzer/sss_analyze.py | 3 ++
25 src/tools/analyzer/util.py | 44 +++++++++++++++++++
26 6 files changed, 121 insertions(+), 45 deletions(-)
27 create mode 100644 src/tools/analyzer/modules/error.py
28 create mode 100644 src/tools/analyzer/util.py
29
30diff --git a/src/tools/analyzer/Makefile.am b/src/tools/analyzer/Makefile.am
31index b40043d043..7692af8528 100644
32--- a/src/tools/analyzer/Makefile.am
33+++ b/src/tools/analyzer/Makefile.am
34@@ -13,10 +13,12 @@ dist_pkgpython_DATA = \
35 source_reader.py \
36 parser.py \
37 sss_analyze.py \
38+ util.py \
39 $(NULL)
40
41 modulesdir = $(pkgpythondir)/modules
42 dist_modules_DATA = \
43 modules/__init__.py \
44 modules/request.py \
45+ modules/error.py \
46 $(NULL)
47diff --git a/src/tools/analyzer/modules/error.py b/src/tools/analyzer/modules/error.py
48new file mode 100644
49index 0000000000..71173670c5
50--- /dev/null
51+++ b/src/tools/analyzer/modules/error.py
52@@ -0,0 +1,61 @@
53+from sssd import util
54+from sssd.parser import SubparsersAction
55+from sssd import sss_analyze
56+
57+class ErrorAnalyzer:
58+ """
59+ An error analyzer module, list if there is any error reported by sssd_be
60+ """
61+ module_parser = None
62+ print_opts = []
63+
64+ def print_module_help(self, args):
65+ """
66+ Print the module parser help output
67+
68+ Args:
69+ args (Namespace): argparse parsed arguments
70+ """
71+ self.module_parser.print_help()
72+
73+ def setup_args(self, parser_grp, cli):
74+ """
75+ Setup module parser, subcommands, and options
76+
77+ Args:
78+ parser_grp (argparse.Action): Parser group to nest
79+ module and subcommands under
80+ """
81+ desc = "Analyze error check module"
82+ self.module_parser = parser_grp.add_parser('error',
83+ description=desc,
84+ help='Error checker')
85+
86+ subparser = self.module_parser.add_subparsers(title=None,
87+ dest='subparser',
88+ action=SubparsersAction,
89+ metavar='COMMANDS')
90+
91+ subcmd_grp = subparser.add_parser_group('Operation Modes')
92+ cli.add_subcommand(subcmd_grp, 'list', 'Print error messages found in backend',
93+ self.print_error, self.print_opts)
94+
95+ self.module_parser.set_defaults(func=self.print_module_help)
96+
97+ return self.module_parser
98+
99+ def print_error(self, args):
100+ err = 0
101+ utl = util.Utils()
102+ source = utl.load(args)
103+ component = source.Component.BE
104+ source.set_component(component, False)
105+ patterns = ['sdap_async_sys_connect request failed', 'terminated by own WATCHDOG',
106+ 'ldap_sasl_interactive_bind_s failed', 'Communication with KDC timed out', 'SSSD is offline', 'Backend is offline',
107+ 'tsig verify failure', 'ldap_install_tls failed', 's2n exop request failed']
108+ for line in utl.matched_line(source, patterns):
109+ err +=1
110+ print(line)
111+ if err > 0:
112+ print("For possible solutions please refer to https://sssd.io/troubleshooting/errors.html")
113+ return
114diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
115index d661dddb84..e4d5f060c7 100644
116--- a/src/tools/analyzer/modules/request.py
117+++ b/src/tools/analyzer/modules/request.py
118@@ -1,6 +1,6 @@
119 import re
120 import logging
121-
122+from sssd import util
123 from sssd.parser import SubparsersAction
124 from sssd.parser import Option
125
126@@ -38,7 +38,6 @@ def print_module_help(self, args):
127 def setup_args(self, parser_grp, cli):
128 """
129 Setup module parser, subcommands, and options
130-
131 Args:
132 parser_grp (argparse.Action): Parser group to nest
133 module and subcommands under
134@@ -63,42 +62,6 @@ def setup_args(self, parser_grp, cli):
135
136 return self.module_parser
137
138- def load(self, args):
139- """
140- Load the appropriate source reader.
141-
142- Args:
143- args (Namespace): argparse parsed arguments
144-
145- Returns:
146- Instantiated source object
147- """
148- if args.source == "journald":
149- from sssd.source_journald import Journald
150- source = Journald()
151- else:
152- from sssd.source_files import Files
153- source = Files(args.logdir)
154- return source
155-
156- def matched_line(self, source, patterns):
157- """
158- Yield lines which match any number of patterns (OR) in
159- provided patterns list.
160-
161- Args:
162- source (Reader): source Reader object
163- Yields:
164- lines matching the provided pattern(s)
165- """
166- for line in source:
167- for pattern in patterns:
168- re_obj = re.compile(pattern)
169- if re_obj.search(line):
170- if line.startswith(' * '):
171- continue
172- yield line
173-
174 def get_linked_ids(self, source, pattern, regex):
175 """
176 Retrieve list of associated REQ_TRACE ids. Filter
177@@ -114,8 +77,9 @@ def get_linked_ids(self, source, pattern, regex):
178 Returns:
179 List of linked ids discovered
180 """
181+ utl = util.Utils()
182 linked_ids = []
183- for match in self.matched_line(source, pattern):
184+ for match in utl.matched_line(source, pattern):
185 id_re = re.compile(regex)
186 match = id_re.search(match)
187 if match:
188@@ -250,7 +214,8 @@ def list_requests(self, args):
189 Args:
190 args (Namespace): populated argparse namespace
191 """
192- source = self.load(args)
193+ utl = util.Utils()
194+ source = utl.load(args)
195 component = source.Component.NSS
196 resp = "nss"
197 # Log messages matching the following regex patterns contain
198@@ -266,7 +231,7 @@ def list_requests(self, args):
199 if args.verbose:
200 self.print_formatted_verbose(source)
201 else:
202- for line in self.matched_line(source, patterns):
203+ for line in utl.matched_line(source, patterns):
204 if type(source).__name__ == 'Journald':
205 print(line)
206 else:
207@@ -279,7 +244,8 @@ def track_request(self, args):
208 Args:
209 args (Namespace): populated argparse namespace
210 """
211- source = self.load(args)
212+ utl = util.Utils()
213+ source = utl.load(args)
214 cid = args.cid
215 resp_results = False
216 be_results = False
217@@ -294,7 +260,7 @@ def track_request(self, args):
218 logger.info(f"******** Checking {resp} responder for Client ID"
219 f" {cid} *******")
220 source.set_component(component, args.child)
221- for match in self.matched_line(source, pattern):
222+ for match in utl.matched_line(source, pattern):
223 resp_results = self.consume_line(match, source, args.merge)
224
225 logger.info(f"********* Checking Backend for Client ID {cid} ********")
226@@ -307,7 +273,7 @@ def track_request(self, args):
227 pattern.clear()
228 [pattern.append(f'\\{id}') for id in be_ids]
229
230- for match in self.matched_line(source, pattern):
231+ for match in utl.matched_line(source, pattern):
232 be_results = self.consume_line(match, source, args.merge)
233
234 if args.merge:
235diff --git a/src/tools/analyzer/sss_analyze b/src/tools/analyzer/sss_analyze
236index 3f1beaf38b..6d4b5b30c6 100755
237--- a/src/tools/analyzer/sss_analyze
238+++ b/src/tools/analyzer/sss_analyze
239@@ -1,4 +1,4 @@
240-#!/usr/bin/env python
241+#!/usr/bin/env python3
242
243 from sssd import sss_analyze
244
245diff --git a/src/tools/analyzer/sss_analyze.py b/src/tools/analyzer/sss_analyze.py
246index 18b998f380..dafc84fc03 100644
247--- a/src/tools/analyzer/sss_analyze.py
248+++ b/src/tools/analyzer/sss_analyze.py
249@@ -1,6 +1,7 @@
250 import argparse
251
252 from sssd.modules import request
253+from sssd.modules import error
254 from sssd.parser import SubparsersAction
255
256
257@@ -55,9 +56,11 @@ def load_modules(self, parser, parser_grp):
258 """
259 # Currently only the 'request' module exists
260 req = request.RequestAnalyzer()
261+ err = error.ErrorAnalyzer()
262 cli = Analyzer()
263
264 req.setup_args(parser_grp, cli)
265+ err.setup_args(parser_grp, cli)
266
267 def setup_args(self):
268 """
269diff --git a/src/tools/analyzer/util.py b/src/tools/analyzer/util.py
270new file mode 100644
271index 0000000000..2a8d153a71
272--- /dev/null
273+++ b/src/tools/analyzer/util.py
274@@ -0,0 +1,44 @@
275+import re
276+import logging
277+
278+from sssd.source_files import Files
279+from sssd.source_journald import Journald
280+
281+logger = logging.getLogger()
282+
283+
284+class Utils:
285+
286+ def load(self, args):
287+ """
288+ Load the appropriate source reader.
289+
290+ Args:
291+ args (Namespace): argparse parsed arguments
292+
293+ Returns:
294+ Instantiated source object
295+ """
296+ if args.source == "journald":
297+ source = Journald()
298+ else:
299+ source = Files(args.logdir)
300+ return source
301+
302+ def matched_line(self, source, patterns):
303+ """
304+ Yield lines which match any number of patterns (OR) in
305+ provided patterns list.
306+
307+ Args:
308+ source (Reader): source Reader object
309+ Yields:
310+ lines matching the provided pattern(s)
311+ """
312+ for line in source:
313+ for pattern in patterns:
314+ re_obj = re.compile(pattern)
315+ if re_obj.search(line):
316+ if line.startswith(' * '):
317+ continue
318+ yield line
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch
deleted file mode 100644
index 1e9fca5..0000000
--- a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch
+++ /dev/null
@@ -1,219 +0,0 @@
1From f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726 Mon Sep 17 00:00:00 2001
2From: Sumit Bose <sbose@redhat.com>
3Date: Wed, 8 Nov 2023 14:50:24 +0100
4Subject: [PATCH] ad-gpo: use hash to store intermediate results
5
6Currently after the evaluation of a single GPO file the intermediate
7results are stored in the cache and this cache entry is updated until
8all applicable GPO files are evaluated. Finally the data in the cache is
9used to make the decision of access is granted or rejected.
10
11If there are two or more access-control request running in parallel one
12request might overwrite the cache object with intermediate data while
13another request reads the cached data for the access decision and as a
14result will do this decision based on intermediate data.
15
16To avoid this the intermediate results are not stored in the cache
17anymore but in hash tables which are specific to the request. Only the
18final result is written to the cache to have it available for offline
19authentication.
20
21Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
22Reviewed-by: Tomáš Halman <thalman@redhat.com>
23(cherry picked from commit d7db7971682da2dbf7642ac94940d6b0577ec35a)
24
25Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726]
26CVE: CVE-2023-3758
27Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
28
29---
30 src/providers/ad/ad_gpo.c | 116 +++++++++++++++++++++++++++++++++-----
31 1 file changed, 102 insertions(+), 14 deletions(-)
32
33diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
34index 44e9cbb..cec0cb4 100644
35--- a/src/providers/ad/ad_gpo.c
36+++ b/src/providers/ad/ad_gpo.c
37@@ -1317,6 +1317,33 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
38 return ret;
39 }
40
41+static errno_t
42+add_result_to_hash(hash_table_t *hash, const char *key, char *value)
43+{
44+ int hret;
45+ hash_key_t k;
46+ hash_value_t v;
47+
48+ if (hash == NULL || key == NULL || value == NULL) {
49+ return EINVAL;
50+ }
51+
52+ k.type = HASH_KEY_CONST_STRING;
53+ k.c_str = key;
54+
55+ v.type = HASH_VALUE_PTR;
56+ v.ptr = value;
57+
58+ hret = hash_enter(hash, &k, &v);
59+ if (hret != HASH_SUCCESS) {
60+ DEBUG(SSSDBG_OP_FAILURE, "Failed to add [%s][%s] to hash: [%s].\n",
61+ key, value, hash_error_string(hret));
62+ return EIO;
63+ }
64+
65+ return EOK;
66+}
67+
68 /*
69 * This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename,
70 * and stores the allow_key and deny_key of all of the gpo_map_types present
71@@ -1324,6 +1351,7 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
72 */
73 static errno_t
74 ad_gpo_store_policy_settings(struct sss_domain_info *domain,
75+ hash_table_t *allow_maps, hash_table_t *deny_maps,
76 const char *filename)
77 {
78 struct ini_cfgfile *file_ctx = NULL;
79@@ -1457,14 +1485,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
80 goto done;
81 } else if (ret != ENOENT) {
82 const char *value = allow_value ? allow_value : empty_val;
83- ret = sysdb_gpo_store_gpo_result_setting(domain,
84- allow_key,
85- value);
86+ ret = add_result_to_hash(allow_maps, allow_key,
87+ talloc_strdup(allow_maps, value));
88 if (ret != EOK) {
89- DEBUG(SSSDBG_CRIT_FAILURE,
90- "sysdb_gpo_store_gpo_result_setting failed for key:"
91- "'%s' value:'%s' [%d][%s]\n", allow_key, allow_value,
92- ret, sss_strerror(ret));
93+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
94+ "value: [%s] to allow maps "
95+ "[%d][%s].\n",
96+ allow_key, value, ret,
97+ sss_strerror(ret));
98 goto done;
99 }
100 }
101@@ -1484,14 +1512,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
102 goto done;
103 } else if (ret != ENOENT) {
104 const char *value = deny_value ? deny_value : empty_val;
105- ret = sysdb_gpo_store_gpo_result_setting(domain,
106- deny_key,
107- value);
108+ ret = add_result_to_hash(deny_maps, deny_key,
109+ talloc_strdup(deny_maps, value));
110 if (ret != EOK) {
111- DEBUG(SSSDBG_CRIT_FAILURE,
112- "sysdb_gpo_store_gpo_result_setting failed for key:"
113- "'%s' value:'%s' [%d][%s]\n", deny_key, deny_value,
114- ret, sss_strerror(ret));
115+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
116+ "value: [%s] to deny maps "
117+ "[%d][%s].\n",
118+ deny_key, value, ret,
119+ sss_strerror(ret));
120 goto done;
121 }
122 }
123@@ -1784,6 +1812,8 @@ struct ad_gpo_access_state {
124 int num_cse_filtered_gpos;
125 int cse_gpo_index;
126 const char *ad_domain;
127+ hash_table_t *allow_maps;
128+ hash_table_t *deny_maps;
129 };
130
131 static void ad_gpo_connect_done(struct tevent_req *subreq);
132@@ -1906,6 +1936,19 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
133 goto immediately;
134 }
135
136+ ret = sss_hash_create(state, 0, &state->allow_maps);
137+ if (ret != EOK) {
138+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create allow maps "
139+ "hash table [%d]: %s\n", ret, sss_strerror(ret));
140+ goto immediately;
141+ }
142+
143+ ret = sss_hash_create(state, 0, &state->deny_maps);
144+ if (ret != EOK) {
145+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create deny maps "
146+ "hash table [%d]: %s\n", ret, sss_strerror(ret));
147+ goto immediately;
148+ }
149
150 subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
151 if (subreq == NULL) {
152@@ -2725,6 +2768,43 @@ ad_gpo_cse_step(struct tevent_req *req)
153 return EAGAIN;
154 }
155
156+static errno_t
157+store_hash_maps_in_cache(struct sss_domain_info *domain,
158+ hash_table_t *allow_maps, hash_table_t *deny_maps)
159+{
160+ int ret;
161+ struct hash_iter_context_t *iter;
162+ hash_entry_t *entry;
163+ size_t c;
164+ hash_table_t *hash_list[] = { allow_maps, deny_maps, NULL};
165+
166+
167+ for (c = 0; hash_list[c] != NULL; c++) {
168+ iter = new_hash_iter_context(hash_list[c]);
169+ if (iter == NULL) {
170+ DEBUG(SSSDBG_OP_FAILURE, "Failed to create hash iterator.\n");
171+ return EINVAL;
172+ }
173+
174+ while ((entry = iter->next(iter)) != NULL) {
175+ ret = sysdb_gpo_store_gpo_result_setting(domain,
176+ entry->key.c_str,
177+ entry->value.ptr);
178+ if (ret != EOK) {
179+ free(iter);
180+ DEBUG(SSSDBG_OP_FAILURE,
181+ "sysdb_gpo_store_gpo_result_setting failed for key:"
182+ "[%s] value:[%s] [%d][%s]\n", entry->key.c_str,
183+ (char *) entry->value.ptr, ret, sss_strerror(ret));
184+ return ret;
185+ }
186+ }
187+ talloc_free(iter);
188+ }
189+
190+ return EOK;
191+}
192+
193 /*
194 * This cse-specific function (GP_EXT_GUID_SECURITY) increments the
195 * cse_gpo_index until the policy settings for all applicable GPOs have been
196@@ -2766,6 +2846,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)
197 * (as part of the GPO Result object in the sysdb cache).
198 */
199 ret = ad_gpo_store_policy_settings(state->host_domain,
200+ state->allow_maps, state->deny_maps,
201 cse_filtered_gpo->policy_filename);
202 if (ret != EOK && ret != ENOENT) {
203 DEBUG(SSSDBG_OP_FAILURE,
204@@ -2779,6 +2860,13 @@ ad_gpo_cse_done(struct tevent_req *subreq)
205
206 if (ret == EOK) {
207 /* ret is EOK only after all GPO policy files have been downloaded */
208+ ret = store_hash_maps_in_cache(state->host_domain,
209+ state->allow_maps, state->deny_maps);
210+ if (ret != EOK) {
211+ DEBUG(SSSDBG_OP_FAILURE, "Failed to store evaluated GPO maps "
212+ "[%d][%s].\n", ret, sss_strerror(ret));
213+ goto done;
214+ }
215 ret = ad_gpo_perform_hbac_processing(state,
216 state->gpo_mode,
217 state->gpo_map_type,
218--
2192.25.1
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf b/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf
index 1e8b537..2c9c6fc 100644
--- a/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf
@@ -7,7 +7,8 @@ domains = shadowutils
7[pam] 7[pam]
8 8
9[domain/shadowutils] 9[domain/shadowutils]
10id_provider = files 10id_provider = proxy
11proxy_lib_name = files
11 12
12auth_provider = proxy 13auth_provider = proxy
13proxy_pam_target = sssd-shadowutils 14proxy_pam_target = sssd-shadowutils
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd b/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd
deleted file mode 100644
index 2a82413..0000000
--- a/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd
+++ /dev/null
@@ -1 +0,0 @@
1d root root 0750 /var/log/sssd none
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.10.2.bb
index f35d0c8..0ed62b8 100644
--- a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.10.2.bb
@@ -18,16 +18,13 @@ DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \
18 18
19SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/${BP}.tar.gz \ 19SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/${BP}.tar.gz \
20 file://sssd.conf \ 20 file://sssd.conf \
21 file://volatiles.99_sssd \
22 file://no_gen.patch \ 21 file://no_gen.patch \
23 file://fix_gid.patch \ 22 file://fix_gid.patch \
24 file://drop_ntpdate_chk.patch \ 23 file://drop_ntpdate_chk.patch \
25 file://fix-ldblibdir.patch \ 24 file://fix-ldblibdir.patch \
26 file://musl_fixup.patch \ 25 file://musl_fixup.patch \
27 file://0001-sssctl-add-error-analyzer.patch \
28 file://CVE-2023-3758.patch \
29 " 26 "
30SRC_URI[sha256sum] = "827bc65d64132410e6dd3df003f04829d60387ec30e72b2d4e22d93bb6f762ba" 27SRC_URI[sha256sum] = "e8aa5e6b48ae465bea7064048715ce7e9c53b50ec6a9c69304f59e0d35be40ff"
31 28
32UPSTREAM_CHECK_URI = "https://github.com/SSSD/${BPN}/releases" 29UPSTREAM_CHECK_URI = "https://github.com/SSSD/${BPN}/releases"
33 30
@@ -42,24 +39,23 @@ CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
42 ac_cv_prog_HAVE_PYTHON3=yes \ 39 ac_cv_prog_HAVE_PYTHON3=yes \
43 " 40 "
44 41
45PACKAGECONFIG ?= "nss autofs sudo infopipe" 42PACKAGECONFIG ?= "nss autofs sudo"
46PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}" 43PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
47PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" 44PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
48 45
49PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no" 46PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no"
50PACKAGECONFIG[crypto] = ", , libcrypto" 47PACKAGECONFIG[crypto] = ", , libcrypto"
51PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson" 48PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson"
52PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "
53PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native" 49PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native"
54PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl" 50PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
55PACKAGECONFIG[nss] = ", ,nss," 51PACKAGECONFIG[nss] = ", ,nss,"
56PACKAGECONFIG[oidc_child] = "--with-oidc-child, --without-oidc-child" 52PACKAGECONFIG[oidc_child] = "--with-oidc-child, --without-oidc-child"
57PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings python3dir=${PYTHON_SITEPACKAGES_DIR}, python3-setuptools-native" 53PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings python3dir=${PYTHON_SITEPACKAGES_DIR}, python3-setuptools-native"
58PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba" 54PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
59PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux" 55PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no, libselinux"
60PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, " 56PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, "
61PACKAGECONFIG[sudo] = "--with-sudo, --with-sudo=no, " 57PACKAGECONFIG[sudo] = "--with-sudo, --with-sudo=no, "
62PACKAGECONFIG[systemd] = "--with-initscript=systemd,--with-initscript=sysv,,python3-systemd" 58PACKAGECONFIG[systemd] = "--with-initscript=systemd --with-systemdunitdir=${systemd_system_unitdir} --with-systemdconfdir=${sysconfdir}/systemd/system, --with-initscript=sysv,,python3-systemd"
63 59
64EXTRA_OECONF += " \ 60EXTRA_OECONF += " \
65 --disable-cifs-idmap-plugin \ 61 --disable-cifs-idmap-plugin \
@@ -68,11 +64,11 @@ EXTRA_OECONF += " \
68 --without-python2-bindings \ 64 --without-python2-bindings \
69 --enable-pammoddir=${base_libdir}/security \ 65 --enable-pammoddir=${base_libdir}/security \
70 --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \ 66 --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \
71 --with-pid-path=/run \ 67 --with-pid-path=/run/sssd \
72 --with-os=fedora \ 68 --with-os=fedora \
73" 69"
74 70
75do_configure:prepend() { 71do_configure:prepend () {
76 mkdir -p ${AUTOTOOLS_AUXDIR}/build 72 mkdir -p ${AUTOTOOLS_AUXDIR}/build
77 cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/ 73 cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/
78 74
@@ -84,6 +80,7 @@ do_compile:prepend () {
84 sed -i -e "s/__useconds_t/useconds_t/g" ${S}/src/tools/tools_mc_util.c 80 sed -i -e "s/__useconds_t/useconds_t/g" ${S}/src/tools/tools_mc_util.c
85 echo '#define NSUPDATE_PATH "${bindir}"' >> ${B}/config.h 81 echo '#define NSUPDATE_PATH "${bindir}"' >> ${B}/config.h
86} 82}
83
87do_install () { 84do_install () {
88 oe_runmake install DESTDIR="${D}" 85 oe_runmake install DESTDIR="${D}"
89 rmdir --ignore-fail-on-non-empty "${D}/${bindir}" 86 rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
@@ -99,12 +96,14 @@ do_install () {
99 96
100 if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then 97 if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
101 install -d ${D}${sysconfdir}/tmpfiles.d 98 install -d ${D}${sysconfdir}/tmpfiles.d
102 echo "d /var/log/sssd 0750 - - - -" > ${D}${sysconfdir}/tmpfiles.d/sss.conf 99 echo "d /var/log/sssd 0750 ${SSSD_UID} ${SSSD_GID} - -" > ${D}${sysconfdir}/tmpfiles.d/sssd.conf
100 echo "d /run/sssd 0750 ${SSSD_UID} ${SSSD_GID} - -" >> ${D}${sysconfdir}/tmpfiles.d/sssd.conf
103 fi 101 fi
104 102
105 if [ "${@bb.utils.filter('DISTRO_FEATURES', 'sysvinit', d)}" ]; then 103 if [ "${@bb.utils.filter('DISTRO_FEATURES', 'sysvinit', d)}" ]; then
106 install -d ${D}${sysconfdir}/default/volatiles 104 install -d ${D}${sysconfdir}/default/volatiles
107 echo "d ${SSSD_UID}:${SSSD_GID} 0755 ${localstatedir}/log/${BPN} none" > ${D}${sysconfdir}/default/volatiles/99_${BPN} 105 echo "d ${SSSD_UID}:${SSSD_GID} 0750 ${localstatedir}/log/sssd none" > ${D}${sysconfdir}/default/volatiles/99_sssd
106 echo "d ${SSSD_UID}:${SSSD_GID} 0750 ${localstatedir}/run/sssd none" >> ${D}${sysconfdir}/default/volatiles/99_sssd
108 fi 107 fi
109 108
110 if ${@bb.utils.contains('PACKAGECONFIG', 'python3', 'true', 'false', d)}; then 109 if ${@bb.utils.contains('PACKAGECONFIG', 'python3', 'true', 'false', d)}; then
@@ -112,15 +111,13 @@ do_install () {
112 fi 111 fi
113 112
114 # Remove /run as it is created on startup 113 # Remove /run as it is created on startup
115 rm -rf ${D}/run 114 rm -rf ${D}/run ${D}/var/run
116
117 rm -f ${D}${systemd_system_unitdir}/sssd-secrets.*
118} 115}
119 116
120pkg_postinst_ontarget:${PN} () { 117pkg_postinst_ontarget:${PN} () {
121if [ -e /etc/init.d/populate-volatile.sh ] ; then 118 if [ -e /etc/init.d/populate-volatile.sh ] ; then
122 ${sysconfdir}/init.d/populate-volatile.sh update 119 ${sysconfdir}/init.d/populate-volatile.sh update
123fi 120 fi
124 chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf 121 chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf
125} 122}
126 123
@@ -131,12 +128,11 @@ INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ."
131SYSTEMD_SERVICE:${PN} = " \ 128SYSTEMD_SERVICE:${PN} = " \
132 ${@bb.utils.contains('PACKAGECONFIG', 'autofs', 'sssd-autofs.service sssd-autofs.socket', '', d)} \ 129 ${@bb.utils.contains('PACKAGECONFIG', 'autofs', 'sssd-autofs.service sssd-autofs.socket', '', d)} \
133 ${@bb.utils.contains('PACKAGECONFIG', 'curl', 'sssd-kcm.service sssd-kcm.socket', '', d)} \ 130 ${@bb.utils.contains('PACKAGECONFIG', 'curl', 'sssd-kcm.service sssd-kcm.socket', '', d)} \
134 ${@bb.utils.contains('PACKAGECONFIG', 'infopipe', 'sssd-ifp.service ', '', d)} \
135 ${@bb.utils.contains('PACKAGECONFIG', 'ssh', 'sssd-ssh.service sssd-ssh.socket', '', d)} \ 131 ${@bb.utils.contains('PACKAGECONFIG', 'ssh', 'sssd-ssh.service sssd-ssh.socket', '', d)} \
136 ${@bb.utils.contains('PACKAGECONFIG', 'sudo', 'sssd-sudo.service sssd-sudo.socket', '', d)} \ 132 ${@bb.utils.contains('PACKAGECONFIG', 'sudo', 'sssd-sudo.service sssd-sudo.socket', '', d)} \
133 sssd-ifp.service \
137 sssd-nss.service \ 134 sssd-nss.service \
138 sssd-nss.socket \ 135 sssd-nss.socket \
139 sssd-pam-priv.socket \
140 sssd-pam.service \ 136 sssd-pam.service \
141 sssd-pam.socket \ 137 sssd-pam.socket \
142 sssd.service \ 138 sssd.service \
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-05-13 08:20:18 +0000