9 files changed, 599 insertions, 0 deletions
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2021-3621.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2021-3621.patch
new file mode 100644
index 0000000..7a59df9
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2021-3621.patch
@@ -0,0 +1,288 @@
+Backport patch to fix CVE-2021-3621.
+Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/7ab83f9]
+CVE: CVE-2021-3621
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+From 7ab83f97e1cbefb78ece17232185bdd2985f0bbe Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov <atikhono@redhat.com>
+Date: Fri, 18 Jun 2021 13:17:19 +0200
+Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of
+ user supplied command
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+:relnote: A flaw was found in SSSD, where the sssctl command was
+vulnerable to shell command injection via the logs-fetch and
+cache-expire subcommands. This flaw allows an attacker to trick
+the root user into running a specially crafted sssctl command,
+such as via sudo, to gain root access. The highest threat from this
+vulnerability is to confidentiality, integrity, as well as system
+availability.
+This patch fixes a flaw by replacing system() with execvp().
+:fixes: CVE-2021-3621
+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
+---
+ src/tools/sssctl/sssctl.c      | 39 ++++++++++++++++-------
+ src/tools/sssctl/sssctl.h      |  2 +-
+ src/tools/sssctl/sssctl_data.c | 57 +++++++++++-----------------------
+ src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++----
+ 4 files changed, 73 insertions(+), 57 deletions(-)
+diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
+index 2997dbf968..8adaf30910 100644
+--- a/src/tools/sssctl/sssctl.c
+++ b/src/tools/sssctl/sssctl.c
+@@ -97,22 +97,36 @@ sssctl_prompt(const char *message,
+     return SSSCTL_PROMPT_ERROR;
+ }
+ 
+-errno_t sssctl_run_command(const char *command)
+errno_t sssctl_run_command(const char *const argv[])
+ {
+     int ret;
+    int wstatus;
+ 
+-    DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command);
+    DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]);
+ 
+-    ret = system(command);
+    ret = fork();
+     if (ret == -1) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command);
+         ERROR("Error while executing external command\n");
+         return EFAULT;
+-    } else if (WEXITSTATUS(ret) != 0) {
+-        DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n",
+-              command, WEXITSTATUS(ret));
+    }
+
+    if (ret == 0) {
+        /* cast is safe - see
+        https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
+        "The statement about argv[] and envp[] being constants ... "
+        */
+        execvp(argv[0], discard_const_p(char * const, argv));
+         ERROR("Error while executing external command\n");
+-        return EIO;
+        _exit(1);
+    } else {
+        if (waitpid(ret, &wstatus, 0) == -1) {
+            ERROR("Error while executing external command '%s'\n", argv[0]);
+            return EFAULT;
+        } else if (WEXITSTATUS(wstatus) != 0) {
+            ERROR("Command '%s' failed with [%d]\n",
+                  argv[0], WEXITSTATUS(wstatus));
+            return EIO;
+        }
+     }
+ 
+     return EOK;
+@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action)
+ #elif defined(HAVE_SERVICE)
+     switch (action) {
+     case SSSCTL_SVC_START:
+-        return sssctl_run_command(SERVICE_PATH" sssd start");
+        return sssctl_run_command(
+                      (const char *[]){SERVICE_PATH, "sssd", "start", NULL});
+     case SSSCTL_SVC_STOP:
+-        return sssctl_run_command(SERVICE_PATH" sssd stop");
+        return sssctl_run_command(
+                      (const char *[]){SERVICE_PATH, "sssd", "stop", NULL});
+     case SSSCTL_SVC_RESTART:
+-        return sssctl_run_command(SERVICE_PATH" sssd restart");
+        return sssctl_run_command(
+                      (const char *[]){SERVICE_PATH, "sssd", "restart", NULL});
+     }
+ #endif
+ 
+diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h
+index 0115b2457c..599ef65196 100644
+--- a/src/tools/sssctl/sssctl.h
+++ b/src/tools/sssctl/sssctl.h
+@@ -47,7 +47,7 @@ enum sssctl_prompt_result
+ sssctl_prompt(const char *message,
+               enum sssctl_prompt_result defval);
+ 
+-errno_t sssctl_run_command(const char *command);
+errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */
+ bool sssctl_start_sssd(bool force);
+ bool sssctl_stop_sssd(bool force);
+ bool sssctl_restart_sssd(bool force);
+diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
+index 8d79b977fd..bf22913416 100644
+--- a/src/tools/sssctl/sssctl_data.c
+++ b/src/tools/sssctl/sssctl_data.c
+@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force)
+         }
+     }
+ 
+-    ret = sssctl_run_command("sss_override user-export "
+-                             SSS_BACKUP_USER_OVERRIDES);
+    ret = sssctl_run_command((const char *[]){"sss_override", "user-export",
+                                              SSS_BACKUP_USER_OVERRIDES, NULL});
+     if (ret != EOK) {
+         ERROR("Unable to export user overrides\n");
+         return ret;
+     }
+ 
+-    ret = sssctl_run_command("sss_override group-export "
+-                             SSS_BACKUP_GROUP_OVERRIDES);
+    ret = sssctl_run_command((const char *[]){"sss_override", "group-export",
+                                              SSS_BACKUP_GROUP_OVERRIDES, NULL});
+     if (ret != EOK) {
+         ERROR("Unable to export group overrides\n");
+         return ret;
+@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
+     }
+ 
+     if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
+-        ret = sssctl_run_command("sss_override user-import "
+-                                 SSS_BACKUP_USER_OVERRIDES);
+        ret = sssctl_run_command((const char *[]){"sss_override", "user-import",
+                                                  SSS_BACKUP_USER_OVERRIDES, NULL});
+         if (ret != EOK) {
+             ERROR("Unable to import user overrides\n");
+             return ret;
+@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
+     }
+ 
+     if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
+-        ret = sssctl_run_command("sss_override group-import "
+-                                 SSS_BACKUP_GROUP_OVERRIDES);
+        ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
+                                                  SSS_BACKUP_GROUP_OVERRIDES, NULL});
+         if (ret != EOK) {
+             ERROR("Unable to import group overrides\n");
+             return ret;
+@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline,
+                             void *pvt)
+ {
+     errno_t ret;
+-    char *cmd_args = NULL;
+-    const char *cachecmd = SSS_CACHE;
+-    char *cmd = NULL;
+-    int i;
+-
+-    if (cmdline->argc == 0) {
+-        ret = sssctl_run_command(cachecmd);
+-        goto done;
+-    }
+ 
+-    cmd_args = talloc_strdup(tool_ctx, "");
+-    if (cmd_args == NULL) {
+-        ret = ENOMEM;
+-        goto done;
+    const char **args = talloc_array_size(tool_ctx,
+                                          sizeof(char *),
+                                          cmdline->argc + 2);
+    if (!args) {
+        return ENOMEM;
+     }
+    memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc);
+    args[0] = SSS_CACHE;
+    args[cmdline->argc + 1] = NULL;
+ 
+-    for (i = 0; i < cmdline->argc; i++) {
+-        cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]);
+-        if (i != cmdline->argc - 1) {
+-            cmd_args = talloc_strdup_append(cmd_args, " ");
+-        }
+-    }
+-
+-    cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args);
+-    if (cmd == NULL) {
+-        ret = ENOMEM;
+-        goto done;
+-    }
+-
+-    ret = sssctl_run_command(cmd);
+-
+-done:
+-    talloc_free(cmd_args);
+-    talloc_free(cmd);
+    ret = sssctl_run_command(args);
+ 
+    talloc_free(args);
+     return ret;
+ }
+diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
+index 9ff2be05b6..ebb2c4571c 100644
+--- a/src/tools/sssctl/sssctl_logs.c
+++ b/src/tools/sssctl/sssctl_logs.c
+@@ -31,6 +31,7 @@
+ #include <ldb.h>
+ #include <popt.h>
+ #include <stdio.h>
+#include <glob.h>
+ 
+ #include "util/util.h"
+ #include "tools/common/sss_process.h"
+@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
+ {
+     struct sssctl_logs_opts opts = {0};
+     errno_t ret;
+    glob_t globbuf;
+ 
+     /* Parse command line. */
+     struct poptOption options[] = {
+@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
+ 
+         sss_signal(SIGHUP);
+     } else {
+        globbuf.gl_offs = 4;
+        ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
+        if (ret != 0) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
+            return ret;
+        }
+        globbuf.gl_pathv[0] = discard_const_p(char, "truncate");
+        globbuf.gl_pathv[1] = discard_const_p(char, "--no-create");
+        globbuf.gl_pathv[2] = discard_const_p(char, "--size");
+        globbuf.gl_pathv[3] = discard_const_p(char, "0");
+
+         PRINT("Truncating log files...\n");
+-        ret = sssctl_run_command("truncate --no-create --size 0 " LOG_FILES);
+        ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
+        globfree(&globbuf);
+         if (ret != EOK) {
+             ERROR("Unable to truncate log files\n");
+             return ret;
+@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
+                           void *pvt)
+ {
+     const char *file;
+-    const char *cmd;
+     errno_t ret;
+    glob_t globbuf;
+ 
+     /* Parse command line. */
+     ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL,
+@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
+         return ret;
+     }
+ 
+-    cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES);
+-    if (cmd == NULL) {
+-        ERROR("Out of memory!");
+    globbuf.gl_offs = 3;
+    ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
+    if (ret != 0) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
+        return ret;
+     }
+    globbuf.gl_pathv[0] = discard_const_p(char, "tar");
+    globbuf.gl_pathv[1] = discard_const_p(char, "-czf");
+    globbuf.gl_pathv[2] = discard_const_p(char, file);
+ 
+     PRINT("Archiving log files into %s...\n", file);
+-    ret = sssctl_run_command(cmd);
+    ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
+    globfree(&globbuf);
+     if (ret != EOK) {
+         ERROR("Unable to archive log files\n");
+         return ret;
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/drop_ntpdate_chk.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/drop_ntpdate_chk.patch
new file mode 100644
index 0000000..338af5d
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/drop_ntpdate_chk.patch
@@ -0,0 +1,28 @@
+nsupdate path is needed for various exec call
+but don't run natvie tests on it.
+Upstream-Status: Inappropriate [OE specific]
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+Index: sssd-2.5.0/src/external/nsupdate.m4
+===================================================================
+--- sssd-2.5.0.orig/src/external/nsupdate.m4
+++ sssd-2.5.0/src/external/nsupdate.m4
+@@ -3,16 +3,4 @@ AC_MSG_CHECKING(for executable nsupdate)
+ if test -x "$NSUPDATE"; then
+   AC_DEFINE_UNQUOTED([NSUPDATE_PATH], ["$NSUPDATE"], [The path to nsupdate])
+   AC_MSG_RESULT(yes)
+-
+-  AC_MSG_CHECKING(for nsupdate 'realm' support')
+-  if AC_RUN_LOG([echo realm |$NSUPDATE >&2]); then
+-    AC_MSG_RESULT([yes])
+-  else
+-    AC_MSG_RESULT([no])
+-    AC_MSG_ERROR([nsupdate does not support 'realm'])
+-  fi
+-
+-else
+-  AC_MSG_RESULT([no])
+-  AC_MSG_ERROR([nsupdate is not available])
+ fi
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/fix-ldblibdir.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix-ldblibdir.patch
new file mode 100644
index 0000000..e350baf
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix-ldblibdir.patch
@@ -0,0 +1,25 @@
+When calculate value of ldblibdir, it checks whether the directory of
+$ldblibdir exists. If not, it assigns ldblibdir with ${libdir}/ldb. It is not
+suitable for cross compile. Fix it that only re-assign ldblibdir when its value
+is empty.
+Upstream-Status: Inappropriate [cross compile specific]
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ src/external/libldb.m4 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/external/libldb.m4 b/src/external/libldb.m4
+index c400add..5e5f06d 100644
+--- a/src/external/libldb.m4
+++ b/src/external/libldb.m4
+@@ -19,7 +19,7 @@ if test x"$with_ldb_lib_dir" != x; then
+     ldblibdir=$with_ldb_lib_dir
+ else
+     ldblibdir="`$PKG_CONFIG --variable=modulesdir ldb`"
+-    if ! test -d $ldblibdir; then
+    if test -z $ldblibdir; then
+         ldblibdir="${libdir}/ldb"
+     fi
+ fi
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch
new file mode 100644
index 0000000..9b481cc
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch
@@ -0,0 +1,27 @@
+from ../sssd-2.5.0/src/util/sss_pam_data.c:27:
+| ../sssd-2.5.0/src/util/debug.h:88:44: error: unknown type name 'uid_t'; did you mean 'uint_t'?
+|    88 | int chown_debug_file(const char *filename, uid_t uid, gid_t gid);
+|       |                                            ^~~~~
+|       |                                            uint_t
+| ../sssd-2.5.0/src/util/debug.h:88:55: error: unknown type name 'gid_t'
+|    88 | int chown_debug_file(const char *filename, uid_t uid, gid_t gid);
+|       |                                                       ^~~~~
+| make[2]: *** [Makefile:22529: src/util/libsss_iface_la-sss_pam_data.lo] Error 1
+| make[2]: *** Waiting for unfinished jobs....
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+Index: sssd-2.5.0/src/util/debug.h
+===================================================================
+--- sssd-2.5.0.orig/src/util/debug.h
+++ sssd-2.5.0/src/util/debug.h
+@@ -24,6 +24,8 @@
+ #include "config.h"
+ 
+ #include <stdio.h>
+#include <unistd.h>
+#include <sys/types.h>
+ #include <stdbool.h>
+ 
+ #include "util/util_errors.h"
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/musl_fixup.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/musl_fixup.patch
new file mode 100644
index 0000000..68f267c
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/musl_fixup.patch
@@ -0,0 +1,53 @@
+fix musl build failures
+Missing _PATH_HOSTS and some NETDB defines when musl is enabled.
+These are work arounds for now while we figure out where the real fix should reside (musl, gcompact, sssd):
+./sssd-2.5.1/src/providers/fail_over.c:1199:19: error: '_PATH_HOSTS' undeclared (first use in this function)
+|  1199 |                   _PATH_HOSTS);
+|       |                   ^~~~~~~~~~~
+and 
+i./sssd-2.5.1/src/sss_client/nss_ipnetworks.c:415:21: error: 'NETDB_INTERNAL' undeclared (first use in this function)
+|   415 |         *h_errnop = NETDB_INTERNAL;
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+Index: sssd-2.5.1/src/providers/fail_over.c
+===================================================================
+--- sssd-2.5.1.orig/src/providers/fail_over.c
+++ sssd-2.5.1/src/providers/fail_over.c
+@@ -31,6 +31,10 @@
+ #include <talloc.h>
+ #include <netdb.h>
+ 
+#if !defined(_PATH_HOSTS)
+#define _PATH_HOSTS     "/etc/hosts"
+#endif
+
+ #include "util/dlinklist.h"
+ #include "util/refcount.h"
+ #include "util/util.h"
+Index: sssd-2.5.1/src/sss_client/sss_cli.h
+===================================================================
+--- sssd-2.5.1.orig/src/sss_client/sss_cli.h
+++ sssd-2.5.1/src/sss_client/sss_cli.h
+@@ -44,6 +44,14 @@ typedef int errno_t;
+ #define EOK 0
+ #endif
+ 
+#ifndef NETDB_INTERNAL
+# define NETDB_INTERNAL (-1)
+#endif
+
+#ifndef NETDB_SUCCESS
+# define NETDB_SUCCESS (0)
+#endif
+
+ #define SSS_NSS_PROTOCOL_VERSION 1
+ #define SSS_PAM_PROTOCOL_VERSION 3
+ #define SSS_SUDO_PROTOCOL_VERSION 1
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch
new file mode 100644
index 0000000..5c83777
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch
@@ -0,0 +1,19 @@
+don't run generate-sbus-code
+Upstream-Status: Inappropriate [OE Specific]
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+Index: sssd-2.5.0/Makefile.am
+===================================================================
+--- sssd-2.5.0.orig/Makefile.am
+++ sssd-2.5.0/Makefile.am
+@@ -1033,8 +1033,6 @@ generate-sbus-code:
+ 
+ .PHONY: generate-sbus-code
+ 
+-BUILT_SOURCES += generate-sbus-code
+-
+ EXTRA_DIST += \
+     sbus_generate.sh.in \
+     src/sbus/codegen/dbus.xml \
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf b/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf
new file mode 100644
index 0000000..1709a7a
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf
@@ -0,0 +1,8 @@
+[sssd]
+services = nss, pam
+config_file_version = 2
+[nss]
+[pam]
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd b/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd
new file mode 100644
index 0000000..2a82413
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd
@@ -0,0 +1 @@
+d root root 0750 /var/log/sssd none
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.5.2.bb b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.5.2.bb
new file mode 100644
index 0000000..9f1d627
--- /dev/null
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.5.2.bb
@@ -0,0 +1,150 @@
+SUMMARY = "system security services daemon"
+DESCRIPTION = "SSSD is a system security services daemon"
+HOMEPAGE = "https://pagure.io/SSSD/sssd/"
+SECTION = "base"
+LICENSE = "GPL-3.0-or-later"
+LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
+DEPENDS = "acl attr openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
+DEPENDS:append = " libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent bind p11-kit"
+DEPENDS:append:libc-musl = " musl-nscd"
+# If no crypto has been selected, default to DEPEND on nss, since that's what
+# sssd will pick if no active choice is made during configure
+DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \
+               bb.utils.contains('PACKAGECONFIG', 'crypto', '', 'nss', d), d)}"
+SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/sssd-${PV}.tar.gz \
+           file://sssd.conf \
+           file://volatiles.99_sssd \
+           file://no_gen.patch \
+           file://fix_gid.patch \
+           file://drop_ntpdate_chk.patch \
+           file://fix-ldblibdir.patch \
+           file://musl_fixup.patch \
+           file://CVE-2021-3621.patch \
+           "
+SRC_URI[sha256sum] = "5e21b3c7b4a2f1063d0fbdd3216d29886b6eaba153b44fb5961698367f399a0f"
+inherit autotools pkgconfig gettext python3-dir features_check systemd
+REQUIRED_DISTRO_FEATURES = "pam"
+SSSD_UID ?= "root"
+SSSD_GID ?= "root"
+CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
+    ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
+    "
+PACKAGECONFIG ?="nss nscd autofs sudo infopipe"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
+PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no"
+PACKAGECONFIG[crypto] = ", , libcrypto"
+PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson"
+PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "
+PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native"
+PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
+PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
+PACKAGECONFIG[nss] = ", ,nss,"
+PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings"
+PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
+PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"
+PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, "
+PACKAGECONFIG[sudo] = "--with-sudo, --with-sudo=no, "
+PACKAGECONFIG[systemd] = "--with-initscript=systemd,--with-initscript=sysv"
+EXTRA_OECONF += " \
+    --disable-cifs-idmap-plugin \
+    --without-nfsv4-idmapd-plugin \
+    --without-ipa-getkeytab \
+    --without-python2-bindings \
+    --enable-pammoddir=${base_libdir}/security \
+    --without-python2-bindings \
+    --without-secrets \
+    --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \
+    --with-pid-path=/run \
+"
+do_configure:prepend() {
+    mkdir -p ${AUTOTOOLS_AUXDIR}/build
+    cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/
+    # libresove has host path, remove it
+    sed -i -e "s#\$sss_extra_libdir##" ${S}/src/external/libresolv.m4
+}
+do_compile:prepend () {
+     echo '#define NSUPDATE_PATH "${bindir}"' >> ${B}/config.h
+}
+do_install () {
+    oe_runmake install  DESTDIR="${D}"
+    rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
+    install -d ${D}/${sysconfdir}/${BPN}
+    install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}
+    # /var/log/sssd needs to be created in runtime. Use rmdir to catch if
+    # upstream stops creating /var/log/sssd, or adds something else in
+    # /var/log.
+    rmdir ${D}${localstatedir}/log/${BPN} ${D}${localstatedir}/log
+    rmdir --ignore-fail-on-non-empty ${D}${localstatedir}
+    if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+        install -d ${D}${sysconfdir}/tmpfiles.d
+        echo "d /var/log/sssd 0750 - - - -" > ${D}${sysconfdir}/tmpfiles.d/sss.conf
+    fi
+    if [ "${@bb.utils.filter('DISTRO_FEATURES', 'sysvinit', d)}" ]; then
+        install -d ${D}${sysconfdir}/default/volatiles
+        echo "d ${SSSD_UID}:${SSSD_GID} 0755 ${localstatedir}/log/${BPN} none" > ${D}${sysconfdir}/default/volatiles/99_${BPN}
+    fi
+    # Remove /run as it is created on startup
+    rm -rf ${D}/run
+    rm -f ${D}${systemd_system_unitdir}/sssd-secrets.*
+}
+pkg_postinst_ontarget:${PN} () {
+if [ -e /etc/init.d/populate-volatile.sh ] ; then
+    ${sysconfdir}/init.d/populate-volatile.sh update
+fi
+    chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf
+}
+FILES:${PN} += "${nonarch_libdir}/tmpfiles.d"
+CONFFILES:${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"
+INITSCRIPT_NAME = "sssd"
+INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ."
+SYSTEMD_SERVICE:${PN} = " \
+    ${@bb.utils.contains('PACKAGECONFIG', 'autofs', 'sssd-autofs.service sssd-autofs.socket', '', d)} \
+    ${@bb.utils.contains('PACKAGECONFIG', 'curl', 'sssd-kcm.service sssd-kcm.socket', '', d)} \
+    ${@bb.utils.contains('PACKAGECONFIG', 'infopipe', 'sssd-ifp.service ', '', d)} \
+    ${@bb.utils.contains('PACKAGECONFIG', 'ssh', 'sssd-ssh.service sssd-ssh.socket', '', d)} \
+    ${@bb.utils.contains('PACKAGECONFIG', 'sudo', 'sssd-sudo.service sssd-sudo.socket', '', d)} \
+    sssd-nss.service \
+    sssd-nss.socket \
+    sssd-pam-priv.socket \
+    sssd-pam.service \
+    sssd-pam.socket \
+    sssd.service \
+"
+SYSTEMD_AUTO_ENABLE = "disable"
+PACKAGES =+ "libsss-sudo"
+ALLOW_EMPTY:libsss-sudo = "1"
+FILES:${PN} += "${base_libdir}/security/pam_sss*.so  \
+                ${datadir}/dbus-1/system-services/*.service \
+                ${libdir}/krb5/* \
+                ${libdir}/ldb/* \
+                "
+FILES:libsss-sudo = "${libdir}/libsss_sudo.so"
+RDEPENDS:${PN} = "bind bind-utils dbus libldb libpam libsss-sudo"