From db3a3e87a6f6fcc424eb208bf37417ab3aeaf43a Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Thu, 9 Jun 2022 16:11:29 -0700 Subject: sssd:move to dynamic networking-layer Signed-off-by: Armin Kuster --- .../sssd/files/CVE-2021-3621.patch | 288 +++++++++++++++++++++ .../sssd/files/drop_ntpdate_chk.patch | 28 ++ .../sssd/files/fix-ldblibdir.patch | 25 ++ .../recipes-security/sssd/files/fix_gid.patch | 27 ++ .../recipes-security/sssd/files/musl_fixup.patch | 53 ++++ .../recipes-security/sssd/files/no_gen.patch | 19 ++ .../recipes-security/sssd/files/sssd.conf | 8 + .../recipes-security/sssd/files/volatiles.99_sssd | 1 + .../recipes-security/sssd/sssd_2.5.2.bb | 150 +++++++++++ 9 files changed, 599 insertions(+) create mode 100644 dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2021-3621.patch create mode 100644 dynamic-layers/networking-layer/recipes-security/sssd/files/drop_ntpdate_chk.patch create mode 100644 dynamic-layers/networking-layer/recipes-security/sssd/files/fix-ldblibdir.patch create mode 100644 dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch create mode 100644 dynamic-layers/networking-layer/recipes-security/sssd/files/musl_fixup.patch create mode 100644 dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch create mode 100644 dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf create mode 100644 dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd create mode 100644 dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.5.2.bb (limited to 'dynamic-layers/networking-layer') diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2021-3621.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2021-3621.patch new file mode 100644 index 0000000..7a59df9 --- /dev/null +++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2021-3621.patch @@ -0,0 +1,288 @@ +Backport patch to fix CVE-2021-3621. + +Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/7ab83f9] +CVE: CVE-2021-3621 + +Signed-off-by: Kai Kang + +From 7ab83f97e1cbefb78ece17232185bdd2985f0bbe Mon Sep 17 00:00:00 2001 +From: Alexey Tikhonov +Date: Fri, 18 Jun 2021 13:17:19 +0200 +Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of + user supplied command +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +:relnote: A flaw was found in SSSD, where the sssctl command was +vulnerable to shell command injection via the logs-fetch and +cache-expire subcommands. This flaw allows an attacker to trick +the root user into running a specially crafted sssctl command, +such as via sudo, to gain root access. The highest threat from this +vulnerability is to confidentiality, integrity, as well as system +availability. +This patch fixes a flaw by replacing system() with execvp(). + +:fixes: CVE-2021-3621 + +Reviewed-by: Pavel Březina +--- + src/tools/sssctl/sssctl.c | 39 ++++++++++++++++------- + src/tools/sssctl/sssctl.h | 2 +- + src/tools/sssctl/sssctl_data.c | 57 +++++++++++----------------------- + src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++---- + 4 files changed, 73 insertions(+), 57 deletions(-) + +diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c +index 2997dbf968..8adaf30910 100644 +--- a/src/tools/sssctl/sssctl.c ++++ b/src/tools/sssctl/sssctl.c +@@ -97,22 +97,36 @@ sssctl_prompt(const char *message, + return SSSCTL_PROMPT_ERROR; + } + +-errno_t sssctl_run_command(const char *command) ++errno_t sssctl_run_command(const char *const argv[]) + { + int ret; ++ int wstatus; + +- DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command); ++ DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]); + +- ret = system(command); ++ ret = fork(); + if (ret == -1) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command); + ERROR("Error while executing external command\n"); + return EFAULT; +- } else if (WEXITSTATUS(ret) != 0) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n", +- command, WEXITSTATUS(ret)); ++ } ++ ++ if (ret == 0) { ++ /* cast is safe - see ++ https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html ++ "The statement about argv[] and envp[] being constants ... " ++ */ ++ execvp(argv[0], discard_const_p(char * const, argv)); + ERROR("Error while executing external command\n"); +- return EIO; ++ _exit(1); ++ } else { ++ if (waitpid(ret, &wstatus, 0) == -1) { ++ ERROR("Error while executing external command '%s'\n", argv[0]); ++ return EFAULT; ++ } else if (WEXITSTATUS(wstatus) != 0) { ++ ERROR("Command '%s' failed with [%d]\n", ++ argv[0], WEXITSTATUS(wstatus)); ++ return EIO; ++ } + } + + return EOK; +@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action) + #elif defined(HAVE_SERVICE) + switch (action) { + case SSSCTL_SVC_START: +- return sssctl_run_command(SERVICE_PATH" sssd start"); ++ return sssctl_run_command( ++ (const char *[]){SERVICE_PATH, "sssd", "start", NULL}); + case SSSCTL_SVC_STOP: +- return sssctl_run_command(SERVICE_PATH" sssd stop"); ++ return sssctl_run_command( ++ (const char *[]){SERVICE_PATH, "sssd", "stop", NULL}); + case SSSCTL_SVC_RESTART: +- return sssctl_run_command(SERVICE_PATH" sssd restart"); ++ return sssctl_run_command( ++ (const char *[]){SERVICE_PATH, "sssd", "restart", NULL}); + } + #endif + +diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h +index 0115b2457c..599ef65196 100644 +--- a/src/tools/sssctl/sssctl.h ++++ b/src/tools/sssctl/sssctl.h +@@ -47,7 +47,7 @@ enum sssctl_prompt_result + sssctl_prompt(const char *message, + enum sssctl_prompt_result defval); + +-errno_t sssctl_run_command(const char *command); ++errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */ + bool sssctl_start_sssd(bool force); + bool sssctl_stop_sssd(bool force); + bool sssctl_restart_sssd(bool force); +diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c +index 8d79b977fd..bf22913416 100644 +--- a/src/tools/sssctl/sssctl_data.c ++++ b/src/tools/sssctl/sssctl_data.c +@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force) + } + } + +- ret = sssctl_run_command("sss_override user-export " +- SSS_BACKUP_USER_OVERRIDES); ++ ret = sssctl_run_command((const char *[]){"sss_override", "user-export", ++ SSS_BACKUP_USER_OVERRIDES, NULL}); + if (ret != EOK) { + ERROR("Unable to export user overrides\n"); + return ret; + } + +- ret = sssctl_run_command("sss_override group-export " +- SSS_BACKUP_GROUP_OVERRIDES); ++ ret = sssctl_run_command((const char *[]){"sss_override", "group-export", ++ SSS_BACKUP_GROUP_OVERRIDES, NULL}); + if (ret != EOK) { + ERROR("Unable to export group overrides\n"); + return ret; +@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart) + } + + if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) { +- ret = sssctl_run_command("sss_override user-import " +- SSS_BACKUP_USER_OVERRIDES); ++ ret = sssctl_run_command((const char *[]){"sss_override", "user-import", ++ SSS_BACKUP_USER_OVERRIDES, NULL}); + if (ret != EOK) { + ERROR("Unable to import user overrides\n"); + return ret; +@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart) + } + + if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) { +- ret = sssctl_run_command("sss_override group-import " +- SSS_BACKUP_GROUP_OVERRIDES); ++ ret = sssctl_run_command((const char *[]){"sss_override", "group-import", ++ SSS_BACKUP_GROUP_OVERRIDES, NULL}); + if (ret != EOK) { + ERROR("Unable to import group overrides\n"); + return ret; +@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline, + void *pvt) + { + errno_t ret; +- char *cmd_args = NULL; +- const char *cachecmd = SSS_CACHE; +- char *cmd = NULL; +- int i; +- +- if (cmdline->argc == 0) { +- ret = sssctl_run_command(cachecmd); +- goto done; +- } + +- cmd_args = talloc_strdup(tool_ctx, ""); +- if (cmd_args == NULL) { +- ret = ENOMEM; +- goto done; ++ const char **args = talloc_array_size(tool_ctx, ++ sizeof(char *), ++ cmdline->argc + 2); ++ if (!args) { ++ return ENOMEM; + } ++ memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc); ++ args[0] = SSS_CACHE; ++ args[cmdline->argc + 1] = NULL; + +- for (i = 0; i < cmdline->argc; i++) { +- cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]); +- if (i != cmdline->argc - 1) { +- cmd_args = talloc_strdup_append(cmd_args, " "); +- } +- } +- +- cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args); +- if (cmd == NULL) { +- ret = ENOMEM; +- goto done; +- } +- +- ret = sssctl_run_command(cmd); +- +-done: +- talloc_free(cmd_args); +- talloc_free(cmd); ++ ret = sssctl_run_command(args); + ++ talloc_free(args); + return ret; + } +diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c +index 9ff2be05b6..ebb2c4571c 100644 +--- a/src/tools/sssctl/sssctl_logs.c ++++ b/src/tools/sssctl/sssctl_logs.c +@@ -31,6 +31,7 @@ + #include + #include + #include ++#include + + #include "util/util.h" + #include "tools/common/sss_process.h" +@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline, + { + struct sssctl_logs_opts opts = {0}; + errno_t ret; ++ glob_t globbuf; + + /* Parse command line. */ + struct poptOption options[] = { +@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline, + + sss_signal(SIGHUP); + } else { ++ globbuf.gl_offs = 4; ++ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf); ++ if (ret != 0) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n"); ++ return ret; ++ } ++ globbuf.gl_pathv[0] = discard_const_p(char, "truncate"); ++ globbuf.gl_pathv[1] = discard_const_p(char, "--no-create"); ++ globbuf.gl_pathv[2] = discard_const_p(char, "--size"); ++ globbuf.gl_pathv[3] = discard_const_p(char, "0"); ++ + PRINT("Truncating log files...\n"); +- ret = sssctl_run_command("truncate --no-create --size 0 " LOG_FILES); ++ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv); ++ globfree(&globbuf); + if (ret != EOK) { + ERROR("Unable to truncate log files\n"); + return ret; +@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline, + void *pvt) + { + const char *file; +- const char *cmd; + errno_t ret; ++ glob_t globbuf; + + /* Parse command line. */ + ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL, +@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline, + return ret; + } + +- cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES); +- if (cmd == NULL) { +- ERROR("Out of memory!"); ++ globbuf.gl_offs = 3; ++ ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf); ++ if (ret != 0) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n"); ++ return ret; + } ++ globbuf.gl_pathv[0] = discard_const_p(char, "tar"); ++ globbuf.gl_pathv[1] = discard_const_p(char, "-czf"); ++ globbuf.gl_pathv[2] = discard_const_p(char, file); + + PRINT("Archiving log files into %s...\n", file); +- ret = sssctl_run_command(cmd); ++ ret = sssctl_run_command((const char * const*)globbuf.gl_pathv); ++ globfree(&globbuf); + if (ret != EOK) { + ERROR("Unable to archive log files\n"); + return ret; diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/drop_ntpdate_chk.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/drop_ntpdate_chk.patch new file mode 100644 index 0000000..338af5d --- /dev/null +++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/drop_ntpdate_chk.patch @@ -0,0 +1,28 @@ +nsupdate path is needed for various exec call +but don't run natvie tests on it. + + +Upstream-Status: Inappropriate [OE specific] +Signed-off-by: Armin Kuster + +Index: sssd-2.5.0/src/external/nsupdate.m4 +=================================================================== +--- sssd-2.5.0.orig/src/external/nsupdate.m4 ++++ sssd-2.5.0/src/external/nsupdate.m4 +@@ -3,16 +3,4 @@ AC_MSG_CHECKING(for executable nsupdate) + if test -x "$NSUPDATE"; then + AC_DEFINE_UNQUOTED([NSUPDATE_PATH], ["$NSUPDATE"], [The path to nsupdate]) + AC_MSG_RESULT(yes) +- +- AC_MSG_CHECKING(for nsupdate 'realm' support') +- if AC_RUN_LOG([echo realm |$NSUPDATE >&2]); then +- AC_MSG_RESULT([yes]) +- else +- AC_MSG_RESULT([no]) +- AC_MSG_ERROR([nsupdate does not support 'realm']) +- fi +- +-else +- AC_MSG_RESULT([no]) +- AC_MSG_ERROR([nsupdate is not available]) + fi diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/fix-ldblibdir.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix-ldblibdir.patch new file mode 100644 index 0000000..e350baf --- /dev/null +++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix-ldblibdir.patch @@ -0,0 +1,25 @@ +When calculate value of ldblibdir, it checks whether the directory of +$ldblibdir exists. If not, it assigns ldblibdir with ${libdir}/ldb. It is not +suitable for cross compile. Fix it that only re-assign ldblibdir when its value +is empty. + +Upstream-Status: Inappropriate [cross compile specific] + +Signed-off-by: Kai Kang +--- + src/external/libldb.m4 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/external/libldb.m4 b/src/external/libldb.m4 +index c400add..5e5f06d 100644 +--- a/src/external/libldb.m4 ++++ b/src/external/libldb.m4 +@@ -19,7 +19,7 @@ if test x"$with_ldb_lib_dir" != x; then + ldblibdir=$with_ldb_lib_dir + else + ldblibdir="`$PKG_CONFIG --variable=modulesdir ldb`" +- if ! test -d $ldblibdir; then ++ if test -z $ldblibdir; then + ldblibdir="${libdir}/ldb" + fi + fi diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch new file mode 100644 index 0000000..9b481cc --- /dev/null +++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch @@ -0,0 +1,27 @@ +from ../sssd-2.5.0/src/util/sss_pam_data.c:27: +| ../sssd-2.5.0/src/util/debug.h:88:44: error: unknown type name 'uid_t'; did you mean 'uint_t'? +| 88 | int chown_debug_file(const char *filename, uid_t uid, gid_t gid); +| | ^~~~~ +| | uint_t +| ../sssd-2.5.0/src/util/debug.h:88:55: error: unknown type name 'gid_t' +| 88 | int chown_debug_file(const char *filename, uid_t uid, gid_t gid); +| | ^~~~~ +| make[2]: *** [Makefile:22529: src/util/libsss_iface_la-sss_pam_data.lo] Error 1 +| make[2]: *** Waiting for unfinished jobs.... + +Upstream-Status: Pending +Signed-off-by: Armin Kuster + +Index: sssd-2.5.0/src/util/debug.h +=================================================================== +--- sssd-2.5.0.orig/src/util/debug.h ++++ sssd-2.5.0/src/util/debug.h +@@ -24,6 +24,8 @@ + #include "config.h" + + #include ++#include ++#include + #include + + #include "util/util_errors.h" diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/musl_fixup.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/musl_fixup.patch new file mode 100644 index 0000000..68f267c --- /dev/null +++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/musl_fixup.patch @@ -0,0 +1,53 @@ +fix musl build failures + +Missing _PATH_HOSTS and some NETDB defines when musl is enabled. + +These are work arounds for now while we figure out where the real fix should reside (musl, gcompact, sssd): + +./sssd-2.5.1/src/providers/fail_over.c:1199:19: error: '_PATH_HOSTS' undeclared (first use in this function) +| 1199 | _PATH_HOSTS); +| | ^~~~~~~~~~~ + +and + +i./sssd-2.5.1/src/sss_client/nss_ipnetworks.c:415:21: error: 'NETDB_INTERNAL' undeclared (first use in this function) +| 415 | *h_errnop = NETDB_INTERNAL; + + +Upstream-Status: Pending +Signed-off-by: Armin Kuster + +Index: sssd-2.5.1/src/providers/fail_over.c +=================================================================== +--- sssd-2.5.1.orig/src/providers/fail_over.c ++++ sssd-2.5.1/src/providers/fail_over.c +@@ -31,6 +31,10 @@ + #include + #include + ++#if !defined(_PATH_HOSTS) ++#define _PATH_HOSTS "/etc/hosts" ++#endif ++ + #include "util/dlinklist.h" + #include "util/refcount.h" + #include "util/util.h" +Index: sssd-2.5.1/src/sss_client/sss_cli.h +=================================================================== +--- sssd-2.5.1.orig/src/sss_client/sss_cli.h ++++ sssd-2.5.1/src/sss_client/sss_cli.h +@@ -44,6 +44,14 @@ typedef int errno_t; + #define EOK 0 + #endif + ++#ifndef NETDB_INTERNAL ++# define NETDB_INTERNAL (-1) ++#endif ++ ++#ifndef NETDB_SUCCESS ++# define NETDB_SUCCESS (0) ++#endif ++ + #define SSS_NSS_PROTOCOL_VERSION 1 + #define SSS_PAM_PROTOCOL_VERSION 3 + #define SSS_SUDO_PROTOCOL_VERSION 1 diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch new file mode 100644 index 0000000..5c83777 --- /dev/null +++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch @@ -0,0 +1,19 @@ +don't run generate-sbus-code + +Upstream-Status: Inappropriate [OE Specific] + +Signed-off-by: Armin Kuster + +Index: sssd-2.5.0/Makefile.am +=================================================================== +--- sssd-2.5.0.orig/Makefile.am ++++ sssd-2.5.0/Makefile.am +@@ -1033,8 +1033,6 @@ generate-sbus-code: + + .PHONY: generate-sbus-code + +-BUILT_SOURCES += generate-sbus-code +- + EXTRA_DIST += \ + sbus_generate.sh.in \ + src/sbus/codegen/dbus.xml \ diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf b/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf new file mode 100644 index 0000000..1709a7a --- /dev/null +++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf @@ -0,0 +1,8 @@ +[sssd] +services = nss, pam +config_file_version = 2 + +[nss] + +[pam] + diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd b/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd new file mode 100644 index 0000000..2a82413 --- /dev/null +++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd @@ -0,0 +1 @@ +d root root 0750 /var/log/sssd none diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.5.2.bb b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.5.2.bb new file mode 100644 index 0000000..9f1d627 --- /dev/null +++ b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.5.2.bb @@ -0,0 +1,150 @@ +SUMMARY = "system security services daemon" +DESCRIPTION = "SSSD is a system security services daemon" +HOMEPAGE = "https://pagure.io/SSSD/sssd/" +SECTION = "base" +LICENSE = "GPL-3.0-or-later" +LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504" + +DEPENDS = "acl attr openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive" +DEPENDS:append = " libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent bind p11-kit" + +DEPENDS:append:libc-musl = " musl-nscd" + +# If no crypto has been selected, default to DEPEND on nss, since that's what +# sssd will pick if no active choice is made during configure +DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \ + bb.utils.contains('PACKAGECONFIG', 'crypto', '', 'nss', d), d)}" + +SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/sssd-${PV}.tar.gz \ + file://sssd.conf \ + file://volatiles.99_sssd \ + file://no_gen.patch \ + file://fix_gid.patch \ + file://drop_ntpdate_chk.patch \ + file://fix-ldblibdir.patch \ + file://musl_fixup.patch \ + file://CVE-2021-3621.patch \ + " + +SRC_URI[sha256sum] = "5e21b3c7b4a2f1063d0fbdd3216d29886b6eaba153b44fb5961698367f399a0f" + +inherit autotools pkgconfig gettext python3-dir features_check systemd + +REQUIRED_DISTRO_FEATURES = "pam" + +SSSD_UID ?= "root" +SSSD_GID ?= "root" + +CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \ + ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \ + " + +PACKAGECONFIG ?="nss nscd autofs sudo infopipe" +PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}" +PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" + +PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no" +PACKAGECONFIG[crypto] = ", , libcrypto" +PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson" +PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, " +PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native" +PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl" +PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no " +PACKAGECONFIG[nss] = ", ,nss," +PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings" +PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba" +PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux" +PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, " +PACKAGECONFIG[sudo] = "--with-sudo, --with-sudo=no, " +PACKAGECONFIG[systemd] = "--with-initscript=systemd,--with-initscript=sysv" + +EXTRA_OECONF += " \ + --disable-cifs-idmap-plugin \ + --without-nfsv4-idmapd-plugin \ + --without-ipa-getkeytab \ + --without-python2-bindings \ + --enable-pammoddir=${base_libdir}/security \ + --without-python2-bindings \ + --without-secrets \ + --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \ + --with-pid-path=/run \ +" + +do_configure:prepend() { + mkdir -p ${AUTOTOOLS_AUXDIR}/build + cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/ + + # libresove has host path, remove it + sed -i -e "s#\$sss_extra_libdir##" ${S}/src/external/libresolv.m4 +} + +do_compile:prepend () { + echo '#define NSUPDATE_PATH "${bindir}"' >> ${B}/config.h +} +do_install () { + oe_runmake install DESTDIR="${D}" + rmdir --ignore-fail-on-non-empty "${D}/${bindir}" + install -d ${D}/${sysconfdir}/${BPN} + install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN} + + # /var/log/sssd needs to be created in runtime. Use rmdir to catch if + # upstream stops creating /var/log/sssd, or adds something else in + # /var/log. + rmdir ${D}${localstatedir}/log/${BPN} ${D}${localstatedir}/log + rmdir --ignore-fail-on-non-empty ${D}${localstatedir} + + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + install -d ${D}${sysconfdir}/tmpfiles.d + echo "d /var/log/sssd 0750 - - - -" > ${D}${sysconfdir}/tmpfiles.d/sss.conf + fi + + if [ "${@bb.utils.filter('DISTRO_FEATURES', 'sysvinit', d)}" ]; then + install -d ${D}${sysconfdir}/default/volatiles + echo "d ${SSSD_UID}:${SSSD_GID} 0755 ${localstatedir}/log/${BPN} none" > ${D}${sysconfdir}/default/volatiles/99_${BPN} + fi + + # Remove /run as it is created on startup + rm -rf ${D}/run + + rm -f ${D}${systemd_system_unitdir}/sssd-secrets.* +} + +pkg_postinst_ontarget:${PN} () { +if [ -e /etc/init.d/populate-volatile.sh ] ; then + ${sysconfdir}/init.d/populate-volatile.sh update +fi + chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf +} + +FILES:${PN} += "${nonarch_libdir}/tmpfiles.d" + +CONFFILES:${PN} = "${sysconfdir}/${BPN}/${BPN}.conf" + +INITSCRIPT_NAME = "sssd" +INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ." +SYSTEMD_SERVICE:${PN} = " \ + ${@bb.utils.contains('PACKAGECONFIG', 'autofs', 'sssd-autofs.service sssd-autofs.socket', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'curl', 'sssd-kcm.service sssd-kcm.socket', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'infopipe', 'sssd-ifp.service ', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'ssh', 'sssd-ssh.service sssd-ssh.socket', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'sudo', 'sssd-sudo.service sssd-sudo.socket', '', d)} \ + sssd-nss.service \ + sssd-nss.socket \ + sssd-pam-priv.socket \ + sssd-pam.service \ + sssd-pam.socket \ + sssd.service \ +" +SYSTEMD_AUTO_ENABLE = "disable" + +PACKAGES =+ "libsss-sudo" +ALLOW_EMPTY:libsss-sudo = "1" + +FILES:${PN} += "${base_libdir}/security/pam_sss*.so \ + ${datadir}/dbus-1/system-services/*.service \ + ${libdir}/krb5/* \ + ${libdir}/ldb/* \ + " +FILES:libsss-sudo = "${libdir}/libsss_sudo.so" + +RDEPENDS:${PN} = "bind bind-utils dbus libldb libpam libsss-sudo" -- cgit v1.2.3-54-g00ecf