From 2a0c4dfa602984f42737863abb02492277ebc72d Mon Sep 17 00:00:00 2001 
From: Stephen Gallagher
Date: Oct 23 2009 19:59:19 +0000
Subject:

Dmitri Pal (10):
      COLLECTION Adding item comparison and sorting
      COLLECTION Realigning collection code
      COLLECTION Making iterations pinnable
      COLLECTION Enhancing hashing and iteration functions
      ELAPI Event resolver
      ELAPI Resolving message attribute
      ELAPI Fixing warnings in the example
      ELAPI Rename variables and functions not to use word template
      ELAPI Fixed the host name resolution
      ELAPI Compatibility code for getifaddr()

Jakub Hrozek (3):
      Fix python sync operations and mem hierarchy
      Fix error messages in tools
      User home directories management

Martin Nagy (7):
      Use correct talloc context in sss_names_init()
      Fix potential memory leaks in the data provider
      Use talloc_get_type() for type safety
      Use talloc to copy data from c-ares
      Add a new set of helpful common functions for tests
      Various improvements to the resolv test suite
      Delete sssd-i18n.h and put its old contents into util.h

Piotr Drąg (1):
      Update polish translation for 0.6.0

Ralf Haferkamp (2):
      LDAP provider needs to link against krb libraries
      SUSE specific init script

Simo Sorce (21):
      Tighten up permission.
      Initial implementation of sasl bind support
      Fix tools sync operations and mem hierarchy
      Fix long timeout on ldap operation
      Make dp requests more robust
      Differentiate between search and network timeouts
      Remove DP process
      Start responders predictably after providers
      Remove magicPrivateGroups option
      Fix services startup when only LOCAL is configured
      Make options parser available to all providers
      Move ldap provider configuration into its own file
      Fix offline authentication
      Return the dp error from the providers
      Move all ldap provider init functions
      Move all krb5 provider init functions
      Add first basic IPA provider
      Always list inputs before outputs
      Start implementing ipa specific options.
      Better offline/enumeration behavior
      Fix setting the schema in the ipa provider

Stephen Gallagher (24):
      Update version to 0.6.0
      Fix infinite loop with empty group enumeration
      Updating release script to use the VERSION file
      Change requirement on libldb to libldb >= 0.9.3
      INI Add config_from_fd() to ini_config
      Remove unused btreemap code
      Add new SSSDConfig python API
      Add plugin configuration schema for proxy provider
      Package SSSDConfig API
      Clean up warnings in pysss.c
      Remove warnings caused by 5e2301b8a75d10e5cbbe11e26e5192b894af6ad7
      Remove two unused functions.
      Fix segfault when using SSS tools with no local provider
      Do not allow setting auth, access or chpass providers for LOCAL
      Add krb5_common.h to the list of headers to 'make dist'
      Use Python 3-compatible sitearch and sitelib
      Better detect installed language files
      Clean up rpmlint errors and warnings in sssd-client package
      Set the Default-Stop LSB option for the SSSD sysv init script
      Fix RPM builds on older versions of rpmbuild
      Bring SSSDConfig API options up-to-date
      Add pam_ctx (similar to nss_ctx) for storing global PAM config
      Add support for offline auth cache timeout
      Update version to 0.7.0

Sumit Bose (28):
      update sysdb tests to new config file version
      add utility call check_and_open_readonly
      more documentation and test for sssd.conf
      handle expired password during authentication
      move password handling into subroutines
      ask for new password if password is expired
      remove redundant talloc_free
      add description of chpass_provider option to sssd.conf man page
      add support for server side LDAP password policies
      add syslog message similar to pam_unix
      use the correct kerberos context for each target
      fix a wrong argument to unpack_buffer
      add -Werror-implicit-function-declaration to default gcc flags
      add a replacement if ldap_control_create is missing
      use PYTHON_PREFIX to install SSSDConfig python API
      add missing %defattr to the filelist of the client package
      make sdap_id_connect_* independent of sdap_id_ctx
      send a message if a backend target is not configured
      use old password if available during password change
      set chpass_provider implicit if not set explicit
      more implicit provider target settings
      enable debugging of krb5_child
      Check for expired passwords in LDAP provider
      added generic LDAP search sdap_get_generic_send/_recv
      add store/search/delete interface for custom sysdb objects
      update krb5 option handling to new option scheme
      update ipa auth options to new option scheme
      fix a compiler warning about redefinition of DEBUG

--- diff --git a/.cvsignore b/.cvsignore index c1780f2..a1b5b4a 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -sssd-0.6.1.tar.gz +sssd-0.7.0.tar.gz diff --git a/0001-Tighten-up-permission.patch b/0001-Tighten-up-permission.patch deleted file mode 100644 index 8f1d70f..0000000 --- a/0001-Tighten-up-permission.patch +++ /dev/null
@@ -1,76 +0,0 @@ -From e98645b11a18d5eba14f9108504003ffdfe81f3a Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Mon, 28 Sep 2009 07:51:26 -0400 -Subject: [PATCH] Tighten up permission. - -SSSD may contain passwords and other sensitive data, make sure we always keep its -permission tight. Also make /etc/sssd permission very strict, just in case, -admins may inadvertently copy an sssd.conf file without checking it's -permissions. ---- - contrib/sssd.spec.in | 2 +- - server/upgrade/upgrade_config.py | 13 ++++++++++++- - 2 files changed, 13 insertions(+), 2 deletions(-) - -diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in -index 2dd291f..93a1401 100644 ---- a/contrib/sssd.spec.in -+++ b/contrib/sssd.spec.in -@@ -132,7 +132,7 @@ rm -rf $RPM_BUILD_ROOT - %attr(755,root,root) %dir %{pipepath} - %attr(700,root,root) %dir %{pipepath}/private - %attr(750,root,root) %dir %{_var}/log/%{name} --%dir %{_sysconfdir}/sssd -+%attr(700,root,root) %dir %{_sysconfdir}/sssd - %config(noreplace) %{_sysconfdir}/sssd/sssd.conf - %config %{_sysconfdir}/sssd/sssd.api.conf - %attr(700,root,root) %dir %{_sysconfdir}/sssd/sssd.api.d -diff --git a/server/upgrade/upgrade_config.py b/server/upgrade/upgrade_config.py -index 412fad5..87e3990 100644 ---- a/server/upgrade/upgrade_config.py -+++ b/server/upgrade/upgrade_config.py -@@ -20,6 +20,7 @@ - # You should have received a copy of the GNU General Public License - # along with this program. If not, see . 
- -+import os - import sys - import shutil - import traceback -@@ -91,6 +92,9 @@ class SSSDConfigFile(object): - " Copy the file we operate on to a backup location " - shutil.copy(self.file_name, self.file_name+".bak") - -+ # make sure we don't leak data, force permissions on the backup -+ os.chmod(self.file_name+".bak", 0600) -+ - def _migrate_if_exists(self, to_section, to_option, from_section, from_option): - """ - Move value of parameter from one section to another, renaming the parameter -@@ -281,8 +285,12 @@ class SSSDConfigFile(object): - # Migrate domains - self._migrate_domains() - -- # all done, write the file -+ # all done, open the file for writing - of = open(out_file_name, "wb") -+ -+ # make sure it has the right permissions too -+ os.chmod(out_file_name, 0600) -+ - self._new_config.write(of) - - def parse_options(): -@@ -337,6 +345,9 @@ def main(): - print >>sys.stderr, "Can only upgrade from v1 to v2, file %s looks like version %d" % (options.filename, config.get_version()) - return 1 - -+ # make sure we keep strict settings when creating new files -+ os.umask(0077) -+ - try: - config.upgrade_v2(options.outfile, options.backup) - except Exception, e: --- -1.6.2.5 - diff --git a/sources b/sources index 5f962ee..c51859b 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -2deb5f1506ae2e172c9ce1de45c1d1df sssd-0.6.1.tar.gz +403945c70c902302e5d8babecb24b096 sssd-0.7.0.tar.gz diff --git a/sssd.spec b/sssd.spec index 1ec868a..8501d9f 100644 --- a/sssd.spec +++ b/sssd.spec 
@@ -1,12 +1,11 @@ -%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")} -%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")} +%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import *; import sys; sys.stdout.write(get_python_lib(1))")} +%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import *; import sys; sys.stdout.write(get_python_lib())")} Name: sssd -Version: 0.6.1 -Release: 2%{?dist} +Version: 0.7.0 +Release: 1%{?dist} Group: Applications/System Summary: System Security Services Daemon - # The entire source code is GPLv3+ except replace/ which is LGPLv3+ License: GPLv3+ and LGPLv3+ URL: http://fedorahosted.org/sssd @@ -16,14 +15,11 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) ### Patches ### -Patch1: 0001-Tighten-up-permission.patch - ### Dependencies ### Requires: libldb >= 0.9.3 Requires: libtdb >= 1.1.3 - -Requires: sssd-client = 0.6.1 +Requires: sssd-client = 0.7.0 Requires(post): python Requires(preun): initscripts chkconfig Requires(postun): /sbin/service @@ -77,8 +73,6 @@ service. %prep %setup -q -%patch1 -p1 -b .tighten_permission - %build %configure \ --without-tests \ @@ -94,6 +88,16 @@ rm -rf $RPM_BUILD_ROOT make install DESTDIR=$RPM_BUILD_ROOT +# Prepare language files +/usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sss_daemon +/usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sss_client + +mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sssd +install -m600 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.conf + +install -m400 server/config/etc/sssd.api.conf $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.api.conf +install -m400 server/config/etc/sssd.api.d/* $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.api.d/ + # Remove .la files created by libtool rm -f \ $RPM_BUILD_ROOT/%{_lib}/libnss_sss.la \ 
@@ -105,23 +109,17 @@ rm -f \ $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.la \ $RPM_BUILD_ROOT/%{python_sitearch}/pysss.la -mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sssd -install -m600 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.conf - -mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.api.d -install -m400 server/config/etc/sssd.api.conf $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.api.conf -install -m400 server/config/etc/sssd.api.d/* $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.api.d/ - -touch locator.filelist if test -e $RPM_BUILD_ROOT/%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so then - echo %{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so > locator.filelist + # Apppend this file to the sss_daemon.lang + # Older versions of rpmbuild can only handle one -f option + echo %{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so >> sss_daemon.lang fi %clean rm -rf $RPM_BUILD_ROOT -%files -f locator.filelist +%files -f sss_daemon.lang %defattr(-,root,root,-) %doc COPYING %attr(755,root,root) %{_initrddir}/%{name} @@ -146,6 +144,7 @@ rm -rf $RPM_BUILD_ROOT %attr(700,root,root) %dir %{_sysconfdir}/sssd/sssd.api.d %config %{_sysconfdir}/sssd/sssd.api.d/ %{_mandir}/man5/sssd.conf.5* +%{_mandir}/man5/sssd-ipa.5* %{_mandir}/man5/sssd-krb5.5* %{_mandir}/man5/sssd-ldap.5* %{_mandir}/man8/sssd.8* @@ -156,13 +155,11 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/sss_userdel.8* %{_mandir}/man8/sss_usermod.8* %{_mandir}/man8/sssd_krb5_locator_plugin.8* -%{_datadir}/locale/*/LC_MESSAGES/sss_client.mo -%{_datadir}/locale/*/LC_MESSAGES/sss_daemon.mo %{python_sitearch}/pysss.so %{python_sitelib}/*.py* %{?fedora:%{python_sitelib}/*.egg-info} -%files client +%files client -f sss_client.lang %defattr(-,root,root,-) /%{_lib}/libnss_sss.so.2 /%{_lib}/security/pam_sss.so 
@@ -188,7 +185,14 @@ if [ $1 -ge 1 ] ; then /sbin/service %{servicename} condrestart 2>&1 > /dev/null fi +%post client -p /sbin/ldconfig + +%postun client -p /sbin/ldconfig + %changelog +* Fri Oct 23 2009 Stephen Gallagher - 0.7.0-1 +- New upstream release 0.7.0 + * Thu Oct 15 2009 Stephen Gallagher - 0.6.1-2 - Fix missing file permissions for sssd-clients
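Review bot: Deleting 0001-Tighten-up-permission.patch is justified only because "Tighten up permission." appears in Simo Sorce's shortlog for 0.7.0, so please confirm in the 0.7.0 tarball that both halves of that patch survived upstream: the `%attr(700,root,root) %dir %{_sysconfdir}/sssd` line in contrib/sssd.spec.in and the `os.umask(0077)` plus the two `os.chmod(..., 0600)` calls in server/upgrade/upgrade_config.py. The visible `%files` context in sssd.spec still shows `%attr(700,root,root) %dir %{_sysconfdir}/sssd/sssd.api.d` but not the `%dir %{_sysconfdir}/sssd` line itself, so nothing in this diff proves the directory mode is still enforced, and a world-readable /etc/sssd would expose whatever credentials an admin pastes into sssd.conf.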
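Review bot: In the `sources` hunk the only integrity check on the new tarball is the md5 `403945c70c902302e5d8babecb24b096`; md5 protects against a corrupted download, not a substituted one, so before committing a new hash please verify sssd-0.7.0.tar.gz against the upstream release announcement or signature and record where the hash was cross-checked in the changelog entry.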
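Review bot: In the `@@ -1,12 +1,11 @@` hunk of sssd.spec, `Requires: sssd-client = 0.7.0` hardcodes the version a second time; since the same number is already repeated in .cvsignore, `sources`, and `Version:`, use `Requires: %{name}-client = %{version}-%{release}` so the daemon and client subpackages cannot drift apart on the next bump. The switch of `python_sitearch`/`python_sitelib` to `sys.stdout.write(get_python_lib(...))` is fine and removes the Python 2 `print` statement as the "Use Python 3-compatible sitearch and sitelib" commit intends.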
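Review bot: In the `@@ -94,6 +88,16 @@` hunk of sssd.spec the relocated install block keeps `mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sssd` but drops the `mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.api.d` line that the old block (removed in the `@@ -105,23 +109,17 @@` hunk) had, while still running `install -m400 server/config/etc/sssd.api.d/* $RPM_BUILD_ROOT%{_sysconfdir}/sssd/sssd.api.d/`. Unless `make install` in 0.7.0 now creates that directory (plausible given "Package SSSDConfig API", but not shown here), `install` will fail with a "target is not a directory" error; either restore the `mkdir -p` or note in the spec why it is no longer needed. Separately, installing sssd.conf with `-m600` and the API files with `-m400` matches the `%config(noreplace)` and `%attr(700)` entries in `%files`, which is the intended hardening.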
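Review bot: In the `@@ -105,23 +109,17 @@` hunk the comment `# Apppend this file to the sss_daemon.lang` has a typo ("Append"), and appending the `sssd_krb5_locator_plugin.so` path to a file that find-lang.sh generated makes the `-f sss_daemon.lang` list carry a non-translation entry; the next comment explains the single `-f` limitation of older rpmbuild, so consider extending it to say the file is a general filelist, not only language files, so a later cleanup does not reintroduce `locator.filelist` and a second `-f`.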
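Review bot: The `%changelog` entry in the `@@ -188,7 +185,14 @@` hunk only says "New upstream release 0.7.0"; it should also record that 0001-Tighten-up-permission.patch was dropped because it is merged upstream, that sssd.conf, sssd.api.conf and sssd.api.d are now installed with 0600/0400 permissions, and that the new `%post client`/`%postun client` ldconfig scriptlets were added, since those are the changes a downstream reviewer or auditor will want to trace from the changelog.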