diff --git a/src/release-notes/sssd-2.10.0.rst b/src/release-notes/sssd-2.10.0.rst new file mode 100644 index 0000000..c700591 --- /dev/null +++ b/src/release-notes/sssd-2.10.0.rst @@ -0,0 +1,128 @@ +SSSD 2.10.0 Release Notes +=============================== + +Highlights +---------- + +General information +~~~~~~~~~~~~~~~~~~~ + +* **IMPORTANT note for downstream maintainers!** + + This release features significant improvements of "running with less + privileges (under unprivileged service user)" feature. There is still a + ``./configure`` option ``--with-sssd-user=`` available that allows downstream + package maintainers to choose if support of non-root service user should be + built. In case such support is built, a preferred way to configure service + user is simply by starting SSSD under this user; for example, using + ``User=/Group=`` options of systemd sssd.service file. Upstream defaults are + to build ``--with-sssd-user=sssd`` and to install systemd service with + ``User=/Group=sssd``. In this case, only several helper processes - + ``ldap_child``, ``krb5_child`` and ``selinux_child`` - are executed with + elevated capabilities (that are now granted using fine grained file + capabilities instead of SUID bit). All other SSSD components run without any + capabilities. In this scenario it's still possible to re-configure SSSD to run + under ``root`` (if needed for some reason): besides changing ``User/Group=`` + options, some other tweaks of systemd service files are required. + + A legacy method to configure a service user - sssd.conf ``user`` option - is + now deprecated and its support isn’t built by default. It can be enabled using + ``--with-conf-service-user-support`` ``./configure`` option if needed (for + example, due to backward compatibility requirements of stable releases). + + Further, no matter if SSSD is built ``--with-sssd-user=sssd`` or + ``--with-sssd-user=root``, when it's configured to run under ``root`` (in both + cases) it still runs without capabilities, the same way as when it's + configured to run under ``sssd`` user. The only difference is from the DAC + perspective. + + Important note: owner of ``/etc/sssd/sssd.conf`` file (and snippets) should + match the user configured to start SSSD service. Upstream spec file and + service files change ownership of existing ``sssd.conf`` to sssd during + package installation and at runtime for seamless upgrades / transition period + only. + + Additionally, this release fixes a large number of issues with "socket + activation of responders" feature, making it operable out-of-the-box when the + package is built ``--with-sssd-user=sssd``. Please take a note, that user + configured to run main sssd.service and socket activated responders (if used) + should match (i.e. if sssd.service is re-configured from upstream defaults to + ``root`` then responders services also should be re-configured). + + Downstream package maintainers are advised to carefully inspect changes in + ``contrib/sssd.spec.in``, ``src/sysv/systemd/*`` and ``./configure`` options + that this release brings! + +* sssctl ``cache-upgrade`` command was removed. SSSD performs automatic upgrades + at startup when needed. + +* Support of ``enumeration`` feature (i.e. ability to list all users/groups + using ``getent passwd/group`` without argument) for AD/IPA providers is + deprecated and might be removed in further releases. Those who are interested + to keep using it awhile should configure its build explicitly using + ``--with-extended-enumeration-support`` ./configure option. + +* A number of minor glitches of ``sssd-2.10.0-beta1`` around building and + packaging were fixed. + +* Support of ``--without-infopipe`` ``./configure`` option was dropped. Feature + is long time out of experimental state. Since building it doesn't require any + additional dependencies, there is not much sense to keep option available. + Those who not interested in feature can skip installing sssd-ifp sub-package. + +New features +~~~~~~~~~~~~ + +* The new tool ``sss_ssh_knownhosts`` can be used with ssh's + ``KnownHostsCommand`` configuration option to retrieve the host's public keys + from a remote server (FreeIPA, LDAP, etc.). This new tool, which is more + reliable, replaces ``sss_ssh_knownhostsproxy``. The latter is no longer built + by default, but its build can be forced with configure + ``--with-ssh-known-hosts-proxy``. + +Packaging changes +~~~~~~~~~~~~~~~~~ + +* Building SSSD now unconditionally requires availability of ``ucred``/ + ``SO_PEERCRED`` to enforce certain security checks at runtime (see ``man 7 + unix`` for details). + +* SSSD now requires ``libini`` not older than v1.3 + +* Explicit ``--with-semanage`` ./configure switch was removed, going forward + ``--with-selinux`` includes this. + +* ``sssd_pam`` binary lost public ``rx`` bits and got ``cap_dac_read_search=p`` + file capability to be able to use GSSAPI + +* Support of OpenSSL older than 1.0.1 was dropped + +Configuration changes +~~~~~~~~~~~~~~~~~~~~~ + +* Default ``ldap_id_use_start_tls`` value changed from ``false`` to ``true`` for + improved security. + +* Added a ``ldap_use_ppolicy`` option for backends with broken ppolicy extension + handling. + +* Obsolete ``config_file_version`` option was removed. + +* Option ``reconnection_retries`` was removed since it is no longer used. SSSD + switch to a new architecte of internal IPC between SSSD processes where + responders do not connect to backend anymore and therefore this option is no + longer used. + +Tickets Fixed +------------- + +TBD + +Detailed Changelog +------------------ + +.. code-block:: release-notes-shortlog + + $ git shortlog --pretty=format:"%h %s" -w0,4 2.9.0..2.10.0 + + TBD diff --git a/src/releases.rst b/src/releases.rst index a43254e..0a5962a 100644 --- a/src/releases.rst +++ b/src/releases.rst @@ -8,6 +8,10 @@ SSSD Releases .. releases:: + .. release:: sssd-2.10.0 + :date: 2024-10-16 + :download: https://github.com/SSSD/sssd/releases/tag/2.10.0 + .. release:: sssd-2.10.0-beta2 :date: 2024-06-26 :download: https://github.com/SSSD/sssd/releases/tag/2.10.0-beta2