Merge branch 'SSSD:master' into references

SSSD · Dec 10, 2024 · 21e3b85 · 21e3b85
2 parents ad457a9 + ef53531
commit 21e3b85
Show file tree

Hide file tree

Showing 211 changed files with 44,200 additions and 42,936 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -29,14 +29,14 @@ jobs:
       working-directory: x86_64
       run: |
         source ../contrib/fedora/bashrc_sssd
-        make CFLAGS+="$SSS_WARNINGS -Werror -Wno-error=deprecated-declarations"
+        make CFLAGS+="$SSS_WARNINGS -Werror"
 
     - name: make check
       shell: bash
       working-directory: x86_64
       run: |
         source ../contrib/fedora/bashrc_sssd
-        make CFLAGS+="$SSS_WARNINGS -Werror -Wno-error=deprecated-declarations" check
+        make CFLAGS+="$SSS_WARNINGS -Werror" check
 
     - name: make distcheck
       shell: bash

diff --git a/.github/workflows/copr_build.yml b/.github/workflows/copr_build.yml
@@ -90,7 +90,7 @@ jobs:
         project: ${{ env.COPR_PROJECT }}
         account: ${{ env.COPR_ACCOUNT }}
 
-    - name: Add buildroot repository to CentOS Stream
+    - name: Add buildroot repository to CentOS Streams
       env:
         coprcfg: ${{ steps.copr.outputs.coprcfg }}
       run: |
@@ -99,6 +99,11 @@ jobs:
           --repos 'https://kojihub.stream.centos.org/kojifiles/repos/c9s-build/latest/$basearch/' \
           $COPR_ACCOUNT/$COPR_PROJECT/centos-stream-9-x86_64
 
+        # CentOS Stream 10
+        copr-cli --config "$coprcfg" edit-chroot                                                  \
+          --repos 'https://kojihub.stream.centos.org/kojifiles/repos/c10s-build/latest/$basearch/' \
+          $COPR_ACCOUNT/$COPR_PROJECT/centos-stream-10-x86_64
+
   build:
     runs-on: ubuntu-latest
     needs: [prepare]

diff --git a/Makefile.am b/Makefile.am
@@ -100,6 +100,14 @@ ifp_systemdservice = SystemdService=sssd-ifp.service
 condconfigexists = ConditionPathExists=\|/etc/sssd/sssd.conf\nConditionDirectoryNotEmpty=\|/etc/sssd/conf.d/
 
 # Bounding set needs to list capabilities required by ldap/krb5/selinux_childs and sssd_pam, otherwise they can't gain it.
+# Capabilities usage by binaries:
+#   - 'ldap_child': read keytab (dac_read_search)
+#   - 'krb5_child':
+#         - check old ccache / pre-check ccache path (dac_read_search, set*id)
+#         - read keytab (dac_read_search)
+#         - store TGT for a given user (set*id)
+#   - 'selinux_child': currently chown, dac_override, set*id  --  to be narrowed
+#   - 'sssd_pam': read keytab in gss ops (dac_read_search)
 capabilities = CapabilityBoundingSet= CAP_CHOWN CAP_DAC_OVERRIDE CAP_SETGID CAP_SETUID CAP_DAC_READ_SEARCH
 
 if BUILD_CONF_SERVICE_USER_SUPPORT
@@ -137,7 +145,7 @@ ifp_non_root_owner_policy =
 endif
 
 
-AM_CFLAGS =
+AM_CFLAGS = $(my_CFLAGS)
 if WANT_AUX_INFO
     AM_CFLAGS += -aux-info $@.X
 endif
@@ -361,7 +369,6 @@ endif   # HAVE_CMOCKA
 
 check_PROGRAMS = \
     stress-tests \
-    krb5-child-test \
     test_ssh_client \
     $(non_interactive_cmocka_based_tests) \
     $(non_interactive_check_based_tests)
@@ -633,7 +640,6 @@ SSSD_TOOLS_OBJ = \
     src/tools/common/sss_tools.c \
     src/tools/common/sss_process.c \
     src/confdb/confdb_setup.c \
-    src/util/nscd.c \
     $(NULL)
 
 SSSD_LCL_TOOLS_OBJ = \
@@ -700,10 +706,10 @@ dist_noinst_HEADERS = \
     src/sss_iface/sss_iface_sync.h \
     src/sss_iface/sss_iface.h \
     src/util/crypto/sss_crypto.h \
-    src/util/crypto/libcrypto/sss_openssl.h \
     src/util/cert.h \
     src/util/dlinklist.h \
     src/util/debug.h \
+    src/util/memory_erase.h \
     src/util/util.h \
     src/util/util_errors.h \
     src/util/safe-format-string.h \
@@ -986,6 +992,7 @@ SSS_CRYPT_SOURCES = src/util/crypto/libcrypto/crypto_base64.c \
                     src/util/crypto/libcrypto/crypto_prng.c \
                     src/util/atomic_io.c \
                     src/util/memory.c \
+                    src/util/memory_erase.c \
                     $(NULL)
 SSS_CRYPT_CFLAGS = $(CRYPTO_CFLAGS)
 SSS_CRYPT_LIBS = $(CRYPTO_LIBS)
@@ -1265,6 +1272,7 @@ libsss_util_la_SOURCES = \
     src/util/util_ext.c \
     src/util/util_preauth.c \
     src/util/memory.c \
+    src/util/memory_erase.c \
     src/util/safe-format-string.c \
     src/util/server.c \
     src/util/signal.c \
@@ -1292,7 +1300,6 @@ libsss_util_la_SOURCES = \
     src/util/util_sss_idmap.c \
     src/util/well_known_sids.c \
     src/util/string_utils.c \
-    src/util/become_user.c \
     src/util/capabilities.c \
     src/util/util_watchdog.c \
     src/util/sss_ptr_hash.c \
@@ -1517,9 +1524,14 @@ endif
 sssd_SOURCES = \
     src/monitor/monitor.c \
     src/monitor/monitor_bootstrap.c \
+    src/monitor/nscd.c \
     src/confdb/confdb_setup.c \
-    src/util/nscd.c \
     $(NULL)
+
+if BUILD_CONF_SERVICE_USER_SUPPORT
+sssd_SOURCES += src/monitor/become_user.c
+endif # BUILD_CONF_SERVICE_USER_SUPPORT
+
 sssd_LDADD = \
     $(SSSD_LIBS) \
     $(INOTIFY_LIBS) \
@@ -2003,6 +2015,7 @@ endif
 if HAVE_SYSTEMD_UNIT
 sssd_check_socket_activated_responders_SOURCES = \
     src/tools/sssd_check_socket_activated_responders.c \
+    src/tools/common/sss_tools.c \
     $(NULL)
 sssd_check_socket_activated_responders_CFLAGS = \
     $(AM_CFLAGS) \
@@ -2199,7 +2212,6 @@ krb5_utils_tests_SOURCES = \
     src/providers/data_provider_fo.c \
     src/providers/data_provider_opts.c \
     src/providers/data_provider_callbacks.c \
-    src/util/become_user.c \
     $(SSSD_FAILOVER_OBJ) \
     $(NULL)
 krb5_utils_tests_CFLAGS = \
@@ -2489,35 +2501,6 @@ stress_tests_LDADD = \
     $(SSSD_LIBS) \
     libsss_test_common.la
 
-krb5_child_test_SOURCES = \
-    src/tests/krb5_child-test.c \
-    src/providers/krb5/krb5_utils.c \
-    src/providers/krb5/krb5_ccache.c \
-    src/providers/krb5/krb5_child_handler.c \
-    src/providers/krb5/krb5_common.c \
-    src/providers/krb5/krb5_opts.c \
-    src/util/sss_krb5.c \
-    src/util/sss_iobuf.c \
-    src/providers/data_provider_fo.c \
-    src/providers/data_provider_opts.c \
-    src/providers/data_provider_callbacks.c \
-    src/util/become_user.c \
-    $(SSSD_FAILOVER_OBJ) \
-    $(NULL)
-krb5_child_test_CFLAGS = \
-    $(AM_CFLAGS) \
-    -DKRB5_CHILD_DIR=\"$(builddir)\" \
-    $(KRB5_CFLAGS) \
-    $(CHECK_CFLAGS)
-krb5_child_test_LDADD = \
-    $(SSSD_LIBS) \
-    $(CARES_LIBS) \
-    $(KRB5_LIBS) \
-    $(CHECK_LIBS) \
-    $(PCRE_LIBS) \
-    $(SSSD_INTERNAL_LTLIBS) \
-    libsss_test_common.la
-
 test_ssh_client_SOURCES = \
     src/tests/test_ssh_client.c \
     $(NULL)
@@ -2879,7 +2862,8 @@ dyndns_tests_SOURCES = \
      $(SSSD_RESOLV_OBJ) \
      src/tests/cmocka/common_mock_be.c \
      src/tests/cmocka/test_dyndns.c \
-     src/providers/data_provider_opts.c
+     src/providers/data_provider_opts.c \
+     src/util/child_common.c
 dyndns_tests_CFLAGS = \
     $(AM_CFLAGS) \
     $(CMOCKA_CFLAGS) \
@@ -4169,6 +4153,7 @@ pam_sss_la_SOURCES = \
     src/sss_client/sss_cli.h \
     src/util/atomic_io.c \
     src/util/authtok-utils.c \
+    src/util/memory_erase.c \
     src/sss_client/sss_pam_macros.h \
     src/sss_client/sss_pam_compat.h
 
@@ -4391,7 +4376,6 @@ libsss_krb5_common_la_SOURCES = \
     src/providers/krb5/krb5_ccache.c \
     src/util/sss_krb5.c \
     src/util/sss_iobuf.c \
-    src/util/become_user.c \
     src/util/pac_utils.c \
     $(NULL)
 libsss_krb5_common_la_CFLAGS = \
@@ -4693,6 +4677,7 @@ krb5_child_SOURCES = \
     src/util/find_uid.c \
     src/util/atomic_io.c \
     src/util/memory.c \
+    src/util/memory_erase.c \
     src/util/authtok.c \
     src/util/authtok-utils.c \
     src/util/util.c \
@@ -4701,7 +4686,6 @@ krb5_child_SOURCES = \
     src/util/signal.c \
     src/util/sss_chain_id.c \
     src/util/strtonum.c \
-    src/util/become_user.c \
     src/util/util_errors.c \
     src/sss_client/common.c \
     src/krb5_plugin/common/utils.c \
@@ -4737,13 +4721,13 @@ ldap_child_SOURCES = \
     src/util/sss_iobuf.c \
     src/util/atomic_io.c \
     src/util/memory.c \
+    src/util/memory_erase.c \
     src/util/authtok.c \
     src/util/authtok-utils.c \
     src/util/util.c \
     src/util/util_ext.c \
     src/util/capabilities.c \
     src/util/signal.c \
-    src/util/become_user.c \
     src/util/util_errors.c \
     $(NULL)
 ldap_child_CFLAGS = \
@@ -4886,6 +4870,7 @@ oidc_child_SOURCES = \
     src/oidc_child/oidc_child_json.c \
     src/util/atomic_io.c \
     src/util/memory.c \
+    src/util/memory_erase.c \
     src/util/strtonum.c \
     $(NULL)
 oidc_child_CFLAGS = \
@@ -5297,7 +5282,8 @@ edit_cmd = $(SED) \
         -e 's|@supplementary_groups[@]|$(supplementary_groups)|g' \
         -e 's|@sssdconfdir[@]|$(sssdconfdir)|g' \
         -e 's|@secdbpath[@]|$(secdbpath)|g' \
-        -e 's|@dbpath[@]|$(dbpath)|g'
+        -e 's|@dbpath[@]|$(dbpath)|g' \
+        -e 's|@gpocachepath[@]|$(gpocachepath)|g'
 
 replace_script = \
     @rm -f $@ $@.tmp; \
@@ -5562,14 +5548,13 @@ else
 	$(MKDIR_P) $(DESTDIR)$(initdir)
 endif
 
-CHILD_CAPABILITIES="cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep"
 if SSSD_USER
 	-chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/ldap_child
 	chmod 750 $(DESTDIR)$(sssdlibexecdir)/ldap_child
-	-$(SETCAP) $(CHILD_CAPABILITIES) $(DESTDIR)$(sssdlibexecdir)/ldap_child
+	-$(SETCAP) cap_dac_read_search=p $(DESTDIR)$(sssdlibexecdir)/ldap_child
 	-chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/krb5_child
 	chmod 750 $(DESTDIR)$(sssdlibexecdir)/krb5_child
-	-$(SETCAP) $(CHILD_CAPABILITIES) $(DESTDIR)$(sssdlibexecdir)/krb5_child
+	-$(SETCAP) cap_dac_read_search,cap_setuid,cap_setgid=p $(DESTDIR)$(sssdlibexecdir)/krb5_child
 	-chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/proxy_child
 	chmod 750 $(DESTDIR)$(sssdlibexecdir)/proxy_child
 	-chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/sssd_pam
@@ -5578,7 +5563,7 @@ if SSSD_USER
 if BUILD_SELINUX
 	-chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/selinux_child
 	chmod 750 $(DESTDIR)$(sssdlibexecdir)/selinux_child
-	-$(SETCAP) $(CHILD_CAPABILITIES) $(DESTDIR)$(sssdlibexecdir)/selinux_child
+	-$(SETCAP) cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep $(DESTDIR)$(sssdlibexecdir)/selinux_child
 endif
 endif
 

diff --git a/configure.ac b/configure.ac
@@ -11,7 +11,8 @@ m4_ifdef([AC_USE_SYSTEM_EXTENSIONS],
     [AC_USE_SYSTEM_EXTENSIONS],
     [AC_GNU_SOURCE])
 
-CFLAGS="$CFLAGS -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE"
+my_CFLAGS="-D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE"
+AC_SUBST([my_CFLAGS])
 
 
 AM_INIT_AUTOMAKE([-Wall -Wno-portability foreign subdir-objects tar-pax
@@ -181,13 +182,13 @@ WITH_SUDO_LIB_PATH
 WITH_AUTOFS
 WITH_FILES_PROVIDER
 WITH_EXTENDED_ENUMERATION_SUPPORT
+WITH_ALLOW_REMOTE_DOMAIN_LOCAL_GROUPS
 WITH_CONF_SERVICE_USER_SUPPORT
 WITH_SUBID
 WITH_SUBID_LIB_PATH
 WITH_PASSKEY
 WITH_SSH
 WITH_SSH_KNOWN_HOSTS_PROXY
-WITH_IFP
 WITH_LIBSIFP
 WITH_SYSLOG
 WITH_SAMBA
@@ -300,9 +301,9 @@ AS_IF([! $PKG_CONFIG --atleast-version 1.0.0 dbus-1], [
 ])
 
 AS_IF([test x$has_dbus != xno], [
-    SAFE_LIBS="$LIBS"
+    SAVED_LIBS="$LIBS"
     LIBS="$DBUS_LIBS"
-    SAFE_CFLAGS=$CFLAGS
+    SAVED_CFLAGS=$CFLAGS
     CFLAGS="$CFLAGS $DBUS_CFLAGS"
 
     AC_CHECK_FUNC([dbus_watch_get_unix_fd],
@@ -313,8 +314,8 @@ AS_IF([test x$has_dbus != xno], [
                    [],
                    [ #include <dbus/dbus.h> ])
 
-    LIBS="$SAFE_LIBS"
-    CFLAGS=$SAFE_CFLAGS
+    LIBS="$SAVED_LIBS"
+    CFLAGS=$SAVED_CFLAGS
 ])
 
 # work around a bug in cov-build from Coverity
@@ -479,7 +480,7 @@ AS_IF([test x"$sss_cv_attribute_warn_unused_result" = xyes], [
              [whether compiler supports __attribute__((warn_unused_result))])
 ])
 
-SAFE_CFLAGS=$CFLAGS
+SAVED_CFLAGS=$CFLAGS
 CFLAGS="-Werror"
 AC_CACHE_CHECK(
     [whether compiler supports __attribute__((fallthrough))],
@@ -505,7 +506,7 @@ AC_CACHE_CHECK(
              sss_cv_attribute_fallthrough_val="((void)0)"
          ])
     ])
-CFLAGS=$SAFE_CFLAGS
+CFLAGS=$SAVED_CFLAGS
 
 AC_DEFINE_UNQUOTED(
     [SSS_ATTRIBUTE_FALLTHROUGH],

diff --git a/contrib/ci/deps.sh b/contrib/ci/deps.sh
@@ -48,6 +48,12 @@ if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then
         libcap-devel
     )
 
+    if [[ "$DISTRO_BRANCH" == -redhat-fedora-4[1-9]* ||
+          "$DISTRO_BRANCH" == -redhat-redhatenterprise*-10.*- ||
+          "$DISTRO_BRANCH" == -redhat-centos*-10*- ]]; then
+        DEPS_LIST+=(systemtap-sdt-dtrace)
+    fi
+
     if [[ "$DISTRO_BRANCH" == -redhat-fedora-4[0-9]* ||
           "$DISTRO_BRANCH" == -redhat-fedora-3[7-9]* ||
           "$DISTRO_BRANCH" == -redhat-redhatenterprise*-9.*- ||

diff --git a/contrib/fedora/make_srpm.sh b/contrib/fedora/make_srpm.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash -x
 
 #    Authors:
 #        Lukas Slebodnik <[email protected]>
@@ -166,10 +166,20 @@ sed -e "s/@PACKAGE_NAME@/$PACKAGE_NAME/" \
     > "$RPMBUILD/SPECS/$PACKAGE_NAME.spec"
 
 NAME="$PACKAGE_NAME-$PACKAGE_VERSION"
+TARBALL="$RPMBUILD/SOURCES/$NAME.tar.gz"
+
 git archive --format=tar --prefix="$NAME"/ \
-            --remote="file://$SRC_DIR" \
-            HEAD \
-            | gzip > "$RPMBUILD/SOURCES/$NAME.tar.gz"
+            HEAD | gzip > "$TARBALL"
+
+# fallback to tar if git archive failed
+# tar may include more files so git archive is preferred
+tar -tzf "$TARBALL" &> /dev/null
+if [ $? -ne 0 ]; then
+    rm -f "$TARBALL"
+    pushd "$SRC_DIR"
+    tar -cvzf "$TARBALL" --transform "s,^,$NAME/," *
+    popd
+fi
 
 cp "$SRC_DIR"/contrib/*.patch "$RPMBUILD/SOURCES" 2>/dev/null
 add_patches "$RPMBUILD/SPECS/$PACKAGE_NAME.spec" \