[Pkg-sssd-devel] [Git][sssd-team/sssd][master] 4 commits: rules, add-cap_dac_override.diff: Explicitly set sssd-user as root, and add...

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Wed Sep 22 09:54:06 BST 2021



Timo Aaltonen pushed to branch master at Debian SSSD packaging / sssd


Commits:
10fd3c51 by Timo Aaltonen at 2021-09-22T10:40:11+03:00
rules, add-cap_dac_override.diff: Explicitly set sssd-user as root, and add CAP_DAC_OVERRIDE so files owned by sssd system user can be read by the service. (Closes: #994807)

- - - - -
aeab7bd8 by Timo Aaltonen at 2021-09-22T10:40:28+03:00
install: Add sssd-pcsc.rules to -common.

- - - - -
23692067 by Timo Aaltonen at 2021-09-22T11:41:07+03:00
postinst: Correct file/dir permissions and ownership when the daemon is run as root.

- - - - -
6f09ad58 by Timo Aaltonen at 2021-09-22T11:42:25+03:00
dac override patch is not needed when permissions are corrected

- - - - -


7 changed files:

- debian/changelog
- debian/rules
- debian/sssd-common.install
- debian/sssd-common.postinst
- debian/sssd-ipa.postinst
- debian/sssd-krb5-common.postinst
- debian/sssd-proxy.postinst


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,12 @@
+sssd (2.5.2-3) UNRELEASED; urgency=medium
+
+  * rules: Explicitly set sssd-user as root.
+  * install: Add sssd-pcsc.rules to -common.
+  * postinst: Correct file/dir permissions and ownership when the daemon
+    is run as root. (Closes: #994807)
+
+ -- Timo Aaltonen <tjaalton at debian.org>  Wed, 22 Sep 2021 09:23:33 +0300
+
 sssd (2.5.2-2) unstable; urgency=medium
 
   * rules: Disable tests for now. (Closes: #994479)


=====================================
debian/rules
=====================================
@@ -43,6 +43,7 @@ override_dh_auto_configure:
 	--without-python2-bindings \
 	--with-syslog=journald \
 	--with-pid-path=/run \
+	--with-sssd-user=root \
 	--with-sudo
 
 override_dh_auto_test:
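
Review bot: The added `--with-sssd-user=root` line in override_dh_auto_configure carries no explanation of why the service user is forced to root, and the result is a daemon that runs with full root privileges rather than as the sssd system user. A short comment above the target referencing #994807 would make it clear this is a deliberate choice and give a pointer for when the unprivileged setup is revisited.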


=====================================
debian/sssd-common.install
=====================================
@@ -62,5 +62,6 @@ usr/share/man/man5/sssd.conf.5*
 usr/share/man/man8/idmap_sss.8*
 usr/share/man/man8/sssd.8*
 usr/share/man/man8/sssd_krb5_locator_plugin.8*
+usr/share/polkit-1/rules.d/sssd-pcsc.rules
 usr/share/sssd/*
 usr/share/systemtap


=====================================
debian/sssd-common.postinst
=====================================
@@ -30,7 +30,7 @@ case "$1" in
                 --gecos "SSSD system user" \
                 sssd > $OUT
         fi
-        chown sssd:sssd \
+        chown -R root:root \
             $HOME/db \
             $HOME/gpo_cache \
             $HOME/mc \
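
Review bot: The new `-R` on `chown -R root:root` is not guarded by any version check, so every `configure` run re-walks the listed trees (the list continues into /etc/sssd and /var/log/sssd) and resets ownership of everything under them. If the recursion is only needed to repair files left owned by sssd:sssd by earlier package versions, consider gating it on the previously configured version in `$2` with `dpkg --compare-versions`, and keep a non-recursive chown for the normal path. The context lines above also still create the `sssd` system user, which no longer owns any of these paths after this change; a comment saying why it is kept would help.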
@@ -40,14 +40,19 @@ case "$1" in
             $HOME/secrets \
             /etc/sssd \
             /var/log/sssd
-        chown root:sssd $LIBDIR/p11_child
 
-        chmod 4754 $LIBDIR/p11_child
-        chmod 755 $HOME/gpo_cache $HOME/mc $HOME/pipes $HOME/pubconf
-	chmod 751 $HOME/deskprofile
+        # for easier review keep the same order as on sssd.spec
+        chmod 700 $HOME/db
+        chmod 775 $HOME/mc
+        chmod 700 $HOME/secrets
+        chmod 751 $HOME/deskprofile
+        chmod 755 $HOME/pipes
+        chmod 750 $HOME/pipes/private
+        chmod 755 $HOME/pubconf
+        chmod 755 $HOME/gpo_cache
         chmod 750 /var/log/sssd
+        chmod 700 /etc/sssd
         chmod 711 /etc/sssd
-        chmod 700 $HOME/db $HOME/pipes/private $HOME/secrets
         if [ -f /etc/sssd/sssd.conf ]; then
             chown root:root /etc/sssd/sssd.conf
             chmod 0600 /etc/sssd/sssd.conf
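
Review bot: The added `chmod 700 /etc/sssd` is immediately followed by the unchanged `chmod 711 /etc/sssd`, so the directory ends up 711 and the new line has no effect. Remove whichever mode is not intended; since the new comment says the order mirrors sssd.spec, the leftover 711 line looks like the one to drop. Two smaller points in the same hunk: `$HOME/mc` goes from 755 to 775, and the `p11_child` chown/chmod lines are deleted with no `chmod 0750` replacement, unlike the other child helpers in the sibling postinst files. Both are worth confirming as intended.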


=====================================
debian/sssd-ipa.postinst
=====================================
@@ -5,9 +5,8 @@ LIBDIR=/usr/libexec/sssd
 
 case "$1" in
     configure)
-        chown root:sssd $LIBDIR/selinux_child
-        chmod 4754 $LIBDIR/selinux_child
-        chown sssd:sssd /var/lib/sss/keytabs
+        chmod 0750 $LIBDIR/selinux_child
+        chown -R root:root /var/lib/sss/keytabs
         chmod 700 /var/lib/sss/keytabs
     ;;
 esac
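
Review bot: `chmod 0750 $LIBDIR/selinux_child` replaces a `chown root:sssd` plus `chmod 4754` pair, but only the mode is set now, so the helper's owner and group are whatever is already on disk. Adding `chown root:root $LIBDIR/selinux_child` before the chmod would make the final state explicit, in line with the `chown -R root:root /var/lib/sss/keytabs` on the next line.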


=====================================
debian/sssd-krb5-common.postinst
=====================================
@@ -5,8 +5,7 @@ LIBDIR=/usr/libexec/sssd
 
 case "$1" in
     configure)
-        chown root:sssd $LIBDIR/krb5_child $LIBDIR/ldap_child
-        chmod 4754 $LIBDIR/krb5_child $LIBDIR/ldap_child
+        chmod 0750 $LIBDIR/krb5_child $LIBDIR/ldap_child
     ;;
 esac
 


=====================================
debian/sssd-proxy.postinst
=====================================
@@ -5,8 +5,7 @@ LIBDIR=/usr/libexec/sssd
 
 case "$1" in
     configure)
-        chown root:sssd $LIBDIR/proxy_child
-        chmod 4754 $LIBDIR/proxy_child
+        chmod 0750 $LIBDIR/proxy_child
     ;;
 esac
 



View it on GitLab: https://salsa.debian.org/sssd-team/sssd/-/compare/f64f37201c8ebb748e926ab0047ce08847561204...6f09ad587bc37d3372f47e6b74762e1e6912902d
