[Pkg-sssd-devel] [Git][sssd-team/sssd][master] 8 commits: autopkgtests: also gather sssd logs in case of failure

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Tue Jan 7 11:54:52 GMT 2025



Timo Aaltonen pushed to branch master at Debian SSSD packaging / sssd


Commits:
a3fa66c2 by Andreas Hasenack at 2025-01-06T10:10:51-03:00
autopkgtests: also gather sssd logs in case of failure

- - - - -
ac788796 by Andreas Hasenack at 2025-01-06T15:07:46-03:00
changelog: autopkgtests

- - - - -
4d747161 by Andreas Hasenack at 2025-01-06T15:07:46-03:00
postinst: add filesystem capabilities to several helpers

d/sssd-krb5-common.postinst: add capabilities to ldap_child and krb5_child
d/sssd-ipa.postinst: add capabilities to selinux_child

- - - - -
b084aa87 by Andreas Hasenack at 2025-01-06T15:07:46-03:00
changelog: postinst

- - - - -
eb9854d6 by Andreas Hasenack at 2025-01-06T15:16:20-03:00
control: add libcap2-bin dependency

sssd-common, sssd-ipa, and sssd-krb5-common now invoke setcap in
postinst.

- - - - -
ea4e5460 by Andreas Hasenack at 2025-01-06T15:16:20-03:00
changelog: control

- - - - -
f5a844ef by Andreas Hasenack at 2025-01-06T15:16:20-03:00
rules: don't change permissions of proxy_child and sssd_pam

These also need to be installed with permissions 0750 (handled
via postinst)

- - - - -
3d30a347 by Andreas Hasenack at 2025-01-06T15:16:20-03:00
changelog: rules

- - - - -


7 changed files:

- debian/changelog
- debian/control
- debian/rules
- debian/sssd-common.postinst
- debian/sssd-ipa.postinst
- debian/sssd-krb5-common.postinst
- debian/tests/util


Changes:

=====================================
debian/changelog
=====================================
@@ -6,6 +6,12 @@ sssd (2.10.1-1) UNRELEASED; urgency=medium
   * control: Add valgrind and libcap-dev to build-depends.
   * install: Updated.
 
+  [ Andreas Hasenack ]
+  * autopkgtests: also gather sssd logs in case of failure
+  * postinst: add filesystem capabilities to several helpers
+  * control: add libcap2-bin dependency
+  * rules: don't change permissions of proxy_child and sssd_pam
+
  -- Timo Aaltonen <tjaalton at debian.org>  Fri, 03 Jan 2025 11:16:31 +0200
 
 sssd (2.9.5-5) unstable; urgency=medium


=====================================
debian/control
=====================================
@@ -109,6 +109,7 @@ Description: System Security Services Daemon -- metapackage
 Package: sssd-common
 Architecture: any
 Depends:
+ libcap2-bin,
  libnss-sss (= ${binary:Version}),
  libpam-sss (= ${binary:Version}),
  python3,
@@ -136,6 +137,7 @@ Description: System Security Services Daemon -- common files
 Package: sssd-ad
 Architecture: any
 Depends:
+ libcap2-bin,
  libsss-idmap0 (= ${binary:Version}),
  sssd-ad-common (= ${binary:Version}),
  sssd-common (= ${binary:Version}),
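
Review bot: the `libcap2-bin` line added to sssd-ad's Depends has no matching setcap call in this push. The commit message names only sssd-common, sssd-ipa and sssd-krb5-common as invoking setcap in postinst, and no sssd-ad maintainer script is among the changed files. sssd-ad already depends on `sssd-common (= ${binary:Version})`, which gains the same dependency in the first hunk, so either drop this line or say in the commit message why sssd-ad needs it directly.
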
@@ -172,6 +174,7 @@ Description: System Security Services Daemon -- Kerberos plugins for external id
 Package: sssd-ipa
 Architecture: any
 Depends:
+ libcap2-bin,
  libipa-hbac0t64 (= ${binary:Version}),
  libsss-idmap0 (= ${binary:Version}),
  sssd-ad-common (= ${binary:Version}),
@@ -208,7 +211,10 @@ Description: System Security Services Daemon -- Kerberos back end
 
 Package: sssd-krb5-common
 Architecture: any
-Depends: sssd-common (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
+Depends: sssd-common (= ${binary:Version}),
+ libcap2-bin,
+ ${misc:Depends},
+ ${shlibs:Depends}
 Recommends: libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal
 Description: System Security Services Daemon -- Kerberos helpers
  Provides helper processes that the LDAP and Kerberos back ends can use for


=====================================
debian/rules
=====================================
@@ -66,7 +66,7 @@ override_dh_auto_install:
 	dh_auto_install --max-parallel=1
 
 override_dh_fixperms:
-	dh_fixperms -Xkrb5_child -Xldap_child -Xselinux_child
+	dh_fixperms -Xproxy_child -Xkrb5_child -Xldap_child -Xselinux_child -Xsssd_pam
 
 override_dh_install:
 	install -D -m755 $(CURDIR)/debian/generate-config \
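
Review bot: `-Xproxy_child` is now excluded from dh_fixperms on the grounds that postinst sets mode 0750, but the postinst hunks in this push only show `chmod 750 $LIBDIR/sssd_pam`; no chmod for proxy_child is visible. Confirm that an existing postinst line already covers proxy_child, or add one, otherwise the file keeps whatever mode the upstream install step gave it. Note also that -X matches on any part of the file name, so `-Xsssd_pam` skips every installed file whose path contains that string, not only the helper in /usr/libexec/sssd.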


=====================================
debian/sssd-common.postinst
=====================================
@@ -53,6 +53,8 @@ case "$1" in
         chmod 750 /var/log/sssd
         chmod 700 /etc/sssd
         chmod 711 /etc/sssd
+        chmod 750 $LIBDIR/sssd_pam
+        setcap cap_dac_read_search=p $LIBDIR/sssd_pam
         if [ -f /etc/sssd/sssd.conf ]; then
             chown root:root /etc/sssd/sssd.conf
             chmod 0600 /etc/sssd/sssd.conf
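
Review bot: the added `setcap cap_dac_read_search=p $LIBDIR/sssd_pam` has no failure handling. On a filesystem that cannot store the security.capability extended attribute setcap exits non-zero; if this script runs under `set -e` (not visible in the hunk) the package is left unconfigured, and if it does not, the failure is silent and sssd_pam starts without the capability. Decide which behaviour is intended and make it explicit, for example by testing the exit status and printing a warning that names the file.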


=====================================
debian/sssd-ipa.postinst
=====================================
@@ -6,6 +6,7 @@ LIBDIR=/usr/libexec/sssd
 case "$1" in
     configure)
         chmod 0750 $LIBDIR/selinux_child
+        setcap cap_setuid,cap_setgid=p $LIBDIR/selinux_child
         chown -R root:root /var/lib/sss/keytabs
         chmod 700 /var/lib/sss/keytabs
     ;;
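
Review bot: `cap_setuid,cap_setgid=p` on selinux_child makes the 0750 mode the only thing separating the helper from every local user, yet the hunk never sets the file's owner or group; the `chown -R root:root` below applies to /var/lib/sss/keytabs only. Set the owner and group of $LIBDIR/selinux_child explicitly before the chmod, and keep setcap as the last step, because a later chown would drop the file capability.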


=====================================
debian/sssd-krb5-common.postinst
=====================================
@@ -6,6 +6,8 @@ LIBDIR=/usr/libexec/sssd
 case "$1" in
     configure)
         chmod 0750 $LIBDIR/krb5_child $LIBDIR/ldap_child
+        setcap cap_dac_read_search=p $LIBDIR/ldap_child
+        setcap cap_dac_read_search,cap_setuid,cap_setgid=p $LIBDIR/krb5_child
     ;;
 esac
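
Review bot: the two added setcap lines hard-code the capability sets for ldap_child and krb5_child with no comment saying why each helper needs them, and nothing in this push checks that they were applied. Add a short comment per line and an autopkgtest assertion on the output of `getcap $LIBDIR/krb5_child $LIBDIR/ldap_child`, so that a changed upstream requirement or a failed setcap shows up in CI rather than as an authentication failure on an installed system.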
 


=====================================
debian/tests/util
=====================================
@@ -275,6 +275,9 @@ cleanup_sshd_config() {
 }
 
 gather_logs() {
+    echo "## sssd"
+    tail -n 200 /var/log/sssd/*.log
+    echo
     echo "## journalctl"
     journalctl -b --lines 200
     echo
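
Review bot: `tail -n 200 /var/log/sssd/*.log` at the top of gather_logs fails when the glob matches nothing, which is most likely exactly when sssd never started. The shell then passes the literal pattern, tail exits non-zero, and if the test script runs under `set -e` (not visible here) the journalctl section below never prints. Guard the call, for example with `|| true`, or move it after the journalctl block.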



View it on GitLab: https://salsa.debian.org/sssd-team/sssd/-/compare/06349d90c2d967c8e4f1e8e2dcf20b7f5a7bd958...3d30a34731cd9f28d44dd25b0be9a0a66555ca85
