[Pkg-sssd-devel] [Git][sssd-team/sssd][master] 8 commits: autopkgtests: also gather sssd logs in case of failure
Timo Aaltonen (@tjaalton)
gitlab at salsa.debian.org
Tue Jan 7 11:54:52 GMT 2025
Timo Aaltonen pushed to branch master at Debian SSSD packaging / sssd
Commits:
a3fa66c2 by Andreas Hasenack at 2025-01-06T10:10:51-03:00
autopkgtests: also gather sssd logs in case of failure
- - - - -
ac788796 by Andreas Hasenack at 2025-01-06T15:07:46-03:00
changelog: autopkgtests
- - - - -
4d747161 by Andreas Hasenack at 2025-01-06T15:07:46-03:00
postinst: add filesystem capabilities to several helpers
d/sssd-krb5-common.postinst: add capabilities to ldap_child and krb5_child
d/sssd-ipa.postinst: add capabilities to selinux_child
- - - - -
b084aa87 by Andreas Hasenack at 2025-01-06T15:07:46-03:00
changelog: postinst
- - - - -
eb9854d6 by Andreas Hasenack at 2025-01-06T15:16:20-03:00
control: add libcap2-bin dependency
sssd-common, sssd-ipa, and sssd-krb5-common now invoke setcap in
postinst.
- - - - -
ea4e5460 by Andreas Hasenack at 2025-01-06T15:16:20-03:00
changelog: control
- - - - -
f5a844ef by Andreas Hasenack at 2025-01-06T15:16:20-03:00
rules: don't change permissions of proxy_child and sssd_pam
These also need to be installed with permissions 0750 (handled
via postinst)
- - - - -
3d30a347 by Andreas Hasenack at 2025-01-06T15:16:20-03:00
changelog: rules
- - - - -
7 changed files:
- debian/changelog
- debian/control
- debian/rules
- debian/sssd-common.postinst
- debian/sssd-ipa.postinst
- debian/sssd-krb5-common.postinst
- debian/tests/util
Changes:
=====================================
debian/changelog
=====================================
@@ -6,6 +6,12 @@ sssd (2.10.1-1) UNRELEASED; urgency=medium
* control: Add valgrind and libcap-dev to build-depends.
* install: Updated.
+ [ Andreas Hasenack ]
+ * autopkgtests: also gather sssd logs in case of failure
+ * postinst: add filesystem capabilities to several helpers
+ * control: add libcap2-bin dependency
+ * rules: don't change permissions of proxy_child and sssd_pam
+
-- Timo Aaltonen <tjaalton at debian.org> Fri, 03 Jan 2025 11:16:31 +0200
sssd (2.9.5-5) unstable; urgency=medium
=====================================
debian/control
=====================================
@@ -109,6 +109,7 @@ Description: System Security Services Daemon -- metapackage
Package: sssd-common
Architecture: any
Depends:
+ libcap2-bin,
libnss-sss (= ${binary:Version}),
libpam-sss (= ${binary:Version}),
python3,
@@ -136,6 +137,7 @@ Description: System Security Services Daemon -- common files
Package: sssd-ad
Architecture: any
Depends:
+ libcap2-bin,
libsss-idmap0 (= ${binary:Version}),
sssd-ad-common (= ${binary:Version}),
sssd-common (= ${binary:Version}),
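Review bot: the libcap2-bin dependency added to sssd-ad has no matching setcap call in this push. The changed-files list contains postinst scripts only for sssd-common, sssd-ipa and sssd-krb5-common, and the commit message for the control change names those same three packages. sssd-ad also already depends on sssd-common, which gains libcap2-bin in the previous hunk. Either drop the line from sssd-ad or state in the commit message why it is needed there.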
@@ -172,6 +174,7 @@ Description: System Security Services Daemon -- Kerberos plugins for external id
Package: sssd-ipa
Architecture: any
Depends:
+ libcap2-bin,
libipa-hbac0t64 (= ${binary:Version}),
libsss-idmap0 (= ${binary:Version}),
sssd-ad-common (= ${binary:Version}),
@@ -208,7 +211,10 @@ Description: System Security Services Daemon -- Kerberos back end
Package: sssd-krb5-common
Architecture: any
-Depends: sssd-common (= ${binary:Version}), ${misc:Depends}, ${shlibs:Depends}
+Depends: sssd-common (= ${binary:Version}),
+ libcap2-bin,
+ ${misc:Depends},
+ ${shlibs:Depends}
Recommends: libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal
Description: System Security Services Daemon -- Kerberos helpers
Provides helper processes that the LDAP and Kerberos back ends can use for
=====================================
debian/rules
=====================================
@@ -66,7 +66,7 @@ override_dh_auto_install:
dh_auto_install --max-parallel=1
override_dh_fixperms:
- dh_fixperms -Xkrb5_child -Xldap_child -Xselinux_child
+ dh_fixperms -Xproxy_child -Xkrb5_child -Xldap_child -Xselinux_child -Xsssd_pam
override_dh_install:
install -D -m755 $(CURDIR)/debian/generate-config \
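Review bot: proxy_child is now excluded from dh_fixperms on the changed line, but none of the postinst hunks in this push sets its mode or a capability; only sssd_pam gets a "chmod 750" in sssd-common.postinst. The commit message says both are handled via postinst, so either confirm that an existing postinst line already covers proxy_child or add the chmod next to the sssd_pam one. Since -X excludes every file whose name contains the given string, a short comment above the override listing the intended binaries and the reason for each exclusion would also help.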
=====================================
debian/sssd-common.postinst
=====================================
@@ -53,6 +53,8 @@ case "$1" in
chmod 750 /var/log/sssd
chmod 700 /etc/sssd
chmod 711 /etc/sssd
+ chmod 750 $LIBDIR/sssd_pam
+ setcap cap_dac_read_search=p $LIBDIR/sssd_pam
if [ -f /etc/sssd/sssd.conf ]; then
chown root:root /etc/sssd/sssd.conf
chmod 0600 /etc/sssd/sssd.conf
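Review bot: the new "setcap cap_dac_read_search=p $LIBDIR/sssd_pam" line has no failure handling. File capabilities are stored in the security.capability extended attribute, and setcap exits non-zero when the filesystem cannot store it. If this script runs under set -e (not visible in the hunk), that aborts package configuration; if it does not, the postinst continues and sssd_pam is left without the capability. Suggest checking the exit status and printing a clear message, and quoting "$LIBDIR/sssd_pam" in both added lines.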
=====================================
debian/sssd-ipa.postinst
=====================================
@@ -6,6 +6,7 @@ LIBDIR=/usr/libexec/sssd
case "$1" in
configure)
chmod 0750 $LIBDIR/selinux_child
+ setcap cap_setuid,cap_setgid=p $LIBDIR/selinux_child
chown -R root:root /var/lib/sss/keytabs
chmod 700 /var/lib/sss/keytabs
;;
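Review bot: at the added setcap line, selinux_child gains cap_setuid and cap_setgid while access is limited only by mode 0750, and the hunk never sets the owner or group of that file, so who may execute a binary that can change its UID and GID depends on whatever ownership the build installed. Suggest an explicit chown to the intended owner and group placed before the setcap call (a chown after it would clear the file capability), plus a comment saying why both capabilities are needed.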
=====================================
debian/sssd-krb5-common.postinst
=====================================
@@ -6,6 +6,8 @@ LIBDIR=/usr/libexec/sssd
case "$1" in
configure)
chmod 0750 $LIBDIR/krb5_child $LIBDIR/ldap_child
+ setcap cap_dac_read_search=p $LIBDIR/ldap_child
+ setcap cap_dac_read_search,cap_setuid,cap_setgid=p $LIBDIR/krb5_child
;;
esac
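Review bot: the two added setcap lines grant different sets (ldap_child gets cap_dac_read_search, krb5_child additionally gets cap_setuid and cap_setgid) with no comment explaining the difference. Because "=p" places them only in the permitted set, each helper has to raise what it needs itself; a one-line comment per call stating what the helper uses each capability for would let a later reviewer judge whether a grant can shrink. Quoting "$LIBDIR/..." is a minor style point here as well.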
=====================================
debian/tests/util
=====================================
@@ -275,6 +275,9 @@ cleanup_sshd_config() {
}
gather_logs() {
+ echo "## sssd"
+ tail -n 200 /var/log/sssd/*.log
+ echo
echo "## journalctl"
journalctl -b --lines 200
echo
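Review bot: the added "tail -n 200 /var/log/sssd/*.log" fails when the glob matches nothing, which is likely in exactly the case where sssd never started. The shell then passes the literal pattern to tail, which exits non-zero, and if the test scripts run under set -e (not visible in the hunk) gather_logs stops before reaching the journalctl output. Suggest guarding the call, for example by appending "|| true" or testing that the directory contains log files first.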
View it on GitLab: https://salsa.debian.org/sssd-team/sssd/-/compare/06349d90c2d967c8e4f1e8e2dcf20b7f5a7bd958...3d30a34731cd9f28d44dd25b0be9a0a66555ca85