From d5551df3b29ad499948e035ecfcecc2f8510a218 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20F=C3=B6rster?= Date: Sun, 27 Aug 2023 22:52:46 +0200 Subject: [PATCH] [sys-auth/sssd] merge some changes from recent pr for further testing --- .../files/sssd-2.8.2-krb5_pw_locked.patch | 12 +++ ...b5-1.21-for-building-the-PAC-plugin.patch} | 7 +- ...ertmap-fix-partial-string-comparison.patch | 87 +++++++++++++++++++ ...ssd-2.9.1-conditional-python-install.patch | 22 ++--- ...-show-and-cert-eval-rule-as-non-root.patch | 39 +++++++++ sys-auth/sssd/sssd-2.9.1.ebuild | 32 ++++--- 6 files changed, 172 insertions(+), 27 deletions(-) create mode 100644 sys-auth/sssd/files/sssd-2.8.2-krb5_pw_locked.patch rename sys-auth/sssd/files/{sssd-2.9.1-mit-krb-1.21.patch => sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch} (83%) create mode 100644 sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch create mode 100644 sys-auth/sssd/files/sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch diff --git a/sys-auth/sssd/files/sssd-2.8.2-krb5_pw_locked.patch b/sys-auth/sssd/files/sssd-2.8.2-krb5_pw_locked.patch new file mode 100644 index 0000000..37e4e5d --- /dev/null +++ b/sys-auth/sssd/files/sssd-2.8.2-krb5_pw_locked.patch @@ -0,0 +1,12 @@ +diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c +index a1c0b36..207c010 100644 +--- a/src/providers/krb5/krb5_auth.c ++++ b/src/providers/krb5/krb5_auth.c +@@ -1037,6 +1037,7 @@ static void krb5_auth_done(struct tevent_req *subreq) + case ERR_ACCOUNT_LOCKED: + state->pam_status = PAM_PERM_DENIED; + state->dp_err = DP_ERR_OK; ++ state->pd->account_locked = true; + ret = EOK; + goto done; + \ No newline at end of file diff --git a/sys-auth/sssd/files/sssd-2.9.1-mit-krb-1.21.patch b/sys-auth/sssd/files/sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch similarity index 83% rename from sys-auth/sssd/files/sssd-2.9.1-mit-krb-1.21.patch rename to sys-auth/sssd/files/sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch index 01aef9b..c849fe7 100644 --- a/sys-auth/sssd/files/sssd-2.9.1-mit-krb-1.21.patch +++ b/sys-auth/sssd/files/sssd-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch @@ -1,7 +1,7 @@ From 74d0f4538deb766592079b1abca0d949d6dea105 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Thu, 15 Jun 2023 12:05:03 +0200 -Subject: [PATCH] BUILD: Accept krb5 1.21 for building the PAC plugin +Subject: [PATCH 1/1] BUILD: Accept krb5 1.21 for building the PAC plugin MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -13,7 +13,7 @@ Reviewed-by: Sumit Bose 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4 -index 3cbe3c9cfb..90727185b5 100644 +index 3cbe3c9cfba03b59e26a8c5c2d73446eead2acea..90727185b574411bddd928f8d87efdc87076eba4 100644 --- a/src/external/pac_responder.m4 +++ b/src/external/pac_responder.m4 @@ -22,7 +22,8 @@ then @@ -26,3 +26,6 @@ index 3cbe3c9cfb..90727185b5 100644 krb5_version_ok=yes AC_MSG_RESULT([yes]) ;; +-- +2.41.0 + diff --git a/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch b/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch new file mode 100644 index 0000000..258940b --- /dev/null +++ b/sys-auth/sssd/files/sssd-2.9.1-certmap-fix-partial-string-comparison.patch @@ -0,0 +1,87 @@ +From 11afa7a6ef7e15f1e98c7145ad5c80bbdfc520e2 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 4 Jul 2023 19:06:27 +0200 +Subject: [PATCH 3/3] certmap: fix partial string comparison +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If the formatting option of the certificate digest/hash function +contained and additional specifier separated with a '_' the comparison +of the provided digest name and the available ones was incomplete, the +last character was ignored and the comparison was successful if even if +there was only a partial match. + +Resolves: https://github.com/SSSD/sssd/issues/6802 + +Reviewed-by: Alejandro López +Reviewed-by: Alexey Tikhonov +(cherry picked from commit 0817ca3b366f51510705ab77d7900c0b65b7d2fc) +--- + src/lib/certmap/sss_certmap_ldap_mapping.c | 9 ++++++++- + src/tests/cmocka/test_certmap.c | 22 ++++++++++++++++++++++ + 2 files changed, 30 insertions(+), 1 deletion(-) + +diff --git a/src/lib/certmap/sss_certmap_ldap_mapping.c b/src/lib/certmap/sss_certmap_ldap_mapping.c +index 2f16837a1..354b0310b 100644 +--- a/src/lib/certmap/sss_certmap_ldap_mapping.c ++++ b/src/lib/certmap/sss_certmap_ldap_mapping.c +@@ -228,14 +228,21 @@ int check_digest_conversion(const char *inp, const char **digest_list, + bool colon = false; + bool reverse = false; + char *c; ++ size_t len = 0; + + sep = strchr(inp, '_'); ++ if (sep != NULL) { ++ len = sep - inp; ++ } + + for (d = 0; digest_list[d] != NULL; d++) { + if (sep == NULL) { + cmp = strcasecmp(digest_list[d], inp); + } else { +- cmp = strncasecmp(digest_list[d], inp, (sep - inp -1)); ++ if (strlen(digest_list[d]) != len) { ++ continue; ++ } ++ cmp = strncasecmp(digest_list[d], inp, len); + } + + if (cmp == 0) { +diff --git a/src/tests/cmocka/test_certmap.c b/src/tests/cmocka/test_certmap.c +index da312beaf..a15984d60 100644 +--- a/src/tests/cmocka/test_certmap.c ++++ b/src/tests/cmocka/test_certmap.c +@@ -2183,6 +2183,28 @@ static void test_sss_certmap_ldapu1_cert(void **state) + assert_non_null(ctx); + assert_null(ctx->prio_list); + ++ /* cert!sha */ ++ ret = sss_certmap_add_rule(ctx, 91, ++ "KRB5:.*", ++ "LDAP:rule91={cert!sha}", NULL); ++ assert_int_equal(ret, EINVAL); ++ ++ ret = sss_certmap_add_rule(ctx, 91, ++ "KRB5:.*", ++ "LDAPU1:rule91={cert!sha}", NULL); ++ assert_int_equal(ret, EINVAL); ++ ++ /* cert!sha_u */ ++ ret = sss_certmap_add_rule(ctx, 90, ++ "KRB5:.*", ++ "LDAP:rule90={cert!sha_u}", NULL); ++ assert_int_equal(ret, EINVAL); ++ ++ ret = sss_certmap_add_rule(ctx, 99, ++ "KRB5:.*", ++ "LDAPU1:rule90={cert!sha_u}", NULL); ++ assert_int_equal(ret, EINVAL); ++ + /* cert!sha555 */ + ret = sss_certmap_add_rule(ctx, 89, + "KRB5:.*", +-- +2.38.1 + diff --git a/sys-auth/sssd/files/sssd-2.9.1-conditional-python-install.patch b/sys-auth/sssd/files/sssd-2.9.1-conditional-python-install.patch index 6ebe2a3..de46b96 100644 --- a/sys-auth/sssd/files/sssd-2.9.1-conditional-python-install.patch +++ b/sys-auth/sssd/files/sssd-2.9.1-conditional-python-install.patch @@ -1,26 +1,18 @@ +diff --git a/src/tools/analyzer/Makefile.am b/src/tools/analyzer/Makefile.am +index b40043d04..dce6b9d36 100644 --- a/src/tools/analyzer/Makefile.am +++ b/src/tools/analyzer/Makefile.am -@@ -1,11 +1,12 @@ - sss_analyze_pythondir = $(libexecdir)/sssd -+pkgpythondir = $(python3dir)/sssd +@@ -5,7 +5,9 @@ dist_sss_analyze_python_SCRIPTS = \ + $(NULL) + + pkgpythondir = $(python3dir)/sssd +modulesdir = $(pkgpythondir)/modules +if BUILD_PYTHON_BINDINGS - dist_sss_analyze_python_SCRIPTS = \ - sss_analyze \ - $(NULL) - --pkgpythondir = $(python3dir)/sssd -- dist_pkgpython_DATA = \ __init__.py \ source_files.py \ -@@ -15,8 +16,8 @@ dist_pkgpython_DATA = \ - sss_analyze.py \ - $(NULL) - --modulesdir = $(pkgpythondir)/modules - dist_modules_DATA = \ +@@ -20,3 +22,4 @@ dist_modules_DATA = \ modules/__init__.py \ modules/request.py \ $(NULL) diff --git a/sys-auth/sssd/files/sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch b/sys-auth/sssd/files/sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch new file mode 100644 index 0000000..3a72436 --- /dev/null +++ b/sys-auth/sssd/files/sssd-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch @@ -0,0 +1,39 @@ +From 15d7d34b20219e2fd45c43881088f5d542e9603e Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 4 Jul 2023 18:56:35 +0200 +Subject: [PATCH 2/3] sssct: allow cert-show and cert-eval-rule as non-root +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The cert-show and cert-eval-rule sub-commands do not need root access and +do not require SSSD to be configured on the host. + +Resolves: https://github.com/SSSD/sssd/issues/6802 + +Reviewed-by: Alejandro López +Reviewed-by: Alexey Tikhonov +(cherry picked from commit 8466f0e4d0c6cd2b98d2789970847b9adc01d7d4) +--- + src/tools/sssctl/sssctl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c +index 855260aed..04c41aa9a 100644 +--- a/src/tools/sssctl/sssctl.c ++++ b/src/tools/sssctl/sssctl.c +@@ -340,9 +340,9 @@ int main(int argc, const char **argv) + SSS_TOOL_COMMAND_FLAGS("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check, SSS_TOOL_FLAG_SKIP_CMD_INIT), + #endif + SSS_TOOL_DELIMITER("Certificate related tools:"), +- SSS_TOOL_COMMAND("cert-show", "Print information about the certificate", 0, sssctl_cert_show), ++ SSS_TOOL_COMMAND_FLAGS("cert-show", "Print information about the certificate", 0, sssctl_cert_show, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK), + SSS_TOOL_COMMAND("cert-map", "Show users mapped to the certificate", 0, sssctl_cert_map), +- SSS_TOOL_COMMAND("cert-eval-rule", "Check mapping and matching rule with a certificate", 0, sssctl_cert_eval_rule), ++ SSS_TOOL_COMMAND_FLAGS("cert-eval-rule", "Check mapping and matching rule with a certificate", 0, sssctl_cert_eval_rule, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK), + #ifdef BUILD_PASSKEY + SSS_TOOL_DELIMITER("Passkey related tools:"), + SSS_TOOL_COMMAND_FLAGS("passkey-register", "Perform passkey registration", 0, sssctl_passkey_register, SSS_TOOL_FLAG_SKIP_CMD_INIT|SSS_TOOL_FLAG_SKIP_ROOT_CHECK), +-- +2.38.1 + diff --git a/sys-auth/sssd/sssd-2.9.1.ebuild b/sys-auth/sssd/sssd-2.9.1.ebuild index 3f88a61..0fbb3eb 100644 --- a/sys-auth/sssd/sssd-2.9.1.ebuild +++ b/sys-auth/sssd/sssd-2.9.1.ebuild @@ -14,13 +14,19 @@ inherit autotools linux-info multilib-minimal optfeature plocale \ DESCRIPTION="System Security Services Daemon provides access to identity and authentication" HOMEPAGE="https://github.com/SSSD/sssd" -SRC_URI="https://github.com/SSSD/sssd/releases/download/${PV}/${P}.tar.gz" -SRC_URI+=" verify-sig? ( https://github.com/SSSD/sssd/releases/download/${PV}/${P}.tar.gz.asc )" +if [[ ${PV} != 9999 ]]; then + SRC_URI="https://github.com/SSSD/sssd/releases/download/${PV}/${P}.tar.gz" + SRC_URI+=" verify-sig? ( https://github.com/SSSD/sssd/releases/download/${PV}/${P}.tar.gz.asc )" +else + inherit git-r3 + EGIT_REPO_URI="https://github.com/SSSD/sssd.git" + EGIT_BRANCH="master" +fi LICENSE="GPL-3" SLOT="0" KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86" -IUSE="acl doc +netlink nfsv4 nls +man python samba selinux subid sudo systemd systemtap test" +IUSE="acl doc +netlink nfsv4 nls +man python samba selinux sudo systemd systemtap test" REQUIRED_USE=" python? ( ${PYTHON_REQUIRED_USE} ) test? ( sudo )" @@ -36,12 +42,13 @@ DEPEND=" dev-libs/libunistring:= >=dev-libs/popt-1.16 >=dev-libs/openssl-1.0.2:= + dev-libs/libunistring:= || ( >=net-dns/bind-tools-9.9[gssapi] >=net-dns/bind-9.18[gssapi] ) >=net-dns/c-ares-1.10.0-r1:=[${MULTILIB_USEDEP}] - >=net-nds/openldap-2.4.30:=[sasl] + >=net-nds/openldap-2.4.30:=[sasl,experimental] >=sys-apps/dbus-1.6 >=sys-apps/keyutils-1.5:= >=sys-libs/pam-0-r1[${MULTILIB_USEDEP}] @@ -102,8 +109,11 @@ BDEPEND=" CONFIG_CHECK="~KEYS" PATCHES=( - "${FILESDIR}"/${PN}-2.9.1-conditional-python-install.patch - "${FILESDIR}"/${PN}-2.9.1-mit-krb-1.21.patch + "${FILESDIR}/${PN}-2.8.2-krb5_pw_locked.patch" + "${FILESDIR}/${PN}-2.9.1-BUILD-Accept-krb5-1.21-for-building-the-PAC-plugin.patch" + "${FILESDIR}/${PN}-2.9.1-certmap-fix-partial-string-comparison.patch" + "${FILESDIR}/${PN}-2.9.1-sssct-allow-cert-show-and-cert-eval-rule-as-non-root.patch" + "${FILESDIR}/${PN}-2.9.1-conditional-python-install.patch" ) MULTILIB_WRAPPED_HEADERS=( @@ -171,8 +181,10 @@ multilib_src_configure() { local myconf=() myconf+=( + --libexecdir="${EPREFIX}"/usr/libexec --localstatedir="${EPREFIX}"/var --runstatedir="${EPREFIX}"/run + --sbindir="${EPREFIX}"/usr/sbin --with-pid-path="${EPREFIX}"/run --with-plugin-path="${EPREFIX}"/usr/$(get_libdir)/sssd --enable-pammoddir="${EPREFIX}"/$(getpam_mod_dir) @@ -184,19 +196,19 @@ multilib_src_configure() { --with-mcache-path="${EPREFIX}"/var/lib/sss/mc --with-secrets-db-path="${EPREFIX}"/var/lib/sss/secrets --with-log-path="${EPREFIX}"/var/log/sssd + --with-kcm + --enable-kcm-renewal --with-os=gentoo --disable-rpath --disable-static # Valgrind is only used for tests --disable-valgrind - --sbindir="${EPREFIX}"/usr/sbin - --libexecdir="${EPREFIX}"/usr/libexec + $(multilib native_with files) $(use_with samba) --with-smb-idmap-interface-version=6 $(multilib_native_use_enable acl cifs-idmap-plugin) $(multilib_native_use_with selinux) $(multilib_native_use_with selinux semanage) - --with-kcm --enable-krb5-locator-plugin $(use_enable samba pac-responder) $(multilib_native_use_with nfsv4 nfsv4-idmapd-plugin) @@ -322,6 +334,6 @@ multilib_src_install_all() { pkg_postinst() { elog "You must set up sssd.conf (default installed into /etc/sssd)" elog "and (optionally) configuration in /etc/pam.d in order to use SSSD" - elog "features. Please see howto in https://sssd.io/docs/design_pages/smartcard_authentication_require.html" + elog "features." optfeature "Kerberos keytab renew (see krb5_renew_interval)" app-crypt/adcli }