deleted file mode 100644
@@ -1,318 +0,0 @@
-Backport patch to fix interpreter of sss_analyze.
-
-Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/ed3726c]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From ed3726c37fe07aab788404bfa2f9003db15f4210 Mon Sep 17 00:00:00 2001
-From: roy214 <abroy@redhat.com>
-Date: Tue, 25 Apr 2023 20:01:24 +0530
-Subject: [PATCH] sssctl: add error analyzer
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Also removing unused variable and import.
-
-Reviewed-by: Justin Stephenson <jstephen@redhat.com>
-Reviewed-by: Tomáš Halman <thalman@redhat.com>
----
- src/tools/analyzer/Makefile.am | 2 +
- src/tools/analyzer/modules/error.py | 61 +++++++++++++++++++++++++++
- src/tools/analyzer/modules/request.py | 54 +++++-------------------
- src/tools/analyzer/sss_analyze | 2 +-
- src/tools/analyzer/sss_analyze.py | 3 ++
- src/tools/analyzer/util.py | 44 +++++++++++++++++++
- 6 files changed, 121 insertions(+), 45 deletions(-)
- create mode 100644 src/tools/analyzer/modules/error.py
- create mode 100644 src/tools/analyzer/util.py
-
-diff --git a/src/tools/analyzer/Makefile.am b/src/tools/analyzer/Makefile.am
-index b40043d043..7692af8528 100644
---- a/src/tools/analyzer/Makefile.am
-+++ b/src/tools/analyzer/Makefile.am
-@@ -13,10 +13,12 @@ dist_pkgpython_DATA = \
- source_reader.py \
- parser.py \
- sss_analyze.py \
-+ util.py \
- $(NULL)
-
- modulesdir = $(pkgpythondir)/modules
- dist_modules_DATA = \
- modules/__init__.py \
- modules/request.py \
-+ modules/error.py \
- $(NULL)
-diff --git a/src/tools/analyzer/modules/error.py b/src/tools/analyzer/modules/error.py
-new file mode 100644
-index 0000000000..71173670c5
---- /dev/null
-+++ b/src/tools/analyzer/modules/error.py
-@@ -0,0 +1,61 @@
-+from sssd import util
-+from sssd.parser import SubparsersAction
-+from sssd import sss_analyze
-+
-+class ErrorAnalyzer:
-+ """
-+ An error analyzer module, list if there is any error reported by sssd_be
-+ """
-+ module_parser = None
-+ print_opts = []
-+
-+ def print_module_help(self, args):
-+ """
-+ Print the module parser help output
-+
-+ Args:
-+ args (Namespace): argparse parsed arguments
-+ """
-+ self.module_parser.print_help()
-+
-+ def setup_args(self, parser_grp, cli):
-+ """
-+ Setup module parser, subcommands, and options
-+
-+ Args:
-+ parser_grp (argparse.Action): Parser group to nest
-+ module and subcommands under
-+ """
-+ desc = "Analyze error check module"
-+ self.module_parser = parser_grp.add_parser('error',
-+ description=desc,
-+ help='Error checker')
-+
-+ subparser = self.module_parser.add_subparsers(title=None,
-+ dest='subparser',
-+ action=SubparsersAction,
-+ metavar='COMMANDS')
-+
-+ subcmd_grp = subparser.add_parser_group('Operation Modes')
-+ cli.add_subcommand(subcmd_grp, 'list', 'Print error messages found in backend',
-+ self.print_error, self.print_opts)
-+
-+ self.module_parser.set_defaults(func=self.print_module_help)
-+
-+ return self.module_parser
-+
-+ def print_error(self, args):
-+ err = 0
-+ utl = util.Utils()
-+ source = utl.load(args)
-+ component = source.Component.BE
-+ source.set_component(component, False)
-+ patterns = ['sdap_async_sys_connect request failed', 'terminated by own WATCHDOG',
-+ 'ldap_sasl_interactive_bind_s failed', 'Communication with KDC timed out', 'SSSD is offline', 'Backend is offline',
-+ 'tsig verify failure', 'ldap_install_tls failed', 's2n exop request failed']
-+ for line in utl.matched_line(source, patterns):
-+ err +=1
-+ print(line)
-+ if err > 0:
-+ print("For possible solutions please refer to https://sssd.io/troubleshooting/errors.html")
-+ return
-diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
-index d661dddb84..e4d5f060c7 100644
---- a/src/tools/analyzer/modules/request.py
-+++ b/src/tools/analyzer/modules/request.py
-@@ -1,6 +1,6 @@
- import re
- import logging
--
-+from sssd import util
- from sssd.parser import SubparsersAction
- from sssd.parser import Option
-
-@@ -38,7 +38,6 @@ def print_module_help(self, args):
- def setup_args(self, parser_grp, cli):
- """
- Setup module parser, subcommands, and options
--
- Args:
- parser_grp (argparse.Action): Parser group to nest
- module and subcommands under
-@@ -63,42 +62,6 @@ def setup_args(self, parser_grp, cli):
-
- return self.module_parser
-
-- def load(self, args):
-- """
-- Load the appropriate source reader.
--
-- Args:
-- args (Namespace): argparse parsed arguments
--
-- Returns:
-- Instantiated source object
-- """
-- if args.source == "journald":
-- from sssd.source_journald import Journald
-- source = Journald()
-- else:
-- from sssd.source_files import Files
-- source = Files(args.logdir)
-- return source
--
-- def matched_line(self, source, patterns):
-- """
-- Yield lines which match any number of patterns (OR) in
-- provided patterns list.
--
-- Args:
-- source (Reader): source Reader object
-- Yields:
-- lines matching the provided pattern(s)
-- """
-- for line in source:
-- for pattern in patterns:
-- re_obj = re.compile(pattern)
-- if re_obj.search(line):
-- if line.startswith(' * '):
-- continue
-- yield line
--
- def get_linked_ids(self, source, pattern, regex):
- """
- Retrieve list of associated REQ_TRACE ids. Filter
-@@ -114,8 +77,9 @@ def get_linked_ids(self, source, pattern, regex):
- Returns:
- List of linked ids discovered
- """
-+ utl = util.Utils()
- linked_ids = []
-- for match in self.matched_line(source, pattern):
-+ for match in utl.matched_line(source, pattern):
- id_re = re.compile(regex)
- match = id_re.search(match)
- if match:
-@@ -250,7 +214,8 @@ def list_requests(self, args):
- Args:
- args (Namespace): populated argparse namespace
- """
-- source = self.load(args)
-+ utl = util.Utils()
-+ source = utl.load(args)
- component = source.Component.NSS
- resp = "nss"
- # Log messages matching the following regex patterns contain
-@@ -266,7 +231,7 @@ def list_requests(self, args):
- if args.verbose:
- self.print_formatted_verbose(source)
- else:
-- for line in self.matched_line(source, patterns):
-+ for line in utl.matched_line(source, patterns):
- if type(source).__name__ == 'Journald':
- print(line)
- else:
-@@ -279,7 +244,8 @@ def track_request(self, args):
- Args:
- args (Namespace): populated argparse namespace
- """
-- source = self.load(args)
-+ utl = util.Utils()
-+ source = utl.load(args)
- cid = args.cid
- resp_results = False
- be_results = False
-@@ -294,7 +260,7 @@ def track_request(self, args):
- logger.info(f"******** Checking {resp} responder for Client ID"
- f" {cid} *******")
- source.set_component(component, args.child)
-- for match in self.matched_line(source, pattern):
-+ for match in utl.matched_line(source, pattern):
- resp_results = self.consume_line(match, source, args.merge)
-
- logger.info(f"********* Checking Backend for Client ID {cid} ********")
-@@ -307,7 +273,7 @@ def track_request(self, args):
- pattern.clear()
- [pattern.append(f'\\{id}') for id in be_ids]
-
-- for match in self.matched_line(source, pattern):
-+ for match in utl.matched_line(source, pattern):
- be_results = self.consume_line(match, source, args.merge)
-
- if args.merge:
-diff --git a/src/tools/analyzer/sss_analyze b/src/tools/analyzer/sss_analyze
-index 3f1beaf38b..6d4b5b30c6 100755
---- a/src/tools/analyzer/sss_analyze
-+++ b/src/tools/analyzer/sss_analyze
-@@ -1,4 +1,4 @@
--#!/usr/bin/env python
-+#!/usr/bin/env python3
-
- from sssd import sss_analyze
-
-diff --git a/src/tools/analyzer/sss_analyze.py b/src/tools/analyzer/sss_analyze.py
-index 18b998f380..dafc84fc03 100644
---- a/src/tools/analyzer/sss_analyze.py
-+++ b/src/tools/analyzer/sss_analyze.py
-@@ -1,6 +1,7 @@
- import argparse
-
- from sssd.modules import request
-+from sssd.modules import error
- from sssd.parser import SubparsersAction
-
-
-@@ -55,9 +56,11 @@ def load_modules(self, parser, parser_grp):
- """
- # Currently only the 'request' module exists
- req = request.RequestAnalyzer()
-+ err = error.ErrorAnalyzer()
- cli = Analyzer()
-
- req.setup_args(parser_grp, cli)
-+ err.setup_args(parser_grp, cli)
-
- def setup_args(self):
- """
-diff --git a/src/tools/analyzer/util.py b/src/tools/analyzer/util.py
-new file mode 100644
-index 0000000000..2a8d153a71
---- /dev/null
-+++ b/src/tools/analyzer/util.py
-@@ -0,0 +1,44 @@
-+import re
-+import logging
-+
-+from sssd.source_files import Files
-+from sssd.source_journald import Journald
-+
-+logger = logging.getLogger()
-+
-+
-+class Utils:
-+
-+ def load(self, args):
-+ """
-+ Load the appropriate source reader.
-+
-+ Args:
-+ args (Namespace): argparse parsed arguments
-+
-+ Returns:
-+ Instantiated source object
-+ """
-+ if args.source == "journald":
-+ source = Journald()
-+ else:
-+ source = Files(args.logdir)
-+ return source
-+
-+ def matched_line(self, source, patterns):
-+ """
-+ Yield lines which match any number of patterns (OR) in
-+ provided patterns list.
-+
-+ Args:
-+ source (Reader): source Reader object
-+ Yields:
-+ lines matching the provided pattern(s)
-+ """
-+ for line in source:
-+ for pattern in patterns:
-+ re_obj = re.compile(pattern)
-+ if re_obj.search(line):
-+ if line.startswith(' * '):
-+ continue
-+ yield line
deleted file mode 100644
@@ -1,219 +0,0 @@
-From f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Wed, 8 Nov 2023 14:50:24 +0100
-Subject: [PATCH] ad-gpo: use hash to store intermediate results
-
-Currently after the evaluation of a single GPO file the intermediate
-results are stored in the cache and this cache entry is updated until
-all applicable GPO files are evaluated. Finally the data in the cache is
-used to make the decision of access is granted or rejected.
-
-If there are two or more access-control request running in parallel one
-request might overwrite the cache object with intermediate data while
-another request reads the cached data for the access decision and as a
-result will do this decision based on intermediate data.
-
-To avoid this the intermediate results are not stored in the cache
-anymore but in hash tables which are specific to the request. Only the
-final result is written to the cache to have it available for offline
-authentication.
-
-Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
-Reviewed-by: Tomáš Halman <thalman@redhat.com>
-(cherry picked from commit d7db7971682da2dbf7642ac94940d6b0577ec35a)
-
-Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726]
-CVE: CVE-2023-3758
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
-
----
- src/providers/ad/ad_gpo.c | 116 +++++++++++++++++++++++++++++++++-----
- 1 file changed, 102 insertions(+), 14 deletions(-)
-
-diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
-index 44e9cbb..cec0cb4 100644
---- a/src/providers/ad/ad_gpo.c
-+++ b/src/providers/ad/ad_gpo.c
-@@ -1317,6 +1317,33 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
- return ret;
- }
-
-+static errno_t
-+add_result_to_hash(hash_table_t *hash, const char *key, char *value)
-+{
-+ int hret;
-+ hash_key_t k;
-+ hash_value_t v;
-+
-+ if (hash == NULL || key == NULL || value == NULL) {
-+ return EINVAL;
-+ }
-+
-+ k.type = HASH_KEY_CONST_STRING;
-+ k.c_str = key;
-+
-+ v.type = HASH_VALUE_PTR;
-+ v.ptr = value;
-+
-+ hret = hash_enter(hash, &k, &v);
-+ if (hret != HASH_SUCCESS) {
-+ DEBUG(SSSDBG_OP_FAILURE, "Failed to add [%s][%s] to hash: [%s].\n",
-+ key, value, hash_error_string(hret));
-+ return EIO;
-+ }
-+
-+ return EOK;
-+}
-+
- /*
- * This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename,
- * and stores the allow_key and deny_key of all of the gpo_map_types present
-@@ -1324,6 +1351,7 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
- */
- static errno_t
- ad_gpo_store_policy_settings(struct sss_domain_info *domain,
-+ hash_table_t *allow_maps, hash_table_t *deny_maps,
- const char *filename)
- {
- struct ini_cfgfile *file_ctx = NULL;
-@@ -1457,14 +1485,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
- goto done;
- } else if (ret != ENOENT) {
- const char *value = allow_value ? allow_value : empty_val;
-- ret = sysdb_gpo_store_gpo_result_setting(domain,
-- allow_key,
-- value);
-+ ret = add_result_to_hash(allow_maps, allow_key,
-+ talloc_strdup(allow_maps, value));
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE,
-- "sysdb_gpo_store_gpo_result_setting failed for key:"
-- "'%s' value:'%s' [%d][%s]\n", allow_key, allow_value,
-- ret, sss_strerror(ret));
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
-+ "value: [%s] to allow maps "
-+ "[%d][%s].\n",
-+ allow_key, value, ret,
-+ sss_strerror(ret));
- goto done;
- }
- }
-@@ -1484,14 +1512,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
- goto done;
- } else if (ret != ENOENT) {
- const char *value = deny_value ? deny_value : empty_val;
-- ret = sysdb_gpo_store_gpo_result_setting(domain,
-- deny_key,
-- value);
-+ ret = add_result_to_hash(deny_maps, deny_key,
-+ talloc_strdup(deny_maps, value));
- if (ret != EOK) {
-- DEBUG(SSSDBG_CRIT_FAILURE,
-- "sysdb_gpo_store_gpo_result_setting failed for key:"
-- "'%s' value:'%s' [%d][%s]\n", deny_key, deny_value,
-- ret, sss_strerror(ret));
-+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
-+ "value: [%s] to deny maps "
-+ "[%d][%s].\n",
-+ deny_key, value, ret,
-+ sss_strerror(ret));
- goto done;
- }
- }
-@@ -1784,6 +1812,8 @@ struct ad_gpo_access_state {
- int num_cse_filtered_gpos;
- int cse_gpo_index;
- const char *ad_domain;
-+ hash_table_t *allow_maps;
-+ hash_table_t *deny_maps;
- };
-
- static void ad_gpo_connect_done(struct tevent_req *subreq);
-@@ -1906,6 +1936,19 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
- goto immediately;
- }
-
-+ ret = sss_hash_create(state, 0, &state->allow_maps);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create allow maps "
-+ "hash table [%d]: %s\n", ret, sss_strerror(ret));
-+ goto immediately;
-+ }
-+
-+ ret = sss_hash_create(state, 0, &state->deny_maps);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create deny maps "
-+ "hash table [%d]: %s\n", ret, sss_strerror(ret));
-+ goto immediately;
-+ }
-
- subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
- if (subreq == NULL) {
-@@ -2725,6 +2768,43 @@ ad_gpo_cse_step(struct tevent_req *req)
- return EAGAIN;
- }
-
-+static errno_t
-+store_hash_maps_in_cache(struct sss_domain_info *domain,
-+ hash_table_t *allow_maps, hash_table_t *deny_maps)
-+{
-+ int ret;
-+ struct hash_iter_context_t *iter;
-+ hash_entry_t *entry;
-+ size_t c;
-+ hash_table_t *hash_list[] = { allow_maps, deny_maps, NULL};
-+
-+
-+ for (c = 0; hash_list[c] != NULL; c++) {
-+ iter = new_hash_iter_context(hash_list[c]);
-+ if (iter == NULL) {
-+ DEBUG(SSSDBG_OP_FAILURE, "Failed to create hash iterator.\n");
-+ return EINVAL;
-+ }
-+
-+ while ((entry = iter->next(iter)) != NULL) {
-+ ret = sysdb_gpo_store_gpo_result_setting(domain,
-+ entry->key.c_str,
-+ entry->value.ptr);
-+ if (ret != EOK) {
-+ free(iter);
-+ DEBUG(SSSDBG_OP_FAILURE,
-+ "sysdb_gpo_store_gpo_result_setting failed for key:"
-+ "[%s] value:[%s] [%d][%s]\n", entry->key.c_str,
-+ (char *) entry->value.ptr, ret, sss_strerror(ret));
-+ return ret;
-+ }
-+ }
-+ talloc_free(iter);
-+ }
-+
-+ return EOK;
-+}
-+
- /*
- * This cse-specific function (GP_EXT_GUID_SECURITY) increments the
- * cse_gpo_index until the policy settings for all applicable GPOs have been
-@@ -2766,6 +2846,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)
- * (as part of the GPO Result object in the sysdb cache).
- */
- ret = ad_gpo_store_policy_settings(state->host_domain,
-+ state->allow_maps, state->deny_maps,
- cse_filtered_gpo->policy_filename);
- if (ret != EOK && ret != ENOENT) {
- DEBUG(SSSDBG_OP_FAILURE,
-@@ -2779,6 +2860,13 @@ ad_gpo_cse_done(struct tevent_req *subreq)
-
- if (ret == EOK) {
- /* ret is EOK only after all GPO policy files have been downloaded */
-+ ret = store_hash_maps_in_cache(state->host_domain,
-+ state->allow_maps, state->deny_maps);
-+ if (ret != EOK) {
-+ DEBUG(SSSDBG_OP_FAILURE, "Failed to store evaluated GPO maps "
-+ "[%d][%s].\n", ret, sss_strerror(ret));
-+ goto done;
-+ }
- ret = ad_gpo_perform_hbac_processing(state,
- state->gpo_mode,
- state->gpo_map_type,
---
-2.25.1
@@ -7,7 +7,8 @@ domains = shadowutils
[pam]
[domain/shadowutils]
-id_provider = files
+id_provider = proxy
+proxy_lib_name = files
auth_provider = proxy
proxy_pam_target = sssd-shadowutils
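Review bot: The switch from `id_provider = files` to `id_provider = proxy` plus `proxy_lib_name = files` has no comment in sssd.conf explaining it, and the commit message only says the file was updated. Presumably the files provider is no longer built with this recipe's configure options in 2.10.2. If so, a line such as `# files provider is not built here; local users are resolved through the proxy provider and the "files" NSS module` above `id_provider` would keep a later maintainer from reverting it. Because the proxy provider loads the NSS module named by `proxy_lib_name` at run time, it is worth confirming that a `files` NSS module exists on every supported libc. The recipe still carries `musl_fixup.patch`, so musl images are presumably in scope.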
deleted file mode 100644
@@ -1 +0,0 @@
-d root root 0750 /var/log/sssd none
similarity index 84%
rename from dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb
rename to dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.10.2.bb
@@ -18,16 +18,13 @@ DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \
SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/${BP}.tar.gz \
file://sssd.conf \
- file://volatiles.99_sssd \
file://no_gen.patch \
file://fix_gid.patch \
file://drop_ntpdate_chk.patch \
file://fix-ldblibdir.patch \
file://musl_fixup.patch \
- file://0001-sssctl-add-error-analyzer.patch \
- file://CVE-2023-3758.patch \
"
-SRC_URI[sha256sum] = "827bc65d64132410e6dd3df003f04829d60387ec30e72b2d4e22d93bb6f762ba"
+SRC_URI[sha256sum] = "e8aa5e6b48ae465bea7064048715ce7e9c53b50ec6a9c69304f59e0d35be40ff"
UPSTREAM_CHECK_URI = "https://github.com/SSSD/${BPN}/releases"
@@ -42,24 +39,23 @@ CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
ac_cv_prog_HAVE_PYTHON3=yes \
"
-PACKAGECONFIG ?= "nss autofs sudo infopipe"
+PACKAGECONFIG ?= "nss autofs sudo"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no"
PACKAGECONFIG[crypto] = ", , libcrypto"
PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson"
-PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "
PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native"
PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
PACKAGECONFIG[nss] = ", ,nss,"
PACKAGECONFIG[oidc_child] = "--with-oidc-child, --without-oidc-child"
PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings python3dir=${PYTHON_SITEPACKAGES_DIR}, python3-setuptools-native"
PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
-PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"
+PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no, libselinux"
PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, "
PACKAGECONFIG[sudo] = "--with-sudo, --with-sudo=no, "
-PACKAGECONFIG[systemd] = "--with-initscript=systemd,--with-initscript=sysv,,python3-systemd"
+PACKAGECONFIG[systemd] = "--with-initscript=systemd --with-systemdunitdir=${systemd_system_unitdir} --with-systemdconfdir=${sysconfdir}/systemd/system, --with-initscript=sysv,,python3-systemd"
EXTRA_OECONF += " \
--disable-cifs-idmap-plugin \
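Review bot: `PACKAGECONFIG[selinux]` drops `--with-semanage=no` from its disabled side, but the enabled side still lists only `libselinux` as a build dependency. If upstream 2.10 removed the separate semanage switch and now pulls libsemanage in whenever `--with-selinux` is given (an inference, since the configure script is not visible here), the entry would need `libselinux libsemanage` to build with the selinux DISTRO_FEATURE. A short comment above the entry recording which is the case would help, for example `# --with-semanage was removed upstream in 2.10`.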
@@ -68,11 +64,11 @@ EXTRA_OECONF += " \
--without-python2-bindings \
--enable-pammoddir=${base_libdir}/security \
--with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \
- --with-pid-path=/run \
+ --with-pid-path=/run/sssd \
--with-os=fedora \
"
-do_configure:prepend() {
+do_configure:prepend () {
mkdir -p ${AUTOTOOLS_AUXDIR}/build
cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/
@@ -84,6 +80,7 @@ do_compile:prepend () {
sed -i -e "s/__useconds_t/useconds_t/g" ${S}/src/tools/tools_mc_util.c
echo '#define NSUPDATE_PATH "${bindir}"' >> ${B}/config.h
}
+
do_install () {
oe_runmake install DESTDIR="${D}"
rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
@@ -99,12 +96,14 @@ do_install () {
if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
install -d ${D}${sysconfdir}/tmpfiles.d
- echo "d /var/log/sssd 0750 - - - -" > ${D}${sysconfdir}/tmpfiles.d/sss.conf
+ echo "d /var/log/sssd 0750 ${SSSD_UID} ${SSSD_GID} - -" > ${D}${sysconfdir}/tmpfiles.d/sssd.conf
+ echo "d /run/sssd 0750 ${SSSD_UID} ${SSSD_GID} - -" >> ${D}${sysconfdir}/tmpfiles.d/sssd.conf
fi
if [ "${@bb.utils.filter('DISTRO_FEATURES', 'sysvinit', d)}" ]; then
install -d ${D}${sysconfdir}/default/volatiles
- echo "d ${SSSD_UID}:${SSSD_GID} 0755 ${localstatedir}/log/${BPN} none" > ${D}${sysconfdir}/default/volatiles/99_${BPN}
+ echo "d ${SSSD_UID}:${SSSD_GID} 0750 ${localstatedir}/log/sssd none" > ${D}${sysconfdir}/default/volatiles/99_sssd
+ echo "d ${SSSD_UID}:${SSSD_GID} 0750 ${localstatedir}/run/sssd none" >> ${D}${sysconfdir}/default/volatiles/99_sssd
fi
if ${@bb.utils.contains('PACKAGECONFIG', 'python3', 'true', 'false', d)}; then
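Review bot: The runtime directory is now spelled three different ways: `--with-pid-path=/run/sssd` in EXTRA_OECONF, `/run/sssd` in the tmpfiles.d entry, and `${localstatedir}/run/sssd` in the sysvinit volatiles entry. These agree only where /var/run is a symlink to /run, and nothing ties the two `echo` lines to the configure option. On a mismatch the daemon would look for a directory that was never created with sssd ownership and mode 0750. I would add `# must match --with-pid-path in EXTRA_OECONF` above both `/run/sssd` lines, or write the sysvinit entry as `/run/sssd` as well. The body of do_install continues outside this hunk.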
@@ -112,15 +111,13 @@ do_install () {
fi
# Remove /run as it is created on startup
- rm -rf ${D}/run
-
- rm -f ${D}${systemd_system_unitdir}/sssd-secrets.*
+ rm -rf ${D}/run ${D}/var/run
}
pkg_postinst_ontarget:${PN} () {
-if [ -e /etc/init.d/populate-volatile.sh ] ; then
- ${sysconfdir}/init.d/populate-volatile.sh update
-fi
+ if [ -e /etc/init.d/populate-volatile.sh ] ; then
+ ${sysconfdir}/init.d/populate-volatile.sh update
+ fi
chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf
}
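Review bot: The new `rm -rf ${D}/run ${D}/var/run` hardcodes `/var`, while the volatiles entry added elsewhere in this commit uses `${localstatedir}`; `rm -rf ${D}/run ${D}${localstatedir}/run` would be consistent with it. The comment above it still reads `# Remove /run as it is created on startup` and could mention both paths. In the re-indented pkg_postinst, the existence test uses the literal `/etc/init.d/populate-volatile.sh` while the call uses `${sysconfdir}/init.d/populate-volatile.sh`. Since those lines are being touched anyway, both could use `${sysconfdir}`.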
@@ -131,12 +128,11 @@ INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ."
SYSTEMD_SERVICE:${PN} = " \
${@bb.utils.contains('PACKAGECONFIG', 'autofs', 'sssd-autofs.service sssd-autofs.socket', '', d)} \
${@bb.utils.contains('PACKAGECONFIG', 'curl', 'sssd-kcm.service sssd-kcm.socket', '', d)} \
- ${@bb.utils.contains('PACKAGECONFIG', 'infopipe', 'sssd-ifp.service ', '', d)} \
${@bb.utils.contains('PACKAGECONFIG', 'ssh', 'sssd-ssh.service sssd-ssh.socket', '', d)} \
${@bb.utils.contains('PACKAGECONFIG', 'sudo', 'sssd-sudo.service sssd-sudo.socket', '', d)} \
+ sssd-ifp.service \
sssd-nss.service \
sssd-nss.socket \
- sssd-pam-priv.socket \
sssd-pam.service \
sssd-pam.socket \
sssd.service \
ChangeLog: https://github.com/SSSD/sssd/releases/tag/2.10.2 * Drop backport patches. * Update sssd.conf and volatile files. * Drop PACKAGECONFIG[infopipe] as it has been removed upstream. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> --- .../0001-sssctl-add-error-analyzer.patch | 318 ------------------ .../sssd/files/CVE-2023-3758.patch | 219 ------------ .../recipes-security/sssd/files/sssd.conf | 3 +- .../sssd/files/volatiles.99_sssd | 1 - .../sssd/{sssd_2.9.2.bb => sssd_2.10.2.bb} | 36 +- 5 files changed, 18 insertions(+), 559 deletions(-) delete mode 100644 dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch delete mode 100644 dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch delete mode 100644 dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd rename dynamic-layers/networking-layer/recipes-security/sssd/{sssd_2.9.2.bb => sssd_2.10.2.bb} (84%)