From patchwork Thu Mar 27 13:23:26 2025
X-Patchwork-Submitter: Yi Zhao
X-Patchwork-Id: 60076
From: Yi Zhao
To: yocto-patches@lists.yoctoproject.org
Subject: [meta-security][PATCH 4/5] sssd: upgrade 2.9.2 -> 2.10.2
Date: Thu, 27 Mar 2025 21:23:26 +0800
Message-Id: <20250327132327.3477926-4-yi.zhao@windriver.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20250327132327.3477926-1-yi.zhao@windriver.com>
References: <20250327132327.3477926-1-yi.zhao@windriver.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/1269

ChangeLog: https://github.com/SSSD/sssd/releases/tag/2.10.2

* Drop backport patches.
* Update sssd.conf and volatile files.
* Drop PACKAGECONFIG[infopipe] as it has been removed upstream.
Signed-off-by: Yi Zhao --- .../0001-sssctl-add-error-analyzer.patch | 318 ------------------ .../sssd/files/CVE-2023-3758.patch | 219 ------------ .../recipes-security/sssd/files/sssd.conf | 3 +- .../sssd/files/volatiles.99_sssd | 1 - .../sssd/{sssd_2.9.2.bb => sssd_2.10.2.bb} | 36 +- 5 files changed, 18 insertions(+), 559 deletions(-) delete mode 100644 dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch delete mode 100644 dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch delete mode 100644 dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd rename dynamic-layers/networking-layer/recipes-security/sssd/{sssd_2.9.2.bb => sssd_2.10.2.bb} (84%) diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch deleted file mode 100644 index 6880405..0000000 --- a/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch +++ /dev/null 
@@ -1,318 +0,0 @@ -Backport patch to fix interpreter of sss_analyze. - -Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/ed3726c] - -Signed-off-by: Kai Kang - -From ed3726c37fe07aab788404bfa2f9003db15f4210 Mon Sep 17 00:00:00 2001 -From: roy214 -Date: Tue, 25 Apr 2023 20:01:24 +0530 -Subject: [PATCH] sssctl: add error analyzer -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Also removing unused variable and import. - -Reviewed-by: Justin Stephenson -Reviewed-by: Tomáš Halman ---- - src/tools/analyzer/Makefile.am | 2 + - src/tools/analyzer/modules/error.py | 61 +++++++++++++++++++++++++++ - src/tools/analyzer/modules/request.py | 54 +++++------------------- - src/tools/analyzer/sss_analyze | 2 +- - src/tools/analyzer/sss_analyze.py | 3 ++ - src/tools/analyzer/util.py | 44 +++++++++++++++++++ - 6 files changed, 121 insertions(+), 45 deletions(-) - create mode 100644 src/tools/analyzer/modules/error.py - create mode 100644 src/tools/analyzer/util.py - -diff --git a/src/tools/analyzer/Makefile.am b/src/tools/analyzer/Makefile.am -index b40043d043..7692af8528 100644 ---- a/src/tools/analyzer/Makefile.am -+++ b/src/tools/analyzer/Makefile.am -@@ -13,10 +13,12 @@ dist_pkgpython_DATA = \ - source_reader.py \ - parser.py \ - sss_analyze.py \ -+ util.py \ - $(NULL) - - modulesdir = $(pkgpythondir)/modules - dist_modules_DATA = \ - modules/__init__.py \ - modules/request.py \ -+ modules/error.py \ - $(NULL) -diff --git a/src/tools/analyzer/modules/error.py b/src/tools/analyzer/modules/error.py -new file mode 100644 -index 0000000000..71173670c5 ---- /dev/null -+++ b/src/tools/analyzer/modules/error.py -@@ -0,0 +1,61 @@ -+from sssd import util -+from sssd.parser import SubparsersAction -+from sssd import sss_analyze -+ -+class ErrorAnalyzer: -+ """ -+ An error analyzer module, list if there is any error reported by sssd_be -+ """ -+ module_parser = None -+ print_opts = [] -+ -+ def print_module_help(self, args): -+ 
""" -+ Print the module parser help output -+ -+ Args: -+ args (Namespace): argparse parsed arguments -+ """ -+ self.module_parser.print_help() -+ -+ def setup_args(self, parser_grp, cli): -+ """ -+ Setup module parser, subcommands, and options -+ -+ Args: -+ parser_grp (argparse.Action): Parser group to nest -+ module and subcommands under -+ """ -+ desc = "Analyze error check module" -+ self.module_parser = parser_grp.add_parser('error', -+ description=desc, -+ help='Error checker') -+ -+ subparser = self.module_parser.add_subparsers(title=None, -+ dest='subparser', -+ action=SubparsersAction, -+ metavar='COMMANDS') -+ -+ subcmd_grp = subparser.add_parser_group('Operation Modes') -+ cli.add_subcommand(subcmd_grp, 'list', 'Print error messages found in backend', -+ self.print_error, self.print_opts) -+ -+ self.module_parser.set_defaults(func=self.print_module_help) -+ -+ return self.module_parser -+ -+ def print_error(self, args): -+ err = 0 -+ utl = util.Utils() -+ source = utl.load(args) -+ component = source.Component.BE -+ source.set_component(component, False) -+ patterns = ['sdap_async_sys_connect request failed', 'terminated by own WATCHDOG', -+ 'ldap_sasl_interactive_bind_s failed', 'Communication with KDC timed out', 'SSSD is offline', 'Backend is offline', -+ 'tsig verify failure', 'ldap_install_tls failed', 's2n exop request failed'] -+ for line in utl.matched_line(source, patterns): -+ err +=1 -+ print(line) -+ if err > 0: -+ print("For possible solutions please refer to https://sssd.io/troubleshooting/errors.html") -+ return -diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py -index d661dddb84..e4d5f060c7 100644 ---- a/src/tools/analyzer/modules/request.py -+++ b/src/tools/analyzer/modules/request.py -@@ -1,6 +1,6 @@ - import re - import logging -- -+from sssd import util - from sssd.parser import SubparsersAction - from sssd.parser import Option - -@@ -38,7 +38,6 @@ def print_module_help(self, args): - def 
setup_args(self, parser_grp, cli): - """ - Setup module parser, subcommands, and options -- - Args: - parser_grp (argparse.Action): Parser group to nest - module and subcommands under -@@ -63,42 +62,6 @@ def setup_args(self, parser_grp, cli): - - return self.module_parser - -- def load(self, args): -- """ -- Load the appropriate source reader. -- -- Args: -- args (Namespace): argparse parsed arguments -- -- Returns: -- Instantiated source object -- """ -- if args.source == "journald": -- from sssd.source_journald import Journald -- source = Journald() -- else: -- from sssd.source_files import Files -- source = Files(args.logdir) -- return source -- -- def matched_line(self, source, patterns): -- """ -- Yield lines which match any number of patterns (OR) in -- provided patterns list. -- -- Args: -- source (Reader): source Reader object -- Yields: -- lines matching the provided pattern(s) -- """ -- for line in source: -- for pattern in patterns: -- re_obj = re.compile(pattern) -- if re_obj.search(line): -- if line.startswith(' * '): -- continue -- yield line -- - def get_linked_ids(self, source, pattern, regex): - """ - Retrieve list of associated REQ_TRACE ids. 
Filter -@@ -114,8 +77,9 @@ def get_linked_ids(self, source, pattern, regex): - Returns: - List of linked ids discovered - """ -+ utl = util.Utils() - linked_ids = [] -- for match in self.matched_line(source, pattern): -+ for match in utl.matched_line(source, pattern): - id_re = re.compile(regex) - match = id_re.search(match) - if match: -@@ -250,7 +214,8 @@ def list_requests(self, args): - Args: - args (Namespace): populated argparse namespace - """ -- source = self.load(args) -+ utl = util.Utils() -+ source = utl.load(args) - component = source.Component.NSS - resp = "nss" - # Log messages matching the following regex patterns contain -@@ -266,7 +231,7 @@ def list_requests(self, args): - if args.verbose: - self.print_formatted_verbose(source) - else: -- for line in self.matched_line(source, patterns): -+ for line in utl.matched_line(source, patterns): - if type(source).__name__ == 'Journald': - print(line) - else: -@@ -279,7 +244,8 @@ def track_request(self, args): - Args: - args (Namespace): populated argparse namespace - """ -- source = self.load(args) -+ utl = util.Utils() -+ source = utl.load(args) - cid = args.cid - resp_results = False - be_results = False -@@ -294,7 +260,7 @@ def track_request(self, args): - logger.info(f"******** Checking {resp} responder for Client ID" - f" {cid} *******") - source.set_component(component, args.child) -- for match in self.matched_line(source, pattern): -+ for match in utl.matched_line(source, pattern): - resp_results = self.consume_line(match, source, args.merge) - - logger.info(f"********* Checking Backend for Client ID {cid} ********") -@@ -307,7 +273,7 @@ def track_request(self, args): - pattern.clear() - [pattern.append(f'\\{id}') for id in be_ids] - -- for match in self.matched_line(source, pattern): -+ for match in utl.matched_line(source, pattern): - be_results = self.consume_line(match, source, args.merge) - - if args.merge: -diff --git a/src/tools/analyzer/sss_analyze b/src/tools/analyzer/sss_analyze -index 
3f1beaf38b..6d4b5b30c6 100755 ---- a/src/tools/analyzer/sss_analyze -+++ b/src/tools/analyzer/sss_analyze -@@ -1,4 +1,4 @@ --#!/usr/bin/env python -+#!/usr/bin/env python3 - - from sssd import sss_analyze - -diff --git a/src/tools/analyzer/sss_analyze.py b/src/tools/analyzer/sss_analyze.py -index 18b998f380..dafc84fc03 100644 ---- a/src/tools/analyzer/sss_analyze.py -+++ b/src/tools/analyzer/sss_analyze.py -@@ -1,6 +1,7 @@ - import argparse - - from sssd.modules import request -+from sssd.modules import error - from sssd.parser import SubparsersAction - - -@@ -55,9 +56,11 @@ def load_modules(self, parser, parser_grp): - """ - # Currently only the 'request' module exists - req = request.RequestAnalyzer() -+ err = error.ErrorAnalyzer() - cli = Analyzer() - - req.setup_args(parser_grp, cli) -+ err.setup_args(parser_grp, cli) - - def setup_args(self): - """ -diff --git a/src/tools/analyzer/util.py b/src/tools/analyzer/util.py -new file mode 100644 -index 0000000000..2a8d153a71 ---- /dev/null -+++ b/src/tools/analyzer/util.py -@@ -0,0 +1,44 @@ -+import re -+import logging -+ -+from sssd.source_files import Files -+from sssd.source_journald import Journald -+ -+logger = logging.getLogger() -+ -+ -+class Utils: -+ -+ def load(self, args): -+ """ -+ Load the appropriate source reader. -+ -+ Args: -+ args (Namespace): argparse parsed arguments -+ -+ Returns: -+ Instantiated source object -+ """ -+ if args.source == "journald": -+ source = Journald() -+ else: -+ source = Files(args.logdir) -+ return source -+ -+ def matched_line(self, source, patterns): -+ """ -+ Yield lines which match any number of patterns (OR) in -+ provided patterns list. -+ -+ Args: -+ source (Reader): source Reader object -+ Yields: -+ lines matching the provided pattern(s) -+ """ -+ for line in source: -+ for pattern in patterns: -+ re_obj = re.compile(pattern) -+ if re_obj.search(line): -+ if line.startswith(' * '): -+ continue -+ yield line 
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch b/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch deleted file mode 100644 index 1e9fca5..0000000 --- a/dynamic-layers/networking-layer/recipes-security/sssd/files/CVE-2023-3758.patch +++ /dev/null 
@@ -1,219 +0,0 @@ -From f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 8 Nov 2023 14:50:24 +0100 -Subject: [PATCH] ad-gpo: use hash to store intermediate results - -Currently after the evaluation of a single GPO file the intermediate -results are stored in the cache and this cache entry is updated until -all applicable GPO files are evaluated. Finally the data in the cache is -used to make the decision of access is granted or rejected. - -If there are two or more access-control request running in parallel one -request might overwrite the cache object with intermediate data while -another request reads the cached data for the access decision and as a -result will do this decision based on intermediate data. - -To avoid this the intermediate results are not stored in the cache -anymore but in hash tables which are specific to the request. Only the -final result is written to the cache to have it available for offline -authentication. - -Reviewed-by: Alexey Tikhonov -Reviewed-by: Tomáš Halman -(cherry picked from commit d7db7971682da2dbf7642ac94940d6b0577ec35a) - -Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726] -CVE: CVE-2023-3758 -Signed-off-by: Hitendra Prajapati - ---- - src/providers/ad/ad_gpo.c | 116 +++++++++++++++++++++++++++++++++----- - 1 file changed, 102 insertions(+), 14 deletions(-) - -diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c -index 44e9cbb..cec0cb4 100644 ---- a/src/providers/ad/ad_gpo.c -+++ b/src/providers/ad/ad_gpo.c -@@ -1317,6 +1317,33 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx, - return ret; - } - -+static errno_t -+add_result_to_hash(hash_table_t *hash, const char *key, char *value) -+{ -+ int hret; -+ hash_key_t k; -+ hash_value_t v; -+ -+ if (hash == NULL || key == NULL || value == NULL) { -+ return EINVAL; -+ } -+ -+ k.type = HASH_KEY_CONST_STRING; -+ k.c_str = key; -+ -+ v.type = HASH_VALUE_PTR; -+ v.ptr 
= value; -+ -+ hret = hash_enter(hash, &k, &v); -+ if (hret != HASH_SUCCESS) { -+ DEBUG(SSSDBG_OP_FAILURE, "Failed to add [%s][%s] to hash: [%s].\n", -+ key, value, hash_error_string(hret)); -+ return EIO; -+ } -+ -+ return EOK; -+} -+ - /* - * This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename, - * and stores the allow_key and deny_key of all of the gpo_map_types present -@@ -1324,6 +1351,7 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx, - */ - static errno_t - ad_gpo_store_policy_settings(struct sss_domain_info *domain, -+ hash_table_t *allow_maps, hash_table_t *deny_maps, - const char *filename) - { - struct ini_cfgfile *file_ctx = NULL; -@@ -1457,14 +1485,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain, - goto done; - } else if (ret != ENOENT) { - const char *value = allow_value ? allow_value : empty_val; -- ret = sysdb_gpo_store_gpo_result_setting(domain, -- allow_key, -- value); -+ ret = add_result_to_hash(allow_maps, allow_key, -+ talloc_strdup(allow_maps, value)); - if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "sysdb_gpo_store_gpo_result_setting failed for key:" -- "'%s' value:'%s' [%d][%s]\n", allow_key, allow_value, -- ret, sss_strerror(ret)); -+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] " -+ "value: [%s] to allow maps " -+ "[%d][%s].\n", -+ allow_key, value, ret, -+ sss_strerror(ret)); - goto done; - } - } -@@ -1484,14 +1512,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain, - goto done; - } else if (ret != ENOENT) { - const char *value = deny_value ? 
deny_value : empty_val; -- ret = sysdb_gpo_store_gpo_result_setting(domain, -- deny_key, -- value); -+ ret = add_result_to_hash(deny_maps, deny_key, -+ talloc_strdup(deny_maps, value)); - if (ret != EOK) { -- DEBUG(SSSDBG_CRIT_FAILURE, -- "sysdb_gpo_store_gpo_result_setting failed for key:" -- "'%s' value:'%s' [%d][%s]\n", deny_key, deny_value, -- ret, sss_strerror(ret)); -+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] " -+ "value: [%s] to deny maps " -+ "[%d][%s].\n", -+ deny_key, value, ret, -+ sss_strerror(ret)); - goto done; - } - } -@@ -1784,6 +1812,8 @@ struct ad_gpo_access_state { - int num_cse_filtered_gpos; - int cse_gpo_index; - const char *ad_domain; -+ hash_table_t *allow_maps; -+ hash_table_t *deny_maps; - }; - - static void ad_gpo_connect_done(struct tevent_req *subreq); -@@ -1906,6 +1936,19 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx, - goto immediately; - } - -+ ret = sss_hash_create(state, 0, &state->allow_maps); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create allow maps " -+ "hash table [%d]: %s\n", ret, sss_strerror(ret)); -+ goto immediately; -+ } -+ -+ ret = sss_hash_create(state, 0, &state->deny_maps); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create deny maps " -+ "hash table [%d]: %s\n", ret, sss_strerror(ret)); -+ goto immediately; -+ } - - subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret); - if (subreq == NULL) { -@@ -2725,6 +2768,43 @@ ad_gpo_cse_step(struct tevent_req *req) - return EAGAIN; - } - -+static errno_t -+store_hash_maps_in_cache(struct sss_domain_info *domain, -+ hash_table_t *allow_maps, hash_table_t *deny_maps) -+{ -+ int ret; -+ struct hash_iter_context_t *iter; -+ hash_entry_t *entry; -+ size_t c; -+ hash_table_t *hash_list[] = { allow_maps, deny_maps, NULL}; -+ -+ -+ for (c = 0; hash_list[c] != NULL; c++) { -+ iter = new_hash_iter_context(hash_list[c]); -+ if (iter == NULL) { -+ DEBUG(SSSDBG_OP_FAILURE, "Failed to create hash iterator.\n"); -+ return EINVAL; -+ } 
-+ -+ while ((entry = iter->next(iter)) != NULL) { -+ ret = sysdb_gpo_store_gpo_result_setting(domain, -+ entry->key.c_str, -+ entry->value.ptr); -+ if (ret != EOK) { -+ free(iter); -+ DEBUG(SSSDBG_OP_FAILURE, -+ "sysdb_gpo_store_gpo_result_setting failed for key:" -+ "[%s] value:[%s] [%d][%s]\n", entry->key.c_str, -+ (char *) entry->value.ptr, ret, sss_strerror(ret)); -+ return ret; -+ } -+ } -+ talloc_free(iter); -+ } -+ -+ return EOK; -+} -+ - /* - * This cse-specific function (GP_EXT_GUID_SECURITY) increments the - * cse_gpo_index until the policy settings for all applicable GPOs have been -@@ -2766,6 +2846,7 @@ ad_gpo_cse_done(struct tevent_req *subreq) - * (as part of the GPO Result object in the sysdb cache). - */ - ret = ad_gpo_store_policy_settings(state->host_domain, -+ state->allow_maps, state->deny_maps, - cse_filtered_gpo->policy_filename); - if (ret != EOK && ret != ENOENT) { - DEBUG(SSSDBG_OP_FAILURE, -@@ -2779,6 +2860,13 @@ ad_gpo_cse_done(struct tevent_req *subreq) - - if (ret == EOK) { - /* ret is EOK only after all GPO policy files have been downloaded */ -+ ret = store_hash_maps_in_cache(state->host_domain, -+ state->allow_maps, state->deny_maps); -+ if (ret != EOK) { -+ DEBUG(SSSDBG_OP_FAILURE, "Failed to store evaluated GPO maps " -+ "[%d][%s].\n", ret, sss_strerror(ret)); -+ goto done; -+ } - ret = ad_gpo_perform_hbac_processing(state, - state->gpo_mode, - state->gpo_map_type, --- -2.25.1 diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf b/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf index 1e8b537..2c9c6fc 100644 --- a/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf +++ b/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf @@ -7,7 +7,8 @@ domains = shadowutils [pam] [domain/shadowutils] -id_provider = files +id_provider = proxy +proxy_lib_name = files auth_provider = proxy proxy_pam_target = sssd-shadowutils 
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd b/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd deleted file mode 100644 index 2a82413..0000000 --- a/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd +++ /dev/null @@ -1 +0,0 @@ -d root root 0750 /var/log/sssd none diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.10.2.bb similarity index 84% rename from dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb rename to dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.10.2.bb index f35d0c8..0ed62b8 100644 --- a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.2.bb +++ b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.10.2.bb @@ -18,16 +18,13 @@ DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \ SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/${BP}.tar.gz \ file://sssd.conf \ - file://volatiles.99_sssd \ file://no_gen.patch \ file://fix_gid.patch \ file://drop_ntpdate_chk.patch \ file://fix-ldblibdir.patch \ file://musl_fixup.patch \ - file://0001-sssctl-add-error-analyzer.patch \ - file://CVE-2023-3758.patch \ " -SRC_URI[sha256sum] = "827bc65d64132410e6dd3df003f04829d60387ec30e72b2d4e22d93bb6f762ba" +SRC_URI[sha256sum] = "e8aa5e6b48ae465bea7064048715ce7e9c53b50ec6a9c69304f59e0d35be40ff" UPSTREAM_CHECK_URI = "https://github.com/SSSD/${BPN}/releases" 
@@ -42,24 +39,23 @@ CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \ ac_cv_prog_HAVE_PYTHON3=yes \ " -PACKAGECONFIG ?= "nss autofs sudo infopipe" +PACKAGECONFIG ?= "nss autofs sudo" PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}" PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no" PACKAGECONFIG[crypto] = ", , libcrypto" PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson" -PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, " PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native" PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl" PACKAGECONFIG[nss] = ", ,nss," PACKAGECONFIG[oidc_child] = "--with-oidc-child, --without-oidc-child" PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings python3dir=${PYTHON_SITEPACKAGES_DIR}, python3-setuptools-native" PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba" -PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux" +PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no, libselinux" PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, " PACKAGECONFIG[sudo] = "--with-sudo, --with-sudo=no, " -PACKAGECONFIG[systemd] = "--with-initscript=systemd,--with-initscript=sysv,,python3-systemd" +PACKAGECONFIG[systemd] = "--with-initscript=systemd --with-systemdunitdir=${systemd_system_unitdir} --with-systemdconfdir=${sysconfdir}/systemd/system, --with-initscript=sysv,,python3-systemd" EXTRA_OECONF += " \ --disable-cifs-idmap-plugin \ 
@@ -68,11 +64,11 @@ EXTRA_OECONF += " \ --without-python2-bindings \ --enable-pammoddir=${base_libdir}/security \ --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \ - --with-pid-path=/run \ + --with-pid-path=/run/sssd \ --with-os=fedora \ " -do_configure:prepend() { +do_configure:prepend () { mkdir -p ${AUTOTOOLS_AUXDIR}/build cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/ @@ -84,6 +80,7 @@ do_compile:prepend () { sed -i -e "s/__useconds_t/useconds_t/g" ${S}/src/tools/tools_mc_util.c echo '#define NSUPDATE_PATH "${bindir}"' >> ${B}/config.h } + do_install () { oe_runmake install DESTDIR="${D}" rmdir --ignore-fail-on-non-empty "${D}/${bindir}" @@ -99,12 +96,14 @@ do_install () { if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then install -d ${D}${sysconfdir}/tmpfiles.d - echo "d /var/log/sssd 0750 - - - -" > ${D}${sysconfdir}/tmpfiles.d/sss.conf + echo "d /var/log/sssd 0750 ${SSSD_UID} ${SSSD_GID} - -" > ${D}${sysconfdir}/tmpfiles.d/sssd.conf + echo "d /run/sssd 0750 ${SSSD_UID} ${SSSD_GID} - -" >> ${D}${sysconfdir}/tmpfiles.d/sssd.conf fi if [ "${@bb.utils.filter('DISTRO_FEATURES', 'sysvinit', d)}" ]; then install -d ${D}${sysconfdir}/default/volatiles - echo "d ${SSSD_UID}:${SSSD_GID} 0755 ${localstatedir}/log/${BPN} none" > ${D}${sysconfdir}/default/volatiles/99_${BPN} + echo "d ${SSSD_UID}:${SSSD_GID} 0750 ${localstatedir}/log/sssd none" > ${D}${sysconfdir}/default/volatiles/99_sssd + echo "d ${SSSD_UID}:${SSSD_GID} 0750 ${localstatedir}/run/sssd none" >> ${D}${sysconfdir}/default/volatiles/99_sssd fi if ${@bb.utils.contains('PACKAGECONFIG', 'python3', 'true', 'false', d)}; then 
@@ -112,15 +111,13 @@ do_install () { fi # Remove /run as it is created on startup - rm -rf ${D}/run - - rm -f ${D}${systemd_system_unitdir}/sssd-secrets.* + rm -rf ${D}/run ${D}/var/run } pkg_postinst_ontarget:${PN} () { -if [ -e /etc/init.d/populate-volatile.sh ] ; then - ${sysconfdir}/init.d/populate-volatile.sh update -fi + if [ -e /etc/init.d/populate-volatile.sh ] ; then + ${sysconfdir}/init.d/populate-volatile.sh update + fi chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf } @@ -131,12 +128,11 @@ INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ." SYSTEMD_SERVICE:${PN} = " \ ${@bb.utils.contains('PACKAGECONFIG', 'autofs', 'sssd-autofs.service sssd-autofs.socket', '', d)} \ ${@bb.utils.contains('PACKAGECONFIG', 'curl', 'sssd-kcm.service sssd-kcm.socket', '', d)} \ - ${@bb.utils.contains('PACKAGECONFIG', 'infopipe', 'sssd-ifp.service ', '', d)} \ ${@bb.utils.contains('PACKAGECONFIG', 'ssh', 'sssd-ssh.service sssd-ssh.socket', '', d)} \ ${@bb.utils.contains('PACKAGECONFIG', 'sudo', 'sssd-sudo.service sssd-sudo.socket', '', d)} \ + sssd-ifp.service \ sssd-nss.service \ sssd-nss.socket \ - sssd-pam-priv.socket \ sssd-pam.service \ sssd-pam.socket \ sssd.service \
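Review bot: the sssd.conf hunk (`@@ -7,7 +7,8 @@`) changes the shipped default domain from `id_provider = files` to `id_provider = proxy` plus `proxy_lib_name = files`, which is a behavioural change for anyone using the stock configuration, but the commit message only says "Update sssd.conf and volatile files". Suggest stating the reason for the switch (presumably the files id provider is no longer usable in 2.10) so that downstream layers carrying a customised sssd.conf know they need the same edit, and that the shadowutils domain is now resolved through the proxy provider's NSS `files` module rather than a native backend.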
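Review bot: the SRC_URI hunk (`@@ -18,16 +18,13 @@` in sssd_2.10.2.bb) drops `file://CVE-2023-3758.patch`, which is only correct if 2.10.2 already carries the upstream fix. The deleted patch header records it as a backport of SSSD commit f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726 (cherry-picked from d7db7971682da2dbf7642ac94940d6b0577ec35a); please confirm that commit is in the 2.10.2 tag and name the CVE in the commit message, since "Drop backport patches" leaves the recipe's CVE history invisible in `git log`. The same applies to `0001-sssctl-add-error-analyzer.patch`, recorded as a backport of upstream ed3726c.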
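Review bot: the PACKAGECONFIG hunk (`@@ -42,24 +39,23 @@`) contains two changes the commit message does not cover: `--with-semanage=no` is removed from `PACKAGECONFIG[selinux]`, and `PACKAGECONFIG[systemd]` gains `--with-systemdunitdir=${systemd_system_unitdir} --with-systemdconfdir=${sysconfdir}/systemd/system`. A sentence on each (option removed upstream, or paths that 2.10 no longer detects correctly without being told) would help a later reviewer judge whether they still apply on the next upgrade.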
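Review bot: the tmpfiles/volatiles hunk (`@@ -99,12 +96,14 @@`) writes the runtime directory as `/run/sssd` in the tmpfiles.d entry but as `${localstatedir}/run/sssd` in the sysvinit volatiles entry, while configure is told `--with-pid-path=/run/sssd`; likewise `/var/log/sssd` versus `${localstatedir}/log/sssd`. Suggest using one form for both branches so the two init paths cannot drift apart. Note also that the deleted volatiles.99_sssd created `/var/log/sssd` as `root root 0750` and the old tmpfiles line left the owner unset, whereas both directories are now handed to `${SSSD_UID}:${SSSD_GID}`; that is the right direction if the daemons run unprivileged, but since the pid file now lives in `/run/sssd`, a wrong owner there prevents sssd from writing it, so the ownership change deserves a line in the commit message.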
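Review bot: the SYSTEMD_SERVICE hunk (`@@ -131,12 +128,11 @@`) adds `sssd-ifp.service` unconditionally, which reads as "the infopipe responder is now always built", not "removed upstream" as the commit message says for `PACKAGECONFIG[infopipe]`; please reword to something like "the --with-infopipe configure switch was removed upstream and the responder is always built". Separately, `sssd-pam-priv.socket` is dropped from the list; please confirm 2.10.2 no longer installs that unit, otherwise the privileged PAM socket would remain in the package without being enabled, and the change should be described in the commit message.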