IPA IPA Trust WIP

.github/workflows/ci.yml

@@ -29,14 +29,14 @@ jobs:
       working-directory: x86_64
       run: |
         source ../contrib/fedora/bashrc_sssd
-        make CFLAGS+="$SSS_WARNINGS -Werror -Wno-error=deprecated-declarations"
+        make CFLAGS+="$SSS_WARNINGS -Werror"
 
     - name: make check
       shell: bash
       working-directory: x86_64
       run: |
         source ../contrib/fedora/bashrc_sssd
-        make CFLAGS+="$SSS_WARNINGS -Werror -Wno-error=deprecated-declarations" check
+        make CFLAGS+="$SSS_WARNINGS -Werror" check
 
     - name: make distcheck
       shell: bash

.github/workflows/copr_build.yml

@@ -90,7 +90,7 @@ jobs:
         project: ${{ env.COPR_PROJECT }}
         account: ${{ env.COPR_ACCOUNT }}
 
-    - name: Add buildroot repository to CentOS Stream
+    - name: Add buildroot repository to CentOS Streams
       env:
         coprcfg: ${{ steps.copr.outputs.coprcfg }}
       run: |
@@ -99,6 +99,11 @@ jobs:
           --repos 'https://kojihub.stream.centos.org/kojifiles/repos/c9s-build/latest/$basearch/' \
           $COPR_ACCOUNT/$COPR_PROJECT/centos-stream-9-x86_64
 
+        # CentOS Stream 10
+        copr-cli --config "$coprcfg" edit-chroot                                                  \
+          --repos 'https://kojihub.stream.centos.org/kojifiles/repos/c10s-build/latest/$basearch/' \
+          $COPR_ACCOUNT/$COPR_PROJECT/centos-stream-10-x86_64
+
   build:
     runs-on: ubuntu-latest
     needs: [prepare]

Makefile.am

@@ -100,6 +100,15 @@ ifp_systemdservice = SystemdService=sssd-ifp.service
 condconfigexists = ConditionPathExists=\|/etc/sssd/sssd.conf\nConditionDirectoryNotEmpty=\|/etc/sssd/conf.d/
 
 # Bounding set needs to list capabilities required by ldap/krb5/selinux_childs and sssd_pam, otherwise they can't gain it.
+# Capabilities usage by binaries:
+#   - 'ldap_child': read keytab (dac_read_search)
+#   - 'krb5_child':
+#         - store TGT for a given user (set*id);
+#         - create path components of DIR:/FILE: cache, for example: /run/user/$UID (dac_override, chown)
+#         - read keytab (dac_read_search could be enough but dac_override due to above)
+#     If system doesn't need to support DIR:/FILE: then 'cap_chown' can be stripped and 'cap_dac_override' replaced with 'dac_read_search'
+#   - 'selinux_child': currently chown, dac_override, set*id  --  to be narrowed
+#   - 'sssd_pam': read keytab in gss ops (dac_read_search)
 capabilities = CapabilityBoundingSet= CAP_CHOWN CAP_DAC_OVERRIDE CAP_SETGID CAP_SETUID CAP_DAC_READ_SEARCH
 
 if BUILD_CONF_SERVICE_USER_SUPPORT
@@ -137,7 +146,7 @@ ifp_non_root_owner_policy =
 endif
 
 
-AM_CFLAGS =
+AM_CFLAGS = $(my_CFLAGS)
 if WANT_AUX_INFO
     AM_CFLAGS += -aux-info [email protected]
 endif
@@ -633,7 +642,6 @@ SSSD_TOOLS_OBJ = \
     src/tools/common/sss_tools.c \
     src/tools/common/sss_process.c \
     src/confdb/confdb_setup.c \
-    src/util/nscd.c \
     $(NULL)
 
 SSSD_LCL_TOOLS_OBJ = \
@@ -700,10 +708,10 @@ dist_noinst_HEADERS = \
     src/sss_iface/sss_iface_sync.h \
     src/sss_iface/sss_iface.h \
     src/util/crypto/sss_crypto.h \
-    src/util/crypto/libcrypto/sss_openssl.h \
     src/util/cert.h \
     src/util/dlinklist.h \
     src/util/debug.h \
+    src/util/memory_erase.h \
     src/util/util.h \
     src/util/util_errors.h \
     src/util/safe-format-string.h \
@@ -986,6 +994,7 @@ SSS_CRYPT_SOURCES = src/util/crypto/libcrypto/crypto_base64.c \
                     src/util/crypto/libcrypto/crypto_prng.c \
                     src/util/atomic_io.c \
                     src/util/memory.c \
+                    src/util/memory_erase.c \
                     $(NULL)
 SSS_CRYPT_CFLAGS = $(CRYPTO_CFLAGS)
 SSS_CRYPT_LIBS = $(CRYPTO_LIBS)
@@ -1265,6 +1274,7 @@ libsss_util_la_SOURCES = \
     src/util/util_ext.c \
     src/util/util_preauth.c \
     src/util/memory.c \
+    src/util/memory_erase.c \
     src/util/safe-format-string.c \
     src/util/server.c \
     src/util/signal.c \
@@ -1517,8 +1527,8 @@ endif
 sssd_SOURCES = \
     src/monitor/monitor.c \
     src/monitor/monitor_bootstrap.c \
+    src/monitor/nscd.c \
     src/confdb/confdb_setup.c \
-    src/util/nscd.c \
     $(NULL)
 sssd_LDADD = \
     $(SSSD_LIBS) \
@@ -2003,6 +2013,7 @@ endif
 if HAVE_SYSTEMD_UNIT
 sssd_check_socket_activated_responders_SOURCES = \
     src/tools/sssd_check_socket_activated_responders.c \
+    src/tools/common/sss_tools.c \
     $(NULL)
 sssd_check_socket_activated_responders_CFLAGS = \
     $(AM_CFLAGS) \
@@ -2879,7 +2890,8 @@ dyndns_tests_SOURCES = \
      $(SSSD_RESOLV_OBJ) \
      src/tests/cmocka/common_mock_be.c \
      src/tests/cmocka/test_dyndns.c \
-     src/providers/data_provider_opts.c
+     src/providers/data_provider_opts.c \
+     src/util/child_common.c
 dyndns_tests_CFLAGS = \
     $(AM_CFLAGS) \
     $(CMOCKA_CFLAGS) \
@@ -3558,10 +3570,13 @@ test_ipa_subdom_server_SOURCES = \
     src/tests/cmocka/common_mock_sdap.c \
     src/tests/cmocka/common_mock_be.c \
     src/tests/cmocka/common_mock_krb5.c \
+    src/tests/cmocka/data_provider/mock_dp.c \
     src/tests/cmocka/test_ipa_subdomains_server.c \
     src/providers/ipa/ipa_subdomains_server.c \
     src/providers/ipa/ipa_subdomains_utils.c \
+    src/providers/ipa/ipa_common.c \
     src/providers/ipa/ipa_opts.c \
+    src/providers/ipa/ipa_srv.c \
     src/providers/ldap/ldap_common.c \
     $(NULL)
 test_ipa_subdom_server_CFLAGS = \
@@ -4169,6 +4184,7 @@ pam_sss_la_SOURCES = \
     src/sss_client/sss_cli.h \
     src/util/atomic_io.c \
     src/util/authtok-utils.c \
+    src/util/memory_erase.c \
     src/sss_client/sss_pam_macros.h \
     src/sss_client/sss_pam_compat.h
 
@@ -4693,6 +4709,7 @@ krb5_child_SOURCES = \
     src/util/find_uid.c \
     src/util/atomic_io.c \
     src/util/memory.c \
+    src/util/memory_erase.c \
     src/util/authtok.c \
     src/util/authtok-utils.c \
     src/util/util.c \
@@ -4737,6 +4754,7 @@ ldap_child_SOURCES = \
     src/util/sss_iobuf.c \
     src/util/atomic_io.c \
     src/util/memory.c \
+    src/util/memory_erase.c \
     src/util/authtok.c \
     src/util/authtok-utils.c \
     src/util/util.c \
@@ -4886,6 +4904,7 @@ oidc_child_SOURCES = \
     src/oidc_child/oidc_child_json.c \
     src/util/atomic_io.c \
     src/util/memory.c \
+    src/util/memory_erase.c \
     src/util/strtonum.c \
     $(NULL)
 oidc_child_CFLAGS = \
@@ -5297,7 +5316,8 @@ edit_cmd = $(SED) \
         -e 's|@supplementary_groups[@]|$(supplementary_groups)|g' \
         -e 's|@sssdconfdir[@]|$(sssdconfdir)|g' \
         -e 's|@secdbpath[@]|$(secdbpath)|g' \
-        -e 's|@dbpath[@]|$(dbpath)|g'
+        -e 's|@dbpath[@]|$(dbpath)|g' \
+        -e 's|@gpocachepath[@]|$(gpocachepath)|g'
 
 replace_script = \
     @rm -f $@ [email protected]; \
@@ -5562,14 +5582,13 @@ else
 	$(MKDIR_P) $(DESTDIR)$(initdir)
 endif
 
-CHILD_CAPABILITIES="cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep"
 if SSSD_USER
 	-chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/ldap_child
 	chmod 750 $(DESTDIR)$(sssdlibexecdir)/ldap_child
-	-$(SETCAP) $(CHILD_CAPABILITIES) $(DESTDIR)$(sssdlibexecdir)/ldap_child
+	-$(SETCAP) cap_dac_read_search=p $(DESTDIR)$(sssdlibexecdir)/ldap_child
 	-chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/krb5_child
 	chmod 750 $(DESTDIR)$(sssdlibexecdir)/krb5_child
-	-$(SETCAP) $(CHILD_CAPABILITIES) $(DESTDIR)$(sssdlibexecdir)/krb5_child
+	-$(SETCAP) cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep $(DESTDIR)$(sssdlibexecdir)/krb5_child
 	-chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/proxy_child
 	chmod 750 $(DESTDIR)$(sssdlibexecdir)/proxy_child
 	-chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/sssd_pam
@@ -5578,7 +5597,7 @@ if SSSD_USER
 if BUILD_SELINUX
 	-chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/selinux_child
 	chmod 750 $(DESTDIR)$(sssdlibexecdir)/selinux_child
-	-$(SETCAP) $(CHILD_CAPABILITIES) $(DESTDIR)$(sssdlibexecdir)/selinux_child
+	-$(SETCAP) cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep $(DESTDIR)$(sssdlibexecdir)/selinux_child
 endif
 endif
 

configure.ac

@@ -11,7 +11,8 @@ m4_ifdef([AC_USE_SYSTEM_EXTENSIONS],
     [AC_USE_SYSTEM_EXTENSIONS],
     [AC_GNU_SOURCE])
 
-CFLAGS="$CFLAGS -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE"
+my_CFLAGS="-D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE"
+AC_SUBST([my_CFLAGS])
 
 
 AM_INIT_AUTOMAKE([-Wall -Wno-portability foreign subdir-objects tar-pax
@@ -187,7 +188,6 @@ WITH_SUBID_LIB_PATH
 WITH_PASSKEY
 WITH_SSH
 WITH_SSH_KNOWN_HOSTS_PROXY
-WITH_IFP
 WITH_LIBSIFP
 WITH_SYSLOG
 WITH_SAMBA
@@ -300,9 +300,9 @@ AS_IF([! $PKG_CONFIG --atleast-version 1.0.0 dbus-1], [
 ])
 
 AS_IF([test x$has_dbus != xno], [
-    SAFE_LIBS="$LIBS"
+    SAVED_LIBS="$LIBS"
     LIBS="$DBUS_LIBS"
-    SAFE_CFLAGS=$CFLAGS
+    SAVED_CFLAGS=$CFLAGS
     CFLAGS="$CFLAGS $DBUS_CFLAGS"
 
     AC_CHECK_FUNC([dbus_watch_get_unix_fd],
@@ -313,8 +313,8 @@ AS_IF([test x$has_dbus != xno], [
                    [],
                    [ #include <dbus/dbus.h> ])
 
-    LIBS="$SAFE_LIBS"
-    CFLAGS=$SAFE_CFLAGS
+    LIBS="$SAVED_LIBS"
+    CFLAGS=$SAVED_CFLAGS
 ])
 
 # work around a bug in cov-build from Coverity
@@ -479,7 +479,7 @@ AS_IF([test x"$sss_cv_attribute_warn_unused_result" = xyes], [
              [whether compiler supports __attribute__((warn_unused_result))])
 ])
 
-SAFE_CFLAGS=$CFLAGS
+SAVED_CFLAGS=$CFLAGS
 CFLAGS="-Werror"
 AC_CACHE_CHECK(
     [whether compiler supports __attribute__((fallthrough))],
@@ -505,7 +505,7 @@ AC_CACHE_CHECK(
              sss_cv_attribute_fallthrough_val="((void)0)"
          ])
     ])
-CFLAGS=$SAFE_CFLAGS
+CFLAGS=$SAVED_CFLAGS
 
 AC_DEFINE_UNQUOTED(
     [SSS_ATTRIBUTE_FALLTHROUGH],

contrib/ci/deps.sh

@@ -48,6 +48,12 @@ if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then
         libcap-devel
     )
 
+    if [[ "$DISTRO_BRANCH" == -redhat-fedora-4[1-9]* ||
+          "$DISTRO_BRANCH" == -redhat-redhatenterprise*-10.*- ||
+          "$DISTRO_BRANCH" == -redhat-centos*-10*- ]]; then
+        DEPS_LIST+=(systemtap-sdt-dtrace)
+    fi
+
     if [[ "$DISTRO_BRANCH" == -redhat-fedora-4[0-9]* ||
           "$DISTRO_BRANCH" == -redhat-fedora-3[7-9]* ||
           "$DISTRO_BRANCH" == -redhat-redhatenterprise*-9.*- ||

contrib/fedora/make_srpm.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash -x
 
 #    Authors:
 #        Lukas Slebodnik <[email protected]>
@@ -166,10 +166,20 @@ sed -e "s/@PACKAGE_NAME@/$PACKAGE_NAME/" \
     > "$RPMBUILD/SPECS/$PACKAGE_NAME.spec"
 
 NAME="$PACKAGE_NAME-$PACKAGE_VERSION"
+TARBALL="$RPMBUILD/SOURCES/$NAME.tar.gz"
+
 git archive --format=tar --prefix="$NAME"/ \
-            --remote="file://$SRC_DIR" \
-            HEAD \
-            | gzip > "$RPMBUILD/SOURCES/$NAME.tar.gz"
+            HEAD | gzip > "$TARBALL"
+
+# fallback to tar if git archive failed
+# tar may include more files so git archive is preferred
+tar -tzf "$TARBALL" &> /dev/null
+if [ $? -ne 0 ]; then
+    rm -f "$TARBALL"
+    pushd "$SRC_DIR"
+    tar -cvzf "$TARBALL" --transform "s,^,$NAME/," *
+    popd
+fi
 
 cp "$SRC_DIR"/contrib/*.patch "$RPMBUILD/SOURCES" 2>/dev/null
 add_patches "$RPMBUILD/SPECS/$PACKAGE_NAME.spec" \