commit: f85b90959ccdba7479d1fa455031e3bb0b839c14 Author: Mikle Kolyada <zlogene <AT> gentoo <DOT> org> AuthorDate: Fri Mar 8 15:09:20 2019 +0000 Commit: Mikle Kolyada <zlogene <AT> gentoo <DOT> org> CommitDate: Fri Mar 8 15:10:17 2019 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f85b9095
sys-auth/sssd: fix CVE-2019-3811 Bug: https://bugs.gentoo.org/679538 Signed-off-by: Mikle Kolyada <zlogene <AT> gentoo.org> Package-Manager: Portage-2.3.51, Repoman-2.3.11 sys-auth/sssd/files/sssd-fix-CVE-2019-3811.patch | 96 +++++++++ sys-auth/sssd/sssd-1.16.3-r2.ebuild | 239 +++++++++++++++++++++++ 2 files changed, 335 insertions(+) diff --git a/sys-auth/sssd/files/sssd-fix-CVE-2019-3811.patch b/sys-auth/sssd/files/sssd-fix-CVE-2019-3811.patch new file mode 100644 index 00000000000..87db45fd24b --- /dev/null +++ b/sys-auth/sssd/files/sssd-fix-CVE-2019-3811.patch @@ -0,0 +1,96 @@ +From 28792523a01a7d21bcc8931794164f253e691a68 Mon Sep 17 00:00:00 2001 +From: Tomas Halman <thal...@redhat.com> +Date: Mon, 3 Dec 2018 14:11:31 +0100 +Subject: [PATCH] nss: sssd returns '/' for emtpy home directories + +For empty home directory in passwd file sssd returns "/". Sssd +should respect system behaviour and return the same as nsswitch +"files" module - return empty string. + +Resolves: +https://pagure.io/SSSD/sssd/issue/3901 + +Reviewed-by: Simo Sorce <s...@redhat.com> +Reviewed-by: Jakub Hrozek <jhro...@redhat.com> +(cherry picked from commit 90f32399b4100ce39cf665649fde82d215e5eb49) +--- + src/confdb/confdb.c | 9 +++++++++ + src/man/include/ad_modified_defaults.xml | 19 +++++++++++++++++++ + src/responder/nss/nss_protocol_pwent.c | 2 +- + src/tests/intg/test_files_provider.py | 2 +- + 4 files changed, 30 insertions(+), 2 deletions(-) + +diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c +index a3eb9c66d9..17bb4f8274 100644 +--- a/src/confdb/confdb.c ++++ b/src/confdb/confdb.c +@@ -1301,6 +1301,15 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, + ret = ENOMEM; + goto done; + } ++ } else { ++ if (strcasecmp(domain->provider, "ad") == 0) { ++ /* ad provider default */ ++ domain->fallback_homedir = talloc_strdup(domain, "/home/%d/%u"); ++ if (!domain->fallback_homedir) { ++ ret = ENOMEM; ++ goto done; ++ } ++ } + } + + tmp = ldb_msg_find_attr_as_string(res->msgs[0], +diff --git a/src/man/include/ad_modified_defaults.xml b/src/man/include/ad_modified_defaults.xml +index 818a2bf787..425b7e8ee0 100644 +--- a/src/man/include/ad_modified_defaults.xml ++++ b/src/man/include/ad_modified_defaults.xml +@@ -76,4 +76,23 @@ + </listitem> + </itemizedlist> + </refsect2> ++ <refsect2 id='nss_modifications'> ++ <title>NSS configuration</title> ++ <itemizedlist> ++ <listitem> ++ <para> ++ fallback_homedir = /home/%d/%u ++ </para> ++ <para> ++ The AD provider automatically sets ++ "fallback_homedir = /home/%d/%u" to provide personal ++ home directories for users without the homeDirectory ++ attribute. If your AD Domain is properly ++ populated with Posix attributes, and you want to avoid ++ this fallback behavior, you can explicitly ++ set "fallback_homedir = %o". ++ </para> ++ </listitem> ++ </itemizedlist> ++ </refsect2> + </refsect1> +diff --git a/src/responder/nss/nss_protocol_pwent.c b/src/responder/nss/nss_protocol_pwent.c +index af9e74fc86..86fa4ec465 100644 +--- a/src/responder/nss/nss_protocol_pwent.c ++++ b/src/responder/nss/nss_protocol_pwent.c +@@ -118,7 +118,7 @@ nss_get_homedir(TALLOC_CTX *mem_ctx, + + homedir = nss_get_homedir_override(mem_ctx, msg, nss_ctx, domain, &hd_ctx); + if (homedir == NULL) { +- return "/"; ++ return ""; + } + + return homedir; +diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py +index ead1cc4c34..4761f1bd15 100644 +--- a/src/tests/intg/test_files_provider.py ++++ b/src/tests/intg/test_files_provider.py +@@ -678,7 +678,7 @@ def test_user_no_dir(setup_pw_with_canary, files_domain_only): + Test that resolving a user without a homedir defined works and returns + a fallback value + """ +- check_user(incomplete_user_setup(setup_pw_with_canary, 'dir', '/')) ++ check_user(incomplete_user_setup(setup_pw_with_canary, 'dir', '')) + + + def test_user_no_gecos(setup_pw_with_canary, files_domain_only): diff --git a/sys-auth/sssd/sssd-1.16.3-r2.ebuild b/sys-auth/sssd/sssd-1.16.3-r2.ebuild new file mode 100644 index 00000000000..a52daabfc41 --- /dev/null +++ b/sys-auth/sssd/sssd-1.16.3-r2.ebuild @@ -0,0 +1,239 @@ +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +PYTHON_COMPAT=( python{2_7,3_3,3_4,3_5,3_6,3_7} ) + +inherit autotools flag-o-matic linux-info multilib-minimal pam python-r1 systemd toolchain-funcs + +DESCRIPTION="System Security Services Daemon provides access to identity and authentication" +HOMEPAGE="https://pagure.io/SSSD/sssd"; +SRC_URI="http://releases.pagure.org/SSSD/${PN}/${P}.tar.gz"; +KEYWORDS="amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc x86" + +LICENSE="GPL-3" +SLOT="0" +IUSE="acl autofs +locator +netlink nfsv4 nls +manpages python samba selinux sudo ssh test" + +COMMON_DEP=" + >=virtual/pam-0-r1[${MULTILIB_USEDEP}] + >=dev-libs/popt-1.16 + dev-libs/glib:2 + >=dev-libs/ding-libs-0.2 + >=sys-libs/talloc-2.0.7 + >=sys-libs/tdb-1.2.9 + >=sys-libs/tevent-0.9.16 + >=sys-libs/ldb-1.1.17-r1:= + >=net-nds/openldap-2.4.30[sasl] + net-libs/http-parser + >=dev-libs/libpcre-8.30 + >=app-crypt/mit-krb5-1.10.3 + dev-libs/jansson + net-misc/curl + locator? ( + >=app-crypt/mit-krb5-1.12.2[${MULTILIB_USEDEP}] + >=net-dns/c-ares-1.10.0-r1[${MULTILIB_USEDEP}] + ) + >=sys-apps/keyutils-1.5 + >=net-dns/c-ares-1.7.4 + >=dev-libs/nss-3.12.9 + selinux? ( + >=sys-libs/libselinux-2.1.9 + >=sys-libs/libsemanage-2.1 + ) + >=net-dns/bind-tools-9.9[gssapi] + >=dev-libs/cyrus-sasl-2.1.25-r3[kerberos] + >=sys-apps/dbus-1.6 + acl? ( net-fs/cifs-utils[acl] ) + nfsv4? ( || ( >=net-fs/nfs-utils-2.3.1-r2 net-libs/libnfsidmap ) ) + nls? ( >=sys-devel/gettext-0.18 ) + virtual/libintl + netlink? ( dev-libs/libnl:3 ) + samba? ( >=net-fs/samba-4.5 ) + " + +RDEPEND="${COMMON_DEP} + >=sys-libs/glibc-2.17[nscd] + selinux? ( >=sec-policy/selinux-sssd-2.20120725-r9 ) + " +DEPEND="${COMMON_DEP} + test? ( dev-libs/check ) + manpages? ( + >=dev-libs/libxslt-1.1.26 + app-text/docbook-xml-dtd:4.4 + )" + +CONFIG_CHECK="~KEYS" + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/ipa_hbac.h + /usr/include/sss_idmap.h + /usr/include/sss_nss_idmap.h + /usr/include/wbclient_sssd.h + # --with-ifp + /usr/include/sss_sifp.h + /usr/include/sss_sifp_dbus.h + # from 1.15.3 + /usr/include/sss_certmap.h +) + +pkg_setup(){ + linux-info_pkg_setup +} + +src_prepare() { + sed -i 's:#!/sbin/runscript:#!/sbin/openrc-run:' \ + "${S}"/src/sysv/gentoo/sssd.in || die "sed sssd.in" + + eapply "${FILESDIR}"/${PN}-curl-macros.patch + eapply "${FILESDIR}"/${PN}-fix-CVE-2019-3811.patch + + default + eautoreconf + multilib_copy_sources +} + +src_configure() { + local native_dbus_cflags=$($(tc-getPKG_CONFIG) --cflags dbus-1) + + multilib-minimal_src_configure +} + +multilib_src_configure() { + # set initscript to sysv because the systemd option needs systemd to + # be installed. We provide our own systemd file anyway. + local myconf=() + if [[ "${PYTHON_TARGETS}" == *python2* ]]; then + myconf+=($(multilib_native_use_with python python2-bindings)) + fi + if [[ "${PYTHON_TARGETS}" == *python3* ]]; then + myconf+=($(multilib_native_use_with python python3-bindings)) + fi + #Work around linker dependency problem. + append-ldflags "-Wl,--allow-shlib-undefined" + + myconf+=( + --localstatedir="${EPREFIX}"/var + --enable-nsslibdir="${EPREFIX}"/$(get_libdir) + --with-plugin-path="${EPREFIX}"/usr/$(get_libdir)/sssd + --enable-pammoddir="${EPREFIX}"/$(getpam_mod_dir) + --with-ldb-lib-dir="${EPREFIX}"/usr/$(get_libdir)/samba/ldb + --with-os=gentoo + --with-nscd + --with-unicode-lib="glib2" + --disable-rpath + --disable-silent-rules + --sbindir=/usr/sbin + --without-kcm + $(use_with samba libwbclient) + --with-secrets + $(multilib_native_use_with samba) + $(multilib_native_use_enable acl cifs-idmap-plugin) + $(multilib_native_use_with selinux) + $(multilib_native_use_with selinux semanage) + $(use_enable locator krb5-locator-plugin) + $(multilib_native_use_with nfsv4 nfsv4-idmapd-plugin) + $(use_enable nls ) + $(multilib_native_use_with netlink libnl) + $(multilib_native_use_with manpages) + $(multilib_native_use_with sudo) + $(multilib_native_use_with autofs) + $(multilib_native_use_with ssh) + --with-crypto="nss" + --with-initscript="sysv" + + KRB5_CONFIG=/usr/bin/${CHOST}-krb5-config + ) + + if ! multilib_is_native_abi; then + # work-around all the libraries that are used for CLI and server + myconf+=( + {POPT,TALLOC,TDB,TEVENT,LDB}_{CFLAGS,LIBS}=' ' + # ldb headers are fine since native needs it + # ldb lib fails... but it does not seem to bother + {DHASH,COLLECTION,INI_CONFIG_V{0,1,1_1}}_{CFLAGS,LIBS}=' ' + {PCRE,CARES,SYSTEMD_LOGIN,SASL,GLIB2,DBUS,CRYPTO}_{CFLAGS,LIBS}=' ' + + # use native include path for dbus (needed for build) + DBUS_CFLAGS="${native_dbus_cflags}" + + # non-pkgconfig checks + ac_cv_lib_ldap_ldap_search=yes + --without-secrets + --without-libwbclient + --without-kcm + --with-crypto="" + ) + + use locator || myconf+=( + KRB5_CONFIG=/bin/true + ) + fi + + econf "${myconf[@]}" +} + +multilib_src_compile() { + if multilib_is_native_abi; then + default + else + emake libnss_sss.la pam_sss.la + use locator && emake sssd_krb5_locator_plugin.la + fi +} + +multilib_src_install() { + if multilib_is_native_abi; then + emake -j1 DESTDIR="${D}" "${_at_args[@]}" install + else + # easier than playing with automake... + dopammod .libs/pam_sss.so + + into / + dolib .libs/libnss_sss.so* + + if use locator; then + exeinto /usr/$(get_libdir)/krb5/plugins/libkrb5 + doexe .libs/sssd_krb5_locator_plugin.so + fi + fi +} + +multilib_src_install_all() { + einstalldocs + find "${ED}" -type f -name '*.la' -delete || die + + insinto /etc/sssd + insopts -m600 + doins "${S}"/src/examples/sssd-example.conf + + insinto /etc/logrotate.d + insopts -m644 + newins "${S}"/src/examples/logrotate sssd + + newconfd "${FILESDIR}"/sssd.conf sssd + newinitd "${FILESDIR}"/sssd sssd + + keepdir /var/lib/sss/db + keepdir /var/lib/sss/deskprofile + keepdir /var/lib/sss/gpo_cache + keepdir /var/lib/sss/keytabs + keepdir /var/lib/sss/mc + keepdir /var/lib/sss/pipes/private + keepdir /var/lib/sss/pubconf/krb5.include.d + keepdir /var/lib/sss/secrets + keepdir /var/log/sssd + + systemd_dounit "${FILESDIR}/${PN}.service" +} + +multilib_src_test() { + default +} + +pkg_postinst(){ + elog "You must set up sssd.conf (default installed into /etc/sssd)" + elog "and (optionally) configuration in /etc/pam.d in order to use SSSD" + elog "features. Please see howto in https://docs.pagure.org/SSSD.sssd/design_pages/index.html#implemented-in-1-16-x"; +}
