sssd: upgrade 2.9.2 -> 2.10.2

ChangeLog:
https://github.com/SSSD/sssd/releases/tag/2.10.2

* Drop backport patches.
* Update sssd.conf and volatile files.
* Drop PACKAGECONFIG[infopipe] as it has been removed upstream.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Yi Zhao
2025-03-27 21:23:26 +08:00
committed by Armin Kuster
parent b7b2d12c4f
commit 0d6aa528cf
5 changed files with 18 additions and 559 deletions


@@ -1,318 +0,0 @@
Backport patch to fix interpreter of sss_analyze.
Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/ed3726c]
Signed-off-by: Kai Kang <kai.kang@windriver.com>
From ed3726c37fe07aab788404bfa2f9003db15f4210 Mon Sep 17 00:00:00 2001
From: roy214 <abroy@redhat.com>
Date: Tue, 25 Apr 2023 20:01:24 +0530
Subject: [PATCH] sssctl: add error analyzer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Also removing unused variable and import.
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
---
src/tools/analyzer/Makefile.am | 2 +
src/tools/analyzer/modules/error.py | 61 +++++++++++++++++++++++++++
src/tools/analyzer/modules/request.py | 54 +++++-------------------
src/tools/analyzer/sss_analyze | 2 +-
src/tools/analyzer/sss_analyze.py | 3 ++
src/tools/analyzer/util.py | 44 +++++++++++++++++++
6 files changed, 121 insertions(+), 45 deletions(-)
create mode 100644 src/tools/analyzer/modules/error.py
create mode 100644 src/tools/analyzer/util.py
diff --git a/src/tools/analyzer/Makefile.am b/src/tools/analyzer/Makefile.am
index b40043d043..7692af8528 100644
--- a/src/tools/analyzer/Makefile.am
+++ b/src/tools/analyzer/Makefile.am
@@ -13,10 +13,12 @@ dist_pkgpython_DATA = \
source_reader.py \
parser.py \
sss_analyze.py \
+ util.py \
$(NULL)
modulesdir = $(pkgpythondir)/modules
dist_modules_DATA = \
modules/__init__.py \
modules/request.py \
+ modules/error.py \
$(NULL)
diff --git a/src/tools/analyzer/modules/error.py b/src/tools/analyzer/modules/error.py
new file mode 100644
index 0000000000..71173670c5
--- /dev/null
+++ b/src/tools/analyzer/modules/error.py
@@ -0,0 +1,61 @@
+from sssd import util
+from sssd.parser import SubparsersAction
+from sssd import sss_analyze
+
+class ErrorAnalyzer:
+ """
+ An error analyzer module, list if there is any error reported by sssd_be
+ """
+ module_parser = None
+ print_opts = []
+
+ def print_module_help(self, args):
+ """
+ Print the module parser help output
+
+ Args:
+ args (Namespace): argparse parsed arguments
+ """
+ self.module_parser.print_help()
+
+ def setup_args(self, parser_grp, cli):
+ """
+ Setup module parser, subcommands, and options
+
+ Args:
+ parser_grp (argparse.Action): Parser group to nest
+ module and subcommands under
+ """
+ desc = "Analyze error check module"
+ self.module_parser = parser_grp.add_parser('error',
+ description=desc,
+ help='Error checker')
+
+ subparser = self.module_parser.add_subparsers(title=None,
+ dest='subparser',
+ action=SubparsersAction,
+ metavar='COMMANDS')
+
+ subcmd_grp = subparser.add_parser_group('Operation Modes')
+ cli.add_subcommand(subcmd_grp, 'list', 'Print error messages found in backend',
+ self.print_error, self.print_opts)
+
+ self.module_parser.set_defaults(func=self.print_module_help)
+
+ return self.module_parser
+
+ def print_error(self, args):
+ err = 0
+ utl = util.Utils()
+ source = utl.load(args)
+ component = source.Component.BE
+ source.set_component(component, False)
+ patterns = ['sdap_async_sys_connect request failed', 'terminated by own WATCHDOG',
+ 'ldap_sasl_interactive_bind_s failed', 'Communication with KDC timed out', 'SSSD is offline', 'Backend is offline',
+ 'tsig verify failure', 'ldap_install_tls failed', 's2n exop request failed']
+ for line in utl.matched_line(source, patterns):
+ err +=1
+ print(line)
+ if err > 0:
+ print("For possible solutions please refer to https://sssd.io/troubleshooting/errors.html")
+ return
diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py
index d661dddb84..e4d5f060c7 100644
--- a/src/tools/analyzer/modules/request.py
+++ b/src/tools/analyzer/modules/request.py
@@ -1,6 +1,6 @@
import re
import logging
-
+from sssd import util
from sssd.parser import SubparsersAction
from sssd.parser import Option
@@ -38,7 +38,6 @@ def print_module_help(self, args):
def setup_args(self, parser_grp, cli):
"""
Setup module parser, subcommands, and options
-
Args:
parser_grp (argparse.Action): Parser group to nest
module and subcommands under
@@ -63,42 +62,6 @@ def setup_args(self, parser_grp, cli):
return self.module_parser
- def load(self, args):
- """
- Load the appropriate source reader.
-
- Args:
- args (Namespace): argparse parsed arguments
-
- Returns:
- Instantiated source object
- """
- if args.source == "journald":
- from sssd.source_journald import Journald
- source = Journald()
- else:
- from sssd.source_files import Files
- source = Files(args.logdir)
- return source
-
- def matched_line(self, source, patterns):
- """
- Yield lines which match any number of patterns (OR) in
- provided patterns list.
-
- Args:
- source (Reader): source Reader object
- Yields:
- lines matching the provided pattern(s)
- """
- for line in source:
- for pattern in patterns:
- re_obj = re.compile(pattern)
- if re_obj.search(line):
- if line.startswith(' * '):
- continue
- yield line
-
def get_linked_ids(self, source, pattern, regex):
"""
Retrieve list of associated REQ_TRACE ids. Filter
@@ -114,8 +77,9 @@ def get_linked_ids(self, source, pattern, regex):
Returns:
List of linked ids discovered
"""
+ utl = util.Utils()
linked_ids = []
- for match in self.matched_line(source, pattern):
+ for match in utl.matched_line(source, pattern):
id_re = re.compile(regex)
match = id_re.search(match)
if match:
@@ -250,7 +214,8 @@ def list_requests(self, args):
Args:
args (Namespace): populated argparse namespace
"""
- source = self.load(args)
+ utl = util.Utils()
+ source = utl.load(args)
component = source.Component.NSS
resp = "nss"
# Log messages matching the following regex patterns contain
@@ -266,7 +231,7 @@ def list_requests(self, args):
if args.verbose:
self.print_formatted_verbose(source)
else:
- for line in self.matched_line(source, patterns):
+ for line in utl.matched_line(source, patterns):
if type(source).__name__ == 'Journald':
print(line)
else:
@@ -279,7 +244,8 @@ def track_request(self, args):
Args:
args (Namespace): populated argparse namespace
"""
- source = self.load(args)
+ utl = util.Utils()
+ source = utl.load(args)
cid = args.cid
resp_results = False
be_results = False
@@ -294,7 +260,7 @@ def track_request(self, args):
logger.info(f"******** Checking {resp} responder for Client ID"
f" {cid} *******")
source.set_component(component, args.child)
- for match in self.matched_line(source, pattern):
+ for match in utl.matched_line(source, pattern):
resp_results = self.consume_line(match, source, args.merge)
logger.info(f"********* Checking Backend for Client ID {cid} ********")
@@ -307,7 +273,7 @@ def track_request(self, args):
pattern.clear()
[pattern.append(f'\\{id}') for id in be_ids]
- for match in self.matched_line(source, pattern):
+ for match in utl.matched_line(source, pattern):
be_results = self.consume_line(match, source, args.merge)
if args.merge:
diff --git a/src/tools/analyzer/sss_analyze b/src/tools/analyzer/sss_analyze
index 3f1beaf38b..6d4b5b30c6 100755
--- a/src/tools/analyzer/sss_analyze
+++ b/src/tools/analyzer/sss_analyze
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
from sssd import sss_analyze
diff --git a/src/tools/analyzer/sss_analyze.py b/src/tools/analyzer/sss_analyze.py
index 18b998f380..dafc84fc03 100644
--- a/src/tools/analyzer/sss_analyze.py
+++ b/src/tools/analyzer/sss_analyze.py
@@ -1,6 +1,7 @@
import argparse
from sssd.modules import request
+from sssd.modules import error
from sssd.parser import SubparsersAction
@@ -55,9 +56,11 @@ def load_modules(self, parser, parser_grp):
"""
# Currently only the 'request' module exists
req = request.RequestAnalyzer()
+ err = error.ErrorAnalyzer()
cli = Analyzer()
req.setup_args(parser_grp, cli)
+ err.setup_args(parser_grp, cli)
def setup_args(self):
"""
diff --git a/src/tools/analyzer/util.py b/src/tools/analyzer/util.py
new file mode 100644
index 0000000000..2a8d153a71
--- /dev/null
+++ b/src/tools/analyzer/util.py
@@ -0,0 +1,44 @@
+import re
+import logging
+
+from sssd.source_files import Files
+from sssd.source_journald import Journald
+
+logger = logging.getLogger()
+
+
+class Utils:
+
+ def load(self, args):
+ """
+ Load the appropriate source reader.
+
+ Args:
+ args (Namespace): argparse parsed arguments
+
+ Returns:
+ Instantiated source object
+ """
+ if args.source == "journald":
+ source = Journald()
+ else:
+ source = Files(args.logdir)
+ return source
+
+ def matched_line(self, source, patterns):
+ """
+ Yield lines which match any number of patterns (OR) in
+ provided patterns list.
+
+ Args:
+ source (Reader): source Reader object
+ Yields:
+ lines matching the provided pattern(s)
+ """
+ for line in source:
+ for pattern in patterns:
+ re_obj = re.compile(pattern)
+ if re_obj.search(line):
+ if line.startswith(' * '):
+ continue
+ yield line


@@ -1,219 +0,0 @@
From f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 8 Nov 2023 14:50:24 +0100
Subject: [PATCH] ad-gpo: use hash to store intermediate results
Currently after the evaluation of a single GPO file the intermediate
results are stored in the cache and this cache entry is updated until
all applicable GPO files are evaluated. Finally the data in the cache is
used to make the decision of access is granted or rejected.
If there are two or more access-control request running in parallel one
request might overwrite the cache object with intermediate data while
another request reads the cached data for the access decision and as a
result will do this decision based on intermediate data.
To avoid this the intermediate results are not stored in the cache
anymore but in hash tables which are specific to the request. Only the
final result is written to the cache to have it available for offline
authentication.
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit d7db7971682da2dbf7642ac94940d6b0577ec35a)
Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726]
CVE: CVE-2023-3758
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
src/providers/ad/ad_gpo.c | 116 +++++++++++++++++++++++++++++++++-----
1 file changed, 102 insertions(+), 14 deletions(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 44e9cbb..cec0cb4 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -1317,6 +1317,33 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
return ret;
}
+static errno_t
+add_result_to_hash(hash_table_t *hash, const char *key, char *value)
+{
+ int hret;
+ hash_key_t k;
+ hash_value_t v;
+
+ if (hash == NULL || key == NULL || value == NULL) {
+ return EINVAL;
+ }
+
+ k.type = HASH_KEY_CONST_STRING;
+ k.c_str = key;
+
+ v.type = HASH_VALUE_PTR;
+ v.ptr = value;
+
+ hret = hash_enter(hash, &k, &v);
+ if (hret != HASH_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to add [%s][%s] to hash: [%s].\n",
+ key, value, hash_error_string(hret));
+ return EIO;
+ }
+
+ return EOK;
+}
+
/*
* This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename,
* and stores the allow_key and deny_key of all of the gpo_map_types present
@@ -1324,6 +1351,7 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
*/
static errno_t
ad_gpo_store_policy_settings(struct sss_domain_info *domain,
+ hash_table_t *allow_maps, hash_table_t *deny_maps,
const char *filename)
{
struct ini_cfgfile *file_ctx = NULL;
@@ -1457,14 +1485,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
goto done;
} else if (ret != ENOENT) {
const char *value = allow_value ? allow_value : empty_val;
- ret = sysdb_gpo_store_gpo_result_setting(domain,
- allow_key,
- value);
+ ret = add_result_to_hash(allow_maps, allow_key,
+ talloc_strdup(allow_maps, value));
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "sysdb_gpo_store_gpo_result_setting failed for key:"
- "'%s' value:'%s' [%d][%s]\n", allow_key, allow_value,
- ret, sss_strerror(ret));
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
+ "value: [%s] to allow maps "
+ "[%d][%s].\n",
+ allow_key, value, ret,
+ sss_strerror(ret));
goto done;
}
}
@@ -1484,14 +1512,14 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
goto done;
} else if (ret != ENOENT) {
const char *value = deny_value ? deny_value : empty_val;
- ret = sysdb_gpo_store_gpo_result_setting(domain,
- deny_key,
- value);
+ ret = add_result_to_hash(deny_maps, deny_key,
+ talloc_strdup(deny_maps, value));
if (ret != EOK) {
- DEBUG(SSSDBG_CRIT_FAILURE,
- "sysdb_gpo_store_gpo_result_setting failed for key:"
- "'%s' value:'%s' [%d][%s]\n", deny_key, deny_value,
- ret, sss_strerror(ret));
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add key: [%s] "
+ "value: [%s] to deny maps "
+ "[%d][%s].\n",
+ deny_key, value, ret,
+ sss_strerror(ret));
goto done;
}
}
@@ -1784,6 +1812,8 @@ struct ad_gpo_access_state {
int num_cse_filtered_gpos;
int cse_gpo_index;
const char *ad_domain;
+ hash_table_t *allow_maps;
+ hash_table_t *deny_maps;
};
static void ad_gpo_connect_done(struct tevent_req *subreq);
@@ -1906,6 +1936,19 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
goto immediately;
}
+ ret = sss_hash_create(state, 0, &state->allow_maps);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create allow maps "
+ "hash table [%d]: %s\n", ret, sss_strerror(ret));
+ goto immediately;
+ }
+
+ ret = sss_hash_create(state, 0, &state->deny_maps);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create deny maps "
+ "hash table [%d]: %s\n", ret, sss_strerror(ret));
+ goto immediately;
+ }
subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
if (subreq == NULL) {
@@ -2725,6 +2768,43 @@ ad_gpo_cse_step(struct tevent_req *req)
return EAGAIN;
}
+static errno_t
+store_hash_maps_in_cache(struct sss_domain_info *domain,
+ hash_table_t *allow_maps, hash_table_t *deny_maps)
+{
+ int ret;
+ struct hash_iter_context_t *iter;
+ hash_entry_t *entry;
+ size_t c;
+ hash_table_t *hash_list[] = { allow_maps, deny_maps, NULL};
+
+
+ for (c = 0; hash_list[c] != NULL; c++) {
+ iter = new_hash_iter_context(hash_list[c]);
+ if (iter == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to create hash iterator.\n");
+ return EINVAL;
+ }
+
+ while ((entry = iter->next(iter)) != NULL) {
+ ret = sysdb_gpo_store_gpo_result_setting(domain,
+ entry->key.c_str,
+ entry->value.ptr);
+ if (ret != EOK) {
+ free(iter);
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_gpo_store_gpo_result_setting failed for key:"
+ "[%s] value:[%s] [%d][%s]\n", entry->key.c_str,
+ (char *) entry->value.ptr, ret, sss_strerror(ret));
+ return ret;
+ }
+ }
+ talloc_free(iter);
+ }
+
+ return EOK;
+}
+
/*
* This cse-specific function (GP_EXT_GUID_SECURITY) increments the
* cse_gpo_index until the policy settings for all applicable GPOs have been
@@ -2766,6 +2846,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)
* (as part of the GPO Result object in the sysdb cache).
*/
ret = ad_gpo_store_policy_settings(state->host_domain,
+ state->allow_maps, state->deny_maps,
cse_filtered_gpo->policy_filename);
if (ret != EOK && ret != ENOENT) {
DEBUG(SSSDBG_OP_FAILURE,
@@ -2779,6 +2860,13 @@ ad_gpo_cse_done(struct tevent_req *subreq)
if (ret == EOK) {
/* ret is EOK only after all GPO policy files have been downloaded */
+ ret = store_hash_maps_in_cache(state->host_domain,
+ state->allow_maps, state->deny_maps);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to store evaluated GPO maps "
+ "[%d][%s].\n", ret, sss_strerror(ret));
+ goto done;
+ }
ret = ad_gpo_perform_hbac_processing(state,
state->gpo_mode,
state->gpo_map_type,
--
2.25.1


@@ -7,7 +7,8 @@ domains = shadowutils
[pam]
[domain/shadowutils]
id_provider = files
id_provider = proxy
proxy_lib_name = files
auth_provider = proxy
proxy_pam_target = sssd-shadowutils
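Review bot: The switch from `id_provider = files` to `id_provider = proxy` with `proxy_lib_name = files` in `[domain/shadowutils]` is not explained in the file or in the commit message, which only says sssd.conf was updated. A one-line comment above the domain section would record the reason, for example `# local users are served through the proxy provider and libnss_files; the files provider is not used with this SSSD version` (the reason is inferred, please confirm it against the 2.10 release notes). This domain backs local account lookups and PAM authentication through `sssd-shadowutils`, so it would also help to state in the commit message that local user resolution and login were checked on a target after the upgrade.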


@@ -1 +0,0 @@
d root root 0750 /var/log/sssd none


@@ -18,16 +18,13 @@ DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \
SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/${BP}.tar.gz \
file://sssd.conf \
file://volatiles.99_sssd \
file://no_gen.patch \
file://fix_gid.patch \
file://drop_ntpdate_chk.patch \
file://fix-ldblibdir.patch \
file://musl_fixup.patch \
file://0001-sssctl-add-error-analyzer.patch \
file://CVE-2023-3758.patch \
"
SRC_URI[sha256sum] = "827bc65d64132410e6dd3df003f04829d60387ec30e72b2d4e22d93bb6f762ba"
SRC_URI[sha256sum] = "e8aa5e6b48ae465bea7064048715ce7e9c53b50ec6a9c69304f59e0d35be40ff"
UPSTREAM_CHECK_URI = "https://github.com/SSSD/${BPN}/releases"
@@ -42,24 +39,23 @@ CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
ac_cv_prog_HAVE_PYTHON3=yes \
"
PACKAGECONFIG ?= "nss autofs sudo infopipe"
PACKAGECONFIG ?= "nss autofs sudo"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no"
PACKAGECONFIG[crypto] = ", , libcrypto"
PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson"
PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "
PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native"
PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
PACKAGECONFIG[nss] = ", ,nss,"
PACKAGECONFIG[oidc_child] = "--with-oidc-child, --without-oidc-child"
PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings python3dir=${PYTHON_SITEPACKAGES_DIR}, python3-setuptools-native"
PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"
PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no, libselinux"
PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, "
PACKAGECONFIG[sudo] = "--with-sudo, --with-sudo=no, "
PACKAGECONFIG[systemd] = "--with-initscript=systemd,--with-initscript=sysv,,python3-systemd"
PACKAGECONFIG[systemd] = "--with-initscript=systemd --with-systemdunitdir=${systemd_system_unitdir} --with-systemdconfdir=${sysconfdir}/systemd/system, --with-initscript=sysv,,python3-systemd"
EXTRA_OECONF += " \
--disable-cifs-idmap-plugin \
@@ -68,11 +64,11 @@ EXTRA_OECONF += " \
--without-python2-bindings \
--enable-pammoddir=${base_libdir}/security \
--with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \
--with-pid-path=/run \
--with-pid-path=/run/sssd \
--with-os=fedora \
"
do_configure:prepend() {
do_configure:prepend () {
mkdir -p ${AUTOTOOLS_AUXDIR}/build
cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/
@@ -84,6 +80,7 @@ do_compile:prepend () {
sed -i -e "s/__useconds_t/useconds_t/g" ${S}/src/tools/tools_mc_util.c
echo '#define NSUPDATE_PATH "${bindir}"' >> ${B}/config.h
}
do_install () {
oe_runmake install DESTDIR="${D}"
rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
@@ -99,12 +96,14 @@ do_install () {
if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
install -d ${D}${sysconfdir}/tmpfiles.d
echo "d /var/log/sssd 0750 - - - -" > ${D}${sysconfdir}/tmpfiles.d/sss.conf
echo "d /var/log/sssd 0750 ${SSSD_UID} ${SSSD_GID} - -" > ${D}${sysconfdir}/tmpfiles.d/sssd.conf
echo "d /run/sssd 0750 ${SSSD_UID} ${SSSD_GID} - -" >> ${D}${sysconfdir}/tmpfiles.d/sssd.conf
fi
if [ "${@bb.utils.filter('DISTRO_FEATURES', 'sysvinit', d)}" ]; then
install -d ${D}${sysconfdir}/default/volatiles
echo "d ${SSSD_UID}:${SSSD_GID} 0755 ${localstatedir}/log/${BPN} none" > ${D}${sysconfdir}/default/volatiles/99_${BPN}
echo "d ${SSSD_UID}:${SSSD_GID} 0750 ${localstatedir}/log/sssd none" > ${D}${sysconfdir}/default/volatiles/99_sssd
echo "d ${SSSD_UID}:${SSSD_GID} 0750 ${localstatedir}/run/sssd none" >> ${D}${sysconfdir}/default/volatiles/99_sssd
fi
if ${@bb.utils.contains('PACKAGECONFIG', 'python3', 'true', 'false', d)}; then
@@ -112,15 +111,13 @@ do_install () {
fi
# Remove /run as it is created on startup
rm -rf ${D}/run
rm -f ${D}${systemd_system_unitdir}/sssd-secrets.*
rm -rf ${D}/run ${D}/var/run
}
pkg_postinst_ontarget:${PN} () {
if [ -e /etc/init.d/populate-volatile.sh ] ; then
${sysconfdir}/init.d/populate-volatile.sh update
fi
if [ -e /etc/init.d/populate-volatile.sh ] ; then
${sysconfdir}/init.d/populate-volatile.sh update
fi
chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf
}
@@ -131,12 +128,11 @@ INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ."
SYSTEMD_SERVICE:${PN} = " \
${@bb.utils.contains('PACKAGECONFIG', 'autofs', 'sssd-autofs.service sssd-autofs.socket', '', d)} \
${@bb.utils.contains('PACKAGECONFIG', 'curl', 'sssd-kcm.service sssd-kcm.socket', '', d)} \
${@bb.utils.contains('PACKAGECONFIG', 'infopipe', 'sssd-ifp.service ', '', d)} \
${@bb.utils.contains('PACKAGECONFIG', 'ssh', 'sssd-ssh.service sssd-ssh.socket', '', d)} \
${@bb.utils.contains('PACKAGECONFIG', 'sudo', 'sssd-sudo.service sssd-sudo.socket', '', d)} \
sssd-ifp.service \
sssd-nss.service \
sssd-nss.socket \
sssd-pam-priv.socket \
sssd-pam.service \
sssd-pam.socket \
sssd.service \
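Review bot: In the sysvinit branch of do_install, the two new volatiles entries write owner and group as one `${SSSD_UID}:${SSSD_GID}` field, whereas the volatiles.99_sssd file removed by this commit used separate owner and group columns (`d root root 0750 /var/log/sssd none`). If populate-volatile.sh reads that six-column layout, every later field shifts, and `/var/log/sssd` and `/run/sssd` may not be created with the intended sssd ownership and 0750 mode on sysvinit images. The 0755 line being replaced appears to have had the same layout. Suggested form: `echo "d ${SSSD_UID} ${SSSD_GID} 0750 ${localstatedir}/log/sssd none"`, with the matching `${localstatedir}/run/sssd` line. do_install begins and continues outside the hunks shown here.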