backport patches to fix bugs

2024-09-25 17:09:14 +08:00 · 2024-09-25 17:09:14 +08:00 · ae9262408c
commit ae9262408c
parent 68444ad60c
3 changed files with 103 additions and 1 deletions
--- a/backport-Update-sssd.in-to-remove-f-option-from-sysv-init-scr.patch
+++ b/backport-Update-sssd.in-to-remove-f-option-from-sysv-init-scr.patch
@ -0,0 +1,36 @@
+From 30a9f4f389f0a09057f9d7c424b96020c940c5e1 Mon Sep 17 00:00:00 2001
+From: John Veitch <john.veitch@glasgow.ac.uk>
+Date: Mon, 1 Jul 2024 13:02:20 +0100
+Subject: [PATCH] Update sssd.in to remove -f option from sysv init script
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+fee3883 removed the -f option from the sssd but the init script was
+not updated accordingly at that time.
+
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+
+Reference:https://github.com/SSSD/sssd/commit/30a9f4f389f0a09057f9d7c424b96020c940c5e1
+Conflict:NA
+
+---
+ src/sysv/sssd.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/sysv/sssd.in b/src/sysv/sssd.in
+index 68485bfb8..52308a4e2 100644
+--- a/src/sysv/sssd.in
+++ b/src/sysv/sssd.in
+@@ -45,7 +45,7 @@ TIMEOUT=15
+ start() {
+     [ -x $SSSD ] || exit 5
+     echo -n $"Starting $prog: "
+-    daemon $SSSD -f -D
+    daemon $SSSD -D
+     RETVAL=$?
+     echo
+     [ "$RETVAL" = 0 ] && touch $LOCK_FILE
+-- 
+2.33.0
+
--- a/backport-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch
+++ b/backport-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch
@ -0,0 +1,61 @@
+From 986bb726202e69b05f861c14c3a220379baf9bd1 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Fri, 14 Jun 2024 16:10:34 +0200
+Subject: [PATCH] sysdb: do not fail to add non-posix user to MPG domain
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+SSSD does not handle the root user (UID==0) and treats all accounts with
+UID 0 as non-Posix accounts. The primary GID of those accounts is 0 as
+well and as a result for those accounts in MPG domains the check for a
+collisions of the primary GID should be skipped. The current code might
+e.g. cause issues during GPO evaluation when adding a host account into
+the cache which does not have any UID or GID set in AD and SSSD is
+configured to read UID and GID from AD.
+
+Resolves: https://github.com/SSSD/sssd/issues/7451
+
+Reviewed-by: Alejandro López <allopez@redhat.com>
+Reviewed-by: Tomáš Halman <thalman@redhat.com>
+
+Reference:https://github.com/SSSD/sssd/commit/986bb726202e69b05f861c14c3a220379baf9bd1
+Conflict:NA
+
+---
+ src/db/sysdb_ops.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/src/db/sysdb_ops.c b/src/db/sysdb_ops.c
+index a47d9b174..32e49d759 100644
+--- a/src/db/sysdb_ops.c
+++ b/src/db/sysdb_ops.c
+@@ -1914,15 +1914,17 @@ int sysdb_add_user(struct sss_domain_info *domain,
+             goto done;
+         }
+ 
+-        ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg);
+-        if (ret != ENOENT) {
+-            if (ret == EOK) {
+-                DEBUG(SSSDBG_OP_FAILURE,
+-                    "Group with GID [%"SPRIgid"] already exists in an "
+-                    "MPG domain\n", gid);
+-                ret = EEXIST;
+        if (uid != 0) { /* uid == 0 means non-POSIX object */
+            ret = sysdb_search_group_by_gid(tmp_ctx, domain, uid, NULL, &msg);
+            if (ret != ENOENT) {
+                if (ret == EOK) {
+                    DEBUG(SSSDBG_OP_FAILURE,
+                        "Group with GID [%"SPRIgid"] already exists in an "
+                        "MPG domain\n", uid);
+                    ret = EEXIST;
+                }
+                goto done;
+             }
+-            goto done;
+         }
+     }
+ 
+-- 
+2.33.0
+
--- a/sssd.spec
+++ b/sssd.spec
@ -8,7 +8,7 @@

 Name: sssd
 Version: 2.9.4
-Release: 6
+Release: 7
 Summary: System Security Services Daemon
 License: GPL-3.0-or-later
 URL: https://github.com/SSSD/sssd/
@ -18,6 +18,8 @@ Patch0001: backport-CVE-2023-3758.patch
 Patch0002: backport-UTILS-inotify-avoid-potential-NULL-deref.patch
 Patch0003: backport-ad-refresh-root-domain-when-read-directly.patch
 Patch0004: backport-RESPONDER-use-proper-context-for-getDomains.patch
+Patch0005: backport-sysdb-do-not-fail-to-add-non-posix-user-to-MPG-domai.patch
+Patch0006: backport-Update-sssd.in-to-remove-f-option-from-sysv-init-scr.patch

 Requires: sssd-ad = %{version}-%{release}
 Requires: sssd-common = %{version}-%{release}
@ -917,6 +919,9 @@ fi
 %systemd_postun_with_restart sssd.service

 %changelog
+* Wed Sep 25 2024 xuraoqing <xuraoqing@huawei.com> - 2.9.4-7
+- backport patches to fix bugs
+
 * Tue Jun 18 2024 wangjiang <wangjiang37@h-partners.com> - 2.9.4-6
 - backport upstream patches