Merge ~3v1n0/ubuntu/+source/sssd:ubuntu/focal into ubuntu/+source/sssd:ubuntu/focal-devel

Proposed by Marco Trevisan (Treviño)
Status: Needs review
Proposed branch: ~3v1n0/ubuntu/+source/sssd:ubuntu/focal
Merge into: ubuntu/+source/sssd:ubuntu/focal-devel
Diff against target: 500 lines (+357/-1)
9 files modified
debian/changelog (+35/-0)
debian/control (+10/-1)
debian/nss-database-pem-exporter/README.md (+13/-0)
debian/nss-database-pem-exporter/nss-database-pem-exporter.c (+179/-0)
debian/patches/series (+1/-0)
debian/patches/test_ca-Look-for-libsofthsm2-in-libdir-before-falling-bac.patch (+37/-0)
debian/rules (+13/-0)
debian/sssd-common.install (+1/-0)
debian/sssd-common.postinst (+68/-0)
Reviewer                            Review Type   Date Requested   Status
Dimitri John Ledkov (community)     with logs                      Approve
Sergio Durigan Junior (community)                                  Approve
Review via email: mp+395411@code.launchpad.net

This proposal supersedes a proposal from 2020-12-16.

Description of the change

* debian/control:
- Add missing (test) dependencies as per libcrypto usage (LP: #1905790)
- Update Maintainer to Ubuntu devs
* debian/rules: Compile using libcrypto as crypto backend (LP: #1905790)
* debian/nss-database-pem-exporter: Add to sssd-common and run on postinst.
When upgrading from previous versions (that were compiled using the NSS
crypto backend) we need to migrate the trusted CA certificates that the
user may have added to the SSSD's NSS system database (that defaults to
/etc/pki/nssdb).
To do this, and to avoid introducing a new dependency on libnss3-tools
(which is not shipped by default, besides making the parsing not work in
some scenarios), I've added a small C tool that we compile and install as
part of the sssd-common package which is able to get all the trusted CA
certificates from an NSS database and export them in PEM format.
The nss-database-pem-exporter is then used in the postinst script where
we now:
    1. Read the SSSD settings
    2. Convert all the certificates in the configured NSS databases
    3. Store them all, appending them to the (new) default location
    (/etc/sssd/pki/sssd_auth_ca_db.pem)
    4. Disable the configured locations if they point to NSS dbs (needed,
    or we'd leave the configuration with broken values).
At this point nss-database-pem-exporter is the only binary in the
package that still depends on NSS libraries. (LP: #1905790)
* debian/patches:
- Get libsofthsm2 from the right path for each architecture; this is now
    used for real (it wasn't before) to test p11k components with libcrypto
    and p11-kit, and it also avoids a test build failure on armhf (LP: #1905790)
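The four migration steps above, as an added example that is not the package's postinst: a stricter version of the option lookup and option disabling the procedure needs, so that looking up `ca_db` cannot match a `pam_cert_db_path` line whose value merely contains that string. The option names `ca_db` and `pam_cert_db_path` and the `sql:`/`dbm:` prefixes NSS_Initialize accepts are real; the sample sssd.conf, the temp paths and the helper names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the sssd package): stricter config handling for
# the NSS -> PEM migration. The sssd.conf below is constructed for the demo.

# Print the value of option $2 in file $1 (last assignment wins).
# The key is anchored at the start of the line, so "ca_db" does not match a
# "pam_cert_db_path = .../sssd_auth_ca_db.pem" line, lines commented with
# '#' or ';' are skipped, and a '=' inside the value survives.
get_config_value() {
    [ -f "$1" ] || return 0
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*//p' "$1" \
        | sed 's/[[:space:]]*$//' | tail -n1
}

# Comment out only the assignment(s) of option $2 in file $1, nothing else.
disable_setting() {
    sed -i 's/^\([[:space:]]*'"$2"'[[:space:]]*=\)/#\1/' "$1"
}

# True if $1 names an NSS database directory, with or without the "sql:" or
# "dbm:" prefix; false for a PEM file or an empty value, so an already
# migrated path is never fed back to the exporter.
is_nss_db() {
    case "$1" in
        sql:*) d="${1#sql:}" ;;
        dbm:*) d="${1#dbm:}" ;;
        *)     d="$1" ;;
    esac
    [ -n "$d" ] && [ -d "$d" ]
}

# Constructed fixture: pam_cert_db_path already points at the new PEM bundle
# (its value contains the substring "ca_db"), ca_db still points at an NSS db.
DEMO_DIR=$(mktemp -d)
mkdir -p "$DEMO_DIR/nssdb"
DEMO_CONF="$DEMO_DIR/sssd.conf"
cat > "$DEMO_CONF" <<EOF
[sssd]
services = nss, pam
domains = example

[pam]
; ca_db = /commented/out
pam_cert_db_path = /etc/sssd/pki/sssd_auth_ca_db.pem
ca_db = sql:$DEMO_DIR/nssdb
EOF

# The decision the postinst has to make for one option: export and disable
# only when the configured value really is an NSS database.
migrate_option() {
    value=$(get_config_value "$1" "$2")
    if is_nss_db "$value"; then
        echo "$2: would export NSS db '$value' and disable the option"
        disable_setting "$1" "$2"
    else
        echo "$2: '$value' is not an NSS database, left untouched"
    fi
}

migrate_option "$DEMO_CONF" ca_db
migrate_option "$DEMO_CONF" pam_cert_db_path
```

Running it comments out only the `ca_db` line; the `pam_cert_db_path` line, which an unanchored `ca_db` pattern would also have matched, is left alone.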

Marco Trevisan (Treviño) (3v1n0) wrote :
d6e9b9c... by Marco Trevisan (Treviño)

debian/patches: Get libsofthsm2 from the right path for each architecture

This is now used for real (wasn't before) to test p11k components with
libcrypto and p11-kit

LP: #1905790

e5a94d6... by Marco Trevisan (Treviño)

debian/control: Add missing test dependencies as per libcrypto usage

In order to run all the tests with libcrypto we need some more
components to be installed at build time, as some tools that were
provided by NSS are not used anymore.

LP: #1905790

Sergio Durigan Junior (sergiodj) wrote :

Thanks for the MP, and sorry about the delay in reviewing it.

I have a few minor comments, mostly about the packaging, but otherwise this MP looks fine. I'm not the best person to review the new program you wrote; I looked at it as a C programmer, and it looks OK, but when it comes to a security review I'll defer to xnox.

I'm marking this as Needs Fixing because of the small things I've found/commented on, and because I'm SRUing sssd on Focal (for another, unrelated problem), so you will need to rebase the branch when that is accepted.

review: Needs Fixing
Marco Trevisan (Treviño) (3v1n0) wrote :

Good, thanks... I've sent my replies.

I noticed you were going to do a new focal release, so fine for me to rebase it.

Marco Trevisan (Treviño) (3v1n0) wrote :

Ok, I've addressed your comments and rebased...

Sergio Durigan Junior (sergiodj) wrote :

From my side, everything LGTM (we still need to hear from xnox, I think). Thanks!

review: Approve
Marco Trevisan (Treviño) (3v1n0) wrote :

I think he approved in chat :)

[18:20] Trevinho: hey
[18:20] Trevinho: have you had some time to look at <https://github.com/3v1n0/nss-database-pem-exporter> that is included in <https://code.launchpad.net/~3v1n0/ubuntu/+source/sssd/+git/sssd/+merge/395411> ? (edited)
[18:27] xnox: I did look at the .c programme
[18:27] xnox: It is fine.
[18:28] xnox: And packaging looks good too.
[20:18] Trevinho: Ok cool, on the c file the only thing I was unsure about was related to the trusted flags thing <https://github.com/3v1n0/nss-database-pem-exporter/blob/cafec16fc414945527df6f9a25f77fedeee30485/nss-database-pem-exporter.c#L86>
[20:18] Trevinho: Maybe put a line on the LP MR as well as Sergio was waiting for your ACK ;)
── 2021-01-20 ──
[02:13] xnox: I've seen flags be everything and anything.
[02:13] xnox: Many UK passports don't even have valid checksums on their NFC chips so I wouldn't worry about flags 😀
[02:14] xnox: It is a good quick check, as you implemented.
[02:15] Trevinho: Eheh ok, good then. Thanks for checking!
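The trust-flags question from the chat above, as an added example that is not part of the exporter or of the sssd package: the trust string `certutil -L` prints for each database entry (three comma-separated words for SSL, e-mail and object signing) is decoded with the CERTDB_* bit values from NSS's certdb.h and certutil's letter mapping, then put through the same test the exporter's check_trusted_flags() applies to each word. The constants and letter meanings are NSS's; the helper names and the sample trust strings are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the exporter or the sssd package.
# Bit values as in NSS certdb.h; the letters are certutil's trust syntax.
CERTDB_TERMINAL_RECORD=1      # 'p'  explicitly distrusted
CERTDB_TRUSTED=2              # 'P'  trusted peer (a leaf, not a CA)
CERTDB_SEND_WARN=4            # 'w'
CERTDB_VALID_CA=8             # 'c'  valid CA, but not trusted for anything
CERTDB_TRUSTED_CA=16          # 'C'  trusted CA (certutil also sets 'c')
CERTDB_USER=64                # 'u'  our own certificate
CERTDB_TRUSTED_CLIENT_CA=128  # 'T'  trusted CA for client auth (also 'c')
CERTDB_INVISIBLE_CA=256       # 'i'
CERTDB_GOVT_APPROVED_CA=512   # 'g'

# Decode one word of a certutil trust string (e.g. "CT") into a bitmask.
trust_word_to_flags() {
    flags=0
    rest="$1"
    while [ -n "$rest" ]; do
        ch=${rest%"${rest#?}"}   # first character
        rest=${rest#?}
        case "$ch" in
            p) flags=$((flags | CERTDB_TERMINAL_RECORD)) ;;
            P) flags=$((flags | CERTDB_TRUSTED | CERTDB_TERMINAL_RECORD)) ;;
            w) flags=$((flags | CERTDB_SEND_WARN)) ;;
            c) flags=$((flags | CERTDB_VALID_CA)) ;;
            C) flags=$((flags | CERTDB_TRUSTED_CA | CERTDB_VALID_CA)) ;;
            T) flags=$((flags | CERTDB_TRUSTED_CLIENT_CA | CERTDB_VALID_CA)) ;;
            u) flags=$((flags | CERTDB_USER)) ;;
            i) flags=$((flags | CERTDB_INVISIBLE_CA)) ;;
            g) flags=$((flags | CERTDB_GOVT_APPROVED_CA)) ;;
            *) echo "unknown trust letter '$ch'" >&2; return 2 ;;
        esac
    done
    echo "$flags"
}

# The exporter's rule for one word: must be a valid CA and carry at least
# one of the "trusted" bits. A bare 'c' therefore fails on purpose.
check_trusted_flags() {
    f=$1
    [ $((f & CERTDB_VALID_CA)) -ne 0 ] || return 1
    [ $((f & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA | \
              CERTDB_TRUSTED_CLIENT_CA | CERTDB_GOVT_APPROVED_CA))) -ne 0 ]
}

# True if the exporter would emit an entry with this "ssl,email,objsign"
# trust string, i.e. if any of the three words passes check_trusted_flags.
would_export() {
    IFS=, read -r ssl email objsign <<EOF
$1
EOF
    for word in "$ssl" "$email" "$objsign"; do
        flags=$(trust_word_to_flags "$word") || return 2
        if check_trusted_flags "$flags"; then
            return 0
        fi
    done
    return 1
}

# Constructed sample trust strings as certutil -L would print them.
for t in "CT,C,C" "C,," ",C," "c,c,c" "P,," "u,u,u" "p,p,p"; do
    if would_export "$t"; then
        echo "$t  -> exported"
    else
        echo "$t  -> skipped"
    fi
done
```

So a CA imported with `certutil -A -t "C,,"` or `"CT,C,C"` is migrated, while an entry that is merely a valid CA (`c,c,c`), a trusted peer certificate (`P,,`), a user certificate (`u,u,u`) or a distrust record (`p,p,p`) is skipped, which is the behaviour the code comment about the 'c' flag is asking about.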

Dimitri John Ledkov (xnox) wrote :

Looks good to me!

review: Approve (with logs)

Unmerged commits

7f55160... by Marco Trevisan (Treviño)

Update changelog

b8c4d9c... by Marco Trevisan (Treviño)

debian/control: Update Maintainer to Ubuntu devs

c16c499... by Marco Trevisan (Treviño)

debian: Add nss-database-pem-exporter tool to the package and run it on postinst

When upgrading from previous versions (that were compiled using the NSS
crypto backend) we need to migrate the trusted CA certificates that the
user may have added to the SSSD's NSS system database (that defaults to
/etc/pki/nssdb).

To do this, and to avoid introducing a new dependency on libnss3-tools
(which is not shipped by default, besides making the parsing not work in
some scenarios), I've added a small C tool that we compile and install as
part of the sssd-common package which is able to get all the trusted CA
certificates from an NSS database and export them in PEM format.

The nss-database-pem-exporter is then used in the postinst script where
we now:
 1. Read the SSSD settings
 2. Convert all the certificates in the configured NSS databases
 3. Store them all, appending them to the (new) default location
    (/etc/sssd/pki/sssd_auth_ca_db.pem)
 4. Disable the configured locations if they point to NSS dbs (needed,
    or we'd leave the configuration with broken values).

At this point nss-database-pem-exporter is the only binary in the
package that still depends on NSS libraries.

LP: #1905790

d6e9b9c... by Marco Trevisan (Treviño)

debian/patches: Get libsofthsm2 from the right path for each architecture

This is now used for real (wasn't before) to test p11k components with
libcrypto and p11-kit

LP: #1905790

e5a94d6... by Marco Trevisan (Treviño)

debian/control: Add missing test dependencies as per libcrypto usage

In order to run all the tests with libcrypto we need some more
components to be installed at build time, as some tools that were
provided by NSS are not used anymore.

LP: #1905790

22d3d57... by Marco Trevisan (Treviño)

debian/{control,rules}: Compile using libcrypto as crypto backend

LP: #1905790

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index b6366f5..95463f8 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,38 @@
6+sssd (2.2.3-3ubuntu0.3) UNRELEASED; urgency=medium
7+
8+ * debian/control:
9+ - Add missing (test) dependencies as per libcrypto usage (LP: #1905790)
10+ - Update Maintainer to Ubuntu devs
11+ * debian/rules: Compile using libcrypto as crypto backend (LP: #1905790)
12+ * debian/nss-database-pem-exporter: Add to sssd-common and run on postinst.
13+ When upgrading from previous versions (that were compiled using the NSS
14+ crypto backend) we need to migrate the trusted CA certificates that the
15+ user may have added to the SSSD's NSS system database (that defaults to
16+ /etc/pki/nssdb).
17+ To do this, and not to introduce a new dependency on libnss3-tools
18+ (which is not shipped by default, other than making the parsing not
19+ working in some scenarios) I've added a small C tool that we compile and
20+ install as part of the sssd-common package which is able to get all the
21+ trusted CA certificates for a NSS database and export them in PEM
22+ format.
23+ The nss-database-pem-exporter is then used in the postinst script where
24+ we now:
25+ 1. Read the SSSD settings
26+ 2. Convert all the certificates in the configured NSS databases
27+ 3. Store them all, appending them to the (new) default location
28+ (/etc/sssd/pki/sssd_auth_ca_db.pem)
29+ 4. Disables the configured locations if pointing to NSS dbs (needed or
30+ we'll leave the configuration with broken values).
31+ At this point nss-database-pem-exporter is then the only binary in the
32+ package that still depends on NSS libraries. (LP: #1905790)
33+ * debian/patches:
34+ - Get libsofthsm2 from right path for each architecture, this is now used
35+ for real (wasn't before) to test p11k components with libcrypto and
36+ p11-kit, also avoids a test build failure on armhf (LP: #1905790)
37+ * Update changelog
38+
39+ -- Marco Trevisan (Treviño) <marco@ubuntu.com> Tue, 19 Jan 2021 20:05:24 +0100
40+
41 sssd (2.2.3-3ubuntu0.2) focal; urgency=medium
42
43 * d/p/0003-Only-start-sssd.service-if-there-s-a-configuration-f.patch:
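Review bot: the `* Update changelog` bullet at `37+` is the commit subject leaking into the changelog rather than a change to the package; drop it. The entry at `6+` is also still `UNRELEASED` and has to become `focal` (with the date refreshed) for the SRU upload.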
44diff --git a/debian/control b/debian/control
45index 648a240..2180505 100644
46--- a/debian/control
47+++ b/debian/control
48@@ -1,7 +1,8 @@
49 Source: sssd
50 Section: utils
51 Priority: optional
52-Maintainer: Debian SSSD Team <pkg-sssd-devel@alioth-lists.debian.net>
53+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
54+XSBC-Original-Maintainer: Debian SSSD Team <pkg-sssd-devel@alioth-lists.debian.net>
55 Uploaders: Timo Aaltonen <tjaalton@debian.org>,
56 Dominik George <natureshadow@debian.org>
57 Build-Depends:
58@@ -15,6 +16,8 @@ Build-Depends:
59 docbook-xml,
60 docbook-xsl,
61 dpkg-dev (>= 1.16.1~),
62+ faketime <!nocheck>,
63+ gnutls-bin <!nocheck>,
64 krb5-config,
65 ldap-utils,
66 libaugeas-dev,
67@@ -38,6 +41,8 @@ Build-Depends:
68 libnspr4-dev,
69 libnss-wrapper,
70 libnss3-dev,
71+ libp11-kit-dev,
72+ libpam-wrapper <!nocheck>,
73 libpam0g-dev | libpam-dev,
74 libpcre3-dev,
75 libpopt-dev,
76@@ -45,6 +50,7 @@ Build-Depends:
77 libselinux1-dev [linux-any],
78 libsemanage1-dev [linux-any],
79 libsmbclient-dev,
80+ libssl-dev,
81 libsystemd-dev [linux-any],
82 libtalloc-dev,
83 libtdb-dev,
84@@ -52,10 +58,13 @@ Build-Depends:
85 libuid-wrapper,
86 libxml2-utils,
87 lsb-release,
88+ openssh-client <!nocheck>,
89+ openssl <!nocheck>,
90 python3-dev,
91 python3-setuptools,
92 quilt,
93 samba-dev (>= 2:4.1.13),
94+ softhsm2 <!nocheck>,
95 systemd,
96 systemtap-sdt-dev,
97 uuid-dev,
98diff --git a/debian/nss-database-pem-exporter/README.md b/debian/nss-database-pem-exporter/README.md
99new file mode 100644
100index 0000000..919d5cd
101--- /dev/null
102+++ b/debian/nss-database-pem-exporter/README.md
103@@ -0,0 +1,13 @@
104+# NSS Database Certificates exporter
105+
106+A simple tool to export all the trusted CA certificates in a NSS database
107+(aka nssdb, usually in `~/.pki/nssdb` or `/etc/pki/nssdb`) as a chained cert
108+PEM cert file.
109+
110+ ./nss-database-pem-exporter > chained-certs.pem
111+
112+You can verify the parsed content using:
113+
114+ openssl crl2pkcs7 -nocrl -certfile chained-certs.pem | openssl pkcs7 -print_certs -text -noout
115+
116+It defaults to `/etc/pki/nssdb`, use `NSS_DATABASE` env variable to override it.
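Review bot: lines `106+`-`108+` call the output "a chained cert PEM cert file", but the tool emits a bundle of independent trusted CA certificates, not a chain, and a CA bundle is what `/etc/sssd/pki/sssd_auth_ca_db.pem` expects; say "PEM CA bundle". The README should also say that in this package the binary is installed under `/usr/libexec/sssd/` and is meant to be run from the postinst, and that the `openssl crl2pkcs7 ... | openssl pkcs7 -print_certs` line at `114+` is how to review the exported set before SSSD starts trusting it.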
117diff --git a/debian/nss-database-pem-exporter/nss-database-pem-exporter.c b/debian/nss-database-pem-exporter/nss-database-pem-exporter.c
118new file mode 100644
119index 0000000..e3afebc
120--- /dev/null
121+++ b/debian/nss-database-pem-exporter/nss-database-pem-exporter.c
122@@ -0,0 +1,179 @@
123+/*
124+ * This file is part of the nss-database-pem-exporter distribution.
125+ * Copyright (c) 2020 Marco Trevisan <marco.trevisan@canonical.com>.
126+ *
127+ * This program is free software: you can redistribute it and/or modify
128+ * it under the terms of the GNU General Public License as published by
129+ * the Free Software Foundation, version 3.
130+ *
131+ * This program is distributed in the hope that it will be useful, but
132+ * WITHOUT ANY WARRANTY; without even the implied warranty of
133+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
134+ * General Public License for more details.
135+ *
136+ * You should have received a copy of the GNU General Public License
137+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
138+ */
139+
140+#include <assert.h>
141+#include <stdbool.h>
142+#include <stdio.h>
143+#include <stdlib.h>
144+#include <string.h>
145+
146+#include <nss.h>
147+#include <nss/base64.h>
148+#include <nss/cert.h>
149+#include <nss/certdb.h>
150+#include <nss/pk11func.h>
151+
152+#define NSS_DATABASE_PATH "/etc/pki/nssdb"
153+#define OPEN_FLAGS (NSS_INIT_READONLY | NSS_INIT_NOROOTINIT | NSS_INIT_FORCEOPEN)
154+
155+#define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----"
156+#define NS_CERT_TRAILER "-----END CERTIFICATE-----"
157+
158+static SECStatus
159+print_ascii_certificate (CERTCertDBHandle *handle,
160+ const CERTCertificate *cert)
161+{
162+ CERTCertList *certs;
163+ CERTCertListNode *node;
164+
165+ certs = CERT_CreateSubjectCertList (NULL, handle, &cert->derSubject,
166+ PR_Now (), PR_FALSE);
167+
168+ for (node = CERT_LIST_HEAD (certs); !CERT_LIST_END (node, certs);
169+ node = CERT_LIST_NEXT (node))
170+ {
171+ CERTCertificate *c = node->cert;
172+ char *ascii_cert = BTOA_DataToAscii (c->derCert.data, c->derCert.len);
173+
174+ fprintf (stdout, NS_CERT_HEADER "\n");
175+ fprintf (stdout, "%s\n", ascii_cert);
176+ fprintf (stdout, NS_CERT_TRAILER "\n");
177+
178+ free (ascii_cert);
179+ }
180+
181+ if (certs)
182+ CERT_DestroyCertList (certs);
183+
184+ return SECSuccess;
185+}
186+
187+const char *
188+get_cert_name (CERTCertListNode *node)
189+{
190+ CERTCertificate * cert = node->cert;
191+ const char *name = node->appData;
192+
193+ if (name && *name != '\0')
194+ return name;
195+
196+ name = cert->nickname;
197+ if (name && *name != '\0')
198+ return name;
199+
200+ name = cert->emailAddr;
201+ if (name && *name != '\0')
202+ return name;
203+
204+ return NULL;
205+}
206+
207+bool
208+check_trusted_flags (unsigned int flags)
209+{
210+ if (!(flags & CERTDB_VALID_CA))
211+ return false;
212+
213+ /* Just return true here in any case (to handle the 'c' flag)? */
214+ return (flags & (CERTDB_TRUSTED |
215+ CERTDB_TRUSTED_CA |
216+ CERTDB_TRUSTED_CLIENT_CA |
217+ CERTDB_GOVT_APPROVED_CA)) != 0;
218+}
219+
220+bool
221+cert_is_trusted (const CERTCertificate *cert)
222+{
223+ CERTCertTrust *trust = cert->trust;
224+
225+ if (!trust)
226+ return false;
227+
228+ if (check_trusted_flags (trust->sslFlags))
229+ return true;
230+
231+ if (check_trusted_flags (trust->emailFlags))
232+ return true;
233+
234+ if (check_trusted_flags (trust->objectSigningFlags))
235+ return true;
236+
237+ return false;
238+}
239+
240+static SECStatus
241+print_trusted_certificates (CERTCertDBHandle *handle)
242+{
243+ CERTCertList *list;
244+ CERTCertListNode *node;
245+
246+ list = PK11_ListCerts (PK11CertListCA, NULL);
247+ for (node = CERT_LIST_HEAD (list); !CERT_LIST_END (node, list);
248+ node = CERT_LIST_NEXT (node))
249+ {
250+ CERTCertificate *cert = node->cert;
251+ const char *cert_name = get_cert_name (node);
252+
253+ if (!(cert->nsCertType & NS_CERT_TYPE_CA))
254+ continue;
255+
256+ fprintf (stderr, "Found CA certificate %s\n", cert_name);
257+ if (!cert)
258+ continue;
259+
260+ if (!cert_is_trusted (cert))
261+ {
262+ fprintf (stderr, "Certificate %s is not a trusted CA certificate, ignoring\n",
263+ cert_name);
264+ continue;
265+ }
266+
267+ print_ascii_certificate (handle, cert);
268+ }
269+
270+ if (list)
271+ CERT_DestroyCertList (list);
272+ return SECSuccess;
273+}
274+
275+int
276+main (void)
277+{
278+ CERTCertDBHandle *certHandle;
279+ const char *nssdb;
280+ int exit_status = EXIT_SUCCESS;
281+
282+ nssdb = getenv ("NSS_DATABASE");
283+ if (!nssdb || !*nssdb)
284+ nssdb = NSS_DATABASE_PATH;
285+
286+ if (NSS_Initialize (nssdb, NULL, NULL,
287+ "secmod.db", OPEN_FLAGS) != SECSuccess)
288+ {
289+ fprintf (stderr, "Failed to open database %s\n", nssdb);
290+ return EXIT_FAILURE;
291+ }
292+
293+ certHandle = CERT_GetDefaultCertDB ();
294+ if (print_trusted_certificates (certHandle) != SECSuccess)
295+ exit_status = EXIT_FAILURE;
296+
297+ if (NSS_Shutdown () != SECSuccess)
298+ return EXIT_FAILURE;
299+
300+ return exit_status;
301+}
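Review bot: in `print_trusted_certificates` the `if (!cert) continue;` at `257+` comes after `cert->nsCertType` (`253+`) and `get_cert_name (node)` (`251+`) have already dereferenced `cert`, so it can never catch anything; move it to the top of the loop, and handle the `NULL` that `get_cert_name` can return before passing `cert_name` to `%s`. In `print_ascii_certificate`, `CERT_CreateSubjectCertList` may return `NULL` and `CERT_LIST_HEAD (certs)` at `168+` dereferences it before the `if (certs)` guard at `181+`; more importantly it returns every certificate with the same subject, trusted or not, so an untrusted certificate sharing a subject with a trusted CA is exported as well, and a subject present several times is emitted once per outer iteration. Writing out `cert->derCert` of the certificate that just passed `cert_is_trusted` is enough here. Minor: the buffer from `BTOA_DataToAscii` should be released with `PORT_Free` rather than `free`, and `print_trusted_certificates` always returns `SECSuccess`, so `exit_status` in `main` never reflects a failure.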
302diff --git a/debian/patches/series b/debian/patches/series
303index 2ec352f..85ab941 100644
304--- a/debian/patches/series
305+++ b/debian/patches/series
306@@ -7,3 +7,4 @@ lp-1868703-02-ad-add-ad_use_ldaps.patch
307 lp-1868703-03-ldap-add-new-option-ldap_sasl_maxssf.patch
308 lp-1868703-04-ad-set-min-and-max-ssf-for-ldaps.patch
309 0003-Only-start-sssd.service-if-there-s-a-configuration-f.patch
310+test_ca-Look-for-libsofthsm2-in-libdir-before-falling-bac.patch
311diff --git a/debian/patches/test_ca-Look-for-libsofthsm2-in-libdir-before-falling-bac.patch b/debian/patches/test_ca-Look-for-libsofthsm2-in-libdir-before-falling-bac.patch
312new file mode 100644
313index 0000000..b28f39d
314--- /dev/null
315+++ b/debian/patches/test_ca-Look-for-libsofthsm2-in-libdir-before-falling-bac.patch
316@@ -0,0 +1,37 @@
317+From: Marco Trevisan (Treviño) <mail@3v1n0.net>
318+Date: Wed, 16 Dec 2020 18:19:00 +0100
319+Subject: test_ca: Look for libsofthsm2 in libdir before falling back to
320+ hardcoded paths
321+
322+Right now building SSSD in archs different from amd64 (at least in
323+debian and derivatives) won't ever get the test_CA built because
324+libsofthsm2 won't be found (leading also to #5397 at times).
325+
326+As per this, until they won't provide a pkg-config file:
327+ - Prioritize looking for libsofthsm2 in configured libdir (will help
328+ the developer case when using custom prefixes with custom softhsm2)
329+ - Fallback to /usr prefixes, supporting any arch (not only x86_64)
330+
331+Origin: https://github.com/SSSD/sssd/pull/5438
332+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1905790
333+---
334+ src/external/test_ca.m4 | 6 +++++-
335+ 1 file changed, 5 insertions(+), 1 deletion(-)
336+
337+diff --git a/src/external/test_ca.m4 b/src/external/test_ca.m4
338+index 4d45a5a..7f996f3 100644
339+--- a/src/external/test_ca.m4
340++++ b/src/external/test_ca.m4
341+@@ -33,7 +33,11 @@ AC_DEFUN([AM_CHECK_TEST_CA],
342+ AM_CONDITIONAL([BUILD_TEST_CA], [test -x "$OPENSSL" -a -x "$SSH_KEYGEN" -a -x "$CERTUTIL" -a -x "$PK12UTIL"])
343+ else
344+
345+- for p in /usr/lib64/pkcs11/libsofthsm2.so /usr/lib/pkcs11/libsofthsm2.so /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so; do
346++ for p in "$(eval echo ${libdir})"/pkcs11/libsofthsm2.so \
347++ "$(eval echo ${libdir})"/softhsm/libsofthsm2.so \
348++ /usr/lib*/pkcs11/libsofthsm2.so \
349++ /usr/lib/*-linux-gnu*/softhsm/libsofthsm2.so \
350++ /usr/lib/softhsm/libsofthsm2.so; do
351+ if test -f "${p}"; then
352+ SOFTHSM2_PATH="${p}"
353+ break;
354diff --git a/debian/rules b/debian/rules
355index b5d46e2..02a0b29 100755
356--- a/debian/rules
357+++ b/debian/rules
358@@ -34,6 +34,7 @@ override_dh_auto_configure:
359 --disable-static \
360 --disable-rpath \
361 --with-autofs \
362+ --with-crypto=libcrypto \
363 --with-ssh \
364 --with-initscript=systemd \
365 --with-systemdunitdir=/lib/systemd/system \
366@@ -42,6 +43,14 @@ override_dh_auto_configure:
367 --without-python2-bindings \
368 --with-sudo
369
370+override_dh_auto_build:
371+ dh_auto_build
372+
373+ mkdir -p $(CURDIR)/debian/build
374+ $(CC) $(CURDIR)/debian/nss-database-pem-exporter/nss-database-pem-exporter.c \
375+ $(shell pkg-config --cflags --libs nss) -o \
376+ $(CURDIR)/debian/build/nss-database-pem-exporter
377+
378 override_dh_auto_test:
379 export CK_TIMEOUT_MULTIPLIER=10
380 dh_auto_test -- VERBOSE=yes
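Review bot: the `$(CC)` invocation at `374+`-`376+` builds the exporter without the dpkg-buildflags `CPPFLAGS`/`CFLAGS`/`LDFLAGS` that the autotools build receives through dh, so this one binary loses the default hardening (PIE, `-D_FORTIFY_SOURCE=2`, relro/bindnow) even though the postinst runs it as root on a database it does not control. Add `include /usr/share/dpkg/buildflags.mk` and pass `$(CPPFLAGS) $(CFLAGS) $(LDFLAGS)` alongside the `pkg-config --cflags --libs nss` output.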
381@@ -50,6 +59,9 @@ override_dh_auto_test:
382 override_dh_auto_install:
383 dh_auto_install --max-parallel=1
384
385+ install -m755 -D $(CURDIR)/debian/build/nss-database-pem-exporter \
386+ -t $(CURDIR)/debian/tmp/usr/libexec/sssd/
387+
388 override_dh_fixperms:
389 dh_fixperms -Xkrb5_child -Xldap_child -Xselinux_child
390
391@@ -102,3 +114,4 @@ override_dh_auto_clean:
392 rm -f $(CURDIR)/src/config/*.pyc
393 rm -f $(CURDIR)/po/stamp-po
394 rm -f $(CURDIR)/src/sbus/codegen/__pycache__/*.pyc
395+ rm -rf $(CURDIR)/debian/build
396diff --git a/debian/sssd-common.install b/debian/sssd-common.install
397index e0f8ad4..fafdab6 100644
398--- a/debian/sssd-common.install
399+++ b/debian/sssd-common.install
400@@ -40,6 +40,7 @@ usr/lib/*/sssd/libsss_util.so
401 usr/lib/*/sssd/modules/libsss_autofs.so
402 usr/lib/*/sssd/modules/sssd_krb5_localauth_plugin.so
403 usr/libexec/sssd/p11_child
404+usr/libexec/sssd/nss-database-pem-exporter
405 usr/libexec/sssd/sss_signal
406 usr/libexec/sssd/sssd_autofs
407 usr/libexec/sssd/sssd_be
408diff --git a/debian/sssd-common.postinst b/debian/sssd-common.postinst
409index 295d6a2..ff8d3ee 100644
410--- a/debian/sssd-common.postinst
411+++ b/debian/sssd-common.postinst
412@@ -20,6 +20,48 @@ set -e
413 OUT=/dev/null
414 HOME=/var/lib/sss
415 LIBDIR=/usr/libexec/sssd
416+CA_CERTS_NSSDB=/etc/pki/nssdb
417+CA_CERTS_CHAIN=/etc/sssd/pki/sssd_auth_ca_db.pem
418+
419+get_config_value()
420+{
421+ if [ ! -f /etc/sssd/sssd.conf ]; then
422+ return 0
423+ fi
424+
425+ awk -F '=' '{if (! ($0 ~ /^;/) && ! ($0 ~ /^#/) && $0 ~ /'"$1"'/) print $2}' \
426+ /etc/sssd/sssd.conf | tr -d ' ' | tail -n1
427+}
428+
429+is_pem_file()
430+{
431+ [ -f "$1" ] && \
432+ grep -qsI -- "-----BEGIN CERTIFICATE-----" "$1" && \
433+ grep -qsI -- "-----END CERTIFICATE-----" "$1"
434+}
435+
436+import_nss_ca_certs()
437+{
438+ nssdb="$1"
439+
440+ if [ -z "$nssdb" ]; then
441+ return
442+ fi
443+
444+ if is_pem_file "$nssdb"; then
445+ return 1
446+ fi
447+
448+ echo "Importing $nssdb CA certificates to $CA_CERTS_CHAIN"
449+ env NSS_DATABASE="$nssdb" \
450+ $LIBDIR/nss-database-pem-exporter >> "$CA_CERTS_CHAIN"
451+}
452+
453+disable_setting()
454+{
455+ echo "Disabling sssd.conf setting using invalid value: '$1'"
456+ sed -i 's/^[^#;]*'"$1"'\b/#&/' /etc/sssd/sssd.conf || true
457+}
458
459 case "$1" in
460 configure)
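Review bot: `get_config_value` at `425+` matches the key anywhere on the line (`$0 ~ /ca_db/`) rather than at its start, so looking up `ca_db` also hits `pam_cert_db_path = /etc/sssd/pki/sssd_auth_ca_db.pem` (the very default this script writes to) and `tail -n1` may hand back that path; `-F '='` with `print $2` additionally truncates any value containing `=`. `disable_setting` at `456+` has the same flaw: `^[^#;]*ca_db\b` matches a `pam_cert_db_path` line whose value ends in `sssd_auth_ca_db.pem` (the `.` is a word boundary) and comments it out. Anchor both patterns on `^[[:space:]]*ca_db[[:space:]]*=`.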
461@@ -41,6 +83,7 @@ case "$1" in
462 /etc/sssd \
463 /var/log/sssd
464 chown root:sssd $LIBDIR/p11_child
465+ chown root:sssd $LIBDIR/nss-database-pem-exporter
466
467 chmod 4754 $LIBDIR/p11_child
468 chmod 755 $HOME/gpo_cache $HOME/mc $HOME/pipes $HOME/pubconf
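Review bot: the `chown root:sssd` at `465+` has no matching `chmod`, so with the `install -m755` mode from debian/rules it changes nothing about who can run the tool; the exporter is only ever executed by this postinst as root and is not setuid like `p11_child`, so either drop the chown or give it a mode (0750) that actually restricts access.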
469@@ -52,6 +95,31 @@ case "$1" in
470 chown root:root /etc/sssd/sssd.conf
471 chmod 0600 /etc/sssd/sssd.conf
472 fi
473+
474+ if dpkg --compare-versions "$2" lt-nl 2.2.3-3ubuntu0.2; then
475+ # When upgrading (only), we may need to migrate the NSS
476+ # database entries
477+ ca_db=$(get_config_value ca_db)
478+ pam_cert_db_path=$(get_config_value pam_cert_db_path)
479+
480+ mkdir -p -m711 "$(dirname "$CA_CERTS_CHAIN")"
481+
482+ nss_db="$ca_db"
483+ if [ -z "$nss_db" ] && [ -d "$CA_CERTS_NSSDB" ]; then
484+ nss_db="$CA_CERTS_NSSDB"
485+ fi
486+
487+ if import_nss_ca_certs "$nss_db"; then
488+ [ "$nss_db" = "$ca_db" ] && \
489+ disable_setting 'ca_db'
490+ fi
491+
492+ if [ "$pam_cert_db_path" != "$nss_db" ]; then
493+ if import_nss_ca_certs "$pam_cert_db_path"; then
494+ disable_setting 'pam_cert_db_path'
495+ fi
496+ fi
497+ fi
498 ;;
499
500 abort-upgrade|abort-remove|abort-deconfigure)
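Review bot: the migration at `474+` is gated on `dpkg --compare-versions "$2" lt-nl 2.2.3-3ubuntu0.2`, but 2.2.3-3ubuntu0.2 is the current focal release built with NSS (see the changelog hunk), so an upgrade from exactly that version compares equal rather than lower and the NSS database is never migrated on the systems this code is for; compare against the first libcrypto build instead (`lt-nl 2.2.3-3ubuntu0.3~`). Also, `import_nss_ca_certs` appends to `$CA_CERTS_CHAIN` with `>>`, so any rerun that passes the version check duplicates the bundle; writing the export to a temporary file and only appending certificates not already present would keep the step idempotent.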
