Merge ~3v1n0/ubuntu/+source/sssd:ubuntu/focal into ubuntu/+source/sssd:ubuntu/focal-devel

Proposed by Marco Trevisan (Treviño)
Status: Needs review
Proposed branch: ~3v1n0/ubuntu/+source/sssd:ubuntu/focal
Merge into: ubuntu/+source/sssd:ubuntu/focal-devel
Diff against target: 500 lines (+357/-1)
9 files modified
debian/changelog (+35/-0)
debian/control (+10/-1)
debian/nss-database-pem-exporter/README.md (+13/-0)
debian/nss-database-pem-exporter/nss-database-pem-exporter.c (+179/-0)
debian/patches/series (+1/-0)
debian/patches/test_ca-Look-for-libsofthsm2-in-libdir-before-falling-bac.patch (+37/-0)
debian/rules (+13/-0)
debian/sssd-common.install (+1/-0)
debian/sssd-common.postinst (+68/-0)
Reviewer Review Type Date Requested Status
Dimitri John Ledkov (community) with logs Approve
Sergio Durigan Junior (community) Approve
Review via email: mp+395411@code.launchpad.net

This proposal supersedes a proposal from 2020-12-16.

Description of the change

* debian/control:
- Add missing (test) dependencies as per libcrypto usage (LP: #1905790)
- Update Maintainer to Ubuntu devs
* debian/rules: Compile using libcrypto as crypto backend (LP: #1905790)
* debian/nss-database-pem-exporter: Add to sssd-common and run on postinst.
When upgrading from previous versions (that were compiled using the NSS
crypto backend) we need to migrate the trusted CA certificates that the
user may have added to the SSSD's NSS system database (that defaults to
/etc/pki/nssdb).
To do this, and not to introduce a new dependency on libnss3-tools
(which is not shipped by default, other than making the parsing not
work in some scenarios), I've added a small C tool that we compile and
install as part of the sssd-common package, which is able to get all the
trusted CA certificates from an NSS database and export them in PEM
format.
The nss-database-pem-exporter is then used in the postinst script where
we now:
    1. Read the SSSD settings
    2. Convert all the certificates in the configured NSS databases
    3. Store them all, appending them to the (new) default location
    (/etc/sssd/pki/sssd_auth_ca_db.pem)
    4. Disable the configured locations if pointing to NSS dbs (needed or
    we'll leave the configuration with broken values).
At this point nss-database-pem-exporter is then the only binary in the
package that still depends on NSS libraries. (LP: #1905790)
* debian/patches:
- Get libsofthsm2 from the right path for each architecture; this is now used
    for real (wasn't before) to test p11k components with libcrypto and
    p11-kit, and also avoids a test build failure on armhf (LP: #1905790)
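The postinst described above reads `ca_db` and `pam_cert_db_path` out of sssd.conf with a substring match on the key. As an added example (the editor's, not code from this merge proposal), the script below puts that pattern next to a section-aware, key-anchored lookup and runs both over a constructed sssd.conf; the placement of `pam_cert_db_path` under `[pam]` and `ca_db` under `[ssh]` is assumed from sssd.conf's layout, and the file contents are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the merge proposal: a section-aware
# sssd.conf lookup next to the unanchored substring match pattern used by
# the proposed postinst. The sample configuration below is constructed.
set -eu

# Pattern used by the proposed get_config_value(): any non-comment line
# containing KEY anywhere wins (last hit), value cut at a second '='.
naive_config_value() {
    key="$1"; conf="$2"
    awk -F '=' '{if (! ($0 ~ /^;/) && ! ($0 ~ /^#/) && $0 ~ /'"$key"'/) print $2}' \
        "$conf" | tr -d ' ' | tail -n1
}

# sssd_config_value SECTION KEY FILE
# Prints KEY's value from [SECTION] only; the key must start the line and
# everything after the first '=' is kept, so values containing '=' survive.
sssd_config_value() {
    section="$1"; key="$2"; conf="$3"
    [ -f "$conf" ] || return 0
    awk -v want_section="$section" -v want_key="$key" '
        /^[ \t]*[;#]/ { next }                     # comment line
        /^[ \t]*\[/ {                               # [section] header
            s = $0
            sub(/^[ \t]*\[/, "", s)
            sub(/\][ \t]*$/, "", s)
            in_section = (s == want_section)
            next
        }
        in_section && index($0, "=") {
            eq = index($0, "=")
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == want_key) value = v            # last occurrence wins
        }
        END { if (value != "") print value }
    ' "$conf"
}

# Constructed sssd.conf for the demonstration (not a real deployment).
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
services = nss, pam
# ca_db = /tmp/commented-out
[pam]
pam_cert_db_path = /etc/pki/nssdb
[ssh]
ca_db = /etc/sssd/pki/sssd_auth_ca_db.pem
[domain/example.com]
ldap_uri = ldaps://ldap.example.com
ldap_tls_cacert = /etc/ssl/ca_db_bundle.pem
EOF

# The substring match picks up the ldap_tls_cacert value because it merely
# contains "ca_db"; the anchored lookup returns the [ssh] setting.
echo "naive    ca_db            -> $(naive_config_value ca_db "$SAMPLE_CONF")"
echo "anchored ca_db [ssh]      -> $(sssd_config_value ssh ca_db "$SAMPLE_CONF")"
echo "anchored pam_cert_db_path -> $(sssd_config_value pam pam_cert_db_path "$SAMPLE_CONF")"
```

Run it with `sh`; the first line shows the wrong path a substring match produces once any later line happens to contain the key, which is the case the postinst's `tail -n1` would silently return.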

Revision history for this message
Marco Trevisan (Treviño) (3v1n0) wrote :
d6e9b9c... by Marco Trevisan (Treviño)

debian/patches: Get libsofthsm2 from right path for each architecture

This is now used for real (wasn't before) to test p11k components with
libcrypto and p11-kit

LP: #1905790

e5a94d6... by Marco Trevisan (Treviño)

debian/control: Add missing test dependencies as per libcrypto usage

In order to run all the tests with libcrypto we need some more
components to be installed at build time, as some tools that were
provided by NSS are not used anymore.

LP: #1905790

Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

Thanks for the MP, and sorry about the delay in reviewing it.

I have a few minor comments, mostly about the packaging, but otherwise this MP looks fine. I'm not the best person to review the new program you wrote; I looked at it as a C programmer, and it looks OK, but when it comes to a security review I'll defer to xnox.

I'm marking this as Needs Fixing because of the small things I've found/commented on, and because I'm SRUing sssd on Focal (for another, unrelated problem), so you will need to rebase the branch when that is accepted.

review: Needs Fixing
Revision history for this message
Marco Trevisan (Treviño) (3v1n0) wrote :

Good, thanks... I've sent my replies.

I noticed you were going to do a new focal release, so fine for me to rebase it.

Revision history for this message
Marco Trevisan (Treviño) (3v1n0) wrote :

Ok, I've addressed your comments and rebased...

Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

From my side, everything LGTM (we still need to hear from xnox, I think). Thanks!

review: Approve
Revision history for this message
Marco Trevisan (Treviño) (3v1n0) wrote :

I think he approved in chat :)

[18:20] Trevinho: hey
[18:20] Trevinho: have you had some time to look at <https://github.com/3v1n0/nss-database-pem-exporter> that is included in <https://code.launchpad.net/~3v1n0/ubuntu/+source/sssd/+git/sssd/+merge/395411> ? (edited)
[18:27] xnox: I did look at the .c programme
[18:27] xnox: It is fine.
[18:28] xnox: And packaging looks good too.
[20:18] Trevinho: Ok cool, on the c file the only thing I was unsure about was related to the trusted flags thing <https://github.com/3v1n0/nss-database-pem-exporter/blob/cafec16fc414945527df6f9a25f77fedeee30485/nss-database-pem-exporter.c#L86>
[20:18] Trevinho: Maybe put a line on the LP MR as well as Sergio was waiting for your ACK ;)
2021-01-20
[02:13] xnox: I've seen flags be everything and anything.
[02:13] xnox: Many UK passports don't even have valid checksums on their NFC chips so I wouldn't worry about flags 😀
[02:14] xnox: It is a good quick check, as you implemented.
[02:15] Trevinho: Eheh ok, good then. Thanks for checking!

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

Looks good to me!

review: Approve (with logs)

Unmerged commits

7f55160... by Marco Trevisan (Treviño)

Update changelog

b8c4d9c... by Marco Trevisan (Treviño)

debian/control: Update Maintainer to Ubuntu devs

c16c499... by Marco Trevisan (Treviño)

debian: Add nss-database-pem-exporter tool to the package and run it on postinst

When upgrading from previous versions (that were compiled using the NSS
crypto backend) we need to migrate the trusted CA certificates that the
user may have added to the SSSD's NSS system database (that defaults to
/etc/pki/nssdb).

To do this, and not to introduce a new dependency on libnss3-tools
(which is not shipped by default, other than making the parsing not
work in some scenarios), I've added a small C tool that we compile and
install as part of the sssd-common package, which is able to get all the
trusted CA certificates from an NSS database and export them in PEM
format.

The nss-database-pem-exporter is then used in the postinst script where
we now:
 1. Read the SSSD settings
 2. Convert all the certificates in the configured NSS databases
 3. Store them all, appending them to the (new) default location
    (/etc/sssd/pki/sssd_auth_ca_db.pem)
 4. Disable the configured locations if pointing to NSS dbs (needed or
    we'll leave the configuration with broken values).

At this point nss-database-pem-exporter is then the only binary in the
package that still depends on NSS libraries.

LP: #1905790

d6e9b9c... by Marco Trevisan (Treviño)

debian/patches: Get libsofthsm2 from right path for each architecture

This is now used for real (wasn't before) to test p11k components with
libcrypto and p11-kit

LP: #1905790

e5a94d6... by Marco Trevisan (Treviño)

debian/control: Add missing test dependencies as per libcrypto usage

In order to run all the tests with libcrypto we need some more
components to be installed at build time, as some tools that were
provided by NSS are not used anymore.

LP: #1905790

22d3d57... by Marco Trevisan (Treviño)

debian/{control,rules}: Compile using libcrypto as crypto backend

LP: #1905790

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index b6366f5..95463f8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,38 @@
1sssd (2.2.3-3ubuntu0.3) UNRELEASED; urgency=medium
2
3 * debian/control:
4 - Add missing (test) dependencies as per libcrypto usage (LP: #1905790)
5 - Update Maintainer to Ubuntu devs
6 * debian/rules: Compile using libcrypto as crypto backend (LP: #1905790)
7 * debian/nss-database-pem-exporter: Add to sssd-common and run on postinst.
8 When upgrading from previous versions (that were compiled using the NSS
9 crypto backend) we need to migrate the trusted CA certificates that the
10 user may have added to the SSSD's NSS system database (that defaults to
11 /etc/pki/nssdb).
12 To do this, and not to introduce a new dependency on libnss3-tools
13 (which is not shipped by default, other than making the parsing not
14 working in some scenarios) I've added a small C tool that we compile and
15 install as part of the sssd-common package which is able to get all the
16 trusted CA certificates for a NSS database and export them in PEM
17 format.
18 The nss-database-pem-exporter is then used in the postinst script where
19 we now:
20 1. Read the SSSD settings
21 2. Convert all the certificates in the configured NSS databases
22 3. Store them all, appending them to the (new) default location
23 (/etc/sssd/pki/sssd_auth_ca_db.pem)
24 4. Disables the configured locations if pointing to NSS dbs (needed or
25 we'll leave the configuration with broken values).
26 At this point nss-database-pem-exporter is then the only binary in the
27 package that still depends on NSS libraries. (LP: #1905790)
28 * debian/patches:
29 - Get libsofthsm2 from right path for each architecture, this is now used
30 for real (wasn't before) to test p11k components with libcrypto and
31 p11-kit, also avoids a test build failure on armhf (LP: #1905790)
32 * Update changelog
33
34 -- Marco Trevisan (Treviño) <marco@ubuntu.com> Tue, 19 Jan 2021 20:05:24 +0100
35
1sssd (2.2.3-3ubuntu0.2) focal; urgency=medium36sssd (2.2.3-3ubuntu0.2) focal; urgency=medium
237
3 * d/p/0003-Only-start-sssd.service-if-there-s-a-configuration-f.patch:38 * d/p/0003-Only-start-sssd.service-if-there-s-a-configuration-f.patch:
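Review bot: the last bullet of the new entry, `* Update changelog`, is a commit subject rather than a user-visible change and should be dropped from the changelog; the entry is also still `UNRELEASED` and needs the `focal` distribution before upload. The rest of the entry reads well and carries the LP reference on every item.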
diff --git a/debian/control b/debian/control
index 648a240..2180505 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,8 @@
1Source: sssd1Source: sssd
2Section: utils2Section: utils
3Priority: optional3Priority: optional
4Maintainer: Debian SSSD Team <pkg-sssd-devel@alioth-lists.debian.net>4Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
5XSBC-Original-Maintainer: Debian SSSD Team <pkg-sssd-devel@alioth-lists.debian.net>
5Uploaders: Timo Aaltonen <tjaalton@debian.org>,6Uploaders: Timo Aaltonen <tjaalton@debian.org>,
6 Dominik George <natureshadow@debian.org>7 Dominik George <natureshadow@debian.org>
7Build-Depends:8Build-Depends:
@@ -15,6 +16,8 @@ Build-Depends:
15 docbook-xml,16 docbook-xml,
16 docbook-xsl,17 docbook-xsl,
17 dpkg-dev (>= 1.16.1~),18 dpkg-dev (>= 1.16.1~),
19 faketime <!nocheck>,
20 gnutls-bin <!nocheck>,
18 krb5-config,21 krb5-config,
19 ldap-utils,22 ldap-utils,
20 libaugeas-dev,23 libaugeas-dev,
@@ -38,6 +41,8 @@ Build-Depends:
38 libnspr4-dev,41 libnspr4-dev,
39 libnss-wrapper,42 libnss-wrapper,
40 libnss3-dev,43 libnss3-dev,
44 libp11-kit-dev,
45 libpam-wrapper <!nocheck>,
41 libpam0g-dev | libpam-dev,46 libpam0g-dev | libpam-dev,
42 libpcre3-dev,47 libpcre3-dev,
43 libpopt-dev,48 libpopt-dev,
@@ -45,6 +50,7 @@ Build-Depends:
45 libselinux1-dev [linux-any],50 libselinux1-dev [linux-any],
46 libsemanage1-dev [linux-any],51 libsemanage1-dev [linux-any],
47 libsmbclient-dev,52 libsmbclient-dev,
53 libssl-dev,
48 libsystemd-dev [linux-any],54 libsystemd-dev [linux-any],
49 libtalloc-dev,55 libtalloc-dev,
50 libtdb-dev,56 libtdb-dev,
@@ -52,10 +58,13 @@ Build-Depends:
52 libuid-wrapper,58 libuid-wrapper,
53 libxml2-utils,59 libxml2-utils,
54 lsb-release,60 lsb-release,
61 openssh-client <!nocheck>,
62 openssl <!nocheck>,
55 python3-dev,63 python3-dev,
56 python3-setuptools,64 python3-setuptools,
57 quilt,65 quilt,
58 samba-dev (>= 2:4.1.13),66 samba-dev (>= 2:4.1.13),
67 softhsm2 <!nocheck>,
59 systemd,68 systemd,
60 systemtap-sdt-dev,69 systemtap-sdt-dev,
61 uuid-dev,70 uuid-dev,
diff --git a/debian/nss-database-pem-exporter/README.md b/debian/nss-database-pem-exporter/README.md
62new file mode 10064471new file mode 100644
index 0000000..919d5cd
--- /dev/null
+++ b/debian/nss-database-pem-exporter/README.md
@@ -0,0 +1,13 @@
1# NSS Database Certificates exporter
2
3A simple tool to export all the trusted CA certificates in a NSS database
4(aka nssdb, usually in `~/.pki/nssdb` or `/etc/pki/nssdb`) as a chained cert
5PEM cert file.
6
7 ./nss-database-pem-exporter > chained-certs.pem
8
9You can verify the parsed content using:
10
11 openssl crl2pkcs7 -nocrl -certfile chained-certs.pem | openssl pkcs7 -print_certs -text -noout
12
13It defaults to `/etc/pki/nssdb`, use `NSS_DATABASE` env variable to override it.
diff --git a/debian/nss-database-pem-exporter/nss-database-pem-exporter.c b/debian/nss-database-pem-exporter/nss-database-pem-exporter.c
0new file mode 10064414new file mode 100644
index 0000000..e3afebc
--- /dev/null
+++ b/debian/nss-database-pem-exporter/nss-database-pem-exporter.c
@@ -0,0 +1,179 @@
1/*
2 * This file is part of the nss-database-pem-exporter distribution.
3 * Copyright (c) 2020 Marco Trevisan <marco.trevisan@canonical.com>.
4 *
5 * This program is free software: you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation, version 3.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program. If not, see <http://www.gnu.org/licenses/>.
16 */
17
18#include <assert.h>
19#include <stdbool.h>
20#include <stdio.h>
21#include <stdlib.h>
22#include <string.h>
23
24#include <nss.h>
25#include <nss/base64.h>
26#include <nss/cert.h>
27#include <nss/certdb.h>
28#include <nss/pk11func.h>
29
30#define NSS_DATABASE_PATH "/etc/pki/nssdb"
31#define OPEN_FLAGS (NSS_INIT_READONLY | NSS_INIT_NOROOTINIT | NSS_INIT_FORCEOPEN)
32
33#define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----"
34#define NS_CERT_TRAILER "-----END CERTIFICATE-----"
35
36static SECStatus
37print_ascii_certificate (CERTCertDBHandle *handle,
38 const CERTCertificate *cert)
39{
40 CERTCertList *certs;
41 CERTCertListNode *node;
42
43 certs = CERT_CreateSubjectCertList (NULL, handle, &cert->derSubject,
44 PR_Now (), PR_FALSE);
45
46 for (node = CERT_LIST_HEAD (certs); !CERT_LIST_END (node, certs);
47 node = CERT_LIST_NEXT (node))
48 {
49 CERTCertificate *c = node->cert;
50 char *ascii_cert = BTOA_DataToAscii (c->derCert.data, c->derCert.len);
51
52 fprintf (stdout, NS_CERT_HEADER "\n");
53 fprintf (stdout, "%s\n", ascii_cert);
54 fprintf (stdout, NS_CERT_TRAILER "\n");
55
56 free (ascii_cert);
57 }
58
59 if (certs)
60 CERT_DestroyCertList (certs);
61
62 return SECSuccess;
63}
64
65const char *
66get_cert_name (CERTCertListNode *node)
67{
68 CERTCertificate * cert = node->cert;
69 const char *name = node->appData;
70
71 if (name && *name != '\0')
72 return name;
73
74 name = cert->nickname;
75 if (name && *name != '\0')
76 return name;
77
78 name = cert->emailAddr;
79 if (name && *name != '\0')
80 return name;
81
82 return NULL;
83}
84
85bool
86check_trusted_flags (unsigned int flags)
87{
88 if (!(flags & CERTDB_VALID_CA))
89 return false;
90
91 /* Just return true here in any case (to handle the 'c' flag)? */
92 return (flags & (CERTDB_TRUSTED |
93 CERTDB_TRUSTED_CA |
94 CERTDB_TRUSTED_CLIENT_CA |
95 CERTDB_GOVT_APPROVED_CA)) != 0;
96}
97
98bool
99cert_is_trusted (const CERTCertificate *cert)
100{
101 CERTCertTrust *trust = cert->trust;
102
103 if (!trust)
104 return false;
105
106 if (check_trusted_flags (trust->sslFlags))
107 return true;
108
109 if (check_trusted_flags (trust->emailFlags))
110 return true;
111
112 if (check_trusted_flags (trust->objectSigningFlags))
113 return true;
114
115 return false;
116}
117
118static SECStatus
119print_trusted_certificates (CERTCertDBHandle *handle)
120{
121 CERTCertList *list;
122 CERTCertListNode *node;
123
124 list = PK11_ListCerts (PK11CertListCA, NULL);
125 for (node = CERT_LIST_HEAD (list); !CERT_LIST_END (node, list);
126 node = CERT_LIST_NEXT (node))
127 {
128 CERTCertificate *cert = node->cert;
129 const char *cert_name = get_cert_name (node);
130
131 if (!(cert->nsCertType & NS_CERT_TYPE_CA))
132 continue;
133
134 fprintf (stderr, "Found CA certificate %s\n", cert_name);
135 if (!cert)
136 continue;
137
138 if (!cert_is_trusted (cert))
139 {
140 fprintf (stderr, "Certificate %s is not a trusted CA certificate, ignoring\n",
141 cert_name);
142 continue;
143 }
144
145 print_ascii_certificate (handle, cert);
146 }
147
148 if (list)
149 CERT_DestroyCertList (list);
150 return SECSuccess;
151}
152
153int
154main (void)
155{
156 CERTCertDBHandle *certHandle;
157 const char *nssdb;
158 int exit_status = EXIT_SUCCESS;
159
160 nssdb = getenv ("NSS_DATABASE");
161 if (!nssdb || !*nssdb)
162 nssdb = NSS_DATABASE_PATH;
163
164 if (NSS_Initialize (nssdb, NULL, NULL,
165 "secmod.db", OPEN_FLAGS) != SECSuccess)
166 {
167 fprintf (stderr, "Failed to open database %s\n", nssdb);
168 return EXIT_FAILURE;
169 }
170
171 certHandle = CERT_GetDefaultCertDB ();
172 if (print_trusted_certificates (certHandle) != SECSuccess)
173 exit_status = EXIT_FAILURE;
174
175 if (NSS_Shutdown () != SECSuccess)
176 return EXIT_FAILURE;
177
178 return exit_status;
179}
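Review bot: both list walks dereference a possibly NULL list before checking it. `print_ascii_certificate` calls `CERT_LIST_HEAD (certs)` on the result of `CERT_CreateSubjectCertList`, and `print_trusted_certificates` does the same with `PK11_ListCerts`; either can return NULL (no match, or allocation failure), and the `if (certs)` / `if (list)` guards only protect the destroy call after the loop, so move the NULL check before the loop. In `print_trusted_certificates` the `if (!cert) continue;` test is dead: `get_cert_name (node)` and `cert->nsCertType` have already dereferenced `cert` on the two lines above it, so hoist that check to the top of the loop body. Two smaller points: `BTOA_DataToAscii` hands back memory from NSS's PORT allocator, so it should be released with `PORT_Free` rather than `free`; and because `print_ascii_certificate` emits every certificate sharing the trusted CA's subject, two trusted entries with the same subject will be written to the PEM bundle twice, so either print only the trusted certificate's own `derCert` or deduplicate by DER before writing.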
diff --git a/debian/patches/series b/debian/patches/series
index 2ec352f..85ab941 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@ lp-1868703-02-ad-add-ad_use_ldaps.patch
7lp-1868703-03-ldap-add-new-option-ldap_sasl_maxssf.patch7lp-1868703-03-ldap-add-new-option-ldap_sasl_maxssf.patch
8lp-1868703-04-ad-set-min-and-max-ssf-for-ldaps.patch8lp-1868703-04-ad-set-min-and-max-ssf-for-ldaps.patch
90003-Only-start-sssd.service-if-there-s-a-configuration-f.patch90003-Only-start-sssd.service-if-there-s-a-configuration-f.patch
10test_ca-Look-for-libsofthsm2-in-libdir-before-falling-bac.patch
diff --git a/debian/patches/test_ca-Look-for-libsofthsm2-in-libdir-before-falling-bac.patch b/debian/patches/test_ca-Look-for-libsofthsm2-in-libdir-before-falling-bac.patch
10new file mode 10064411new file mode 100644
index 0000000..b28f39d
--- /dev/null
+++ b/debian/patches/test_ca-Look-for-libsofthsm2-in-libdir-before-falling-bac.patch
@@ -0,0 +1,37 @@
1From: Marco Trevisan (Treviño) <mail@3v1n0.net>
2Date: Wed, 16 Dec 2020 18:19:00 +0100
3Subject: test_ca: Look for libsofthsm2 in libdir before falling back to
4 hardcoded paths
5
6Right now building SSSD in archs different from amd64 (at least in
7debian and derivatives) won't ever get the test_CA built because
8libsofthsm2 won't be found (leading also to #5397 at times).
9
10As per this, until they won't provide a pkg-config file:
11 - Prioritize looking for libsofthsm2 in configured libdir (will help
12 the developer case when using custom prefixes with custom softhsm2)
13 - Fallback to /usr prefixes, supporting any arch (not only x86_64)
14
15Origin: https://github.com/SSSD/sssd/pull/5438
16Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1905790
17---
18 src/external/test_ca.m4 | 6 +++++-
19 1 file changed, 5 insertions(+), 1 deletion(-)
20
21diff --git a/src/external/test_ca.m4 b/src/external/test_ca.m4
22index 4d45a5a..7f996f3 100644
23--- a/src/external/test_ca.m4
24+++ b/src/external/test_ca.m4
25@@ -33,7 +33,11 @@ AC_DEFUN([AM_CHECK_TEST_CA],
26 AM_CONDITIONAL([BUILD_TEST_CA], [test -x "$OPENSSL" -a -x "$SSH_KEYGEN" -a -x "$CERTUTIL" -a -x "$PK12UTIL"])
27 else
28
29- for p in /usr/lib64/pkcs11/libsofthsm2.so /usr/lib/pkcs11/libsofthsm2.so /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so; do
30+ for p in "$(eval echo ${libdir})"/pkcs11/libsofthsm2.so \
31+ "$(eval echo ${libdir})"/softhsm/libsofthsm2.so \
32+ /usr/lib*/pkcs11/libsofthsm2.so \
33+ /usr/lib/*-linux-gnu*/softhsm/libsofthsm2.so \
34+ /usr/lib/softhsm/libsofthsm2.so; do
35 if test -f "${p}"; then
36 SOFTHSM2_PATH="${p}"
37 break;
diff --git a/debian/rules b/debian/rules
index b5d46e2..02a0b29 100755
--- a/debian/rules
+++ b/debian/rules
@@ -34,6 +34,7 @@ override_dh_auto_configure:
34 --disable-static \34 --disable-static \
35 --disable-rpath \35 --disable-rpath \
36 --with-autofs \36 --with-autofs \
37 --with-crypto=libcrypto \
37 --with-ssh \38 --with-ssh \
38 --with-initscript=systemd \39 --with-initscript=systemd \
39 --with-systemdunitdir=/lib/systemd/system \40 --with-systemdunitdir=/lib/systemd/system \
@@ -42,6 +43,14 @@ override_dh_auto_configure:
42 --without-python2-bindings \43 --without-python2-bindings \
43 --with-sudo44 --with-sudo
4445
46override_dh_auto_build:
47 dh_auto_build
48
49 mkdir -p $(CURDIR)/debian/build
50 $(CC) $(CURDIR)/debian/nss-database-pem-exporter/nss-database-pem-exporter.c \
51 $(shell pkg-config --cflags --libs nss) -o \
52 $(CURDIR)/debian/build/nss-database-pem-exporter
53
45override_dh_auto_test:54override_dh_auto_test:
46 export CK_TIMEOUT_MULTIPLIER=1055 export CK_TIMEOUT_MULTIPLIER=10
47 dh_auto_test -- VERBOSE=yes56 dh_auto_test -- VERBOSE=yes
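Review bot: the `override_dh_auto_build` compile line passes `$(CC)` only the nss pkg-config flags, so the hardening flags dpkg-buildflags applies to the rest of the build (stack protector, `-D_FORTIFY_SOURCE=2`, relro/bindnow, PIE) are not applied to nss-database-pem-exporter. Add `$(CPPFLAGS) $(CFLAGS) $(LDFLAGS)` to that line, keeping the pkg-config `--libs` output after the source file as it is now; without it lintian's hardening checks will flag the installed binary.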
@@ -50,6 +59,9 @@ override_dh_auto_test:
50override_dh_auto_install:59override_dh_auto_install:
51 dh_auto_install --max-parallel=160 dh_auto_install --max-parallel=1
5261
62 install -m755 -D $(CURDIR)/debian/build/nss-database-pem-exporter \
63 -t $(CURDIR)/debian/tmp/usr/libexec/sssd/
64
53override_dh_fixperms:65override_dh_fixperms:
54 dh_fixperms -Xkrb5_child -Xldap_child -Xselinux_child66 dh_fixperms -Xkrb5_child -Xldap_child -Xselinux_child
5567
@@ -102,3 +114,4 @@ override_dh_auto_clean:
102 rm -f $(CURDIR)/src/config/*.pyc114 rm -f $(CURDIR)/src/config/*.pyc
103 rm -f $(CURDIR)/po/stamp-po115 rm -f $(CURDIR)/po/stamp-po
104 rm -f $(CURDIR)/src/sbus/codegen/__pycache__/*.pyc116 rm -f $(CURDIR)/src/sbus/codegen/__pycache__/*.pyc
117 rm -rf $(CURDIR)/debian/build
diff --git a/debian/sssd-common.install b/debian/sssd-common.install
index e0f8ad4..fafdab6 100644
--- a/debian/sssd-common.install
+++ b/debian/sssd-common.install
@@ -40,6 +40,7 @@ usr/lib/*/sssd/libsss_util.so
40usr/lib/*/sssd/modules/libsss_autofs.so40usr/lib/*/sssd/modules/libsss_autofs.so
41usr/lib/*/sssd/modules/sssd_krb5_localauth_plugin.so41usr/lib/*/sssd/modules/sssd_krb5_localauth_plugin.so
42usr/libexec/sssd/p11_child42usr/libexec/sssd/p11_child
43usr/libexec/sssd/nss-database-pem-exporter
43usr/libexec/sssd/sss_signal44usr/libexec/sssd/sss_signal
44usr/libexec/sssd/sssd_autofs45usr/libexec/sssd/sssd_autofs
45usr/libexec/sssd/sssd_be46usr/libexec/sssd/sssd_be
diff --git a/debian/sssd-common.postinst b/debian/sssd-common.postinst
index 295d6a2..ff8d3ee 100644
--- a/debian/sssd-common.postinst
+++ b/debian/sssd-common.postinst
@@ -20,6 +20,48 @@ set -e
20OUT=/dev/null20OUT=/dev/null
21HOME=/var/lib/sss21HOME=/var/lib/sss
22LIBDIR=/usr/libexec/sssd22LIBDIR=/usr/libexec/sssd
23CA_CERTS_NSSDB=/etc/pki/nssdb
24CA_CERTS_CHAIN=/etc/sssd/pki/sssd_auth_ca_db.pem
25
26get_config_value()
27{
28 if [ ! -f /etc/sssd/sssd.conf ]; then
29 return 0
30 fi
31
32 awk -F '=' '{if (! ($0 ~ /^;/) && ! ($0 ~ /^#/) && $0 ~ /'"$1"'/) print $2}' \
33 /etc/sssd/sssd.conf | tr -d ' ' | tail -n1
34}
35
36is_pem_file()
37{
38 [ -f "$1" ] && \
39 grep -qsI -- "-----BEGIN CERTIFICATE-----" "$1" && \
40 grep -qsI -- "-----END CERTIFICATE-----" "$1"
41}
42
43import_nss_ca_certs()
44{
45 nssdb="$1"
46
47 if [ -z "$nssdb" ]; then
48 return
49 fi
50
51 if is_pem_file "$nssdb"; then
52 return 1
53 fi
54
55 echo "Importing $nssdb CA certificates to $CA_CERTS_CHAIN"
56 env NSS_DATABASE="$nssdb" \
57 $LIBDIR/nss-database-pem-exporter >> "$CA_CERTS_CHAIN"
58}
59
60disable_setting()
61{
62 echo "Disabling sssd.conf setting using invalid value: '$1'"
63 sed -i 's/^[^#;]*'"$1"'\b/#&/' /etc/sssd/sssd.conf || true
64}
2365
24case "$1" in66case "$1" in
25 configure)67 configure)
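Review bot: `get_config_value` matches the key with `$0 ~ /KEY/`, an unanchored substring test over every line of every section, so a line whose value merely contains the key, or a longer key that contains it, is picked up too, and `tail -n1` then returns whichever hit comes last regardless of its section; `-F '='` also discards anything after a second `=`. Anchor the key at the start of the line (`^[[:space:]]*KEY[[:space:]]*=`), keep the remainder of the line after the first `=`, and ideally track the `[section]` header so `ca_db` and `pam_cert_db_path` are read from their own sections. `disable_setting` has the same unanchored shape (`^[^#;]*KEY\b`) and will comment out any non-comment line that contains the key anywhere. Separately, the bare `return` in `import_nss_ca_certs` for an empty path propagates the status of the preceding `[ -z "$nssdb" ]` test, which is success, so callers treat "nothing to import" as a completed import; make it `return 1` (or a distinct code) so the caller does not go on to disable a setting that was never set.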
@@ -41,6 +83,7 @@ case "$1" in
41 /etc/sssd \83 /etc/sssd \
42 /var/log/sssd84 /var/log/sssd
43 chown root:sssd $LIBDIR/p11_child85 chown root:sssd $LIBDIR/p11_child
86 chown root:sssd $LIBDIR/nss-database-pem-exporter
4487
45 chmod 4754 $LIBDIR/p11_child88 chmod 4754 $LIBDIR/p11_child
46 chmod 755 $HOME/gpo_cache $HOME/mc $HOME/pipes $HOME/pubconf89 chmod 755 $HOME/gpo_cache $HOME/mc $HOME/pipes $HOME/pubconf
@@ -52,6 +95,31 @@ case "$1" in
52 chown root:root /etc/sssd/sssd.conf95 chown root:root /etc/sssd/sssd.conf
53 chmod 0600 /etc/sssd/sssd.conf96 chmod 0600 /etc/sssd/sssd.conf
54 fi97 fi
98
99 if dpkg --compare-versions "$2" lt-nl 2.2.3-3ubuntu0.2; then
100 # When upgrading (only), we may need to migrate the NSS
101 # database entries
102 ca_db=$(get_config_value ca_db)
103 pam_cert_db_path=$(get_config_value pam_cert_db_path)
104
105 mkdir -p -m711 "$(dirname "$CA_CERTS_CHAIN")"
106
107 nss_db="$ca_db"
108 if [ -z "$nss_db" ] && [ -d "$CA_CERTS_NSSDB" ]; then
109 nss_db="$CA_CERTS_NSSDB"
110 fi
111
112 if import_nss_ca_certs "$nss_db"; then
113 [ "$nss_db" = "$ca_db" ] && \
114 disable_setting 'ca_db'
115 fi
116
117 if [ "$pam_cert_db_path" != "$nss_db" ]; then
118 if import_nss_ca_certs "$pam_cert_db_path"; then
119 disable_setting 'pam_cert_db_path'
120 fi
121 fi
122 fi
55 ;;123 ;;
56124
57 abort-upgrade|abort-remove|abort-deconfigure)125 abort-upgrade|abort-remove|abort-deconfigure)
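Review bot: the guard `dpkg --compare-versions "$2" lt-nl 2.2.3-3ubuntu0.2` skips exactly the upgrade this change is for. The changelog in this diff lists 2.2.3-3ubuntu0.2 as the previous focal release, which was still built with the NSS backend, so an upgrade from 0.2 to 0.3 has `$2` equal to 2.2.3-3ubuntu0.2, the comparison is false and no certificates are migrated; compare against the first libcrypto-backed version instead (`lt-nl 2.2.3-3ubuntu0.3~`, or whatever the final version string becomes). Two further points in the same block: with `import_nss_ca_certs` returning success for an empty path, an unset `ca_db` together with an unset `pam_cert_db_path` reaches both `disable_setting` calls and prints "Disabling sssd.conf setting" for keys that were never configured; and the exporter appends to `$CA_CERTS_CHAIN` with `>>`, so re-running configure for the same upgrade (for example after a failed postinst) appends the same certificates a second time. Writing the export to a temporary file and appending only certificates not already present in the bundle would keep it stable.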
