[meta-security][PATCH 1/5] Revert "sssd: fix libcrypto version used"

[meta-security][PATCH 1/5] Revert "sssd: fix libcrypto version used"

[Armin Kuster]

This reverts commit 2488c965d6b1b440734f43326fb33ac642ac7b82.

This corrects an incorrect fix as pointed out by Adrian Bunk.
---
 recipes-security/sssd/sssd_1.16.3.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/recipes-security/sssd/sssd_1.16.3.bb b/recipes-security/sssd/sssd_1.16.3.bb
index d39fa23..8f7f805 100644
--- a/recipes-security/sssd/sssd_1.16.3.bb
+++ b/recipes-security/sssd/sssd_1.16.3.bb
@@ -33,7 +33,7 @@ PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no"
 PACKAGECONFIG[python2] = "--with-python2-bindings, --without-python2-bindings"
 PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings"
 PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss,"
-PACKAGECONFIG[cyrpto] = "--with-crypto=libcrypto, , libcrypto10"
+PACKAGECONFIG[cyrpto] = "--with-crypto=libcrypto, , libcrypto"
 PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
 PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
 PACKAGECONFIG[systemd] = "--with-systemdunitdir=${systemd_unitdir}/system/, --with-systemdunitdir="
-- 
2.17.1

[meta-security][PATCH 2/5] libldb: work around samba libldb packaging issues

[Armin Kuster]

Samba and libldb overlap in a few places. This is the simplest fix for
now.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 recipes-support/libldb/libldb_%.bbappend | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 recipes-support/libldb/libldb_%.bbappend

diff --git a/recipes-support/libldb/libldb_%.bbappend b/recipes-support/libldb/libldb_%.bbappend
new file mode 100644
index 0000000..2633a1e
--- /dev/null
+++ b/recipes-support/libldb/libldb_%.bbappend
@@ -0,0 +1,22 @@
+# This fixes this issue:
+#ERROR: sssd-1.16.3-r0 do_prepare_recipe_sysroot: The file /usr/lib/python2.7/site-packages/_ldb_text.py is installed by both libldb and samba, aborting
+
+EXTRA_OECONF += "--disable-python"
+
+#Error: Transaction check error:
+#  file /usr/bin/ldbadd conflicts between attempted installs of samba-4.8.4-r0.cortexa15t2hf_neon_vfpv4 and libldb-1.4.1-r0.cortexa15t2hf_neon_vfpv4
+#  file /usr/bin/ldbdel conflicts between attempted installs of samba-4.8.4-r0.cortexa15t2hf_neon_vfpv4 and libldb-1.4.1-r0.cortexa15t2hf_neon_vfpv4
+#  file /usr/bin/ldbedit conflicts between attempted installs of samba-4.8.4-r0.cortexa15t2hf_neon_vfpv4 and libldb-1.4.1-r0.cortexa15t2hf_neon_vfpv4
+#  file /usr/bin/ldbmodify conflicts between attempted installs of samba-4.8.4-r0.cortexa15t2hf_neon_vfpv4 and libldb-1.4.1-r0.cortexa15t2hf_neon_vfpv4
+#  file /usr/bin/ldbrename conflicts between attempted installs of samba-4.8.4-r0.cortexa15t2hf_neon_vfpv4 and libldb-1.4.1-r0.cortexa15t2hf_neon_vfpv4
+#  file /usr/bin/ldbsearch conflicts between attempted installs of samba-4.8.4-r0.cortexa15t2hf_neon_vfpv4 and libldb-1.4.1-r0.cortexa15t2hf_neon_vfpv4
+
+do_install_append() {
+   rm -f ${D}${bindir}/ldbadd
+   rm -f ${D}${bindir}/ldbdel
+   rm -f ${D}${bindir}/ldbedit
+   rm -f ${D}${bindir}/ldbmodify
+   rm -f ${D}${bindir}/ldbrename
+   rm -f ${D}${bindir}/ldbsearch
+   rmdir ${D}${bindir}
+}
-- 
2.17.1

[meta-security][PATCH 3/5] sssd: fix a few runtime issues

[Armin Kuster]

include a few more RDEPEND packages. remove init script as there really
isn't one yet.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 recipes-security/sssd/sssd_1.16.3.bb | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/recipes-security/sssd/sssd_1.16.3.bb b/recipes-security/sssd/sssd_1.16.3.bb
index 8f7f805..e3fb254 100644
--- a/recipes-security/sssd/sssd_1.16.3.bb
+++ b/recipes-security/sssd/sssd_1.16.3.bb
@@ -14,7 +14,7 @@ SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz\
 SRC_URI[md5sum] = "af4288c9d1f9953e3b3b6e0b165a5ece"
 SRC_URI[sha256sum] = "ee5d17a0c663c09819cbab9364085b9e57faeca02406cc30efe14cc0cfc04ec4"
 
-inherit autotools pkgconfig gettext update-rc.d python-dir distro_features_check
+inherit autotools pkgconfig gettext python-dir distro_features_check
 
 REQUIRED_DISTRO_FEATURES = "pam"
 
@@ -55,6 +55,16 @@ do_install () {
     rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
     install -d ${D}/${sysconfdir}/${BPN}
     install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}
+
+    # Remove /var/run as it is created on startup
+    rm -rf ${D}${localstatedir}/run
+}
+
+pkg_postinst_ontarget_${PN} () {
+if [ -e /etc/init.d/populate-volatile.sh ] ; then
+    ${sysconfdir}/init.d/populate-volatile.sh update
+fi
+
 }
 
 CONFFILES_${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"
@@ -70,4 +80,4 @@ FILES_${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la"
 # The package contains symlinks that trip up insane
 INSANE_SKIP_${PN} = "dev-so"
 
-RDEPENDS_${PN} += "bind dbus"
+RDEPENDS_${PN} = "bind dbus samba libldb"
-- 
2.17.1

[meta-security][PATCH 4/5] sssd: update to 1.16.4

[Armin Kuster]

Add systemd pkgconf via DISTRO_FEATURE

Fix uid/gid of sssd.conf

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../sssd/{sssd_1.16.3.bb => sssd_1.16.4.bb}          | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
 rename recipes-security/sssd/{sssd_1.16.3.bb => sssd_1.16.4.bb} (88%)

diff --git a/recipes-security/sssd/sssd_1.16.3.bb b/recipes-security/sssd/sssd_1.16.4.bb
similarity index 88%
rename from recipes-security/sssd/sssd_1.16.3.bb
rename to recipes-security/sssd/sssd_1.16.4.bb
index e3fb254..3fa3426 100644
--- a/recipes-security/sssd/sssd_1.16.3.bb
+++ b/recipes-security/sssd/sssd_1.16.4.bb
@@ -11,13 +11,16 @@ DEPENDS += "libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent"
 SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz\
             file://sssd.conf "
 
-SRC_URI[md5sum] = "af4288c9d1f9953e3b3b6e0b165a5ece"
-SRC_URI[sha256sum] = "ee5d17a0c663c09819cbab9364085b9e57faeca02406cc30efe14cc0cfc04ec4"
+SRC_URI[md5sum] = "757bbb6f15409d8d075f4f06cb678d50"
+SRC_URI[sha256sum] = "6bb212cd6b75b918e945c24e7c3f95a486fb54d7f7d489a9334cfa1a1f3bf959"
 
 inherit autotools pkgconfig gettext python-dir distro_features_check
 
 REQUIRED_DISTRO_FEATURES = "pam"
 
+SSSD_UID ?= "root"
+SSSD_GID ?= "root"
+
 CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
     ac_cv_path_NSUPDATE=${bindir} \
     ac_cv_path_PYTHON2=${PYTHON_DIR} ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
@@ -25,6 +28,7 @@ CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
 
 PACKAGECONFIG ?="nss nscd"
 PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
 
 PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, "
 PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
@@ -64,7 +68,7 @@ pkg_postinst_ontarget_${PN} () {
 if [ -e /etc/init.d/populate-volatile.sh ] ; then
     ${sysconfdir}/init.d/populate-volatile.sh update
 fi
-
+    chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf
 }
 
 CONFFILES_${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"
@@ -80,4 +84,4 @@ FILES_${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la"
 # The package contains symlinks that trip up insane
 INSANE_SKIP_${PN} = "dev-so"
 
-RDEPENDS_${PN} = "bind dbus samba libldb"
+RDEPENDS_${PN} = "bind dbus samba libldb libpam"
-- 
2.17.1

[meta-security][PATCH 5/5] sssd: Add basic runtime test

[Armin Kuster]

This does some basic testing and checks.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 lib/oeqa/runtime/cases/sssd.py | 37 ++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 lib/oeqa/runtime/cases/sssd.py

diff --git a/lib/oeqa/runtime/cases/sssd.py b/lib/oeqa/runtime/cases/sssd.py
new file mode 100644
index 0000000..4644836
--- /dev/null
+++ b/lib/oeqa/runtime/cases/sssd.py
@@ -0,0 +1,37 @@
+# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+#
+import re
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class SSSDTest(OERuntimeTestCase):
+
+    @OEHasPackage(['sssd'])
+    @OETestDepends(['ssh.SSHTest.test_ssh'])
+    def test_sssd_help(self):
+        status, output = self.target.run('sssctl --help')
+        msg = ('sssctl command does not work as expected. '
+               'Status and output:%s and %s' % (status, output))
+        self.assertEqual(status, 1, msg = msg)
+
+    @OETestDepends(['sssd.SSSDTest.test_sssd_help'])
+    def test_sssd_sssctl_conf_perms_chk(self):
+        status, output = self.target.run('sssctl domain-status')
+        match = re.search('ConfDB initialization has failed', output)
+        if match:
+            msg = ('sssctl domain-status failed, check sssd.conf perms. '
+               'Status and output:%s and %s' % (status, output))
+            self.assertEqual(status, 0, msg = msg)
+
+    @OETestDepends(['sssd.SSSDTest.test_sssd_sssctl_conf_perms_chk'])
+    def test_sssd_sssctl_deamon(self):
+        status, output = self.target.run('sssctl domain-status')
+        match = re.search('No domains configured, fatal error!', output)
+        if match:
+            msg = ('sssctl domain-status failed, sssd.conf not setup correctly. '
+               'Status and output:%s and %s' % (status, output))
+            self.assertEqual(status, 0, msg = msg)
+
-- 
2.17.1

Re: [meta-security][PATCH 2/5] libldb: work around samba libldb packaging issues

[Adrian Bunk]

On Thu, Mar 28, 2019 at 10:28:18PM -0700, Armin Kuster wrote:
> Samba and libldb overlap in a few places. This is the simplest fix for
> now.

Adding a quick hack for interaction problems between two packages
that are both in meta-openembedded by adding a .bbappend in 
meta-security creates a technical debt while not even helping
users who are not using meta-security.

The proper solution is likely to make samba use the external libldb 
instead of an internal copy.

> Signed-off-by: Armin Kuster <akuster808@gmail.com>
> ---
>  recipes-support/libldb/libldb_%.bbappend | 22 ++++++++++++++++++++++
>  1 file changed, 22 insertions(+)
>  create mode 100644 recipes-support/libldb/libldb_%.bbappend
> 
> diff --git a/recipes-support/libldb/libldb_%.bbappend b/recipes-support/libldb/libldb_%.bbappend
> new file mode 100644
> index 0000000..2633a1e
> --- /dev/null
> +++ b/recipes-support/libldb/libldb_%.bbappend
> @@ -0,0 +1,22 @@
> +# This fixes this issue:
> +#ERROR: sssd-1.16.3-r0 do_prepare_recipe_sysroot: The file /usr/lib/python2.7/site-packages/_ldb_text.py is installed by both libldb and samba, aborting
> +
> +EXTRA_OECONF += "--disable-python"
>...

So just adding the meta-security layer will turn the pyldb* packages 
into empty packages?

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Re: [meta-security][PATCH 3/5] sssd: fix a few runtime issues

[Adrian Bunk]

On Thu, Mar 28, 2019 at 10:28:19PM -0700, Armin Kuster wrote:
> include a few more RDEPEND packages. remove init script as there really
> isn't one yet.
> 
> Signed-off-by: Armin Kuster <akuster808@gmail.com>
> ---
>  recipes-security/sssd/sssd_1.16.3.bb | 14 ++++++++++++--
>  1 file changed, 12 insertions(+), 2 deletions(-)
> 
> diff --git a/recipes-security/sssd/sssd_1.16.3.bb b/recipes-security/sssd/sssd_1.16.3.bb
> index 8f7f805..e3fb254 100644
> --- a/recipes-security/sssd/sssd_1.16.3.bb
> +++ b/recipes-security/sssd/sssd_1.16.3.bb
>...
>  # The package contains symlinks that trip up insane
>  INSANE_SKIP_${PN} = "dev-so"
>  
> -RDEPENDS_${PN} += "bind dbus"
> +RDEPENDS_${PN} = "bind dbus samba libldb"

Even when samba support is not enabled?

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Re: [meta-security][PATCH 4/5] sssd: update to 1.16.4

[Adrian Bunk]

On Thu, Mar 28, 2019 at 10:28:20PM -0700, Armin Kuster wrote:
> Add systemd pkgconf via DISTRO_FEATURE
> 
> Fix uid/gid of sssd.conf
> 
> Signed-off-by: Armin Kuster <akuster808@gmail.com>
>...
> -RDEPENDS_${PN} = "bind dbus samba libldb"
> +RDEPENDS_${PN} = "bind dbus samba libldb libpam"

Why is this required?

And the way this commit mixes unrelated changes, it is no even clear 
whether this is for the new upstream version or supposed to fix some 
older issue.

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Re: [meta-security][PATCH 2/5] libldb: work around samba libldb packaging issues

[Adrian Bunk]

On Fri, Mar 29, 2019 at 08:50:14AM +0200, Adrian Bunk wrote:
> On Thu, Mar 28, 2019 at 10:28:18PM -0700, Armin Kuster wrote:
> > Samba and libldb overlap in a few places. This is the simplest fix for
> > now.
> 
> Adding a quick hack for interaction problems between two packages
> that are both in meta-openembedded by adding a .bbappend in 
> meta-security creates a technical debt while not even helping
> users who are not using meta-security.
> 
> The proper solution is likely to make samba use the external libldb 
> instead of an internal copy.
>...

commit a001e465293b36c03d4ca4500857fe0a67d13e20
Date:   Fri Jul 27 14:09:10 2018 -0700

    samba: Update to 4.8.3
    
    LDB 1.4.0 breaks Samba < 4.9 therefore use internal version


So the root cause is that last summer LDB in meta-openembedded was 
updated to a version not compatible with with the Samba version in 
meta-openembedded.

As workaround Samba was changed to use the internal version
of the library.

What is now proposed is a workaround to fix a regression caused
by the first workaround.

The best way forward would be to upgrade Samba to 4.9 or 4.10 and
use the external LDB again.


cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Re: [meta-security][PATCH 3/5] sssd: fix a few runtime issues

[akuster]

On 3/28/19 11:51 PM, Adrian Bunk wrote:
> On Thu, Mar 28, 2019 at 10:28:19PM -0700, Armin Kuster wrote:
>> include a few more RDEPEND packages. remove init script as there really
>> isn't one yet.
>>
>> Signed-off-by: Armin Kuster <akuster808@gmail.com>
>> ---
>>  recipes-security/sssd/sssd_1.16.3.bb | 14 ++++++++++++--
>>  1 file changed, 12 insertions(+), 2 deletions(-)
>>
>> diff --git a/recipes-security/sssd/sssd_1.16.3.bb b/recipes-security/sssd/sssd_1.16.3.bb
>> index 8f7f805..e3fb254 100644
>> --- a/recipes-security/sssd/sssd_1.16.3.bb
>> +++ b/recipes-security/sssd/sssd_1.16.3.bb
>> ...
>>  # The package contains symlinks that trip up insane
>>  INSANE_SKIP_${PN} = "dev-so"
>>  
>> -RDEPENDS_${PN} += "bind dbus"
>> +RDEPENDS_${PN} = "bind dbus samba libldb"
> Even when samba support is not enabled?
Yeah, that isn't right.
thanks,
Armin
>
> cu
> Adrian
>

Re: [meta-security][PATCH 2/5] libldb: work around samba libldb packaging issues

[akuster]

On 3/28/19 11:50 PM, Adrian Bunk wrote:
> On Thu, Mar 28, 2019 at 10:28:18PM -0700, Armin Kuster wrote:
>> Samba and libldb overlap in a few places. This is the simplest fix for
>> now.
> Adding a quick hack for interaction problems between two packages
> that are both in meta-openembedded by adding a .bbappend in 
> meta-security creates a technical debt while not even helping
> users who are not using meta-security.
>
> The proper solution is likely to make samba use the external libldb 
> instead of an internal copy.
>
>> Signed-off-by: Armin Kuster <akuster808@gmail.com>
>> ---
>>  recipes-support/libldb/libldb_%.bbappend | 22 ++++++++++++++++++++++
>>  1 file changed, 22 insertions(+)
>>  create mode 100644 recipes-support/libldb/libldb_%.bbappend
>>
>> diff --git a/recipes-support/libldb/libldb_%.bbappend b/recipes-support/libldb/libldb_%.bbappend
>> new file mode 100644
>> index 0000000..2633a1e
>> --- /dev/null
>> +++ b/recipes-support/libldb/libldb_%.bbappend
>> @@ -0,0 +1,22 @@
>> +# This fixes this issue:
>> +#ERROR: sssd-1.16.3-r0 do_prepare_recipe_sysroot: The file /usr/lib/python2.7/site-packages/_ldb_text.py is installed by both libldb and samba, aborting
>> +
>> +EXTRA_OECONF += "--disable-python"
>> ...
> So just adding the meta-security layer will turn the pyldb* packages 
> into empty packages?
 I think I have a possible solution in libldb. patch out shortly.

- armin
>
> cu
> Adrian
>

Re: [meta-security][PATCH 4/5] sssd: update to 1.16.4

[akuster]

On 3/29/19 12:10 AM, Adrian Bunk wrote:
> On Thu, Mar 28, 2019 at 10:28:20PM -0700, Armin Kuster wrote:
>> Add systemd pkgconf via DISTRO_FEATURE
>>
>> Fix uid/gid of sssd.conf
>>
>> Signed-off-by: Armin Kuster <akuster808@gmail.com>
>> ...
>> -RDEPENDS_${PN} = "bind dbus samba libldb"
>> +RDEPENDS_${PN} = "bind dbus samba libldb libpam"
> Why is this required?
>
> And the way this commit mixes unrelated changes, it is no even clear 
> whether this is for the new upstream version or supposed to fix some 
> older issue.
I will be squish those extra changes into the clean up patch and just
have the update separate.
thanks,
Armin
> cu
> Adrian
>