From 70a06fbbc7f01ea6fd322a8f8cff0527b3cbbd03 Mon Sep 17 00:00:00 2001
From: Alex Botelho
Date: Thu, 2 Jan 2025 21:02:58 -0500
Subject: [PATCH 1/3] fix: add case statement for setting sssd capabilities based on Fedora version

---
 1_prune.sh | 46 ++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 42 insertions(+), 4 deletions(-)

diff --git a/1_prune.sh b/1_prune.sh
index 0c71d1a..39d9157 100755
--- a/1_prune.sh
+++ b/1_prune.sh
@@ -1,6 +1,10 @@
 #!/usr/bin/env bash
 # Prune files in tree that are extraneous
 
+get_fedora_version() {
+ cat /etc/os-release | grep --word-regexp VERSION_ID | cut --delimiter='=' --fields=2
+}
+
 if [ $(id -u) -ne 0 ]; then
 echo "Run as superuser"
 exit 1
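Review bot: `get_fedora_version` returns the raw right-hand side of the `VERSION_ID` line, so a quoted value (os-release permits `VERSION_ID="41"`) comes back with its quotes and would fail the numeric `-ge` comparison this patch adds further down. It also reads the build host's `/etc/os-release` rather than the tree being pruned, so the detected version follows whatever the host runs, not the image. A single awk invocation does the lookup and the normalisation in one step: `awk -F= '$1 == "VERSION_ID" { gsub(/"/, "", $2); print $2 }' /etc/os-release`.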
@@ -197,10 +201,44 @@
 setcap cap_net_bind_service=ep ./usr/bin/rlogin
 setcap cap_net_bind_service=ep ./usr/bin/rsh
 setcap cap_sys_admin=p $(realpath ./usr/bin/sunshine)
 # SSSD
-setcap cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep ./usr/libexec/sssd/krb5_child
-setcap cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep ./usr/libexec/sssd/ldap_child
-setcap cap_chown,cap_dac_override,cap_setgid,cap_setuid=ep ./usr/libexec/sssd/selinux_child
-setcap cap_dac_read_search=p ./usr/libexec/sssd/sssd_pam
+fedora_version="$(get_fedora_version)"
+set_sssd_caps='false' # defaulting to false for safety
+echo "Detected Fedora version: $fedora_version"
+case $fedora_version in
+ 40)
+ echo 'Not setting capabilities on sssd binaries.'
+ set_sssd_caps='false'
+ ;;
+ 41)
+ # sssd version is 2.10.1+
+ sssd_krb5_child_caps='cap_dac_read_search,cap_setgid,cap_setuid=p'
+ sssd_ldap_child_caps='cap_dac_read_search=p'
+ sssd_selinux_child_caps='cap_setgid,cap_setuid=p'
+ sssd_pam_caps='cap_dac_read_search=p'
+ set_sssd_caps='true'
+ ;;
+ *)
+ # treat this as a default which "should" work in the future assuming the capabilities of Fedora 41's sssd binaries if the version is 41+
+ if [ $fedora_version -ge 41 ]; then
+ echo "[WARNING] Unknown Fedora version: ${fedora_version}. Assuming capabilities."
+ echo "[WARNING] Please confirm capabilities and add a case for this Fedora version in ${0}."
+ sssd_krb5_child_caps='cap_dac_read_search,cap_setgid,cap_setuid=p'
+ sssd_ldap_child_caps='cap_dac_read_search=p'
+ sssd_selinux_child_caps='cap_setgid,cap_setuid=p'
+ sssd_pam_caps='cap_dac_read_search=p'
+ set_sssd_caps='true'
+ else
+ set_sssd_caps='false'
+ fi
+ ;;
+esac
+
+if [ "$set_sssd_caps" == 'true' ]; then
+ setcap $sssd_krb5_child_caps ./usr/libexec/sssd/krb5_child
+ setcap $sssd_ldap_child_caps ./usr/libexec/sssd/ldap_child
+ setcap $sssd_selinux_child_caps ./usr/libexec/sssd/selinux_child
+ setcap $sssd_pam_caps ./usr/libexec/sssd/sssd_pam
+fi
 # Fix polkid group
 POLKIT_ID=$(cat ./usr/lib/group | grep polkitd | cut -d: -f3)

From 997890ccd158047b8c695f6b15e63b01bc2ba5db Mon Sep 17 00:00:00 2001
From: Alex Botelho
Date: Thu, 2 Jan 2025 21:16:33 -0500
Subject: [PATCH 2/3] fix: make Fedora version fetch relative to $TREE

---
 1_prune.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/1_prune.sh b/1_prune.sh
index 39d9157..de97f78 100755
--- a/1_prune.sh
+++ b/1_prune.sh
@@ -2,7 +2,7 @@
 # Prune files in tree that are extraneous
 
 get_fedora_version() {
- cat /etc/os-release | grep --word-regexp VERSION_ID | cut --delimiter='=' --fields=2
+ cat ${TREE}/etc/os-release | grep --word-regexp VERSION_ID | cut --delimiter='=' --fields=2
 }
 
 if [ $(id -u) -ne 0 ]; then

From 99864ff7709ace2a4bd6987b33742ba8fd0c9543 Mon Sep 17 00:00:00 2001
From: Antheas Kapenekakis
Date: Sat, 4 Jan 2025 11:52:21 +0100
Subject: [PATCH 3/3] simplify logic

---
 1_prune.sh | 51 ++++++++++-----------------------------------------
 1 file changed, 10 insertions(+), 41 deletions(-)

diff --git a/1_prune.sh b/1_prune.sh
index de97f78..119bc2c 100755
--- a/1_prune.sh
+++ b/1_prune.sh
@@ -1,10 +1,6 @@
 #!/usr/bin/env bash
 # Prune files in tree that are extraneous
 
-get_fedora_version() {
- cat ${TREE}/etc/os-release | grep --word-regexp VERSION_ID | cut --delimiter='=' --fields=2
-}
-
 if [ $(id -u) -ne 0 ]; then
 echo "Run as superuser"
 exit 1
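Review bot: The fallback arm compares `$fedora_version` numerically with `[ $fedora_version -ge 41 ]`, but nothing before the `case` checks that the value is a non-empty integer; if os-release is missing or `VERSION_ID` is quoted or non-numeric, `test` prints an error, the branch falls through to `set_sssd_caps='false'`, and the tree is built with no file capabilities on the sssd helpers while the script still exits successfully. A failed detection should stop the build rather than silently produce an image where sssd cannot work: `[[ "$fedora_version" =~ ^[0-9]+$ ]] || { echo "Cannot determine Fedora version from os-release" >&2; exit 1; }` placed just before the `case`. The `setcap` lines would also read more safely with the capability variables quoted, `setcap "$sssd_krb5_child_caps" ./usr/libexec/sssd/krb5_child`, so an accidentally empty variable fails the call instead of shifting the path into the capability argument.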
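Review bot: `${TREE}` is expanded unquoted and without an unset check in `cat ${TREE}/etc/os-release`, so when `TREE` is empty or unset the path collapses to `/etc/os-release` and the build host's version is silently used for the tree again, which appears to be the mix-up this commit sets out to remove. `"${TREE:?TREE must be set}/etc/os-release"` turns the missing variable into a hard error and keeps a path containing spaces intact. The `cat | grep | cut` chain can also drop the `cat`: `grep --word-regexp VERSION_ID "${TREE:?TREE must be set}/etc/os-release" | cut --delimiter='=' --fields=2`.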
@@ -200,44 +196,17 @@
 setcap cap_net_bind_service=ep ./usr/bin/rcp
 setcap cap_net_bind_service=ep ./usr/bin/rlogin
 setcap cap_net_bind_service=ep ./usr/bin/rsh
 setcap cap_sys_admin=p $(realpath ./usr/bin/sunshine)
-# SSSD
-fedora_version="$(get_fedora_version)"
-set_sssd_caps='false' # defaulting to false for safety
-echo "Detected Fedora version: $fedora_version"
-case $fedora_version in
- 40)
- echo 'Not setting capabilities on sssd binaries.'
- set_sssd_caps='false'
- ;;
- 41)
- # sssd version is 2.10.1+
- sssd_krb5_child_caps='cap_dac_read_search,cap_setgid,cap_setuid=p'
- sssd_ldap_child_caps='cap_dac_read_search=p'
- sssd_selinux_child_caps='cap_setgid,cap_setuid=p'
- sssd_pam_caps='cap_dac_read_search=p'
- set_sssd_caps='true'
- ;;
- *)
- # treat this as a default which "should" work in the future assuming the capabilities of Fedora 41's sssd binaries if the version is 41+
- if [ $fedora_version -ge 41 ]; then
- echo "[WARNING] Unknown Fedora version: ${fedora_version}. Assuming capabilities."
- echo "[WARNING] Please confirm capabilities and add a case for this Fedora version in ${0}."
- sssd_krb5_child_caps='cap_dac_read_search,cap_setgid,cap_setuid=p'
- sssd_ldap_child_caps='cap_dac_read_search=p'
- sssd_selinux_child_caps='cap_setgid,cap_setuid=p'
- sssd_pam_caps='cap_dac_read_search=p'
- set_sssd_caps='true'
- else
- set_sssd_caps='false'
- fi
- ;;
-esac
 
-if [ "$set_sssd_caps" == 'true' ]; then
- setcap $sssd_krb5_child_caps ./usr/libexec/sssd/krb5_child
- setcap $sssd_ldap_child_caps ./usr/libexec/sssd/ldap_child
- setcap $sssd_selinux_child_caps ./usr/libexec/sssd/selinux_child
- setcap $sssd_pam_caps ./usr/libexec/sssd/sssd_pam
+# SSSD
+if [ -f ${TREE}/etc/os-release ] &&
+ [ $(cat ${TREE}/etc/os-release | grep VERSION_ID | grep 40) ]; then
+ echo "Detected Fedora version: 40"
+ echo "Not setting capabilities on sssd binaries for Fedora 40."
+else
+ setcap cap_dac_read_search,cap_setgid,cap_setuid=p ./usr/libexec/sssd/krb5_child
+ setcap cap_dac_read_search=p ./usr/libexec/sssd/ldap_child
+ setcap cap_setgid,cap_setuid=p ./usr/libexec/sssd/selinux_child
+ setcap cap_dac_read_search=p ./usr/libexec/sssd/sssd_pam
 fi
 # Fix polkid group
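Review bot: The Fedora 40 test `[ $(cat ${TREE}/etc/os-release | grep VERSION_ID | grep 40) ]` is true for any `VERSION_ID` line that merely contains the digits 40 and relies on the unquoted substitution expanding to exactly one word for `[` to accept it; `grep -qxE 'VERSION_ID="?40"?' "${TREE:?TREE must be set}/etc/os-release"` matches the whole line, needs no subshell, and fails loudly instead of reading the host's `/etc/os-release` when `TREE` is unset (the preceding `-f` check passes against the host file in that case). The `else` branch now applies the Fedora 41 capability set to every other version, including an unknown version or an unreadable os-release, whereas the first patch in this series defaulted the unknown case to setting no capabilities; that changed default deserves a comment above `else` such as `# Anything other than Fedora 40 is assumed to ship the sssd 2.10.1+ helpers (Fedora 41 capability set)`.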