Release sssd-2.10.0
pbrezina committed Oct 15, 2024
1 parent dbbfd52 commit e069d0a
Showing 2 changed files with 132 additions and 0 deletions.
128 changes: 128 additions & 0 deletions src/release-notes/sssd-2.10.0.rst
@@ -0,0 +1,128 @@
SSSD 2.10.0 Release Notes
===============================

Highlights
----------

General information
~~~~~~~~~~~~~~~~~~~

* **IMPORTANT note for downstream maintainers!**

This release features significant improvements of "running with less
privileges (under unprivileged service user)" feature. There is still a
``./configure`` option ``--with-sssd-user=`` available that allows downstream
package maintainers to choose if support of non-root service user should be
built. In case such support is built, a preferred way to configure service
user is simply by starting SSSD under this user; for example, using
``User=/Group=`` options of systemd sssd.service file. Upstream defaults are
to build ``--with-sssd-user=sssd`` and to install systemd service with
``User=/Group=sssd``. In this case, only several helper processes -
``ldap_child``, ``krb5_child`` and ``selinux_child`` - are executed with
elevated capabilities (that are now granted using fine grained file
capabilities instead of SUID bit). All other SSSD components run without any
capabilities. In this scenario it's still possible to re-configure SSSD to run
under ``root`` (if needed for some reason): besides changing ``User/Group=``
options, some other tweaks of systemd service files are required.

A legacy method to configure a service user - sssd.conf ``user`` option - is
now deprecated and its support isn’t built by default. It can be enabled using
``--with-conf-service-user-support`` ``./configure`` option if needed (for
example, due to backward compatibility requirements of stable releases).

Further, no matter if SSSD is built ``--with-sssd-user=sssd`` or
``--with-sssd-user=root``, when it's configured to run under ``root`` (in both
cases) it still runs without capabilities, the same way as when it's
configured to run under ``sssd`` user. The only difference is from the DAC
perspective.

Important note: owner of ``/etc/sssd/sssd.conf`` file (and snippets) should
match the user configured to start SSSD service. Upstream spec file and
service files change ownership of existing ``sssd.conf`` to sssd during
package installation and at runtime for seamless upgrades / transition period
only.

Additionally, this release fixes a large number of issues with "socket
activation of responders" feature, making it operable out-of-the-box when the
package is built ``--with-sssd-user=sssd``. Please take a note, that user
configured to run main sssd.service and socket activated responders (if used)
should match (i.e. if sssd.service is re-configured from upstream defaults to
``root`` then responders services also should be re-configured).

Downstream package maintainers are advised to carefully inspect changes in
``contrib/sssd.spec.in``, ``src/sysv/systemd/*`` and ``./configure`` options
that this release brings!

* sssctl ``cache-upgrade`` command was removed. SSSD performs automatic upgrades
at startup when needed.

* Support of ``enumeration`` feature (i.e. ability to list all users/groups
using ``getent passwd/group`` without argument) for AD/IPA providers is
deprecated and might be removed in further releases. Those who are interested
to keep using it awhile should configure its build explicitly using
``--with-extended-enumeration-support`` ./configure option.

* A number of minor glitches of ``sssd-2.10.0-beta1`` around building and
packaging were fixed.

New features
~~~~~~~~~~~~

* The new tool ``sss_ssh_knownhosts`` can be used with ssh's
``KnownHostsCommand`` configuration option to retrieve the host's public keys
from a remote server (FreeIPA, LDAP, etc.). This new tool, which is more
reliable, replaces ``sss_ssh_knownhostsproxy``. The latter is no longer built
by default, but its build can be forced with the ``./configure`` option
``--with-ssh-known-hosts-proxy``.

Packaging changes
~~~~~~~~~~~~~~~~~

* Building SSSD now unconditionally requires availability of ``ucred``/
``SO_PEERCRED`` to enforce certain security checks at runtime (see ``man 7
unix`` for details).

* SSSD now requires ``libini`` not older than v1.3

* Explicit ``--with-semanage`` ./configure switch was removed, going forward
``--with-selinux`` includes this.

* ``sssd_pam`` binary lost public ``rx`` bits and got ``cap_dac_read_search=p``
file capability to be able to use GSSAPI

* Support of OpenSSL older than 1.0.1 was dropped

* Support of ``--without-infopipe`` ``./configure`` option was dropped. Feature
is long time out of experimental state. Since building it doesn't require any
additional dependencies, there is not much sense to keep option available.
Those who not interested in feature can skip installing sssd-ifp sub-package.

Configuration changes
~~~~~~~~~~~~~~~~~~~~~

* Default ``ldap_id_use_start_tls`` value changed from ``false`` to ``true`` for
improved security.

* Added a ``ldap_use_ppolicy`` option for backends with broken ppolicy extension
handling.

* Obsolete ``config_file_version`` option was removed.

* Option ``reconnection_retries`` was removed since it is no longer used. SSSD
switch to a new architecte of internal IPC between SSSD processes where
responders do not connect to backend anymore and therefore this option is no
longer used.

Tickets Fixed
-------------

TBD

Detailed Changelog
------------------

.. code-block:: release-notes-shortlog
$ git shortlog --pretty=format:"%h %s" -w0,4 2.9.0..2.10.0
TBD
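Review bot: the "Tickets Fixed" section and the ``git shortlog`` block under "Detailed Changelog" still read ``TBD`` even though this commit is the final 2.10.0 release and the companion change in ``src/releases.rst`` dates it 2024-10-15; either fill both in before tagging or say in the commit message that a follow-up completes them. Two wording fixes in "Configuration changes": "SSSD switch to a new architecte of internal IPC" should be "SSSD switched to a new architecture of internal IPC", and in "Packaging changes" "Those who not interested in feature" should be "Those who are not interested in the feature". Since the ``ldap_id_use_start_tls`` default flips from ``false`` to ``true``, it is worth stating in the "IMPORTANT note" bullet that deployments relying on the old default now need a working STARTTLS setup (server certificate and trusted CA) on the LDAP side, next to the other operator-facing changes (``sssd.conf`` ownership matching the service user, responder socket units matching the ``User=/Group=`` of ``sssd.service``), so that a maintainer reading only the first bullet sees every change that can break an upgrade.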
4 changes: 4 additions & 0 deletions src/releases.rst
@@ -8,6 +8,10 @@ SSSD Releases

.. releases::

.. release:: sssd-2.10.0
:date: 2024-10-15
:download: https://github.com/SSSD/sssd/releases/tag/2.10.0

.. release:: sssd-2.10.0-beta2
:date: 2024-06-26
:download: https://github.com/SSSD/sssd/releases/tag/2.10.0-beta2
