Security review:

While there have been CVEs, they were fixed in a reasonable amount of
time and with minimal code changes. Upstream is responsive as well.
Red Hat and Fedora have sssd in their repos and they receive security
updates, so we can coordinate with others. Interestingly, RHEL 6 and
Debian still have sssd 1.2.

I spot checked the code and it is coded well and defensively.

There are no compiler warnings or errors in the build.

Once configured, there is a long-running root daemon, but based on
upstream documentation and initial configuration, it does not listen
over the network (though it obviously makes connections over the
network). The daemon must necessarily run as root to perform
authentication duties. There are a number of userspace tools that must
be run as root to manage users.

sssd also has a test suite that is enabled during the build, though there is
this interesting tidbit from configure:

checking for CHECK... no
configure: WARNING: Without the 'CHECK' libraries, you will be unable to run all tests in the 'make check' suite

There is DBus integration, but AIUI it is on a private bus and not
accessible to non-root processes.

It would be nice to have those additional tests enabled in the build,
but it is not a condition of this MIR.

ACK for sssd.

As for libsemanage, it requires libustr-dev to also be promoted. ustr is
a small library with no CVE history, but has a lot of compiler warnings
that I would like to see fixed before it was considered for main
inclusion. But beyond that, Ubuntu does not have a strong SELinux
community around it, so while I would like to be able to have sssd have
full SELinux support, I don't think it is appropriate to promote
libsemanage at this time.

** Changed in: sssd (Ubuntu)
       Status: Confirmed => Fix Committed

** Changed in: sssd (Ubuntu)
     Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: libsemanage (Ubuntu)
       Status: Confirmed => Won't Fix

** Changed in: libsemanage (Ubuntu)
     Assignee: Jamie Strandboge (jdstrand) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/903752

Title:
  [MIR] sssd
