diff --git a/Makefile.am b/Makefile.am
index 01e21792f94..29999fa3eb5 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -108,9 +108,7 @@ capabilities += \n\# Comment this out if support of deprecated "sssd.conf::user"
 endif # BUILD_CONF_SERVICE_USER_SUPPORT
 if SSSD_NON_ROOT_USER
-nss_service_user_group = User=$(SSSD_USER)\nGroup=$(SSSD_USER)
-nss_socket_user_group = SocketUser=$(SSSD_USER)\nSocketGroup=$(SSSD_USER)
-supplementary_groups = \# If service configured to be run under "root", uncomment "SupplementaryGroups"\n\#SupplementaryGroups=$(SSSD_USER)
+supplementary_groups = SupplementaryGroups=$(SSSD_USER)
 else
 supplementary_groups = \# Note: SSSD package was built without support of running as non-privileged user
 endif # SSSD_NON_ROOT_USER
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 90bb5bbdd0e..a3ccb1208fa 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -1117,11 +1117,6 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
 %__rm -f %{mcpath}/group
 %__rm -f %{mcpath}/initgroups
 %__rm -f %{mcpath}/sid
-%__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true
-%__chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true
-%__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true
-%__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
-%__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true
 %preun common
 %systemd_preun sssd.service
diff --git a/src/sysv/systemd/sssd-autofs.service.in b/src/sysv/systemd/sssd-autofs.service.in
index 0fa24b2471a..c27979b4c2f 100644
--- a/src/sysv/systemd/sssd-autofs.service.in
+++ b/src/sysv/systemd/sssd-autofs.service.in
@@ -15,6 +15,6 @@ ExecStart=@libexecdir@/sssd/sssd_autofs ${DEBUG_LOGGER} --socket-activated
 # No capabilities:
 CapabilityBoundingSet=
 Restart=on-failure
-User=@SSSD_USER@
-Group=@SSSD_USER@
+User=root
+Group=root
 @supplementary_groups@
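Review bot: The new `+supplementary_groups = SupplementaryGroups=$(SSSD_USER)` line is emitted for every unit unconditionally, yet the units themselves switch to `User=root` and their ExecStartPre lines chown the config, db and log paths to root:root, so nothing on the page says which paths the $(SSSD_USER) group is still needed for. Presumably some files stay group-owned by $(SSSD_USER) (sockets, pipes or files left by earlier installs); a generated comment would make that explicit, e.g. `supplementary_groups = \# Units run as root without DAC-override capabilities; keep the $(SSSD_USER) group for files that remain group-owned by it\nSupplementaryGroups=$(SSSD_USER)` — confirm the actual reason before wording it. Dropping `nss_service_user_group` and `nss_socket_user_group` is only safe if the substitution rule that consumed them (outside this hunk) was removed as well; an undefined Automake variable expands to empty without any warning and would silently leave the placeholder blank in the generated unit.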
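Review bot: With `+User=root` the only thing keeping sssd_autofs unprivileged is the empty `CapabilityBoundingSet=` two lines above it; unlike sssd.service and sssd-kcm.service this unit sets no `SecureBits=noroot noroot-locked`, so the no-capability outcome now hangs on a single directive. Adding `SecureBits=noroot noroot-locked` after `Group=root` stops uid 0 from receiving the bounding set on exec independently of that line and keeps the responder units consistent with the daemon units; the same applies to the sssd-ifp, sssd-pac, sssd-ssh and sssd-sudo service hunks. The `# No capabilities:` comment stays accurate either way.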
diff --git a/src/sysv/systemd/sssd-autofs.socket.in b/src/sysv/systemd/sssd-autofs.socket.in
index 201b33d90f8..8dd976df87d 100644
--- a/src/sysv/systemd/sssd-autofs.socket.in
+++ b/src/sysv/systemd/sssd-autofs.socket.in
@@ -9,8 +9,8 @@ Conflicts=shutdown.target
 [Socket]
 ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r autofs
 ListenStream=@pipepath@/autofs
-SocketUser=@SSSD_USER@
-SocketGroup=@SSSD_USER@
+SocketUser=root
+SocketGroup=root
 [Install]
 WantedBy=sssd.service
diff --git a/src/sysv/systemd/sssd-ifp.service.in b/src/sysv/systemd/sssd-ifp.service.in
index 1ab163392f5..6ce7f6d57f1 100644
--- a/src/sysv/systemd/sssd-ifp.service.in
+++ b/src/sysv/systemd/sssd-ifp.service.in
@@ -13,6 +13,6 @@ ExecStart=@libexecdir@/sssd/sssd_ifp ${DEBUG_LOGGER} --socket-activated
 # No capabilities:
 CapabilityBoundingSet=
 Restart=on-failure
-User=@SSSD_USER@
-Group=@SSSD_USER@
+User=root
+Group=root
 @supplementary_groups@
diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
index 6c5c6aa43d0..feaa68e3d6e 100644
--- a/src/sysv/systemd/sssd-kcm.service.in
+++ b/src/sysv/systemd/sssd-kcm.service.in
@@ -9,14 +9,14 @@ Also=sssd-kcm.socket
 [Service]
 Environment=DEBUG_LOGGER=--logger=files
-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb
-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log
+ExecStartPre=+-/bin/chown -f root:root @sssdconfdir@
+ExecStartPre=+-/bin/chown -f root:root @sssdconfdir@/sssd.conf
+ExecStartPre=+-/bin/chown -f -R root:root @sssdconfdir@/conf.d
+ExecStartPre=+-/bin/chown -f -R root:root @secdbpath@/*.ldb
+ExecStartPre=+-/bin/chown -f -R root:root @logpath@/sssd_kcm.log
 ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER}
 CapabilityBoundingSet= CAP_DAC_OVERRIDE CAP_CHOWN CAP_SETGID CAP_SETUID
 SecureBits=noroot noroot-locked
-User=@SSSD_USER@
-Group=@SSSD_USER@
+User=root
+Group=root
 @supplementary_groups@
diff --git a/src/sysv/systemd/sssd-pac.service.in b/src/sysv/systemd/sssd-pac.service.in
index c2420c143f0..5c5b41fb711 100644
--- a/src/sysv/systemd/sssd-pac.service.in
+++ b/src/sysv/systemd/sssd-pac.service.in
@@ -15,6 +15,6 @@ ExecStart=@libexecdir@/sssd/sssd_pac ${DEBUG_LOGGER} --socket-activated
 # No capabilities:
 CapabilityBoundingSet=
 Restart=on-failure
-User=@SSSD_USER@
-Group=@SSSD_USER@
+User=root
+Group=root
 @supplementary_groups@
diff --git a/src/sysv/systemd/sssd-pac.socket.in b/src/sysv/systemd/sssd-pac.socket.in
index 40dec44912a..6e39c4dbd62 100644
--- a/src/sysv/systemd/sssd-pac.socket.in
+++ b/src/sysv/systemd/sssd-pac.socket.in
@@ -9,8 +9,8 @@ Conflicts=shutdown.target
 [Socket]
 ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r pac
 ListenStream=@pipepath@/pac
-SocketUser=@SSSD_USER@
-SocketGroup=@SSSD_USER@
+SocketUser=root
+SocketGroup=root
 [Install]
 WantedBy=sssd.service
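Review bot: `+ExecStartPre=+-/bin/chown -f -R root:root @secdbpath@/*.ldb` hands the `*.ldb` pattern to chown literally: systemd substitutes environment variables on Exec*= lines but, as far as I know, never performs shell glob expansion, so this line re-owns nothing unless a file literally named `*.ldb` exists, and `-f` together with the `-` prefix makes the miss silent. If the intent is to re-own the databases on start, route it through a shell, `ExecStartPre=+-/bin/sh -c 'chown -f -R root:root @secdbpath@/*.ldb'`, or chown the directory instead of a pattern. The same applies to the `@dbpath@/*.ldb` and `@logpath@/*.log` lines in the sssd.service hunk; the pattern was present before this change, but the new lines are the ones now under review.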
diff --git a/src/sysv/systemd/sssd-pam.service.in b/src/sysv/systemd/sssd-pam.service.in
index 67f7bc6ef0f..05e80157c1b 100644
--- a/src/sysv/systemd/sssd-pam.service.in
+++ b/src/sysv/systemd/sssd-pam.service.in
@@ -15,6 +15,6 @@ ExecStart=@libexecdir@/sssd/sssd_pam ${DEBUG_LOGGER} --socket-activated
 # 'CAP_DAC_READ_SEARCH' is granted as permitted file capability to be elevated to establish GSS API context
 CapabilityBoundingSet= CAP_DAC_READ_SEARCH
 Restart=on-failure
-User=@SSSD_USER@
-Group=@SSSD_USER@
+User=root
+Group=root
 @supplementary_groups@
diff --git a/src/sysv/systemd/sssd-pam.socket.in b/src/sysv/systemd/sssd-pam.socket.in
index e4916cac4ef..b0a8a09546a 100644
--- a/src/sysv/systemd/sssd-pam.socket.in
+++ b/src/sysv/systemd/sssd-pam.socket.in
@@ -9,8 +9,8 @@ Conflicts=shutdown.target
 [Socket]
 ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r pam
 ListenStream=@pipepath@/pam
-SocketUser=@SSSD_USER@
-SocketGroup=@SSSD_USER@
+SocketUser=root
+SocketGroup=root
 [Install]
 WantedBy=sssd.service
diff --git a/src/sysv/systemd/sssd-ssh.service.in b/src/sysv/systemd/sssd-ssh.service.in
index dc1f46d1ee6..58afa0d129c 100644
--- a/src/sysv/systemd/sssd-ssh.service.in
+++ b/src/sysv/systemd/sssd-ssh.service.in
@@ -15,6 +15,6 @@ ExecStart=@libexecdir@/sssd/sssd_ssh ${DEBUG_LOGGER} --socket-activated
 # No capabilities:
 CapabilityBoundingSet=
 Restart=on-failure
-User=@SSSD_USER@
-Group=@SSSD_USER@
+User=root
+Group=root
 @supplementary_groups@
diff --git a/src/sysv/systemd/sssd-ssh.socket.in b/src/sysv/systemd/sssd-ssh.socket.in
index 4772ef3c01b..f975c02dfbd 100644
--- a/src/sysv/systemd/sssd-ssh.socket.in
+++ b/src/sysv/systemd/sssd-ssh.socket.in
@@ -9,8 +9,8 @@ Conflicts=shutdown.target
 [Socket]
 ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r ssh
 ListenStream=@pipepath@/ssh
-SocketUser=@SSSD_USER@
-SocketGroup=@SSSD_USER@
+SocketUser=root
+SocketGroup=root
 [Install]
 WantedBy=sssd.service
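Review bot: The kept comment `# 'CAP_DAC_READ_SEARCH' is granted as permitted file capability to be elevated to establish GSS API context` no longer matches what happens once the unit says `+User=root`: without `SecureBits=noroot`, an exec by uid 0 does not consult the binary's file capabilities and receives whatever is left in `CapabilityBoundingSet= CAP_DAC_READ_SEARCH` as permitted and effective from the start, so the capability is held for the whole lifetime of sssd_pam rather than raised on demand. If on-demand elevation through the file capability is still the intent, add `SecureBits=noroot noroot-locked` as sssd.service does so the file-capability path applies to root as well; otherwise reword the comment to say the responder runs as root holding CAP_DAC_READ_SEARCH permanently. Either way the comment and the User= line should tell the same story.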
diff --git a/src/sysv/systemd/sssd-sudo.service.in b/src/sysv/systemd/sssd-sudo.service.in
index f2d104ad419..5695bf84414 100644
--- a/src/sysv/systemd/sssd-sudo.service.in
+++ b/src/sysv/systemd/sssd-sudo.service.in
@@ -15,6 +15,6 @@ ExecStart=@libexecdir@/sssd/sssd_sudo ${DEBUG_LOGGER} --socket-activated
 # No capabilities:
 CapabilityBoundingSet=
 Restart=on-failure
-User=@SSSD_USER@
-Group=@SSSD_USER@
+User=root
+Group=root
 @supplementary_groups@
diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in
index b0191a261e6..68f052aab0a 100644
--- a/src/sysv/systemd/sssd-sudo.socket.in
+++ b/src/sysv/systemd/sssd-sudo.socket.in
@@ -9,8 +9,8 @@ Conflicts=shutdown.target
 [Socket]
 ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r sudo
 ListenStream=@pipepath@/sudo
-SocketUser=@SSSD_USER@
-SocketGroup=@SSSD_USER@
+SocketUser=root
+SocketGroup=root
 SocketMode=0660
 [Install]
diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
index 32f35462bfe..b12e0d0565c 100644
--- a/src/sysv/systemd/sssd.service.in
+++ b/src/sysv/systemd/sssd.service.in
@@ -10,20 +10,20 @@ StartLimitBurst=5
 [Service]
 Environment=DEBUG_LOGGER=--logger=files
 EnvironmentFile=-@environment_file@
-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/pki
-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @dbpath@/*.ldb
-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @logpath@/*.log
+ExecStartPre=+-/bin/chown -f root:root @sssdconfdir@
+ExecStartPre=+-/bin/chown -f root:root @sssdconfdir@/sssd.conf
+ExecStartPre=+-/bin/chown -f -R root:root @sssdconfdir@/conf.d
+ExecStartPre=+-/bin/chown -f -R root:root @sssdconfdir@/pki
+ExecStartPre=+-/bin/chown -f -R root:root @dbpath@/*.ldb
+ExecStartPre=+-/bin/chown -f -R root:root @logpath@/*.log
 ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
 Type=notify
 NotifyAccess=main
 Restart=on-abnormal
 @capabilities@
 SecureBits=noroot noroot-locked
-User=@SSSD_USER@
-Group=@SSSD_USER@
+User=root
+Group=root
 @supplementary_groups@
 [Install]
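Review bot: `+User=root` placed directly under the kept `SecureBits=noroot noroot-locked` and `@capabilities@` lines is a combination that needs a comment, because it is the securebit rather than the User= line that now decides what the daemon can do: with noroot set, uid 0 no longer receives the whole bounding set on exec and only gets what the file capabilities on @sbindir@/sssd grant (not visible here — confirm the install rules still set them). Suggested comment above `SecureBits=`: `# Runs as uid 0, but 'noroot' means exec does not grant the full bounding set; only the file capabilities on the sssd binary apply, so changing User= without revisiting this line changes the privilege model`. The root:root chowns above are what keep the config and databases readable under that model, since a uid-0 process without CAP_DAC_OVERRIDE is subject to ordinary permission checks; the same comment fits the sssd-kcm.service hunk, which carries the same SecureBits line.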