As a test for C9S rebase on sssd-2.10
Configure default service user to 'root'
alexey-tikhonov committed Sep 14, 2024
1 parent 579351e commit 3ed5329
Showing 15 changed files with 38 additions and 45 deletions.
4 changes: 1 addition & 3 deletions Makefile.am
Expand Up @@ -108,9 +108,7 @@ capabilities += \n\# Comment this out if support of deprecated "sssd.conf::user"
endif # BUILD_CONF_SERVICE_USER_SUPPORT

if SSSD_NON_ROOT_USER
nss_service_user_group = User=$(SSSD_USER)\nGroup=$(SSSD_USER)
nss_socket_user_group = SocketUser=$(SSSD_USER)\nSocketGroup=$(SSSD_USER)
supplementary_groups = \# If service configured to be run under "root", uncomment "SupplementaryGroups"\n\#SupplementaryGroups=$(SSSD_USER)
supplementary_groups = SupplementaryGroups=$(SSSD_USER)
else
supplementary_groups = \# Note: SSSD package was built without support of running as non-privileged user
endif # SSSD_NON_ROOT_USER
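Review bot: The `SSSD_NON_ROOT_USER` branch now appears to emit `SupplementaryGroups=$(SSSD_USER)` unconditionally while the unit templates in this same commit hard-code `User=root`, but nothing in Makefile.am records why a service running as root still needs the SSSD group; which of the four assignments survive cannot be told from this rendering, so this is inferred from the diffstat (1 addition, 3 deletions) and the commit title. A one-line comment above the surviving assignment, e.g. `# Units run as root (see src/sysv/systemd/*.service.in); SSSD_USER is kept only as a supplementary group`, with the actual reason filled in, would record the intent. If the `nss_service_user_group` and `nss_socket_user_group` assignments are the ones removed, check that no template still references `@nss_service_user_group@` or `@nss_socket_user_group@`, since a stale placeholder would either be left literally in the generated unit or expand to nothing, depending on how the substitution is done. The conditional block continues past the hunk.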
5 changes: 0 additions & 5 deletions contrib/sssd.spec.in
Expand Up @@ -1117,11 +1117,6 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
%__rm -f %{mcpath}/group
%__rm -f %{mcpath}/initgroups
%__rm -f %{mcpath}/sid
%__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true
%__chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true
%__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true
%__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
%__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true

%preun common
%systemd_preun sssd.service
4 changes: 2 additions & 2 deletions src/sysv/systemd/sssd-autofs.service.in
Expand Up @@ -15,6 +15,6 @@ ExecStart=@libexecdir@/sssd/sssd_autofs ${DEBUG_LOGGER} --socket-activated
# No capabilities:
CapabilityBoundingSet=
Restart=on-failure
User=@SSSD_USER@
Group=@SSSD_USER@
User=root
Group=root
@supplementary_groups@
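Review bot: `User=root`/`Group=root` replaces the `@SSSD_USER@` configure substitution with a literal in the template, so `--with-sssd-user` no longer influences the UID these responders run under even though the `SSSD_NON_ROOT_USER` build option still exists; the same substitution-to-literal change appears in sssd-ifp, sssd-pac, sssd-pam, sssd-ssh and sssd-sudo .service.in and in every .socket.in touched by this commit. If the goal is a root default, changing the default value of SSSD_USER in configure and keeping `User=@SSSD_USER@` in the templates would produce the same generated units without losing the build-time knob. As written, the only privilege reduction left in this unit is the bounding set, so a comment above `User=root` stating that the uid-0 choice is deliberate would help the next reader, e.g. `# Runs as uid 0 by design; what the process can do is limited by the CapabilityBoundingSet above, not by the UID`.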
4 changes: 2 additions & 2 deletions src/sysv/systemd/sssd-autofs.socket.in
Expand Up @@ -9,8 +9,8 @@ Conflicts=shutdown.target
[Socket]
ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r autofs
ListenStream=@pipepath@/autofs
SocketUser=@SSSD_USER@
SocketGroup=@SSSD_USER@
SocketUser=root
SocketGroup=root

[Install]
WantedBy=sssd.service
4 changes: 2 additions & 2 deletions src/sysv/systemd/sssd-ifp.service.in
Expand Up @@ -13,6 +13,6 @@ ExecStart=@libexecdir@/sssd/sssd_ifp ${DEBUG_LOGGER} --socket-activated
# No capabilities:
CapabilityBoundingSet=
Restart=on-failure
User=@SSSD_USER@
Group=@SSSD_USER@
User=root
Group=root
@supplementary_groups@
14 changes: 7 additions & 7 deletions src/sysv/systemd/sssd-kcm.service.in
Expand Up @@ -9,14 +9,14 @@ Also=sssd-kcm.socket

[Service]
Environment=DEBUG_LOGGER=--logger=files
ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb
ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log
ExecStartPre=+-/bin/chown -f root:root @sssdconfdir@
ExecStartPre=+-/bin/chown -f root:root @sssdconfdir@/sssd.conf
ExecStartPre=+-/bin/chown -f -R root:root @sssdconfdir@/conf.d
ExecStartPre=+-/bin/chown -f -R root:root @secdbpath@/*.ldb
ExecStartPre=+-/bin/chown -f -R root:root @logpath@/sssd_kcm.log
ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER}
CapabilityBoundingSet= CAP_DAC_OVERRIDE CAP_CHOWN CAP_SETGID CAP_SETUID
SecureBits=noroot noroot-locked
User=@SSSD_USER@
Group=@SSSD_USER@
User=root
Group=root
@supplementary_groups@
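Review bot: The five `ExecStartPre=+-/bin/chown -f root:root …` lines existed to hand ownership of the configuration, `@secdbpath@/*.ldb` and the log file to the unprivileged service user before it started; with `User=root` they no longer prepare anything the service needs, yet they still run with full privilege (`+`) on every start and recursively reset ownership of `@sssdconfdir@/conf.d` and `@secdbpath@/*.ldb` to root, undoing any ownership an administrator set deliberately. Either drop them, or if they are kept on purpose as a migration aid for systems where these files were previously chowned to the non-root SSSD user, say so above them, e.g. `# Reclaim files previously owned by the non-root SSSD user`. The same set of lines appears in sssd.service.in. `CapabilityBoundingSet= CAP_DAC_OVERRIDE CAP_CHOWN CAP_SETGID CAP_SETUID` together with `SecureBits=noroot noroot-locked` is unchanged, so with uid 0 the effective capabilities presumably still come from the file capabilities on sssd_kcm rather than from the UID — worth confirming that assumption holds on the C9S build rather than relying on it silently.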
4 changes: 2 additions & 2 deletions src/sysv/systemd/sssd-pac.service.in
Expand Up @@ -15,6 +15,6 @@ ExecStart=@libexecdir@/sssd/sssd_pac ${DEBUG_LOGGER} --socket-activated
# No capabilities:
CapabilityBoundingSet=
Restart=on-failure
User=@SSSD_USER@
Group=@SSSD_USER@
User=root
Group=root
@supplementary_groups@
4 changes: 2 additions & 2 deletions src/sysv/systemd/sssd-pac.socket.in
Expand Up @@ -9,8 +9,8 @@ Conflicts=shutdown.target
[Socket]
ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r pac
ListenStream=@pipepath@/pac
SocketUser=@SSSD_USER@
SocketGroup=@SSSD_USER@
SocketUser=root
SocketGroup=root

[Install]
WantedBy=sssd.service
4 changes: 2 additions & 2 deletions src/sysv/systemd/sssd-pam.service.in
Expand Up @@ -15,6 +15,6 @@ ExecStart=@libexecdir@/sssd/sssd_pam ${DEBUG_LOGGER} --socket-activated
# 'CAP_DAC_READ_SEARCH' is granted as permitted file capability to be elevated to establish GSS API context
CapabilityBoundingSet= CAP_DAC_READ_SEARCH
Restart=on-failure
User=@SSSD_USER@
Group=@SSSD_USER@
User=root
Group=root
@supplementary_groups@
4 changes: 2 additions & 2 deletions src/sysv/systemd/sssd-pam.socket.in
Expand Up @@ -9,8 +9,8 @@ Conflicts=shutdown.target
[Socket]
ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r pam
ListenStream=@pipepath@/pam
SocketUser=@SSSD_USER@
SocketGroup=@SSSD_USER@
SocketUser=root
SocketGroup=root

[Install]
WantedBy=sssd.service
4 changes: 2 additions & 2 deletions src/sysv/systemd/sssd-ssh.service.in
Expand Up @@ -15,6 +15,6 @@ ExecStart=@libexecdir@/sssd/sssd_ssh ${DEBUG_LOGGER} --socket-activated
# No capabilities:
CapabilityBoundingSet=
Restart=on-failure
User=@SSSD_USER@
Group=@SSSD_USER@
User=root
Group=root
@supplementary_groups@
4 changes: 2 additions & 2 deletions src/sysv/systemd/sssd-ssh.socket.in
Expand Up @@ -9,8 +9,8 @@ Conflicts=shutdown.target
[Socket]
ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r ssh
ListenStream=@pipepath@/ssh
SocketUser=@SSSD_USER@
SocketGroup=@SSSD_USER@
SocketUser=root
SocketGroup=root

[Install]
WantedBy=sssd.service
4 changes: 2 additions & 2 deletions src/sysv/systemd/sssd-sudo.service.in
Expand Up @@ -15,6 +15,6 @@ ExecStart=@libexecdir@/sssd/sssd_sudo ${DEBUG_LOGGER} --socket-activated
# No capabilities:
CapabilityBoundingSet=
Restart=on-failure
User=@SSSD_USER@
Group=@SSSD_USER@
User=root
Group=root
@supplementary_groups@
4 changes: 2 additions & 2 deletions src/sysv/systemd/sssd-sudo.socket.in
Expand Up @@ -9,8 +9,8 @@ Conflicts=shutdown.target
[Socket]
ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r sudo
ListenStream=@pipepath@/sudo
SocketUser=@SSSD_USER@
SocketGroup=@SSSD_USER@
SocketUser=root
SocketGroup=root
SocketMode=0660

[Install]
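Review bot: `SocketGroup=root` combined with the unchanged `SocketMode=0660` changes who may connect to `@pipepath@/sudo`: previously members of the configured `@SSSD_USER@` group, now only root and members of the root group. No `SocketMode` is visible in the other socket hunks of this commit, so their owner change appears not to affect access, but this one does; if the intended client always runs with root privileges this is fine, otherwise the sudo responder becomes unreachable. Confirm the client assumption and record it next to the mode line, e.g. `# 0660 with root group: only root-privileged clients may open the sudo pipe`. The [Install] section continues past the hunk.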
16 changes: 8 additions & 8 deletions src/sysv/systemd/sssd.service.in
Expand Up @@ -10,20 +10,20 @@ StartLimitBurst=5
[Service]
Environment=DEBUG_LOGGER=--logger=files
EnvironmentFile=-@environment_file@
ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/pki
ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @dbpath@/*.ldb
ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @logpath@/*.log
ExecStartPre=+-/bin/chown -f root:root @sssdconfdir@
ExecStartPre=+-/bin/chown -f root:root @sssdconfdir@/sssd.conf
ExecStartPre=+-/bin/chown -f -R root:root @sssdconfdir@/conf.d
ExecStartPre=+-/bin/chown -f -R root:root @sssdconfdir@/pki
ExecStartPre=+-/bin/chown -f -R root:root @dbpath@/*.ldb
ExecStartPre=+-/bin/chown -f -R root:root @logpath@/*.log
ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
Type=notify
NotifyAccess=main
Restart=on-abnormal
@capabilities@
SecureBits=noroot noroot-locked
User=@SSSD_USER@
Group=@SSSD_USER@
User=root
Group=root
@supplementary_groups@

[Install]
