From 40b1fc9173c64c2a76fc5a5571a2aeca4837110d Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov
Date: Thu, 2 May 2024 15:33:28 +0200
Subject: [PATCH] SYSTEMD: chown() sssd.conf in service file
---
 Makefile.am | 3 ++-
 src/sysv/systemd/sssd-kcm.service.in | 2 ++
 src/sysv/systemd/sssd.service.in | 3 +++
 3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index 2381ca87aa2..49c5b5ba96c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -5309,7 +5309,8 @@ edit_cmd = $(SED) \
 -e 's|@capabilities[@]|$(capabilities)|g' \
 -e 's|@nss_service_user_group[@]|$(nss_service_user_group)|g' \
 -e 's|@nss_socket_user_group[@]|$(nss_socket_user_group)|g' \
- -e 's|@supplementary_groups[@]|$(supplementary_groups)|g'
+ -e 's|@supplementary_groups[@]|$(supplementary_groups)|g' \
+ -e 's|@sssdconfdir[@]|$(sssdconfdir)|g'

 replace_script = \
 @rm -f $@ $@.tmp; \
diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
index be53ca359ea..2b3de184b1c 100644
--- a/src/sysv/systemd/sssd-kcm.service.in
+++ b/src/sysv/systemd/sssd-kcm.service.in
@@ -9,6 +9,8 @@ Also=sssd-kcm.socket

 [Service]
 Environment=DEBUG_LOGGER=--logger=files
+ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
+ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
 ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER}
 CapabilityBoundingSet= CAP_DAC_OVERRIDE CAP_CHOWN CAP_SETGID CAP_SETUID
 SecureBits=noroot noroot-locked
diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
index f982ef263f6..584ad9d8263 100644
--- a/src/sysv/systemd/sssd.service.in
+++ b/src/sysv/systemd/sssd.service.in
@@ -10,6 +10,9 @@ StartLimitBurst=5
 [Service]
 Environment=DEBUG_LOGGER=--logger=files
 EnvironmentFile=-@environment_file@
+ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
+ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
+ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/pki
 ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
 Type=notify
 NotifyAccess=main
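Review bot: The two `chown -f -R` lines run with full privileges (the `+` prefix) over `@sssdconfdir@/conf.d` and `@sssdconfdir@/pki` on every start. Once those trees belong to the service user, each later start repeats a privileged recursive ownership change over content that user controls, so its safety rests on how the installed `/bin/chown` handles links and on kernel link protections, neither of which is visible here. The same applies to the two ExecStartPre lines added in the sssd-kcm.service.in hunk. I would make the link handling explicit on every line, e.g. `ExecStartPre=+-/bin/chown -f -h @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf`, and add a `#` comment above the group saying why ownership is corrected at start and not at install time. The leading `-` combined with `-f` also hides a failed chown, and handing the files to `@SSSD_USER@` lets the service account rewrite its own configuration, so it is worth confirming that a root-owned, group-readable layout is not sufficient.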