From 90a9614a04ad9d9099c6bc6bf343e250331b3b6f Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov
Date: Wed, 11 Sep 2024 18:03:42 +0200
Subject: [PATCH] As a test for C9S rebase on sssd-2.10 Configure default service user to 'root'
---
 Makefile.am | 4 +---
 contrib/sssd.spec.in | 5 -----
 src/sysv/systemd/sssd-autofs.service.in | 4 ++--
 src/sysv/systemd/sssd-autofs.socket.in | 4 ++--
 src/sysv/systemd/sssd-ifp.service.in | 4 ++--
 src/sysv/systemd/sssd-kcm.service.in | 8 ++++----
 src/sysv/systemd/sssd-pac.service.in | 4 ++--
 src/sysv/systemd/sssd-pac.socket.in | 4 ++--
 src/sysv/systemd/sssd-pam.service.in | 4 ++--
 src/sysv/systemd/sssd-pam.socket.in | 4 ++--
 src/sysv/systemd/sssd-ssh.service.in | 4 ++--
 src/sysv/systemd/sssd-ssh.socket.in | 4 ++--
 src/sysv/systemd/sssd-sudo.service.in | 4 ++--
 src/sysv/systemd/sssd-sudo.socket.in | 4 ++--
 src/sysv/systemd/sssd.service.in | 10 +++++-----
 15 files changed, 32 insertions(+), 39 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index fe144c0d9c4..b79688ff842 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -108,9 +108,7 @@ capabilities += \n\# Comment this out if support of deprecated "sssd.conf::user"
 endif # BUILD_CONF_SERVICE_USER_SUPPORT
 if SSSD_NON_ROOT_USER
-nss_service_user_group = User=$(SSSD_USER)\nGroup=$(SSSD_USER)
-nss_socket_user_group = SocketUser=$(SSSD_USER)\nSocketGroup=$(SSSD_USER)
-supplementary_groups = \# If service configured to be run under "root", uncomment "SupplementaryGroups"\n\#SupplementaryGroups=$(SSSD_USER)
+supplementary_groups = SupplementaryGroups=$(SSSD_USER)
 else
 supplementary_groups = \# Note: SSSD package was built without support of running as non-privileged user
 endif # SSSD_NON_ROOT_USER
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 4edabce5694..80445482fca 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
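Review bot: The diffstat entry `Makefile.am | 4 +---` shows this hunk is the file's only change, so the deleted `nss_service_user_group` and `nss_socket_user_group` definitions leave any remaining `$(nss_service_user_group)` / `$(nss_socket_user_group)` reference elsewhere in the file expanding to an empty string, since make does not fail on undefined variables. If those references feed `@nss_service_user_group@` / `@nss_socket_user_group@` in the nss unit templates, which are not in the diffstat, sssd-nss.service and sssd-nss.socket would end up with no User/Group or SocketUser/SocketGroup line at all and run as root only through systemd's implicit default, unlike the other responders that this patch makes explicit. Keeping the two variables defined as `nss_service_user_group = User=root\nGroup=root` and `nss_socket_user_group = SocketUser=root\nSocketGroup=root` would make the nss units match the rest of the patch; if they really have no consumer left, a short comment saying so would save the next reader the search. Separately, `if SSSD_NON_ROOT_USER` now only toggles the `SupplementaryGroups=` line, so a one-line comment above it stating that the service account itself is fixed to root in the templates would keep the conditional's name from misleading.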
@@ -1108,11 +1108,6 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
 %__rm -f %{mcpath}/group
 %__rm -f %{mcpath}/initgroups
 %__rm -f %{mcpath}/sid
-%__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true
-%__chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true
-%__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true
-%__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
-%__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true
 %preun common
 %systemd_preun sssd.service
diff --git a/src/sysv/systemd/sssd-autofs.service.in b/src/sysv/systemd/sssd-autofs.service.in
index 0fa24b2471a..c27979b4c2f 100644
--- a/src/sysv/systemd/sssd-autofs.service.in
+++ b/src/sysv/systemd/sssd-autofs.service.in
@@ -15,6 +15,6 @@ ExecStart=@libexecdir@/sssd/sssd_autofs ${DEBUG_LOGGER} --socket-activated
 # No capabilities:
 CapabilityBoundingSet=
 Restart=on-failure
-User=@SSSD_USER@
-Group=@SSSD_USER@
+User=root
+Group=root
 @supplementary_groups@
diff --git a/src/sysv/systemd/sssd-autofs.socket.in b/src/sysv/systemd/sssd-autofs.socket.in
index 201b33d90f8..8dd976df87d 100644
--- a/src/sysv/systemd/sssd-autofs.socket.in
+++ b/src/sysv/systemd/sssd-autofs.socket.in
@@ -9,8 +9,8 @@ Conflicts=shutdown.target
 [Socket]
 ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r autofs
 ListenStream=@pipepath@/autofs
-SocketUser=@SSSD_USER@
-SocketGroup=@SSSD_USER@
+SocketUser=root
+SocketGroup=root
 [Install]
 WantedBy=sssd.service
diff --git a/src/sysv/systemd/sssd-ifp.service.in b/src/sysv/systemd/sssd-ifp.service.in
index 1ab163392f5..6ce7f6d57f1 100644
--- a/src/sysv/systemd/sssd-ifp.service.in
+++ b/src/sysv/systemd/sssd-ifp.service.in
@@ -13,6 +13,6 @@ ExecStart=@libexecdir@/sssd/sssd_ifp ${DEBUG_LOGGER} --socket-activated
 # No capabilities:
 CapabilityBoundingSet=
 Restart=on-failure
-User=@SSSD_USER@
-Group=@SSSD_USER@
+User=root
+Group=root
 @supplementary_groups@
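Review bot: Deleting the five `%__chown` lines removes the only ownership fix-up that ran from the package scriptlet, and nothing in this hunk re-owns cache, log or secdb files that an earlier non-root deployment left as the sssd user. Most responder units in this same patch run as uid 0 with an empty `CapabilityBoundingSet=`, which makes them subject to ordinary DAC, so a `0600` file still owned by another account is not openable by them; whether an upgrade from a non-root sssd is a supported path here I cannot tell from the spec alone. If it is, keeping the lines with the new owner, e.g. `%__chown -f root:root %{dbpath}/* || true`, or gating them on the configured user is safer than dropping them outright. The enclosing scriptlet starts before this hunk.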
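Review bot: `User=root` and `Group=root` are now literals in the template while `@supplementary_groups@` directly below them is still a configure-time substitution, so `--with-sssd-user` no longer affects the account these units run under; the same pattern is in the ifp, pac, pam, ssh, sudo, kcm and sssd service hunks and in the five `SocketUser`/`SocketGroup` socket hunks. If the intent is a root default rather than root-only, setting that default for `SSSD_USER` in configure and leaving `User=@SSSD_USER@` in the templates does it in one place instead of fourteen. Either way, the existing `# No capabilities:` comment above `CapabilityBoundingSet=` now sits over a root account, and a line such as `# uid 0 with an empty bounding set: file access is ordinary DAC, the SupplementaryGroups line below is what grants the sssd group` above `User=root` would stop a reader from assuming root here bypasses file permissions.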
diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
index 2b3de184b1c..09aa48e2716 100644
--- a/src/sysv/systemd/sssd-kcm.service.in
+++ b/src/sysv/systemd/sssd-kcm.service.in
@@ -9,11 +9,11 @@ Also=sssd-kcm.socket
 [Service]
 Environment=DEBUG_LOGGER=--logger=files
-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
+ExecStartPre=+-/bin/chown -f root:root @sssdconfdir@/sssd.conf
+ExecStartPre=+-/bin/chown -f -R root:root @sssdconfdir@/conf.d
 ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER}
 CapabilityBoundingSet= CAP_DAC_OVERRIDE CAP_CHOWN CAP_SETGID CAP_SETUID
 SecureBits=noroot noroot-locked
-User=@SSSD_USER@
-Group=@SSSD_USER@
+User=root
+Group=root
 @supplementary_groups@
diff --git a/src/sysv/systemd/sssd-pac.service.in b/src/sysv/systemd/sssd-pac.service.in
index c2420c143f0..5c5b41fb711 100644
--- a/src/sysv/systemd/sssd-pac.service.in
+++ b/src/sysv/systemd/sssd-pac.service.in
@@ -15,6 +15,6 @@ ExecStart=@libexecdir@/sssd/sssd_pac ${DEBUG_LOGGER} --socket-activated
 # No capabilities:
 CapabilityBoundingSet=
 Restart=on-failure
-User=@SSSD_USER@
-Group=@SSSD_USER@
+User=root
+Group=root
 @supplementary_groups@
diff --git a/src/sysv/systemd/sssd-pac.socket.in b/src/sysv/systemd/sssd-pac.socket.in
index 40dec44912a..6e39c4dbd62 100644
--- a/src/sysv/systemd/sssd-pac.socket.in
+++ b/src/sysv/systemd/sssd-pac.socket.in
@@ -9,8 +9,8 @@ Conflicts=shutdown.target
 [Socket]
 ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r pac
 ListenStream=@pipepath@/pac
-SocketUser=@SSSD_USER@
-SocketGroup=@SSSD_USER@
+SocketUser=root
+SocketGroup=root
 [Install]
 WantedBy=sssd.service
diff --git a/src/sysv/systemd/sssd-pam.service.in b/src/sysv/systemd/sssd-pam.service.in
index 67f7bc6ef0f..05e80157c1b 100644
--- a/src/sysv/systemd/sssd-pam.service.in
+++ b/src/sysv/systemd/sssd-pam.service.in
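Review bot: In the kcm hunk `User=root` now sits directly under `SecureBits=noroot noroot-locked`, and the combination is easy to misread: with `noroot` set the kernel does not grant capabilities to a uid 0 process on exec, so sssd_kcm only receives whatever file capabilities its binary carries, further bounded by the `CapabilityBoundingSet=` list two lines above; the sssd.service.in hunk pairs `User=root` with the same `SecureBits` line and `@capabilities@`. Nothing in either hunk records this, and a maintainer who sees a root service may treat `SecureBits` or the bounding set as redundant and drop them. A comment above `User=root` in both units, such as `# uid 0 but noroot: capabilities come only from file caps on the binary, limited by CapabilityBoundingSet above`, keeps the privilege model visible. The two `ExecStartPre` chown lines now spell `root:root` literally where sssd.service.in repeats the same list, so if the value stays hardcoded it is worth keeping the two units in step.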
@@ -15,6 +15,6 @@ ExecStart=@libexecdir@/sssd/sssd_pam ${DEBUG_LOGGER} --socket-activated
 # 'CAP_DAC_READ_SEARCH' is granted as permitted file capability to be elevated to establish GSS API context
 CapabilityBoundingSet= CAP_DAC_READ_SEARCH
 Restart=on-failure
-User=@SSSD_USER@
-Group=@SSSD_USER@
+User=root
+Group=root
 @supplementary_groups@
diff --git a/src/sysv/systemd/sssd-pam.socket.in b/src/sysv/systemd/sssd-pam.socket.in
index e4916cac4ef..b0a8a09546a 100644
--- a/src/sysv/systemd/sssd-pam.socket.in
+++ b/src/sysv/systemd/sssd-pam.socket.in
@@ -9,8 +9,8 @@ Conflicts=shutdown.target
 [Socket]
 ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r pam
 ListenStream=@pipepath@/pam
-SocketUser=@SSSD_USER@
-SocketGroup=@SSSD_USER@
+SocketUser=root
+SocketGroup=root
 [Install]
 WantedBy=sssd.service
diff --git a/src/sysv/systemd/sssd-ssh.service.in b/src/sysv/systemd/sssd-ssh.service.in
index dc1f46d1ee6..58afa0d129c 100644
--- a/src/sysv/systemd/sssd-ssh.service.in
+++ b/src/sysv/systemd/sssd-ssh.service.in
@@ -15,6 +15,6 @@ ExecStart=@libexecdir@/sssd/sssd_ssh ${DEBUG_LOGGER} --socket-activated
 # No capabilities:
 CapabilityBoundingSet=
 Restart=on-failure
-User=@SSSD_USER@
-Group=@SSSD_USER@
+User=root
+Group=root
 @supplementary_groups@
diff --git a/src/sysv/systemd/sssd-ssh.socket.in b/src/sysv/systemd/sssd-ssh.socket.in
index 4772ef3c01b..f975c02dfbd 100644
--- a/src/sysv/systemd/sssd-ssh.socket.in
+++ b/src/sysv/systemd/sssd-ssh.socket.in
@@ -9,8 +9,8 @@ Conflicts=shutdown.target
 [Socket]
 ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r ssh
 ListenStream=@pipepath@/ssh
-SocketUser=@SSSD_USER@
-SocketGroup=@SSSD_USER@
+SocketUser=root
+SocketGroup=root
 [Install]
 WantedBy=sssd.service
diff --git a/src/sysv/systemd/sssd-sudo.service.in b/src/sysv/systemd/sssd-sudo.service.in
index f2d104ad419..5695bf84414 100644
--- a/src/sysv/systemd/sssd-sudo.service.in
+++ b/src/sysv/systemd/sssd-sudo.service.in
@@ -15,6 +15,6 @@ ExecStart=@libexecdir@/sssd/sssd_sudo ${DEBUG_LOGGER} --socket-activated
 # No capabilities:
 CapabilityBoundingSet=
 Restart=on-failure
-User=@SSSD_USER@
-Group=@SSSD_USER@
+User=root
+Group=root
 @supplementary_groups@
diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in
index b0191a261e6..68f052aab0a 100644
--- a/src/sysv/systemd/sssd-sudo.socket.in
+++ b/src/sysv/systemd/sssd-sudo.socket.in
@@ -9,8 +9,8 @@ Conflicts=shutdown.target
 [Socket]
 ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r sudo
 ListenStream=@pipepath@/sudo
-SocketUser=@SSSD_USER@
-SocketGroup=@SSSD_USER@
+SocketUser=root
+SocketGroup=root
 SocketMode=0660
 [Install]
diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
index 584ad9d8263..e40d854f975 100644
--- a/src/sysv/systemd/sssd.service.in
+++ b/src/sysv/systemd/sssd.service.in
@@ -10,17 +10,17 @@ StartLimitBurst=5
 [Service]
 Environment=DEBUG_LOGGER=--logger=files
 EnvironmentFile=-@environment_file@
-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/pki
+ExecStartPre=+-/bin/chown -f root:root @sssdconfdir@/sssd.conf
+ExecStartPre=+-/bin/chown -f -R root:root @sssdconfdir@/conf.d
+ExecStartPre=+-/bin/chown -f -R root:root @sssdconfdir@/pki
 ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
 Type=notify
 NotifyAccess=main
 Restart=on-abnormal
 @capabilities@
 SecureBits=noroot noroot-locked
-User=@SSSD_USER@
-Group=@SSSD_USER@
+User=root
+Group=root
 @supplementary_groups@
 [Install]