From d914df62bd8e532fc2f3476ff350efb84bf2f87e Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov
Date: Thu, 12 Sep 2024 09:14:03 +0200
Subject: [PATCH 1/2] SPEC: don't fail uninstallation if 'alternatives' fails

This is seen on rpm-ostree based system during uninstall:
```
Running scriptlet: sssd-client-2.9.5-4.el9.x86_64 9/9
admindir /var/lib/alternatives invalid
error: %preun(sssd-client-2.9.5-4.el9.x86_64) scriptlet failed, exit status 2
```
This should be fixed by https://github.com/fedora-sysv/chkconfig/pull/135 but let's avoid hard failing here anyway.
---
 contrib/sssd.spec.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 4edabce5694..7f1c3a9ba72 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -1167,7 +1167,7 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "Us
 
 %preun client
 if [ $1 -eq 0 ] ; then
-    /usr/sbin/alternatives --remove cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so
+    /usr/sbin/alternatives --remove cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so || true
 fi
 
 %posttrans common

From 6ed56fda16f058915104c5058d3f64285d2a7ae1 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov
Date: Thu, 12 Sep 2024 09:39:13 +0200
Subject: [PATCH 2/2] SYSTEMD: chown all artifacts at startup

Main reason for this is compatibility with rpm-ostree based systems where rpm post install scriplets aren't run on an actual system.

In general this looks like an unneeded overhead since ownership can be only wrong after upgrade from sssd-2.9- to sssd-2.10+
But this appears to be most simple solution atm and from practical point of view the main issue is merely a clutter in service files.
---
 Makefile.am | 4 +++-
 src/sysv/systemd/sssd-kcm.service.in | 3 +++
 src/sysv/systemd/sssd.service.in | 3 +++
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/Makefile.am b/Makefile.am
index fe144c0d9c4..01e21792f94 100644
--- a/Makefile.am
+++ b/Makefile.am
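Review bot: The `|| true` on the changed alternatives line discards every failure of `alternatives --remove`, not only the rpm-ostree "admindir invalid" case the message describes, so a genuine failure that leaves a dangling cifs-idmap-plugin alternative is no longer visible in the scriptlet's exit status. rpm still prints the tool's stderr, so the trade-off is defensible, but the reason belongs in a comment next to the line so a later cleanup does not treat it as a stray no-op, e.g. `# 'alternatives' can fail on rpm-ostree systems (admindir invalid, chkconfig#135); never abort %preun over it`. The %preun client scriptlet is fully contained in the hunk.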
@@ -5295,7 +5295,9 @@ edit_cmd = $(SED) \
 	-e 's|@nss_service_user_group[@]|$(nss_service_user_group)|g' \
 	-e 's|@nss_socket_user_group[@]|$(nss_socket_user_group)|g' \
 	-e 's|@supplementary_groups[@]|$(supplementary_groups)|g' \
-	-e 's|@sssdconfdir[@]|$(sssdconfdir)|g'
+	-e 's|@sssdconfdir[@]|$(sssdconfdir)|g' \
+	-e 's|@secdbpath[@]|$(secdbpath)|g' \
+	-e 's|@dbpath[@]|$(dbpath)|g'
 
 replace_script = \
 	@rm -f $@ $@.tmp; \
diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
index 2b3de184b1c..6c5c6aa43d0 100644
--- a/src/sysv/systemd/sssd-kcm.service.in
+++ b/src/sysv/systemd/sssd-kcm.service.in
@@ -9,8 +9,11 @@ Also=sssd-kcm.socket
 
 [Service]
 Environment=DEBUG_LOGGER=--logger=files
+ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
 ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
 ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
+ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb
+ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log
 ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER}
 CapabilityBoundingSet= CAP_DAC_OVERRIDE CAP_CHOWN CAP_SETGID CAP_SETUID
 SecureBits=noroot noroot-locked
diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
index 584ad9d8263..32f35462bfe 100644
--- a/src/sysv/systemd/sssd.service.in
+++ b/src/sysv/systemd/sssd.service.in
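Review bot: systemd does not apply shell globbing to Exec*= command lines, so the `@secdbpath@/*.ldb` on the added ExecStartPre line in sssd-kcm.service.in is handed to chown as a literal path, and with `-f` plus the `-` prefix the resulting "no such file" is silently swallowed — the ldb ownership is never corrected, which is the one case this change exists for. The same applies to the `@dbpath@/*.ldb` and `@logpath@/*.log` lines in the sssd.service.in hunk. Either run the pattern through a shell, `ExecStartPre=+-/bin/sh -c '/bin/chown -f @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb'`, or name the files or the directory explicitly without a wildcard; `-R` does nothing useful on plain files and is best dropped so the root-run command touches only what is listed. `@logpath@` is not among the substitutions this patch adds to edit_cmd in Makefile.am, so confirm it is already substituted earlier in that list.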
@@ -10,9 +10,12 @@ StartLimitBurst=5
 [Service]
 Environment=DEBUG_LOGGER=--logger=files
 EnvironmentFile=-@environment_file@
+ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
 ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
 ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
 ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/pki
+ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @dbpath@/*.ldb
+ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @logpath@/*.log
 ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
 Type=notify
 NotifyAccess=main