URL: https://github.com/SSSD/sssd/pull/183 Title: #183: More socket-activation fixes
sgallagher commented: """ @lslebodn
@sgallagher The purpose of calling chown in ExecStartPre is to allow starting responders as non-privileged from beginning. Systemd drops permissions before exec.
Yeah, I get that. And I told @fidencio on IRC that we can live with the TOCTOU for the time being and figure out a better option later. That said, we cannot use `/usr/bin/chown` for this, because it unconditionally calls `getpwnam()`/`getpwuid()` in its execution, which causes a problem when socket-activating. I suggested that we might want to just create a reduced-functionality `/usr/libexec/sssd/sss_chown` that calls only the low-level system function. """
See the full comment at https://github.com/SSSD/sssd/pull/183#issuecomment-285667642