URL:
https://github.com/SSSD/sssd/pull/5504
Title: #5504: limit process capabilities and sanitize usage of experimental '--with-sssd-user=' option
sumit-bose commented:
"""
Hi,
originally the `--with-sssd-user` did 2 things, defining the default user SSSD should run
as and making sure some files are owned by this user to make switching between this user and
root easier.
The first (default user) does not match what is currently documented and for the time
being we want the default user to be root. So, ACK to the second patch.
The different file ownerships triggered by `--with-sssd-user` with a non-root user are not
an issue in RHEL-7 and RHEL-8 where this configure option is already used because if SSSD
was running as root there were only SELinux restrictions and we made sure all files had
proper labels. When using `CapabilityBoundingSet` we have to make sure SSSD can still
access files owned by a sssd user. For this `CAP_DAC_OVERRIDE` is needed, afaik there is
no weaker capability to allow this for the time being. As a next step I would suggest to
use `sssctl` instead so that everything which requires additional permissions and
capabilities can be done outside of the SSSD processes, and have opened
https://github.com/SSSD/sssd/issues/5508 to track this. So I'm fine with the third
patch as well.
Since we start using `CapabilityBoundingSet` it makes sense to use them in the other
typically used systemd service files (kcm and ifp) as well, so ACK for the first patch as
well.
"""
See the full comment at
https://github.com/SSSD/sssd/pull/5504#issuecomment-780441873
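Added example, not code from the pull request or from SSSD itself: a small Python checker that decodes the `CapBnd` mask in `/proc/<pid>/status`, so an administrator can confirm that a unit's `CapabilityBoundingSet=` actually reduced the bounding set and whether `CAP_DAC_OVERRIDE` (needed to read files owned by the sssd user) is still in it. The sample status excerpts, the `budget` threshold and all function names are assumptions of this example; bit numbers follow `linux/capability.h`.

```python
import re

# Capability names indexed by bit number, as in linux/capability.h.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE",
    "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
    "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
]

def parse_cap_field(status_text, field="CapBnd"):
    """Return the hex mask of a Cap* line (CapInh/CapPrm/CapEff/CapBnd/CapAmb) as an int."""
    m = re.search(r"^%s:\s*([0-9a-fA-F]+)\s*$" % re.escape(field), status_text, re.M)
    if not m:
        raise ValueError("no %s line in status text" % field)
    return int(m.group(1), 16)

def decode_caps(mask):
    """Map a capability bitmask to names; bits beyond the table show as CAP_<n>."""
    names, bit = [], 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit)
        bit += 1
    return names

def check_bounding_set(status_text, required=("CAP_DAC_OVERRIDE",), budget=8):
    """Report whether the bounding set is reduced and still holds `required` capabilities.

    `budget` (assumed threshold) is the largest set we still count as 'reduced'."""
    caps = decode_caps(parse_cap_field(status_text, "CapBnd"))
    return {"count": len(caps), "reduced": len(caps) <= budget,
            "missing": [c for c in required if c not in caps]}

def read_status(pid="self"):
    """Read the live status file of a process (e.g. the PID of sssd_be)."""
    with open("/proc/%s/status" % pid) as fh:
        return fh.read()

# Constructed /proc/<pid>/status excerpts: one process with the full bounding set
# (all 41 capabilities) and one limited to CHOWN, DAC_OVERRIDE, SETGID and SETUID.
FULL_STATUS = "Name:\tsssd_be\nCapBnd:\t000001ffffffffff\n"
LIMITED_STATUS = "Name:\tsssd_be\nCapBnd:\t00000000000000c3\n"
```

Run `check_bounding_set(read_status(pid))` against a real service PID to compare the live set with what the unit file requests.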