URL: https://github.com/SSSD/sssd/pull/5504 Title: #5504: systemd configs: limit process capabilities alexey-tikhonov commented: """ Multihost tests fail on RHEL. This is expected in some way. The major issue I see here is that we use upstream spec file that aims F34+/RHEL9 to build RHEL8 package. That's not gonna work in general. And I'm not sure it makes sense to run multihost tests on RHEL8 for a package that is different than package actually used on this target. @pbrezina , @sgoveas , probably it makes sense to replace RHEL8 with RHEL9-alpha? Another thing is that even this won't resolve issue entirely: despite our best effort it seems we will have downstream only patches for RHEL9... Anyway, I guess current fail: ``` 2021-02-15 19:00:08,882 - sssd.testlib.common.qe_class.QeHost.client.cmd58 - DEBUG - Job for sssd.service failed because the control process exited with error code. ``` is very similar to https://bugzilla.redhat.com/show_bug.cgi?id=1926304 : - upstream spec file says to chown files as sssd:sssd - sssd monitor starts under root - this patch limits process capabilities so it can't access /var/log/sssd/*, etc This is gonna be solved with addition of 'CAP_DAC_OVERRIDE' on RHEL platform and so far I didn't see a reason to make this upstream (because long term plan is to get feature "running as a non root user" fully supported and get rid of all those workarounds). But this means multihost will keep failing in upstream PR CI even if we replace 8 with 9... """ See the full comment at https://github.com/SSSD/sssd/pull/5504#issuecomment-779814324

URL: https://github.com/SSSD/sssd/pull/5504 Author: alexey-tikhonov Title: #5504: limit process capabilities and sanitize usage of experimental '--with-sssd-user=' option Action: edited Changed field: title Original value: """ systemd configs: limit process capabilities """

URL: https://github.com/SSSD/sssd/pull/5504 Author: alexey-tikhonov Title: #5504: limit process capabilities and sanitize usage of experimental '--with-sssd-user=' option Action: synchronized To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5504/head:pr5504 git checkout pr5504

URL: https://github.com/SSSD/sssd/pull/5504 Title: #5504: limit process capabilities and sanitize usage of experimental '--with-sssd-user=' option sumit-bose commented: """ Hi, originally the `--with-sssd-user` did 2 things, defining the default user SSSD should run as and make sure some files are owned by this user to make switching between this user and root more easy. The first (default user) does not match what is currently documented and for the time being we want the default user to be root. So, ACK to the second patch. The different file ownerships triggered by `--with-sssd-user` with a non-root user are not an issue in RHEL-7 and RHEL-8 where this configure options is already used because if SSSD was running as root there were only SELinux restrictions and we made sure all files had proper labels. When using `CapabilityBoundingSet` we have to make sure SSSD can still access files owned by a sssd user. For this `CAP_DAC_OVERRIDE` is needed, afaik there is no weaker capability to allow this for the time being. As a next step I would suggest to use `sssctl` instead so that everything which requires addition permissions and capabilities can be done outside of the SSSD processes and have opened https://github.com/SSSD/sssd/issues/5508 to track this. So I'm fine with the third patch as well. Since we start using `CapabilityBoundingSet` it makes sense to use them in the other typically used systemd service files (kcm and ifp) as well, so ACK for the first patch as well. """ See the full comment at https://github.com/SSSD/sssd/pull/5504#issuecomment-780441873

URL: https://github.com/SSSD/sssd/pull/5504 Title: #5504: limit process capabilities and sanitize usage of experimental '--with-sssd-user=' option Label: +Ready to push

URL: https://github.com/SSSD/sssd/pull/5504 Title: #5504: limit process capabilities and sanitize usage of experimental '--with-sssd-user=' option pbrezina commented: """ Pushed PR: https://github.com/SSSD/sssd/pull/5504 * `master` * fd7ce7b3de9647eb6de75c3dd3974b44d860078e - systemd configs: add CAP_DAC_OVERRIDE in case certain case * ee9dbea1e67365ef1a48fff6bbf7cb4844c4b9ad - monitor: fixed default value of 'user' config option * 9aaa0e51ddf556265b799d551e29a6eaccfea13e - systemd configs: limit process capabilities """ See the full comment at https://github.com/SSSD/sssd/pull/5504#issuecomment-781942812

URL: https://github.com/SSSD/sssd/pull/5504 Title: #5504: limit process capabilities and sanitize usage of experimental '--with-sssd-user=' option Label: -Accepted

URL: https://github.com/SSSD/sssd/pull/5504 Author: alexey-tikhonov Title: #5504: limit process capabilities and sanitize usage of experimental '--with-sssd-user=' option Action: closed To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/5504/head:pr5504 git checkout pr5504