URL: https://github.com/SSSD/sssd/pull/717 Author: jhrozek Title: #717: NSS: Avoid changing the memory cache ownership away from the sssd user (sssd-1-16 backport) Action: opened
PR body: """ Resolves: https://pagure.io/SSSD/sssd/issue/3890
If SSSD is compiled --with-sssd-user but run as root (which is the default on RHEL and derivatives), then the memory cache will be owned by the user that sssd_nss runs as, i.e. root.
This conflicts with the packaging which specifies sssd.sssd as the owner. And in turn, this means that users can't reliably assess the package integrity using rpm -V.
This patch makes sure that the memory cache files are chowned to sssd.sssd even if the nss responder runs as root.
Also, this patch changes the sssd_nss responder so that it becomes a member of the supplementary sssd group. Even though, in the traditional UNIX sense, a process running as root could write to a file owned by sssd:sssd, with SELinux in enforcing mode this becomes problematic, as SELinux emits an error such as:
type=AVC msg=audit(1543524888.125:1495): avc: denied { fsetid } for pid=7706 comm="sssd_nss" capability=4 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:sssd_t:s0 tclass=capability
To make it possible for the sssd_nss process to write to the files, the files are also made group-writable. The 'others' permission is still set to read only.
Reviewed-by: Michal Židek mzidek@redhat.com (cherry picked from commit 61e4ba58934b20a950255e05797aca25aadc1242) """
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/717/head:pr717
git checkout pr717
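The two mechanisms the PR description relies on, chowning the cache files to the sssd user while the responder itself keeps running as root, and joining the sssd group so that the group-writable 0664 mode is usable under SELinux, can be exercised on an unprivileged box with the small C program below. It is an added example written for this page, not code from the SSSD project or from the PR. It assumes the caller resolves the target uid/gid itself (the real responder would look up the "sssd" account); the demo passes the calling process's own uid/gid so it runs without root, and mc_join_group() only has an effect when run as root because setgroups() needs CAP_SETGID.

```c
/* Added example, not SSSD code: fix ownership and mode of a memory-cache
 * style file and check the supplementary-group membership the PR adds.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Target mode from the PR description: owner and group read/write,
 * others read-only (0664). */
#define MC_MODE (S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH)

/* Return 1 if gid is the effective gid or one of the supplementary groups
 * of the calling process, 0 otherwise. */
int in_process_groups(gid_t gid)
{
    if (gid == getegid()) return 1;
    int n = getgroups(0, NULL);
    if (n < 0) return 0;
    gid_t *list = calloc((size_t)n + 1, sizeof(gid_t));
    if (!list) return 0;
    n = getgroups(n, list);
    int found = 0;
    for (int i = 0; i < n; i++) {
        if (list[i] == gid) { found = 1; break; }
    }
    free(list);
    return found;
}

/* Add gid to the supplementary group list if it is not there yet. This is
 * what lets a root-running responder write to an sssd:sssd 0664 file
 * without needing the fsetid capability SELinux denies. setgroups() needs
 * CAP_SETGID, so unprivileged callers get -EPERM. Returns 0 on success. */
int mc_join_group(gid_t gid)
{
    if (in_process_groups(gid)) return 0;
    int n = getgroups(0, NULL);
    if (n < 0) return -errno;
    gid_t *list = calloc((size_t)n + 1, sizeof(gid_t));
    if (!list) return -ENOMEM;
    n = getgroups(n, list);
    if (n < 0) { free(list); return -errno; }
    list[n] = gid;
    int ret = (setgroups((size_t)n + 1, list) == 0) ? 0 : -errno;
    free(list);
    return ret;
}

/* chown an open cache file to uid:gid, set 0664, then re-read the inode
 * and verify both took effect. Returns 0 on success, -errno on failure. */
int mc_fix_ownership(int fd, uid_t uid, gid_t gid)
{
    struct stat st;
    if (fchown(fd, uid, gid) != 0) return -errno;
    if (fchmod(fd, MC_MODE) != 0) return -errno;
    if (fstat(fd, &st) != 0) return -errno;
    if (st.st_uid != uid || st.st_gid != gid) return -EPERM;
    if ((st.st_mode & 07777) != MC_MODE) return -EPERM;
    return 0;
}

/* Create a throwaway file (constructed stand-in for a memory cache file),
 * apply the ownership fix for uid:gid and return its result. */
int mc_demo(uid_t uid, gid_t gid)
{
    char path[] = "/tmp/sssd_mc_demo_XXXXXX";
    int fd = mkstemp(path);            /* created 0600 by the caller, like the responder would */
    if (fd < 0) return -errno;
    int ret = mc_fix_ownership(fd, uid, gid);
    close(fd);
    unlink(path);
    return ret;
}

int main(void)
{
    uid_t uid = getuid();              /* assumption: stand-in for the sssd uid */
    gid_t gid = getgid();              /* assumption: stand-in for the sssd gid */
    int ret = mc_join_group(gid);
    printf("group %u membership: %s\n", (unsigned)gid, ret == 0 ? "ok" : strerror(-ret));
    ret = mc_demo(uid, gid);
    printf("chown/chmod demo file to %u:%u 0664: %s\n",
           (unsigned)uid, (unsigned)gid, ret == 0 ? "ok" : strerror(-ret));
    return ret == 0 ? 0 : 1;
}
```

On a real host the same check is simply `ls -l` on the memory cache directory (on a typical install /var/lib/sss/mc) followed by `rpm -V` on the sssd packages: after this change the files should show sssd:sssd with mode 0664 and `rpm -V` should no longer flag an owner or group mismatch. Note that fchown() to a group the process is not a member of is refused for an unprivileged caller regardless of SELinux, which is the non-root analogue of the denial quoted in the PR body.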
URL: https://github.com/SSSD/sssd/pull/717 Title: #717: NSS: Avoid changing the memory cache ownership away from the sssd user (sssd-1-16 backport)
jhrozek commented: """ hmm, this is supposed to be merged to sssd-1-16.. """
See the full comment at https://github.com/SSSD/sssd/pull/717#issuecomment-447866098
URL: https://github.com/SSSD/sssd/pull/717 Author: jhrozek Title: #717: NSS: Avoid changing the memory cache ownership away from the sssd user (sssd-1-16 backport) Action: closed
sssd-devel@lists.fedorahosted.org