Hi, Attached are patches that perform changes in the monitor process and the low-level sbus and sysdb code required to run the NSS responder as a non-privileged user. Some of the patches call chmod/chown on files owned by the SSSD, so I'd like to request a very careful review. The patches depend on patches from threads: * SSSD: Add the options to specify a UID and GID to run as * Packaging fixes related to non-root SSSD I tried to explain the changes well in the commit messages. See below for some more and especially questions. [PATCH 1/7] SSSD: Load a user to run a service as from configuration Pretty much just loads the sssd user from configuration and stores the uid/gid. One question -- should the individual services or domain have a option to ignore the sssd user? For instance: [sssd] user = sssd group = sssd [nss] # Would run as SSSD [pam] # Would run as root/whatever user monitor runs as ignore_sssd_user = True This would mostly be a fallback for cases where we introduce a bug. I don't think this kind of granularity is needed, the user can just run sssd as root completely: [sssd] user = root group = root [PATCH 2/7] SBUS: Chown the sbus socket if needed Chowns the monitor sbus socket if a non-root sssd user is specified. I don't think we allow more privileges than before, the monitor socket has permissions 0600 and is owned by sssd.sssd, so only the private user and root (who bypasses DAC checks anyway) can access it. In sbus_new_server(), we can open the socket after dbus creates it and call fchmod() and fchown() to avoid some kind of TOCTOU races. But I'm not sure this is needed given that a privileged process will create the pipes. [PATCH 3/7] SBUS: Allow connections from other UIDs A simple patch, allows connections from the sssd user. Please see the commit message for more details. This patch (and the previous) should have a unit test, but currently our sbus tests are tightly tied to the check framework. I need to change the common code to be test framework-agnostic, but I don't want to delay the inclusion of these patches. [PATCH 4/7] BE: Own the sbus socket as the SSSD user Same as the two previous patches, just for the sssd_be process. [PATCH 5/7] MONITOR: Allow confdb to be accessed by nonroot user Confdb is created by the privileged monitor process, but needs to be accessed by nonprivileged responder processes. chown it after creation. [PATCH 6/7] SYSDB: Allow calling chown on the sysdb file from monitor Same as the previous one, just for the sysdb. [PATCH 7/7] NSS: Run as a user specified by monitor With this patch, it's possible to run the NSS responder as a non-privileged user.