On (01/12/20 08:59), Tero Saarni wrote:
> Lukas Slebodnik wrote:
>> There is a way how to run sssd as non-root but /usr/sbin/sssd still requires a bunch of
>> linux capabilities to achieve that.
>
> One more question, which I should have mentioned in my previous reply.
> There are a few places in the code that check explicitly for root and exit with an error
> if getuid() != 0, for example here
> https://github.com/SSSD/sssd/blob/master/src/monitor/monitor.c#L2449. Since these checks
> do not seem to be optional, adding capabilities alone does not help.
It is not just about `if getuid() != 0` in the monitor code.
There are also other places in {krb5/ldap}_child which try to escalate
privileges if they run as an unprivileged user, and it would not be allowed
due to missing CAP_SETGID, CAP_SETUID.
And a bunch of other places.
> How do the maintainers feel about making sssd run on OpenShift? Would
> this be something to pursue / possibly contribute to?
As I mentioned in my previous email, you can run sssd in OpenShift but not with
the restricted SCC.
If you really want to run it in the restricted SCC you can use LD_PRELOAD to pretend
execution as root, e.g. fakeroot
https://nixdoc.net/man-pages/Linux/man1/fakeroot.1.html
It is used in sssd CI for some testing but it is not meant for production.
But feel free to use it if you feel brave enough :-)
LS
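The two conditions discussed in the thread (the monitor's `getuid() != 0` check and the `CAP_SETUID`/`CAP_SETGID` the child helpers need) can be checked from inside a pod before trying to run sssd there. The script below is an added example, not code from the thread or from the sssd project. It reads the real uid and the effective capability mask from `/proc/<pid>/status`, the same values `getuid()` and the capability checks see. It assumes only the two capabilities named above; the thread says sssd needs others as well, so passing it is necessary but not sufficient. The two `/proc/self/status` excerpts at the bottom are constructed samples (the high uid is in the style OpenShift assigns under the restricted SCC).

```bash
#!/bin/sh
# Added example (not from the thread or the sssd project): pre-flight check for
# the root requirement and the two capabilities named in the thread.

# Capability bit numbers from linux/capability.h
CAP_SETGID=6
CAP_SETUID=7

# has_cap HEXMASK N: true when bit N is set in a CapEff-style hex mask.
has_cap() {
    mask=$1
    cap=$2
    [ $(( 0x$mask >> cap & 1 )) -eq 1 ]
}

# status_field STATUS_TEXT KEY: print the first value of the "KEY:" line.
# For "Uid:" the first value is the real uid, which is what getuid() returns.
status_field() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { print $2; exit }'
}

# sssd_preflight STATUS_TEXT: report each check; returns 0 only if all pass.
sssd_preflight() {
    status=$1
    rc=0
    uid=$(status_field "$status" Uid)
    capeff=$(status_field "$status" CapEff)

    if [ "$uid" -eq 0 ]; then
        echo "ok:   real uid is 0 (monitor's getuid() != 0 check passes)"
    else
        echo "FAIL: real uid is $uid; sssd's monitor exits when getuid() != 0"
        rc=1
    fi

    # Only the two capabilities the thread names; sssd needs more than these.
    for entry in "CAP_SETUID=$CAP_SETUID" "CAP_SETGID=$CAP_SETGID"; do
        name=${entry%=*}
        bit=${entry#*=}
        if has_cap "$capeff" "$bit"; then
            echo "ok:   $name present in CapEff=$capeff"
        else
            echo "FAIL: $name missing from CapEff=$capeff; {krb5,ldap}_child cannot switch uid/gid"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a pod under the restricted SCC (arbitrary high uid, empty CapEff).
SAMPLE_RESTRICTED='Name:   sssd
Uid:    1000650000      1000650000      1000650000      1000650000
CapEff: 0000000000000000'

# Constructed sample: uid 0 with just CAP_SETGID|CAP_SETUID (bits 6 and 7 = 0xc0).
SAMPLE_ROOT_WITH_CAPS='Name:   sssd
Uid:    0       0       0       0
CapEff: 00000000000000c0'

echo "== constructed restricted-SCC pod =="
sssd_preflight "$SAMPLE_RESTRICTED" || :
echo "== constructed pod with uid 0 and CAP_SETUID/CAP_SETGID =="
sssd_preflight "$SAMPLE_ROOT_WITH_CAPS" || :
```

Inside a real pod, run `sssd_preflight "$(cat /proc/self/status)"` (after sourcing the script) to check the container sssd would actually start in; under the restricted SCC the report shows the uid failure and an all-zero CapEff, which is exactly why capabilities alone do not get past the explicit root checks.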