Skip to content

Commit

Permalink
Configuration: make sure /etc/sssd and everything
Browse files Browse the repository at this point in the history 
beneath is owned by 'sssd' group and readable by group.

This should allow for reasonable rw-r----- root:sssd

At some points those chown/chmod can be removed.

:packaging: /etc/sssd and everything beneath should be readabale
by the user used to run SSSD service and shouldn't be accessible
by others (non-user/group). No other restrictions are implied.
  • Loading branch information
@alexey-tikhonov
alexey-tikhonov committed Oct 24, 2024
1 parent 571783c commit 316e2f5
Show file tree
Hide file tree
Showing 3 changed files with 6 additions and 9 deletions.
4 changes: 2 additions & 2 deletions contrib/sssd.spec.in
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1137,8 +1137,8 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d /run/sssd -s /sbin/nologi
%__rm -f %{mcpath}/initgroups
%__rm -f %{mcpath}/sid
%__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true
%__chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true
%__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true
%__chown -f -R :%{sssd_user} %{_sysconfdir} || true
%__chmod -f -R g+r %{_sysconfdir} || true
%__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
%__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true
%__chown -f %{sssd_user}:%{sssd_user} %{gpocachepath}/* || true
Expand Down
5 changes: 2 additions & 3 deletions src/sysv/systemd/sssd-kcm.service.in
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,9 +9,8 @@ Also=sssd-kcm.socket

[Service]
Environment=DEBUG_LOGGER=--logger=files
ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
ExecStartPre=+-/bin/chown -f -R :@SSSD_USER@ @sssdconfdir@
ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb"
ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log
ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER}
Expand Down
6 changes: 2 additions & 4 deletions src/sysv/systemd/sssd.service.in
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,10 +10,8 @@ StartLimitBurst=5
[Service]
Environment=DEBUG_LOGGER=--logger=files
EnvironmentFile=-@environment_file@
ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/pki
ExecStartPre=+-/bin/chown -f -R :@SSSD_USER@ @sssdconfdir@
ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @dbpath@/*.ldb"
ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @gpocachepath@/*"
ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/*.log"
Expand Down

0 comments on commit 316e2f5

Please sign in to comment.