systemd configs: add CAP_DAC_OVERRIDE in case certain case

If sssd is configured with --with-sssd-user=<user> where <user>!='root'
but is actually run under the root we need CAP_DAC_OVERRIDE to access
files owned by <user>:<user>
If sssd is really run under non-root account that doesn't have this cap
originally then it's addition to CapabilityBoundingSet doesn't matter.

Reviewed-by: Sumit Bose <[email protected]>

Makefile.am

@@ -104,6 +104,14 @@ condconfigexists =
 else
 condconfigexists = ConditionPathExists=\|/etc/sssd/sssd.conf\nConditionDirectoryNotEmpty=\|/etc/sssd/conf.d/
 endif
+# If sssd is configured with --with-sssd-user=<user> where <user>!='root'
+# but is actually run under the root we need CAP_DAC_OVERRIDE to access
+# files owned by <user>:<user>
+# If sssd is really run under non-root account that doesn't have this cap
+# originally then it's addition to CapabilityBoundingSet doesn't matter.
+if SSSD_NON_ROOT_USER
+additional_caps = CAP_DAC_OVERRIDE
+endif
 else
 ifp_exec_cmd = $(sssdlibexecdir)/sss_signal
 ifp_systemdservice =
@@ -5123,7 +5131,8 @@ edit_cmd = $(SED) \
         -e 's|@pipepath[@]|$(pipepath)|g' \
         -e 's|@prefix[@]|$(prefix)|g' \
         -e 's|@SSSD_USER[@]|$(SSSD_USER)|g' \
-        -e 's|@condconfigexists[@]|$(condconfigexists)|g'
+        -e 's|@condconfigexists[@]|$(condconfigexists)|g' \
+        -e 's|@additional_caps[@]|$(additional_caps)|g'
 
 replace_script = \
     @rm -f $@ $@.tmp; \

src/conf_macros.m4

@@ -807,6 +807,7 @@ AC_DEFUN([WITH_SSSD_USER],
     AC_SUBST(SSSD_USER)
     AC_DEFINE_UNQUOTED(SSSD_USER, "$SSSD_USER", ["The default user to run SSSD as"])
     AM_CONDITIONAL([SSSD_USER], [test x"$with_sssd_user" != x])
+    AM_CONDITIONAL([SSSD_NON_ROOT_USER], [test x"$SSSD_USER" != xroot])
   ])
 
   AC_DEFUN([WITH_AD_GPO_DEFAULT],

src/sysv/systemd/sssd-kcm.service.in

@@ -11,4 +11,4 @@ Also=sssd-kcm.socket
 Environment=DEBUG_LOGGER=--logger=files
 ExecStartPre=-@sbindir@/sssd --genconf-section=kcm
 ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETGID CAP_SETUID
+CapabilityBoundingSet= @additional_caps@ CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETGID CAP_SETUID

src/sysv/systemd/sssd.service.in

@@ -12,7 +12,7 @@ ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
 Type=notify
 NotifyAccess=main
 PIDFile=@pidpath@/sssd.pid
-CapabilityBoundingSet=CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_FOWNER CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND
+CapabilityBoundingSet= @additional_caps@ CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_FOWNER CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND
 Restart=on-failure
 
 [Install]