SYSTEMD: removed unneeded capabilities
This patch removes capabilities that aren't needed at all. Some (if not all) of the remaining capabilities can probably be avoided with proper code changes, but currently those are needed. Examples (not limiting) of those caps' usage:

- CAP_DAC_OVERRIDE (@additional_caps@): access to /var/log/sssd, to /var/lib/sss/pipes/private/* (sssd:sssd owned sbus-monitor/dp sbus sockets)
- CAP_CHOWN: `chown_debug_file()` in case of monitor activation
- CAP_SETUID/CAP_SETGID: drop privs in case of monitor activation, switch_creds (in particular, sssd_kcm executing krb5_child for ticket renewal)
- CAP_FOWNER: chmod(mem-cache)

It's not that clear about 'CAP_KILL'. When 'sssd_be' terminates a child process, it either still runs under root (so the uid matches and no caps are needed) or it has dropped privs already and has lost CAP_KILL anyway. Another thing is 'monitor' signalling responders and providers that could be running under 'sssd' while 'monitor' itself runs under 'root'.

Reviewed-by: Justin Stephenson <[email protected]>
Reviewed-by: Pavel Březina <[email protected]>
Reviewed-by: Sumit Bose <[email protected]>
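A way to verify on a running system that an sssd process retains only the capabilities the commit message still lists (added example, not code from the SSSD project): it decodes the hex capability masks from a `/proc/<pid>/status` file and reports anything in the bounding set beyond that list. The expected set below treats CAP_KILL as still needed, since the message leaves that question open; the status text is constructed for the demo.

```python
import re

# Linux capability bit numbers, index = bit position (linux/capability.h).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Capabilities the commit message says sssd still needs (assumption: CAP_KILL
# is kept in the list because the message does not settle whether it is needed).
EXPECTED_CAPS = {"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER", "CAP_KILL",
                 "CAP_SETGID", "CAP_SETUID"}

def decode_capset(hex_mask: str) -> set[str]:
    """Turn a /proc status hex mask (e.g. '00000000000000eb') into cap names."""
    mask = int(hex_mask, 16)
    names = {CAP_NAMES[bit] for bit in range(len(CAP_NAMES)) if mask >> bit & 1}
    # Bits above the known table are reported by number so nothing is silently dropped.
    names |= {f"CAP_{bit}" for bit in range(len(CAP_NAMES), mask.bit_length())
              if mask >> bit & 1}
    return names

def parse_status(status_text: str) -> dict[str, set[str]]:
    """Extract the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines as decoded sets."""
    found = re.findall(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$",
                       status_text, re.MULTILINE)
    return {name: decode_capset(mask) for name, mask in found}

def unexpected_caps(status_text: str, expected=frozenset(EXPECTED_CAPS)) -> set[str]:
    """Capabilities in the bounding set that the commit message does not account for."""
    return parse_status(status_text).get("CapBnd", set()) - set(expected)

def check_pid(pid: int) -> set[str]:
    """Read a live process; run as root or the process owner to access /proc/<pid>/status."""
    with open(f"/proc/{pid}/status", encoding="utf-8") as fh:
        return unexpected_caps(fh.read())

# Constructed sample: the six expected caps (0xeb) plus CAP_NET_ADMIN (bit 12)
# and CAP_SYS_ADMIN (bit 21) left over in the bounding set.
SAMPLE_STATUS = "Name:\tsssd_be\nCapEff:\t00000000000000eb\nCapBnd:\t00000000002010eb\n"
```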