SYSTEMD: several comments to service files

Reviewed-by: Justin Stephenson <[email protected]> Reviewed-by: Pavel Březina <[email protected]> Reviewed-by: Sumit Bose <[email protected]>
SSSD · Sep 6, 2023 · 9d7dd81 · 9d7dd81
1 parent 8e1d2bb
commit 9d7dd81
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 0 deletions.
diff --git a/src/sysv/systemd/sssd-ifp.service.in b/src/sysv/systemd/sssd-ifp.service.in
@@ -11,6 +11,9 @@ Type=dbus
 BusName=org.freedesktop.sssd.infopipe
 ExecStartPre=+-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_ifp.log
 ExecStart=@libexecdir@/sssd/sssd_ifp ${DEBUG_LOGGER} --socket-activated
+# 'CapabilityBoundingSet' is used to limit privileges set only in case
+# SSSD IFP service is configured to run under 'root' (if service
+# is configured to run under non-privileged user this is a "no-op"):
 CapabilityBoundingSet= @additional_caps@
 Restart=on-failure
 User=@SSSD_USER@

diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
@@ -11,4 +11,7 @@ Also=sssd-kcm.socket
 Environment=DEBUG_LOGGER=--logger=files
 ExecStartPre=-@sbindir@/sssd --genconf-section=kcm
 ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}
+# Currently SSSD KCM server ('sssd_kcm') always runs under 'root'
+# ('User=' and 'Group=' defaults to 'root' for system services)
+# 'CapabilityBoundingSet' is used to limit privileges set:
 CapabilityBoundingSet= @additional_caps@ CAP_SETGID CAP_SETUID
diff --git a/src/sysv/systemd/sssd-nss.service.in b/src/sysv/systemd/sssd-nss.service.in
@@ -13,3 +13,6 @@ Environment=DEBUG_LOGGER=--logger=files
 EnvironmentFile=-@environment_file@
 ExecStart=@libexecdir@/sssd/sssd_nss ${DEBUG_LOGGER} --socket-activated
 Restart=on-failure
+# Currently SSSD NSS service ('sssd_nss') can't be started under 'sssd' user
+# via systemd due to NSS loop when systemd resolves getgrouplist(sssd).
+# Hence 'User=' and 'Group=' aren't set (defaults to root).
diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
@@ -14,6 +14,9 @@ ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
 Type=notify
 NotifyAccess=main
 PIDFile=@pidpath@/sssd.pid
+# Currently main SSSD process ('sssd') always runs under 'root'
+# ('User=' and 'Group=' defaults to 'root' for system services)
+# 'CapabilityBoundingSet' is used to limit privileges set:
 CapabilityBoundingSet= @additional_caps@ CAP_CHOWN CAP_KILL CAP_SETGID CAP_SETUID
 Restart=on-abnormal