From f4454d26f96e9128dd63db180ef52dcf5c0fcbc9 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov
Date: Wed, 23 Aug 2023 14:00:36 +0200
Subject: [PATCH] SYSTEMD UNIT FILES: removed unneeded capabilities

Justification for remaining caps:
- CAP_DAC_OVERRIDE (@additional_caps@): access to /var/log/sssd, to /var/lib/sss/pipes/private/*, ...
- CAP_CHOWN: `chown_debug_file()` in case of monitor activation, ...
- CAP_KILL: terminate child process on timeout, ...
- CAP_SET?ID: drop privs in case of monitor activation, sssd_kcm renewal exec(krb5_child), ...
- CAP_FOWNER (probably can be avoided): chmod(mem-cache), ...
---
 src/sysv/systemd/sssd-ifp.service.in | 2 +-
 src/sysv/systemd/sssd-kcm.service.in | 2 +-
 src/sysv/systemd/sssd.service.in | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/sysv/systemd/sssd-ifp.service.in b/src/sysv/systemd/sssd-ifp.service.in
index 0d492dde0f2..0add06ffa3b 100644
--- a/src/sysv/systemd/sssd-ifp.service.in
+++ b/src/sysv/systemd/sssd-ifp.service.in
@@ -11,7 +11,7 @@ Type=dbus
 BusName=org.freedesktop.sssd.infopipe
 ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_ifp.log
 ExecStart=@libexecdir@/sssd/sssd_ifp ${DEBUG_LOGGER} --socket-activated
-CapabilityBoundingSet= @additional_caps@ CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETGID CAP_SETUID
+CapabilityBoundingSet= @additional_caps@
 Restart=on-failure
 User=@SSSD_USER@
 Group=@SSSD_USER@
diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
index 2ea2e0832ef..92210b0ff91 100644
--- a/src/sysv/systemd/sssd-kcm.service.in
+++ b/src/sysv/systemd/sssd-kcm.service.in
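Review bot: The `ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_ifp.log` line two lines above the changed one is now run without CAP_CHOWN in the bounding set, and since the unit sets `User=@SSSD_USER@` and the ExecStartPre has no `+` prefix, that chown executes as the unprivileged user too; as far as I read systemd semantics it can then only succeed when the log is already owned by that user, and in the root-owned case it fails silently behind the leading `-`. If that case is no longer expected, the ExecStartPre line should be removed or documented; otherwise it needs a `+` prefix or CAP_CHOWN back. Also note that if @additional_caps@ expands to nothing, the line becomes an empty `CapabilityBoundingSet=`, which resets the bounding set to no capabilities at all; that looks intended here, but a comment such as `# @additional_caps@ (CAP_DAC_OVERRIDE, see commit f4454d2) is all sssd_ifp needs; an empty value deliberately clears the bounding set` would make it explicit, since the commit message's justification list does not mention sssd_ifp.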
@@ -11,4 +11,4 @@ Also=sssd-kcm.socket
 Environment=DEBUG_LOGGER=--logger=files
 ExecStartPre=-@sbindir@/sssd --genconf-section=kcm
 ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}
-CapabilityBoundingSet= @additional_caps@ CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETGID CAP_SETUID
+CapabilityBoundingSet= @additional_caps@ CAP_SETGID CAP_SETUID
diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
index 79bba20be5c..df05e9b38ba 100644
--- a/src/sysv/systemd/sssd.service.in
+++ b/src/sysv/systemd/sssd.service.in
@@ -14,7 +14,7 @@ ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
 Type=notify
 NotifyAccess=main
 PIDFile=@pidpath@/sssd.pid
-CapabilityBoundingSet= @additional_caps@ CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_KILL CAP_NET_ADMIN CAP_SYS_NICE CAP_FOWNER CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_BLOCK_SUSPEND
+CapabilityBoundingSet= @additional_caps@ CAP_CHOWN CAP_KILL CAP_FOWNER CAP_SETGID CAP_SETUID
 Restart=on-abnormal
 [Install]
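Review bot: The retained `CAP_SETGID CAP_SETUID` on the new CapabilityBoundingSet line have no in-file rationale; the commit message ties them to dropping privileges when sssd_kcm execs krb5_child for renewal, but a reader of the unit sees only `ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}` and cannot tell why a service started as root still needs them. Add a comment directly above the setting, e.g. `# CAP_SETUID/CAP_SETGID: sssd_kcm drops privileges when it execs krb5_child for ticket renewal`. No User= line is visible in this hunk, so if the service really runs as root the bounding set is the main thing constraining it and the justification belongs next to it; the same applies to the retained caps in the sssd.service.in hunk below.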
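Review bot: CAP_FOWNER remains in the new bounding set although the commit message itself says it "probably can be avoided" (chmod of the memory cache); that caveat disappears once the patch lands, so record it in the unit, e.g. `# CAP_FOWNER: chmod(mem-cache) - probably avoidable, see commit f4454d2`. The collapsed context line between `Restart=on-abnormal` and `[Install]` is not recoverable from this paste, so the hunk count (7 lines) cannot be checked here. The [Service] section this hunk belongs to starts before the hunk, so any existing header comment there is out of view.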