Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

A bunch of assorted patches related to socket activation feature (part 1) #6873

Closed
wants to merge 10 commits into from
Closed

A bunch of assorted patches related to socket activation feature (part 1) #6873

wants to merge 10 commits into from

Commits on Sep 4, 2023

  1. Get rid of '--dbus-activated'. 

    Code makes no difference handling '--socket-activated' and
'--dbus-activated', it only makes things more obscure.
Moreover, on a systemd enabled system, dbus activation actually
starts systemd service anyway, so there is really no big difference.
    @alexey-tikhonov
    alexey-tikhonov committed Sep 4, 2023
    Configuration menu
    Copy the full SHA
    39fe549 View commit details
    Browse the repository at this point in the history

  2. CONFDB: removed unneeded wrapper

    @alexey-tikhonov
    alexey-tikhonov committed Sep 4, 2023
    Configuration menu
    Copy the full SHA
    e36d10f View commit details
    Browse the repository at this point in the history

  3. CONF: there is no use for CONFDB_FALLBACK_CONFIG 

    since implicit files provider can't be enabled by default anymore.

Resolves: SSSD#5022
    @alexey-tikhonov
    alexey-tikhonov committed Sep 4, 2023
    Configuration menu
    Copy the full SHA
    3ba2054 View commit details
    Browse the repository at this point in the history

  4. SBUS: additional details in debug messages

    @alexey-tikhonov
    alexey-tikhonov committed Sep 4, 2023
    Configuration menu
    Copy the full SHA
    2de10f7 View commit details
    Browse the repository at this point in the history

  5. MONITOR: debug messages updates

    @alexey-tikhonov
    alexey-tikhonov committed Sep 4, 2023
    Configuration menu
    Copy the full SHA
    e5e3726 View commit details
    Browse the repository at this point in the history

  6. SYSTEMD: removed unneeded capabilities 

    This patch removes capabilities that aren't needed at all.

Some (if not all) of remaining capabilities can be probably
avoided with proper code changes, but currently those are needed.

Examples (not limiting) of those caps usage:
 - CAP_DAC_OVERRIDE (@additional_caps@): access to /var/log/sssd,
   to /var/lib/sss/pipes/private/* (sssd:sssd owned sbus-monitor/dp
   sbus sockets)
 - CAP_CHOWN: `chown_debug_file()` in case of monitor activation
 - CAP_SETUID/CAP_SETGID: drop privs in case of monitor activation,
   switch_creds (in particular, sssd_kcm executing krb5_child
   for ticket renewal)
 - CAP_FOWNER: chmod(mem-cache)

It's not that clear about 'CAP_KILL'. When 'sssd_be' terminates
child process, it either still runs under root (so uid matches and
no caps needed) or it dropped privs already and have lost CAP_KILL
anyway. Another thing is 'monitor' signalling responders and
providers that could be running under 'sssd' while 'monitor'
itself runs under 'root'.
    @alexey-tikhonov
    alexey-tikhonov committed Sep 4, 2023
    Configuration menu
    Copy the full SHA
    6f0fd67 View commit details
    Browse the repository at this point in the history

  7. SYSV/NSS: avoid chmod() in sssd_nss 

    This allows to remove CAP_FOWNER.
    @alexey-tikhonov
    alexey-tikhonov committed Sep 4, 2023
    Configuration menu
    Copy the full SHA
    c5b51d7 View commit details
    Browse the repository at this point in the history

  8. SYSTEMD::IFP: don't restrict ExecStartPre=chown(log) 

    'PermissionsStartOnly' is deprecated but used for consistency
with other unit files.
    @alexey-tikhonov
    alexey-tikhonov committed Sep 4, 2023
    Configuration menu
    Copy the full SHA
    f1b7d2b View commit details
    Browse the repository at this point in the history

  9. SYSTEMD: replace deprecated 'PermissionsStartOnly=true' with '+'

    @alexey-tikhonov
    alexey-tikhonov committed Sep 4, 2023
    Configuration menu
    Copy the full SHA
    dd24e1f View commit details
    Browse the repository at this point in the history

  10. SYSTEMD: several comments to service files

    @alexey-tikhonov
    alexey-tikhonov committed Sep 4, 2023
    Configuration menu
    Copy the full SHA
    944a633 View commit details
    Browse the repository at this point in the history