From 8db2df4fcbd09badafbc207bd4150b5f1cc2d5fb Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov
Date: Thu, 24 Oct 2024 15:34:26 +0200
Subject: [PATCH] Configuration: make sure /etc/sssd and everything
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

beneath is owned by 'sssd' group and readable by group.

This should allow for reasonable rw-r----- root:sssd

At some points those chown/chmod can be removed.

Reviewed-by: Justin Stephenson
Reviewed-by: Pavel Březina
Reviewed-by: Sumit Bose
(cherry picked from commit 518db322fdd5a4de41813fbe5bc35fc20392ce67)
---
 contrib/sssd.spec.in | 4 ++--
 src/sysv/systemd/sssd-kcm.service.in | 5 ++---
 src/sysv/systemd/sssd.service.in | 6 ++----
 3 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 4fbacb959..83de563f3 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -1136,9 +1136,9 @@ getent passwd sssd >/dev/null || useradd -r -g sssd -d /run/sssd -s /sbin/nologi
 %__rm -f %{mcpath}/group
 %__rm -f %{mcpath}/initgroups
 %__rm -f %{mcpath}/sid
+%__chown -f -R root:%{sssd_user} %{_sysconfdir}/sssd || true
+%__chmod -f -R g+r %{_sysconfdir}/sssd || true
 %__chown -f %{sssd_user}:%{sssd_user} %{dbpath}/* || true
-%__chown -f %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/sssd.conf || true
-%__chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true
 %__chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
 %__chown -f %{sssd_user}:%{sssd_user} %{secdbpath}/*.ldb || true
 %__chown -f %{sssd_user}:%{sssd_user} %{gpocachepath}/* || true
diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
index 0c839ec5c..ba9e27cd9 100644
--- a/src/sysv/systemd/sssd-kcm.service.in
+++ b/src/sysv/systemd/sssd-kcm.service.in
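Review bot: `%__chmod -f -R g+r %{_sysconfdir}/sssd` grants only the read bit, so if `%{_sysconfdir}/sssd` (or `conf.d`/`pki` beneath it) is still mode 0700 from an older install, the `%{sssd_user}` group can list the directory but cannot open the files inside it; the directory mode is set by a `%files` `%attr` outside this hunk, so it may already be 0750, but `g+rX` would make the migration self-contained: `%__chmod -f -R g+rX %{_sysconfdir}/sssd || true`. The same applies to the `chmod -f -R g+r @sssdconfdir@` lines added in the sssd-kcm.service.in and sssd.service.in hunks. Note also that `g+r` only ever relaxes permissions: a file that was already world-readable stays world-readable, so this does not by itself enforce the `rw-r----- root:sssd` the commit message describes. A comment above the two new lines recording the intent from the commit message, e.g. `# migrate legacy sssd:sssd ownership to root:sssd, group-readable; drop once old installs are gone`, would tell the next maintainer when it is safe to remove them.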
@@ -9,9 +9,8 @@ Also=sssd-kcm.socket
 [Service]
 Environment=DEBUG_LOGGER=--logger=files
-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
+ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
+ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
 ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb"
 ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log
 ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER}
diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
index 37e0a63f8..a6f79ff8a 100644
--- a/src/sysv/systemd/sssd.service.in
+++ b/src/sysv/systemd/sssd.service.in
@@ -10,10 +10,8 @@ StartLimitBurst=5
 [Service]
 Environment=DEBUG_LOGGER=--logger=files
 EnvironmentFile=-@environment_file@
-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/pki
+ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
+ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
 ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @dbpath@/*.ldb"
 ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @gpocachepath@/*"
 ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/*.log"
-- 
2.47.0
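Review bot: The new `ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@` and `chmod -f -R g+r` lines run as root over the entire `@sssdconfdir@` tree on every start of sssd-kcm.service, and the same pair in the sssd.service.in hunk does so for sssd.service, whereas the removed lines targeted named paths; anything an administrator dropped into that directory, including a deliberately 0600 file, becomes group-readable on the next restart. That is the intended migration per the commit message, but the unit files carry no record of it; a comment above the pair such as `# Migrate @sssdconfdir@ to root:@SSSD_USER@, group-readable; remove once pre-migration installs are gone` would make the temporary nature explicit in both units. The `pki` chown dropped from sssd.service.in is covered by the recursive line, so nothing is lost there.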