From 1507d9a0944d5e4561b50f5711c11410c6102db2357375f84d4e99c977e11c66 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt <jengelh@inai.de>
Date: Fri, 20 Dec 2024 09:20:44 +0100
Subject: [PATCH] Add note about unprivileged mode security review

---
 sssd.spec | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/sssd.spec b/sssd.spec
index 5f59646..a79967b 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -120,7 +120,6 @@ Obsoletes:      sssd-common < %version-%release
 %define keytabdir	%sssdstatedir/keytabs
 %define mcpath		%sssdstatedir/mc
 %define ldbdir %(pkg-config ldb --variable=modulesdir)
-%define child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
 
 # Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
 # %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
@@ -480,6 +479,10 @@ mkdir -p "$b/%_sysusersdir" "$b/etc/permissions.d"
 cp -a system-user-sssd.conf "$b/%_sysusersdir/"
 %sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf
 install -Dpm 0644 contrib/sssd-tmpfiles.conf "%buildroot/%_tmpfilesdir/%name.conf"
+#
+# Security considerations for capabilities, chown and stuff:
+# https://www.openwall.com/lists/oss-security/2024/12/19/1
+#
 # should match entry from %%files list
 cat >"$b/etc/permissions.d/sssd" <<-EOF
 	%_libexecdir/sssd/sssd_pam root:sssd 0750