Add note about unprivileged mode security review
parent
7a9befa693
commit
1507d9a094
@ -120,7 +120,6 @@ Obsoletes: sssd-common < %version-%release
|
|||||||
%define keytabdir %sssdstatedir/keytabs
|
%define keytabdir %sssdstatedir/keytabs
|
||||||
%define mcpath %sssdstatedir/mc
|
%define mcpath %sssdstatedir/mc
|
||||||
%define ldbdir %(pkg-config ldb --variable=modulesdir)
|
%define ldbdir %(pkg-config ldb --variable=modulesdir)
|
||||||
%define child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
|
|
||||||
|
|
||||||
# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
|
# Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
|
||||||
# %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
|
# %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
|
||||||
@ -480,6 +479,10 @@ mkdir -p "$b/%_sysusersdir" "$b/etc/permissions.d"
|
|||||||
cp -a system-user-sssd.conf "$b/%_sysusersdir/"
|
cp -a system-user-sssd.conf "$b/%_sysusersdir/"
|
||||||
%sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf
|
%sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf
|
||||||
install -Dpm 0644 contrib/sssd-tmpfiles.conf "%buildroot/%_tmpfilesdir/%name.conf"
|
install -Dpm 0644 contrib/sssd-tmpfiles.conf "%buildroot/%_tmpfilesdir/%name.conf"
|
||||||
|
#
|
||||||
|
# Security considerations for capabilities, chown and stuff:
|
||||||
|
# https://www.openwall.com/lists/oss-security/2024/12/19/1
|
||||||
|
#
|
||||||
# should match entry from %%files list
|
# should match entry from %%files list
|
||||||
cat >"$b/etc/permissions.d/sssd" <<-EOF
|
cat >"$b/etc/permissions.d/sssd" <<-EOF
|
||||||
%_libexecdir/sssd/sssd_pam root:sssd 0750
|
%_libexecdir/sssd/sssd_pam root:sssd 0750
|
||||||
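Review bot: The comment block added before the permissions.d heredoc says only "capabilities, chown and stuff" plus a bare URL, so a maintainer reading the spec still has to fetch the mailing-list thread to learn what was decided for this package; state the conclusion in the comment itself, e.g. `# Security review of the unprivileged-mode capability/ownership model (why sssd_pam is installed root:sssd 0750 and which helpers keep file capabilities):` followed by the existing link, so the rationale survives if the link rots. The commit title suggests this is the same review that motivated dropping `%define child_capabilities` in the earlier hunk; if so, say that here, and check that no remaining `%caps(%child_capabilities)` or other use of the macro is left further down the spec, since an undefined macro is not expanded and the affected `%files` entry would then be wrong — the connection between the two hunks is inferred, not visible. The `cat >"$b/etc/permissions.d/sssd" <<-EOF` heredoc opened in this hunk continues past its end.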
|