Add note about unprivileged mode security review

2024-12-20 09:20:44 +01:00 · 2024-12-20 09:20:44 +01:00 · 1507d9a094
commit 1507d9a094
parent 7a9befa693
1 changed files with 4 additions and 1 deletions
--- a/sssd.spec
+++ b/sssd.spec
@ -120,7 +120,6 @@ Obsoletes:      sssd-common < %version-%release
 %define keytabdir	%sssdstatedir/keytabs
 %define mcpath		%sssdstatedir/mc
 %define ldbdir %(pkg-config ldb --variable=modulesdir)
-%define child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep

 # Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
 # %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
@ -480,6 +479,10 @@ mkdir -p "$b/%_sysusersdir" "$b/etc/permissions.d"
 cp -a system-user-sssd.conf "$b/%_sysusersdir/"
 %sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf
 install -Dpm 0644 contrib/sssd-tmpfiles.conf "%buildroot/%_tmpfilesdir/%name.conf"
+#
+# Security considerations for capabilities, chown and stuff:
+# https://www.openwall.com/lists/oss-security/2024/12/19/1
+#
 # should match entry from %%files list
 cat >"$b/etc/permissions.d/sssd" <<-EOF
 	%_libexecdir/sssd/sssd_pam root:sssd 0750