[info=1507d9a0944d5e4561b50f5711c11410c6102db2357375f84d4e99c977e11c66]

OBS-URL: https://build.opensuse.org/package/show/network:ldap/sssd?expand=0&rev=332

_scmsync.obsinfo

@@ -1,4 +1,4 @@
-mtime: 1733909604
-commit: 7a9befa6936272129afd7622722b7d44d87bdf6afa02bc7b21a6ccfd037903cc
+mtime: 1734682844
+commit: 1507d9a0944d5e4561b50f5711c11410c6102db2357375f84d4e99c977e11c66
 url: https://src.opensuse.org/jengelh/sssd
 revision: master

build.specials.obscpio

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:0f64dc33371d73cda0723d180821fa83b5cdad37b17fb4a9c2be8f8b473ea876
+oid sha256:5cef82fe2efad31ced57e8be6a100bc78b17ba52373d3567d44c87746a418e28
 size 256

sssd.spec

@@ -120,7 +120,6 @@ Obsoletes:      sssd-common < %version-%release
 %define keytabdir	%sssdstatedir/keytabs
 %define mcpath		%sssdstatedir/mc
 %define ldbdir %(pkg-config ldb --variable=modulesdir)
-%define child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
 
 # Both SSSD and cifs-utils provide an idmap plugin for cifs.ko
 # %%_sysconfdir/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins
@@ -480,6 +479,10 @@ mkdir -p "$b/%_sysusersdir" "$b/etc/permissions.d"
 cp -a system-user-sssd.conf "$b/%_sysusersdir/"
 %sysusers_generate_pre system-user-sssd.conf random system-user-sssd.conf
 install -Dpm 0644 contrib/sssd-tmpfiles.conf "%buildroot/%_tmpfilesdir/%name.conf"
+#
+# Security considerations for capabilities, chown and stuff:
+# https://www.openwall.com/lists/oss-security/2024/12/19/1
+#
 # should match entry from %%files list
 cat >"$b/etc/permissions.d/sssd" <<-EOF
 	%_libexecdir/sssd/sssd_pam root:sssd 0750