diff --git a/TODO b/TODO
new file mode 100644
index 0000000..5152943
--- /dev/null
+++ b/TODO
@@ -0,0 +1,2 @@
+* Enable symvers.patch
+* cifs idmap plugin alternatives
diff --git a/sssd.permissions b/sssd.permissions
new file mode 100644
index 0000000..8a20ff8
--- /dev/null
+++ b/sssd.permissions
@@ -0,0 +1,11 @@
+/usr/libexec/sssd/sssd_pam root:sssd 0750
+ +capabilities cap_dac_read_search=p
+
+/usr/libexec/sssd/selinux_child root:sssd 0750
+ +capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
+
+/usr/libexec/sssd/krb5_child root:sssd 0750
+ +capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
+
+/usr/libexec/sssd/ldap_child root:sssd 0750
+ +capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
diff --git a/sssd.spec b/sssd.spec
index d04e8d3..ed40c6e 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -29,6 +29,7 @@ Source2:        https://github.com/SSSD/sssd/releases/download/%version/%name-2.
 Source3:        baselibs.conf
 Source5:        %name.keyring
 Source6:        sssd.sysusers
+Source7:        sssd.permissions
 Patch1:         krb-noversion.diff
 Patch2:         harden_sssd-ifp.service.patch
 Patch3:         harden_sssd-kcm.service.patch
@@ -103,6 +104,8 @@ BuildRequires:  pkgconfig(uuid)
 %endif
 %{?systemd_ordering}
 %sysusers_requires
+Requires(pre):  permissions
+Requires(post): permissions
 Requires:       sssd-ldap = %version-%release
 Requires(postun): pam-config
 Provides:       libsss_sudo = %version-%release
@@ -111,8 +114,8 @@ Obsoletes:      libsss_sudo < %version-%release
 Provides:       sssd-common = %version-%release
 Obsoletes:      sssd-common < %version-%release
 
+# Adjust sssd.permissions if the user changes
 %global sssd_user sssd
-%global child_capabilities cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep
 
 %define servicename	sssd
 %define sssdstatedir	%_localstatedir/lib/sss
@@ -216,6 +219,8 @@ Summary:        SSSD helpers needed for Kerberos and GSSAPI authentication
 License:        GPL-3.0-or-later
 Group:          System/Daemons
 Requires:       cyrus-sasl-gssapi
+Requires(pre):  permissions
+Requires(post): permissions
 
 %description krb5-common
 Provides helper processes that the LDAP and Kerberos back ends can
@@ -500,6 +505,7 @@ sed -i '1s@#!.*python.*@#!%{_bindir}/python3.11@' %{buildroot}/%{_libexecdir}/%{
 
 install -D -p -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/%{name}.conf
 install -D -p -m 0644 contrib/sssd-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/%{name}.conf
+install -D -p -m 0644 %{SOURCE7} %{buildroot}%{_sysconfdir}/permissions.d/%{name}
 
 %check
 # sss_config-tests fails
@@ -545,6 +551,10 @@ fi
 %{_bindir}/chown -f -R %{sssd_user}:%{sssd_user} %{_sysconfdir}/sssd/conf.d || true
 %{_bindir}/chown -f %{sssd_user}:%{sssd_user} %{_var}/log/%{name}/*.log || true
 
+%tmpfiles_create %{name}.conf
+%set_permissions %_libexecdir/%{name}/selinux_child
+%set_permissions %_libexecdir/%{name}/sssd_pam
+
 # install SSSD cifs-idmap plugin as an alternative
 update-alternatives --install %cifs_idmap_plugin %cifs_idmap_name %cifs_idmap_lib %cifs_idmap_priority
 
@@ -575,6 +585,10 @@ if [ ! -f "%cifs_idmap_lib" ]; then
 	update-alternatives --remove %cifs_idmap_name %cifs_idmap_lib
 fi
 
+%verifyscript
+%verify_permissions -e %_libexecdir/%{name}/selinux_child
+%verify_permissions -e %_libexecdir/%{name}/sssd_pam
+
 %post   -n libsss_certmap0 -p /sbin/ldconfig
 %postun -n libsss_certmap0 -p /sbin/ldconfig
 %post   -n libipa_hbac0 -p /sbin/ldconfig
@@ -625,6 +639,14 @@ fi
 %sysusers_create_package %{name} %SOURCE6
 %sysusers_create_package %{name}-krb5-common %SOURCE6
 
+%post krb5-common
+%set_permissions %_libexecdir/%{name}/krb5_child
+%set_permissions %_libexecdir/%{name}/ldap_child
+
+%verifyscript krb5-common
+%verify_permissions -e %_libexecdir/%{name}/krb5_child
+%verify_permissions -e %_libexecdir/%{name}/ldap_child
+
 %pre proxy
 %sysusers_create_package %{name} %SOURCE6
 %sysusers_create_package %{name}-proxy %SOURCE6
@@ -738,13 +760,13 @@ fi
 %_libexecdir/%name/sssd_autofs
 %_libexecdir/%name/sssd_be
 %_libexecdir/%name/sssd_nss
-%attr(0750,root,%{sssd_user}) %caps(cap_dac_read_search=p) %{_libexecdir}/%{name}/sssd_pam
+%attr(0750,root,%{sssd_user}) %{_libexecdir}/%{name}/sssd_pam
 %_libexecdir/%name/sssd_ssh
 %_libexecdir/%name/sssd_sudo
 %_libexecdir/%name/sss_signal
 %_libexecdir/%name/sssd_check_socket_activated_responders
 %if 0%{?suse_version} >= 1600
-%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %{_libexecdir}/%{name}/selinux_child
+%attr(0750,root,%{sssd_user}) %{_libexecdir}/%{name}/selinux_child
 %endif
 %dir %sssdstatedir
 %attr(700,%{sssd_user},%{sssd_user}) %dir %dbpath/
@@ -757,10 +779,11 @@ fi
 %attr(700,%{sssd_user},%{sssd_user}) %dir %keytabdir/
 %attr(750,%{sssd_user},%{sssd_user}) %dir %_localstatedir/log/%name/
 %attr(775,%{sssd_user},%{sssd_user}) %dir %sssdstatedir/
+%config(noreplace) %_sysconfdir/permissions.d/sssd
 %if "%{?_distconfdir}" != ""
 %attr(750,%{sssd_user},%{sssd_user}) %dir %_distconfdir/sssd/
 %attr(750,%{sssd_user},%{sssd_user}) %dir %_distconfdir/sssd/conf.d
-%attr(0600,%{sssd_user},%{sssd_user}) %config(noreplace) %_distconfdir/sssd/sssd.conf
+%attr(0600,%{sssd_user},%{sssd_user}) %_distconfdir/sssd/sssd.conf
 %else
 %attr(750,%{sssd_user},%{sssd_user}) %dir %_sysconfdir/sssd/
 %attr(750,%{sssd_user},%{sssd_user}) %dir %_sysconfdir/sssd/conf.d
@@ -875,8 +898,8 @@ fi
 %dir %_libdir/%name/
 %_libdir/%name/libsss_krb5_common.so
 %dir %_libexecdir/%name/
-%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %_libexecdir/%name/krb5_child
-%attr(0750,root,%{sssd_user}) %caps(%{child_capabilities}) %_libexecdir/%name/ldap_child
+%attr(0750,root,%{sssd_user}) %_libexecdir/%name/krb5_child
+%attr(0750,root,%{sssd_user}) %_libexecdir/%name/ldap_child
 
 %files polkit-rules
 %{_datadir}/polkit-1/rules.d/sssd-pcsc.rules