| |
@@ -97,6 +97,33 @@
|
| |
``/var/lib/sss/deskprofile/<domain>/<username>/<profilename>.json``.
|
| |
The ``<username>`` directories need to be owned by the user being logged in.
|
| |
|
| |
+ The structure of the the created dirs follow::
|
| |
+
|
| |
+ /var/lib/sss/deskprofile/<domain>/<username>/<profilename>.json
|
| |
+ ------------ -------- ---------- ------------------
|
| |
+ | | | |
|
| |
+ v | | |
|
| |
+ Created by sssd package as | | |
|
| |
+ root:root (or sssd:sssd) | | |
|
| |
+ and has permissions 0751 | | |
|
| |
+ | | |
|
| |
+ v | |
|
| |
+ Owned by user:user_group | |
|
| |
+ and has permissions 0751 | |
|
| |
+ | |
|
| |
+ | |
|
| |
+ v |
|
| |
+ Owned by user:user_group |
|
| |
+ and has permissions 0700 |
|
| |
+ |
|
| |
+ v
|
| |
+ Owned by user:user_group
|
| |
+ and has permissions 0400
|
| |
+
|
| |
+ Please, keep in mind that this feature relies on CAP_SETUID and
|
| |
+ CAP_SETGID to properly work as expected and relies on SSSD being run
|
| |
+ as privileged user (root).
|
| |
+
|
| |
The ``<profilename.json>`` file must include the priority as a number
|
| |
which is read from the rule's ``prio`` attribute. The Fleet Commander
|
| |
client component will then process the JSON files in this priority. The
|
| |
fidencio
commented 6 years ago
This commit has the intented to explain better the perms of the dirs
that have to be created by SSSD when taking advantage of FleetCommander
integration and also explicitly says that we depend on CAP_SETUID and
CAP_SETGID.
Signed-off-by: Fabiano Fidêncio fidencio@redhat.com