#3621 FleetCommander integration must not require capability DAC_OVERRIDE
Closed: Fixed 6 years ago Opened 6 years ago by lslebodn.

The manual page for Linux capabilities says:

       CAP_DAC_OVERRIDE
              Bypass file read, write, and execute permission checks.  (DAC is
              an abbreviation of "discretionary access control".)

It is a dangerous capability which root has by default, but it makes it much harder to run the daemon in non-privileged mode.

The related design page[1] says very little about the related file and directory structure:

So each per-user JSON file would be stored at /var/lib/sss/deskprofile/<domain>/<username>/<profilename>.json. The <username> directories need to be owned by the user being logged in.

It would be good to elaborate there more and specify who should have which access to files (rw, ro, ...).

[1] https://docs.pagure.org/SSSD.sssd/design_pages/fleet_commander_integration.html


Assigning to author of this feature to at least update design page.
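To make the access question in this ticket concrete, here is an added example (not SSSD code, and not from the design page) that models the kernel's DAC mode-bit check and walks the layout the design page describes, /var/lib/sss/deskprofile/&lt;domain&gt;/&lt;username&gt;/&lt;profile&gt;.json with the &lt;username&gt; directory owned by the user. The uids, gids and mode bits are constructed assumptions; the point it shows is where an unprivileged SSSD process would first be stopped by DAC, which is exactly the place a root-running daemon silently relies on CAP_DAC_OVERRIDE.

```python
"""Model of the Linux DAC (mode-bit) permission check, used to reason about
which accesses to the Fleet Commander profile tree would need CAP_DAC_OVERRIDE
if SSSD ran as an unprivileged user.

Constructed example: the layout follows the design page quoted in the ticket;
the uids, gids and modes are assumptions for illustration, not SSSD values.
"""
from dataclasses import dataclass

# Access request bits, same convention as access(2)
R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Inode:
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o750


@dataclass(frozen=True)
class Process:
    uid: int
    gid: int
    groups: frozenset  # supplementary groups


def dac_allows(inode, proc, want):
    """True if the mode bits alone grant `want` (an R|W|X mask).

    Mirrors the kernel's class selection: owner, else group, else other;
    only the first matching class is consulted.
    """
    if proc.uid == inode.uid:
        bits = (inode.mode >> 6) & 7
    elif proc.gid == inode.gid or inode.gid in proc.groups:
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    return (bits & want) == want


def needs_dac_override(tree, proc, path, want):
    """Walk `path` like the kernel does: X on every parent, `want` on the leaf.

    Returns the first component whose DAC bits would have to be bypassed
    (i.e. where CAP_DAC_OVERRIDE would be exercised), or None if DAC suffices.
    """
    parts = path.strip("/").split("/")
    for i in range(1, len(parts) + 1):
        prefix = "/" + "/".join(parts[:i])
        need = want if i == len(parts) else X
        if not dac_allows(tree[prefix], proc, need):
            return prefix
    return None


# Constructed identities (assumed uids/gids): root=0, sssd=990, alice=1000
ROOT, SSSD, ALICE = 0, 990, 1000
USER_DIR = "/var/lib/sss/deskprofile/example.com/alice"
PROFILE = USER_DIR + "/default.json"

TREE = {i.path: i for i in [
    Inode("/var", ROOT, ROOT, 0o755),
    Inode("/var/lib", ROOT, ROOT, 0o755),
    Inode("/var/lib/sss", ROOT, ROOT, 0o755),
    Inode("/var/lib/sss/deskprofile", ROOT, ROOT, 0o755),
    Inode("/var/lib/sss/deskprofile/example.com", ROOT, ROOT, 0o755),
    # per-user directory owned by the user, as the design page requires
    Inode(USER_DIR, ALICE, ALICE, 0o700),
    Inode(PROFILE, ALICE, ALICE, 0o600),
]}
SSSD_PROC = Process(SSSD, SSSD, frozenset())
ALICE_PROC = Process(ALICE, ALICE, frozenset())


def report(tree=TREE):
    """Where each identity would need a DAC bypass for its expected operation."""
    return {
        "sssd_write": needs_dac_override(tree, SSSD_PROC, PROFILE, W),
        "alice_read": needs_dac_override(tree, ALICE_PROC, PROFILE, R),
    }


def group_shared_tree():
    """Constructed alternative policy (an assumption, not SSSD's choice):
    the user directory and profile are group-owned by the sssd group with
    group rw, so the unprivileged daemon can write without any DAC bypass
    while the user keeps read access through the owner bits."""
    tree = dict(TREE)
    tree[USER_DIR] = Inode(USER_DIR, ALICE, SSSD, 0o770)
    tree[PROFILE] = Inode(PROFILE, ALICE, SSSD, 0o660)
    return tree


if __name__ == "__main__":
    for label, tree in (("user-owned 0700", TREE), ("group-shared", group_shared_tree())):
        for op, where in report(tree).items():
            print(f"{label}: {op} -> DAC bypass needed at {where}")
```

With the user-owned 0700 layout the daemon is stopped at the &lt;username&gt; directory itself (no search permission for "other"), which is why a root-run SSSD gets away with it only through CAP_DAC_OVERRIDE; the group-shared variant is one way of spelling out "who has rw and who has ro" so that no bypass is needed.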

Metadata Update from @lslebodn:
- Issue assigned to fidencio

6 years ago

Metadata Update from @fidencio:
- Custom field patch adjusted to on

6 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.2

6 years ago

Metadata Update from @jhrozek:
- Issue tagged with: PR

6 years ago

master:

Bug fix found by coverity:

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.1 (was: SSSD 1.16.2)

6 years ago

Design page has been updated, PRs have been merged.
There's already another ticket to track Fleet Commander usage when running SSSD as unprivileged user.

I'm closing this ticket.

Metadata Update from @fidencio:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

6 years ago

And here's the reference to the other ticket mentioned: https://pagure.io/SSSD/sssd/issue/3638

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4642

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
