#3638 Make Fleet Commander related code work for unprivileged users
Opened 9 months ago by fidencio. Modified 2 months ago

As pointed out in https://github.com/SSSD/sssd/pull/498#issuecomment-365839135, the Fleet Commander code will have some issues running in environments where the domain's process is unprivileged.

A possible solution for this would be to have different permissions for the deskprofile folder and the folders under this one.

I really would like to hear @simo's opinion on this one!


I would prefer to close this ticket as a duplicate of #3621. The use-case from the description of this ticket is already mentioned in #3621, and #3621 has not been closed yet.

BTW it is not an RFE but a bug.

The word "RFE" has been removed as per your suggestion.

I think it is ok to track this in a separate ticket.

Since the Fleet Commander support is an independent feature, it is imo sufficient to document that it currently only works if SSSD runs as root. This ticket already documents this, but an entry in a related man page wouldn't hurt either.

@fidencio would you prefer me to open another ticket about the man page entry? Or feel free to do it yourself.
Then we could defer this ticket to make it clear that the functionality doesn't work with an unprivileged user and fix the man page.

Created a new issue and updated the reference in the PR. JFTR: https://pagure.io/SSSD/sssd/issue/3648

Oh, I didn't notice there was a PR already. I'm all set then and I'll move this ticket to Patches Welcome.

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD Patches welcome

9 months ago

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1626564

2 months ago

To fix the issue with creating directories with proper ownership, where currently seteuid() is used, it might help to call the 'install' command (part of coreutils) with the needed arguments via oddjob. This way we can avoid writing another suid helper binary.
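Added example (not code from the SSSD project or from the ticket): the directory-creation step the comment above describes, done with coreutils `install -d` instead of switching euid. The deskprofile path, the 755/700 split between the base directory and the per-profile directories, and the helper names are assumptions; the real helper would be the command oddjob runs on SSSD's behalf.

```shell
#!/bin/sh
# Create a directory with an explicit owner, group and mode in one step,
# without the caller changing its own euid. 'install -d' creates missing
# parents and, if the directory already exists, still applies the
# requested owner/group/mode (coreutils behaviour, preserve_existing=off).
# MODE is an octal string without a leading zero (e.g. 750) so that it can
# be compared against 'stat -c %a'. Returns 1 if the result does not match.
make_owned_dir() {
    dir=$1; uid=$2; gid=$3; mode=$4
    install -d -o "$uid" -g "$gid" -m "$mode" "$dir" || return 1
    actual=$(stat -c '%u:%g:%a' "$dir") || return 1
    [ "$actual" = "$uid:$gid:$mode" ]
}

# Assumed layout: a world-readable base directory (755) owned by the SSSD
# user, and a private per-profile directory (700) under it, mirroring the
# "different permissions for the deskprofile folder and the folders under
# this one" idea from the ticket.
make_profile_tree() {
    base=$1; profile=$2; uid=$3; gid=$4
    make_owned_dir "$base" "$uid" "$gid" 755 || return 1
    make_owned_dir "$base/$profile" "$uid" "$gid" 700 || return 1
}

# Demo in a temporary directory, using the current user's ids so it also
# works unprivileged (chown to one's own uid/gid is permitted).
demo_root=$(mktemp -d)
if make_profile_tree "$demo_root/deskprofile" "example.profile" "$(id -u)" "$(id -g)"; then
    find "$demo_root" -mindepth 1 -exec stat -c '%a %u:%g %n' {} \;
fi
```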

