lslebodn / SSSD / sssd

Forked from SSSD/sssd 7 years ago
61e4ba5 NSS: Avoid changing the memory cache ownership away from the sssd user

Authored and Committed by jhrozek 5 years ago
    NSS: Avoid changing the memory cache ownership away from the sssd user
    
    Resolves:
    https://pagure.io/SSSD/sssd/issue/3890
    
    In case SSSD is compiled --with-sssd-user but run as root (which is the
    default on RHEL and derivatives), then the memory cache will be owned by
    the user that sssd_nss runs as, so root.
    
    This conflicts with the packaging which specifies sssd.sssd as the owner. And
    in turn, this means that users can't reliably assess the package integrity
    using rpm -V.
    
    This patch makes sure that the memory cache files are chowned to sssd.sssd
    even if the nss responder runs as root.
    
    Also, this patch changes the sssd_nss responder so that it becomes a member
    of the supplementary sssd group. Even though in traditional UNIX sense,
    a process running as root could write to a file owned by sssd:sssd, with
    SELinux enforcing mode this becomes problematic as SELinux emits an error
    such as:
    
    type=AVC msg=audit(1543524888.125:1495): avc:  denied  { fsetid } for
    pid=7706 comm="sssd_nss" capability=4  scontext=system_u:system_r:sssd_t:s0
    tcontext=system_u:system_r:sssd_t:s0 tclass=capability
    
    To make it possible for the sssd_nss process to write to the files, the
    files are also made group-writable. The 'others' permission is still set
    to read only.
    
    Reviewed-by: Michal Židek <mzidek@redhat.com>
    
2 files modified: +4 -4, +100 -6