From 0b78a9314ca67b1e83de1131c5c2f77a82fd72bf Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.com>
Date: Thu, 26 Mar 2026 13:24:28 +0100
Subject: [PATCH] Run as root

Signed-off-by: Samuel Cabrero <scabrero@suse.com>
---
 Makefile.am                             |  3 ++-
 src/examples/logrotate.in               |  2 +-
 src/sysv/systemd/sssd-autofs.service.in |  4 ++--
 src/sysv/systemd/sssd-autofs.socket.in  |  4 ++--
 src/sysv/systemd/sssd-ifp.service.in    |  4 ++--
 src/sysv/systemd/sssd-kcm.service.in    |  8 ++++----
 src/sysv/systemd/sssd-pac.service.in    |  4 ++--
 src/sysv/systemd/sssd-pac.socket.in     |  4 ++--
 src/sysv/systemd/sssd-pam.service.in    |  4 ++--
 src/sysv/systemd/sssd-pam.socket.in     |  4 ++--
 src/sysv/systemd/sssd-ssh.service.in    |  4 ++--
 src/sysv/systemd/sssd-ssh.socket.in     |  4 ++--
 src/sysv/systemd/sssd-sudo.service.in   |  4 ++--
 src/sysv/systemd/sssd-sudo.socket.in    |  4 ++--
 src/sysv/systemd/sssd.service.in        | 11 ++++++-----
 15 files changed, 35 insertions(+), 33 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index dcd05d1d4..eb92b4a51 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -118,7 +118,7 @@ endif # BUILD_CONF_SERVICE_USER_SUPPORT
 if SSSD_NON_ROOT_USER
 nss_service_user_group = User=$(SSSD_USER)\nGroup=$(SSSD_USER)
 nss_socket_user_group = SocketUser=$(SSSD_USER)\nSocketGroup=$(SSSD_USER)
-supplementary_groups = \# If service configured to be run under "root", uncomment "SupplementaryGroups"\n\#SupplementaryGroups=$(SSSD_USER)
+supplementary_groups = \# If service configured to be run under "root", uncomment "SupplementaryGroups"\nSupplementaryGroups=$(SSSD_USER)
 else
 supplementary_groups = \# Note: SSSD package was built without support of running as non-privileged user
 endif # SSSD_NON_ROOT_USER
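Review bot: The comment embedded in the new `supplementary_groups` value still tells the reader to "uncomment SupplementaryGroups", but the line now emits the directive uncommented, so every unit generated under SSSD_NON_ROOT_USER carries a comment that contradicts the directive immediately below it. Rewrite the embedded text to describe what is now generated, e.g. `supplementary_groups = \# Service runs as root; keep $(SSSD_USER) as a supplementary group\nSupplementaryGroups=$(SSSD_USER)`. The `else` branch is unchanged and still documents the build-without-non-root case correctly.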
@@ -5257,6 +5257,7 @@ edit_cmd = $(SED) \
         -e 's|@pipepath[@]|$(pipepath)|g' \
         -e 's|@prefix[@]|$(prefix)|g' \
         -e 's|@SSSD_USER[@]|$(SSSD_USER)|g' \
+        -e 's|@SSSD_RUN_USER[@]|root|g' \
         -e 's|@condconfigexists[@]|$(condconfigexists)|g' \
         -e 's|@capabilities[@]|$(capabilities)|g' \
         -e 's|@nss_service_user_group[@]|$(nss_service_user_group)|g' \
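Review bot: The new substitution hard-codes the literal `root` for `@SSSD_RUN_USER@` inside edit_cmd, so the account the daemons run under is no longer a build-time choice and the SSSD_NON_ROOT_USER conditional earlier in this file now only controls `nss_service_user_group` and `supplementary_groups` while every `User=`/`Group=` still resolves to root. A make variable would keep that decision in one reviewable place: `-e 's|@SSSD_RUN_USER[@]|$(SSSD_RUN_USER)|g'` with `SSSD_RUN_USER = root` defined beside the conditional (the variable name is a proposal). Since this drops the unprivileged-user split for sssd and all responders, the remaining hardening is whatever the per-unit `CapabilityBoundingSet=` lines leave, and the commit message gives no rationale for the change, so a short comment above the sed entry stating why root is required would help the next reader. The edit_cmd definition begins before and continues past this hunk.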
diff --git a/src/examples/logrotate.in b/src/examples/logrotate.in
index d4352c4e3..5926e6791 100644
--- a/src/examples/logrotate.in
+++ b/src/examples/logrotate.in
@@ -6,7 +6,7 @@
     rotate 2
     compress
     delaycompress
-    su @SSSD_USER@ @SSSD_USER@
+    su root @SSSD_USER@
     postrotate
         /bin/kill -HUP `cat @pidpath@/sssd.pid 2>/dev/null` 2> /dev/null || true
         /bin/pkill -HUP sssd_kcm 2> /dev/null || true
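Review bot: `su root @SSSD_USER@` makes logrotate create rotated files as root:@SSSD_USER@, while the sssd.service.in hunk in this same patch chowns `@logpath@/*.log*` to `@SSSD_RUN_USER@:@SSSD_RUN_USER@`, i.e. root:root, so the group on the log files flips depending on which of the two last touched them. Use the same pair in both places; assuming logrotate.in is processed by the same edit_cmd (it already uses `@SSSD_USER@` and `@pidpath@` from that list), `su @SSSD_RUN_USER@ @SSSD_RUN_USER@` keeps this template in step with the unit files, or keep `@SSSD_USER@` as the group in the unit files if the group is meant to retain read access. The enclosing log stanza begins before this hunk.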
diff --git a/src/sysv/systemd/sssd-autofs.service.in b/src/sysv/systemd/sssd-autofs.service.in
index 0fa24b247..eeb0eb179 100644
--- a/src/sysv/systemd/sssd-autofs.service.in
+++ b/src/sysv/systemd/sssd-autofs.service.in
@@ -15,6 +15,6 @@ ExecStart=@libexecdir@/sssd/sssd_autofs ${DEBUG_LOGGER} --socket-activated
 # No capabilities:
 CapabilityBoundingSet=
 Restart=on-failure
-User=@SSSD_USER@
-Group=@SSSD_USER@
+User=@SSSD_RUN_USER@
+Group=@SSSD_RUN_USER@
 @supplementary_groups@
diff --git a/src/sysv/systemd/sssd-autofs.socket.in b/src/sysv/systemd/sssd-autofs.socket.in
index 201b33d90..6b2370054 100644
--- a/src/sysv/systemd/sssd-autofs.socket.in
+++ b/src/sysv/systemd/sssd-autofs.socket.in
@@ -9,8 +9,8 @@ Conflicts=shutdown.target
 [Socket]
 ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r autofs
 ListenStream=@pipepath@/autofs
-SocketUser=@SSSD_USER@
-SocketGroup=@SSSD_USER@
+SocketUser=@SSSD_RUN_USER@
+SocketGroup=@SSSD_RUN_USER@
 
 [Install]
 WantedBy=sssd.service
diff --git a/src/sysv/systemd/sssd-ifp.service.in b/src/sysv/systemd/sssd-ifp.service.in
index 1ab163392..460d58d67 100644
--- a/src/sysv/systemd/sssd-ifp.service.in
+++ b/src/sysv/systemd/sssd-ifp.service.in
@@ -13,6 +13,6 @@ ExecStart=@libexecdir@/sssd/sssd_ifp ${DEBUG_LOGGER} --socket-activated
 # No capabilities:
 CapabilityBoundingSet=
 Restart=on-failure
-User=@SSSD_USER@
-Group=@SSSD_USER@
+User=@SSSD_RUN_USER@
+Group=@SSSD_RUN_USER@
 @supplementary_groups@
diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
index 849d6e3e6..285cc1159 100644
--- a/src/sysv/systemd/sssd-kcm.service.in
+++ b/src/sysv/systemd/sssd-kcm.service.in
@@ -16,11 +16,11 @@ ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
 ExecStartPre=+-/bin/chmod -f g+x @sssdconfdir@
 ExecStartPre=+-/bin/chmod -f g+x @sssdconfdir@/conf.d
 ExecStartPre=+-/bin/chmod -f g+x @sssdconfdir@/pki
-ExecStartPre=+-/bin/sh -c "/bin/chown -f -h @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb"
-ExecStartPre=+-/bin/sh -c "/bin/chown -f -h @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log*"
+ExecStartPre=+-/bin/sh -c "/bin/chown -f -h @SSSD_RUN_USER@:@SSSD_RUN_USER@ @secdbpath@/*.ldb"
+ExecStartPre=+-/bin/sh -c "/bin/chown -f -h @SSSD_RUN_USER@:@SSSD_RUN_USER@ @logpath@/sssd_kcm.log*"
 ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER}
 CapabilityBoundingSet= CAP_DAC_READ_SEARCH CAP_SETGID CAP_SETUID
 SecureBits=noroot noroot-locked
-User=@SSSD_USER@
-Group=@SSSD_USER@
+User=@SSSD_RUN_USER@
+Group=@SSSD_RUN_USER@
 @supplementary_groups@
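Review bot: `User=@SSSD_RUN_USER@` now resolves to root while `SecureBits=noroot noroot-locked` two lines above is kept unchanged; as far as I can tell, with SECBIT_NOROOT set the kernel does not grant a uid-0 process the usual capability set at execve, so sssd_kcm would start with only the capabilities its binary carries as file capabilities, independent of what `CapabilityBoundingSet=` allows. If that is the intended model, a comment such as `# Runs as root with noroot set: capabilities come only from file caps on the binary` above the SecureBits line would make the reliance explicit; otherwise the SecureBits line needs revisiting alongside this change. The same combination of retained `SecureBits=noroot noroot-locked` and `User=@SSSD_RUN_USER@` appears in the sssd.service.in hunk of this patch.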
diff --git a/src/sysv/systemd/sssd-pac.service.in b/src/sysv/systemd/sssd-pac.service.in
index c2420c143..915877b0e 100644
--- a/src/sysv/systemd/sssd-pac.service.in
+++ b/src/sysv/systemd/sssd-pac.service.in
@@ -15,6 +15,6 @@ ExecStart=@libexecdir@/sssd/sssd_pac ${DEBUG_LOGGER} --socket-activated
 # No capabilities:
 CapabilityBoundingSet=
 Restart=on-failure
-User=@SSSD_USER@
-Group=@SSSD_USER@
+User=@SSSD_RUN_USER@
+Group=@SSSD_RUN_USER@
 @supplementary_groups@
diff --git a/src/sysv/systemd/sssd-pac.socket.in b/src/sysv/systemd/sssd-pac.socket.in
index 40dec4491..3cd9c2070 100644
--- a/src/sysv/systemd/sssd-pac.socket.in
+++ b/src/sysv/systemd/sssd-pac.socket.in
@@ -9,8 +9,8 @@ Conflicts=shutdown.target
 [Socket]
 ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r pac
 ListenStream=@pipepath@/pac
-SocketUser=@SSSD_USER@
-SocketGroup=@SSSD_USER@
+SocketUser=@SSSD_RUN_USER@
+SocketGroup=@SSSD_RUN_USER@
 
 [Install]
 WantedBy=sssd.service
diff --git a/src/sysv/systemd/sssd-pam.service.in b/src/sysv/systemd/sssd-pam.service.in
index 67f7bc6ef..9f37547c1 100644
--- a/src/sysv/systemd/sssd-pam.service.in
+++ b/src/sysv/systemd/sssd-pam.service.in
@@ -15,6 +15,6 @@ ExecStart=@libexecdir@/sssd/sssd_pam ${DEBUG_LOGGER} --socket-activated
 # 'CAP_DAC_READ_SEARCH' is granted as permitted file capability to be elevated to establish GSS API context
 CapabilityBoundingSet= CAP_DAC_READ_SEARCH
 Restart=on-failure
-User=@SSSD_USER@
-Group=@SSSD_USER@
+User=@SSSD_RUN_USER@
+Group=@SSSD_RUN_USER@
 @supplementary_groups@
diff --git a/src/sysv/systemd/sssd-pam.socket.in b/src/sysv/systemd/sssd-pam.socket.in
index e4916cac4..4bbf7b412 100644
--- a/src/sysv/systemd/sssd-pam.socket.in
+++ b/src/sysv/systemd/sssd-pam.socket.in
@@ -9,8 +9,8 @@ Conflicts=shutdown.target
 [Socket]
 ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r pam
 ListenStream=@pipepath@/pam
-SocketUser=@SSSD_USER@
-SocketGroup=@SSSD_USER@
+SocketUser=@SSSD_RUN_USER@
+SocketGroup=@SSSD_RUN_USER@
 
 [Install]
 WantedBy=sssd.service
diff --git a/src/sysv/systemd/sssd-ssh.service.in b/src/sysv/systemd/sssd-ssh.service.in
index dc1f46d1e..dd37009cf 100644
--- a/src/sysv/systemd/sssd-ssh.service.in
+++ b/src/sysv/systemd/sssd-ssh.service.in
@@ -15,6 +15,6 @@ ExecStart=@libexecdir@/sssd/sssd_ssh ${DEBUG_LOGGER} --socket-activated
 # No capabilities:
 CapabilityBoundingSet=
 Restart=on-failure
-User=@SSSD_USER@
-Group=@SSSD_USER@
+User=@SSSD_RUN_USER@
+Group=@SSSD_RUN_USER@
 @supplementary_groups@
diff --git a/src/sysv/systemd/sssd-ssh.socket.in b/src/sysv/systemd/sssd-ssh.socket.in
index 4772ef3c0..65f0a780c 100644
--- a/src/sysv/systemd/sssd-ssh.socket.in
+++ b/src/sysv/systemd/sssd-ssh.socket.in
@@ -9,8 +9,8 @@ Conflicts=shutdown.target
 [Socket]
 ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r ssh
 ListenStream=@pipepath@/ssh
-SocketUser=@SSSD_USER@
-SocketGroup=@SSSD_USER@
+SocketUser=@SSSD_RUN_USER@
+SocketGroup=@SSSD_RUN_USER@
 
 [Install]
 WantedBy=sssd.service
diff --git a/src/sysv/systemd/sssd-sudo.service.in b/src/sysv/systemd/sssd-sudo.service.in
index f2d104ad4..d82f1f84d 100644
--- a/src/sysv/systemd/sssd-sudo.service.in
+++ b/src/sysv/systemd/sssd-sudo.service.in
@@ -15,6 +15,6 @@ ExecStart=@libexecdir@/sssd/sssd_sudo ${DEBUG_LOGGER} --socket-activated
 # No capabilities:
 CapabilityBoundingSet=
 Restart=on-failure
-User=@SSSD_USER@
-Group=@SSSD_USER@
+User=@SSSD_RUN_USER@
+Group=@SSSD_RUN_USER@
 @supplementary_groups@
diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in
index b0191a261..935543dd3 100644
--- a/src/sysv/systemd/sssd-sudo.socket.in
+++ b/src/sysv/systemd/sssd-sudo.socket.in
@@ -9,8 +9,8 @@ Conflicts=shutdown.target
 [Socket]
 ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r sudo
 ListenStream=@pipepath@/sudo
-SocketUser=@SSSD_USER@
-SocketGroup=@SSSD_USER@
+SocketUser=@SSSD_RUN_USER@
+SocketGroup=@SSSD_RUN_USER@
 SocketMode=0660
 
 [Install]
diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
index ffcc7c2ad..d51fc6d30 100644
--- a/src/sysv/systemd/sssd.service.in
+++ b/src/sysv/systemd/sssd.service.in
@@ -17,17 +17,18 @@ ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
 ExecStartPre=+-/bin/chmod -f g+x @sssdconfdir@
 ExecStartPre=+-/bin/chmod -f g+x @sssdconfdir@/conf.d
 ExecStartPre=+-/bin/chmod -f g+x @sssdconfdir@/pki
-ExecStartPre=+-/bin/sh -c "/bin/chown -f -h @SSSD_USER@:@SSSD_USER@ @dbpath@/*.ldb"
-ExecStartPre=+-/bin/chown -f -R -h @SSSD_USER@:@SSSD_USER@ @gpocachepath@
-ExecStartPre=+-/bin/sh -c "/bin/chown -f -h @SSSD_USER@:@SSSD_USER@ @logpath@/*.log*"
+ExecStartPre=+-/bin/sh -c "/bin/chown -f -h @SSSD_RUN_USER@:@SSSD_RUN_USER@ @dbpath@/*.ldb"
+# Avoid error if the gpo_cache directory is empty
+ExecStartPre=+-/bin/sh -c "/bin/chown -f -R -h @SSSD_RUN_USER@:@SSSD_RUN_USER@ @gpocachepath@/* || true"
+ExecStartPre=+-/bin/sh -c "/bin/chown -f -h @SSSD_RUN_USER@:@SSSD_RUN_USER@ @logpath@/*.log*"
 ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
 Type=notify
 NotifyAccess=main
 Restart=on-abnormal
 @capabilities@
 SecureBits=noroot noroot-locked
-User=@SSSD_USER@
-Group=@SSSD_USER@
+User=@SSSD_RUN_USER@
+Group=@SSSD_RUN_USER@
 @supplementary_groups@
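Review bot: The `|| true` appended to the gpo_cache chown is redundant: the `+-` prefix already tells systemd to ignore that command's exit status and `-f` already silences chown, so the shell wrapper changes nothing about how failures are handled. The rewritten line also chowns `@gpocachepath@/*` instead of `@gpocachepath@`, so the directory itself is no longer re-owned and an empty directory now produces an unmatched glob — the error the new comment says it avoids is introduced by this rewrite rather than present in the original. If leaving the directory's owner alone is deliberate, say so in the comment; otherwise `ExecStartPre=+-/bin/chown -f -R -h @SSSD_RUN_USER@:@SSSD_RUN_USER@ @gpocachepath@` restores the previous behaviour with the new user macro and needs no shell. The [Service] section begins before this hunk.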
 
 [Install]
-- 
2.53.0

