Replace 'cap_dac_override' with 'cap_dac_read_search' for

krb5_/ldap_child. 'cap_dac_read_search' is needed to read a keytab but 'cap_dac_override' (that allows to bypass file write permission checks) shouldn't be required.
SSSD · Nov 8, 2024 · 2fe6ff0 · 2fe6ff0
1 parent 4cb209d
commit 2fe6ff0
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
@@ -913,8 +913,8 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
 %files krb5-common
 %license COPYING
 %attr(775,%{sssd_user},%{sssd_user}) %dir %{pubconfpath}/krb5.include.d
-%attr(0750,root,%{sssd_user}) %caps(cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep) %{_libexecdir}/%{servicename}/ldap_child
-%attr(0750,root,%{sssd_user}) %caps(cap_chown,cap_dac_override,cap_setuid,cap_setgid=ep) %{_libexecdir}/%{servicename}/krb5_child
+%attr(0750,root,%{sssd_user}) %caps(cap_chown,cap_dac_read_search,cap_setuid,cap_setgid=ep) %{_libexecdir}/%{servicename}/ldap_child
+%attr(0750,root,%{sssd_user}) %caps(cap_chown,cap_dac_read_search,cap_setuid,cap_setgid=ep) %{_libexecdir}/%{servicename}/krb5_child
 
 %files krb5 -f sssd_krb5.lang
 %license COPYING

diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
@@ -14,7 +14,7 @@ ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
 ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb"
 ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log
 ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER}
-CapabilityBoundingSet= CAP_DAC_OVERRIDE CAP_CHOWN CAP_SETGID CAP_SETUID
+CapabilityBoundingSet= CAP_DAC_READ_SEARCH CAP_CHOWN CAP_SETGID CAP_SETUID
 SecureBits=noroot noroot-locked
 User=@SSSD_USER@
 Group=@SSSD_USER@