URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

lslebodn commented:
"""
Unfortunately, it was pushed without careful review.

That would not work when running sssd in non-privileged mode because `seteuid` 
will fail.
And it was mentioned in upstream ticket https://pagure.io/SSSD/sssd/issue/3621

Quick POC
```
sh# su --shell=/bin/bash - sssd
sh$ python
Python 2.7.14 (default, Jan 31 2018, 14:27:00) 
[GCC 8.0.1 20180127 (Red Hat 8.0.1-0.6)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.getuid()
974
>>> os.geteuid()
974
>>> os.seteuid(1000)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OSError: [Errno 1] Operation not permitted
```

BTW I ran a few basic tests in non-privileged mode and it works like a charm with 
the following IPA tests:
selinux-usemap, sudo, hbac, user, group, netgroup, password changes, ssh keys, 
automount.

I didn't test ad-trust tests because there is a known issue in non-privileged 
mode.
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/498#issuecomment-365839135
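
The failure shown in the POC above can be predicted before calling `seteuid`. This is an added example, not part of the original comment and not SSSD code: it reads the `Uid` and `CapEff` lines of `/proc/<pid>/status` and applies the seteuid(2) permission rule. The function names and the sample status texts are constructed for illustration, and user namespaces are not considered.

```python
# Added example (not SSSD code): predict whether seteuid(target) can succeed
# from the Uid and CapEff lines of /proc/<pid>/status.
CAP_DAC_OVERRIDE = 1  # bit numbers from linux/capability.h
CAP_SETUID = 7


def parse_status(text):
    """Return ((real, effective, saved) UIDs, effective capability mask)."""
    uids, cap_eff = None, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "Uid":
            uids = tuple(int(v) for v in value.split()[:3])
        elif key == "CapEff":
            cap_eff = int(value.strip(), 16)
    if uids is None or cap_eff is None:
        raise ValueError("status text lacks Uid or CapEff")
    return uids, cap_eff


def has_cap(cap_eff, bit):
    """True if capability number `bit` is set in the effective mask."""
    return bool((cap_eff >> bit) & 1)


def seteuid_allowed(text, target_uid):
    """seteuid(2) rule: an unprivileged caller may only pick its real,
    effective or saved UID; any other target needs CAP_SETUID."""
    uids, cap_eff = parse_status(text)
    return target_uid in uids or has_cap(cap_eff, CAP_SETUID)


# Constructed samples: the sssd user from the POC (uid 974, no capabilities),
# a process holding only CAP_DAC_OVERRIDE, and root with a full capability set.
UNPRIVILEGED = "Name:\texample\nUid:\t974\t974\t974\t974\nCapEff:\t0000000000000000\n"
DAC_ONLY = "Name:\texample\nUid:\t974\t974\t974\t974\nCapEff:\t0000000000000002\n"
PRIVILEGED = "Name:\texample\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n"

if __name__ == "__main__":
    for label, status in (("unprivileged", UNPRIVILEGED),
                          ("CAP_DAC_OVERRIDE only", DAC_ONLY),
                          ("root", PRIVILEGED)):
        print(label, "-> seteuid(1000) allowed:", seteuid_allowed(status, 1000))
    # To inspect the running process instead of the samples:
    # seteuid_allowed(open("/proc/self/status").read(), 1000)
```
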
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org