On (26/11/20 16:21), Tero Saarni wrote:
>Hi,
>
>I'm trying to run SSSD inside a docker container without the root user.  The
>container is executed in an OpenShift cluster which does not allow running as root
>inside the container.
>
>SSSD requires root and checks for this specifically.
>
>Is there any workaround for this?
>
>I believe the limitation is implemented for security reasons, in order to have the
>most critical parts executed as root and have it drop privileges for the other
>parts, but this now completely blocks using SSSD in the above environment.
>

There is a way to run sssd as non-root, but /usr/sbin/sssd still requires a
bunch of Linux capabilities to achieve that.

Here is the list: audit_write chown dac_override dac_read_search fowner
ipc_lock kill net_admin setgid setuid sys_admin sys_nice sys_resource

# sys_resource is optional and not needed with the default configuration


And an OpenShift unprivileged pod has just the following capabilities:
chown, dac_override, fowner, fsetid, setpcap, net_bind_service, net_raw,
sys_chroot, audit_write, setfcap

The following two are the most problematic: setgid and setuid,
but they are removed from the default set in OpenShift by default.

You would need to run sssd with a different security context than the restricted one:
https://www.openshift.com/blog/introduction-to-security-contexts-and-sccs

HTH

LS
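Added example, not from this thread or the SSSD project: a small POSIX sh helper that compares the effective capability mask a process actually has (the CapEff line of /proc/<pid>/status) against the capability list given in the reply above, so you can tell from inside a pod which capabilities the SCC you were assigned is still missing. The bit numbers are the standard ones from linux/capability.h; the RESTRICTED_SCC_MASK value is constructed here from the restricted-SCC capability list quoted in the reply, and the function names are this example's own.

```shell
#!/bin/sh
# Constructed helper (not sssd code): check a CapEff-style capability mask
# against the capabilities the reply says /usr/sbin/sssd needs as non-root.
# Bit numbers follow linux/capability.h (CAP_CHOWN=0 ... CAP_SETFCAP=31).

# name:bit pairs for the capabilities listed in the reply
SSSD_REQUIRED_CAPS="audit_write:29 chown:0 dac_override:1 dac_read_search:2 \
fowner:3 ipc_lock:14 kill:5 net_admin:12 setgid:6 setuid:7 sys_admin:21 \
sys_nice:23 sys_resource:24"

# has_cap MASK BIT -> exit 0 if BIT is set in the hex MASK
has_cap() {
    _mask=${1:-0}
    _bit=$2
    [ $(( (0x$_mask >> _bit) & 1 )) -eq 1 ]
}

# missing_caps MASK -> prints the names of required caps absent from MASK,
# space separated; exit 0 when nothing is missing, 1 otherwise
missing_caps() {
    _m=${1:-0}
    _missing=""
    for _pair in $SSSD_REQUIRED_CAPS; do
        _name=${_pair%%:*}
        _b=${_pair##*:}
        if ! has_cap "$_m" "$_b"; then
            _missing="$_missing $_name"
        fi
    done
    _missing=${_missing# }
    printf '%s\n' "$_missing"
    [ -z "$_missing" ]
}

# capeff_from_status FILE -> the hex CapEff value from a /proc/<pid>/status file
capeff_from_status() {
    awk '/^CapEff:/ { print $2 }' "$1"
}

# Constructed mask: the OpenShift restricted set quoted in the reply
# (chown, dac_override, fowner, fsetid, setpcap, net_bind_service, net_raw,
# sys_chroot, audit_write, setfcap), i.e. bits 0,1,3,4,8,10,13,18,29,31.
RESTRICTED_SCC_MASK=00000000a004251b

# Stand-alone run: report what the restricted SCC lacks, then check this process.
if ! missing_caps "$RESTRICTED_SCC_MASK" >/dev/null; then
    echo "restricted SCC is missing: $(missing_caps "$RESTRICTED_SCC_MASK")"
fi
if [ -r /proc/self/status ]; then
    _live=$(capeff_from_status /proc/self/status)
    if [ -n "$_live" ] && ! missing_caps "$_live" >/dev/null; then
        echo "this process is missing: $(missing_caps "$_live")"
    fi
fi
```

Run it inside the pod (or against a saved copy of the status file) to see exactly which of the listed capabilities the assigned SCC still drops; with the restricted SCC the output shows setgid and setuid among the gaps, which matches the point made in the reply.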
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org