On (01/12/20 08:59), Tero Saarni wrote:
> Lukas Slebodnik wrote:
>> There is a way to run sssd as non-root, but /usr/sbin/sssd still requires a
>> bunch of Linux capabilities to achieve that.
>
>One more question, which I should have mentioned in my previous reply.  
>
>There are a few places in the code that check explicitly for root and exit 
>with an error if getuid() != 0, for example here: 
>https://github.com/SSSD/sssd/blob/master/src/monitor/monitor.c#L2449.  Since 
>these checks do not seem to be optional, adding capabilities alone does not help.
>

It is not just about `if getuid() != 0` in the monitor code.
There are also other places in {krb5/ldap}_child which try to escalate
privileges if they run as an unprivileged user, and that would not be allowed
due to missing CAP_SETGID, CAP_SETUID.
And a bunch of other places.


>How do the maintainers feel about making sssd run on OpenShift?  Would this be 
>something to pursue / possibly contribute to?
>

As I mentioned in my previous email, you can run sssd in OpenShift, but not with
the restricted scc.

If you really want to run it in the restricted scc, you can use LD_PRELOAD to
pretend execution as root, e.g. fakeroot:
https://nixdoc.net/man-pages/Linux/man1/fakeroot.1.html

It is used in sssd CI for some testing, but it is not meant for production.
But feel free to use it if you feel brave enough :-)

LS
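As an added illustration (not sssd's code, and not written by anyone in this thread) of why the two kinds of check Lukas describes disagree: a uid-based gate like the one quoted from monitor.c fails for every non-root process, while a gate on the effective capability set passes once CAP_SETUID/CAP_SETGID are actually granted. The function names are my own; it uses the raw capget(2) syscall so it needs no libcap.

```c
/* Added example: uid-based root gate vs. capability-based gate on Linux.
 * Not sssd code; function names are illustrative. */
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Pure helper: is bit `cap` set in a 64-bit capability mask given as two u32 words? */
int cap_in_mask(uint32_t lo, uint32_t hi, int cap)
{
    if (cap < 0 || cap > 63)
        return 0;
    return cap < 32 ? (lo >> cap) & 1u : (hi >> (cap - 32)) & 1u;
}

/* Read this process's effective capability set with capget(2) directly.
 * Returns 1 if `cap` is effective, 0 if it is not or the syscall fails. */
int has_effective_cap(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3] = { { 0 } };

    if (syscall(SYS_capget, &hdr, data) != 0)
        return 0;
    return cap_in_mask(data[0].effective, data[1].effective, cap);
}

/* The gate the thread quotes from monitor.c: only a real uid of 0 passes. */
int legacy_root_gate(void)
{
    return getuid() == 0;
}

/* A gate on what krb5_child/ldap_child actually need to switch uid/gid:
 * the capabilities themselves, regardless of which user runs the process. */
int helper_caps_gate(void)
{
    return has_effective_cap(CAP_SETUID) && has_effective_cap(CAP_SETGID);
}

int main(void)
{
    printf("uid=%u  uid-based root gate: %s\n", (unsigned)getuid(),
           legacy_root_gate() ? "pass" : "FAIL");
    printf("CAP_SETUID+CAP_SETGID effective: %s\n",
           helper_caps_gate() ? "yes" : "no");
    return 0;
}
```

Run it once as root and once as an unprivileged user with file capabilities set on the binary (e.g. via setcap) to see the first line fail while the second still says yes.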
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org