On (01/12/20 08:59), Tero Saarni wrote:
> Lukas Slebodnik wrote:
>> There is a way to run sssd as non-root, but /usr/sbin/sssd still requires
>> a bunch of Linux capabilities to achieve that.
>
> One more question, which I should have mentioned in my previous reply.
>
> Since there are a few places in the code that check explicitly for root and exit
> with an error if getuid() != 0, for example here
> https://github.com/SSSD/sssd/blob/master/src/monitor/monitor.c#L2449. Since
> these checks do not seem to be optional, adding capabilities alone does not help.
>
It is not just about `if getuid() != 0` in the monitor code. There are also other places in {krb5/ldap}_child which try to escalate privileges if they run as an unprivileged user, and it would not be allowed due to missing CAP_SETGID, CAP_SETUID. And a bunch of other places.

> How do the maintainers feel about making sssd run on OpenShift? Would this be
> something to pursue / possibly contribute to?
>

As I mentioned in the previous email, you can run sssd in OpenShift but not with the restricted SCC. If you really want to run it in the restricted SCC you can use LD_PRELOAD to pretend execution as root, e.g. fakeroot https://nixdoc.net/man-pages/Linux/man1/fakeroot.1.html

It is used in sssd CI for some testing but it is not meant for production. But feel free to use it if you feel brave enough :-)

LS

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
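The thread's point is that a hard `getuid() != 0` check defeats running a daemon as an unprivileged user that has been granted the capabilities it actually needs. The following is an added example, not code from sssd or from anyone in the thread: it reads the effective capability set from `/proc/self/status` and checks for CAP_SETUID and CAP_SETGID (the two the reply names for the child helpers), which passes both for root and for a capability-granted non-root process. The bit numbers are the kernel's values from `<linux/capability.h>`; the `krb5_child` status snippet in `main` is constructed sample input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capability bit numbers as defined in <linux/capability.h>. */
#define CAP_SETGID_BIT 6
#define CAP_SETUID_BIT 7

/* Effective capability mask from the CapEff line of a /proc/<pid>/status
 * text; 0 when the line is missing or malformed. */
uint64_t parse_cap_eff(const char *status_text)
{
    const char *p = strstr(status_text, "CapEff:");
    unsigned long long mask = 0;
    if (p == NULL || sscanf(p + strlen("CapEff:"), " %llx", &mask) != 1)
        return 0;
    return (uint64_t)mask;
}

/* The check a uid/gid-switching helper can use instead of getuid() != 0:
 * passes for root and for a non-root process that holds CAP_SETUID and
 * CAP_SETGID (granted e.g. by file capabilities or the container runtime). */
int can_switch_ids_from_status(const char *status_text)
{
    uint64_t needed = (1ULL << CAP_SETGID_BIT) | (1ULL << CAP_SETUID_BIT);
    return (parse_cap_eff(status_text) & needed) == needed;
}

/* Same check against the calling process; -1 if /proc is unreadable. */
int can_switch_ids(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return can_switch_ids_from_status(buf);
}

int main(void)
{
    /* Constructed sample: only bits 6 and 7 (CAP_SETGID, CAP_SETUID) set. */
    const char *sample = "Name:\tkrb5_child\nCapEff:\t00000000000000c0\n";
    printf("sample process may switch ids: %d\n", can_switch_ids_from_status(sample));
    printf("this process may switch ids:   %d\n", can_switch_ids());
    return 0;
}
```

Under a restricted SCC the second line prints 0 even for a process whose uid happens to be 0 inside the container, which is why the capability set rather than the uid is what such a check should consult.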