URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

lslebodn commented:
Unfortunately, it was pushed without careful review.

That would not work when running sssd in non-privileged mode because `seteuid` 
will fail.
And it was mentioned in upstream ticket https://pagure.io/SSSD/sssd/issue/3621

Quick POC
sh# su --shell=/bin/bash - sssd
sh$ python
Python 2.7.14 (default, Jan 31 2018, 14:27:00) 
[GCC 8.0.1 20180127 (Red Hat 8.0.1-0.6)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.getuid()
>>> os.geteuid()
>>> os.seteuid(1000)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OSError: [Errno 1] Operation not permitted

BTW I ran few basic tests in non-privileged mode and works like a charm with 
following IPA tests:
selinux-usemap, sudo, hbac, user, group, netgroup, password changes, ssh keys, 

I didn't test ad-trust tests because there is a known issue in non-privileged 

See the full comment at 
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

Reply via email to