Looking more closely at the upstream Fedora change proposal linked in this bug, and at the current running state of SSSD on my 26.04 system I think we've got some material differences that impact this issue:
- Monitor proc is not running as root, whereas the design would be for it to remain doing so to handle any elevated tasks (e.g. read the keytab). It also has no additional capabilities:

    CapPrm: 0000000000000000
    CapEff: 0000000000000000

  I'm not a wiz at kernel capabilities settings but I'm hoping that you might be, and can look into the differences in assigned / activated kernel caps vs the intended settings for those upstream as a way to drop privs except where explicitly needed.

Some evidence:

- The systemd service starts the SSSD monitor itself as User=sssd/Group=sssd.

- The monitor process is not root and has no effective or permitted capabilities:

    Uid: 109 109 109 109
    Gid: 112 112 112 112
    CapPrm: 0000000000000000
    CapEff: 0000000000000000
    CapBnd: 00000000000000c4 = cap_dac_read_search,cap_setgid,cap_setuid

- /usr/sbin/sssd and /usr/libexec/sssd/sssd_be have no file capabilities. Only ldap_child and krb5_child have file capabilities:

    /usr/libexec/sssd/ldap_child    cap_dac_read_search=p
    /usr/libexec/sssd/krb5_child    cap_dac_read_search,cap_setgid,cap_setuid=p

- This differs from upstream design notes that describe the monitor process remaining root so it can fork/exec initially privileged children. On this Ubuntu package, the monitor and backend are unprivileged, and SSSD failed to read/select the keytab principal when /etc/krb5.keytab was root:root 0600.

And the more I think about changing the ownership and mode on /etc/krb5.keytab the more I'm reluctant to say things should go that way - it seems hackish to manage that rather than staying true to upstream SSSD's model for dropping privs rather than interleaving filesystem permissions changes (that some may object to) in order to accomplish readability.

https://bugs.launchpad.net/bugs/2139337
Title: don't run as root, instead use --with-sssd-user=sssd
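An added check (not from the bug report or the SSSD project) that decodes the CapEff/CapBnd masks quoted in the comment and applies the same DAC reasoning to a root:root 0600 keytab; the status excerpt is constructed from the values in the report, and the read check is a simplification that ignores supplementary groups, fsuid and LSMs.

```python
import stat

# Capability bit numbers from linux/capability.h; unlisted bits print as cap_<n>.
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
    3: "cap_fowner", 4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid",
    7: "cap_setuid", 8: "cap_setpcap", 21: "cap_sys_admin",
}

# Constructed /proc/<pid>/status excerpt carrying the values quoted in the report.
SAMPLE_STATUS = """\
Uid:\t109\t109\t109\t109
Gid:\t112\t112\t112\t112
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t00000000000000c4
"""

def decode_caps(mask_hex):
    """Expand a hex capability mask into capability names, lowest bit first."""
    mask = int(mask_hex, 16)
    return [CAP_NAMES.get(b, f"cap_{b}") for b in range(mask.bit_length()) if mask >> b & 1]

def parse_status(text):
    """Pull the real uid/gid and the capability masks out of /proc/<pid>/status text."""
    out = {}
    for line in text.splitlines():
        key, _, rest = line.partition(":")
        vals = rest.split()
        if key in ("Uid", "Gid"):
            out[key.lower()] = int(vals[0])  # first column is the real id
        elif key in ("CapPrm", "CapEff", "CapBnd"):
            out[key] = vals[0]
    return out

def can_read(uid, gid, cap_eff_hex, owner_uid, owner_gid, mode):
    """Simplified DAC read check: CAP_DAC_READ_SEARCH or CAP_DAC_OVERRIDE in the
    effective set bypasses mode bits; otherwise owner/group/other read bits apply."""
    caps = decode_caps(cap_eff_hex)
    if "cap_dac_read_search" in caps or "cap_dac_override" in caps:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if gid == owner_gid:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def monitor_can_read_keytab(status_text, owner_uid=0, owner_gid=0, mode=0o600):
    st = parse_status(status_text)  # can this monitor open root:root 0600 /etc/krb5.keytab?
    return can_read(st["uid"], st["gid"], st["CapEff"], owner_uid, owner_gid, mode)
```

With the report's values the answer is False; the bounding set (CapBnd) only says which capabilities a child could inherit via file caps, not what the monitor itself can do.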
