From 55266793fd78dea8974a3ec11a3241d294867ced Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov
Date: Thu, 2 Jan 2025 14:15:37 +0100
Subject: [PATCH 1/2] SYSTEMD: traverse 'sssdconfdir' symlink while chown-ing to support use case where /etc/sssd is a symlink.
'-H' only allows following a command line argument itself, everything else encountered due to '-R' isn't followed.
This is an update to a20fa0ffd6cb61bc164f52403f396cce6de8b2ea
Resolves: https://github.com/SSSD/sssd/issues/7781
---
 src/sysv/systemd/sssd-kcm.service.in | 4 +++-
 src/sysv/systemd/sssd.service.in | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
index 0886112545..67da0368eb 100644
--- a/src/sysv/systemd/sssd-kcm.service.in
+++ b/src/sysv/systemd/sssd-kcm.service.in
@@ -9,7 +9,9 @@ Also=sssd-kcm.socket
 [Service]
 Environment=DEBUG_LOGGER=--logger=files
-ExecStartPre=+-/bin/chown -f -R -h root:@SSSD_USER@ @sssdconfdir@
+# '-H' is used with @sssdconfdir@ to support use case where /etc/sssd is a symlink.
+# '-H' only allows following a command line argument itself, everything else encountered due to '-R' isn't followed.
+ExecStartPre=+-/bin/chown -f -R -H root:@SSSD_USER@ @sssdconfdir@
 ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
 ExecStartPre=+-/bin/sh -c "/bin/chown -f -h @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb"
 ExecStartPre=+-/bin/chown -f -h @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log
diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
index 441e35f6fc..ccd2204ec5 100644
--- a/src/sysv/systemd/sssd.service.in
+++ b/src/sysv/systemd/sssd.service.in
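Review bot: Replacing `-h` with `-H` on the `ExecStartPre=+-/bin/chown -f -R -H root:@SSSD_USER@ @sssdconfdir@` line does more than follow the command-line symlink: in GNU chown, `-R` without `-H`/`-L` implicitly acts on symlinks themselves, but once `-H` is given the default dereferencing behaviour applies to symlinks found inside the tree, so a link under @sssdconfdir@ (for instance in conf.d) that points elsewhere gets its target re-owned to root:@SSSD_USER@ instead of the link itself. The added comment's "everything else encountered due to '-R' isn't followed" is only true of directory traversal, not of this ownership change, and should say so. Because the step runs as root via the `+` prefix, abusing this requires write access to @sssdconfdir@, but it is still a wider blast radius than the previous `-h` form; keeping `-h` and letting pathname resolution handle the command-line symlink, `ExecStartPre=+-/bin/chown -f -R -h root:@SSSD_USER@ @sssdconfdir@/`, looks like a worthwhile alternative to test. The same point applies to the sssd.service.in hunk below.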
@@ -10,7 +10,9 @@ StartLimitBurst=5
 [Service]
 Environment=DEBUG_LOGGER=--logger=files
 EnvironmentFile=-@environment_file@
-ExecStartPre=+-/bin/chown -f -R -h root:@SSSD_USER@ @sssdconfdir@
+# '-H' is used with @sssdconfdir@ to support use case where /etc/sssd is a symlink.
+# '-H' only allows following a command line argument itself, everything else encountered due to '-R' isn't followed.
+ExecStartPre=+-/bin/chown -f -R -H root:@SSSD_USER@ @sssdconfdir@
 ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
 ExecStartPre=+-/bin/sh -c "/bin/chown -f -h @SSSD_USER@:@SSSD_USER@ @dbpath@/*.ldb"
 ExecStartPre=+-/bin/chown -f -R -h @SSSD_USER@:@SSSD_USER@ @gpocachepath@
From f4e7595ba4d05e386350a124c54b0a9fdd62351d Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov
Date: Thu, 2 Jan 2025 14:56:39 +0100
Subject: [PATCH 2/2] SYSTEMD: fix missing 'g+x' on /etc/sssd and subdirs for rpm-ostree based systems
---
 src/sysv/systemd/sssd-kcm.service.in | 3 +++
 src/sysv/systemd/sssd.service.in | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
index 67da0368eb..b3d2a6e73f 100644
--- a/src/sysv/systemd/sssd-kcm.service.in
+++ b/src/sysv/systemd/sssd-kcm.service.in
@@ -13,6 +13,9 @@ Environment=DEBUG_LOGGER=--logger=files
 # '-H' only allows following a command line argument itself, everything else encountered due to '-R' isn't followed.
 ExecStartPre=+-/bin/chown -f -R -H root:@SSSD_USER@ @sssdconfdir@
 ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
+ExecStartPre=+-/bin/chmod -f g+x @sssdconfdir@
+ExecStartPre=+-/bin/chmod -f g+x @sssdconfdir@/conf.d
+ExecStartPre=+-/bin/chmod -f g+x @sssdconfdir@/pki
 ExecStartPre=+-/bin/sh -c "/bin/chown -f -h @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb"
 ExecStartPre=+-/bin/chown -f -h @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log
 ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER}
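Review bot: The three added `chmod -f g+x` lines in the sssd-kcm.service.in hunk grant search permission only on @sssdconfdir@, conf.d and pki, so any other directory created under @sssdconfdir@ stays untraversable for @SSSD_USER@ even though the preceding `chmod -f -R g+r` already reaches its contents. The symbolic mode `X` handles this in one line: `ExecStartPre=+-/bin/chmod -f -R g+rX @sssdconfdir@` adds group execute to every directory in the tree and only to files that already carry an execute bit, replacing the existing `g+r` line and the three new ones. If the explicit per-path form is kept on purpose, a comment such as `# group needs 'x' on each directory level to reach the files made g+r above` would record why exactly these paths are listed. The same applies to the sssd.service.in hunk that follows.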
diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
index ccd2204ec5..09ea69114d 100644
--- a/src/sysv/systemd/sssd.service.in
+++ b/src/sysv/systemd/sssd.service.in
@@ -14,6 +14,9 @@ EnvironmentFile=-@environment_file@
 # '-H' only allows following a command line argument itself, everything else encountered due to '-R' isn't followed.
 ExecStartPre=+-/bin/chown -f -R -H root:@SSSD_USER@ @sssdconfdir@
 ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
+ExecStartPre=+-/bin/chmod -f g+x @sssdconfdir@
+ExecStartPre=+-/bin/chmod -f g+x @sssdconfdir@/conf.d
+ExecStartPre=+-/bin/chmod -f g+x @sssdconfdir@/pki
 ExecStartPre=+-/bin/sh -c "/bin/chown -f -h @SSSD_USER@:@SSSD_USER@ @dbpath@/*.ldb"
 ExecStartPre=+-/bin/chown -f -R -h @SSSD_USER@:@SSSD_USER@ @gpocachepath@
 ExecStartPre=+-/bin/sh -c "/bin/chown -f -h @SSSD_USER@:@SSSD_USER@ @logpath@/*.log"