From 97629f36becb8acf7ed9de82f4d2649aa45098f9 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov
Date: Fri, 6 Dec 2024 20:03:16 +0100
Subject: [PATCH] SYSTEMD SERVICE: use "--no-dereference" for 'chown' to avoid following accidential symbolic links in those dirs.
Reviewed-by: Sumit Bose
(cherry picked from commit a20fa0ffd6cb61bc164f52403f396cce6de8b2ea)
---
 src/sysv/systemd/sssd-kcm.service.in | 6 +++---
 src/sysv/systemd/sssd.service.in | 8 ++++----
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
index 3e48945aa..088611254 100644
--- a/src/sysv/systemd/sssd-kcm.service.in
+++ b/src/sysv/systemd/sssd-kcm.service.in
@@ -9,10 +9,10 @@ Also=sssd-kcm.socket
 [Service]
 Environment=DEBUG_LOGGER=--logger=files
-ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
+ExecStartPre=+-/bin/chown -f -R -h root:@SSSD_USER@ @sssdconfdir@
 ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
-ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb"
-ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log
+ExecStartPre=+-/bin/sh -c "/bin/chown -f -h @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb"
+ExecStartPre=+-/bin/chown -f -h @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log
 ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER}
 CapabilityBoundingSet= CAP_DAC_READ_SEARCH CAP_SETGID CAP_SETUID
 SecureBits=noroot noroot-locked
diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
index 4f3cd24ff..441e35f6f 100644
--- a/src/sysv/systemd/sssd.service.in
+++ b/src/sysv/systemd/sssd.service.in
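Review bot: The `ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@` line that the hunk leaves unchanged between the two updated chown lines still dereferences a symbolic link given as its command-line argument; GNU chmod ignores symlinks it meets during recursion, so the remaining exposure is only the top-level path, and the identical line in src/sysv/systemd/sssd.service.in has the same property. That is presumably acceptable because @sssdconfdir@ is expected to be a real directory owned by the package, but it is worth stating in the commit or the unit. The reason for `-h` is not recorded in the unit itself; a comment above the first chown, `# -h: never dereference symlinks, so ownership changes stay inside this directory`, would spare the next reader a trip to the git log. Note that the `+-` prefix and `-f` mean all of these commands still fail silently, so a wrong ownership is not reported at this stage.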
@@ -10,11 +10,11 @@ StartLimitBurst=5
 [Service]
 Environment=DEBUG_LOGGER=--logger=files
 EnvironmentFile=-@environment_file@
-ExecStartPre=+-/bin/chown -f -R root:@SSSD_USER@ @sssdconfdir@
+ExecStartPre=+-/bin/chown -f -R -h root:@SSSD_USER@ @sssdconfdir@
 ExecStartPre=+-/bin/chmod -f -R g+r @sssdconfdir@
-ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @dbpath@/*.ldb"
-ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @gpocachepath@
-ExecStartPre=+-/bin/sh -c "/bin/chown -f @SSSD_USER@:@SSSD_USER@ @logpath@/*.log"
+ExecStartPre=+-/bin/sh -c "/bin/chown -f -h @SSSD_USER@:@SSSD_USER@ @dbpath@/*.ldb"
+ExecStartPre=+-/bin/chown -f -R -h @SSSD_USER@:@SSSD_USER@ @gpocachepath@
+ExecStartPre=+-/bin/sh -c "/bin/chown -f -h @SSSD_USER@:@SSSD_USER@ @logpath@/*.log"
 ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
 Type=notify
 NotifyAccess=main
-- 
2.47.0