PROXY: strip SUID bit off 'proxy_child'

[alexey-tikhonov]

'proxy' provider can be used to load arbitrary modules that might
(or might not) require specific capabilities.

Granting all capabilities unconditionally feels unjustified. One of
the widely used options is proxy around 'libnss_files' that doesn't
require any capabilities. Let administrator to set file capability
manually if required in esoteric use cases.

[alexey-tikhonov]

FWIW, a run --with-sssd-user=sssd and system tests using sssd.conf::user=sssd is available in #7135

Besides "hardening in general", this change (among other '*_child' related changes) is needed to allow to use "SecureBits=noroot noroot-locked" in 'sssd.service'
And this, in turn, is needed to avoid 'sssd_be' regaining capabilities even when user=root (without those security bits set, execv with uid/gid=0 regains capabilities from bounding to permitted set)

[justin-stephenson]

Ack thank you. Should there be a release note?

[alexey-tikhonov]

Ack thank you. Should there be a release note?

I think "support of running under non-privileged user" should have a huge, holistic release note.
Adding a bunch of assorted RNs doesn't make sense, imo.

[alexey-tikhonov]

Take a note this makes 'proxy_child' binary readable/executable by anyone (the same as 'p11_child' or 'oidc_child', for example). But I don't think this is an issue.

[pbrezina]

You also need to change it in makefile: https://github.com/SSSD/sssd/blob/master/Makefile.am#L5539

[alexey-tikhonov]

You also need to change it in makefile: https://github.com/SSSD/sssd/blob/master/Makefile.am#L5539

Thanks, done.

[sumit-bose]

Hi,

thanks for the patch, ACK.

bye,
Sumit

[alexey-tikhonov]

Pushed PR: #7134

• master
  • a785115 - PROXY: strip SUID bit off 'proxy_child'