fcos.filesystem: add sssd helpers to setuid filter #2046
SSSD is moving to running as its own system user instead of as root. Part of this move involves adding setuid helpers with mode 4750 in order to read some privileged information before dropping privs. Those files trigger our setuid filter. Add them to the list.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: jlebon
@pbrezina Does that sound accurate? I based the above off of https://sssd.io/docs/design_pages/not_root_sssd.html, though couldn't find the source for that file in the repo itself (wanted to
I can't comment on that page but suid binaries are really just a dangerous idea in general. They're a huge attack surface. For this use case instead, the monitor process can expose an internal API (e.g. over a socketpair) that runs something privileged and passes its output to the requesting unprivileged process.
Hmm this whitelist should probably move to fedora-coreos-config in misc-ro - and maybe even add direct support to rpm-ostree for whitelisting suid/fcaps binaries.
@cgwalters I share your concerns. Let's see what the devs say and whether we can find a path forward long-term (though let's not block on it).
Yeah, I think we could move all of
Merging for now but I'd like to see the sssd team follow up on this.
The setuid binaries got to Fedora by mistake, I will revert it soon. SSSD has limited support for running as non-root, we would like to make it fully supported and default in the future, but as of this moment it is not something we recommend.
Ack thanks for following up. We should revert this PR as well once they're no longer there.
There is a build on F33, 34 and rawhide that should no longer add setuid to those binaries. sssd-2.4.2-1
PR revert in #2050.
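For readers unfamiliar with the kind of check this PR adjusts, here is an added example (not the project's code, and not taken from this thread) of a setuid/setgid filter that walks a filesystem tree and reports privileged-bit files missing from an allowlist. The function names, the allowlist and all paths are hypothetical.

```python
import os
import stat

# Hypothetical allowlist: paths, relative to the tree root, that may carry
# setuid/setgid bits. These names are constructed for this example.
ALLOWED = {"usr/bin/sudo", "usr/libexec/example/helper_a"}


def scan_tree(root):
    """Yield (relative_path, st_mode) for every regular file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: never follow symlinks out of the tree
            if stat.S_ISREG(st.st_mode):
                yield os.path.relpath(full, root), st.st_mode


def setuid_violations(entries, allowed=ALLOWED):
    """Return sorted (path, octal_mode, reason) for files with setuid/setgid
    bits that are not on the allowlist."""
    found = []
    for path, mode in entries:
        bits = mode & (stat.S_ISUID | stat.S_ISGID)
        if not bits or path in allowed:
            continue
        names = ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"))
        reason = "+".join(n for b, n in names if bits & b)
        found.append((path, oct(stat.S_IMODE(mode)), reason))
    return sorted(found)


# Constructed sample entries: (relative path, st_mode as lstat would report it).
SAMPLE = [
    ("usr/bin/ls", stat.S_IFREG | 0o755),                    # no special bits
    ("usr/bin/sudo", stat.S_IFREG | 0o4111),                 # setuid, allowlisted
    ("usr/libexec/example/helper_a", stat.S_IFREG | 0o4750), # setuid, allowlisted
    ("usr/libexec/example/helper_b", stat.S_IFREG | 0o4750), # setuid, NOT allowlisted
    ("usr/bin/write", stat.S_IFREG | 0o2755),                # setgid, NOT allowlisted
]

if __name__ == "__main__":
    for path, mode, reason in setuid_violations(SAMPLE):
        print(f"unexpected {reason} file: {path} (mode {mode})")
```

To audit a real tree, pass `scan_tree(root)` as `entries`; a mode 4750 helper that is not allowlisted is reported the same way as `helper_b` in the sample.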