SYSTEMD: chown all artifacts at startup

Main reason for this is compatibility with rpm-ostree based systems where rpm post install scriplets aren't run on an actual system. In general this looks like an unneeded overhead since ownership can be only wrong after upgrade from sssd-2.9- to sssd-2.10+ But this appears to be most simple solution atm and from practical point of view the main issue is merely a clutter in service files.
SSSD · Sep 12, 2024 · 6ed56fd · 6ed56fd
1 parent d914df6
commit 6ed56fd
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 1 deletion.
diff --git a/Makefile.am b/Makefile.am
@@ -5295,7 +5295,9 @@ edit_cmd = $(SED) \
         -e 's|@nss_service_user_group[@]|$(nss_service_user_group)|g' \
         -e 's|@nss_socket_user_group[@]|$(nss_socket_user_group)|g' \
         -e 's|@supplementary_groups[@]|$(supplementary_groups)|g' \
-        -e 's|@sssdconfdir[@]|$(sssdconfdir)|g'
+        -e 's|@sssdconfdir[@]|$(sssdconfdir)|g' \
+        -e 's|@secdbpath[@]|$(secdbpath)|g' \
+        -e 's|@dbpath[@]|$(dbpath)|g'
 
 replace_script = \
     @rm -f $@ $@.tmp; \

diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
@@ -9,8 +9,11 @@ Also=sssd-kcm.socket
 
 [Service]
 Environment=DEBUG_LOGGER=--logger=files
+ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
 ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
 ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
+ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @secdbpath@/*.ldb
+ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_kcm.log
 ExecStart=@libexecdir@/sssd/sssd_kcm ${DEBUG_LOGGER}
 CapabilityBoundingSet= CAP_DAC_OVERRIDE CAP_CHOWN CAP_SETGID CAP_SETUID
 SecureBits=noroot noroot-locked

diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
@@ -10,9 +10,12 @@ StartLimitBurst=5
 [Service]
 Environment=DEBUG_LOGGER=--logger=files
 EnvironmentFile=-@environment_file@
+ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@
 ExecStartPre=+-/bin/chown -f @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/sssd.conf
 ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/conf.d
 ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @sssdconfdir@/pki
+ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @dbpath@/*.ldb
+ExecStartPre=+-/bin/chown -f -R @SSSD_USER@:@SSSD_USER@ @logpath@/*.log
 ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
 Type=notify
 NotifyAccess=main