SERVICES: allow to run socket activated sssd_nss under SSSD_USER

Since 'libnss_sss.so' doesn't resolve SSSD_USER anymore, it should be safe to use it as "User=" (no NSS loop).
SSSD · Jan 7, 2024 · 674517d · 674517d
1 parent bac2f3c
commit 674517d
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 4 deletions.
diff --git a/Makefile.am b/Makefile.am
@@ -103,6 +103,8 @@ condconfigexists = ConditionPathExists=\|/etc/sssd/sssd.conf\nConditionDirectory
 # originally then it's addition to CapabilityBoundingSet doesn't matter.
 if SSSD_NON_ROOT_USER
 additional_caps = CAP_DAC_OVERRIDE
+nss_service_user_group = User=$(SSSD_USER)\nGroup=$(SSSD_USER)
+nss_socket_user_group = SocketUser=$(SSSD_USER)\nSocketGroup=$(SSSD_USER)
 endif
 else
 ifp_dbus_exec_comment = \# "sss_signal" is used to force SSSD monitor to trigger "sssd_ifp" reconnection to dbus
@@ -5262,7 +5264,9 @@ edit_cmd = $(SED) \
         -e 's|@prefix[@]|$(prefix)|g' \
         -e 's|@SSSD_USER[@]|$(SSSD_USER)|g' \
         -e 's|@condconfigexists[@]|$(condconfigexists)|g' \
-        -e 's|@additional_caps[@]|$(additional_caps)|g'
+        -e 's|@additional_caps[@]|$(additional_caps)|g' \
+        -e 's|@nss_service_user_group[@]|$(nss_service_user_group)|g' \
+        -e 's|@nss_socket_user_group[@]|$(nss_socket_user_group)|g'
 
 replace_script = \
     @rm -f $@ $@.tmp; \

diff --git a/src/sysv/systemd/sssd-nss.service.in b/src/sysv/systemd/sssd-nss.service.in
@@ -13,6 +13,10 @@ Environment=DEBUG_LOGGER=--logger=files
 EnvironmentFile=-@environment_file@
 ExecStart=@libexecdir@/sssd/sssd_nss ${DEBUG_LOGGER} --socket-activated
 Restart=on-failure
-# Currently SSSD NSS service ('sssd_nss') can't be started under 'sssd' user
-# via systemd due to NSS loop when systemd resolves getgrouplist(sssd).
-# Hence 'User=' and 'Group=' aren't set (defaults to root).
+# 'sssd_nss' is special in that it might be used for resolution of 'User='/'Group='/etc,
+# and this may cause the service to hang (loop).
+# For this reason avoid '/bin/chown root:root' auxiliary helper
+# and don't put 'User=root'/'Group=root' explicitly here (use it as a default instead if needed).
+# In case SSSD was built with support of running under non-root user, there is a special
+# handling of this situation in 'libnss_sss' and it is allowed to use it as 'User='/'Group='
+@nss_service_user_group@
diff --git a/src/sysv/systemd/sssd-nss.socket.in b/src/sysv/systemd/sssd-nss.socket.in
@@ -10,6 +10,7 @@ Conflicts=shutdown.target
 [Socket]
 ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r nss
 ListenStream=@pipepath@/nss
+@nss_socket_user_group@
 
 [Install]
 WantedBy=sssd.service