sssd: enable unprivileged service user feature

The unprivileged service user feature has been improved in 2.10 to allow running the sssd service as an unprivileged user [1]. So enable this feature, and then we can run the service as the unprivileged user sssd. [1] https://github.com/SSSD/sssd/releases/tag/2.10.0 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Yi Zhao <yi.zhao@eng.windriver.com> 2025-03-27 21:23:27 +0800
committer: Armin Kuster <akuster808@gmail.com> 2025-04-13 14:07:57 -0400
commit: d31c2619da9f2b21b129d54a91d27088107f9026 (patch)
tree: 251a3bfbe6b107f6255348951f30b21ccaa09362
parent: 0d6aa528cf91701cfc368dc3013d9bba84d2d831 (diff)
download: meta-security-d31c2619da9f2b21b129d54a91d27088107f9026.tar.gz
1 files changed, 10 insertions, 4 deletions
diff --git a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.10.2.bb b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.10.2.bb
index 0ed62b8..b02710e 100644
--- a/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.10.2.bb
+++ b/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.10.2.bb
@@ -28,12 +28,16 @@ SRC_URI[sha256sum] = "e8aa5e6b48ae465bea7064048715ce7e9c53b50ec6a9c69304f59e0d35
 UPSTREAM_CHECK_URI = "https://github.com/SSSD/${BPN}/releases"
-inherit autotools pkgconfig gettext python3native features_check systemd
+inherit autotools pkgconfig gettext python3native features_check systemd useradd
 REQUIRED_DISTRO_FEATURES = "pam"
-SSSD_UID ?= "root"
+SSSD_UID ?= "sssd"
-SSSD_GID ?= "root"
+SSSD_GID ?= "sssd"
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM:${PN} = "--system sssd"
+USERADD_PARAM:${PN} = "--system --home /run/sssd --no-create-home -g sssd --shell /sbin/nologin sssd"
 CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
    ac_cv_prog_HAVE_PYTHON3=yes \
@@ -66,6 +70,7 @@ EXTRA_OECONF += " \
    --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \
    --with-pid-path=/run/sssd \
    --with-os=fedora \
+    --with-sssd-user=sssd \
 "
 do_configure:prepend () {
@@ -87,6 +92,7 @@ do_install () {
    install -d ${D}/${sysconfdir}/${BPN}
    install -m 600 ${UNPACKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}
+    chown -R root:${SSSD_GID} ${D}/${sysconfdir}/${BPN}
    # /var/log/sssd needs to be created in runtime. Use rmdir to catch if
    # upstream stops creating /var/log/sssd, or adds something else in
@@ -118,7 +124,6 @@ pkg_postinst_ontarget:${PN} () {
    if [ -e /etc/init.d/populate-volatile.sh ] ; then
        ${sysconfdir}/init.d/populate-volatile.sh update
    fi
-    chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf
 }
 CONFFILES:${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"
@@ -146,6 +151,7 @@ FILES:${PN} += "${base_libdir}/security/pam_sss*.so  \
                ${nonarch_libdir}/tmpfiles.d \
                ${datadir}/dbus-1/system.d/*.conf \
                ${datadir}/dbus-1/system-services/*.service \
+                ${datadir}/polkit-1/* \
                ${libdir}/krb5/* \
                ${libdir}/ldb/* \
                ${PYTHON_SITEPACKAGES_DIR}/sssd \
author	Yi Zhao <yi.zhao@eng.windriver.com>	2025-03-27 21:23:27 +0800
committer	Armin Kuster <akuster808@gmail.com>	2025-04-13 14:07:57 -0400
commit	d31c2619da9f2b21b129d54a91d27088107f9026 (patch)
tree	251a3bfbe6b107f6255348951f30b21ccaa09362
parent	0d6aa528cf91701cfc368dc3013d9bba84d2d831 (diff)
download	meta-security-d31c2619da9f2b21b129d54a91d27088107f9026.tar.gz