From 0ece757319ba57976e138bc66425db03d527d499 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov
Date: Sat, 20 Dec 2025 11:40:42 +0100
Subject: [PATCH] TMP/TEST: don't grant cap-set-id to 'krb5_child'

(cherry picked from commit a4a7b3d6186b31c9141860f7ceb834f249b16bcd)
---
 Makefile.am | 2 +-
 contrib/sssd.spec.in | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 4bc4e28a9f..507bf2c30c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -5524,7 +5524,7 @@ if SSSD_USER
 -$(SETCAP) cap_dac_read_search=p $(DESTDIR)$(sssdlibexecdir)/ldap_child
 -chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/krb5_child
 chmod 750 $(DESTDIR)$(sssdlibexecdir)/krb5_child
- -$(SETCAP) cap_dac_read_search,cap_setuid,cap_setgid=p $(DESTDIR)$(sssdlibexecdir)/krb5_child
+ -$(SETCAP) cap_dac_read_search=p $(DESTDIR)$(sssdlibexecdir)/krb5_child
 -chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/proxy_child
 chmod 750 $(DESTDIR)$(sssdlibexecdir)/proxy_child
 -chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/sssd_pam
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 20bbbdcc93..a959761c0c 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -779,7 +779,7 @@ install -D -p -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/sssd.conf
 %license COPYING
 %attr(775,sssd,sssd) %dir %{pubconfpath}/krb5.include.d
 %attr(0750,root,sssd) %caps(cap_dac_read_search=p) %{_libexecdir}/%{servicename}/ldap_child
-%attr(0750,root,sssd) %caps(cap_dac_read_search,cap_setuid,cap_setgid=p) %{_libexecdir}/%{servicename}/krb5_child
+%attr(0750,root,sssd) %caps(cap_dac_read_search=p) %{_libexecdir}/%{servicename}/krb5_child
 %config(noreplace) %{_sysconfdir}/krb5.conf.d/enable_sssd_conf_dir
 %dir %{_datadir}/sssd/krb5-snippets
 %{_datadir}/sssd/krb5-snippets/enable_sssd_conf_dir
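Review bot: Nothing in this patch touches krb5_child itself, yet the new `$(SETCAP) cap_dac_read_search=p` line for krb5_child removes `cap_setuid` and `cap_setgid` from its permitted set; the `%caps(...)` line in contrib/sssd.spec.in has the same gap. If the helper still attempts to change its UID/GID (presumably the reason those capabilities were granted), that call will fail in an SSSD_USER build, so the series should either remove that code path or make it fail closed with a clear log message. The recipe line keeps its leading `-`, so a failed setcap is ignored and the binary is installed with no file capability at all; that is the safe direction, but it will surface only as a runtime authentication failure. A comment above the line would record the intent, for example `# krb5_child: no cap_setuid/cap_setgid on purpose; it must not switch identity`. The `if SSSD_USER` block starts and ends outside this hunk.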
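Review bot: The capability list for krb5_child is now maintained in two places, this `%caps(cap_dac_read_search=p)` entry and the `$(SETCAP)` recipe in Makefile.am, with nothing on either side pointing at the other. A drift between them would leave RPM installs and `make install` trees with different privilege sets for the same helper. A short comment above the two `%caps` entries would help, for example `# File capabilities must match the $(SETCAP) lines in Makefile.am`. The `%files` section this entry belongs to starts outside the hunk.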