From 2708fb488277209a60a5daf5217502c029c196c1 Mon Sep 17 00:00:00 2001

From: Lukas Slebodnik <lslebodn@redhat.com>

Date: Tue, 24 Jul 2018 18:52:08 +0000

Subject: [PATCH] SUDO: Root should be able to read/write sssd-sudo socket

There is not any reason to require additional capabilities from root

when sssd is running as unprivileged user.

Sudo UNIX socket is not a real private socket. It just cannot

be used by others. Just owner(sssd) and root should be able to use it.

Resolves:

https://pagure.io/SSSD/sssd/issue/3778

Merges: https://pagure.io/SSSD/sssd/pull-request/3784

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

(cherry picked from commit 21ea8204a0bd8ea4451f420713e909d3cfee34ef)

---

 src/sysv/systemd/sssd-sudo.socket.in | 3 +--

 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in

index 96a8b0327ddb4d331c9b2e97ece3453f8f76872d..e94a2f6151e3d69edc304776b72a81db22762503 100644

--- a/src/sysv/systemd/sssd-sudo.socket.in

+++ b/src/sysv/systemd/sssd-sudo.socket.in

@@ -10,8 +10,7 @@ Conflicts=shutdown.target

 ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r sudo

 ListenStream=@pipepath@/sudo

 SocketUser=@SSSD_USER@

-SocketGroup=@SSSD_USER@

-SocketMode=0600

+SocketMode=0660

 [Install]

 WantedBy=sssd.service

-- 

2.14.4