From 2708fb488277209a60a5daf5217502c029c196c1 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Tue, 24 Jul 2018 18:52:08 +0000
Subject: [PATCH] SUDO: Root should be able to read/write sssd-sudo socket
There is not any reason to require additional capabilities from root
when sssd is running as unprivileged user.
Sudo UNIX socket is not a real private socket. It just cannot
be used by others. Just owner(sssd) and root should be able to use it.
Resolves:
https://pagure.io/SSSD/sssd/issue/3778
Merges: https://pagure.io/SSSD/sssd/pull-request/3784
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 21ea8204a0bd8ea4451f420713e909d3cfee34ef)
---
src/sysv/systemd/sssd-sudo.socket.in | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in
index 96a8b0327ddb4d331c9b2e97ece3453f8f76872d..e94a2f6151e3d69edc304776b72a81db22762503 100644
--- a/src/sysv/systemd/sssd-sudo.socket.in
+++ b/src/sysv/systemd/sssd-sudo.socket.in
@@ -10,8 +10,7 @@ Conflicts=shutdown.target
ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r sudo
ListenStream=@pipepath@/sudo
SocketUser=@SSSD_USER@
-SocketGroup=@SSSD_USER@
-SocketMode=0600
+SocketMode=0660
[Install]
WantedBy=sssd.service
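Review bot: Dropping `SocketGroup=` while widening `SocketMode` to `0660` leaves the socket's group implicit, so who gains read/write through the new group bits depends on systemd's defaulting rather than on anything stated in the unit. Per systemd.socket(5), when only `SocketUser=` is set the group is derived from that user's default group, which would give the extra access to every member of the @SSSD_USER@ primary group rather than to root's group as the commit message implies. If the goal is root access without extra capabilities, state it explicitly with `SocketGroup=root`; otherwise add a comment such as `# group defaults to SocketUser's primary group; 0660 is intentional` above `SocketMode=0660`. Whether that primary group has other members is not visible from this hunk, so it should be confirmed on the target distributions.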
--
2.14.4