mirrors/meta-security
1
0
Fork 0
mirror of https://git.yoctoproject.org/meta-security synced 2026-05-31 12:50:19 +00:00
Code Issues Projects Releases Wiki Activity

sssd: enable unprivileged service user feature

Browse Source 
The unprivileged service user feature has been improved in 2.10 to allow
running the sssd service as an unprivileged user [1]. So enable this
feature, and then we can run the service as the unprivileged user sssd.

[1] https://github.com/SSSD/sssd/releases/tag/2.10.0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
Yi Zhao
2025-03-27 21:23:27 +08:00
committed by Armin Kuster
parent 0d6aa528cf
commit d31c2619da
1 changed files with 10 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.10.2.bb
+10 -4
View File
@@ -28,12 +28,16 @@ SRC_URI[sha256sum] = "e8aa5e6b48ae465bea7064048715ce7e9c53b50ec6a9c69304f59e0d35
UPSTREAM_CHECK_URI = "https://github.com/SSSD/${BPN}/releases"
inherit autotools pkgconfig gettext python3native features_check systemd
inherit autotools pkgconfig gettext python3native features_check systemd useradd
REQUIRED_DISTRO_FEATURES = "pam"
SSSD_UID ?= "root"
SSSD_GID ?= "root"
SSSD_UID ?= "sssd"
SSSD_GID ?= "sssd"
USERADD_PACKAGES = "${PN}"
GROUPADD_PARAM:${PN} = "--system sssd"
USERADD_PARAM:${PN} = "--system --home /run/sssd --no-create-home -g sssd --shell /sbin/nologin sssd"
CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
ac_cv_prog_HAVE_PYTHON3=yes \
@@ -66,6 +70,7 @@ EXTRA_OECONF += " \
--with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \
--with-pid-path=/run/sssd \
--with-os=fedora \
--with-sssd-user=sssd \
"
do_configure:prepend () {
@@ -87,6 +92,7 @@ do_install () {
install -d ${D}/${sysconfdir}/${BPN}
install -m 600 ${UNPACKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}
chown -R root:${SSSD_GID} ${D}/${sysconfdir}/${BPN}
# /var/log/sssd needs to be created in runtime. Use rmdir to catch if
# upstream stops creating /var/log/sssd, or adds something else in
@@ -118,7 +124,6 @@ pkg_postinst_ontarget:${PN} () {
if [ -e /etc/init.d/populate-volatile.sh ] ; then
${sysconfdir}/init.d/populate-volatile.sh update
fi
chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf
}
CONFFILES:${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"
@@ -146,6 +151,7 @@ FILES:${PN} += "${base_libdir}/security/pam_sss*.so \
${nonarch_libdir}/tmpfiles.d \
${datadir}/dbus-1/system.d/*.conf \
${datadir}/dbus-1/system-services/*.service \
${datadir}/polkit-1/* \
${libdir}/krb5/* \
${libdir}/ldb/* \
${PYTHON_SITEPACKAGES_DIR}/sssd \