From 1cd9a9c49e82696add984cc4ced127bb363ec541 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Sat, 9 Nov 2024 11:27:52 +0100 Subject: [PATCH] Describe current capabilities usage. Take a note that usage of cap_dac_override + chown to create cache path components could be changed to use cap_dac_override + (granted anyway) setuid, but not sure if it's worth the trouble. --- Makefile.am | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/Makefile.am b/Makefile.am index 315cc6b804..1b9484e1c6 100644 --- a/Makefile.am +++ b/Makefile.am @@ -100,6 +100,15 @@ ifp_systemdservice = SystemdService=sssd-ifp.service condconfigexists = ConditionPathExists=\|/etc/sssd/sssd.conf\nConditionDirectoryNotEmpty=\|/etc/sssd/conf.d/ # Bounding set needs to list capabilities required by ldap/krb5/selinux_childs and sssd_pam, otherwise they can't gain it. +# Capabilities usage by binaries: +# - 'ldap_child': read keytab (dac_read_search) +# - 'krb5_child': +# - store TGT for a given user (set*id); +# - create path components of DIR:/FILE: cache, for example: /run/user/$UID (dac_override, chown) +# - read keytab (dac_read_search could be enough but dac_override due to above) +# If system doesn't need to support DIR:/FILE: then 'cap_chown' can be stripped and 'cap_dac_override' replaced with 'dac_read_search' +# - 'selinux_child': currently chown, dac_override, set*id -- to be narrowed +# - 'sssd_pam': read keytab in gss ops (dac_read_search) capabilities = CapabilityBoundingSet= CAP_CHOWN CAP_DAC_OVERRIDE CAP_SETGID CAP_SETUID CAP_DAC_READ_SEARCH if BUILD_CONF_SERVICE_USER_SUPPORT
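Review bot: the comment block does not record the design alternative the commit message raises (creating the DIR:/FILE: cache path components with cap_dac_override plus the already-granted set*id instead of cap_chown), so the reasoning for keeping CAP_CHOWN in the bounding set will be lost to anyone reading only Makefile.am; suggest adding a line such as "# NOTE: chown for cache path creation could be replaced by set*id (already granted); not done yet" under the 'krb5_child' entry. Two smaller points on the same hunk: the sentence "# If system doesn't need to support DIR:/FILE: then 'cap_chown' can be stripped and 'cap_dac_override' replaced with 'dac_read_search'" mixes the 'cap_' and bare spellings within one line (the other bullets use bare names), and it reads better as "# If the system does not need to support DIR:/FILE: caches, 'chown' can be dropped and 'dac_override' replaced with 'dac_read_search'"; and the 'selinux_child' bullet ("currently chown, dac_override, set*id -- to be narrowed") would benefit from naming the operations that need each capability, as the 'ldap_child' and 'krb5_child' bullets do, so a later reader can tell which ones are safe to drop.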