Bug 58000 - UMC-server and SSSD sidecar are running as root
Summary: UMC-server and SSSD sidecar are running as root
Status: CLOSED FIXED
Alias: None
Product: Nubus
Classification: Unclassified
Component: UMC
Version: unspecified
Hardware: Other Mac OS X 10.1
Importance: P5 major
Target Milestone: ---
Assignee: Nubus maintainers
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-02-25 18:15 CET by Thomas Kintscher
Modified: 2025-06-19 14:16 CEST

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?: Yes
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Customer ID:
Max CVSS v3 score:


Description Thomas Kintscher univentionstaff 2025-02-25 18:15:16 CET
Currently the umc-server and the sssd sidecar processes are running under the root user. This is because the version of sssd in use does not support running with reduced permissions.

(sssd is currently needed for certain actions around password changes, expiry and verification, especially but not limited to environments that connect with Samba or Kerberos.)

Upstream ticket: https://github.com/SSSD/sssd/issues/5443

The ability to run with reduced permissions was introduced very recently with sssd 2.10.x: 
https://sssd.io/release-notes/sssd-2.10.0.html

It is to be evaluated if upgrading to this version allows us to run the containers without root-permissions.
Comment 2 Florian Best univentionstaff 2025-03-21 13:21:27 CET
See also Bug #48604.
Comment 3 Thomas Kintscher univentionstaff 2025-06-19 14:16:34 CEST
This was resolved in Nubus-for-Kubernetes in version 1.10.0.