[apparmor] [patch] (u)nscd setuid/setgid to non-root user

Christian Boltz apparmor at cboltz.de
Tue Aug 23 20:09:18 UTC 2011


Hello,

another profile patch ;-)


Add capability setuid and setgid to nscd profile. Needed by unscd
to switch to a non-root user. unscd is installed as /usr/sbin/nscd
at least at openSUSE.

Original changelog entry from unscd package:
Mon Sep  7 17:30:36 CEST 2009 - pbaudis[at]suse.cz
- Provide the /etc/apparmor.d/usr.sbin.nscd file and make it allow
  for change to the nobody user [bnc#535467]

Currently the nscd package from glibc and the unscd package both contain
a usr.sbin.nscd profile which needs to be maintained/updated manually.
With this patch, the profile could be moved back to the
apparmor-profiles package.


Regards,

Christian Boltz
-- 
"If you are using an Macintosh e-mail program that is not from
Microsoft, we recommend checking with that particular company. But most
likely other e-mail programs like Eudora are not designed to enable
virus replication"
[http://www.microsoft.com/mac/products/office/2001/virus_alert.asp]
-------------- next part --------------
Add capability setuid and setgid to nscd profile. Needed by unscd
to switch to a non-root user. unscd is installed as /usr/sbin/nscd
at least at openSUSE.

Original changelog entry from unscd package:
Mon Sep  7 17:30:36 CEST 2009 - pbaudis[at]suse.cz
- Provide the /etc/apparmor.d/usr.sbin.nscd file and make it allow
  for change to the nobody user [bnc#535467]

Currently the nscd package from glibc and the unscd package both contain
a usr.sbin.nscd profile which needs to be maintained/updated manually.
With this patch, the profile could be moved back to the
apparmor-profiles package.

=== modified file 'profiles/apparmor.d/usr.sbin.nscd'
--- profiles/apparmor.d/usr.sbin.nscd	2011-08-22 23:22:41 +0000
+++ profiles/apparmor.d/usr.sbin.nscd	2011-08-23 20:01:52 +0000
@@ -17,6 +17,8 @@
   #include <abstractions/ssl_certs>
 
   capability net_bind_service,
+  capability setgid,
+  capability setuid,
 
   network inet dgram,
   network inet stream,
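
Review bot: The two added rules, `capability setgid,` and `capability setuid,`, carry no comment in the profile saying why the daemon needs them; the reason (unscd switching to a non-root user) is recorded only in the commit message. Because this one profile confines /usr/sbin/nscd for both the glibc nscd and unscd, the grant applies to whichever binary is installed, and a capability rule does not restrict which UID or GID the process may switch to. Suggest a one-line comment above the new rules, for example `# needed by unscd to switch to a non-root user`, so that a later audit of the profile can tell the capabilities are intentional and what they are for.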
