KCM: root can't access arbitrary KCM cache

[alexey-tikhonov]

so remove confusing traces suggesting otherwise

See: #7274 (comment)

Resolves: #7274

[gemini-code-assist]

Code Review

This pull request removes the special handling for the root user in the KCM ccache access checks. The change is implemented by removing the code that granted root access to any credential cache in kcm_cc_access. The man page documentation is also updated to reflect this change. This is a good security enhancement. My review points out that some comments in the header file kcmsrv_ccache.h are now outdated and should be updated to match the new logic.

[alexey-tikhonov]

Note: Covscan is green.

[ikerexxe]

LGTM!

[sssd-bot]

The pull request was accepted by @ikerexxe with the following PR CI status:

---

🟢 CodeFactor (success)
🟢 CodeQL (success)
NEUTRAL osh-diff-scan:fedora-rawhide-x86_64:upstream (neutral)
🟢 rpm-build:centos-stream-10-x86_64:upstream (success)
🟢 rpm-build:fedora-41-x86_64:upstream (success)
🟢 rpm-build:fedora-42-x86_64:upstream (success)
🟢 rpm-build:fedora-43-x86_64:upstream (success)
🟢 rpm-build:fedora-rawhide-x86_64:upstream (success)
🟢 Analyze (target) / cppcheck (success)
🟢 Build / freebsd (success)
🟢 Build / make-distcheck (success)
🟢 ci / intgcheck (centos-10) (success)
🟢 ci / intgcheck (fedora-41) (success)
🟢 ci / intgcheck (fedora-42) (success)
🟢 ci / intgcheck (fedora-43) (success)
🟢 ci / intgcheck (fedora-44) (success)
🟢 ci / prepare (success)
🟢 ci / system (centos-10) (success)
🟢 ci / system (fedora-41) (success)
🟢 ci / system (fedora-42) (success)
🟢 ci / system (fedora-43) (success)
🟢 ci / system (fedora-44) (success)
➖ Coverity scan / coverity (skipped)
🟢 Static code analysis / codeql (success)
🟢 Static code analysis / pre-commit (success)
🟢 Static code analysis / python-system-tests (success)

---

There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging.