On Tue, Sep 03, 2013 at 10:07:13PM -0400, Simo Sorce wrote:
> After the recent patches to explicitly enable the KEYRING type in SSSD I
> realized that the code that manipulates ccaches had grown too much, and,
> most importantly, was doing unnecessary operations already performed in
> an abstract way by krb5 functions.
>
> This patch set mostly addresses ticket #2061
>
> The aim has been to remove as much as possible type-specific code,
> resorting to type specific behavior only as an explicit exception where
> necessary due to historical or other reasons.
>
> The combined diff gives a nice total stat of:
> 815 insertions(+)
> 1529 deletions(-)
>

I really like the cleanup that comes with the patches but I would prefer
not to use setresuid() in the backend code because it allows any SSSD
user to kill the complete sssd_be process. If there is no other safe way
to handle the credential cache I think the related operations should be
moved from the backend code to the krb5_child.

bye,
Sumit

> The last patch is an attempt to address ticket #2071,
>
> It was necessary to add it here otherwise sssd will fail to operate
> correctly with some templates (as noted in #2071).
> However I am not sure that's the way we want to resolve the problem.
> The patch aimed at maintaining as much as possible a reasonable
> behavior, although the intended behavior was not really written
> anywhere. Personally I would rather scrap the patch and instead provide
> a new one that would simply stop creating public directories at all, I
> do not think it is sssd's role to fix/create directories that should be
> set up by the admin appropriately ahead of time (either manually or via
> tmpfiles.d or whatever).
>
> I will try to follow up with a proposed patch that 'simplifies' sssd
> behavior instead of fixing it for #2071
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
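
The alternative raised in the reply above, doing the per-user work in a separate short-lived process instead of calling setresuid() in the long-running backend, as an added example that is not part of the original thread and is not SSSD code. `run_as_user` and the two sample operations are hypothetical names; the demo switches to the caller's own IDs so it runs without root.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* for setresuid()/setresgid() */
#endif
#include <errno.h>
#include <grp.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Prototypes repeated in case a wrapper includes libc headers before this file. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);

typedef int (*user_op_fn)(void *arg);

/* Hypothetical helper: run op(arg) in a short-lived child that has become
 * uid/gid for good. Returns op's result (0..127), or -1 if the child could
 * not drop privileges or was killed. The caller's own IDs never change. */
int run_as_user(uid_t uid, gid_t gid, user_op_fn op, void *arg)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* When really switching identity, clear the supplementary groups first. */
        if (uid != getuid() && setgroups(0, NULL) != 0) _exit(255);
        /* Group before user: once the uid is dropped the gid can no longer change. */
        if (setresgid(gid, gid, gid) != 0) _exit(255);
        if (setresuid(uid, uid, uid) != 0) _exit(255);
        if (getuid() != uid || geteuid() != uid) _exit(255);  /* fail closed */
        _exit(op(arg) & 0x7f);
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 255) return -1;
    return WEXITSTATUS(status);
}

/* Constructed sample operations standing in for the per-user ccache work. */
int op_ids_match(void *arg) { uid_t u = *(uid_t *)arg; return getuid() == u && geteuid() == u ? 0 : 1; }
int op_gets_killed(void *arg) { (void)arg; raise(SIGKILL); return 0; }

int main(void)
{
    uid_t me = getuid();   /* unprivileged demo: "switch" to our own IDs */
    printf("normal op: %d\n", run_as_user(me, getgid(), op_ids_match, &me));
    printf("killed op: %d\n", run_as_user(me, getgid(), op_gets_killed, NULL));
    return 0;
}
```

A signal that terminates the child shows up in the caller only as a -1 return, and the caller's real and effective UIDs are the same before and after each call.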