Hi, this is the final (for now) patch in my nonroot branch. It allows the backend to drop privileges after startup so that the back end works unprivileged.
>From 367b3d006bf3a7b46027c37daa8d727a3b44ccea Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <[email protected]> Date: Mon, 27 Oct 2014 16:14:51 +0100 Subject: [PATCH] BE: Become a regular user after initialization
Some parts of initialization (Kerberos ticket renewal, checking the keytab for the right principal) still require the root privileges. Drop privileges after initializing the back ends. Related: https://fedorahosted.org/sssd/ticket/2370 --- src/providers/data_provider_be.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c index a5e7714fecbf0593834e7c3204a21cea91043ff9..467fcec369c77e2929f6987f97ef301674129207 100644 --- a/src/providers/data_provider_be.c +++ b/src/providers/data_provider_be.c @@ -2896,6 +2896,19 @@ int main(int argc, const char *argv[]) return 3; } + ret = chown_debug_file(NULL, uid, gid); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot chown the debug files, debugging might not work!\n"); + } + + ret = become_user(uid, gid); + if (ret != EOK) { + DEBUG(SSSDBG_FUNC_DATA, + "Cannot become user [%"SPRIuid"][%"SPRIgid"].\n", uid, gid); + return ret; + } + DEBUG(SSSDBG_TRACE_FUNC, "Backend provider (%s) started!\n", be_domain); /* loop on main */ -- 1.9.3
_______________________________________________ sssd-devel mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
