On Fri, Nov 14, 2014 at 02:25:23PM +0100, Jakub Hrozek wrote:
> Hi,
>
> this is the final (for now) patch in my nonroot branch. It allows the
> backend to drop privileges after startup so that the back end works
> unprivileged.
I've tested this patch together with the krb5 patches and found no issues so far, so ACK.

I've opened https://fedorahosted.org/sssd/ticket/2493 to check how chown_debug_file() behaves with journald and without debug files.

bye,
Sumit

> From 367b3d006bf3a7b46027c37daa8d727a3b44ccea Mon Sep 17 00:00:00 2001 > From: Jakub Hrozek <[email protected]> > Date: Mon, 27 Oct 2014 16:14:51 +0100 > Subject: [PATCH] BE: Become a regular user after initialization > > Some parts of initialization (Kerberos ticket renewal, checking the > keytab for the right principal) still require the root privileges. Drop > privileges after initializing the back ends. > > Related: > https://fedorahosted.org/sssd/ticket/2370 > --- > src/providers/data_provider_be.c | 13 +++++++++++++ > 1 file changed, 13 insertions(+) > > diff --git a/src/providers/data_provider_be.c > b/src/providers/data_provider_be.c > index > a5e7714fecbf0593834e7c3204a21cea91043ff9..467fcec369c77e2929f6987f97ef301674129207 > 100644 > --- a/src/providers/data_provider_be.c > +++ b/src/providers/data_provider_be.c > @@ -2896,6 +2896,19 @@ int main(int argc, const char *argv[]) > return 3; > } > > + ret = chown_debug_file(NULL, uid, gid); > + if (ret != EOK) { > + DEBUG(SSSDBG_MINOR_FAILURE, > + "Cannot chown the debug files, debugging might not work!\n"); > + } > + > + ret = become_user(uid, gid); > + if (ret != EOK) { > + DEBUG(SSSDBG_FUNC_DATA, > + "Cannot become user [%"SPRIuid"][%"SPRIgid"].\n", uid, gid); > + return ret; > + } > + > DEBUG(SSSDBG_TRACE_FUNC, "Backend provider (%s) started!\n", be_domain); > > /* loop on main */ > -- > 1.9.3
>
> _______________________________________________
> sssd-devel mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
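
Review bot: The become_user() failure branch logs at SSSDBG_FUNC_DATA, a less severe level than the SSSDBG_MINOR_FAILURE used for the non-fatal chown_debug_file() warning just above it, even though this is the branch that makes the back end exit. Failing to drop root is the most security-relevant error in this hunk, so it should be logged at a failure level such as SSSDBG_FATAL_FAILURE, so that it is visible without raising the debug level. The same branch does `return ret;`, which turns an errno-style code into the process exit status, while the context line above uses a fixed `return 3;`; a fixed exit code here would be more consistent. A one-line comment above the chown_debug_file() call noting that it is done while the process is still privileged, and that its failure is deliberately non-fatal, would also help future readers.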
