On Wed, Jan 27, 2016 at 01:18:16PM +0200, Nikolai Kondrashov wrote:
> Hi everyone,
> 
> I'm starting to implement tlog [1] configuration interfaces and would like
> to know what you'd like to use best in SSSD.
> 
> Among tlog parameters are:
> 
>     Path to the shell to start
>     The text for the warning about the session being recorded
>     Logging latency, seconds - how long to cache recorded data before logging
>     Maximum log message payload, bytes
>     Log target (file / syslog / perhaps journald later)
>     Log target options:
>         file:
>             path
>         syslog:
>             facility
>             level
>         journald:
>             ???
> 
> I guess out of these only a few would be controlled by SSSD.
> 
> I'd like to have three interfaces implemented:
> 
>     Configuration file in /etc, in JSON (tlog needs it anyway)
>     Environment variable(s)
>     Command-line options
> 
> Ideally, all the parameters should be controllable from any of them, but the
> setting priority would be as above.
> 
> Our main use case for the start would require faking tlog as the shell in
> nss_sss, passing the real shell in pam_sss via an environment variable and
> letting the administrator configure the rest via the configuration file.
> Command-line interface would be used to support "login" asking for login
> shell, ssh doing the same and passing commands to execute, and testing.
> 
> Later we might want to add more parameters passed via pam_sss and environment
> variables.
> 
> SSSD may also choose to write the tlog config file, but I think that it's
> better to leave that for the administrators and only use environment
> variable(s) from pam_sss instead.
> 
> Regarding that, I'm actually thinking about simply accepting the same data as
> configuration file provides via an environment variable. I.e. in JSON. It
> wouldn't need to be complete, and will be overlaid on top of what was read
> from the configuration file. So for the start pam_sss would need to pass this,
> for example:
> 
>     TLOG_REC_CONF='{"shell": "/bin/bash"}'

Is there a reason to pass this from pam_sss? Do you need this in the
user's PAM environment?

I admit I don't know how tlog works internally, but I liked the initial
idea of https://fedorahosted.org/sssd/ticket/2893 where we would specify
the shell that would be wrapped by tlog. That way, we would also know we
need to invoke tlog at all.

btw should tlog be configurable only globally or per-user?

> 
> Later it might grow into something like this:
> 
>     TLOG_REC_CONF='{
>         "shell":    "/bin/bash",
>         "warning":  "WARNING! Your session is being recorded!\n",
>         "latency":  10,
>         "writer":   "syslog",
>         "syslog": {
>             "facility": "authpriv",
>             "level":    "info"
>         }
>     }'
> 
> The above would require implementing JSON string escaping, but it's not
> difficult and pretty much the same as C string escaping everyone's familiar
> with (see http://json.org).
> 
> The alternatives are:
> 
>     * Supplying all the possible options via separate environment variables.
>       That would require documenting them separately.
> 
>     * Having an environment variable containing command-line options instead.
>       However, the latter would require handling word-splitting and unquoting
>       the same way shell does, and that's non-trivial without asking an actual
>       shell to do it. Whereas tlog already has a JSON parser.
> 
> So would the above be suitable for SSSD? Would pam_sss be OK with passing more
> parameters than just the shell to start? Do you have any other ideas,
> objections? Please write!
> 
> Thank you.
> 
> Sincerely,
> Nick
> 
> [1] https://github.com/spbnick/tlog
> _______________________________________________
> sssd-devel mailing list
> sssd-devel@lists.fedorahosted.org
> https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
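To make the layering discussed in the quoted proposal concrete, here is an added illustration (not tlog's or SSSD's own code) of a config-file/environment-variable/command-line precedence scheme for a tlog-style JSON configuration, including the JSON string escaping a PAM module would need when it builds the TLOG_REC_CONF value. The parameter names follow the thread ("shell", "warning", "latency", "writer", "syslog"); the function names, the "payload" key, the allow-list of accepted keys and the validation rules (absolute shell path, non-negative latency, rejection of unknown keys) are assumptions made for this example. Since the overlay arrives from the process environment rather than a root-owned file, it is validated with exactly the same checks as the file before being merged, so a malformed or unexpected value fails closed instead of changing what gets executed.

```python
"""Layer a tlog-style JSON configuration from three sources with the
precedence proposed in the thread: config file < environment variable
< command-line options.

Added illustration, not tlog's or SSSD's own code. Parameter names follow
the mailing-list proposal; function names, the "payload" key and the
validation rules are assumptions.
"""
import json

ENV_VAR = "TLOG_REC_CONF"

# Allow-list of top-level keys and their expected types (assumption: a
# consumer would reject unknown keys rather than silently ignore them).
SCHEMA = {
    "shell": str,      # path to the shell to start
    "warning": str,    # text shown about the session being recorded
    "latency": int,    # seconds to cache recorded data before logging
    "payload": int,    # maximum log message payload, bytes (assumed name)
    "writer": str,     # log target: "file" / "syslog" / ...
    "file": dict,      # file writer options
    "syslog": dict,    # syslog writer options
}


def encode_env_value(overlay):
    """Serialise a partial configuration into the single environment
    variable value the thread proposes. json.dumps performs the JSON
    string escaping (backslashes, quotes, newlines), so a shell path or
    warning text never needs hand-written quoting."""
    return json.dumps(overlay, separators=(",", ":"))


def decode_env_value(value):
    """Parse the overlay. Anything that is not a JSON object is rejected
    rather than merged: the overlay is just more configuration and must
    meet the same checks as the file."""
    try:
        obj = json.loads(value)
    except json.JSONDecodeError as exc:
        raise ValueError(f"{ENV_VAR}: invalid JSON: {exc}") from None
    if not isinstance(obj, dict):
        raise ValueError(f"{ENV_VAR}: expected a JSON object")
    return obj


def validate(conf):
    """Reject unknown keys, wrong types and implausible values."""
    for key, val in conf.items():
        if key not in SCHEMA:
            raise ValueError(f"unknown parameter {key!r}")
        if isinstance(val, bool) or not isinstance(val, SCHEMA[key]):
            raise ValueError(f"parameter {key!r}: expected {SCHEMA[key].__name__}")
    shell = conf.get("shell")
    if shell is not None and not shell.startswith("/"):
        raise ValueError("shell must be an absolute path")
    if "latency" in conf and conf["latency"] < 0:
        raise ValueError("latency must be non-negative")
    return conf


def merge(base, overlay):
    """One-level-deep merge: writer sections ("syslog", "file") are merged
    key by key; scalar values in the overlay replace those in the base."""
    out = dict(base)
    for key, val in overlay.items():
        if isinstance(val, dict) and isinstance(out.get(key), dict):
            out[key] = {**out[key], **val}
        else:
            out[key] = val
    return out


def load_config(file_text, env_value=None, cli_overlay=None):
    """Apply the precedence from the thread: file, then the environment
    variable, then command-line options, each validated before merging."""
    conf = validate(json.loads(file_text))
    if env_value is not None:
        conf = merge(conf, validate(decode_env_value(env_value)))
    if cli_overlay:
        conf = merge(conf, validate(cli_overlay))
    return conf


# Constructed sample of what an administrator's /etc config file might hold.
SAMPLE_FILE = json.dumps({
    "shell": "/bin/sh",
    "warning": "WARNING! Your session is being recorded!\n",
    "latency": 10,
    "writer": "syslog",
    "syslog": {"facility": "authpriv", "level": "info"},
})

if __name__ == "__main__":
    # What a PAM module would export: only the real shell, as in the thread.
    env_value = encode_env_value({"shell": "/bin/bash"})
    print(f"{ENV_VAR}={env_value}")
    # Command-line options win over both the file and the environment.
    conf = load_config(SAMPLE_FILE, env_value, {"syslog": {"level": "debug"}})
    print(json.dumps(conf, indent=4))
```

Running the script prints the environment variable value as the thread shows it, `TLOG_REC_CONF={"shell":"/bin/bash"}`, followed by the merged configuration in which the shell comes from the environment, the syslog level from the command line and everything else from the file.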