On (29/11/16 10:01), Lukas Slebodnik wrote:
>On (28/11/16 11:27), Jakub Hrozek wrote:
>>On Mon, Nov 28, 2016 at 10:57:44AM +0100, Pavel Březina wrote:
>>> On 11/28/2016 10:47 AM, Jakub Hrozek wrote:
>>> > On Thu, Nov 24, 2016 at 02:33:04PM +0100, Fabiano Fidêncio wrote:
>>> > > The design page is done [0] and it's based on this discussion [1] we
>>> > > had on this very same mailing list. A pull-request with the
>>> > > implementation is already opened [2].
>>> > > 
>>> > > [0]: 
>>> > > https://fedorahosted.org/sssd/wiki/DesignDocs/SocketActivatableResponders
>>> > > [1]: 
>>> > > https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org/message/H6JOF5SGGSIJUIWYNANDA73ODHWBS7J2/
>>> > > [2]: https://github.com/SSSD/sssd/pull/84
>>> > > 
>>> > > The full text of c&p here:
>>> > 
>>> > In general looks good to me, but note that I was involved a bit with
>>> > Fabiano in the discussion, so my view might be tainted.
>>> 
>>> I finally got to it. The design page looks good and I'll start reviewing the
>>> patches.
>>> 
>>> The only thing I wonder about is whether we want to pass parameters " --uid
>>> 0 --gid 0 --debug-to-files" or we will read them from sssd.conf? I prefer
>>> reading them.
>>> 
>>> Also what do we use the private sockets for? It is used only for root?
>>
>>Yes, that's where we route PAM requests started by UID 0 to.
>>
>For example. The nss responder needn't run as root. It does not require
>any extra privileges. And the privileges are dropped as soon as possible.
>The only issue might be with switching from root to non-root.
>A responder needs to change the owner of log files.
>But it could be solved with ExecStartPre in service file
>
>e.g.
>ExecStartPre=/usr/bin/chown sssd:sssd /var/log/sssd/sssd_nss.log
>ExecStart=/usr/libexec/sssd/sssd_nss --debug-to-files
>User=sssd
>Group=sssd
>PermissionsStartOnly=true
>
>@see the explanation of PermissionsStartOnly in man 5 systemd.service
>
Actually we might add a new parameter "--unprivileged-start"
which would be used for skipping calls of *chown_debug_file*
+ *become_user* and also maybe checking that the process is not
executed as root (uid != 0 && gid != 0)

LS
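Not part of the thread: an added C sketch of the two pieces discussed above, the "is this process already unprivileged" check an --unprivileged-start mode would need and a become_user-style drop that verifies root cannot be regained. Function names and the 1000/1000 ids are assumptions, not sssd code.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure check for a hypothetical --unprivileged-start mode: the process
 * counts as "not root" only if real, effective AND saved ids are all
 * non-zero; a saved uid of 0 would still allow a later setuid(0). */
bool ids_unprivileged(uid_t r, uid_t e, uid_t s,
                      gid_t rg, gid_t eg, gid_t sg)
{
    return r != 0 && e != 0 && s != 0 && rg != 0 && eg != 0 && sg != 0;
}

bool process_unprivileged(void)
{
    uid_t r, e, s; gid_t rg, eg, sg;
    if (getresuid(&r, &e, &s) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return false;
    return ids_unprivileged(r, e, s, rg, eg, sg);
}

/* Drop in the only order that works: supplementary groups first (needs
 * root), then gid, then uid, setting the saved ids too. Afterwards
 * regaining root must fail, otherwise the drop was not permanent. */
int become_user_checked(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; }
    if (setgroups(0, NULL) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    if (setuid(0) == 0 || errno != EPERM) return -1;  /* must be EPERM */
    return process_unprivileged() ? 0 : -1;
}

int main(void)
{
    /* 1000/1000 are constructed placeholder ids standing in for sssd:sssd */
    if (process_unprivileged()) return puts("already unprivileged") < 0;
    return become_user_checked(1000, 1000) == 0 ? 0 : 1;
}
```

Run as root it drops to the placeholder ids and exits 0 only if setuid(0) afterwards fails; run as a normal user it takes the "skip become_user" path.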
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org