On Tue, Nov 29, 2016 at 10:24 AM, Fabiano Fidêncio <fiden...@redhat.com> wrote: > On Tue, Nov 29, 2016 at 10:01 AM, Lukas Slebodnik <lsleb...@redhat.com> wrote: >> On (28/11/16 11:27), Jakub Hrozek wrote: >>>On Mon, Nov 28, 2016 at 10:57:44AM +0100, Pavel Březina wrote: >>>> On 11/28/2016 10:47 AM, Jakub Hrozek wrote: >>>> > On Thu, Nov 24, 2016 at 02:33:04PM +0100, Fabiano Fidêncio wrote: >>>> > > The design page is done [0] and it's based on this discussion [1] we >>>> > > had on this very same mailing list. A pull-request with the >>>> > > implementation is already opened [2]. >>>> > > >>>> > > [0]: >>>> > > https://fedorahosted.org/sssd/wiki/DesignDocs/SocketActivatableResponders >>>> > > [1]: >>>> > > https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org/message/H6JOF5SGGSIJUIWYNANDA73ODHWBS7J2/ >>>> > > [2]: https://github.com/SSSD/sssd/pull/84 >>>> > > >>>> > > The full text of c&p here: >>>> > >>>> > In general looks good to me, but note that I was involved a bit with >>>> > Fabiano in the discussion, so my view might be tainted. >>>> >>>> I finally got to it. The design page looks good and I'll start reviewing >>>> the >>>> patches. >>>> >>>> The only think I wonder about is whether we want to pass parameters " --uid >>>> 0 --gid 0 --debug-to-files" or we will read the from sssd.conf? I prefer >>>> reading them. >>>> >>>> Also what do we use the private sockets for? It is used only for root? >>> >>>Yes, that's where we route PAM requests started by UID 0 to. >>> >> For example. The nss responder need't run as root. It does not require >> any extra privileges. And the privileges are dropped as soon as possible. >> The only issue might be with switching from root to non-root. >> A responder need to change owner of log files. >> But it could be solved with ExecStartPre in service file >> >> e.g. >> ExecStartPre=/usr/bin/chown sssd:sssd /var/log/sssd/sssd_nss.log >> ExecStart=/usr/libexec/sssd/sssd_nss --debug-to-files >> User=sssd >> Group=sssd >> PermissionsStartOnly=true >> >> @see the explanation of PermissionsStartOnly in man 5 systemd.service > > I like the suggestion. But I also would like to ask which are the > responders that have to executed as root?
This question still stands ... We have the following responders: autofs, ifp, nss, pac, pam, ssh and sudo. All of those can run as sssd user? > > Best Regards, > -- > Fabiano Fidêncio _______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
