On Tue, Nov 29, 2016 at 10:24 AM, Fabiano Fidêncio <fiden...@redhat.com> wrote:
> On Tue, Nov 29, 2016 at 10:01 AM, Lukas Slebodnik <lsleb...@redhat.com> wrote:
>> On (28/11/16 11:27), Jakub Hrozek wrote:
>>>On Mon, Nov 28, 2016 at 10:57:44AM +0100, Pavel Březina wrote:
>>>> On 11/28/2016 10:47 AM, Jakub Hrozek wrote:
>>>> > On Thu, Nov 24, 2016 at 02:33:04PM +0100, Fabiano Fidêncio wrote:
>>>> > > The design page is done [0] and it's based on this discussion [1] we
>>>> > > had on this very same mailing list. A pull-request with the
>>>> > > implementation is already opened [2].
>>>> > >
>>>> > > [0]: https://fedorahosted.org/sssd/wiki/DesignDocs/SocketActivatableResponders
>>>> > > [1]: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org/message/H6JOF5SGGSIJUIWYNANDA73ODHWBS7J2/
>>>> > > [2]: https://github.com/SSSD/sssd/pull/84
>>>> > >
>>>> > > The full text of c&p here:
>>>> >
>>>> > In general looks good to me, but note that I was involved a bit with
>>>> > Fabiano in the discussion, so my view might be tainted.
>>>>
>>>> I finally got to it. The design page looks good and I'll start reviewing the
>>>> patches.
>>>>
>>>> The only thing I wonder about is whether we want to pass parameters " --uid
>>>> 0 --gid 0 --debug-to-files" or we will read them from sssd.conf? I prefer
>>>> reading them.
>>>>
>>>> Also what do we use the private sockets for? It is used only for root?
>>>
>>>Yes, that's where we route PAM requests started by UID 0 to.
>>>
>> For example. The nss responder needn't run as root. It does not require
>> any extra privileges. And the privileges are dropped as soon as possible.
>> The only issue might be with switching from root to non-root.
>> A responder needs to change the owner of log files.
>> But it could be solved with ExecStartPre in service file
>>
>> e.g.
>> ExecStartPre=/usr/bin/chown sssd:sssd /var/log/sssd/sssd_nss.log
>> ExecStart=/usr/libexec/sssd/sssd_nss --debug-to-files
>> User=sssd
>> Group=sssd
>> PermissionsStartOnly=true
>>
>> @see the explanation of PermissionsStartOnly in man 5 systemd.service
>
> I like the suggestion. But I also would like to ask which are the
> responders that have to be executed as root?

This question still stands ...

We have the following responders: autofs, ifp, nss, pac, pam, ssh and sudo.
Can all of those run as the sssd user?

>
> Best Regards,
> --
> Fabiano Fidêncio
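
An added example, not part of the original thread and not SSSD code: a small checker that reads a unit's [Service] section and reports which user each Exec* command runs as under the User= / PermissionsStartOnly= scheme quoted above. SAMPLE_UNIT is constructed from the quoted fragment, the function names are hypothetical, the root default assumes a system (not user) unit, and the "+" command prefix from systemd.service(5) is handled although the thread does not mention it.

```python
# Added example (not SSSD code): who runs each Exec* line of a system unit?
# SAMPLE_UNIT is constructed from the fragment quoted in the thread.
SAMPLE_UNIT = """\
[Service]
ExecStartPre=/usr/bin/chown sssd:sssd /var/log/sssd/sssd_nss.log
ExecStart=/usr/libexec/sssd/sssd_nss --debug-to-files
User=sssd
Group=sssd
PermissionsStartOnly=true
"""

EXEC_KEYS = ("ExecStartPre", "ExecStart", "ExecStartPost",
             "ExecReload", "ExecStop", "ExecStopPost")
TRUE_VALUES = ("1", "yes", "true", "on")


def parse_service(text):
    """Collect [Service] settings; keys may repeat, so values are lists."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value:
                settings.setdefault(key, []).append(value)
            else:
                settings[key] = []  # an empty assignment resets the list
    return settings


def exec_identities(text):
    """Return (key, user, program) for every Exec* command in the unit."""
    s = parse_service(text)
    user = (s.get("User") or ["root"])[-1]  # system units default to root
    flag = (s.get("PermissionsStartOnly") or ["false"])[-1].lower()
    start_only = flag in TRUE_VALUES
    out = []
    for key in EXEC_KEYS:
        for cmd in s.get(key, []):
            program = cmd.split()[0]
            prefix = program[:len(program) - len(program.lstrip("-@:+!"))]
            # User= is skipped for "+" commands and, when
            # PermissionsStartOnly=true, for everything except ExecStart=.
            as_root = "+" in prefix or (start_only and key != "ExecStart")
            out.append((key, "root" if as_root else user, program.lstrip("-@:+!")))
    return out
```

Running exec_identities over a responder's unit shows at a glance whether only the chown step keeps root while the responder itself starts as the unprivileged user.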