"Fuchs, Andreas" <[email protected]> wrote on 11/18/2014 
07:48:21 AM:


> 
> Hi Stefan,
> 
> how does your use case differ in functionality from the
> --disable-usercheck configure switch?

The tcsd daemon using /dev/tpm0 has to be started as root. It should also 
change to a non-privileged user, here tss. No changes in this case.
So in the (intended) use case a non-privileged user can then also start 
tcsd using sockets to talk to an emulator.

> (see the #ifdef NOUSERCHECK right before your code additions)
> I think the use case is better covered by the configure-switch, 
> since in a standard-environment you want to be warned / failed when 
> there are uid problems. And for your (and my) dev-envs we can have a 
> second tssd-executable...

Packages only get compiled in one way. On Fedora at least the part 
checking the access rights to the config file and the setuid() part are 
always compiled in and that's good this way.

> 
> Regarding the code: It seems as if you skip whenever getuid() == 0.
> Isn't that the reverse of what you described in the commit message?

My bad. Will repost.

   Stefan

> 
> Just my 2 cents on things,
> 
> Cheers,
> Andreas
> 
> ________________________________________
> From: Stefan Berger [[email protected]]
> Sent: Tuesday, November 18, 2014 13:28
> To: [email protected]
> Subject: [TrouSerS-tech] [PATCH] Allow to run tcsd as normal user
> 
> Currently TCSD requires that it is run by root or the tss user since only then
> it will be able to setuid to tss or read the TCSD configuration file, which must
> also be owned by tss:tss. However, there are use cases when TCSD does not need
> to be started as root, particularly when it communicates with a TPM emulator
> over sockets. In this case we should be able to start the TCSD from a
> non-privileged user account.
> 
> Signed-off-by: Stefan Berger <[email protected]>
> ---
>  src/tcsd/svrside.c   | 4 ++++
>  src/tcsd/tcsd_conf.c | 5 +++++
>  2 files changed, 9 insertions(+)
> 
> diff --git a/src/tcsd/svrside.c b/src/tcsd/svrside.c
> index 1ae1636..f00ff38 100644
> --- a/src/tcsd/svrside.c
> +++ b/src/tcsd/svrside.c
> @@ -463,6 +463,9 @@ main(int argc, char **argv)
>              "(Compiled with --disable-usercheck)");
>  #else
>  #ifndef SOLARIS
> +       if (getuid() == 0)
> +               goto skip_setuid;
> +
>         pwd = getpwnam(TSS_USER_NAME);
>         if (pwd == NULL) {
>                 if (errno == 0) {
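Review bot: The added `if (getuid() == 0) goto skip_setuid;` at the top of this block is inverted relative to the commit message. As written, a tcsd started as root jumps past `setuid(pwd->pw_uid)` and keeps running as root, while a non-root caller still goes through the `getpwnam(TSS_USER_NAME)` lookup and the setuid attempt. The test should be `getuid() != 0`, so that only a process that is already unprivileged skips the drop to tss.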
> @@ -474,6 +477,7 @@ main(int argc, char **argv)
>                 return TCSERR(TSS_E_INTERNAL_ERROR);
>         }
>         setuid(pwd->pw_uid);
> + skip_setuid:
>  #endif
>  #endif
> 
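Review bot: The `skip_setuid:` label is placed directly before `#endif`, so it is only valid if the first thing after the preprocessor block is a statement; a label followed by a declaration or a closing brace is not valid C before C23. Use `skip_setuid: ;` or wrap the `getpwnam()`/`setuid()` block in an `if` instead of jumping over it. Since this path is being touched, note also that the return value of `setuid(pwd->pw_uid)` on the line above the label is ignored, so a failed privilege drop would go unnoticed; it should be checked and treated as fatal.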
> diff --git a/src/tcsd/tcsd_conf.c b/src/tcsd/tcsd_conf.c
> index a31503d..549c2bb 100644
> --- a/src/tcsd/tcsd_conf.c
> +++ b/src/tcsd/tcsd_conf.c
> @@ -772,6 +772,9 @@ conf_file_init(struct tcsd_config *conf)
> 
>  #ifndef NOUSERCHECK
>  #ifndef SOLARIS
> +        if (getuid() == 0)
> +                goto skip_tss_check;
> +
>         /* find the gid that owns the conf file */
>         errno = 0;
>         grp = getgrnam(TSS_GROUP_NAME);
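Review bot: The added `if (getuid() == 0) goto skip_tss_check;` has the same inverted test as the svrside.c change: root is the caller that now bypasses the config-file checks, while the non-privileged user from the commit message still hits them. Flip the condition to `getuid() != 0`. For that non-root case, consider checking that the config file is owned by the invoking uid rather than dropping the ownership check altogether.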
> @@ -809,6 +812,8 @@ conf_file_init(struct tcsd_config *conf)
>                 LogError("TCSD config file (%s) must be mode 0600", 
> tcsd_config_file);
>                 return TCSERR(TSS_E_INTERNAL_ERROR);
>         }
> +
> + skip_tss_check:
>  #endif /* SOLARIS */
>  #endif /* NOUSERCHECK */
> 
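Review bot: `skip_tss_check:` sits after the `must be mode 0600` check, so the jump skips the permission-mode test along with the tss ownership tests. The commit message only argues against the tss:tss ownership requirement; move the label or restructure the block so the 0600 check still runs for every caller. As with `skip_setuid:`, a label directly before `#endif` needs a following statement, e.g. `skip_tss_check: ;`.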
> --
> 1.9.3
> 
> 
> 
> _______________________________________________
> TrouSerS-tech mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/trousers-tech