On Mon, Feb 14, 2022 at 6:37 PM Erik Sjölund <[email protected]> wrote:
>
> Hi Daniel,
> Thanks for the feedback.
>
> On Thu, Feb 10, 2022 at 4:40 AM Daniel Black <[email protected]> wrote:
> > There are some really powerful concepts with unix_socket auth across
> > into the container if you get the uid mapping: try to map the local %u
> > (uid - %U) to the mysql(999) user (or another user, and start the
> > container with --user).
> > You'll probably need to add a user to the container. With that you'll
> > have a unix socket auth based mechanism in the container directly.
> > Also the current container entrypoint avoids creating unix socket auth
> > users (until very recently, in a limited way:
> > https://github.com/MariaDB/mariadb-docker/pull/409). Maybe it's too
> > fiddly however to get right.

Nice!

> I've recently submitted a PR
> https://github.com/containers/podman/pull/13084/files
> to the Podman project that adds two troubleshooting
> tips regarding UID/GID mapping.
> They describe how to run the container with a non-root user
> inside the container but mapped to the regular UID/GID on the host.

Nice read. Thanks. The implied-user-but-defaulting-to-root nature of the
mariadb container with gosu took a bit to get used to. Some sane mapping
rules help, thanks.

> As the PR has not yet been approved,

Now approved, I see.

> I had an idea regarding "unix_socket authentication":
> Permissions could be granted to specific Unix sockets by
> using FileDescriptorName

Interesting. The "extra" is used as a FDName for extra sockets, but it's
a generally unexplored space.

> If the permissions are given to a specific Unix socket, a sysadmin could
> create multiple Unix sockets with different levels of permissions. There
> would be no need to rely on
>
> "calling the getsockopt system call with the SO_PEERCRED socket option,
> which allows it to retrieve the uid of the process that is connected
> to the socket."
> quote from
> https://mariadb.com/kb/en/authentication-plugin-unix-socket/#is-it-secure

If you've got a good general use case, write a https://jira.mariadb.org task.

> A sysadmin could instead protect the Unix socket from unauthorized access
> by using normal file and directory permissions.

MySQL's implementation also uses the "AS ..." syntax to extend coverage to
one other user.
https://dev.mysql.com/doc/refman/8.0/en/socket-pluggable-authentication.html#socket-pluggable-authentication-usage

> > If conmon acts as a true passthrough maybe the same option is needed. I
> > guess try with some invalid configuration.

Seems there are some conmon aspects I need to understand more.
_______________________________________________
Mailing list: https://launchpad.net/~maria-discuss
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~maria-discuss
More help   : https://help.launchpad.net/ListHelp
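The thread above contrasts two ways of deciding who may talk to a MariaDB Unix socket: the kernel-reported peer credentials (the SO_PEERCRED getsockopt the KB quote describes, which is what the unix_socket plugin relies on) and plain file/directory permissions on the socket path, which Erik suggests as an alternative. The following C program is an added illustration written for this page; it is not code from the thread, from MariaDB or from Podman. It is Linux-only (struct ucred and SO_PEERCRED are Linux extensions), and the socket path under /tmp is a constructed example. It creates a 0700 directory, binds a 0600 socket in it, connects to it from the same process, and has the "server" side read the peer uid, which must match the calling process's own uid.

```c
#define _GNU_SOURCE          /* struct ucred / SO_PEERCRED: Linux + glibc extension */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Ask the kernel who is on the other end of a connected AF_UNIX socket.
 * This is the SO_PEERCRED lookup the MariaDB KB page describes: the uid
 * comes from the kernel, not from anything the client sends, so a client
 * cannot spoof it. Returns (uid_t)-1 on failure. */
uid_t peer_uid(int fd)
{
    struct ucred cred;
    socklen_t len = sizeof cred;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0)
        return (uid_t)-1;
    return cred.uid;
}

/* Bind and listen on `path`, creating the socket file with `mode`.
 * On Linux connect() needs write permission on the socket file, so a 0600
 * socket inside a 0700 directory is the "normal file and directory
 * permissions" protection discussed in the thread. Returns fd or -1. */
int listen_unix(const char *path, mode_t mode)
{
    struct sockaddr_un addr;
    if (strlen(path) >= sizeof addr.sun_path)
        return -1;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, path);
    mode_t old = umask(0777 & ~mode);        /* mode is applied at bind() time */
    int rc = bind(fd, (struct sockaddr *)&addr, sizeof addr);
    umask(old);
    if (rc != 0 || listen(fd, 1) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Connect a client to `path`; returns fd or -1. */
int connect_unix(const char *path)
{
    struct sockaddr_un addr;
    if (strlen(path) >= sizeof addr.sun_path)
        return -1;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, path);
    if (connect(fd, (struct sockaddr *)&addr, sizeof addr) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* End-to-end demo in one process: private directory (mkdtemp gives 0700),
 * listen inside it, connect as a client, accept, read the peer uid.
 * Also verifies the socket file is not group/world accessible.
 * Returns the uid the server saw, or (uid_t)-1 on any failure. */
uid_t demo_peercred(void)
{
    char dir[] = "/tmp/peercred-XXXXXX";    /* constructed example path */
    if (mkdtemp(dir) == NULL)
        return (uid_t)-1;
    char path[64];
    snprintf(path, sizeof path, "%s/mysqld.sock", dir);

    uid_t uid = (uid_t)-1;
    struct stat st;
    int srv = listen_unix(path, 0600);
    if (srv >= 0 && stat(path, &st) == 0 && (st.st_mode & 077) == 0) {
        int cli = connect_unix(path);
        if (cli >= 0) {
            int conn = accept(srv, NULL, NULL);
            if (conn >= 0) {
                uid = peer_uid(conn);       /* what a server-side auth plugin sees */
                close(conn);
            }
            close(cli);
        }
    }
    if (srv >= 0)
        close(srv);
    unlink(path);
    rmdir(dir);
    return uid;
}

int main(void)
{
    uid_t uid = demo_peercred();
    if (uid == (uid_t)-1) {
        perror("demo_peercred");
        return 1;
    }
    printf("peer uid seen by server: %u (our uid: %u)\n",
           (unsigned)uid, (unsigned)getuid());
    return uid == getuid() ? 0 : 1;
}
```

Build with `cc -o peercred peercred.c` and run it as an ordinary user. The peer-credential path answers "which uid connected", which is what lets one socket serve several OS users with different database identities; the permission path answers "who may connect at all", which is what lets a sysadmin expose several sockets with different reach. Inside a rootless container the uid the server sees is the container-side uid after the user-namespace mapping, which is why the uid mapping discussed above matters for unix_socket auth.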

