[SSSD] [sssd PR#616][comment] become_user: add supplementary groups so ad provider can access keytab
URL: https://github.com/SSSD/sssd/pull/616
Title: #616: become_user: add supplementary groups so ad provider can access keytab

asheplyakov commented:
"""
> become_user() is also used in krb5_child to switch to the user trying to log
> in to create the ccache with the right permissions.

Yep, calling initgroups in this context is indeed inappropriate. What about adding a new function `become_user_ext`, which adds supplementary groups, and using it where appropriate, for instance, in [server_setup](https://github.com/SSSD/sssd/blob/519354d079731e673244a8e3851e5c5522d1b45e/src/util/server.c#L487) and [data_provider_be.c:main](https://github.com/SSSD/sssd/blob/1038473e1c9775d1273809c46673fa1475e50937/src/providers/data_provider_be.c#L630)?
"""

See the full comment at https://github.com/SSSD/sssd/pull/616#issuecomment-405041095
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/sssd-devel@lists.fedorahosted.org/message/GQRNBOWKX2KRJHCK7BN223W3KESPZUYS/
[SSSD] [sssd PR#616][comment] become_user: add supplementary groups so ad provider can access keytab
URL: https://github.com/SSSD/sssd/pull/616
Title: #616: become_user: add supplementary groups so ad provider can access keytab

asheplyakov commented:
"""
> I wonder if you wouldn't be able to achieve the same by setting the primary
> group of the _sssd user to _keytab?

This way other daemons which need access to keytab (apache, postgresql, you name it) might be able to read sssd caches and logs (which belong to _sssd:_keytab). It looks like sssd is careful enough to chmod 600 all those files, yet it's better to avoid possible bugs.

> could the keytab file allow the sssd user to read the contents with a POSIX
> ACL?

- often keytab is managed automatically by `samba-tool join` or similar tools. Patching these tools to set proper ACLs *when the sssd package is installed* doesn't look like a good idea. On the other hand, it's enough to patch libkrb5 to force correct group/permissions of /etc/krb5.keytab, and the patch is simple enough (see http://git.altlinux.org/people/sin/packages/?p=krb5.git;a=blob;f=krb5-1.16-alt-default_keytab_group.patch;h=3ea8c536d57045002b39e77992d7bf36cc94c3ac;hb=bd27c4dfd73611a0192691a2567101f4f5c89936#l100)
- also not every filesystem/kernel supports POSIX ACLs (think of those NAS devices), but virtually all sensible filesystems know what uid/gid are.
"""

See the full comment at https://github.com/SSSD/sssd/pull/616#issuecomment-405040134
___
List Archives: https://lists.fedoraproject.org/archives/list/sssd-devel@lists.fedorahosted.org/message/YAZ3PBQJNA323MBAFZ47TEPE6XE3TFTA/
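The two halves of this thread, the `become_user_ext` proposal in the first comment and the ownership/primary-group concerns in the comment above, can be checked concretely. The C below is an added example and not SSSD's code: `become_user_ext()` is a hypothetical privilege-drop helper in the spirit of the proposed function (with or without supplementary groups, and with the ordering that `setgroups()` must precede the uid change), and `can_read()` applies the POSIX owner/group/other class rule so the keytab and sssd-cache layouts discussed here can be compared. All uids, gids, modes and the `process_can_read()` helper are constructed for illustration.

```c
/* Added example (not SSSD's code): a privilege-drop helper and a POSIX
 * access-class check for reasoning about /etc/krb5.keytab and sssd's files.
 * All names, uids, gids and file layouts here are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop from root to uid/gid. With want_supplementary set, the list comes from
 * the group database via initgroups(), which can mean a remote lookup when the
 * user lives in a directory; otherwise it is cleared, which is what a child
 * switching to the logging-in user wants. setgroups()/initgroups() need
 * privilege, so they run before the gid/uid change. Returns 0 or an errno. */
static int become_user_ext(const char *name, uid_t uid, gid_t gid,
                           int want_supplementary)
{
    uid_t r, e, s;

    if (geteuid() != 0)                   /* nothing to drop */
        return (getuid() == uid && getgid() == gid) ? 0 : EPERM;
    if (want_supplementary ? initgroups(name, gid) : setgroups(0, NULL))
        return errno;
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0)
        return errno;
    /* The drop must be irreversible: no id may still be 0. */
    if (getresuid(&r, &e, &s) != 0) return errno;
    return (r == uid && e == uid && s == uid) ? 0 : EPERM;
}

/* POSIX class selection: exactly one of owner/group/other applies. Owner wins
 * if the uid matches (even when the group bits would be more permissive),
 * then group if the primary or any supplementary gid matches, else other. */
static int can_read(uid_t uid, gid_t gid, const gid_t *sup, size_t nsup,
                    uid_t f_uid, gid_t f_gid, mode_t f_mode)
{
    if (uid == 0) return 1;               /* CAP_DAC_OVERRIDE */
    if (uid == f_uid) return (f_mode & S_IRUSR) != 0;
    if (gid == f_gid) return (f_mode & S_IRGRP) != 0;
    for (size_t i = 0; i < nsup; i++)
        if (sup[i] == f_gid) return (f_mode & S_IRGRP) != 0;
    return (f_mode & S_IROTH) != 0;
}

/* Constructed ids for the scenarios (not real system values). */
enum { UID_ROOT = 0, UID_SSSD = 991, UID_APACHE = 48 };
enum { GID_SSSD = 991, GID_KEYTAB = 992, GID_APACHE = 48 };

/* keytab root:_keytab 0640, sssd_be as _sssd:_sssd, no sup groups: denied. */
static int keytab_plain_sssd(void)
{
    return can_read(UID_SSSD, GID_SSSD, NULL, 0, UID_ROOT, GID_KEYTAB, 0640);
}

/* Same keytab, _keytab loaded as a supplementary group (the PR's approach). */
static int keytab_sssd_with_sup(void)
{
    gid_t sup[] = { GID_KEYTAB };
    return can_read(UID_SSSD, GID_SSSD, sup, 1, UID_ROOT, GID_KEYTAB, 0640);
}

/* Same keytab, primary gid of _sssd switched to _keytab. */
static int keytab_sssd_primary_keytab(void)
{
    return can_read(UID_SSSD, GID_KEYTAB, NULL, 0, UID_ROOT, GID_KEYTAB, 0640);
}

/* The concern above: an sssd cache owned _sssd:_keytab read by apache, which
 * is also in _keytab. 0600 keeps it private; 0640 would expose it. */
static int cache_read_by_apache(mode_t cache_mode)
{
    gid_t sup[] = { GID_KEYTAB };
    return can_read(UID_APACHE, GID_APACHE, sup, 1, UID_SSSD, GID_KEYTAB,
                    cache_mode);
}

/* Apply the same rule to a real path with this process's identity, e.g. run
 * as the sssd user against /etc/krb5.keytab on a test host. -1 on error. */
static int process_can_read(const char *path)
{
    struct stat st;
    int n, ok;
    gid_t *g;

    if (stat(path, &st) != 0) return -1;
    n = getgroups(0, NULL);
    if (n < 0) return -1;
    g = calloc((size_t)n + 1, sizeof(*g));
    if (g == NULL) return -1;
    if (getgroups(n, g) < 0) { free(g); return -1; }
    ok = can_read(getuid(), getgid(), g, (size_t)n, st.st_uid, st.st_gid,
                  st.st_mode);
    free(g);
    return ok;
}

int main(int argc, char **argv)
{
    printf("sssd, no sup groups:      %d\n", keytab_plain_sssd());
    printf("sssd, _keytab sup group:  %d\n", keytab_sssd_with_sup());
    printf("sssd, primary=_keytab:    %d\n", keytab_sssd_primary_keytab());
    printf("apache reads cache 0600:  %d\n", cache_read_by_apache(0600));
    printf("apache reads cache 0640:  %d\n", cache_read_by_apache(0640));
    if (argc > 1)
        printf("this process can read %s: %d\n", argv[1],
               process_can_read(argv[1]));
    (void)become_user_ext;                /* needs root; not exercised here */
    return 0;
}
```

The scenarios show why the thread's options are not equivalent: a supplementary group or a primary-gid change both open the keytab to sssd_be, but only the mode bits on sssd's own files, not the group membership, keep other `_keytab` members out of them, and a file whose owner bits deny read stays unreadable to its owner even when its group bits would allow it.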
[SSSD] [sssd PR#616][comment] become_user: add supplementary groups so ad provider can access keytab
URL: https://github.com/SSSD/sssd/pull/616
Title: #616: become_user: add supplementary groups so ad provider can access keytab

sumit-bose commented:
"""
On Wed, Jul 11, 2018 at 12:19:33PM -0700, Jakub Hrozek wrote:
> On Wed, Jul 11, 2018 at 11:42:44AM -0700, sumit-bose wrote:
> > Thank you for the patch, it looks quite interesting.
> >
> > I wonder if you wouldn't be able to achieve the same by setting the primary
> > group of the _sssd user to _keytab?
>
> This would be my preference too. Or owning the keytab by
> keytab.sssd. Alternatively, could the keytab file allow the sssd user to
> read the contents with a POSIX ACL? (setfacl -m u:sssd:r /etc/krb5.keytab)
>
> > Additionally if you think that a secondary group is really necessary I
> > think it would be better to add a config option for this so that you can add
> > e.g. to the [domain/...] section 'secondary_gid = 12345'. This way
> > /etc/group (where the _sssd user is added to the _keytab group) is not a
> > required part of the SSSD configuration
>
> I don't understand this part, I'm sorry. Do you propose that sssd_be
> runs with some supplementary GIDs, but the responders don't? This makes
> sense, but in general I'm not sure I like constructing some artificial
> identity.

It is not about identity but giving the sssd_be the needed privileges to access the file. But as said above my preferences would be to use the primary gid or, as you suggested, POSIX ACLs to solve the issue.

> > and the initgroups() call can be avoided because
> > it might be expensive at some places where become_user() is called.
>
> This is a fair comment, although storing the sssd user in a remote
> directory (which is realistically the only setup which might be slow)
> doesn't strike me as the best idea.

become_user() is also used in krb5_child to switch to the user trying to log in to create the ccache with the right permissions.

> --
> You are receiving this because you commented.
> Reply to this email directly or view it on GitHub:
> https://github.com/SSSD/sssd/pull/616#issuecomment-404281393
"""

See the full comment at https://github.com/SSSD/sssd/pull/616#issuecomment-404285945
___
List Archives: https://lists.fedoraproject.org/archives/list/sssd-devel@lists.fedorahosted.org/message/SD2ZYSDQA3SMEGI6QM6A5HJTFFK4YHMU/
[SSSD] [sssd PR#616][comment] become_user: add supplementary groups so ad provider can access keytab
URL: https://github.com/SSSD/sssd/pull/616
Title: #616: become_user: add supplementary groups so ad provider can access keytab

jhrozek commented:
"""
On Wed, Jul 11, 2018 at 11:42:44AM -0700, sumit-bose wrote:
> Thank you for the patch, it looks quite interesting.
>
> I wonder if you wouldn't be able to achieve the same by setting the primary
> group of the _sssd user to _keytab?

This would be my preference too. Or owning the keytab by keytab.sssd. Alternatively, could the keytab file allow the sssd user to read the contents with a POSIX ACL? (setfacl -m u:sssd:r /etc/krb5.keytab)

> Additionally if you think that a secondary group is really necessary I
> think it would be better to add a config option for this so that you can add
> e.g. to the [domain/...] section 'secondary_gid = 12345'. This way /etc/group
> (where the _sssd user is added to the _keytab group) is not a required part
> of the SSSD configuration

I don't understand this part, I'm sorry. Do you propose that sssd_be runs with some supplementary GIDs, but the responders don't? This makes sense, but in general I'm not sure I like constructing some artificial identity.

> and the initgroups() call can be avoided because
> it might be expensive at some places where become_user() is called.

This is a fair comment, although storing the sssd user in a remote directory (which is realistically the only setup which might be slow) doesn't strike me as the best idea.
"""

See the full comment at https://github.com/SSSD/sssd/pull/616#issuecomment-404281393
___
List Archives: https://lists.fedoraproject.org/archives/list/sssd-devel@lists.fedorahosted.org/message/ZDE3RCOL6FCZLP7Y3P5FM4XED7XSDHNN/
[SSSD] [sssd PR#616][comment] become_user: add supplementary groups so ad provider can access keytab
URL: https://github.com/SSSD/sssd/pull/616
Title: #616: become_user: add supplementary groups so ad provider can access keytab

sumit-bose commented:
"""
Thank you for the patch, it looks quite interesting.

I wonder if you wouldn't be able to achieve the same by setting the primary group of the _sssd user to _keytab?

Additionally if you think that a secondary group is really necessary I think it would be better to add a config option for this so that you can add e.g. to the [domain/...] section 'secondary_gid = 12345'. This way /etc/group (where the _sssd user is added to the _keytab group) is not a required part of the SSSD configuration and the initgroups() call can be avoided because it might be expensive at some places where become_user() is called.
"""

See the full comment at https://github.com/SSSD/sssd/pull/616#issuecomment-404270980
___
List Archives: https://lists.fedoraproject.org/archives/list/sssd-devel@lists.fedorahosted.org/message/Q43VIVRVGJGKCUIM7HXCYNNQCSVLVTX6/
[SSSD] [sssd PR#616][comment] become_user: add supplementary groups so ad provider can access keytab
URL: https://github.com/SSSD/sssd/pull/616
Title: #616: become_user: add supplementary groups so ad provider can access keytab

fidencio commented:
"""
ok to test
"""

See the full comment at https://github.com/SSSD/sssd/pull/616#issuecomment-404221858
___
List Archives: https://lists.fedoraproject.org/archives/list/sssd-devel@lists.fedorahosted.org/message/A7TZU3V7IYXIWHJAYZNF662OI3NDF736/
[SSSD] [sssd PR#616][comment] become_user: add supplementary groups so ad provider can access keytab
URL: https://github.com/SSSD/sssd/pull/616
Title: #616: become_user: add supplementary groups so ad provider can access keytab

centos-ci commented:
"""
Can one of the admins verify this patch?
"""

See the full comment at https://github.com/SSSD/sssd/pull/616#issuecomment-404174418
___
List Archives: https://lists.fedoraproject.org/archives/list/sssd-devel@lists.fedorahosted.org/message/TO3JPEWSN7FYDGWHKRJ6OZLCWLJVDKOF/
[SSSD] [sssd PR#616][comment] become_user: add supplementary groups so ad provider can access keytab
URL: https://github.com/SSSD/sssd/pull/616
Title: #616: become_user: add supplementary groups so ad provider can access keytab

centos-ci commented:
"""
Can one of the admins verify this patch?
"""

See the full comment at https://github.com/SSSD/sssd/pull/616#issuecomment-404174417
___
List Archives: https://lists.fedoraproject.org/archives/list/sssd-devel@lists.fedorahosted.org/message/QVJ5Z6PRLCUVDUMGQUF6SYBSOOSG44HM/