[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

simo5 commented:
"""
@fidencio I do not care for unprivileged mode when it makes things way harder than they ought to be.
sssd can always make up a root account and escalate privileges anyway so running as a non privileged user is not high on my list of things to make work, especially because it simply can't for many tasks, making the software more complex (and thus buggier) for no good reason.
"""

See the full comment at https://github.com/SSSD/sssd/pull/498#issuecomment-365925337
___
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

fidencio commented:
"""
I've opened https://pagure.io/SSSD/sssd/issue/3638 and let's keep the discussion there.
"""

See the full comment at https://github.com/SSSD/sssd/pull/498#issuecomment-365878269
[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

fidencio commented:
"""
@lslebodn, I'd like to ask you to have a ticket opened about this and we'll treat it from there.
Also, @simo5, would you mind giving your opinion here?
"""

See the full comment at https://github.com/SSSD/sssd/pull/498#issuecomment-365847319
[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

lslebodn commented:
"""
Unfortunately, it was pushed without careful review.
That would not work when running sssd in non-privileged mode because `seteuid` will fail. And it was mentioned in upstream ticket https://pagure.io/SSSD/sssd/issue/3621

Quick POC
```
sh# su --shell=/bin/bash - sssd
sh$ python
Python 2.7.14 (default, Jan 31 2018, 14:27:00)
[GCC 8.0.1 20180127 (Red Hat 8.0.1-0.6)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.getuid()
974
>>> os.geteuid()
974
>>> os.seteuid(1000)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OSError: [Errno 1] Operation not permitted
```

BTW I ran a few basic tests in non-privileged mode and it works like a charm with the following IPA tests: selinux-usemap, sudo, hbac, user, group, netgroup, password changes, ssh keys, automount. I didn't test ad-trust tests because there is a known issue in non-privileged mode.
"""

See the full comment at https://github.com/SSSD/sssd/pull/498#issuecomment-365839135
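The failure shown in the POC above, as an added example that is not part of the thread and is not SSSD code: a C helper that performs one file operation under a temporary effective UID and checks every `seteuid` return, so a daemon running in non-privileged mode gets `EPERM` back instead of writing as the wrong user. The names `run_as_euid` and `create_private_file`, the `/tmp` path and the default target UID 1000 (taken from the POC) are assumptions made for the illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

typedef int (*euid_fn)(void *arg);

/* Hypothetical helper: run fn(arg) with the effective UID set to target,
 * then switch back. Returns 0 on success or an errno value. */
int run_as_euid(uid_t target, euid_fn fn, void *arg)
{
    uid_t orig = geteuid();
    int ret;

    /* Without CAP_SETUID this only succeeds when target is already the
     * real, effective or saved UID; otherwise it fails with EPERM. */
    if (seteuid(target) != 0) return errno;
    ret = fn(arg);
    /* Continuing under the wrong identity is worse than stopping. */
    if (seteuid(orig) != 0) abort();
    return ret;
}

/* Create a new file owned by the current effective UID, mode 0600.
 * O_EXCL and O_NOFOLLOW refuse pre-existing files and symlinks. */
int create_private_file(void *arg)
{
    int fd = open((const char *)arg,
                  O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    /* Default target UID 1000 mirrors the POC; the path is a placeholder. */
    uid_t target = (argc > 1) ? (uid_t)strtoul(argv[1], NULL, 10) : 1000;
    char path[64];
    int ret;

    snprintf(path, sizeof(path), "/tmp/euid-demo-%ld", (long)getpid());
    ret = run_as_euid(target, create_private_file, path);
    printf("euid %ld: %s\n", (long)target, ret ? strerror(ret) : "ok");
    return ret ? 1 : 0;
}
```

Run as an ordinary user with a foreign UID, this reports "Operation not permitted", the same errno as the Python traceback; run as root, the file is created and owned by the target UID.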
[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

jhrozek commented:
"""
* master:
  * f0cbe890adf696d8318373203580d709f3d38d8c
  * 1a011c4f20e80f2bcb4d10a4d690b3a88c2fd70d
  * 07ae0da06c0d94a3198e484d0de28c9282c4d6cd
  * 2c5b03913c54234efdabcff83de368bae72dc799
  * b576b290d3d7e165269edf36d6be27bc1441a688
  * 0fce902c563c3b54f2e67235668273ff7ff40752
"""

See the full comment at https://github.com/SSSD/sssd/pull/498#issuecomment-365744752
[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

fidencio commented:
"""
Adding the "Accepted" label as per @simo5's review and @olivergs's tests.
"""

See the full comment at https://github.com/SSSD/sssd/pull/498#issuecomment-365685945
[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

olivergs commented:
"""
After testing this patch in a clean environment it worked like a charm. Thanks!
"""

See the full comment at https://github.com/SSSD/sssd/pull/498#issuecomment-365685736
[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

fidencio commented:
"""
Thanks for the review, @simo5.
I'll add the accepted label (per your review) as soon as I hear back from Oliver (from FleetCommander) that his tests passed as well.
"""

See the full comment at https://github.com/SSSD/sssd/pull/498#issuecomment-365449789
[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

simo5 commented:
"""
I cannot set labels, but ACK
"""

See the full comment at https://github.com/SSSD/sssd/pull/498#issuecomment-365428458
[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

fidencio commented:
"""
@simo5, updated the patches according to your suggestion and did a local test here and it works like a charm.
"""

See the full comment at https://github.com/SSSD/sssd/pull/498#issuecomment-365423441
[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

fidencio commented:
"""
@simo5, can I have your blessing (and ACK) on those?
"""

See the full comment at https://github.com/SSSD/sssd/pull/498#issuecomment-364437733
[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

fidencio commented:
"""
Patch set has been updated!
"""

See the full comment at https://github.com/SSSD/sssd/pull/498#issuecomment-363520010
[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

fidencio commented:
"""
@simo5, for some reason I couldn't add you as a reviewer, but I'd like to hear some feedback from you here!
"""

See the full comment at https://github.com/SSSD/sssd/pull/498#issuecomment-362998097
[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

fidencio commented:
"""
Patch set has been updated and also there's a PR related to the design page of this feature: https://pagure.io/SSSD/docs/pull-request/62
"""

See the full comment at https://github.com/SSSD/sssd/pull/498#issuecomment-362997764
[SSSD] [sssd PR#498][comment] DESKPROFILE: Do not require CAP_DAC_OVERRIDE
URL: https://github.com/SSSD/sssd/pull/498
Title: #498: DESKPROFILE: Do not require CAP_DAC_OVERRIDE

lslebodn commented:
"""
Would you be so kind and update the design page first?
ATM it is unclear who should have which access to the related directory. Therefore it is difficult to say whether we can use this approach or need to use a different solution.

BTW, the linked ticket already contains such a suggestion:
```
it would be good to elaborate there more and specify who should have which access to files (rw, ro, ...)
```
"""

See the full comment at https://github.com/SSSD/sssd/pull/498#issuecomment-359419594