On (28/11/16 11:27), Jakub Hrozek wrote:
>On Mon, Nov 28, 2016 at 10:57:44AM +0100, Pavel Březina wrote:
>> On 11/28/2016 10:47 AM, Jakub Hrozek wrote:
>> > On Thu, Nov 24, 2016 at 02:33:04PM +0100, Fabiano Fidêncio wrote:
>> > > The design page is done [0] and it's based on this discussion [1] we
>> > > had on this very same mailing list. A pull-request with the
>> > > implementation is already opened [2].
>> > > 
>> > > [0]: 
>> > > https://fedorahosted.org/sssd/wiki/DesignDocs/SocketActivatableResponders
>> > > [1]: 
>> > > https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org/message/H6JOF5SGGSIJUIWYNANDA73ODHWBS7J2/
>> > > [2]: https://github.com/SSSD/sssd/pull/84
>> > > 
>> > > The full text of c&p here:
>> > 
>> > In general it looks good to me, but note that I was involved a bit with
>> > Fabiano in the discussion, so my view might be tainted.
>> 
>> I finally got to it. The design page looks good and I'll start reviewing the
>> patches.
>> 
>> The only thing I wonder about is whether we want to pass the parameters
>> "--uid 0 --gid 0 --debug-to-files" or read them from sssd.conf? I prefer
>> reading them.
>> 
>> Also, what do we use the private sockets for? Is it used only for root?
>
>Yes, that's where we route PAM requests started by UID 0 to.
>
For example, the nss responder needn't run as root. It does not require
any extra privileges, and the privileges are dropped as soon as possible.
The only issue might be with switching from root to non-root:
a responder needs to change the owner of its log files.
But it could be solved with ExecStartPre in the service file,

e.g.
[Service]
# runs as root: PermissionsStartOnly=true limits User=/Group= to ExecStart=
ExecStartPre=/usr/bin/chown sssd:sssd /var/log/sssd/sssd_nss.log
ExecStart=/usr/libexec/sssd/sssd_nss --debug-to-files
User=sssd
Group=sssd
PermissionsStartOnly=true

@see the explanation of PermissionsStartOnly in man 5 systemd.service

LS
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
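The security-relevant detail in the unit fragment above is easy to get wrong: without PermissionsStartOnly=true (or the newer "+" command prefix, available since systemd 231) the ExecStartPre= chown would itself run as the unprivileged User= account and fail, and a chown to the wrong owner leaves the daemon unable to write its log. The following lint script is an added example written for this page, not SSSD code and not part of the thread; the four unit texts it checks are constructed for the demo, and the list of commands treated as "needs root" (chown, chmod, mkdir) is an assumption of the example.

```shell
#!/bin/sh
# Added example, not SSSD code: lint a systemd [Service] fragment for the
# "privileged setup in ExecStartPre=, then drop to User=" pattern from the
# thread. The unit texts written by write_units are constructed for the demo.

# unit_get FILE KEY: print the value of the last KEY= line (systemd: last wins).
unit_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# chown_owner CMD: print the owner part of a chown command line, if any.
chown_owner() {
    printf '%s\n' "$1" | sed -n 's/.*chown[[:space:]][[:space:]]*\([^:[:space:]]*\).*/\1/p'
}

# check_unit FILE
# Returns 0 when the fragment is consistent with the pattern:
#   * User= names a non-root account, so the daemon itself is unprivileged;
#   * every ExecStartPre= that needs root (chown/chmod/mkdir, an assumption of
#     this example) runs with full privileges, either through
#     PermissionsStartOnly=true or the '+' command prefix (systemd >= 231);
#   * a chown in ExecStartPre= hands the file to the User= account.
# Returns 1 and prints each finding otherwise.
check_unit() {
    unit=$1
    user=$(unit_get "$unit" User)
    pso=$(unit_get "$unit" PermissionsStartOnly)
    bad=0
    if [ -z "$user" ] || [ "$user" = root ]; then
        echo "$unit: User= missing or root, the daemon keeps full privileges"
        return 1
    fi
    # Walk the ExecStartPre= lines in order; systemd runs them in that order.
    while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue
        case $cmd in
            +*) privileged=yes ;;   # explicit full-privilege prefix
            *)  if [ "$pso" = true ]; then privileged=yes; else privileged=no; fi ;;
        esac
        case $cmd in
            *chown*|*chmod*|*mkdir*)
                if [ "$privileged" = no ]; then
                    echo "$unit: '$cmd' runs as $user; add PermissionsStartOnly=true or a '+' prefix"
                    bad=1
                fi ;;
        esac
        owner=$(chown_owner "$cmd")
        if [ -n "$owner" ] && [ "$owner" != "$user" ]; then
            echo "$unit: chown gives the file to '$owner' but the daemon runs as '$user'"
            bad=1
        fi
    done <<EOF
$(sed -n 's/^[[:space:]]*ExecStartPre=//p' "$unit")
EOF
    return $bad
}

# write_units DIR: create four constructed unit fragments for the demo.
write_units() {
    cat > "$1/good_pso.service" <<'EOF'
[Service]
ExecStartPre=/usr/bin/chown sssd:sssd /var/log/sssd/sssd_nss.log
ExecStart=/usr/libexec/sssd/sssd_nss --debug-to-files
User=sssd
Group=sssd
PermissionsStartOnly=true
EOF
    cat > "$1/good_plus.service" <<'EOF'
[Service]
ExecStartPre=+/usr/bin/chown sssd:sssd /var/log/sssd/sssd_nss.log
ExecStart=/usr/libexec/sssd/sssd_nss --debug-to-files
User=sssd
Group=sssd
EOF
    cat > "$1/bad_nopso.service" <<'EOF'
[Service]
ExecStartPre=/usr/bin/chown sssd:sssd /var/log/sssd/sssd_nss.log
ExecStart=/usr/libexec/sssd/sssd_nss --debug-to-files
User=sssd
Group=sssd
EOF
    cat > "$1/bad_owner.service" <<'EOF'
[Service]
ExecStartPre=/usr/bin/chown root:root /var/log/sssd/sssd_nss.log
ExecStart=/usr/libexec/sssd/sssd_nss --debug-to-files
User=sssd
Group=sssd
PermissionsStartOnly=true
EOF
}

# Demo: lint all four fragments and report the ones that pass.
UNIT_DIR=$(mktemp -d)
write_units "$UNIT_DIR"
for f in "$UNIT_DIR"/*.service; do
    if check_unit "$f"; then echo "$f: OK"; fi
done
```

Run it on a real unit with check_unit /etc/systemd/system/foo.service after sourcing the script; the two bad_* fragments are rejected (chown running as sssd, and chown to root while the daemon runs as sssd), the two good_* fragments pass.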