On Tue, Nov 29, 2016 at 10:01 AM, Lukas Slebodnik <[email protected]> wrote:
> On (28/11/16 11:27), Jakub Hrozek wrote:
>> On Mon, Nov 28, 2016 at 10:57:44AM +0100, Pavel Březina wrote:
>>> On 11/28/2016 10:47 AM, Jakub Hrozek wrote:
>>>> On Thu, Nov 24, 2016 at 02:33:04PM +0100, Fabiano Fidêncio wrote:
>>>>> The design page is done [0] and it's based on this discussion [1] we
>>>>> had on this very same mailing list. A pull-request with the
>>>>> implementation is already opened [2].
>>>>>
>>>>> [0]: https://fedorahosted.org/sssd/wiki/DesignDocs/SocketActivatableResponders
>>>>> [1]: https://lists.fedorahosted.org/archives/list/[email protected]/message/H6JOF5SGGSIJUIWYNANDA73ODHWBS7J2/
>>>>> [2]: https://github.com/SSSD/sssd/pull/84
>>>>>
>>>>> The full text of c&p here:
>>>>
>>>> In general looks good to me, but note that I was involved a bit with
>>>> Fabiano in the discussion, so my view might be tainted.
>>>
>>> I finally got to it. The design page looks good and I'll start reviewing the
>>> patches.
>>>
>>> The only thing I wonder about is whether we want to pass parameters
>>> "--uid 0 --gid 0 --debug-to-files" or whether we will read them from
>>> sssd.conf? I prefer reading them.
>>>
>>> Also, what do we use the private sockets for? Is it used only for root?
>>
>> Yes, that's where we route PAM requests started by UID 0 to.
>>
> For example, the nss responder needn't run as root. It does not require
> any extra privileges, and the privileges are dropped as soon as possible.
> The only issue might be with switching from root to non-root:
> a responder needs to change the owner of its log files.
> But it could be solved with ExecStartPre in the service file,
>
> e.g.
> ExecStartPre=/usr/bin/chown sssd:sssd /var/log/sssd/sssd_nss.log
> ExecStart=/usr/libexec/sssd/sssd_nss --debug-to-files
> User=sssd
> Group=sssd
> PermissionsStartOnly=true
>
> @see the explanation of PermissionsStartOnly in man 5 systemd.service
I like the suggestion. But I would also like to ask which are the responders that have to be executed as root?

Best Regards,
--
Fabiano Fidêncio
_______________________________________________
sssd-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
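As an added illustration (not from this thread or from SSSD's own unit files), the privilege-drop pattern Lukas describes, placed in a hypothetical socket-activated unit pair for the nss responder; the unit names and the socket path are assumptions, and the `touch` step is added because `chown` fails, and with it the unit start, when the log file does not exist yet.

```ini
# sssd-nss.socket (hypothetical unit name; socket path is an assumption)
[Unit]
Description=SSSD NSS responder socket

[Socket]
# systemd creates and owns the listening socket, so the responder
# itself never needs root to bind it.
ListenStream=/var/lib/sss/pipes/nss
SocketUser=sssd
SocketGroup=sssd
SocketMode=0666

[Install]
WantedBy=sockets.target

# sssd-nss.service (hypothetical unit name)
[Unit]
Description=SSSD NSS responder
Requires=sssd-nss.socket

[Service]
Type=simple
# Both ExecStartPre= lines still run as root: create the log file if it
# is missing (chown on an absent file fails the unit), then hand it to
# the unprivileged user before the responder opens it.
ExecStartPre=/usr/bin/touch /var/log/sssd/sssd_nss.log
ExecStartPre=/usr/bin/chown sssd:sssd /var/log/sssd/sssd_nss.log
# The responder itself runs with User=/Group= applied.
ExecStart=/usr/libexec/sssd/sssd_nss --debug-to-files
User=sssd
Group=sssd
# Restricts User=/Group= to ExecStart=, leaving ExecStartPre= as root.
# On systemd >= 231 the per-command "+" prefix
# (ExecStartPre=+/usr/bin/chown ...) expresses the same thing.
PermissionsStartOnly=true
```

Whether `--debug-to-files` stays on the command line or comes from sssd.conf, as Pavel asks above, does not change the ownership step: the log file must be writable by the dropped-to user before ExecStart= runs.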
