On (29/11/16 10:30), Jakub Hrozek wrote:
>On Tue, Nov 29, 2016 at 10:24:03AM +0100, Fabiano Fidêncio wrote:
>> On Tue, Nov 29, 2016 at 10:01 AM, Lukas Slebodnik <[email protected]>
>> wrote:
>> > On (28/11/16 11:27), Jakub Hrozek wrote:
>> >>On Mon, Nov 28, 2016 at 10:57:44AM +0100, Pavel Březina wrote:
>> >>> On 11/28/2016 10:47 AM, Jakub Hrozek wrote:
>> >>> > On Thu, Nov 24, 2016 at 02:33:04PM +0100, Fabiano Fidêncio wrote:
>> >>> > > The design page is done [0] and it's based on this discussion [1] we
>> >>> > > had on this very same mailing list. A pull-request with the
>> >>> > > implementation is already opened [2].
>> >>> > >
>> >>> > > [0]:
>> >>> > > https://fedorahosted.org/sssd/wiki/DesignDocs/SocketActivatableResponders
>> >>> > > [1]:
>> >>> > > https://lists.fedorahosted.org/archives/list/[email protected]/message/H6JOF5SGGSIJUIWYNANDA73ODHWBS7J2/
>> >>> > > [2]: https://github.com/SSSD/sssd/pull/84
>> >>> > >
>> >>> > > The full text of c&p here:
>> >>> >
>> >>> > In general looks good to me, but note that I was involved a bit with
>> >>> > Fabiano in the discussion, so my view might be tainted.
>> >>>
>> >>> I finally got to it. The design page looks good and I'll start reviewing
>> >>> the patches.
>> >>>
>> >>> The only thing I wonder about is whether we want to pass parameters
>> >>> "--uid 0 --gid 0 --debug-to-files" or we will read them from sssd.conf?
>> >>> I prefer reading them.
>> >>>
>> >>> Also what do we use the private sockets for? Is it used only for root?
>> >>
>> >>Yes, that's where we route PAM requests started by UID 0 to.
>> >>
>> > For example. The nss responder needn't run as root. It does not require
>> > any extra privileges. And the privileges are dropped as soon as possible.
>> > The only issue might be with switching from root to non-root.
>> > A responder needs to change owner of log files.
>> > But it could be solved with ExecStartPre in service file
>> >
>> > e.g.
>> > ExecStartPre=/usr/bin/chown sssd:sssd /var/log/sssd/sssd_nss.log
>> > ExecStart=/usr/libexec/sssd/sssd_nss --debug-to-files
>> > User=sssd
>> > Group=sssd
>> > PermissionsStartOnly=true
>> >
>> > @see the explanation of PermissionsStartOnly in man 5 systemd.service
>>
>> I like the suggestion. But I also would like to ask which are the
>> responders that have to be executed as root?
>
>I guess ideally none, especially some security certifications require
>that no code that authenticates users runs as root. But we're not there yet,
>see for example:
> https://fedorahosted.org/sssd/ticket/3014

it is not related to responder.

>or:
> https://fedorahosted.org/sssd/ticket/3099
>

it is not related to responder either.

>btw now that you nuked the config changing API in IFP, it should be
>possible for IFP to drop privileges after it connects to the system bus
>(or even before? I'm really not sure anymore).
>
>Can we have a ticket to examine if we can start IFP as the sssd user?

ifp responder can be started with --uid 0 --gid 0 and not with
--unprivileged-start. We can convert to unprivileged-start later if possible.
So far I cannot see any big issue. Circular dependency between resolving
sssd user and files provider can be solved with hardcoded UID GID.

LS
_______________________________________________
sssd-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
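The ExecStartPre/PermissionsStartOnly pattern Lukas sketches, expanded into a complete socket-activated unit pair for the NSS responder. This is an added illustration, not the units from the SSSD tree or from pull request 84; the unit names sssd-nss.socket/sssd-nss.service and the socket path /var/lib/sss/pipes/nss are assumptions, and the responder is assumed to accept a socket handed over by systemd.

```ini
# --- sssd-nss.socket (assumed unit name; separate file) ---
# systemd owns the listening socket: the responder is started only when a
# client connects, and the process never has to create or chown the socket.
[Unit]
Description=SSSD NSS responder socket

[Socket]
# Assumed path for the public NSS socket.
ListenStream=/var/lib/sss/pipes/nss
SocketUser=sssd
SocketGroup=sssd
SocketMode=0666

[Install]
WantedBy=sockets.target

# --- sssd-nss.service (assumed unit name; separate file) ---
[Unit]
Description=SSSD NSS responder
Requires=sssd-nss.socket

[Service]
# Weak form: the responder is launched as root (the "--uid 0 --gid 0"
# variant discussed in the thread). A bug in the responder then runs
# with full privileges.
#ExecStart=/usr/libexec/sssd/sssd_nss --debug-to-files --uid 0 --gid 0

# Hardened form: systemd starts the responder as the unprivileged sssd
# user. The only step that needs root (fixing log file ownership) runs in
# ExecStartPre; PermissionsStartOnly=true makes User=/Group= apply to
# ExecStart only, so chown still runs as root (man 5 systemd.service).
# Note that chown fails, and with it the unit, if the log file does not
# exist yet; create it beforehand or prefix the command with "-" to
# ignore that failure.
ExecStartPre=/usr/bin/chown sssd:sssd /var/log/sssd/sssd_nss.log
ExecStart=/usr/libexec/sssd/sssd_nss --debug-to-files
User=sssd
Group=sssd
PermissionsStartOnly=true
# Since systemd 231 the same effect is spelled without PermissionsStartOnly:
# a leading "+" runs that single command with full privileges.
#ExecStartPre=+/usr/bin/chown sssd:sssd /var/log/sssd/sssd_nss.log

# Cheap extra containment once the process is unprivileged anyway.
NoNewPrivileges=true
PrivateTmp=true
```

Verify the result on a running system with `systemctl show sssd-nss.service -p User -p PermissionsStartOnly` and `ps -o user,cmd -C sssd_nss` after the first client connects; the responder should appear as sssd, not root.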
