On Tue, Nov 29, 2016 at 10:50:31AM +0100, Lukas Slebodnik wrote:
> On (29/11/16 10:27), Jakub Hrozek wrote:
> >On Tue, Nov 29, 2016 at 10:01:58AM +0100, Lukas Slebodnik wrote:
> >> On (28/11/16 11:27), Jakub Hrozek wrote:
> >> >On Mon, Nov 28, 2016 at 10:57:44AM +0100, Pavel Březina wrote:
> >> >> On 11/28/2016 10:47 AM, Jakub Hrozek wrote:
> >> >> > On Thu, Nov 24, 2016 at 02:33:04PM +0100, Fabiano Fidêncio wrote:
> >> >> > > The design page is done [0] and it's based on this discussion [1] we
> >> >> > > had on this very same mailing list. A pull-request with the
> >> >> > > implementation is already opened [2].
> >> >> > > 
> >> >> > > [0]: 
> >> >> > > https://fedorahosted.org/sssd/wiki/DesignDocs/SocketActivatableResponders
> >> >> > > [1]: 
> >> >> > > https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org/message/H6JOF5SGGSIJUIWYNANDA73ODHWBS7J2/
> >> >> > > [2]: https://github.com/SSSD/sssd/pull/84
> >> >> > > 
> >> >> > > The full text of c&p here:
> >> >> > 
> >> >> > In general looks good to me, but note that I was involved a bit with
> >> >> > Fabiano in the discussion, so my view might be tainted.
> >> >> 
> >> >> I finally got to it. The design page looks good and I'll start
> >> >> reviewing the patches.
> >> >> 
> >> >> The only thing I wonder about is whether we want to pass parameters
> >> >> "--uid 0 --gid 0 --debug-to-files" or we will read them from sssd.conf?
> >> >> I prefer reading them.
> >> >> 
> >> >> Also what do we use the private sockets for? Is it used only for root?

This is the question, right? What do we use the private sockets for,
like this one:
    /var/lib/sss/pipes/private/pam
as opposed to this one:
    /var/lib/sss/pipes/pam

> >> >
> >> >Yes, that's where we route PAM requests started by UID 0 to.
> >> >
> >> For example. The nss responder needn't run as root.
> >
> >I don't think this is about the identity the responder runs at, but
> >about the identity of the client who talks to the responder socket, no?
> >
> I do not understand. Could you elaborate or provide an example?
> Where do you see a problem with a pure systemd solution for
> unprivileged responders? We need to provide service files anyway.

So provided I'm answering the right question :) the logic that routes
the PAM request to /var/lib/sss/pipes/private/pam or
/var/lib/sss/pipes/pam is in sss_pam_make_request(). If the PAM
application is running as UID 0, then the PAM module writes to
SSS_PAM_PRIV_SOCKET_NAME, otherwise it writes to SSS_PAM_SOCKET_NAME.
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org