On (29/11/16 11:03), Jakub Hrozek wrote: >On Tue, Nov 29, 2016 at 10:50:31AM +0100, Lukas Slebodnik wrote: >> On (29/11/16 10:27), Jakub Hrozek wrote: >> >On Tue, Nov 29, 2016 at 10:01:58AM +0100, Lukas Slebodnik wrote: >> >> On (28/11/16 11:27), Jakub Hrozek wrote: >> >> >On Mon, Nov 28, 2016 at 10:57:44AM +0100, Pavel Březina wrote: >> >> >> On 11/28/2016 10:47 AM, Jakub Hrozek wrote: >> >> >> > On Thu, Nov 24, 2016 at 02:33:04PM +0100, Fabiano Fidêncio wrote: >> >> >> > > The design page is done [0] and it's based on this discussion [1] >> >> >> > > we >> >> >> > > had on this very same mailing list. A pull-request with the >> >> >> > > implementation is already opened [2]. >> >> >> > > >> >> >> > > [0]: >> >> >> > > https://fedorahosted.org/sssd/wiki/DesignDocs/SocketActivatableResponders >> >> >> > > [1]: >> >> >> > > https://lists.fedorahosted.org/archives/list/[email protected]/message/H6JOF5SGGSIJUIWYNANDA73ODHWBS7J2/ >> >> >> > > [2]: https://github.com/SSSD/sssd/pull/84 >> >> >> > > >> >> >> > > The full text of c&p here: >> >> >> > >> >> >> > In general looks good to me, but note that I was involved a bit with >> >> >> > Fabiano in the discussion, so my view might be tainted. >> >> >> >> >> >> I finally got to it. The design page looks good and I'll start >> >> >> reviewing the >> >> >> patches. >> >> >> >> >> >> The only think I wonder about is whether we want to pass parameters " >> >> >> --uid >> >> >> 0 --gid 0 --debug-to-files" or we will read the from sssd.conf? I >> >> >> prefer >> >> >> reading them. >> >> >> >> >> >> Also what do we use the private sockets for? It is used only for root? > >This is the question, right? What do we use the private sockets for, >like this one: > /var/lib/sss/pipes/private/pam >as opposed to this one: > /var/lib/sss/pipes/pam > >> >> > >> >> >Yes, that's where we route PAM requests started by UID 0 to. >> >> > >> >> For example. The nss responder need't run as root. >> > >> >I don't think this is about the identity the responder runs at, but >> >about the identity of the client who talks to the responder socket, no? >> > >> I do not understant. Could you elaborate or provide an example? >> Where you can see a problem with pure systemd solution for >> unprivileged responders. We need to provide service files anyway. > >So provided I'm answering the right question :) the logic that routes >the PAM request to /var/lib/sss/pipes/private/pam or >/var/lib/sss/pipes/pam is in sss_pam_make_request(). If the PAM >application is running as UID 0, then the PAM module writes to ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ how is it related to running pam responder as UID 0?
>SSS_PAM_PRIV_SOCKET_NAME, otherwise it writes to SSS_PAM_SOCKET_NAME. Both sockets are created in function *pam_process_init* which is called after dropping privileges in *server_setup*. So I cannot see any problem for starting sssd_pam responder as unprivileged user which would be done by systemd. LS _______________________________________________ sssd-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
