URL: https://github.com/SSSD/sssd/pull/183
Title: #183: More socket-activation fixes
lslebodn commented:
"""
NACK to removing non-privileged user from all services.
Ticket https://pagure.io/SSSD/sssd/issue/3322 is only about sssd-nss.service.

We might use numeric values `/bin/chown 0:0` in sssd-nss.service or drop `chown` from _sssd-nss.service_, because root can write even to files owned by a non-privileged user.

@sgallagher
The purpose of calling `chown` in `ExecStartPre` is to allow starting responders as non-privileged from the beginning. Systemd drops permissions before `exec`.

`chown_debug_file` is used only with monitor + non-privileged user because we have the capability to change the owner of the file as root and then drop privileges.

There might be TOCTOU but it is not related to socket activated services.
"""

See the full comment at https://github.com/SSSD/sssd/pull/183#issuecomment-285617124