URL: https://github.com/SSSD/sssd/pull/183 Title: #183: More socket-activation fixes
jhrozek commented:
"""
On Fri, Mar 10, 2017 at 05:50:58AM -0800, fidencio wrote:
> @sgallah, @lslebodn
>
> On Fri, Mar 10, 2017 at 2:22 PM, Stephen Gallagher <notificati...@github.com
> > wrote:
>
> > @lslebodn <https://github.com/lslebodn>
> >
> > @sgallagher <https://github.com/sgallagher> The purpose of calling chown
> > in ExecStartPre is to allow starting responders as non-privileged from
> > beginning. Systemd drops permissions before exec.
> >
> > Yeah, I get that. And I told @fidencio <https://github.com/fidencio> on
> > IRC that we can live with the TOCTOU for the time being and figure out a
> > better option later. That said, we cannot use /usr/bin/chown for this,
> > because it unconditionally calls getpwnam()/getpwuid() in its execution,
> > which causes a problem when socket-activating. I suggested that we might
> > want to just create a reduced-functionality /usr/libexec/sssd/sss_chown
> > that calls only the low-level system function.
> >
>
> Well, considering we write our own sss_chown binary ... as we still don't
> have a static uid for the sssd user we would end up calling
> getpwnam()/getpwuid() for the unprivileged user.
>
> In other words, it would solve the situation but only for the NSS
> responder.
>
> What I'm proposing is to take a step back and do *not* support unprivileged
> users for socket-activated services for now. Get the socket-activation
> working without cycle dependency on SSSD and avoid the TOCTOU issue.

btw I think this is better instead of providing a hack because by default,
even if the service is started explicitly in the [sssd] section, it runs as
root. As long as we track switching to nonroot in the next release, I prefer
running as root over adding hacks to the code.

>
> Once we have the static uid for the sssd user on Fedora then I can start
> bugging Debian/Ubuntu/openSUSE/SUSE maintainers in order to provide the
> same and we get back to supporting the unprivileged user for
> socket-activated services.
>
> That's my suggestion ... but I'd go with whatever you guys agree on ...
>
> Best Regards,
> --
> Fabiano Fidêncio
"""

See the full comment at https://github.com/SSSD/sssd/pull/183#issuecomment-285674937
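
An added example, not code from the SSSD project or from anyone in this thread: a chown helper that accepts only numeric ids, so it never calls getpwnam()/getpwuid() and cannot trigger an NSS lookup while a responder is being socket-activated. The names `parse_id` and `chown_numeric` are hypothetical, the caller is assumed to already know the target uid/gid numerically (the static-uid case discussed above), and opening with O_NOFOLLOW and calling fchown() on the descriptor is this example's choice rather than something the thread specifies.

```c
/* Added example: hypothetical helper, not SSSD's code. Assumes numeric ids. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Parse a strictly numeric id; names such as "sssd" are rejected so that
 * no NSS lookup (getpwnam/getgrnam) is ever needed. Returns 0 or -1. */
int parse_id(const char *s, unsigned long *out)
{
    char *end;
    if (s == NULL || *s < '0' || *s > '9') return -1;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v >= 0xFFFFFFFFUL) return -1;
    *out = v;
    return 0;
}

/* Change ownership through a file descriptor: O_NOFOLLOW refuses a symlink
 * as the final path component, and fstat/fchown act on the opened object. */
int chown_numeric(const char *path, unsigned long uid, unsigned long gid)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return -1;
    int ret = -1;
    if (fstat(fd, &st) == 0 && (S_ISREG(st.st_mode) || S_ISDIR(st.st_mode)))
        ret = fchown(fd, (uid_t)uid, (gid_t)gid);
    close(fd);
    return ret;
}

int main(int argc, char **argv)
{
    unsigned long uid, gid;
    if (argc != 4 || parse_id(argv[1], &uid) || parse_id(argv[2], &gid)) {
        fprintf(stderr, "usage: %s <numeric-uid> <numeric-gid> <path>\n", argv[0]);
        return 2;
    }
    if (chown_numeric(argv[3], uid, gid) != 0) {
        perror(argv[3]);
        return 1;
    }
    return 0;
}
```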