On Fri, Jan 26, 2018 at 03:06:31PM +0100, Fabiano Fidêncio wrote: > On Mon, Jan 22, 2018 at 3:20 PM, Simo Sorce <s...@redhat.com> wrote: > > > On Mon, 2018-01-22 at 15:10 +0100, Fabiano Fidêncio wrote: > > > People, > > > > > > Let's start with the context of this email: > > > https://bugzilla.redhat.com/show_bug.cgi?id=1536854 > > > So, seems that even without knowing that, I've relied on CAP_DAC_OVERRIDE > > > in order to have the Fleet Commander integration working as expected and > > in > > > the implementation details of this feature. > > > > > > The desktop profiles are stored in a dir like: > > > /var/lib/sss/deskprofile/$domain/$user/$profile. > > > > > > Currently, the way I've been creating those are: > > > $domain = 755 (root:root) > > > $user = 600 ($user:$user_group) > > > $profile = 600 ($user:$user_group) > > > > > > Now, as mentioned in the bugzilla linked in this email, the current code > > > fails with an EACCES. > > > > > > With all this background, I'd like to discuss what's the best approach to > > > take. I've opened a PR (https://github.com/SSSD/sssd/pull/498) which > > makes > > > everything work again, but does the following changes: > > > > > > $domain = 755 (root:root) -- NO changes here > > > $user = 770 ($user:root) --> changed from 600 ($user:$user_group) > > > $profile = 660 ($user:root) --> changed from 600 ($user:$user_group) > > > > > > This is one way to solve the issue suggested at > > > https://bugzilla.redhat.com/show_bug.cgi?id=1536854#c5. > > > > > > Another suggestion, also mentioned in the bugzilla, would be to only > > > fchown()/fchmod() the files/dirs *after* all the operations we do are > > over. > > > > > > Is there any other suggestion? Whatever comes out of this discussion will > > > be used to update the feature's design page accordingly. > > > > Change euid to that of the user during operations, leave the > > permissions strict ? > > > > Does the other developers agree with Simo's proposal? If yes, I'll just > update the DesignPage accordingly and provide the patches.
This happens in the main backend process not in a child, right? I wonder if there is a chance that e.g. a signal can force to backend to do something else when running with the changed euid? Is there something you do not like about the approach of PR498? bye, Sumit > > > > > > Simo. > > > > -- > > Simo Sorce > > Sr. Principal Software Engineer > > Red Hat, Inc > > _______________________________________________ > > sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org > > To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org > > > _______________________________________________ > sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org > To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org _______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
