Running gssproxy as a non-privileged user
by Levin Stanislav
Hello All.
I'm planning to run gssproxy as a non-privileged user (say _gssproxy).
I see that there is such possibility via "run_as_user".
Moreover, I want to deliver this as default to my distro.
The expected gssproxy's clients are FreeIPA, NFS-{server,client} with
their default gssproxy configs.
So, i've checked against FreeIPA.
It seems that works, but there is an error message:
```
gssproxy[9862]: Unexpected failure in realpath: 13 (Permission denied)
```
Which come from:
```
lstat("/proc", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
lstat("/proc/4054", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
lstat("/proc/4054/exe", {st_mode=S_IFLNK|0777, st_size=0, ...}) = 0
readlink("/proc/4054/exe", 0x7ffe7dbf5ee0, 4095) = -1 EACCES (Permission
denied)
```
As I understood from man page and code a canonical path to a program is
used to whether allow service access to gssproxy or not.
Please, consider next code:
```
struct gp_service *gp_creds_match_conn(struct gssproxy_ctx
*gpctx,
struct gp_conn
*conn)
{
struct gp_creds
*gcs;
const char
*socket;
const char
*program;
gcs =
gp_conn_get_creds(conn);
socket =
gp_conn_get_socket(conn);
program =
gp_conn_get_program(conn);
for (int i = 0; i < gpctx->config->num_svcs; i++)
{
struct gp_service *svc =
gpctx->config->svcs[i];
if ((!svc->any_uid && svc->euid != gcs->ucred.uid)
||
!gp_conn_check_selinux(conn, svc->selinux_ctx)
||
(svc->program && !gp_same(program, svc->program))
||
(svc->socket && !gp_same(socket, svc->socket))
||
(!svc->socket && !gp_same(socket,
gpctx->config->socket_name))) {
continue;
}
GPDEBUGN(2, "Connection matched service %s\n",
svc->name);
return
svc;
}
GPDEBUGN(2, "No matching service
found\n");
return
NULL;
}
```
The pattern 'program = /a/b/c' will not work in such a case because
"program" pointer is always 0x0.
For now this is no problem for FreeIPA, NFS. But in future there may be
new clients of gssproxy.
So, my question are there any other known limitations of utilization of
gssproxy non-privileged user?
Thank you in advance!
5 years
branch master updated (f59040a -> 1aff8e4)
by git repository hosting
This is an automated email from the git hooks/post-receive script.
simo pushed a change to branch master
in repository gssproxy.
from f59040a Check for test-relevant executables early in suite
add 1aff8e4 Fix typo about pid-file
No new revisions were added by this update.
Summary of changes:
conf_macros.m4 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
5 years
