On Tue, Nov 29, 2016 at 10:24:03AM +0100, Fabiano Fidêncio wrote:
On Tue, Nov 29, 2016 at 10:01 AM, Lukas Slebodnik
<lslebodn(a)redhat.com> wrote:
> On (28/11/16 11:27), Jakub Hrozek wrote:
>>On Mon, Nov 28, 2016 at 10:57:44AM +0100, Pavel Březina wrote:
>>> On 11/28/2016 10:47 AM, Jakub Hrozek wrote:
>>> > On Thu, Nov 24, 2016 at 02:33:04PM +0100, Fabiano Fidêncio wrote:
>>> > > The design page is done [0] and it's based on this discussion [1] we
>>> > > had on this very same mailing list. A pull-request with the
>>> > > implementation is already opened [2].
>>> > >
>>> > > [0]: https://fedorahosted.org/sssd/wiki/DesignDocs/SocketActivatableResponders
>>> > > [1]: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahoste...
>>> > > [2]: https://github.com/SSSD/sssd/pull/84
>>> > >
>>> > > The full text of c&p here:
>>> >
>>> > In general looks good to me, but note that I was involved a bit with
>>> > Fabiano in the discussion, so my view might be tainted.
>>>
>>> I finally got to it. The design page looks good and I'll start reviewing the
>>> patches.
>>>
>>> The only thing I wonder about is whether we want to pass parameters "--uid
>>> 0 --gid 0 --debug-to-files" or we will read them from sssd.conf? I prefer
>>> reading them.
>>>
>>> Also what do we use the private sockets for? Is it used only for root?
>>
>>Yes, that's where we route PAM requests started by UID 0 to.
>>
> For example, the nss responder needn't run as root. It does not require
> any extra privileges. And the privileges are dropped as soon as possible.
> The only issue might be with switching from root to non-root.
> A responder needs to change the owner of log files.
> But it could be solved with ExecStartPre in the service file
>
> e.g.
> ExecStartPre=/usr/bin/chown sssd:sssd /var/log/sssd/sssd_nss.log
> ExecStart=/usr/libexec/sssd/sssd_nss --debug-to-files
> User=sssd
> Group=sssd
> PermissionsStartOnly=true
>
> @see the explanation of PermissionsStartOnly in man 5 systemd.service
I like the suggestion. But I also would like to ask which are the
responders that have to be executed as root?
I guess ideally none, especially some security certifications require
that no code that authenticates users runs as root. But we're not there yet,
see for example:
https://fedorahosted.org/sssd/ticket/3014
or:
https://fedorahosted.org/sssd/ticket/3099
btw now that you nuked the config changing API in IFP, it should be
possible for IFP to drop privileges after it connects to the system bus
(or even before? I'm really not sure anymore).
Can we have a ticket to examine if we can start IFP as the sssd user?
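As an added example, not part of this thread or of the sssd project: a small Python check that parses the [Service] section of a systemd unit and flags the two privilege issues discussed above, a responder still running as root, and an ExecStartPre= fix-up (like the chown) that would run unprivileged once User= is set unless PermissionsStartOnly=true or, on newer systemd, the "+" command prefix is used. The unit texts below are constructed samples, and the "+" prefix handling assumes a systemd new enough to support it.

```python
"""Audit systemd unit text for the non-root responder pattern."""

# Constructed sample units (not sssd's shipped unit files).
ROOT_UNIT = """[Service]
ExecStart=/usr/libexec/sssd/sssd_nss --debug-to-files
"""

SEPARATED_UNIT = """[Service]
ExecStartPre=/usr/bin/chown sssd:sssd /var/log/sssd/sssd_nss.log
ExecStart=/usr/libexec/sssd/sssd_nss --debug-to-files
User=sssd
Group=sssd
PermissionsStartOnly=true
"""

FINDING_ROOT = "service runs as root (no User= set)"
FINDING_PRE = ("ExecStartPre= runs unprivileged: set PermissionsStartOnly=true "
               "or prefix the command with '+'")


def parse_service_section(text):
    """Return [Service] keys as {key: [values]}; systemd keys may repeat."""
    section, result = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        result.setdefault(key.strip(), []).append(value.strip())
    return result


def audit_unit(text):
    """Return findings about how the unit handles privilege separation."""
    svc = parse_service_section(text)
    user = svc.get("User", ["root"])[-1]          # systemd default is root
    if user == "root":
        return [FINDING_ROOT]
    pre = svc.get("ExecStartPre", [])
    start_only = svc.get("PermissionsStartOnly", ["no"])[-1].lower()
    # A '+' prefix makes that one command run with full privileges.
    privileged_pre = [p for p in pre if p.startswith("+")]
    if pre and start_only not in ("true", "yes", "on", "1") and not privileged_pre:
        return [FINDING_PRE]
    return []
```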