On Thu, 2012-07-05 at 21:01 +0200, Sumit Bose wrote:
> On Thu, Jul 05, 2012 at 01:30:02PM -0400, Simo Sorce wrote:
> > On Thu, 2012-07-05 at 18:51 +0200, Sumit Bose wrote:
> > > On Thu, Jul 05, 2012 at 09:12:16AM -0400, Simo Sorce wrote:
> > > > On Thu, 2012-07-05 at 14:06 +0200, Sumit Bose wrote:
> > > > >
> > > > >
> > > > > Hi,
> > > > >
> > > > > this patch added the checks requested in ticket #1382 to the PAC
> > > > > responder. The check itself can be found in the common responder code.
> > > > > It can be used by all responders, but currently only the PAC responder
> > > > > uses it.
> > > > >
> > > > > I took a quite strict default here, i.e. only root is allowed to access
> > > > > the PAC responder by default. Is this too restrictive?
> > > > >
> > > >
> > > > Patch looks good, but I wonder why you do not allow specifying user
> > > > names, a getpwnam() is not too expensive.
> > >
> > > yes, but I think this way is more robust because I expect that someone
> > > will have some system accounts served by sssd, see e.g.
> > >
> > > https://fedorahosted.org/sssd/ticket/1357 . But if you prefer I can add
> > > a loop with getpwnam() at startup time.
> >
> > I think we can express the problems with using usernames in the man
> > page.
> >
> > If this list is generated after the sssd_nss responder is started
> > though, we should have no issues resolving any name even if sssd itself
> > provides them (assuming you unset the env variable that prevents loops
> > in the PAC responder).
>
> Ok, then I will change it to accept usernames. Shall it be usernames
> only or usernames and UIDs (and if the second, what about numerical
> usernames :-)
Usernames and uids, a numeric only string is always a uid.
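The allow-list semantics settled on in this exchange (root-only default, entries that are either user names or uids, a numeric-only string always taken as a uid so numerical user names are never looked up, names resolved once with getpwnam() at startup) are shown below as an added example written for this page; it is not sssd code and does not reflect how the patch under discussion was implemented. The option format (comma or space separated), the `MAX_ALLOWED` limit, the `resolve_fn` callback and the constructed table resolver `resolve_from_table` (which exists only so the example runs without a passwd database) are all assumptions of this example.

```c
#include <ctype.h>
#include <errno.h>
#include <pwd.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define MAX_ALLOWED 64   /* assumed upper bound on allow-list entries */

/* Resolver callback: maps a user name to a uid, false if unknown.
 * Injected so the list parser can be exercised with a fixed table. */
typedef bool (*resolve_fn)(const char *name, uid_t *out);

struct allowed_uids {
    uid_t uids[MAX_ALLOWED];
    size_t count;
};

/* Production resolver: getpwnam(), called once per name at startup. */
bool resolve_with_getpwnam(const char *name, uid_t *out)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return false;
    *out = pw->pw_uid;
    return true;
}

/* Constructed resolver with a fixed table (not a real user database).
 * The entry "1001" plays the role of a numerical user name: the parser
 * must never consult it, because a numeric-only token is always a uid. */
bool resolve_from_table(const char *name, uid_t *out)
{
    static const struct { const char *name; uid_t uid; } table[] = {
        { "alice", 1001 }, { "bob", 1002 }, { "1001", 9999 },
    };
    for (size_t i = 0; i < sizeof(table) / sizeof(table[0]); i++) {
        if (strcmp(table[i].name, name) == 0) {
            *out = table[i].uid;
            return true;
        }
    }
    return false;
}

/* A token made only of digits is a uid and is never looked up as a name. */
bool parse_uid(const char *tok, uid_t *out)
{
    if (*tok == '\0')
        return false;
    for (const char *p = tok; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p))
            return false;
    errno = 0;
    char *end = NULL;
    unsigned long v = strtoul(tok, &end, 10);
    if (errno != 0 || *end != '\0' || v > (unsigned long)(uid_t)-1)
        return false;
    *out = (uid_t)v;
    return true;
}

/* Build the allow-list from a comma/space separated option value.
 * An empty list means only root (uid 0), the strict default from the thread.
 * Returns the number of entries, or -1 if a name cannot be resolved. */
int parse_allowed_uids(const char *list, resolve_fn resolve, struct allowed_uids *acl)
{
    acl->count = 0;
    if (list == NULL || *list == '\0') {
        acl->uids[acl->count++] = 0;
        return 1;
    }
    for (const char *p = list; *p != '\0';) {
        while (*p == ',' || *p == ' ')
            p++;
        if (*p == '\0')
            break;
        char tok[256];
        size_t n = 0;
        while (*p != '\0' && *p != ',' && *p != ' ') {
            if (n + 1 >= sizeof(tok))
                return -1;                       /* token too long */
            tok[n++] = *p++;
        }
        tok[n] = '\0';
        uid_t uid;
        if (!parse_uid(tok, &uid) && !resolve(tok, &uid)) {
            fprintf(stderr, "cannot resolve [%s] in allowed list\n", tok);
            return -1;                           /* refuse to start with a bad list */
        }
        if (acl->count >= MAX_ALLOWED)
            return -1;
        acl->uids[acl->count++] = uid;
    }
    return (int)acl->count;
}

/* Access decision for a connecting peer's uid (a socket server would take
 * this from the peer credentials, e.g. SO_PEERCRED on Linux). */
bool uid_allowed(const struct allowed_uids *acl, uid_t peer)
{
    for (size_t i = 0; i < acl->count; i++)
        if (acl->uids[i] == peer)
            return true;
    return false;
}

/* Parse then check: 1 = allowed, 0 = denied, -1 = list could not be parsed. */
int list_allows(const char *list, resolve_fn resolve, uid_t peer)
{
    struct allowed_uids acl;
    if (parse_allowed_uids(list, resolve, &acl) < 0)
        return -1;
    return uid_allowed(&acl, peer) ? 1 : 0;
}
```

Resolving names at startup, as the thread suggests, also means a typo in the list is caught when the responder starts instead of silently denying everyone later; the parser therefore returns -1 on an unresolvable name rather than skipping it. With `resolve_with_getpwnam` the same functions work against the local passwd database.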