On Thu, 27 Nov 2014 09:25:09 -0500
Simo Sorce <simo(a)redhat.com> wrote:
On Thu, 27 Nov 2014 15:09:32 +0200
Nikolai Kondrashov <Nikolai.Kondrashov(a)redhat.com> wrote:
> Hi everyone,
>
> While trying to arrange running sssd under cwrap in "make check" I
> came upon this roadblock:
>
> There doesn't seem to be a way to make libnsss_sss use server
> sockets in non-default location at runtime, only at build time. And
> it seems that doing it at runtime would be a security issue.
Why would it be a security issue ?
> That means that we can't include tests involving libnss_sss into
> "make check", as that is not guaranteed to be invoked on a build
> with a special location where the current user can write to.
We can use environment variables to find the socket as long as use
secure_getenv() (which means they will not work when running as a
setuid process, but otherwise will).
The other option is to have a configuration file that libnsss_sss
reads, we haven't gone this route so far as we wanted to avoid adding
file operations to find out sockets, but it wouldn't be very hard to
do if we keep the file format so simple we do not need a file format
parser. But then this would again be a system level setting not per
process, so perhaps the env var route is better for testing anyway.
> This leaves us with being able to run these tests under CI only,
> which can arrange for special configure options and thus locations.
>
> Could there be another way? Am I missing something?
A last option would be to intercept unix socket calls in socket
wrapper too, and redirect them.
Oh forgot another possibility, a chroot environment.
Simo.
--
Simo Sorce * Red Hat, Inc * New York