-
Notifications
You must be signed in to change notification settings - Fork 252
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve ability to run under non-root user; revoke unneeded capabilities; run under 'sssd' starting F41 by default. #7193
Conversation
An overview of relevant build/configuration options/combinations. (I) Built
(II) Built (1) sssd.service::User=sssd -- this is a default and a recommended configuration (starting f41/c10s)
(2) sssd.service::User=root (2.1) sssd.conf::user not set
(2.2) sssd.conf::user=sssd
|
Now about testing of all those different combinations. CI of this PR itself covers (I) (everything besides f41 and centos-9) and (II.1) (f-41 and centos-9) #7195 covers (II.2.1) - almost all tests on f-41 and centos-9 and (II.2.2) - core subset of system tests on f-41 and centos-9 (see c4e8094). Other platforms can be ignored in this PR as it doesn't bring anything new. |
A note that there is currently some discrepancy between centos-9 configuration in this PR and a real/projected centos-9 config. This PR configures centos-9 with |
e7fb9b6
to
297a5ce
Compare
#7195 helped to discover a couple of missing bits:
Now all CI tests are green in both PRs. |
297a5ce
to
39f9a90
Compare
Rebased and added a patch to |
39f9a90
to
3a0d604
Compare
Rebased. |
3a0d604
to
a4bf7ab
Compare
Some PRCI jobs use configure sssd with this action, does |
a4bf7ab
to
7cafc57
Compare
Added (and rebased). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ack, thank you.
This will also allow to use "SecureBits=noroot" in sssd.service
in sssd.service to avoid processes gaining all capabilities from bounding set during execv() with uid=0/gid=0 (so that, for example, 'sssd_be' runs without capabilities even if "User=root")
so that SSSD built --with-sssd-user=sssd but run under 'root' can get to sssd.conf without capabilities (using "SupplementaryGroups=sssd") sssd.conf still needs to be chown'ed to 'root:root' manually in this case.
For a real device this is handled by udev rule that makes device readable by SSSD. This rule doesn't work with mocked device.
387e666
to
0981e0c
Compare
(rebase) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi,
thank you very much for your persistence and patience on this task, ACK.
bye,
Sumit
Pushed PR: #7193
|
Hi @sumit-bose,
This "touch" is done in two functions: What is the reason for (1)? It looks like
I tried to follow code logic to figure out when functions (1) and (2) are executed. |
Hi, yes, currently it is not expected that the settings written by
Yes, ti happens during startup and when updating the information about subdomains. I would not couple this with getting the TGT because during ipa/ad_subdomains_handler_send() you already have a TGT. bye, |
Practically that's already (almost) the case: it's either
@sumit-bose, what calls |
Hi, nothing, this has to be added if one of those helpers should do the touch. bye, |
So a new (sync) command like we did to iterate keytab? |
tl,dr brief overview of changes:
For more lengthy and more "user facing" text see commit message of:
sssd.service: run under SSSD_USER by default
-- this will be a basis for a release note.
There are a number of known issues remains to address:
SSSDDomain::write() should chown sssd.conf to sssd.service::User, so that ipa-client-install would create sssd.conf readable by SSSD(now included in this PR)sss_krb5_touch_config()
fails being called by 'sssd_be' viasss_write_domain_mappings()
orsss_write_krb5_conf_snippet()
Above stuff should be addressed before sssd-2.10 release, but this work has been brewing for too long already.
I think it's in a good enough shape for a review.
(plus see additional comments below)