A bunch of assorted patches related to socket activation feature (part 1) #6873
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
alexey-tikhonov
force-pushed
the
socket-activation
branch
6 times, most recently
from
f8a6f20
to
b1b755f
Compare
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
alexey-tikhonov
force-pushed
the
socket-activation
branch
from
7515d28
to
e9c6852
Compare
alexey-tikhonov
force-pushed
the
socket-activation
branch
from
e9c6852
to
0e428ed
Compare
alexey-tikhonov
force-pushed
the
socket-activation
branch
from
0e428ed
to
53c49f5
Compare
alexey-tikhonov
force-pushed
the
socket-activation
branch
from
53c49f5
to
7a17b5e
Compare
alexey-tikhonov
force-pushed
the
socket-activation
branch
from
79c60c8
to
f4454d2
Compare
alexey-tikhonov
force-pushed
the
socket-activation
branch
from
f4454d2
to
5d15802
Compare
alexey-tikhonov
force-pushed
the
socket-activation
branch
from
5d15802
to
c855197
Compare
alexey-tikhonov
force-pushed
the
socket-activation
branch
from
49a02e9
to
691d413
Compare
sumit-bose
approved these changes
Aug 31, 2023
justin-stephenson
approved these changes
Aug 31, 2023
pbrezina
requested changes
Sep 4, 2023
I meant to denote both |
Code makes no difference handling '--socket-activated' and '--dbus-activated', it only makes things more obscure. Moreover, on a systemd enabled system, dbus activation actually starts systemd service anyway, so there is really no big difference.
since implicit files provider can't be enabled by default anymore. Resolves: SSSD#5022
This patch removes capabilities that aren't needed at all. Some (if not all) of remaining capabilities can be probably avoided with proper code changes, but currently those are needed. Examples (not limiting) of those caps usage: - CAP_DAC_OVERRIDE (@additional_caps@): access to /var/log/sssd, to /var/lib/sss/pipes/private/* (sssd:sssd owned sbus-monitor/dp sbus sockets) - CAP_CHOWN: `chown_debug_file()` in case of monitor activation - CAP_SETUID/CAP_SETGID: drop privs in case of monitor activation, switch_creds (in particular, sssd_kcm executing krb5_child for ticket renewal) - CAP_FOWNER: chmod(mem-cache) It's not that clear about 'CAP_KILL'. When 'sssd_be' terminates child process, it either still runs under root (so uid matches and no caps needed) or it dropped privs already and have lost CAP_KILL anyway. Another thing is 'monitor' signalling responders and providers that could be running under 'sssd' while 'monitor' itself runs under 'root'.
This allows to remove CAP_FOWNER.
'PermissionsStartOnly' is deprecated but used for consistency with other unit files.
alexey-tikhonov
force-pushed
the
socket-activation
branch
from
9732dd3
to
944a633
Compare
Done. |
Ah, I did not get that :-) |
pbrezina
approved these changes
Sep 5, 2023
pbrezina
added
Accepted
Ready to push
|
Pushed PR: #6873
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.