Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The same as #7042 but with "--sssd-user=sssd" and forced 'sssd.conf::user=sssd' by default for 'system' tests #7044

Closed
wants to merge 16 commits into from
Closed

The same as #7042 but with "--sssd-user=sssd" and forced 'sssd.conf::user=sssd' by default for 'system' tests #7044

wants to merge 16 commits into from

Conversation

alexey-tikhonov
Copy link
Member

No description provided.

@alexey-tikhonov alexey-tikhonov changed the title The same as #7042 but with "--sssd-user=sssd" The same as #7042 but with "--sssd-user=sssd" and forced 'sssd.conf::user=sssd' by default for 'system' tests Nov 28, 2023
@alexey-tikhonov alexey-tikhonov mentioned this pull request Nov 28, 2023
Closed
@alexey-tikhonov
CLIENT: move all socket paths checks to a single function
9a1ca5b
@alexey-tikhonov
CLIENT: remove check for rw-rw-rw-
3675a11 
as it doesn't make much sense anyway.
@alexey-tikhonov
KRB5: a comment to explain the need for explicit `sss_pac_check_and_o…
648b1e6 
…pen()`
@alexey-tikhonov
CLIENT: reduce code duplication
b9d27a4
@alexey-tikhonov
CLIENT: add an optional check of server credentials
b4df367 
to `sss_cli_make_request_with_checks()`

This requires to make sure 'sss_sssd_*id' are initialized in
`check_server_cred()`
@alexey-tikhonov
CLIENT: reduce code duplication
65162f5
@alexey-tikhonov
CLIENT: SUDO: force check of server credentials
5e7f12b 
as a general hardening
@alexey-tikhonov
CLIENT: move sudo/autofs/ssh related code
61ee3c8 
out of common module
@alexey-tikhonov
SUDO: refuse to serve clients running under non-root
9c038c4
@alexey-tikhonov
SUDO: make 'sssd_sudo' socket sssd:sssd owned
9e244f3 
The only intended client of 'sssd_sudo' is 'sudo' that is suid
binary and thus still can access socket.
But if for whatever reason it's undesirable to make 'sudo' use
its CAP_DAC_OVERRIDE capability then socket mode can be changed
to rw-rw-rw -- previous patch will restrict access to the socket
for root only.

The reason for this change is to avoid the need for CAP_CHOWN for
SSSD itself.
@alexey-tikhonov
PAM: no need in root:root owned socket
67a04fd 
since 1451c6e
@alexey-tikhonov
RESPONDER: remove support for custom pipe_fd
4c13b99 
from `sss_process_init()` as it's not used anymore
@alexey-tikhonov
SUDO: don't overwrite major error code with minor one
37311f9 
The latter can be zero (example: socket closed during
`sss_cli_recv_rep()`)
@alexey-tikhonov
CLIENT: fixed a mistype in check_socket_cred()
8bd5277
@alexey-tikhonov
SPEC: build Fedora >= 38 package with sssd user support
36b10f9
@alexey-tikhonov
Run system tests with 'user = sssd' as a default
8fe7e5a
@alexey-tikhonov
Copy link
Member Author

tests/test_passkey.py doesn't work when SSSD run under non-root because of the way device is mocked.

@alexey-tikhonov
Copy link
Member Author

centos-8 doesn't have HAVE_PTHREAD_EXT support and isn't expected to run sssd-2.10+ code anyway.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@alexey-tikhonov