goraxe | ion: I have updated my branch to meet your review comments | 00:30 |
---|---|---|
ion | Great, thanks | 00:30 |
goraxe | do you think this is a feature that's likely to get merged? | 00:31 |
ion | There’s definitely demand for that, and it would be nice to have while full PAM support is still in TODO. The change isn’t invasive either. Ultimately it’s up to Keybuk, though. | 00:36 |
goraxe | coll thanks | 00:37 |
goraxe | doh | 00:37 |
goraxe | *cool | 00:37 |
ion | There are still some function calls in the “foo()” style instead of “foo ()”. Oh, and the first instance of JOB_PROCESS_ERROR_SETUID is probably a typo, it should be _USER I guess. | 00:37 |
goraxe | space between function (parms)? | 00:37 |
ion | Yeah, that’s the coding style in Upstart. | 00:37 |
Keybuk | ion: "for that" ? | 00:37 |
ion | keybuk: For setuid support in jobs. https://code.edge.launchpad.net/~goraxe/upstart/user_sid/+merge/31905 | 00:38 |
Keybuk | randomly quick comments | 00:39 |
Keybuk | "user" should be "uid" (since it's set uid, not PAM user support) | 00:39 |
Keybuk | should support "uid 1000" as well as "uid messagebus" | 00:39 |
Keybuk | setgid? initgroups? | 00:39 |
goraxe | user -> uid sure can do, setgid yep, spotting uid \d vs \w ... may need some advice, initgroups guessing that sets up non primary group membership? | 00:42 |
Keybuk | all group membership in fact | 00:43 |
Keybuk | if you just setuid() like that, it'll still be gid 0 | 00:43 |
Keybuk | which may have surprising consequences permissions-wise | 00:43 |
goraxe | yep can see that | 00:43 |
Keybuk | hmm, actually, can't remember whether initgroups sets the primary group or not ;) | 00:45 |
goraxe | I will check the manpage for usage | 00:46 |
ion | The man page only seems to talk about the supplementary group list. | 00:46 |
goraxe | ta | 00:46 |
goraxe | :-) | 00:46 |
Keybuk | you may need to setgid (user->pw_gid) as well | 00:47 |
Keybuk | in which case, definitely add a "gid" support in too | 00:47 |
goraxe | if gid not set use ->pw_gid ? | 00:47 |
goraxe | should uid and gid be looked up at parse time instead of job spawn time? | 00:50 |
Keybuk | exactly | 00:50 |
Keybuk | hmm | 00:50 |
Keybuk | looking up user and group ids is complex | 00:50 |
Keybuk | at parse time is when init starts, you almost certainly don't have nsswitch by then ;-) | 00:51 |
Keybuk | LDAP, Kerberos, etc. won't be up | 00:51 |
Keybuk | (no network, for a start!) | 00:51 |
Keybuk | one bright side of doing this in job_process is that it's also done in a child, so any issues just prevent spawning, rather than holding up or crapping up the init daemon | 00:51 |
Keybuk | sure you get no caching, but then setuid isn't really common enough to cache | 00:52 |
Keybuk | certainly if any two services spawned *share* a uid (benefit to caching) they're probably doing it wrong from a security POV | 00:52 |
goraxe | my use case for this is entirely for local user services, and we have a LDAP/kerberos env | 00:53 |
goraxe | basically we have started using exec su <user> -c <command> ... which i think is quite ugly ... | 00:54 |
Keybuk | yeah, su gives you a PAM session though | 00:54 |
Keybuk | which may be what you want | 00:54 |
goraxe | hmm ... you may have a point ... I think for our trivial cases we just want to spawn daemons at startup keep em running if they crash, and do some basic priv dropping | 00:56 |
goraxe | ie this would be a good start, but I agree would not cover all cases | 00:56 |
goraxe | how much of the pam stuff have you got scoped out? | 00:56 |
Keybuk | the PAM stuff is easy | 00:57 |
Keybuk | thinking about how a user of the same uid would restart a service - that's hard :) | 00:57 |
Keybuk | the "uid"/"gid" stuff is just a property of a system service in this case, so just required someone to care enough to implement it | 00:57 |
Keybuk | I've no problem with applying it into the next 0.6 release once it's ready | 00:57 |
goraxe | cool, thanks | 00:58 |
goraxe | on that note I really should call it a night | 01:00 |
sacarde | hi | 12:28 |
morgan__ | hello there, i was wondering if there is any list of integrated upstart signals such as "start on net-device-added" or "start on filesystem" available ? | 18:41 |
=== Md_ is now known as Md | ||
goraxe | ion, Keybuk: I have done some more work to change to uid & gid stanza | 23:44 |
goraxe | I'm having a bit of a problem with initgroups though | 23:45 |
goraxe | it seems to only work if the process is running as root, even chmod +s on the file did not give it enough perms | 23:49 |
goraxe | the file being test_job_process | 23:49 |