Colin Walters wrote:
Hi,
I prefer to do all work as my regular user login, because this makes
it easy for components (such as my shell) to integrate with the
desktop.
Currently it seems func out of the box requires uid 0 just to access
the certificates stored in /etc/pki.
Proposed solution here is to use ACLs, since they're simple and don't
require any changes to code.
setfacl -d -R -m 'u:walters:rX' /etc/pki/func/
setfacl -R -m 'u:walters:rX' /etc/pki/func
Other alternatives would be for the certmaster to have an
interface to read certificates, and add say allowed_uids to the config
file. This would in theory allow you to have certificates stored on
one machine, and run func from another. Though I guess in that case
you'd want some way to encrypt your certificates =)
Or maybe there's another solution. The problem isn't specific to func
really, it's more just an instance of "How do I control access to the
system PKI data?", and seeing as that seems to come down to the
filesystem controls, it makes sense to use ACLs.
_______________________________________________
Func-list mailing list
Func-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/func-list
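Added example (not part of the original thread, and not func or certmaster code): the two setfacl commands above set an access ACL and a default ACL, and this Python sketch parses `getfacl -R` output to report what a named user can effectively read once the ACL mask is applied. The sample output and the file name example-key.pem are constructed.

```python
# Constructed `getfacl -R /etc/pki/func` output (owner/group header lines trimmed).
# example-key.pem shows the state after a later `chmod 600`: once a file has an
# ACL, chmod's group bits rewrite the mask, which silently cancels the grant.
SAMPLE = """\
# file: etc/pki/func
user::rwx
user:walters:r-x
group::r-x
mask::r-x
other::---
default:user::rwx
default:user:walters:r-x
default:group::r-x
default:mask::r-x
default:other::---

# file: etc/pki/func/example-key.pem
user::rw-
user:walters:r--\t#effective:---
group::---
mask::---
other::---
"""

def parse_getfacl(text):
    """Return {path: {"access": {...}, "default": {...}}}, entries keyed by (tag, name)."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#effective")[0].strip()  # drop getfacl's trailing hint
        if line.startswith("# file: "):
            current = acls.setdefault(line[8:], {"access": {}, "default": {}})
        elif line and not line.startswith("#") and current is not None:
            kind, parts = "access", line.split(":")
            if parts[0] == "default":  # default entries only affect new files
                kind, parts = "default", parts[1:]
            current[kind][(parts[0], parts[1])] = parts[2]
    return acls

def effective_user_grants(acls):
    """Named-user access entries ANDed with the mask, which is what is enforced."""
    grants = {}
    for path, acl in acls.items():
        mask = acl["access"].get(("mask", ""), "rwx")
        for (tag, who), perms in acl["access"].items():
            if tag == "user" and who:  # skip the owner entry, whose name is empty
                eff = "".join(p if p == m else "-" for p, m in zip(perms, mask))
                grants.setdefault(path, {})[who] = eff
    return grants
```

Feeding it real `getfacl -R` output shows which certificate and key files a non-root account can actually read, which is worth checking after any chmod or package update touches the directory.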
FuncWeb will eventually need a way of running as non-root.
As an aside, we're working on porting func's certmaster to its own
separate project, certmaster.
If you're planning on submitting a patch for ACLs, I'd wait and apply
it there so you don't have to repeat anything.
--Michael