Re: uid > 0 func usage

Michael DeHaan wrote:
Colin Walters wrote:
Hi,

I prefer to do all work as my regular user login, because this makes
it easy for components (such as my shell) to integrate with the
desktop.
Currently it seems func out of the box requires uid 0 just to access
the certificates stored in /etc/pki.

Proposed solution here is to use ACLs, since they're simple and don't
require any changes to code.
setfacl -d -R -m 'u:walters:rX' /etc/pki/func/
setfacl -R -m 'u:walters:rX' /etc/pki/func

Another alternative would be for certmaster to have an
interface to read certificates, and to add, say, allowed_uids to the config
file.  This would in theory allow you to have certificates stored on
one machine, and run func from another.  Though I guess in that case
you'd want some way to encrypt your certificates =)

Or maybe there's another solution.  The problem isn't specific to func
really, it's more just an instance of "How do I control access to the
system PKI data?", and seeing as that seems to come down to the
filesystem controls, it makes sense to use ACLs.

_______________________________________________
Func-list mailing list
Func-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/func-list

FuncWeb will eventually need a way of running as non-root.

As an aside, we're working on porting func's certmaster to its own separate project,
certmaster.

If you're planning on submitting a patch for ACLs, I'd wait and apply it there so you don't have
to repeat anything.

--Michael


BTW, we talked about this some a week or so ago ... the ACL solution seems to be a good one.

Are we sure no code changes are relevant?   I can't think of any offhand.

If not, we can probably go ahead and document this on the Wiki.

--Michael
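The two setfacl lines above are the whole of the proposed fix, so the thing a practitioner wants next is a way to apply them and confirm they did what was intended: that the user gets read on the certificates, that files certmaster writes later inherit the entry through the default ACL, and that nothing in the tree that the user does not need (a CA signing key, for instance) was handed over along with it. The script below is an added example written for this page; it is not from the thread or from func/certmaster. It assumes the acl package (setfacl/getfacl) is installed and the filesystem supports POSIX ACLs; the directory layout, the user name and the CA key path are placeholders, since the thread does not describe func's PKI layout.

```shell
#!/bin/sh
# Added example (not from the func-list thread or from func itself):
# grant one unprivileged user read access to a func-style PKI tree with
# POSIX ACLs, verify the grant, and pull the entry back off a file the
# user has no business reading. PKI_DIR, the user and the key path are
# placeholders for illustration.

# grant_pki_read USER DIR
#   -d sets the default ACL, so files certmaster creates later inherit
#      the entry; the second call covers what already exists.
#   rX = read, plus traverse on directories only (capital X), so
#      certificate files do not pick up an execute bit.
grant_pki_read() {
    user="$1"; dir="$2"
    setfacl -d -R -m "u:$user:rX" "$dir" || return 1
    setfacl -R -m "u:$user:rX" "$dir"
}

# deny_file USER FILE
#   Remove the named-user entry again from one file and tighten its
#   mode. Note: if the file is regenerated inside a directory carrying
#   the default ACL, the new copy inherits the read entry, so re-run
#   this after any key rotation.
deny_file() {
    user="$1"; file="$2"
    setfacl -x "u:$user" "$file" && chmod 600 "$file"
}

# user_acl_perms USER PATH
#   Print the permissions USER actually gets on PATH from its access
#   ACL ("r-x", "r--", ...). getfacl appends "#effective:..." when the
#   mask entry cuts an entry down, and the effective value is what
#   the kernel enforces, so prefer it when present. Prints nothing if
#   the user has no entry. Default (inherited) entries are skipped:
#   they are prefixed "default:" and do not grant anything themselves.
user_acl_perms() {
    user="$1"; path="$2"
    getfacl -c "$path" 2>/dev/null |
        awk -v u="$user" '
            {
                split($1, f, ":")            # $1 is "user:NAME:perms"
                if (f[1] != "user" || f[2] != u) next
                p = f[3]
                for (i = 2; i <= NF; i++)
                    if (index($i, "#effective:") == 1) p = substr($i, 12)
                print p
            }'
}

# Example run against a throwaway tree (constructed here, not a real
# func install); adjust the paths and user for a real system.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/func/ca" "$t/func/minion"
    printf 'cert' > "$t/func/minion/minion.cert"
    printf 'key'  > "$t/func/ca/ca.key"
    grant_pki_read 4242 "$t/func"                 # 4242: placeholder uid
    deny_file 4242 "$t/func/ca/ca.key"            # user needs certs, not the CA key
    printf 'new' > "$t/func/minion/later.cert"    # inherits via default ACL
    echo "dir:    $(user_acl_perms 4242 "$t/func")"
    echo "cert:   $(user_acl_perms 4242 "$t/func/minion/minion.cert")"
    echo "new:    $(user_acl_perms 4242 "$t/func/minion/later.cert")"
    echo "ca.key: '$(user_acl_perms 4242 "$t/func/ca/ca.key")'"
    rm -rf "$t"
}
```

On a real host the check to repeat after every certmaster key regeneration is the last one: getfacl on any private key the user should not hold must show no entry for that user. The ACL mask is also worth a look (getfacl prints it as `mask::`), because it silently caps every named-user entry, which is why the helper reports the effective value rather than the entry as written.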

