Hello all, I package kanidm for Fedora in a COPR for my own use. kanidm is an identity management solution. In the most recent version, the kanidm-unixd client was enhanced to be able to perform authentication against the system files as well. This has various advantages (e.g. ability to annotate local accounts with data from the user directory), but it poses a packaging difficulty: that means that kanidm-unixd wants to read the /etc/shadow. kanidm-unixd runs as a systemd service, as you would imagine. On OpenSUSE where kanidm is mainly developed, that service has 'shadow' in its SupplementaryGroups to allow it to read /etc/shadow and /etc/gshadow. On Fedora, the 'shadow' group doesn't exist, and /etc/shadow is owned root:root with 0000 permissions. This leaves me without any obvious way to give a systemd service the ability to read /etc/shadow. I can imagine this is not a situation that comes up very often, but hopefully once or twice. Is there a best practice, or any advice, for giving a service the ability to read /etc/shadow? I am not worried about the selinux part because I know how to handle that, but I'm not so sure about the actual file permissions. ACL maybe? Thanks! jc -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
