Re: systemd unit access to /etc/shadow

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sa, 23.11.24 02:40, Jesse Crawford (jesse@xxxxxxxxxxxxx) wrote:

(2nd offlist reply)

> Is there a best practice, or any advice, for giving a service the
> ability to read /etc/shadow? I am not worried about the selinux part
> because I know how to handle that, but I'm not so sure about the
> actual file permissions. ACL maybe?

BTW, unrelated to your specific question: I was wondering if you had a
look at this stuff:

https://systemd.io/USER_GROUP_API/

And maybe would be interested to hook up kanidm to that? Basically, on
systemd systems you can then have rich user records that can carry
any fields you want, and systemd's components (such as systemd-logind)
will enforce a bunch of them, that previously weren't available.

I was also wondering: in systemd we try to clean up the mess we are
currently in regarding UID range allocation, and documented clearly
what the expectations are that systemd has on this. Hence I was
wondering, from which UID range does kanidm allocate the UIDs it
assigns? Can we come to some agreement on this so that for each
purpose we have clearly separated UID ranges and we don't step on each
others toes? (I am basically talking about this stuff:
https://systemd.io/UIDS-GIDS/)

Background: IPA folks are very negative about all this, I think they
kinda are offended by the fact we are trying to clean these things
up. They really insist that IPA/SSSS owns the whole UID range, and
they define the Linux user database, which um, is not how I see
things, I'd rather have a more pluralistic view, that we agree on
rules, and everyone can have their UID range without conflicts (at
least in future, I am fully aware that legacy installations allocate
from all kind of ranges).

Anyway, if you are interested in working with us on this, would be
happy to!

For example, if you think that exposing JSON user group records via
said API would be an option for kanidm, then I'd be happy to add the
fields you need to the spec (i.e. this spec:
https://systemd.io/USER_RECORD/)

Lennart

--
Lennart Poettering, Berlin
-- 
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux