Re: [rfc] mass package change to introduce sysusers.d configs

On Sat, 25 Jan 2025, Richard W.M. Jones wrote:
> On Sat, Jan 25, 2025 at 11:06:43AM +0200, Alexander Bokovoy wrote:
>> On Sat, 25 Jan 2025, Zbigniew Jędrzejewski-Szmek wrote:
>>> On Fri, Jan 24, 2025 at 01:25:18PM -0300, Rafael Jeffman wrote:
>>>> Some of these packages might have the same issue as
>>>> softhsm/opendnssec as they use the same user, but,
>>>> currently user GECOS is different on both packages,
>>>> causing systemd-sysusers to fail (or warn).
>>>
>>> This is a preexisting bug in softhsm and opendnssec. In fact, it might
>>> be a security issue, since two services will run under the same user.
>>> I'm not familiar with those packages, but in general there are two
>>> options:
>>> - if the user shall be shared, let one of the packages define the user
>>>   and have the other package add Requires:user(…).
>>> - if the user shall not be shared, use a different user name in one
>>>   or both packages.
>>
>> OpenDNSSEC and SoftHSM are coupled. SoftHSM's primary function is to be
>> used as the certificate store for OpenDNSSEC, which is why its default
>> data store is defined to be used by the 'ods' user.
>
> Sorry if I'm missing something obvious, but shouldn't they use a
> different user but a common group?

Yes, that's what we do when using OpenDNSSEC within the BIND integration.
And we had to go to great lengths to make it work for the three
components involved (OpenDNSSEC, BIND, and FreeIPA's LDAP synchronizer).

However, the default SoftHSM datastore itself is not used by anything else
but OpenDNSSEC. It is a bit awkward in itself: the only other package
depending on it (ocicrypt, used by Moby/containerd) does not rely on
the default datastore but rather uses softhsm for testing purposes.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
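A small check for the failure mode Rafael describes, as an added example that is not code from the thread or from either package: it scans sysusers.d fragments for a user name declared twice with differing fields, and contrasts the broken pair (one shared 'ods' user with two GECOS strings) with the layout Richard suggests (distinct users, one shared group). The fragment file names and sample lines are constructed; the `Requires: group(ods)` remark follows the `Requires:user(…)` pattern Zbigniew mentions.

```shell
#!/bin/sh
# Added example (not from the thread or either package): flag two sysusers.d fragments
# that declare the same user name with different fields (GECOS, home), the situation
# Rafael reports for softhsm/opendnssec that makes systemd-sysusers warn or fail.
# File names and sample lines below are constructed for this example.

# check_sysusers_conflicts FILE...: print every user defined more than once with
# differing fields; return 1 if any conflict was found, 0 otherwise.
check_sysusers_conflicts() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        $1 == "u" {                          # only "u" (user) lines matter here
            name = $2; $1 = ""; $2 = ""
            def = $0; sub(/^[ \t]+/, "", def) # remaining fields: id, GECOS, home, shell
            if (!(name in seen)) { seen[name] = def; where[name] = FILENAME }
            else if (seen[name] != def) {
                printf "conflict: user %s\n  %s: %s\n  %s: %s\n", name, where[name], seen[name], FILENAME, def
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }' "$@"
}

# write_samples DIR: the broken pair (one shared "ods" user, two GECOS strings) next to
# the corrected pair (distinct users sharing the "ods" group, as Richard suggests; the
# softhsm spec would then carry "Requires: group(ods)" so the group exists first).
write_samples() {
    cat > "$1/softhsm.conf" <<'EOF'
u ods - "SoftHSM user" /var/lib/softhsm
EOF
    cat > "$1/opendnssec.conf" <<'EOF'
u ods - "OpenDNSSEC user" /var/lib/opendnssec
EOF
    cat > "$1/fixed-opendnssec.conf" <<'EOF'
g ods -
u ods - "OpenDNSSEC user" /var/lib/opendnssec
EOF
    cat > "$1/fixed-softhsm.conf" <<'EOF'
u softhsm - "SoftHSM user" /var/lib/softhsm
m softhsm ods
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
check_sysusers_conflicts "$dir/softhsm.conf" "$dir/opendnssec.conf" || echo "broken pair: conflict found"
check_sysusers_conflicts "$dir/fixed-opendnssec.conf" "$dir/fixed-softhsm.conf" && echo "corrected pair: ok"
rm -rf "$dir"
```

systemd-sysusers processes fragments in sorted file-name order, so the fragment that creates the shared group must sort before the one whose `m` line joins it, which the `Requires: group(...)` dependency also guarantees at install time.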



