On Wed, Oct 15, 2014 at 06:02:02PM -0400, Simo Sorce wrote:
I am going to send a number of separate replies as I go and read about
the patches.
First on patch 01
On Wed, 15 Oct 2014 22:24:04 +0200
Jakub Hrozek <jhrozek(a)redhat.com> wrote:
> Adds two new options, user and group that are specified in the [sssd]
> section. When these options are specified, SSSD will run as the user
> and group. When these are not specified, SSSD will run as the
> configure-time user and group.
Do we really need to specify both a user and a group ?
In other projects specifying the user and using its primary group is
considered sufficient.
I think allowing to specify both can lead to potential issues if the
user is not member of the specified group.
Unless there is an actual need to specify the group explicitly I would
simplify and allow to specify only the user.
Then I looked at different projects (nslcd, cockpit) :-)
I'm not against only specifying user, that would simplify the code a
bit. I'll change the patch accordingly.
I can't seem to find where sss_user_from_string() is defined, is it in
a previous patch not yet committed to master ?
Yes, sorry:
https://patchwork.acksyn.org/patch/8045/
Now, after stepping back from the code I realize the function is
misnamed as the input can be either a name ('sssd') or a UID in string
form ('123').
In short, the function tries getpwnam its input, then on failure tries
to getpwgid. I think allowing both name or ID is quite common. Also,
this is how specifying users works in both the PAC and IFP responders and
I wanted to reuse the same code.
Why do we need this function when we can call directly getpwnam() ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
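
The "name or UID" lookup discussed in this thread, with the primary group taken from the passwd entry, as an added example that is not part of the original mail and is not SSSD's sss_user_from_string(). The names parse_uid() and resolve_user() are hypothetical; the numeric fallback here uses getpwuid_r().

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Strictly parse a decimal UID: digits only, no sign, no trailing junk,
 * no overflow. (uid_t)-1 is rejected because the setuid-family calls
 * treat it as "leave unchanged". Returns 0 on success, -1 on failure. */
int parse_uid(const char *s, uid_t *out)
{
    char *end = NULL;
    unsigned long long v;
    if (s == NULL || *s < '0' || *s > '9') return -1;
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno != 0 || *end != '\0') return -1;
    if (v >= (unsigned long long)(uid_t)-1) return -1;
    *out = (uid_t)v;
    return 0;
}

/* Hypothetical helper: resolve "name or UID" to a uid plus the account's
 * primary gid. The name lookup goes first, so an account literally named
 * "123" wins over UID 123. Returns 0 on success, -1 if nothing matches. */
int resolve_user(const char *spec, uid_t *uid, gid_t *gid)
{
    struct passwd pw, *res = NULL;
    char buf[16384];
    uid_t id;
    if (spec == NULL || *spec == '\0') return -1;
    if (getpwnam_r(spec, &pw, buf, sizeof(buf), &res) != 0 || res == NULL) {
        if (parse_uid(spec, &id) != 0) return -1;
        if (getpwuid_r(id, &pw, buf, sizeof(buf), &res) != 0 || res == NULL)
            return -1;
    }
    *uid = res->pw_uid;
    *gid = res->pw_gid;   /* primary group comes from the passwd entry */
    return 0;
}

int main(int argc, char **argv)
{
    uid_t uid; gid_t gid;
    const char *spec = argc > 1 ? argv[1] : "root";
    if (resolve_user(spec, &uid, &gid) != 0) { fprintf(stderr, "unknown user: %s\n", spec); return 1; }
    printf("%s -> uid=%lu gid=%lu\n", spec, (unsigned long)uid, (unsigned long)gid);
    return 0;
}
```

Because the gid always comes from the same passwd entry as the uid, a user-only option cannot end up with a user that is not a member of the configured group.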