Alexey A Tikhonov

Results 15 comments of Alexey A Tikhonov

`passkey_child` doesn't (shouldn't) have the SUID bit (or any other file caps) set. It's executed by other SSSD processes that are run under the configured user (either 'root' or 'sssd').

> So the most obvious thing to do would be to run `umockdev-run` as user `sssd`

Would it work the other way round: run `umockdev-run` as user `sssd` but `passkey_child` as...

Meanwhile we realized that *real* tokens are (also) not accessible by non-privileged users. For this reason the following udev rule was added to the sssd-passkey package: https://github.com/SSSD/sssd/blob/master/contrib/90-sssd-token-access.rules.in But looks like it...

> Sure, a root process has no trouble accessing files owned by any user. (Unless it drops CAP_DAC_OVERRIDE)

It does drop all capabilities. This is how 'umockdev-run' is executed: https://github.com/SSSD/sssd-test-framework/blob/ff10c0fd5ed949ad426a2c9b5c3d47ac611643f8/sssd_test_framework/utils/authentication.py#L352...

> 'run_su' script has 'chmod -R a+rwx $UMOCKDEV_DIR': https://github.com/SSSD/sssd-test-framework/blob/ff10c0fd5ed949ad426a2c9b5c3d47ac611643f8/sssd_test_framework/utils/authentication.py#L341C17-L341C45
>
> But this doesn't help for some reason...

Ah, of course, it doesn't help because this is a source dir,...

> So the most obvious thing to do would be to run `umockdev-run` as user `sssd`

@martinpitt, how will `umockdev-run` create a file under /dev/ then?

@martinpitt, is it possible to make the following udev rule work with 'umockdev-run':

```
# cat ./usr/lib/udev/rules.d/90-sssd-token-access.rules
# this udev file should be used with udev 188 and newer
ACTION!="add|change", GOTO="sssd_end"...
```

I tried both 'runuser' and 'setpriv' without luck so far.

@martinpitt,

```
Usage: umockdev-run [OPTION?] -- program [args..]
```

-- by the moment 'umockdev-run' starts execution of 'program', is the mocked device file already available? In our case 'program' is a...

v 4.14.16. The same or similar crash on Xubuntu 22.04.3, randomly and often (no special action like "save a file" is required, just while reading a chat):

```
Scudo ERROR:...
```