From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 24 Feb 2018 09:18:20 -0500
Subject: [refpolicy] [PATCH] misc dbus patches
In-Reply-To: <20180223072510.GA3931@julius.enp8s0.d30>
References: <20180213003649.GA17327@xev> <2087459.qDY3ImaCar@liv> <20180223072510.GA3931@julius.enp8s0.d30>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/23/2018 02:25 AM, Dominick Grift via refpolicy wrote:
> On Fri, Feb 23, 2018 at 03:53:01PM +1100, Russell Coker via refpolicy wrote:
>> On Friday, 16 February 2018 8:57:48 AM AEDT Chris PeBenito wrote:
>>> On 02/12/2018 07:36 PM, Russell Coker via refpolicy wrote:
>>>> Here is a collection of dbus policy patches, all fairly simple.
>>>>
>>>> Chris please merge the ones you like and we can discuss any you don't like
>>>> afterwards.
>>>
>>> I merged everything except for the user/groupadd ones, which need
>>> explanation: what are they doing with dbus exactly?
>>
>> sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="l\1\0\1\t
>> \0\0\0\2\0\0\0\247\0\0\0\1\1o\0\31\0\0\0/org/freedesktop/
>> systemd1\0\0\0\0\0\0\0\3\1s\0\27\0\0\0LookupDynamicUserByName\0\2\1s\0
>> \0\0\0org.freedesktop.systemd1.Manager\0\0\0\0\0\0\0\0\6\1s
>> \0\30\0\0\0org.freedesktop.systemd1\0\0\0\0\0\0\0\0\10\1g\0\1s\0\0",
>> iov_len=184}, {iov_base="\4\0\0\0zzz2\0", iov_len=9}], msg_iovlen=2,
>> msg_controllen=0, msg_flags=0}, MSG_DONTWAIT|MSG_NOSIGNAL) = 193
>>
>> The above is from a strace of "groupadd zzz2". It is sending a message to
>> systemd to lookup dynamic users. I can't find where in the groupadd code it
>> does this though. I checked the pam configuration and that doesn't appear to
>> have it.
>
> this is nss_systemd. it is an optional systemd nss module.
>
> from that perspective one might consider adding it to auth_use_nsswitch()

That does make sense. It does additionally bring up how big that interface is
getting. Perhaps it should be split up, maybe by the nsswitch database
(passwd, hosts, networks, etc.)

--
Chris PeBenito
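
Added example, not part of the original message or of refpolicy: a small decoder for the D-Bus method call captured in the quoted strace, showing which destination, interface and member the groupadd process contacts, and so which dbus access the policy has to account for. The byte strings are reassembled from the wrapped strace lines; it is an assumption that the wrap after "\2\1s\0" swallowed a space, which is the length byte (32) of the interface name.

```python
import struct

# Constructed input: the two iov_base strings from the quoted strace, with the
# mail line wraps removed. Assumption: the wrap after "\2\1s\0" swallowed a
# space, which is the length byte (0x20 = 32) of the interface name.
HEADER = (b"l\1\0\1\t\0\0\0\2\0\0\0\247\0\0\0"
          b"\1\1o\0\31\0\0\0/org/freedesktop/systemd1\0\0\0\0\0\0\0"
          b"\3\1s\0\27\0\0\0LookupDynamicUserByName\0"
          b"\2\1s\0 \0\0\0org.freedesktop.systemd1.Manager\0\0\0\0\0\0\0\0"
          b"\6\1s\0\30\0\0\0org.freedesktop.systemd1\0\0\0\0\0\0\0\0"
          b"\10\1g\0\1s\0\0")
BODY = b"\4\0\0\0zzz2\0"

FIELDS = {1: "path", 2: "interface", 3: "member", 6: "destination", 8: "signature"}
TYPES = {1: "method_call", 2: "method_return", 3: "error", 4: "signal"}

def parse_dbus_call(header: bytes, body: bytes) -> dict:
    """Decode the fixed header, the header-field array and a single-string body."""
    if header[:1] not in (b"l", b"B"):
        raise ValueError("not a D-Bus message")
    e = "<" if header[:1] == b"l" else ">"        # 'l' little endian, 'B' big endian
    mtype, _flags, version, body_len, serial, arr_len = struct.unpack_from(e + "BBBIII", header, 1)
    if version != 1 or 16 + arr_len > len(header) or body_len != len(body):
        raise ValueError("malformed or truncated message")
    msg = {"type": TYPES.get(mtype, mtype), "serial": serial}
    pos, end = 16, 16 + arr_len
    while pos < end:
        pos = (pos + 7) & ~7                      # each field struct is 8-byte aligned
        code, sig_len = header[pos], header[pos + 1]
        sig = header[pos + 2:pos + 2 + sig_len].decode()
        pos += 3 + sig_len                        # code, sig length, sig, NUL
        if sig in ("s", "o"):                     # uint32 length + text + NUL
            pos = (pos + 3) & ~3
            (n,) = struct.unpack_from(e + "I", header, pos)
            pos += 4
        elif sig == "g":                          # uint8 length + signature + NUL
            n = header[pos]
            pos += 1
        else:
            raise ValueError(f"unhandled field type {sig!r}")
        msg[FIELDS.get(code, code)] = header[pos:pos + n].decode()
        pos += n + 1
    if msg.get("signature") == "s":               # body is one string argument
        (n,) = struct.unpack_from(e + "I", body, 0)
        msg["args"] = [body[4:4 + n].decode()]
    return msg

if __name__ == "__main__":
    print(parse_dbus_call(HEADER, BODY))
```

The reassembled header is 184 bytes and the body 9, matching the iov_len values in the strace.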