Bug 1322167

Summary: [rfe] Systemd ask password clients must be run as root: should be a group to allow access
Product: Red Hat Enterprise Linux 7 Reporter: wibrown <wibrown>
Component: systemdAssignee: systemd-maint
Status: CLOSED WONTFIX QA Contact: qe-baseos-daemons
Severity: high Docs Contact:
Priority: high    
Version: 7.2CC: jsynacek, lnykryn, nhosoi, systemd-maint-list
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-03-04 08:26:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1316580    

Description wibrown@redhat.com 2016-03-29 23:47:09 UTC 
Description of problem:
Systemd's ask password api for clients requires the client requesting a password to be root:

# ls -al /var/run/systemd/ask-password
total 0
drwxr-xr-x.  2 root root  40 Mar 29 15:33 .
drwxr-xr-x. 17 root root 380 Mar 29 16:19 ..

Due to the design of other applications with privilege isolation and dropping mechanisms, it can be difficult to re-architect these to request passwords as root: If anything it would be bad form.

I would like to ask that systemd creates a systemd-ask-password group for clients able to request passwords. They should be able to write to the directory /var/run/systemd/ask-password, but only root should be able to respond to the requests (Which is enforced in a number of ways already)

This would significantly improve the utility of this api: And it's required for us (Directory Server) to integrate properly with systemd-ask-password.

Thanks for your help,
Comment 2 Noriko Hosoi 2016-04-12 22:51:16 UTC 
Hello,

Red Hat Directory Server has bug 1316580 which is depending upon this bug.

Currently, we have to ask the customers to run this every time the system is restarted to support the functionality, which is not acceptable.

  1) using systemctl
  # setfacl -m g:dirsrv:rwx /var/run/systemd/ask-password
    <== This is needed unless bz 1322167 is taken care by the systemd team.
  (See https://bugzilla.redhat.com/show_bug.cgi?id=1316580#c4)

Could you please fix this issue as described in #c0 or give us an advice to solve it in the better way than running setfacl?

Thanks.
Comment 3 Lukáš Nykrýn 2016-04-13 08:20:14 UTC 
I am not sure if this is a good idea. But anyway, upstream first:
https://github.com/systemd/systemd/issues/3027
Comment 4 Noriko Hosoi 2016-04-13 16:23:28 UTC 
Thank you for giving us the right direction, Lukáš!

#3027 has a pointer to this ticket [1], which has an interesting note:

poettering commented on Sep 18, 2015
I figure we should rework this to be based on the kernel keyring, and then support this at the same time.

* User bus breaks kernel "session" keyrings #1299 -- Closed
* RFE: extend Password Agents to user instances of systemd #2217 -- Closed
* [RFE] Systemd ask password clients must be run as root: should be a group to allow access #3027 -- Open <== Our goal.

So, it seems the kernel side tasks are done and this issue is ready to work on?

[1] https://github.com/systemd/systemd/issues/1232
Please let non-root users ask for passwords
Comment 8 Jan Synacek 2017-08-28 10:24:44 UTC 
(In reply to Lukáš Nykrýn from comment #3)
> I am not sure if this is a good idea. But anyway, upstream first:
> https://github.com/systemd/systemd/issues/3027

Why not?

By the way, the upstream issue talks about implementation that uses the kernel keyring, which IMO is irrelevant to who owns /var/run/systemd/ask-password/.
Comment 9 Jan Synacek 2019-03-04 08:26:55 UTC 
The upstream issue got stale and nobody really seems to care, plus this RFE is not RHEL-7 material any more.