Description of problem:
Systemd's ask password api for clients requires the client requesting a password to be root:
# ls -al /var/run/systemd/ask-password
drwxr-xr-x. 2 root root 40 Mar 29 15:33 .
drwxr-xr-x. 17 root root 380 Mar 29 16:19 ..
Due to the design of other applications with privilege isolation and dropping mechanisms, it can be difficult to re-architect these to request passwords as root: If anything it would be bad form.
I would like to ask that systemd creates a systemd-ask-password group for clients able to request passwords. They should be able to write to the directory /var/run/systemd/ask-password, but only root should be able to respond to the requests (Which is enforced in a number of ways already)
This would significantly improve the utility of this api: And it's required for us (Directory Server) to integrate properly with systemd-ask-password.
Thanks for your help,
Red Hat Directory Server has bug 1316580 which is depending upon this bug.
Currently, we have to ask the customers to run this every time the system is restarted to support the functionality, which is not acceptable.
1) using systemctl
# setfacl -m g:dirsrv:rwx /var/run/systemd/ask-password
<== This is needed unless bz 1322167 is taken care by the systemd team.
Could you please fix this issue as described in #c0 or give us an advice to solve it in the better way than running setfacl?
I am not sure if this is a good idea. But anyway, upstream first:
Thank you for giving us the right direction, Lukáš!
#3027 has a pointer to this ticket , which has an interesting note:
poettering commented on Sep 18, 2015
I figure we should rework this to be based on the kernel keyring, and then support this at the same time.
* User bus breaks kernel "session" keyrings #1299 -- Closed
* RFE: extend Password Agents to user instances of systemd #2217 -- Closed
* [RFE] Systemd ask password clients must be run as root: should be a group to allow access #3027 -- Open <== Our goal.
So, it seems the kernel side tasks are done and this issue is ready to work on?
Please let non-root users ask for passwords
(In reply to Lukáš Nykrýn from comment #3)
> I am not sure if this is a good idea. But anyway, upstream first:
By the way, the upstream issue talks about implementation that uses the kernel keyring, which IMO is irrelevant to who owns /var/run/systemd/ask-password/.
The upstream issue got stale and nobody really seems to care, plus this RFE is not RHEL-7 material any more.