author: Fabiano Fidêncio <fidencio@redhat.com> 2016-11-17 00:53:22 +0100
committer: Lukas Slebodnik <lslebodn@redhat.com> 2017-01-23 18:46:37 +0100
commit: 6a7e28f06e4db1fa07e63ee39f3c28446ff56f4e
tree: 381948e158e030ffd78f901f88c9a53d9aaa9ca0 /src/sysv
parent: e4093605339062548364d338c811431673bdfe25
PAM: Make PAM responder socket-activatable

As part of the effort of making all responders socket-activatable, let's make the PAM responder ready for this by providing its systemd units.

In case the administrators want to use the PAM responder taking advantage of socket-activation, they will need to enable sssd-pam.socket and, after a restart of the sssd service, the PAM socket will be ready waiting for any activity in order to start the PAM responder. Also, the PAM responder must be removed from the services line on sssd.conf.

The PAM responder service is bound to the SSSD service, which means that the responder will be restarted in case SSSD is restarted and shut down in case SSSD is shut down/crashes.

PAM responder, differently from the others, is a special case as it has two sockets and its private sockets must be owned by root and must have a specific permission (0600). It's not new, though, and it's following what has been already done in the project.

Related: https://fedorahosted.org/sssd/ticket/2243

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

Diffstat (limited to 'src/sysv')
-rw-r--r-- src/sysv/systemd/sssd-pam-priv.socket.in 15
-rw-r--r-- src/sysv/systemd/sssd-pam.service.in 16
-rw-r--r-- src/sysv/systemd/sssd-pam.socket.in 13
3 files changed, 44 insertions, 0 deletions
diff --git a/src/sysv/systemd/sssd-pam-priv.socket.in b/src/sysv/systemd/sssd-pam-priv.socket.in
new file mode 100644
index 000000000..84b8caa04
--- /dev/null
+++ b/src/sysv/systemd/sssd-pam-priv.socket.in
@@ -0,0 +1,15 @@
+[Unit]
+Description=SSSD PAM Service responder private socket
+Documentation=man:sssd.conf(5)
+BindsTo=sssd.service
+BindsTo=sssd-pam.socket
+
+[Socket]
+Service=sssd-pam.service
+ListenStream=@pipepath@/private/pam
+SocketUser=root
+SocketGroup=root
+SocketMode=0600
+
+[Install]
+WantedBy=sssd.service
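
Review bot: ListenStream=@pipepath@/private/pam is protected by SocketMode=0600 on the socket node only; the parent directory is left to systemd, which creates missing parent directories with the default DirectoryMode of 0755. Consider adding DirectoryMode=0700 to [Socket], or documenting that @pipepath@/private is created by the package with restrictive permissions before this unit starts. In [Unit], both BindsTo= lines lack a matching After=, so stop propagation from sssd.service is in place but start ordering is not; add After=sssd.service if the socket must only be bound once SSSD is up.
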
diff --git a/src/sysv/systemd/sssd-pam.service.in b/src/sysv/systemd/sssd-pam.service.in
new file mode 100644
index 000000000..a7f285c8e
--- /dev/null
+++ b/src/sysv/systemd/sssd-pam.service.in
@@ -0,0 +1,16 @@
+[Unit]
+Description=SSSD PAM Service responder
+Documentation=man:sssd.conf(5)
+After=sssd.service
+BindsTo=sssd.service
+
+[Install]
+Also=sssd-pam.socket sssd-pam-priv.socket
+
+[Service]
+ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_pam.log
+ExecStart=@libexecdir@/sssd/sssd_pam --debug-to-files --socket-activated
+Restart=on-failure
+User=@SSSD_USER@
+Group=@SSSD_USER@
+PermissionsStartOnly=true
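
Review bot: the ExecStartPre line runs /bin/chown as root (because of PermissionsStartOnly=true) on @logpath@/sssd_pam.log, and chown dereferences symbolic links by default; if @logpath@ is writable by @SSSD_USER@, root ends up changing ownership of a path the unprivileged account controls. Consider chown -h, or creating the log file with the correct owner at install time so the service unit needs no root step at all. The leading "-" also swallows a failed chown, so a responder that cannot write its log will start without any visible error in the unit status. Style: [Install] sits between [Unit] and [Service]; the other two units put [Install] last.
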
diff --git a/src/sysv/systemd/sssd-pam.socket.in b/src/sysv/systemd/sssd-pam.socket.in
new file mode 100644
index 000000000..9554785ca
--- /dev/null
+++ b/src/sysv/systemd/sssd-pam.socket.in
@@ -0,0 +1,13 @@
+[Unit]
+Description=SSSD PAM Service responder socket
+Documentation=man:sssd.conf(5)
+BindsTo=sssd.service
+BindsTo=sssd-pam-priv.socket
+
+[Socket]
+ListenStream=@pipepath@/pam
+SocketUser=root
+SocketGroup=root
+
+[Install]
+WantedBy=sssd.service
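
Review bot: [Socket] sets SocketUser=root and SocketGroup=root but no SocketMode, so @pipepath@/pam gets systemd's default of 0666. That looks intended for the public PAM socket, but writing SocketMode=0666 explicitly would document the contrast with the 0600 private socket and keep the unit independent of the default. As in sssd-pam-priv.socket.in, BindsTo=sssd.service has no After=sssd.service, so start ordering relative to SSSD is not enforced.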