mirror of https://github.com/xcat2/confluent.git synced 2024-11-25 19:10:10 +00:00
confluent/confluent_server/systemd
Jarrod Johnson ce1cb952e8 Fix PAM authentication
It's tricky.  On Red Hat platforms, we need the CAP_DAC_READ_SEARCH
capability.  Unfortunately this is one of the nicest capabilities to have.

For now add it to ambient set so that PAM can work on Red Hat platforms.
Mitigate this risk by safeguarding the license handling code, which
is the only known place that can read a file and send it somewhere.

If we could drop the capability from effective set and add it back in when
needed, that would be nice, but that appears not to be possible.

Short of that, having a separate authentication process
running and dropping privilege would potentially work.
2020-02-11 14:09:22 -05:00
confluent.service Fix PAM authentication 2020-02-11 14:09:22 -05:00