SP packaging

Cantor, Scott cantor.2 at osu.edu
Mon Feb 1 14:40:38 UTC 2016

> Ah, right, I totally missed that these parameters exist since 2.5.0.
> I'll have to update our man page as well.  I think you can argue that
> running shibd -t as root without -u and -g is user error, still this
> isn't particulary user friendly, as the description of the -t option is
> 'config test', so users don't expect filesystem modification.  What
> about making this so by skipping cache writes when -t is in effect?
> Shot in the dark: can't you omit caching the same way as
> SPConfig::Logging?

The caching is from the metadata, and the point is to exercise the configuration and look for problems. It isn't possible to run the metadata providers and not cache, no. Probably it could check for root though, I guess that's just checking for uid=0, right? An option could be added to override the behavior.

> BTW aren't you interested in taking the man pages created by Russ into
> your tree, making them official?

If I had time to learn it. That's adding a whole other dimension of packaging and a component I don't know anything about.

> Well, since shibd drops privileges upfront (it does not bind to
> privileged ports, reads up protected config files or writes the PID file
> beforehand), it has little reason to have its own privilege-dropping
> code.  That's just more ground for (security) bugs.  Incidentally, looks
> like the current code does not reset the list of supplementary group
> IDs, lacking the initgroups()/setgroup() call.

I was given a patch to fix that, if it didn't work I guess somebody will have to give me another. There is an initgroups call now.

-- Scott

More information about the Pkg-shibboleth-devel mailing list