Add users and group for the seneschal service

The seneschal service provides fine-grained access to specific parts of
the user's /home directory.

Seneschal runs as root inside a user namespace where root is mapped to
the seneschal user in the parent namespace.  However, this interacts
poorly with the mechanism that dbus uses to authenticate its clients.
Clients are supposed to send their effective uid with the AUTH message
and the dbus daemon uses SO_PEERCRED to verify that the client's uid
matches what it claims to be.  This doesn't work in a user namespace
because the client thinks it is root while the dbus daemon sees a
different user.

To deal with this the seneschal daemon temporarily switches its
effective uid to the seneschal-dbus user before connecting to the dbus
daemon.  This uid is identity mapped inside seneschal's user namespace,
which allows the dbus authentication to succeed.  Once seneschal has
connected to the dbus daemon it changes its effective uid back to root
(inside its user namespace) so that it can regain the capabilities it
needs to carry out its job.

BUG=chromium:703939
TEST=`start seneschal` and see that it is running

Change-Id: Icede13e93380862851c2a2b3df24fbd7cb18b247
Signed-off-by: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1094267
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>
4 files changed
tree: 64b407b56a03c82c36a2803a8905b77c9788f836
  1. eclass/
  2. metadata/
  3. profiles/
  4. PRESUBMIT.cfg