author | Eric Mackay <eric.mackay@oracle.com> | 2022-04-29 18:02:47 -0700 |
---|---|---|
committer | Eric Mackay <eric.mackay@oracle.com> | 2022-05-16 09:46:17 -0700 |
commit | 4b377041ef88f7c683b0a880e937e71a773c2c68 (patch) | |
tree | c3ac5f0733cc34595e970f027e13ac392e5c340a /etc | |
parent | 9dc06a2a75438907cbac0a1523f4d235d28ab58b (diff) | |
download | open-iscsi-4b377041ef88f7c683b0a880e937e71a773c2c68.tar.gz |
Add ability for MGMT IPC to check UID only

The default behavior in iscsid, which is to check mgmt IPCs
for UID==0 and user explicitly named "root", is unchanged.

This option to perform only the UID check for management
IPCs can be enabled in iscsid.conf. This can be useful for
running iscsid in a constrained environment, e.g., initramfs.

For instance, klibc initramfs in Ubuntu and Debian does not
include a user DB. Attempting to run iscsid and iscsiadm
in klibc initramfs would result in ISCSI_ERR_ACCESS for
all MGMT IPCs. Specifying just the UID check allows iscsid
and iscsiadm to run in klibc initramfs without a user DB.

systemd can still start an iscsid process later in boot with
the default full MGMT IPC auth checks, leaving the steady-state
behavior of iscsid the same as before.

The following setting in iscsid.conf enables this behavior:

iscsid.ipc_auth_uid = Yes

iscsistart now uses this mechanism to only perform the UID
check, rather than statically linking against an alternate
implementation of getpwuid(). This is effectively the same
behavior as before.

Signed-off-by: Eric Mackay <eric.mackay@oracle.com>
Reviewed-by: Mike Christie <michael.christie@oracle.com>

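
The two policies the commit message describes, as an added C sketch that is not open-iscsi's code: the peer UID is passed in and the user DB lookup is injectable, so the missing-user-DB case can be reproduced on any machine. The function and lookup names are hypothetical, and the two stand-in lookups are constructed.

```c
/* Added illustration; every name here is hypothetical, not open-iscsi's own. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Maps a UID to a user name, or returns NULL when there is no entry. */
typedef const char *(*name_lookup_fn)(uid_t uid);

/* Lookup backed by the system user DB, as on a fully booted system. */
static const char *lookup_system(uid_t uid)
{
    struct passwd *pw = getpwuid(uid);
    return pw ? pw->pw_name : NULL;
}

/* Constructed stand-in: an initramfs that ships no user DB. */
static const char *lookup_no_userdb(uid_t uid) { (void)uid; return NULL; }

/* Constructed stand-in: UID 0 exists but is not named "root". */
static const char *lookup_renamed_uid0(uid_t uid) { return uid == 0 ? "admin" : NULL; }

/*
 * Decide whether a management IPC peer is accepted (1) or rejected (0).
 * uid_only == 0: default policy, UID 0 and user name "root".
 * uid_only != 0: policy of iscsid.ipc_auth_uid = Yes, UID 0 alone.
 */
static int mgmt_ipc_peer_allowed(uid_t peer_uid, int uid_only, name_lookup_fn lookup)
{
    const char *name;

    if (peer_uid != 0)
        return 0;                 /* both policies require UID 0 */
    if (uid_only)
        return 1;                 /* the user DB is never consulted */
    name = lookup(peer_uid);      /* NULL when no user DB is present */
    return name != NULL && strcmp(name, "root") == 0;
}

int main(void)
{
    printf("no user DB, full check:    %d\n", mgmt_ipc_peer_allowed(0, 0, lookup_no_userdb));
    printf("no user DB, UID only:      %d\n", mgmt_ipc_peer_allowed(0, 1, lookup_no_userdb));
    printf("UID 0 not named root, full: %d\n", mgmt_ipc_peer_allowed(0, 0, lookup_renamed_uid0));
    printf("UID 0 not named root, UID:  %d\n", mgmt_ipc_peer_allowed(0, 1, lookup_renamed_uid0));
    printf("this process, full check:  %d\n", mgmt_ipc_peer_allowed(getuid(), 0, lookup_system));
    return 0;
}
```

The third and fourth lines of output show the difference an administrator accepts by enabling the option: a UID 0 caller whose name is not "root" is rejected by the default policy and accepted by the UID-only one.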
Diffstat (limited to 'etc')
-rw-r--r-- | etc/iscsid.conf | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/etc/iscsid.conf b/etc/iscsid.conf index 2dc412f..79d8127 100644 --- a/etc/iscsid.conf +++ b/etc/iscsid.conf @@ -31,6 +31,12 @@ # and refuse to logout if there are any. Defaults to "No". # iscsid.safe_logout = Yes +# Only require UID auth for MGMT IPCs, and not username. +# Useful if you want to run iscsid in a constrained environment. +# Note: Only do this if you are aware of the security implications. +# Defaults to "No". +# iscsid.ipc_auth_uid = Yes + ############################# # NIC/HBA and driver settings ############################# |
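Review bot: the added comment line "Note: Only do this if you are aware of the security implications." never says what those implications are, so an administrator reading iscsid.conf has nothing to weigh. Spell it out in the comment: with iscsid.ipc_auth_uid = Yes the check that the caller's user is named "root" is skipped, and a management IPC is accepted on UID 0 alone. It would also help to state here, as the commit message does, that the setting is meant for environments without a user DB such as an initramfs, and that the iscsid started later by systemd should keep the default "No".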