From 4b377041ef88f7c683b0a880e937e71a773c2c68 Mon Sep 17 00:00:00 2001 From: Eric Mackay Date: Fri, 29 Apr 2022 18:02:47 -0700 Subject: Add ability for MGMT IPC to check UID only The default behavior in iscsid, which is to check mgmt IPCs for UID==0 and user explicitly named "root", is unchanged. This option to perform only the UID check for management IPCs can be enabled in iscsid.conf. This can be useful for running iscsid in a constrained environment, e.g., initramfs. For instance, klibc initramfs in Ubuntu and Debian does not include a user DB. Attempting to run iscsid and iscsiadm in klibc initramfs would result in ISCSI_ERR_ACCESS for all MGMT IPCs. Specifying just the UID check allows iscsid and iscsiadm to run in klibc initramfs without a user DB. systemd can still start an iscsid process later in boot with the default full MGMT IPC auth checks, leaving the steady-state behavior of iscsid the same as before. The following setting in iscsid.conf enables this behavior: iscsid.ipc_auth_uid = Yes iscsistart now uses this mechanism to only perform the UID check, rather than statically linking against an alternate implementation of getpwuid(). This is effectively the same behavior as before. Signed-off-by: Eric Mackay Reviewed-by: Mike Christie --- etc/iscsid.conf | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'etc') diff --git a/etc/iscsid.conf b/etc/iscsid.conf index 2dc412f..79d8127 100644 --- a/etc/iscsid.conf +++ b/etc/iscsid.conf @@ -31,6 +31,12 @@ # and refuse to logout if there are any. Defaults to "No". # iscsid.safe_logout = Yes +# Only require UID auth for MGMT IPCs, and not username. +# Useful if you want to run iscsid in a constrained environment. +# Note: Only do this if you are aware of the security implications. +# Defaults to "No". +# iscsid.ipc_auth_uid = Yes + ############################# # NIC/HBA and driver settings ############################# -- cgit v1.2.1