From: Daniel Thornburgh
Date: Thu, 28 Jul 2022 10:47:05 -0700
Subject: Re: debuginfod Credential Helper RFC
To: Mark Wielaard
Cc: elfutils-devel@sourceware.org
In-Reply-To: <7e442ae6d3be28043d3c3ecd8a66af011b8dd573.camel@klomp.org>

> I think this could work for a standalone program like debuginfod-find,
> but not for a library like libdebuginfod. I would rather not have to
> fork and exec from libdebuginfod.

Could this functionality be made optional? Something a client could call to fork out to a credential helper, but with a notice on the tin? Or just a way to pass through credentials to libcurl, and libraries for parsing/producing the helper format?

> Can't this be handled through e.g. the underlying libcurl library by
> setting a proxy environment variable so the requests go through a
> local proxy that is set up to do some kind of authentication
> transparently?

It would be at least somewhat undesirable for any process capable of making loopback requests to gain access equivalent to any user using debuginfod on that system. A credential helper would only have the ambient authority available to the user running the debuginfod client.

That being said, I'm not opposed to this idea of an authenticating proxy, so long as there's a way of scoping access to it appropriately. I'm pretty far from a UNIX/Windows networking wizard, so if you know of a reasonable way to do this, please let me know.

> Or by simply defining the base DEBUGINFOD_URL with
> https://user:pass@debuginfod.example.com/ ?

The specific use case we had in mind uses OAuth2 bearer tokens, not username/password pairs. This is increasingly common for the sorts of cloud hosting one might like to use for things like debug binaries.

-- Daniel Thornburgh | dthorn@google.com
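
The difference between the `user:pass@` URL form and a bearer token, as an added example that is not part of the original message and is not elfutils or libdebuginfod code. The function names and the token value are hypothetical; the sketch assumes the client sends URL userinfo as HTTP Basic, which is the usual default for HTTP clients.

```python
import base64
from urllib.parse import unquote, urlsplit, urlunsplit


def split_userinfo(url):
    """Return (url_without_credentials, (user, password) or None)."""
    parts = urlsplit(url)
    if parts.username is None:
        return url, None
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal needs its brackets back
        host = "[" + host + "]"
    if parts.port is not None:
        host += ":" + str(parts.port)
    clean = urlunsplit((parts.scheme, host, parts.path,
                        parts.query, parts.fragment))
    return clean, (unquote(parts.username), unquote(parts.password or ""))


def build_request(url, bearer_token=None):
    """Return (url_safe_to_log, headers) for one debuginfod-style request.

    Hypothetical helper: the token is handed in by the caller (for
    instance from a credential helper), never read from the URL.
    """
    clean, userinfo = split_userinfo(url)
    headers = {}
    if bearer_token is not None:
        # An OAuth2 bearer token (RFC 6750) has no user:pass shape, so it
        # cannot be expressed in the URL and travels only in this header.
        headers["Authorization"] = "Bearer " + bearer_token
    elif userinfo is not None:
        # URL userinfo becomes an HTTP Basic header (RFC 7617): base64 of
        # "user:password", which is an encoding and not encryption.
        raw = (userinfo[0] + ":" + userinfo[1]).encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode("ascii")
    return clean, headers


if __name__ == "__main__":
    # Constructed inputs: the URL from the thread and a placeholder token.
    print(build_request("https://user:pass@debuginfod.example.com/"))
    print(build_request("https://debuginfod.example.com/",
                        bearer_token="CONSTRUCTED-TOKEN"))
```

Returning the credential-free URL separately keeps the secret out of anything that logs or displays the server URL.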