[Freeipa-devel] Visibility of the sensitive LDAP data

Simo Sorce simo at redhat.com
Wed Jun 8 19:39:40 UTC 2011


On Wed, 2011-06-08 at 15:29 -0400, Dmitri Pal wrote:
> On 06/08/2011 03:15 PM, JR Aquino wrote: 
> > > > >> 1) Leave as is and not bother at all (i.e. it is what it is)
> > > > >> 2) Leave as is and defer the solution till later (do not fix it in 2.1
> > > > >> defer to 2.2)
> > > > >> 3) Leave as is but document how to do it using permissions & ACIs
> > > > >> 4) Provide default ACIs that would hide the records for the broad user
> > > > >> population
> > > > >> 
> > > > >> Looking for an opinion here.
> > > > 
> > > > I am for (2)
> > > > 
> > > > Simo.
> > > > 
> > I am also for (2)
> > 
> > This logic becomes quite tricky however, because controlling this via ACI's would have to be cognizant of the authenticated user to be able to make the decision to show them only their /OWN/ authorization/access rights...
> I am not sure if the user really needs to see these things at all. The
> SUDO and HBAC rules should be seen by SSSD or the LDAP client on the
> host (until SUDO is SSSD integrated) the user does not need to see or
> fetch the rules for himself. I do not think that any system exposes
> its access control rules in a way that user can inspect and see in
> advance what he can do and what he can't. 

Every file system does that.
ls -al shows you standard posix permissions and getfacl gets you the
whole acl.

So if we consider SUDO rules like access control rules I do not see a
big issue in showing them to all authenticated users.

I am ok to allow people to toggle a switch that allows sudo rules to be
viewed only by a subset of users (namely admins and computers), but that
should be an option, as there may be legitimate reason for wanting the
rules accessible to any authenticated entity.

That said I think we want to carefully plan for this and not rush it in
2.1 so I am for deferring. Worst case admins can always add their own
ACIs to further restrict access to sudo/hbac rules for now.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
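As an added illustration, not part of the thread and not an IPA default: one way an admin could add the kind of restricting ACI Simo mentions, hiding the sudo rules container from everyone except members of the admins group and enrolled hosts. The suffix dc=example,dc=com is a placeholder; cn=sudorules,cn=sudo, cn=admins,cn=groups,cn=accounts and cn=computers,cn=accounts are the standard IPA containers, and the same form can be applied to cn=hbac.

```ldif
# Constructed example: deny read/search/compare on the sudo rules subtree
# to any bind DN that is neither an admins group member nor a host entry.
# Deny ACIs take precedence over allow ACIs in 389-DS, so this overrides
# the broad default read ACI; Directory Manager is never subject to ACIs.
dn: cn=sudorules,cn=sudo,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")
 (target = "ldap:///cn=sudorules,cn=sudo,dc=example,dc=com")
 (version 3.0; acl "Hide sudo rules from regular users";
 deny (read, search, compare)
 groupdn != "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com"
 and userdn != "ldap:///fqdn=*,cn=computers,cn=accounts,dc=example,dc=com";)
```

After applying it with ldapmodify, verify the effect with an ldapsearch bound as an ordinary user (should return nothing under cn=sudorules), as an admin, and with a host keytab, before relying on it.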
