[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code

HonzaCholasta freeipa-github-notification at redhat.com
Tue Feb 14 14:55:30 UTC 2017


  URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
I would personally go with:
* Change session handling: 5959
* Generate tmpfiles config at install time: 5959
* Drop use of kinit_as_http from trust code: 5959
* Use Anonymous user to obtain FAST armor ccache: 5959
* Configure HTTPD to work via Gss-Proxy: 4189, 5959
* Separate RA cert store from the HTTP cert store: 5959
* Simplify NSSDatabase password file handling: 5959
* Always use /etc/ipa/ca.crt as CA cert file: 5959
* Add a new user to run the framework code: 5959
* Rationalize creation of RA and HTTPD NSS databases: 5959
* Fix uninstall stopping ipa.service: 5959
* Allow rpc callers to pass ccache and service names: 6543
* Explicitly pass down ccache names for connections: 6543
* Insure removal of session on identity change: 6543
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279729055

