[Freeipa-devel] Notes and questions for fine-grained read permissions
Petr Viktorin
pviktori at redhat.com
Mon Sep 9 14:51:08 UTC 2013
On 09/09/2013 04:44 PM, Rob Crittenden wrote:
> Petr Viktorin wrote:
[...]
>
> There needs to be some mechanism for us to force-replace existing ACIs
> in the case of a security issue.
Under my proposal, we can just remove the offending attribute from the
default list, and trust that the admin didn't for some reason explicitly
add it.
(This would differ from a normal update in that it would actively remove
the attribute instead of ignoring pre-existing entries.)
If that's not enough, then this affects *all* ACI, not just ones added
by IPA by default. We'd need to have an update plugin that crawls
through all existing permissions (or even all ACIs) and fixes them.
--
Petr³
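As an added illustration of the "update plugin that crawls through all existing permissions and fixes them" idea above (this is example code written for this page, not code from the thread or from FreeIPA), the function below walks a set of permission entries, parses the `targetattr` clause of each 389-DS style ACI string, and removes a given attribute from it. The permission DNs and ACI strings are constructed samples, the `targetattr` parsing is a simplified regular expression over the clause syntax, and the handling of an ACI with no `targetattr` clause as "applies to all attributes" is an assumption made here so that such ACIs get flagged rather than silently skipped.

```python
import re

# Matches the targetattr clause of a 389-DS style ACI string, e.g.
#   (targetattr = "cn || uid")   or   (targetattr != "userPassword")
TARGETATTR_RE = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.IGNORECASE)


def strip_attribute(aci, attr):
    """Rewrite one ACI so that it no longer exposes `attr`.

    Returns (new_aci, changed).  new_aci is None when the ACI would be left
    granting nothing and should be deleted instead.  Raises ValueError when the
    ACI cannot be fixed mechanically: a wildcard targetattr, or (assumption made
    for this example) no targetattr clause at all, treated as "all attributes".
    """
    m = TARGETATTR_RE.search(aci)
    if m is None:
        raise ValueError("no targetattr clause; treated as applying to all attributes")
    op = m.group(1)
    attrs = [a.strip() for a in m.group(2).split("||") if a.strip()]
    present = any(a.lower() == attr.lower() for a in attrs)
    if op == "=":
        # Positive list: the attribute must be dropped from it.
        if "*" in attrs:
            raise ValueError("wildcard targetattr cannot be narrowed automatically")
        if not present:
            return aci, False
        remaining = [a for a in attrs if a.lower() != attr.lower()]
        if not remaining:
            return None, True
        clause = '(targetattr = "%s")' % " || ".join(remaining)
    else:
        # Negated list names the *excluded* attributes: ours must be added to it.
        if present:
            return aci, False
        clause = '(targetattr != "%s")' % " || ".join(attrs + [attr])
    return aci[:m.start()] + clause + aci[m.end():], True


def fix_permissions(entries, attr):
    """Crawl permission entries ({dn: {"aci": [...]}}) and strip `attr` from every
    ACI.  Returns {dn: {"aci": [fixed ACIs], "problems": [ACIs needing a human]}}."""
    report = {}
    for dn, entry in entries.items():
        new_acis, problems = [], []
        for aci in entry.get("aci", []):
            try:
                new_aci, _ = strip_attribute(aci, attr)
            except ValueError as exc:
                problems.append("%s: %s" % (aci, exc))
                new_aci = aci  # leave it untouched, but report it
            if new_aci is not None:
                new_acis.append(new_aci)
        report[dn] = {"aci": new_acis, "problems": problems}
    return report


# Constructed sample permission entries (not real FreeIPA data).
BASE = "cn=permissions,cn=pbac,dc=example,dc=test"
DN_READ_USERS = "cn=Read Users," + BASE
DN_PHONE_ONLY = "cn=Phone Only," + BASE
DN_ALL_BUT_PW = "cn=All But Password," + BASE
DN_WILDCARD = "cn=Wildcard," + BASE
ACI_WILDCARD = ('(targetattr = "*")(version 3.0;acl "permission:Wildcard";'
                'allow (read) userdn = "ldap:///all";)')
SAMPLE_ENTRIES = {
    DN_READ_USERS: {"aci": [
        '(targetattr = "cn || uid || telephoneNumber")(version 3.0;'
        'acl "permission:Read Users";allow (compare,read,search) '
        'groupdn = "ldap:///%s";)' % DN_READ_USERS]},
    DN_PHONE_ONLY: {"aci": [
        '(targetattr = "telephoneNumber")(version 3.0;acl "permission:Phone Only";'
        'allow (read) userdn = "ldap:///all";)']},
    DN_ALL_BUT_PW: {"aci": [
        '(targetattr != "userPassword")(version 3.0;acl "permission:All But Password";'
        'allow (read) userdn = "ldap:///all";)']},
    DN_WILDCARD: {"aci": [ACI_WILDCARD]},
}

if __name__ == "__main__":
    for dn, result in fix_permissions(SAMPLE_ENTRIES, "telephoneNumber").items():
        print(dn, result)
```

The report separates what was rewritten from what needs a person to look at it: an ACI whose positive list becomes empty is dropped, a negated list gains the attribute, and a wildcard or missing `targetattr` is left alone and listed under `problems`, since narrowing those automatically would require knowing every attribute the ACI was meant to cover.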