[Freeipa-devel] [PATCH] 0528 Add managed read permission to automount

Rob Crittenden rcritten at redhat.com
Wed Apr 16 15:59:46 UTC 2014


Martin Kosek wrote:
> On 04/16/2014 02:14 PM, Petr Viktorin wrote:
>> A single permission granting anonymous read access covers automountlocation,
>> automountmap, and automountkey.
>>
>
> This works fine, I am just wondering about the ACI:
>
> 1) Simo, are you OK with one ACI covering all automount objects? I personally
> am, I cannot imagine a situation when somebody allows automount maps but not
> the automount keys. But on the other hand, we also have separate permissions
> for sudo commands, sudo command groups, sudo rules...

With sudo you may want a different set of users deciding WHAT can be 
executed from WHO can execute it. I don't think automount needs that 
level of specificity.

>
> 2) Should we limit the ACI by an objectclass filter? I.e.
> (|(objectclass=automountmap)(objectclass=automount))?

I think these are the only things living in that container so it may be 
overkill. I'm not against adding it if someone feels more strongly about it.

rob



