[Freeipa-devel] [PATCH] 0528 Add managed read permission to automount

Rob Crittenden rcritten at redhat.com
Wed Apr 16 15:59:46 UTC 2014

Martin Kosek wrote:
> On 04/16/2014 02:14 PM, Petr Viktorin wrote:
>> A single permission granting anonymous read access covers automountlocation,
>> automountmap, and automountkey.
> This works fine, I am just wondering about the ACI:
> 1) Simo, are you OK with one ACI covering all automount objects? I personally
> am, I cannot imagine a situation when somebody allows automount maps but not
> the automount keys. But on the other hand, we also have separate permissions
> for sudo commands, sudo command groups, sudo rules...

With sudo you may want a different set of users deciding WHAT can be 
executed from WHO can execute it. I don't think automount needs that 
level of specificity.

> 2) Should we limit the ACI by an objectclass filter? I.e.
> (|(objectclass=automountmap)(objectclass=automount))?

I think these are the only things living in that container so it may be 
overkill. I'm not against adding it if someone feels more strongly about it.


More information about the Freeipa-devel mailing list