[Freeipa-devel] [PATCH] 0528 Add managed read permission to automount

Simo Sorce ssorce at redhat.com
Wed Apr 16 16:15:53 UTC 2014


On Wed, 2014-04-16 at 11:59 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On 04/16/2014 02:14 PM, Petr Viktorin wrote:
> >> A single permission granting anonymous read access covers automountlocation,
> >> automountmap, and automountkey.
> >>
> >
> > This works fine, I am just wondering about the ACI:
> >
> > 1) Simo, are you OK with one ACI covering all automount objects? I personally
> > am, I cannot imagine a situation when somebody allows automount maps but not
> > the automount keys. But on the other hand, we also have separate permissions
> > for sudo commands, sudo command groups, sudo rules...
> 
> With sudo you may want a different set of users deciding WHAT can be 
> executed from WHO can execute it. I don't think automount needs that 
> level of specificity.
> 
> >
> > 2) Should we limit the ACI by an objectclass filter? I.e.
> > (|(objectclass=automountmap)(objectclass=automount))?
> 
> I think these are the only things living in that container so it may be 
> overkill. I'm not against adding it if someone feels more strongly about it.


I think Rob summarized my own thought, and I think he has more authority
than I have as he's been working on automount stuff more than I have.

Simo.
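The objectclass filter raised in question 2 of the quoted discussion, evaluated over a few constructed entries to show which ones a filtered ACI would still target. This is an added example, not part of the thread or of the FreeIPA patch; the DNs, the stray entry, and the assumption that the location entry carries nsContainer rather than an automount object class are illustrative.

```python
# Added example: evaluate the thread's objectclass filter over constructed entries.
FILTER = "(|(objectclass=automountmap)(objectclass=automount))"  # from the thread
BASE = "cn=default,cn=automount,dc=example,dc=test"  # constructed location DN
# Constructed entries; the location's and the stray entry's classes are assumptions.
ENTRIES = {
    BASE: {"objectClass": ["nsContainer", "top"]},
    f"automountmapname=auto.master,{BASE}": {"objectClass": ["automountMap", "top"]},
    f"description=/home,automountmapname=auto.master,{BASE}": {"objectClass": ["automount", "top"]},
    f"cn=stray,{BASE}": {"objectClass": ["extensibleObject", "top"]},
}

def parse(s, i=0):
    # Parse one parenthesised filter at s[i]; return (node, index after it).
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, i, kids = s[i], i + 1, []
        while s[i:i + 1] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        if s[i:i + 1] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' filter near offset {i}")
        return (op, kids), i + 1
    end = s.find(")", i)
    attr, sep, value = s[i:max(end, i)].partition("=")
    if end < 0 or not sep or not attr:
        raise ValueError(f"malformed filter item near offset {i}")
    return ("=", attr.strip().lower(), value.strip().lower()), end + 1

def matches(node, entry):
    # Attribute names and objectclass values compare case-insensitively.
    if node[0] == "=":
        have = [v.lower() for k, vs in entry.items() if k.lower() == node[1] for v in vs]
        return bool(have) if node[2] == "*" else node[2] in have
    results = [matches(kid, entry) for kid in node[1]]
    if node[0] == "!":
        return not results[0]
    return all(results) if node[0] == "&" else any(results)

def split_by_filter(filter_text, entries):
    # Return (DNs the filtered ACI would target, DNs it would leave out).
    tree, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing data after filter")
    inside = [dn for dn, attrs in entries.items() if matches(tree, attrs)]
    return inside, [dn for dn in entries if dn not in inside]

if __name__ == "__main__":
    print(split_by_filter(FILTER, ENTRIES))
```

Under these assumptions the filter keeps the map and key entries and leaves out both the stray entry and the location container, so a filtered ACI would need an extra clause if location entries must stay readable.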



