[Freeipa-devel] Compat tree permissions

Petr Viktorin pviktori at redhat.com
Wed Sep 3 10:32:22 UTC 2014


On 09/03/2014 10:45 AM, Petr Viktorin wrote:
> On 09/03/2014 10:17 AM, Martin Kosek wrote:
> [...]
>>> Exposing the same data anonymously over compat tree when it is available
>>> only for authenticated users over primary tree isn't secure.
>>
>> If you check
>> cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>> you would see that we only allow attributes we already expose to
>> anonymous as in the basic permission. So it is not that bad.
>
> For users, yes. I assume we want the others to be authenticated only?
>
>> But maybe we should add a new internal "link" between standard and
>> compat tree permissions and issue a warning when visibility of one
>> is changed...
>>
>> Regarding missing compat permissions, I would personally add these:
>>
>> System: Read User Compat Tree
>> System: Read Group Compat Tree
>> System: Read Host Compat Tree
>> System: Read Netgroup Compat Tree

Also, what about sudoers?


-- 
Petr³