[Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree
Simo Sorce
simo at redhat.com
Wed Sep 3 14:51:35 UTC 2014
On Wed, 2014-09-03 at 13:27 +0200, Petr Viktorin wrote:
> Hello,
> This adds managed read permissions to the compat tree.
>
> For users it grants anonymous access; authenticated users can read
> groups, hosts and netgroups.
>
> I'm unsure if this is what we want to do for groups, but "Read Group
> Membership" is only granted to authenticated users by default, and the
> compat tree exposes memberuid.

The reason we restrict member is because it also exposes hbac, sudo and
other sensible groupings. memberuid does not have those groups in, so I
think it is safe (and necessary for legacy clients) to allow anonymous
to read it, just like for users.

Simo.

> https://fedorahosted.org/freeipa/ticket/4521
>
--
Simo Sorce * Red Hat, Inc * New York