[Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree

Petr Viktorin pviktori at redhat.com
Wed Sep 3 14:55:48 UTC 2014


On 09/03/2014 04:51 PM, Simo Sorce wrote:
> On Wed, 2014-09-03 at 13:27 +0200, Petr Viktorin wrote:
>> Hello,
>> This adds managed read permissions to the compat tree.
>>
>> For users it grants anonymous access; authenticated users can read
>> groups, hosts and netgroups.
>>
>> I'm unsure if this is what we want to do for groups, but "Read Group
>> Membership" is only granted to authenticated users by default, and the
>> compat tree exposes memberuid.
>
> The reason we restrict member is because it exposes also hbac, sudo and
> other sensible groupings. memberuid does not have those groups in, so I
> think it is safe (and necessary for legacy clients) to allow anonymous
> to read it, just like for users.
>
> Simo.

In that case, I'd also add memberuid to 'Read Groups', to make it clear 
what our default policy is.

-- 
Petr³