[Freeipa-users] ipausers default group

Robert Lazzurs rob at lazzurs.net
Tue Nov 18 14:38:10 UTC 2008



I think in summary what Robert M is trying to say here is FreeIPA should be 
secure by default rather than create a possible hole by default which can be 
fixed by tweaking a setting.  Think of it as the difference between Windows 
and OpenBSD...I know which one I would rather be using to run my network.

IM(very)HO I believe he is correct that this should no longer be the 
default.

Just my thoughts,

Take care.

--
Rob Lazzurs

On 18 Nov 2008, 2:32 PM, "Robert Marcano" <robert at marcanoonline.com> wrote:

On Tue, 2008-11-18 at 08:39 -0500, Simo Sorce wrote:
> On Mon, 2008-11-17 at 20:03 -0430, Robert Mar...
...

> You should be able to change the default umask for users so that groups
> do not get permissions ...
Yes, I know about the umask option, but if you are trying to deploy not
only servers but Linux workstations, that must be done on each one of
them, leaving the possibility of a security hole if you miss one of
them, and things can be worse if you do not have control of all the
servers (in my case I have servers from another company that I will only
request to be added to the IPA realm).

> > The default umask can be changed in /etc/bashrc on Fedora and similar
> > files on other distrib...
So, FreeIPA creates a (little) insecure environment by default. I
understand that things must be made easy for the users, but remember that
making things easier can compromise security too. I think it is possible
to make the GUI create the primary group in another part of the LDAP
tree (like I do with Samba machine POSIX accounts, because I was worried,
like you are, about the machine$ accounts cluttering the Web UI); I only
needed to change the LDAP configuration to get users from the common
parent:

nss_base_passwd cn=accounts,dc=example,dc=com,dc=ve?sub

This way the UI will not be cluttered with the primary groups.

> Managing user/groups makes it more complex to create delete and rename
> existing users, as the r...
Well, the simple adduser/removeuser scripts are able to do that (no
rename), so I think it is feasible to replicate that in an LDAP
environment.

What do people think about this option? This is something that I will
hopefully try to get some time to help with, and it could be the excuse to
learn a little Python web development (I have no knowledge of
TurboGears :-P).

> > In case you find that you nonetheless want to create a group for each
> > user you can use CLI to...
That is the temporary solution that I will propose here, but I am sad
because it will not be very welcome, since we lose the integrated GUI
(the primary reason we opted for FreeIPA).


>
> Simo.

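The thread's security argument is that a shared default primary group (such as ipausers) only stays harmless as long as every host's umask denies group write, which is exactly the per-machine setting Robert Marcano worries about missing. The script below, an added example that is not part of the thread and not FreeIPA code, demonstrates the effect on a plain POSIX shell: a file created under umask 002 comes out group-writable, one created under umask 022 does not, and a `find` over a directory shows how a defender can spot files that a shared group could modify. The directory and file names are constructed for the demonstration.

```bash
#!/bin/sh
# Added example: shows why a shared primary group plus a permissive umask
# leaves files writable by every member of that group.

# Create an empty file under the given umask in a scratch directory and
# print its octal mode (e.g. 644 or 664). Uses GNU stat, with a BSD fallback.
mode_with_umask() {
    umask_value="$1"
    dir="$(mktemp -d)"
    ( umask "$umask_value" && : > "$dir/newfile" )
    mode="$(stat -c '%a' "$dir/newfile" 2>/dev/null || stat -f '%Lp' "$dir/newfile")"
    rm -rf "$dir"
    printf '%s\n' "$mode"
}

# Return 0 if a three-digit octal mode grants write to the group owner
# (group digit 2, 3, 6 or 7), 1 otherwise.
group_writable() {
    g="${1%?}"          # drop the "other" digit
    g="${g#"${g%?}"}"   # keep only the last remaining digit: the group digit
    case "$g" in
        2|3|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# Defender's check: list regular files under a directory that are
# group-writable, i.e. modifiable by anyone sharing the primary group.
find_group_writable() {
    find "$1" -type f -perm -g+w
}

# Demo: one file created with a lax umask (as on a host that was missed),
# one with a strict umask; prints how many of them are group-writable.
demo() {
    dir="$(mktemp -d)"
    ( umask 002 && : > "$dir/from_host_with_lax_umask" )
    ( umask 022 && : > "$dir/from_host_with_strict_umask" )
    find_group_writable "$dir" | wc -l | tr -d ' '
    rm -rf "$dir"
}

# Run stand-alone: expect 644, 664 and a count of 1.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    echo "umask 022 -> mode $(mode_with_umask 022)"
    echo "umask 002 -> mode $(mode_with_umask 002)"
    echo "group-writable files in demo dir: $(demo)"
fi
```

Pointing `find_group_writable` at a home or shared directory is a cheap audit of whether a default group is actually granting write access anywhere; it is the check that matters when the umask cannot be guaranteed on every workstation.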
