[Freeipa-users] ipausers default group

Simo Sorce ssorce at redhat.com
Tue Nov 18 15:00:01 UTC 2008


On Tue, 2008-11-18 at 10:01 -0430, Robert Marcano wrote:
> On Tue, 2008-11-18 at 08:39 -0500, Simo Sorce wrote:
> > On Mon, 2008-11-17 at 20:03 -0430, Robert Marcano wrote:
> > > Is it a good idea that "ipausers" group be the default primary group for
> > > all users? I see everyday applications that create temporary files that
> > > do not follow the 0600 file permissions.
> > > 
> > > All RedHat/Fedora tools create a user and a group by default, unless you
> > > request a different primary group.
> > > 
> 
> ...
> 
> > You should be able to change the default umask for users so that groups
> > do not get permissions like others.
> > The umask can be changed from 0002 to 0022 so that groups do not get
> > write permissions by default.
> > If you want by default no readability to anyone but the user you can
> > also set it to 0077
> 
> Yes, I know about the umask option, but if you are trying to deploy not
> only servers but Linux workstations, that must be done on each one of
> them, leaving the possibility of a security hole if you miss one of
> them, and things can be worse if you do not have control of all the
> servers (in my case I have servers from another company that I will only
> request them to be added to the IPA realm)

There are many things that need to be configured properly to avoid
security issues, this is just one of them, maybe we should make it better
known in the docs.

> > The default umask can be changed in /etc/bashrc on Fedora and similar
> > files on other distributions, or even just per-user in ~/.bashrc
> > 
> > > Creating a group by hand for each user is repetitive and there is no way
> > > to assign them easily, you need to copy the GID and copy it to the user
> > > by hand
> > 
> > Creating a group for each user creates an unnecessary proliferation of
> > groups that clogs the group interface with mostly useless groups.
> 
> So, Freeipa creates a (little) insecure environment by default.

No, it is just a different environment, security depends on how well or
bad you configure your environment.

We could make ipa-client-install change the umask by default maybe,
and with v2 we should be able to have policies that do that on all
clients.

> I understand that things must be made easy for the users but remember that
> making things easier can compromise security too.

Making things more complex does the same; sorry, I do not buy the argument
that easier = less secure, I wouldn't have worked on the FreeIPA project
at all if I thought that.

> I think it is possible
> to make the GUI create the primary group on another part of the LDAP
> tree (like i do with samba machine posix accounts because I was worried
> like you are with the machine$ accounts cluttering the Web UI), I only
> needed to change the ldap configuration to get users from the common
> parent 
> 
> nss_base_passwd cn=accounts,dc=example,dc=com,dc=ve?sub
> 
> this way the UI will not be cluttered with the primary groups

If it were just about concealing personal user groups we could do it in many
different ways without having to put them elsewhere, but there are other
aspects than UI ugliness.

> > Managing user/groups makes it more complex to create delete and rename
> > existing users, as the relative groups would need to follow, and
> > exceptions would need to be handled.
> > 
> Well the simple adduser/removeuser scripts are able to do that (no
> rename), so I think it is feasible to replicate that on an LDAP
> environment

It's more complex than you think. What do you do if you create a new
user and a group of the same name already exists? What do you do if you
remove a user and its associated group has other memberships?
And so on.

Adding a group per user just to keep the umask 022 is honestly just a
hack that makes managing groups cumbersome.

> What do people think about this option? This is something that I will
> hopefully try to get some time to help with, and could be the excuse to
> learn a little of Python web development (I have no knowledge of
> TurboGears :-P)

Well if you want to propose patches so that the admins can optionally
observe one or the other behavior we may consider them. You would work
on the v2 code base though, as I don't think we will pursue so radical
changes in the 1.1.x series at this point.

> > In case you find that you nonetheless want to create a group for each
> > user you can use CLI tools and some scripts to make it simpler for you
> > to create users the way you prefer.
> 
> That is the temporary solution that I will propose here, but I am sad
> because it will not be very welcome, because we lose the integrated GUI
> (the primary reason we opted for freeipa)

It would be easier to change the umask indeed, it's not that difficult :)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
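As an added illustration (not part of the thread), the following POSIX shell snippet makes the point of the exchange concrete: it creates a file under each of the umasks mentioned above (0002, 0022, 0077) and reports whether every member of a shared primary group such as "ipausers" would end up with write access to it. It assumes either GNU `stat -c` or BSD `stat -f` and a working `mktemp -d`.

```shell
#!/bin/sh
# Added example, not from the thread: what a shared primary group such as
# "ipausers" can do with a freshly created file depends entirely on the
# umask discussed above (0002 = distro default, 0022, 0077).

# mode_under_umask UMASK
# Creates a throwaway file under the given umask, the way an application
# requesting the usual 0666 would, and prints its permission bits (e.g. 664).
# Assumes GNU stat (-c) or BSD stat (-f); mktemp -d keeps the probe private.
mode_under_umask() {
    probe_dir=$(mktemp -d) || return 1
    ( umask "$1" && : > "$probe_dir/probe" ) || { rm -rf "$probe_dir"; return 1; }
    mode=$(stat -c '%a' "$probe_dir/probe" 2>/dev/null \
        || stat -f '%Lp' "$probe_dir/probe")
    rm -rf "$probe_dir"
    printf '%s\n' "$mode"
}

# group_can_write MODE
# Succeeds (exit 0) when the group write bit is set in a 3-digit octal mode,
# i.e. when every member of the shared primary group could modify the file.
group_can_write() {
    g=${1#?}; g=${g%?}          # middle digit = group permission bits
    [ $(( g & 2 )) -ne 0 ]
}

# Walk the three umasks from the thread and report what the group ends up with.
for u in 0002 0022 0077; do
    m=$(mode_under_umask "$u")
    if group_can_write "$m"; then
        printf 'umask %s -> mode %s: shared group can WRITE\n' "$u" "$m"
    else
        printf 'umask %s -> mode %s: group write bit clear\n' "$u" "$m"
    fi
done
```

Only the 0002 default leaves the group write bit set, which is exactly the exposure the poster describes when every account shares one primary group.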
