[Freeipa-users] ipausers default group

Robert Marcano robert at marcanoonline.com
Tue Nov 18 16:04:11 UTC 2008 

On Tue, 2008-11-18 at 15:00 +0000, Simo Sorce wrote:

> There are many things that need to be configured properly to avoid
> security issues, this is just on of them, maybe we should make it better
> known in the docs.

I do not buy this either, this is like if Red Hat Enterpise Linux docs
say me that in order to have more security i need to change the umask,
because the default is not good enough, and the adduser script just
create by default users on the rhusers group.

> 
> > So, Freeipa create a (little) insecure environment by default.
> 
> No, it is just a different environment, security depends on how well or
> bad you configure your environment.

a different evironment whose defaults are less secure than a default
RH/Fedora install, Freeipa (in its current state) can protect password
being stealed on the net (Kerberos) but local security is less secure
than a plain RH/Fedora installation
> 
> We could make ipa-client-install to change the umask by default maybe,
> and with v2 we should be able to have policies that do that on all
> clients.

if V2 will do that, then the group per user issue is resolved, but it
does not do that today, and by default current freeipa is insecure and a
security advisory is needed (some temporary files could be writeable by
any member of ipausers).

(note that I am a little extremist on file security issues
https://bugzilla.redhat.com/show_bug.cgi?id=447430 )

> 
> >  I
> > understand that things must be made easy for the users but remember that
> > making things easier can compromise security too.
> 
> Making things more complex the same, sorry I do not buy the argument
> that easier = less secure, I wouldn't have worked on the FreeIPA project
> at all if I thought that.

I am not saying the UI must be made complex, but simplicity means to be
more careful of what you do, because you do not give the options to the
user to customize and blame him/her of any error.

...

> Adding a group per user just to keep the umask 022 is honestly just an
> hack, that makes managing groups cumbersome.

Could be, but do you not replace a hack without doing the real well done
fix (freeipa removes the hack but does not change the umask)

...

> > 
> > That is the temporary solution that I will propose here, but I am sad
> > because it will not be very welcome, because we lose the integrated GUI
> > (the primary reason we opted for freeipa)
> 
> It would be easier to change the umask indeed it's not that difficult :)

again the easier argument, it is not easier, do things on a central
location is easier or more manageable that changing the umask on each
ipa client .

in summary, current freeipa needs a patch to set the umask to users
whose primary group is ipauser (or uid greather than 1000?), until V2
policies can do that

Just a note, umask is for the user session, not having a group per user
will make that all services provided on the network must be checked, for
example, all Samba shares "create mask" and "create directory mask" must
be checked

> Simo.
>

More information about the Freeipa-users mailing list