I think in summary what Robert M is trying to say here is FreeIPA should be secure by default rather than create a possible hole by default which can be fixed by tweaking a setting. Think of it as the difference between Windows and OpenBSD...I know which one I would rather be using to run my network. IM(very)HO I believe he is correct that this should no longer be the default. Just my thoughts, Take care. -- Rob Lazzurs <blockquote>On 18 Nov 2008, 2:32 PM, "Robert Marcano" <<a href="mailto:robert@marcanoonline.com">robert@marcanoonline.com</a>> wrote: On Tue, 2008-11-18 at 08:39 -0500, Simo Sorce wrote: > On Mon, 2008-11-17 at 20:03 -0430, Robert Mar...... > You should be able to change the default umask for users so that groups > do not get permissions ...Yes i know about the umask option, but if you are trying to deploy not only servers but Linux workstations, that must be done on each one of them, leaving the possibility of a security hole if you miss one of them. and things can be worse if you do not have control of all the servers (in my case i have servers from another company that I will only request them to be added to the IPA realm) > > The default umask can be changed in /etc/bashrc on Fedora and similar > files on other distrib...So, Freeipa create a (little) insecure environment by default. I understand that things must be made easy for the users but remember that making things easier can compromise security too. I think it is possible to make the GUI create the primary group on another part of the LDAP tree (like i do with samba machine posix accounts because I was worried like you are with the machine$ accounts cluttering the Web UI), I only needed to change the ldap configuration to get users from the common parent nss_base_passwd cn=accounts,dc=example,dc=com,dc=ve?sub this way the UI will not be cluttered with the primary groups > Managing user/groups makes it more complex to create delete and rename > existing users, as the r...Well the simple adduser/removeuser script are able to do that (no rename), so I think it is feasible to replicate that on an LDAP environment What people think about this option? this is something that I will hopefully try to get sometime to help with, and could be the excuse to learn a little of python web development (I have no knowledge of TurboGears :-P) > > In case you find the you nonetheless want to create a group for each > user you can use CLI to...That is the temporary solution that I will propose here, but I am sad because it will not be very welcome, because we lose the integrated GUI (the primary reason we opted for freeipa) > > Simo. > _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat....</blockquote>