On Do, 06.12.18 16:34, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote:

> > I wonder if we should think of a tighter system integration and subsume
> > the tasks of nss_machines into SSSD.
> > It would allow for detection and logging of UID conflicts should they
> > happen in a live system with the ability, for the admin to better
> > choose which of the pools should have priority in case of conflict ...
>
> Integration with sssd could be useful, dunno. But nss modules only report
> existing usage of uids on the system. So by the time the nss modules are
> invoked, it's already too late, in the sense that two completely unrelated
> entities are sharing the user, possibly leading to unintended privilege
> augmentation or information leakage. Nss modules are not useful to "choose"
> anything.

Yes, I agree fully. Announcing allocated users with NSS is one thing,
it's something we always should do, unconditionally. It's the only
reasonable way to announce you took possession of a range. Actually
allocating ranges is a different discussion. It's a discussion worth
having, but is unrelated to the NSS discussion I think.

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
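The thread's point is that NSS modules can only report UIDs that are already in use, so a collision between two unrelated sources (say a container-allocated user and a directory-backed account) is only detectable after the fact. The following is an added example, not code from this thread, from systemd or from SSSD: it parses passwd(5)-format records tagged with the NSS source they came from and reports every UID claimed under more than one account name, which is the "detection and logging of UID conflicts" an admin would want. All function names and the sample records are constructed for the example.

```python
"""Detect UID collisions across NSS-style passwd sources (added example)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class PasswdEntry(NamedTuple):
    source: str   # which NSS source returned the record (constructed label)
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(source: str, text: str) -> List[PasswdEntry]:
    """Parse passwd(5) lines: name:passwd:uid:gid:gecos:home:shell."""
    entries: List[PasswdEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"{source}:{lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append(PasswdEntry(source, name, int(uid), int(gid), home, shell))
    return entries


def find_uid_conflicts(entries: List[PasswdEntry]) -> Dict[int, List[PasswdEntry]]:
    """Group records by UID and keep only UIDs claimed under more than one name.

    The same account appearing in two sources under the same name (e.g. files
    and a directory both returning 'alice') is not a conflict; two different
    names sharing a UID is, because the kernel treats them as one principal.
    """
    by_uid: Dict[int, List[PasswdEntry]] = defaultdict(list)
    for entry in entries:
        by_uid[entry.uid].append(entry)
    return {uid: group for uid, group in by_uid.items()
            if len({e.name for e in group}) > 1}


def format_report(conflicts: Dict[int, List[PasswdEntry]]) -> List[str]:
    """One log line per conflicting UID, listing every claimant and its source."""
    lines = []
    for uid in sorted(conflicts):
        claims = ", ".join(f"{e.name} ({e.source})" for e in conflicts[uid])
        lines.append(f"UID {uid} claimed by: {claims}")
    return lines


# Constructed sample input: an /etc/passwd fragment plus the records two
# hypothetical NSS sources might return. The UID 61184 and the account names
# are made up for the example; 'alice' is deliberately present in two sources
# under the same name to show that this is not reported as a conflict.
FILES_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
MACHINES_PASSWD = """\
vu-demo-0:*:61184:65534:Container user:/:/usr/sbin/nologin
"""
DIRECTORY_PASSWD = """\
alice:*:1000:1000:Alice:/home/alice:/bin/bash
svc-backup:*:61184:61184:Backup service:/var/lib/backup:/usr/sbin/nologin
"""


def demo() -> Dict[int, List[PasswdEntry]]:
    """Merge the three constructed sources and return the detected conflicts."""
    entries = (parse_passwd("files", FILES_PASSWD)
               + parse_passwd("machines", MACHINES_PASSWD)
               + parse_passwd("directory", DIRECTORY_PASSWD))
    return find_uid_conflicts(entries)


if __name__ == "__main__":
    for line in format_report(demo()):
        print(line)
```

On a live system the same check can be fed with the output of `getent passwd` (which already merges all configured NSS sources) split per source, or run periodically so that a collision is at least logged when it appears rather than silently granting two unrelated entities the same identity.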