On 2/18/11 5:49 AM, "Simo Sorce" <sso...@redhat.com> wrote:

>On Fri, 18 Feb 2011 13:18:36 +0000
>JR Aquino <jr.aqu...@citrix.com> wrote:
>
>> I'm afraid not Simo.
>> As you recall. Both /etc/sudoers and the 2 Sudo containers in FreeIPA
>> are protected.  There is a deliberate default aci which prevents
>> anonymous users from enumerating everyone's Sudo information.
>> 
>> This means it is necessary for Sudo to initiate some form of
>> authenticated bind.
>> 
>> And as we discovered, the SUDO SASL implementation is suboptimal in
>> that it seems to want a cronjob to sit around kinit'ing
>> the /etc/krb5.keytab in order to use its ccache.
>
>Ouch, I forgot about the ACIs ... I guess we should document how to
>remove them as an alternative too ?
>
>Simo.

There is indeed a ticket to create a 2.1 feature for opening the ACI.

Documentation for opening the default ACI will be written in red for those
who wish to ignore best security practices...

By default, the ACIs were set to prohibit anonymous access.

On a standalone system /etc/sudoers is set to root:root with 440.

Sudo information is critically sensitive security information that should
be treated at a similar level to passwords in terms of protections.

A binduser is instead suggested as a means to accommodate sudo, and it is
written into the beginnings of the documentation.


_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
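
As an added illustration of the bind-user approach the post recommends (this is example code written for this page, not code from the thread or from FreeIPA; the server name, suffix, bind DN and sudoers base are assumed placeholders), here is the sudoers.ldap(5) client configuration a host would carry, generated and then locked down like /etc/sudoers (0440) because it now holds the bind password:

```shell
#!/bin/sh
# Added example, not from the original post: write a sudoers.ldap(5) client
# config that authenticates with a dedicated bind user instead of relying on
# anonymous access (which the default IPA ACIs deny), then restrict the file
# the way /etc/sudoers is restricted, since it carries a password.
# Assumptions (placeholders, not from the thread): server ipa.example.com,
# suffix dc=example,dc=com, bind user uid=sudo,cn=sysaccounts,cn=etc,<suffix>,
# sudoers_base ou=sudoers,<suffix>. Pair it with "sudoers: files ldap" in
# /etc/nsswitch.conf.
set -eu

IPA_URI="ldap://ipa.example.com"
BASE_DN="dc=example,dc=com"
BIND_DN="uid=sudo,cn=sysaccounts,cn=etc,${BASE_DN}"

# write_sudo_ldap_conf FILE PASSWORD: emit the client config with a restrictive
# umask so the password is never briefly world-readable, then set mode 0440.
write_sudo_ldap_conf() {
    conf="$1"; bindpw="$2"
    umask 077
    cat > "$conf" <<EOF
# sudoers.ldap(5) client configuration (example values; adjust to your realm)
uri ${IPA_URI}
sudoers_base ou=sudoers,${BASE_DN}
# Authenticated simple bind: the IPA ACIs deny anonymous reads of sudo rules.
binddn ${BIND_DN}
bindpw ${bindpw}
# Protect the bind password and the rules in transit.
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
bind_timelimit 5
timelimit 15
EOF
    chmod 0440 "$conf"
}

# file_mode FILE: print the octal permission bits (GNU stat, BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_sudo_ldap_conf FILE: succeed only if the file is exactly mode 0440,
# mirroring the root:root 440 rule the post cites for /etc/sudoers.
check_sudo_ldap_conf() {
    mode=$(file_mode "$1")
    [ "$mode" = "440" ]
}

# Usage: write to a scratch path rather than /etc so this runs unprivileged.
TMP="${TMPDIR:-/tmp}/sudo-ldap.conf.$$"
write_sudo_ldap_conf "$TMP" "correct-horse-battery-staple"   # constructed password
check_sudo_ldap_conf "$TMP" && echo "ok: $TMP is mode 0440"
rm -f "$TMP"
```

Ownership (root:root) cannot be asserted from an unprivileged run, so the check above covers only the mode; install the real file as root and verify ownership as well.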