On Wed, 2011-06-08 at 15:29 -0400, Dmitri Pal wrote:
> On 06/08/2011 03:15 PM, JR Aquino wrote: 
> > > > > 1) Leave as is and not bother at all (i.e. it is what it is)
> > > > > 2) Leave as is and defer the solution till later (do not fix it in
> > > > > 2.1, defer to 2.2)
> > > > > 3) Leave as is but document how to do it using permissions & ACIs
> > > > > 4) Provide default ACIs that would hide the records for the broad
> > > > > user population
> > > > >
> > > > > Looking for an opinion here.
> > > > 
> > > > I am for (2)
> > > > 
> > > > Simo.
> > > > 
> > I am also for (2)
> > 
> > This logic becomes quite tricky however, because controlling this via ACI's 
> > would have to be cognizant of the authenticated user to be able to make the 
> > decision to show them only their /OWN/ authorization/access rights...
> I am not sure if the user really needs to see these things at all. The
> SUDO and HBAC rules should be seen by SSSD or the LDAP client on the
> host (until SUDO is SSSD integrated) the user does not need to see or
> fetch the rules for himself. I do not think that any system exposes
> its access control rules in a way that user can inspect and see in
> advance what he can do and what he can't. 

Every file system does that.
ls -al shows you standard posix permissions and getfacl gets you the
whole acl.

So if we consider SUDO rules like access control rules I do not see a
big issue in showing them to all authenticated users.

I am ok to allow people to toggle a switch that allows sudo rules to be
viewed only by a subset of users (namely admins and computers), but that
should be an option, as there may be legitimate reason for wanting the
rules accessible to any authenticated entity.

That said I think we want to carefully plan for this and not rush it in
2.1 so I am for deferring. Worst case admins can always add their own
ACIs to further restrict access to sudo/hbac rules for now.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
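Added example (not from the thread or from the FreeIPA project): the kind of ACI Simo refers to, which an admin could add today to make native sudo rules readable only by members of the admins group and by enrolled hosts (the entities SSSD binds as). It assumes the suffix dc=example,dc=com and the FreeIPA 2.x container DNs cn=sudorules,cn=sudo, cn=admins,cn=groups,cn=accounts and fqdn=*,cn=computers,cn=accounts under that suffix; adjust them to the real DIT before use.

```ldif
# Added example ACI, not part of FreeIPA's defaults.
# Assumed suffix: dc=example,dc=com. Apply as an admin with:
#   ldapmodify -Y GSSAPI -f hide-sudo-rules.ldif
# 389-DS evaluates deny before allow, so this overrides the broad
# "allow anonymous/authenticated read" ACI higher up the tree.
dn: cn=sudo,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(target = "ldap:///cn=sudorules,cn=sudo,dc=example,dc=com")(version 3.0; acl "Hide sudo rules from ordinary users"; deny (read, search, compare) (groupdn != "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com") and (userdn != "ldap:///fqdn=*,cn=computers,cn=accounts,dc=example,dc=com");)
```

To check the effect, run `ldapsearch -Y GSSAPI -b cn=sudorules,cn=sudo,dc=example,dc=com` once with an ordinary user's ticket (expect no entries) and once with a host keytab or an admin ticket (expect the rules). Two caveats: cn=Directory Manager bypasses ACIs entirely, and if clients read sudo rules through a compat tree rather than the native container, that tree needs its own ACI; this example covers only cn=sudorules.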

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
