On 09/09/2013 04:44 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
There needs to be some mechanism for us to force-replace existing ACIs
in the case of a security issue.
Under my proposal, we can just remove the offending attribute from the
default list, and trust that the admin didn't for some reason explicitly
(This would differ from a normal update in that it would actively remove
the attribute instead of ignoring pre-existing entries.)
If that's not enough, then this affects *all* ACI, not just ones added
by IPA by default. We'd need to have an update plugin that crawls
through all existing permissions (or even all ACIs) and fixes them.
Freeipa-devel mailing list
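A sketch of the per-ACI fix-up such an update plugin would need, as an added example that is not FreeIPA code and not part of the original thread. It assumes the 389 Directory Server `targetattr` syntax; the function name `strip_attr`, its status strings and the sample ACIs are hypothetical and constructed for illustration.

```python
import re

# Matches the targetattr clause of an ACI, e.g.
# (targetattr = "cn || sn") or (targetattr != "userPassword")
TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.I)

def strip_attr(aci, bad):
    """Return (new_aci, status) so that `aci` no longer covers `bad`.

    status is 'unchanged', 'fixed', 'drop' (no attributes left, so the
    ACI should be deleted) or 'manual' (not handled here: no targetattr
    clause, or a "*" wildcard that cannot be fixed by removing one name).
    """
    m = TARGETATTR.search(aci)
    if m is None:
        return aci, "manual"
    op, raw = m.group(1), m.group(2)
    attrs = [a.strip() for a in raw.split("||") if a.strip()]
    present = any(a.lower() == bad.lower() for a in attrs)  # names are case-insensitive
    if op == "!=":
        # Exclusion list: every attribute NOT listed is covered, so the
        # offending attribute has to be added to the list, not removed.
        if present:
            return aci, "unchanged"
        attrs.append(bad)
    else:
        if "*" in attrs:
            return aci, "manual"
        if not present:
            return aci, "unchanged"
        attrs = [a for a in attrs if a.lower() != bad.lower()]
        if not attrs:
            return aci, "drop"
    clause = '(targetattr %s "%s")' % (op, " || ".join(attrs))
    return aci[:m.start()] + clause + aci[m.end():], "fixed"

# Constructed sample ACIs (not taken from any real deployment).
RULE = '(version 3.0; acl "permission:Example"; allow (read) userdn = "ldap:///all";)'
SAMPLES = [
    '(targetattr = "cn || userPassword || sn")' + RULE,
    '(targetattr != "cn")' + RULE,
    '(targetattr = "*")' + RULE,
    '(targetattr = "userPassword")' + RULE,
]

if __name__ == "__main__":
    for aci in SAMPLES:
        print(strip_attr(aci, "userPassword"))
```

The `!=` and `*` branches are why a crawl over all ACIs cannot simply delete the attribute name wherever it appears.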