On 09/09/2013 04:44 PM, Rob Crittenden wrote:
> Petr Viktorin wrote:
>
> There needs to be some mechanism for us for force-replace existing ACIs
> in the case of a security issue.

Under my proposal, we can just remove the offending attribute from the default list, and trust that the admin didn't for some reason explicitly add it. (This would differ from a normal update in that it would actively remove the attribute instead of ignoring pre-existing entries.)

If that's not enough, then this affects *all* ACI, not just ones added by IPA by default. We'd need to have an update plugin that crawls through all existing permissions (or even all ACIs) and fixes them.
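The kind of crawl described above, as an added illustration that is not part of this thread and not FreeIPA's own update plugin: a Python function that takes an ACI in 389-DS syntax and removes one offending attribute from it, plus a planner that walks a set of entries and reports what would change. The entries, DNs and ACI strings are constructed for the example; a real plugin would read the `aci` values over LDAP and write the results back with a modify. The point it shows is that a plain "remove the attribute" rewrite is not always the right fix: an ACI with a `targetattr !=` exclusion list needs the attribute *added*, an ACI whose list would become empty should be deleted rather than left without an attribute target, and a wildcard or missing `targetattr` cannot be narrowed by text editing and is flagged for review.

```python
import re

# Constructed sample entries (DN -> list of aci values) in 389-DS ACI syntax.
# These are made-up examples, not ACIs from the thread or from IPA.
SAMPLE_ENTRIES = {
    "cn=users,cn=accounts,dc=example,dc=com": [
        '(targetattr = "cn || uid || userPassword")'
        '(version 3.0; acl "permission:Read users"; '
        'allow (read, search, compare) groupdn = "ldap:///cn=readers,dc=example,dc=com";)',
        '(targetattr != "krbPrincipalKey || userPassword")'
        '(version 3.0; acl "permission:Read all but secrets"; '
        'allow (read) userdn = "ldap:///all";)',
        '(targetattr = "userPassword")'
        '(version 3.0; acl "permission:Read passwords"; '
        'allow (read) groupdn = "ldap:///cn=pwreaders,dc=example,dc=com";)',
        '(targetattr = "*")'
        '(version 3.0; acl "permission:Admin all"; '
        'allow (all) groupdn = "ldap:///cn=admins,dc=example,dc=com";)',
    ],
}

# Matches the targetattr clause: operator ("=" or "!=") and the quoted attribute list.
TARGETATTR_RE = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.IGNORECASE)


def strip_attr_from_aci(aci, attr):
    """Remove access to `attr` from one ACI string.

    Returns (action, new_aci) where action is one of:
      keep    - the ACI does not grant access to attr; nothing to do
      rewrite - new_aci is the corrected ACI text
      delete  - the ACI's attribute list would become empty; remove the ACI
      review  - no explicit attribute list (missing clause or "*"); needs a human
    """
    m = TARGETATTR_RE.search(aci)
    if m is None:
        # No targetattr clause: the ACI does not name attributes, so a text
        # rewrite cannot narrow it. Flag it instead of guessing.
        return "review", aci
    op, raw = m.group(1), m.group(2)
    attrs = [a.strip() for a in raw.split("||") if a.strip()]
    if any(a == "*" for a in attrs):
        return "review", aci
    present = any(a.lower() == attr.lower() for a in attrs)
    if op == "=":
        if not present:
            return "keep", aci
        remaining = [a for a in attrs if a.lower() != attr.lower()]
        if not remaining:
            # Dropping the last attribute would leave an ACI with no attribute
            # target; delete the whole ACI rather than leave that behind.
            return "delete", None
        new_clause = '(targetattr = "%s")' % " || ".join(remaining)
    else:
        # "!=" is an exclusion list: everything *not* listed is granted, so the
        # fix is to add the offending attribute to the exclusions.
        if present:
            return "keep", aci
        new_clause = '(targetattr != "%s")' % " || ".join(attrs + [attr])
    return "rewrite", aci[:m.start()] + new_clause + aci[m.end():]


def plan_fix(entries, attr):
    """Crawl all entries and return (dn, action, old_aci, new_aci) for every
    ACI that needs attention. 'keep' results are omitted."""
    plan = []
    for dn, acis in entries.items():
        for aci in acis:
            action, new_aci = strip_attr_from_aci(aci, attr)
            if action != "keep":
                plan.append((dn, action, aci, new_aci))
    return plan


if __name__ == "__main__":
    for dn, action, old, new in plan_fix(SAMPLE_ENTRIES, "userPassword"):
        print("%-8s %s" % (action, dn))
        print("   old:", old)
        if new is not None and new != old:
            print("   new:", new)
```

Running it against the constructed entries produces one rewrite (the read permission loses `userPassword`), one delete (the password-only ACI) and one review (the `*` ACI); the exclusion-list ACI is left alone because it already excludes the attribute. Attribute comparison is case-insensitive because LDAP attribute names are.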