On Thu, 2013-11-21 at 15:54 -0500, Dmitri Pal wrote:
> On 11/21/2013 01:34 PM, Nathaniel McCallum wrote:
> >> The password can be retrieved with radiusproxy-show --all, because it is 
> >> > not blocked by LDAP ACIs. Is that intended?
> > Yes. But I'm torn as to whether or not this is a good idea. Regular
> > users can't see radius proxy servers at all. Admins can see all
> > attributes.
> >
> > It is common in radius server deployments to have a text file readable
> > by root with the radius secret. The current LDAP policy replicates this
> > "expected" behavior. It may be wise to block all reads of the secret
> > though. I'm open to suggestions.
> >
> If it is readable by admin only I would leave it as is for now and
> address later when we redo ACIs.

Is this specific to the one and only admin account or does it extend to
any user in the admins group?

Looking at the current master it seems *any* user except anonymous can
read secrets? Or is there a patch I am missing?
I think this is too broad.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
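The thread above discusses whether the RADIUS proxy secret should be readable through LDAP at all. The following LDIF is an added example, not a patch from the thread or code from the FreeIPA project, of what "block all reads of the secret" would look like as a 389 Directory Server ACI. It assumes the secret lives in the attribute `ipatokenRadiusSecret` under the container `cn=radiusproxy,cn=etc,dc=example,dc=com`; both names are assumptions for illustration, so check them against the schema and tree of the deployment before applying anything.

```ldif
# Added example (not from the thread): deny every bind, authenticated or not,
# read/search/compare on the RADIUS secret attribute. In 389-DS an explicit
# deny wins over any allow, so this also overrides the broad "admins can read
# all attributes" ACI discussed above. Directory Manager bypasses ACIs and
# can still read it; the server-side plugin that consumes the secret runs
# with that privilege.
# Assumed attribute name and container DN: ipatokenRadiusSecret,
# cn=radiusproxy,cn=etc,dc=example,dc=com
dn: cn=radiusproxy,cn=etc,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "ipatokenRadiusSecret")(version 3.0; acl "Deny read of RADIUS proxy secret"; deny (read, search, compare) userdn = "ldap:///anyone";)
```

To confirm the policy does what Simo asks for, bind as an ordinary user and as a member of the admins group and run `ldapsearch -b cn=radiusproxy,cn=etc,dc=example,dc=com '(objectClass=*)' ipatokenRadiusSecret`: the entries should still be returned to whoever may see them, but the secret attribute should be absent from every result, and `ipa radiusproxy-show --all` should no longer print it for either bind.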
