On 03/31/2014 03:23 PM, Rob Crittenden wrote:
> Petr Spacek wrote:
>> Hello list,
>>
>> thread "[Freeipa-devel] Read access to container entries" reminds me of an
>> idea I have had in mind for a while:
>>
>> We could check effective ACIs [1] for interesting objects (Kerberos
>> master key, trust objects etc.) and make sure that there is nothing like
>> 'read by anonymous' etc.
>>
>> Method [1] has one important limitation: It checks ACIs in a given sub-tree
>> against one specified DN.
>>
>> Realization of my idea would be better with a "reverse" approach:
>> Specify the DN of a single object as "target" and get a list of all users with
>> non-null access rights for the object in question. (This could be
>> refined with a filter for specific rights so we can get "list of DNs
>> allowed to write to this object" etc.)
>>
>> Does it make sense?
>>
>> [1]
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Viewing_the_ACIs_for_an_Entry-Get_Effective_Rights_Control.html
>
> Maybe. We've had a long-term need to run the unit tests as various other users
> to avoid delegation regressions. We really should have some subset of tests to
> do positive and negative testing of each role. We'd probably want to do these
> tests directly with the framework.
>
> Ideally this could be extended to disabling anonymous access, setting minimum
> SSF, etc. This could probably be mostly done using GER.
>
> rob
FYI - we have a ticket already open to do something like what Petr says:
https://fedorahosted.org/freeipa/ticket/4035

IMO it is a good thing to do.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
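As an added example (not code from this thread or from FreeIPA), the check Petr describes can be built on the Get Effective Rights control: ask the directory what rights a chosen identity has on the target entry, then flag any read or write right on attributes that should stay private. The live search uses python-ldap's GetEffectiveRightsControl and needs a bound connection; the parser runs offline on a constructed sample. The "dn:" authzid meaning anonymous and the krbMKey attribute name are assumptions.

```python
import re

# GER returns "aclRights;entryLevel" and "aclRights;attributeLevel;<attr>";
# each value looks like "search:1, read:1, compare:1, write:0, ...".
_RIGHT_RE = re.compile(r"(\w+):([01])")


def parse_acl_rights(entry):
    """Split a GER search entry ({attr: [str, ...]}) into entry-level and
    per-attribute right maps, e.g. {"attrs": {"krbmkey": {"read": True, ...}}}."""
    rights = {"entry": {}, "attrs": {}}
    for name, values in entry.items():
        parts = name.lower().split(";")
        if parts[0] != "aclrights" or not values:
            continue
        parsed = {k: v == "1" for k, v in _RIGHT_RE.findall(values[0])}
        if len(parts) == 2 and parts[1] == "entrylevel":
            rights["entry"] = parsed
        elif len(parts) == 3 and parts[1] == "attributelevel":
            rights["attrs"][parts[2]] = parsed
    return rights


def find_exposures(entry, sensitive_attrs, rights=("read", "write")):
    """Return (attr, right) pairs where the identity named in the GER control
    holds a right it should not have on a sensitive attribute."""
    granted = parse_acl_rights(entry)["attrs"]
    return [(attr, right) for attr in sensitive_attrs for right in rights
            if granted.get(attr.lower(), {}).get(right)]


def effective_rights(conn, target_dn, authzid):
    """Live variant (not exercised offline): base-scope search on target_dn
    with the GER control for authzid, using python-ldap. "dn:" with an empty
    DN is assumed to name the anonymous identity, as in the DS documentation."""
    import ldap
    from ldap.controls.simple import GetEffectiveRightsControl
    ctrl = GetEffectiveRightsControl(True, authzid.encode())
    res = conn.search_ext_s(target_dn, ldap.SCOPE_BASE, "(objectClass=*)",
                            ["*", "aclRights"], serverctrls=[ctrl])
    return {k: [v.decode() for v in vals] for k, vals in res[0][1].items()}


# Constructed sample: what an anonymous GER query against the Kerberos master
# key entry might return if an ACI wrongly granted anonymous read (krbMKey assumed).
SAMPLE_ANON_ENTRY = {
    "aclRights;entryLevel": ["add:0, delete:0, read:1, write:0, proxy:0"],
    "aclRights;attributeLevel;krbMKey": ["search:1, read:1, compare:1, write:0, "
                                         "selfwrite_add:0, selfwrite_delete:0, proxy:0"],
    "aclRights;attributeLevel;cn": ["search:1, read:1, compare:1, write:0, "
                                    "selfwrite_add:0, selfwrite_delete:0, proxy:0"],
}
```

Running `find_exposures(SAMPLE_ANON_ENTRY, ["krbMKey"])` on the sample reports the anonymous read on krbMKey; Petr's "reverse" listing is obtained by calling `effective_rights` once per candidate identity and collecting those with non-empty exposures.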