On 09/03/2014 10:45 AM, Petr Viktorin wrote:
On 09/03/2014 10:17 AM, Martin Kosek wrote:
Exposing the same data anonymously over compat tree when it is available
only for authenticated users over primary tree isn't secure.
If you check
you would see that we only allow attributes we already expose to
in the basic permission. So it is not that bad.
For users, yes. I assume we want the others to be authenticated only?
But maybe we should add a new internal "link" between standard and
permissions and issue a warning when visibility of one is changed...
Regarding missing compat permissions, I would personally add these:
System: Read User Compat Tree
System: Read Group Compat Tree
System: Read Host Compat Tree
System: Read Netgroup Compat Tree
Also, what about sudoers?
Freeipa-devel mailing list