URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
I would personally go with:
* Change session handling: 5959
* Generate tmpfiles config at install time: 5959
* Drop use of kinit_as_http from trust code: 5959
* Use Anonymous user to obtain FAST armor ccache: 5959
* Configure HTTPD to work via Gss-Proxy: 4189, 5959
* Separate RA cert store from the HTTP cert store: 5959
* Simplify NSSDatabase password file handling: 5959
* Always use /etc/ipa/ca.crt as CA cert file: 5959
* Add a new user to run the framework code: 5959
* Rationalize creation of RA and HTTPD NSS databases: 5959
* Fix uninstall stopping ipa.service: 5959
* Allow rpc callers to pass ccache and service names: 6543
* Explicitly pass down ccache names for connections: 6543
* Insure removal of session on identity change: 6543

See the full comment at 
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to