On 02/15/2013 05:50 PM, Simo Sorce wrote:
> On Fri, 2013-02-15 at 17:35 -0500, Dmitri Pal wrote:
>> On 02/15/2013 05:15 PM, KodaK wrote:
>>> I suspect the answer to this is "no," but I'm asking anyway:
>>> Let's say I have an IPA user named "bob."  When bob was created, IPA
>>> created a matching GID for him.  Is it possible, through IPA, to add
>>> another user to that GID?
>>> If not, and I add another user to that GID by directly manipulating
>>> LDAP, will that break anything in IPA?
>>> I know the "correct" way is to make a new group.
>> I think you should be able to.
> You may be able to but you -should not-.
>> There was/is way to display UPGs in the
>> UI so it should be managble as yet another group with some special
>> warnings. At least this is how it was speced. I do not know how it is
>> actually implemented.
> No, the UPG are not special just because of display reasons.

This is not what I said or meant.
UPGs are not by default shown in the UI.
They are filtered out.
There is a way (at least how it was specd)  to show them and perform
operations on them.
There is a supposed to be a check box on the list of the groups screen
that controls it (I do not have the IPA instance to confirm).
I also do not remember what operations are allowed against such group.
It might very well be that the only operation allowed is to decouple UPG
from the user. Now that I think of it this might be the case. This is an
irreversible operation.
Then you can add another user into that group but definitely Simo is
correct about the security implications, however based on the way you
worded the question it seems that your are aware of them.
> The UPG are private to the user because on most *nix the default mask is
> allows access by the primary group. This means having other users part
> of the primary group of a user means all this user files are readable by
> the other users by default.
> So the way we generate UPGs is that we do not add the groupOFmembers
> objectclass which prevents you from adding the member attribute,
> preventing additional users to be made part of this group.
> Now, you can convert a UPG group into a normal group manually via LDAP
> operations, or you can also simply delete the UPG and then recreate a
> new group with the same gid number.

There should be a CLI command for that AFAIR.

> Just make sure you are comfortable with the security consequences for
> the original user when doing so.
> Simo.

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

Looking to carve out IT costs?

Freeipa-users mailing list

Reply via email to