1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE> [Mageia-sysadm] Usernames, uids, and groups
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Usernames%2C%20uids%2C%20and%20groups&In-Reply-To=%3C201011101010.18578.bgmilne%40multilinks.com%3E">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="000495.html">
<LINK REL="Next" HREF="000479.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[Mageia-sysadm] Usernames, uids, and groups</H1>
<B>Buchan Milne</B>
<A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Usernames%2C%20uids%2C%20and%20groups&In-Reply-To=%3C201011101010.18578.bgmilne%40multilinks.com%3E"
TITLE="[Mageia-sysadm] Usernames, uids, and groups">bgmilne at multilinks.com
</A><BR>
<I>Wed Nov 10 10:10:18 CET 2010</I>
<P><UL>
<LI>Previous message: <A HREF="000495.html">[Mageia-sysadm] Usernames, uids, and groups
</A></li>
<LI>Next message: <A HREF="000479.html">[Mageia-sysadm] Usernames, uids, and groups
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#465">[ date ]</a>
<a href="thread.html#465">[ thread ]</a>
<a href="subject.html#465">[ subject ]</a>
<a href="author.html#465">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>On Wednesday, 10 November 2010 01:01:21 nicolas vigier wrote:
><i> On Tue, 09 Nov 2010, Buchan Milne wrote:
</I>><i> > On Monday, 8 November 2010 17:29:24 nicolas vigier wrote:
</I>
><i> > > On some machines like the svn server, we need to use pam_ldap to allow
</I>><i> > > users access with their ldap accounts. But on others servers like
</I>><i> > > alamut (web services), or the build nodes, normal users have no reason
</I>><i> > > to login.
</I>><i> >
</I>><i> > But, sysadm members have a reason, and I see no reason to increase their
</I>><i> > overhead with local accounts.
</I>><i>
</I>><i> Maybe not on alamut, but on build nodes, I don't think user accounts for
</I>><i> sysadmins will be very useful. The only reason to login to those nodes
</I>><i> will be to check/fix iurt problems, which requires root permissions.
</I>
Root privileges, and how a user logs in, are different things.
IMHO, the only time a sysadmin should log in directly as root is to fix a
problem that is preventing authentication from working (e.g. problem booting,
bringing network up, fixing name resolution etc. etc.).
><i> > > On those servers, do you think we should restrict access with
</I>><i> > > ssh configuration and a group, or disable pam_ldap completly on those
</I>><i> > > servers and only use local accounts ?
</I>><i> >
</I>><i> > I was planning for pam_ldap's pam_groupdn option. E.g. a 'sysadm' group.
</I>><i> >
</I>><i> > > We also need to decide what UID ranges we use for local accounts, and
</I>><i> > > for ldap accounts.
</I>><i> > >
</I>><i> > > And groups. I think we could use the following groups :
</I>><i> > > * posix : promotes the user as posixAccount+sshPublicKey (in ldap),
</I>><i> > > and
</I>><i> > >
</I>><i> > > allows access to the svn and git using svn+<A HREF="ssh://">ssh://</A> and git+<A HREF="ssh://">ssh://</A>
</I>><i> >
</I>><i> > I think it would be better to try and provide VCS commit access without
</I>><i> > shell access. This is easy enough for subversion with mod_dav_svn.
</I>><i>
</I>><i> Is there the same for git ?
</I>
Not really. AFAIU, the model for git is that there should be no such thing as
authorization ...
><i> But we already need need (restricted) shell access for mdvsys submit.
</I>
Why? In the original repsys model, a request to "build pkg foo rXXXX for
release Y" was all that was required. While I agree it may be quicker to go
with mdvsys/iurt etc. now, why should submission require shell access? AFAIK,
other similar tools (koji, OBS) don't.
><i> > > * packager : allows commits in packages repository, package submit
</I>><i> > > using
</I>><i> > >
</I>><i> > > mdvsys,
</I>><i> >
</I>><i> > How are we submitting to mdvsys? Command-line? API?
</I>><i>
</I>><i> With mdvsys, and a restricted shell on valstar allowing access to only
</I>><i> /usr/share/repsys/create-srpm, svn and git commands.
</I>><i>
</I>><i> > > additional permissions on bugzilla,
</I>><i> >
</I>><i> > What permissions do packagers need that non-packager committer don't?
</I>><i>
</I>><i> Maybe none, I'm not sure.
</I>><i>
</I>><i> > > access to the packages
</I>><i> > > maintainers database, etc ...
</I>><i> > >
</I>><i> > > * web : for members of web team, allows commits in web repository
</I>><i> > > * documentation, translator, qa, marketing, etc ... :
</I>><i> > > * packagerapprentice, webapprentice, etc ... : for apprentices, with
</I>><i> > >
</I>><i> > > more restricted access
</I>><i> >
</I>><i> > This is svn commit but no mdvsys access?
</I>><i>
</I>><i> Yes.
</I>><i>
</I>><i> > > * sysadm : gives admin permissions on all applications
</I>><i> >
</I>><i> > There is 'Account Admin' "system" group in LDAP, which allows any
</I>><i> > modification to any users. But, should system administration necessarily
</I>><i> > mean all access in all applications?
</I>><i>
</I>><i> I think yes, at least for applications managed by sysadmin team.
</I>
From a security/governance perspective, this would normally not be a good
idea, as powers should be separated ...
Regards,
Buchan
</PRE>
<!--endarticle-->
<HR>
<P><UL>
<!--threads-->
<LI>Previous message: <A HREF="000495.html">[Mageia-sysadm] Usernames, uids, and groups
</A></li>
<LI>Next message: <A HREF="000479.html">[Mageia-sysadm] Usernames, uids, and groups
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#465">[ date ]</a>
<a href="thread.html#465">[ thread ]</a>
<a href="subject.html#465">[ subject ]</a>
<a href="author.html#465">[ author ]</a>
</LI>
</UL>
<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm
mailing list</a><br>
</body></html>
|
