diff options
Diffstat (limited to 'zarb-ml/mageia-sysadm/2010-November/000425.html')
| -rw-r--r-- | zarb-ml/mageia-sysadm/2010-November/000425.html | 144 |
1 files changed, 144 insertions, 0 deletions
diff --git a/zarb-ml/mageia-sysadm/2010-November/000425.html b/zarb-ml/mageia-sysadm/2010-November/000425.html new file mode 100644 index 000000000..c9b3efb3d --- /dev/null +++ b/zarb-ml/mageia-sysadm/2010-November/000425.html @@ -0,0 +1,144 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-sysadm] Usernames, uids, and groups + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Usernames%2C%20uids%2C%20and%20groups&In-Reply-To=%3C20101110000121.GR21938%40mars-attacks.org%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="000407.html"> + <LINK REL="Next" HREF="000433.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-sysadm] Usernames, uids, and groups</H1> + <B>nicolas vigier</B> + <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Usernames%2C%20uids%2C%20and%20groups&In-Reply-To=%3C20101110000121.GR21938%40mars-attacks.org%3E" + TITLE="[Mageia-sysadm] Usernames, uids, and groups">boklm at mars-attacks.org + </A><BR> + <I>Wed Nov 10 01:01:21 CET 2010</I> + <P><UL> + <LI>Previous message: <A HREF="000407.html">[Mageia-sysadm] Usernames, uids, and groups +</A></li> + <LI>Next message: <A HREF="000433.html">[Mageia-sysadm] Usernames, uids, and groups +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#425">[ date ]</a> + <a href="thread.html#425">[ thread ]</a> + <a href="subject.html#425">[ subject ]</a> + <a href="author.html#425">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>On Tue, 09 Nov 2010, Buchan Milne wrote: + +><i> On Monday, 8 November 2010 17:29:24 nicolas vigier wrote: +</I>><i> > Hello, +</I>><i> +</I>><i> Why a new thread? +</I> +I only received your email after creating this thread. + +><i> +</I>><i> > On some machines like the svn server, we need to use pam_ldap to allow +</I>><i> > users access with their ldap accounts. But on others servers like +</I>><i> > alamut (web services), or the build nodes, normal users have no reason +</I>><i> > to login. +</I>><i> +</I>><i> But, sysadm members have a reason, and I see no reason to increase their +</I>><i> overhead with local accounts. +</I> +Maybe not on alamut, but on build nodes, I don't think user accounts for +sysadmins will be very useful. The only reason to login to those nodes +will be to check/fix iurt problems, which requires root permissions. + +><i> > On those servers, do you think we should restrict access with +</I>><i> > ssh configuration and a group, or disable pam_ldap completly on those +</I>><i> > servers and only use local accounts ? +</I>><i> +</I>><i> I was planning for pam_ldap's pam_groupdn option. E.g. a 'sysadm' group. +</I>><i> +</I>><i> > We also need to decide what UID ranges we use for local accounts, and for +</I>><i> > ldap accounts. +</I>><i> > +</I>><i> > And groups. I think we could use the following groups : +</I>><i> > * posix : promotes the user as posixAccount+sshPublicKey (in ldap), and +</I>><i> > allows access to the svn and git using svn+<A HREF="ssh://">ssh://</A> and git+<A HREF="ssh://">ssh://</A> +</I>><i> +</I>><i> I think it would be better to try and provide VCS commit access without shell +</I>><i> access. This is easy enough for subversion with mod_dav_svn. +</I> +Is there the same for git ? +But we already need need (restricted) shell access for mdvsys submit. + +><i> +</I>><i> > * packager : allows commits in packages repository, package submit using +</I>><i> > mdvsys, +</I>><i> +</I>><i> How are we submitting to mdvsys? Command-line? API? +</I> +With mdvsys, and a restricted shell on valstar allowing access to only +/usr/share/repsys/create-srpm, svn and git commands. + +><i> +</I>><i> > additional permissions on bugzilla, +</I>><i> +</I>><i> What permissions do packagers need that non-packager committer don't? +</I> +Maybe none, I'm not sure. + +><i> > access to the packages +</I>><i> > maintainers database, etc ... +</I>><i> +</I>><i> +</I>><i> > * web : for members of web team, allows commits in web repository +</I>><i> > * documentation, translator, qa, marketing, etc ... : +</I>><i> > * packagerapprentice, webapprentice, etc ... : for apprentices, with +</I>><i> > more restricted access +</I>><i> +</I>><i> This is svn commit but no mdvsys access? +</I> +Yes. + +><i> +</I>><i> > * sysadm : gives admin permissions on all applications +</I>><i> +</I>><i> There is 'Account Admin' "system" group in LDAP, which allows any modification +</I>><i> to any users. But, should system administration necessarily mean all access in +</I>><i> all applications? +</I> +I think yes, at least for applications managed by sysadmin team. + +Nicolas + +</PRE> + + + + + + + + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="000407.html">[Mageia-sysadm] Usernames, uids, and groups +</A></li> + <LI>Next message: <A HREF="000433.html">[Mageia-sysadm] Usernames, uids, and groups +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#425">[ date ]</a> + <a href="thread.html#425">[ thread ]</a> + <a href="subject.html#425">[ subject ]</a> + <a href="author.html#425">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm +mailing list</a><br> +</body></html> |