diff options
Diffstat (limited to 'zarb-ml/mageia-sysadm/2010-November/000465.html')
-rw-r--r-- | zarb-ml/mageia-sysadm/2010-November/000465.html | 165 |
1 files changed, 165 insertions, 0 deletions
diff --git a/zarb-ml/mageia-sysadm/2010-November/000465.html b/zarb-ml/mageia-sysadm/2010-November/000465.html new file mode 100644 index 000000000..dd02892d1 --- /dev/null +++ b/zarb-ml/mageia-sysadm/2010-November/000465.html @@ -0,0 +1,165 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-sysadm] Usernames, uids, and groups + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Usernames%2C%20uids%2C%20and%20groups&In-Reply-To=%3C201011101010.18578.bgmilne%40multilinks.com%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="000495.html"> + <LINK REL="Next" HREF="000479.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-sysadm] Usernames, uids, and groups</H1> + <B>Buchan Milne</B> + <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Usernames%2C%20uids%2C%20and%20groups&In-Reply-To=%3C201011101010.18578.bgmilne%40multilinks.com%3E" + TITLE="[Mageia-sysadm] Usernames, uids, and groups">bgmilne at multilinks.com + </A><BR> + <I>Wed Nov 10 10:10:18 CET 2010</I> + <P><UL> + <LI>Previous message: <A HREF="000495.html">[Mageia-sysadm] Usernames, uids, and groups +</A></li> + <LI>Next message: <A HREF="000479.html">[Mageia-sysadm] Usernames, uids, and groups +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#465">[ date ]</a> + <a href="thread.html#465">[ thread ]</a> + <a href="subject.html#465">[ subject ]</a> + <a href="author.html#465">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>On Wednesday, 10 November 2010 01:01:21 nicolas vigier wrote: +><i> On Tue, 09 Nov 2010, Buchan Milne wrote: +</I>><i> > On Monday, 8 November 2010 17:29:24 nicolas vigier wrote: +</I> +><i> > > On some machines like the svn server, we need to use pam_ldap to allow +</I>><i> > > users access with their ldap accounts. But on others servers like +</I>><i> > > alamut (web services), or the build nodes, normal users have no reason +</I>><i> > > to login. +</I>><i> > +</I>><i> > But, sysadm members have a reason, and I see no reason to increase their +</I>><i> > overhead with local accounts. +</I>><i> +</I>><i> Maybe not on alamut, but on build nodes, I don't think user accounts for +</I>><i> sysadmins will be very useful. The only reason to login to those nodes +</I>><i> will be to check/fix iurt problems, which requires root permissions. +</I> +Root privileges, and how a user logs in, are different things. + +IMHO, the only time a sysadmin should log in directly as root is to fix a +problem that is preventing authentication from working (e.g. problem booting, +bringing network up, fixing name resolution etc. etc.). + +><i> > > On those servers, do you think we should restrict access with +</I>><i> > > ssh configuration and a group, or disable pam_ldap completly on those +</I>><i> > > servers and only use local accounts ? +</I>><i> > +</I>><i> > I was planning for pam_ldap's pam_groupdn option. E.g. a 'sysadm' group. +</I>><i> > +</I>><i> > > We also need to decide what UID ranges we use for local accounts, and +</I>><i> > > for ldap accounts. +</I>><i> > > +</I>><i> > > And groups. I think we could use the following groups : +</I>><i> > > * posix : promotes the user as posixAccount+sshPublicKey (in ldap), +</I>><i> > > and +</I>><i> > > +</I>><i> > > allows access to the svn and git using svn+<A HREF="ssh://">ssh://</A> and git+<A HREF="ssh://">ssh://</A> +</I>><i> > +</I>><i> > I think it would be better to try and provide VCS commit access without +</I>><i> > shell access. This is easy enough for subversion with mod_dav_svn. +</I>><i> +</I>><i> Is there the same for git ? +</I> +Not really. AFAIU, the model for git is that there should be no such thing as +authorization ... + +><i> But we already need need (restricted) shell access for mdvsys submit. +</I> +Why? In the original repsys model, a request to "build pkg foo rXXXX for +release Y" was all that was required. While I agree it may be quicker to go +with mdvsys/iurt etc. now, why should submission require shell access? AFAIK, +other similar tools (koji, OBS) don't. + +><i> > > * packager : allows commits in packages repository, package submit +</I>><i> > > using +</I>><i> > > +</I>><i> > > mdvsys, +</I>><i> > +</I>><i> > How are we submitting to mdvsys? Command-line? API? +</I>><i> +</I>><i> With mdvsys, and a restricted shell on valstar allowing access to only +</I>><i> /usr/share/repsys/create-srpm, svn and git commands. +</I>><i> +</I>><i> > > additional permissions on bugzilla, +</I>><i> > +</I>><i> > What permissions do packagers need that non-packager committer don't? +</I>><i> +</I>><i> Maybe none, I'm not sure. +</I>><i> +</I>><i> > > access to the packages +</I>><i> > > maintainers database, etc ... +</I>><i> > > +</I>><i> > > * web : for members of web team, allows commits in web repository +</I>><i> > > * documentation, translator, qa, marketing, etc ... : +</I>><i> > > * packagerapprentice, webapprentice, etc ... : for apprentices, with +</I>><i> > > +</I>><i> > > more restricted access +</I>><i> > +</I>><i> > This is svn commit but no mdvsys access? +</I>><i> +</I>><i> Yes. +</I>><i> +</I>><i> > > * sysadm : gives admin permissions on all applications +</I>><i> > +</I>><i> > There is 'Account Admin' "system" group in LDAP, which allows any +</I>><i> > modification to any users. But, should system administration necessarily +</I>><i> > mean all access in all applications? +</I>><i> +</I>><i> I think yes, at least for applications managed by sysadmin team. +</I> +From a security/governance perspective, this would normally not be a good +idea, as powers should be separated ... + +Regards, +Buchan +</PRE> + + + + + + + + + + + + + + + + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="000495.html">[Mageia-sysadm] Usernames, uids, and groups +</A></li> + <LI>Next message: <A HREF="000479.html">[Mageia-sysadm] Usernames, uids, and groups +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#465">[ date ]</a> + <a href="thread.html#465">[ thread ]</a> + <a href="subject.html#465">[ subject ]</a> + <a href="author.html#465">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm +mailing list</a><br> +</body></html> |