summaryrefslogtreecommitdiffstats
path: root/zarb-ml/mageia-sysadm/2010-November/000465.html
diff options
context:
space:
mode:
Diffstat (limited to 'zarb-ml/mageia-sysadm/2010-November/000465.html')
-rw-r--r--zarb-ml/mageia-sysadm/2010-November/000465.html165
1 files changed, 165 insertions, 0 deletions
diff --git a/zarb-ml/mageia-sysadm/2010-November/000465.html b/zarb-ml/mageia-sysadm/2010-November/000465.html
new file mode 100644
index 000000000..dd02892d1
--- /dev/null
+++ b/zarb-ml/mageia-sysadm/2010-November/000465.html
@@ -0,0 +1,165 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
+<HTML>
+ <HEAD>
+ <TITLE> [Mageia-sysadm] Usernames, uids, and groups
+ </TITLE>
+ <LINK REL="Index" HREF="index.html" >
+ <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Usernames%2C%20uids%2C%20and%20groups&In-Reply-To=%3C201011101010.18578.bgmilne%40multilinks.com%3E">
+ <META NAME="robots" CONTENT="index,nofollow">
+ <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
+ <LINK REL="Previous" HREF="000495.html">
+ <LINK REL="Next" HREF="000479.html">
+ </HEAD>
+ <BODY BGCOLOR="#ffffff">
+ <H1>[Mageia-sysadm] Usernames, uids, and groups</H1>
+ <B>Buchan Milne</B>
+ <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Usernames%2C%20uids%2C%20and%20groups&In-Reply-To=%3C201011101010.18578.bgmilne%40multilinks.com%3E"
+ TITLE="[Mageia-sysadm] Usernames, uids, and groups">bgmilne at multilinks.com
+ </A><BR>
+ <I>Wed Nov 10 10:10:18 CET 2010</I>
+ <P><UL>
+ <LI>Previous message: <A HREF="000495.html">[Mageia-sysadm] Usernames, uids, and groups
+</A></li>
+ <LI>Next message: <A HREF="000479.html">[Mageia-sysadm] Usernames, uids, and groups
+</A></li>
+ <LI> <B>Messages sorted by:</B>
+ <a href="date.html#465">[ date ]</a>
+ <a href="thread.html#465">[ thread ]</a>
+ <a href="subject.html#465">[ subject ]</a>
+ <a href="author.html#465">[ author ]</a>
+ </LI>
+ </UL>
+ <HR>
+<!--beginarticle-->
+<PRE>On Wednesday, 10 November 2010 01:01:21 nicolas vigier wrote:
+&gt;<i> On Tue, 09 Nov 2010, Buchan Milne wrote:
+</I>&gt;<i> &gt; On Monday, 8 November 2010 17:29:24 nicolas vigier wrote:
+</I>
+&gt;<i> &gt; &gt; On some machines like the svn server, we need to use pam_ldap to allow
+</I>&gt;<i> &gt; &gt; users access with their ldap accounts. But on others servers like
+</I>&gt;<i> &gt; &gt; alamut (web services), or the build nodes, normal users have no reason
+</I>&gt;<i> &gt; &gt; to login.
+</I>&gt;<i> &gt;
+</I>&gt;<i> &gt; But, sysadm members have a reason, and I see no reason to increase their
+</I>&gt;<i> &gt; overhead with local accounts.
+</I>&gt;<i>
+</I>&gt;<i> Maybe not on alamut, but on build nodes, I don't think user accounts for
+</I>&gt;<i> sysadmins will be very useful. The only reason to login to those nodes
+</I>&gt;<i> will be to check/fix iurt problems, which requires root permissions.
+</I>
+Root privileges, and how a user logs in, are different things.
+
+IMHO, the only time a sysadmin should log in directly as root is to fix a
+problem that is preventing authentication from working (e.g. problem booting,
+bringing network up, fixing name resolution etc. etc.).
+
+&gt;<i> &gt; &gt; On those servers, do you think we should restrict access with
+</I>&gt;<i> &gt; &gt; ssh configuration and a group, or disable pam_ldap completly on those
+</I>&gt;<i> &gt; &gt; servers and only use local accounts ?
+</I>&gt;<i> &gt;
+</I>&gt;<i> &gt; I was planning for pam_ldap's pam_groupdn option. E.g. a 'sysadm' group.
+</I>&gt;<i> &gt;
+</I>&gt;<i> &gt; &gt; We also need to decide what UID ranges we use for local accounts, and
+</I>&gt;<i> &gt; &gt; for ldap accounts.
+</I>&gt;<i> &gt; &gt;
+</I>&gt;<i> &gt; &gt; And groups. I think we could use the following groups :
+</I>&gt;<i> &gt; &gt; * posix : promotes the user as posixAccount+sshPublicKey (in ldap),
+</I>&gt;<i> &gt; &gt; and
+</I>&gt;<i> &gt; &gt;
+</I>&gt;<i> &gt; &gt; allows access to the svn and git using svn+<A HREF="ssh://">ssh://</A> and git+<A HREF="ssh://">ssh://</A>
+</I>&gt;<i> &gt;
+</I>&gt;<i> &gt; I think it would be better to try and provide VCS commit access without
+</I>&gt;<i> &gt; shell access. This is easy enough for subversion with mod_dav_svn.
+</I>&gt;<i>
+</I>&gt;<i> Is there the same for git ?
+</I>
+Not really. AFAIU, the model for git is that there should be no such thing as
+authorization ...
+
+&gt;<i> But we already need need (restricted) shell access for mdvsys submit.
+</I>
+Why? In the original repsys model, a request to &quot;build pkg foo rXXXX for
+release Y&quot; was all that was required. While I agree it may be quicker to go
+with mdvsys/iurt etc. now, why should submission require shell access? AFAIK,
+other similar tools (koji, OBS) don't.
+
+&gt;<i> &gt; &gt; * packager : allows commits in packages repository, package submit
+</I>&gt;<i> &gt; &gt; using
+</I>&gt;<i> &gt; &gt;
+</I>&gt;<i> &gt; &gt; mdvsys,
+</I>&gt;<i> &gt;
+</I>&gt;<i> &gt; How are we submitting to mdvsys? Command-line? API?
+</I>&gt;<i>
+</I>&gt;<i> With mdvsys, and a restricted shell on valstar allowing access to only
+</I>&gt;<i> /usr/share/repsys/create-srpm, svn and git commands.
+</I>&gt;<i>
+</I>&gt;<i> &gt; &gt; additional permissions on bugzilla,
+</I>&gt;<i> &gt;
+</I>&gt;<i> &gt; What permissions do packagers need that non-packager committer don't?
+</I>&gt;<i>
+</I>&gt;<i> Maybe none, I'm not sure.
+</I>&gt;<i>
+</I>&gt;<i> &gt; &gt; access to the packages
+</I>&gt;<i> &gt; &gt; maintainers database, etc ...
+</I>&gt;<i> &gt; &gt;
+</I>&gt;<i> &gt; &gt; * web : for members of web team, allows commits in web repository
+</I>&gt;<i> &gt; &gt; * documentation, translator, qa, marketing, etc ... :
+</I>&gt;<i> &gt; &gt; * packagerapprentice, webapprentice, etc ... : for apprentices, with
+</I>&gt;<i> &gt; &gt;
+</I>&gt;<i> &gt; &gt; more restricted access
+</I>&gt;<i> &gt;
+</I>&gt;<i> &gt; This is svn commit but no mdvsys access?
+</I>&gt;<i>
+</I>&gt;<i> Yes.
+</I>&gt;<i>
+</I>&gt;<i> &gt; &gt; * sysadm : gives admin permissions on all applications
+</I>&gt;<i> &gt;
+</I>&gt;<i> &gt; There is 'Account Admin' &quot;system&quot; group in LDAP, which allows any
+</I>&gt;<i> &gt; modification to any users. But, should system administration necessarily
+</I>&gt;<i> &gt; mean all access in all applications?
+</I>&gt;<i>
+</I>&gt;<i> I think yes, at least for applications managed by sysadmin team.
+</I>
+From a security/governance perspective, this would normally not be a good
+idea, as powers should be separated ...
+
+Regards,
+Buchan
+</PRE>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+<!--endarticle-->
+ <HR>
+ <P><UL>
+ <!--threads-->
+ <LI>Previous message: <A HREF="000495.html">[Mageia-sysadm] Usernames, uids, and groups
+</A></li>
+ <LI>Next message: <A HREF="000479.html">[Mageia-sysadm] Usernames, uids, and groups
+</A></li>
+ <LI> <B>Messages sorted by:</B>
+ <a href="date.html#465">[ date ]</a>
+ <a href="thread.html#465">[ thread ]</a>
+ <a href="subject.html#465">[ subject ]</a>
+ <a href="author.html#465">[ author ]</a>
+ </LI>
+ </UL>
+
+<hr>
+<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm
+mailing list</a><br>
+</body></html>