From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-sysadm/2010-November/000425.html | 144 ++++++++++++++++++++++++ 1 file changed, 144 insertions(+) create mode 100644 zarb-ml/mageia-sysadm/2010-November/000425.html (limited to 'zarb-ml/mageia-sysadm/2010-November/000425.html') diff --git a/zarb-ml/mageia-sysadm/2010-November/000425.html b/zarb-ml/mageia-sysadm/2010-November/000425.html new file mode 100644 index 000000000..c9b3efb3d --- /dev/null +++ b/zarb-ml/mageia-sysadm/2010-November/000425.html @@ -0,0 +1,144 @@ + + + + [Mageia-sysadm] Usernames, uids, and groups + + + + + + + + + +

[Mageia-sysadm] Usernames, uids, and groups

+ nicolas vigier + boklm at mars-attacks.org +
+ Wed Nov 10 01:01:21 CET 2010 +

+
+ +
On Tue, 09 Nov 2010, Buchan Milne wrote:
+
+> On Monday, 8 November 2010 17:29:24 nicolas vigier wrote:
+> > Hello,
+> 
+> Why a new thread?
+
+I only received your email after creating this thread.
+
+> 
+> > On some machines like the svn server, we need to use pam_ldap to allow
+> > users access with their ldap accounts. But on others servers like
+> > alamut (web services), or the build nodes, normal users have no reason
+> > to login.
+> 
+> But, sysadm members have a reason, and I see no reason to increase their 
+> overhead with local accounts.
+
+Maybe not on alamut, but on build nodes, I don't think user accounts for
+sysadmins will be very useful. The only reason to login to those nodes
+will be to check/fix iurt problems, which requires root permissions.
+
+> > On those servers, do you think we should restrict access with
+> > ssh configuration and a group, or disable pam_ldap completly on those
+> > servers and only use local accounts ?
+> 
+> I was planning for pam_ldap's pam_groupdn option. E.g. a 'sysadm' group.
+> 
+> > We also need to decide what UID ranges we use for local accounts, and for
+> > ldap accounts.
+> > 
+> > And groups. I think we could use the following groups :
+> >  * posix : promotes the user as posixAccount+sshPublicKey (in ldap), and
+> >    allows access to the svn and git using svn+ssh:// and git+ssh://
+> 
+> I think it would be better to try and provide VCS commit access without shell 
+> access. This is easy enough for subversion with mod_dav_svn.
+
+Is there the same for git ?
+But we already need need (restricted) shell access for mdvsys submit.
+
+> 
+> >  * packager : allows commits in packages repository, package submit using
+> >    mdvsys,
+> 
+> How are we submitting to mdvsys? Command-line? API?
+
+With mdvsys, and a restricted shell on valstar allowing access to only
+/usr/share/repsys/create-srpm, svn and git commands.
+
+> 
+> >    additional permissions on bugzilla,
+> 
+> What permissions do packagers need that non-packager committer don't?
+
+Maybe none, I'm not sure.
+
+> >    access to the packages
+> >    maintainers database, etc ...
+> 
+> 
+> >  * web : for members of web team, allows commits in web repository
+> >  * documentation, translator, qa, marketing, etc ... :
+> >  * packagerapprentice, webapprentice, etc ... : for apprentices, with
+> >    more restricted access
+> 
+> This is svn commit but no mdvsys access?
+
+Yes.
+
+> 
+> >  * sysadm : gives admin permissions on all applications
+> 
+> There is 'Account Admin' "system" group in LDAP, which allows any modification 
+> to any users. But, should system administration necessarily mean all access in 
+> all applications?
+
+I think yes, at least for applications managed by sysadmin team.
+
+Nicolas
+
+
+ + + + + + + + + + +
+

+ +
+More information about the Mageia-sysadm +mailing list
+ -- cgit v1.2.1