[Mageia-sysadm] Usernames, uids, and groups

Wed Nov 10 10:10:18 CET 2010

On Wednesday, 10 November 2010 01:01:21 nicolas vigier wrote:
+> On Tue, 09 Nov 2010, Buchan Milne wrote:
+> > On Monday, 8 November 2010 17:29:24 nicolas vigier wrote:
+
+> > > On some machines like the svn server, we need to use pam_ldap to allow
+> > > users access with their ldap accounts. But on others servers like
+> > > alamut (web services), or the build nodes, normal users have no reason
+> > > to login.
+> > 
+> > But, sysadm members have a reason, and I see no reason to increase their
+> > overhead with local accounts.
+> 
+> Maybe not on alamut, but on build nodes, I don't think user accounts for
+> sysadmins will be very useful. The only reason to login to those nodes
+> will be to check/fix iurt problems, which requires root permissions.
+
+Root privileges, and how a user logs in, are different things.
+
+IMHO, the only time a sysadmin should log in directly as root is to fix a 
+problem that is preventing authentication from working (e.g. problem booting, 
+bringing network up, fixing name resolution etc. etc.).
+
+> > > On those servers, do you think we should restrict access with
+> > > ssh configuration and a group, or disable pam_ldap completly on those
+> > > servers and only use local accounts ?
+> > 
+> > I was planning for pam_ldap's pam_groupdn option. E.g. a 'sysadm' group.
+> > 
+> > > We also need to decide what UID ranges we use for local accounts, and
+> > > for ldap accounts.
+> > > 
+> > > And groups. I think we could use the following groups :
+> > >  * posix : promotes the user as posixAccount+sshPublicKey (in ldap),
+> > >  and
+> > >  
+> > >    allows access to the svn and git using svn+ssh:// and git+ssh://
+> > 
+> > I think it would be better to try and provide VCS commit access without
+> > shell access. This is easy enough for subversion with mod_dav_svn.
+> 
+> Is there the same for git ?
+
+Not really. AFAIU, the model for git is that there should be no such thing as 
+authorization ...
+
+> But we already need need (restricted) shell access for mdvsys submit.
+
+Why? In the original repsys model, a request to "build pkg foo rXXXX for 
+release Y" was all that was required. While I agree it may be quicker to go 
+with mdvsys/iurt etc. now, why should submission require shell access? AFAIK, 
+other similar tools (koji, OBS) don't.
+
+> > >  * packager : allows commits in packages repository, package submit
+> > >  using
+> > >  
+> > >    mdvsys,
+> > 
+> > How are we submitting to mdvsys? Command-line? API?
+> 
+> With mdvsys, and a restricted shell on valstar allowing access to only
+> /usr/share/repsys/create-srpm, svn and git commands.
+> 
+> > >    additional permissions on bugzilla,
+> > 
+> > What permissions do packagers need that non-packager committer don't?
+> 
+> Maybe none, I'm not sure.
+> 
+> > >    access to the packages
+> > >    maintainers database, etc ...
+> > >  
+> > >  * web : for members of web team, allows commits in web repository
+> > >  * documentation, translator, qa, marketing, etc ... :
+> > >  * packagerapprentice, webapprentice, etc ... : for apprentices, with
+> > >  
+> > >    more restricted access
+> > 
+> > This is svn commit but no mdvsys access?
+> 
+> Yes.
+> 
+> > >  * sysadm : gives admin permissions on all applications
+> > 
+> > There is 'Account Admin' "system" group in LDAP, which allows any
+> > modification to any users. But, should system administration necessarily
+> > mean all access in all applications?
+> 
+> I think yes, at least for applications managed by sysadmin team.
+
+From a security/governance perspective, this would normally not be a good 
+idea, as powers should be separated ...
+
+Regards,
+Buchan
+