[Mageia-sysadm] Usernames, uids, and groups

nicolas vigier boklm at mars-attacks.org
Wed Nov 10 01:01:21 CET 2010


On Tue, 09 Nov 2010, Buchan Milne wrote:

> On Monday, 8 November 2010 17:29:24 nicolas vigier wrote:
> > Hello,
> 
> Why a new thread?

I only received your email after creating this thread.

> 
> > On some machines like the svn server, we need to use pam_ldap to allow
> > users access with their ldap accounts. But on others servers like
> > alamut (web services), or the build nodes, normal users have no reason
> > to login.
> 
> But, sysadm members have a reason, and I see no reason to increase their 
> overhead with local accounts.

Maybe not on alamut, but on build nodes, I don't think user accounts for
sysadmins will be very useful. The only reason to login to those nodes
will be to check/fix iurt problems, which requires root permissions.

> > On those servers, do you think we should restrict access with
> > ssh configuration and a group, or disable pam_ldap completely on those
> > servers and only use local accounts ?
> 
> I was planning for pam_ldap's pam_groupdn option. E.g. a 'sysadm' group.
> 
> > We also need to decide what UID ranges we use for local accounts, and for
> > ldap accounts.
> > 
> > And groups. I think we could use the following groups :
> >  * posix : promotes the user as posixAccount+sshPublicKey (in ldap), and
> >    allows access to the svn and git using svn+ssh:// and git+ssh://
> 
> I think it would be better to try and provide VCS commit access without shell 
> access. This is easy enough for subversion with mod_dav_svn.

Is there the same for git ?
But we already need (restricted) shell access for mdvsys submit.

> 
> >  * packager : allows commits in packages repository, package submit using
> >    mdvsys,
> 
> How are we submitting to mdvsys? Command-line? API?

With mdvsys, and a restricted shell on valstar allowing access to only
/usr/share/repsys/create-srpm, svn and git commands.

> 
> >    additional permissions on bugzilla,
> 
> What permissions do packagers need that non-packager committer don't?

Maybe none, I'm not sure.

> >    access to the packages
> >    maintainers database, etc ...
> 
> 
> >  * web : for members of web team, allows commits in web repository
> >  * documentation, translator, qa, marketing, etc ... :
> >  * packagerapprentice, webapprentice, etc ... : for apprentices, with
> >    more restricted access
> 
> This is svn commit but no mdvsys access?

Yes.

> 
> >  * sysadm : gives admin permissions on all applications
> 
> There is 'Account Admin' "system" group in LDAP, which allows any modification 
> to any users. But, should system administration necessarily mean all access in 
> all applications?

I think yes, at least for applications managed by sysadmin team.

Nicolas
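The restricted shell on valstar that Nicolas describes (login allowed only for /usr/share/repsys/create-srpm, svn and git) is the kind of thing that is easy to get subtly wrong, so here is an added example of such a login shell. It is not Mageia's own script, and it assumes: the script is installed as /usr/local/bin/restricted-shell and set as the LDAP user's loginShell; git repositories live under /srv/git and the svn root is /srv/svn (both hypothetical); and svn+ssh:// and git+ssh:// clients send the wire commands they actually send (`svnserve -t`, `git-upload-pack '/path'` and friends). The key design points are that the client's command string is split into words and exec'ed directly, never handed to a shell, and that the svn root and git base directory are pinned server-side.

```shell
#!/bin/sh
# restricted-shell: login shell for svn+ssh / git+ssh / mdvsys accounts.
# Added example in the spirit of the valstar setup described in the mail;
# it is not Mageia's own script. Assumed: installed as
# /usr/local/bin/restricted-shell, git repos under /srv/git, svn root /srv/svn.
#
# sshd invokes a user's login shell as:  shell -c '<command sent by client>'
# That -c string is the ONLY entry point honoured; interactive logins, scp,
# sftp and anything not on the allowlist are refused and logged.

PATH=/usr/bin:/bin; export PATH
set -f        # never glob-expand words of the client command
umask 077
NL='
'
Q="'"

CREATE_SRPM=/usr/share/repsys/create-srpm   # named in the thread
GIT_ROOT=/srv/git                           # assumption
SVN_ROOT=/srv/svn                           # assumption

# Log the refusal for the sysadmins (auth facility) and give the client a
# terse reason. Always returns 1.
deny() {
    logger -p auth.warning -t restricted-shell "user=$(id -un) denied: $1" 2>/dev/null || :
    echo "restricted-shell: $2" >&2
    return 1
}

# git clients quote the repository path: git-upload-pack '/packages/foo.git'
unquote() {
    case $1 in
        "$Q"*"$Q") v=${1#"$Q"}; printf '%s' "${v%"$Q"}" ;;
        *)         printf '%s' "$1" ;;
    esac
}

# Validate the client command line and print the argv to exec, one word per
# line. Returns 1 if the command must be refused. The string is split on
# whitespace and never handed to a shell, so no metacharacter is ever
# interpreted; they are rejected outright anyway, to keep logs unambiguous.
resolve() {
    cmd=$1
    case $cmd in
        *\;*|*\&*|*\|*|*\`*|*\$*|*\(*|*\)*|*\<*|*\>*|*"$NL"*)
            deny "$cmd" "shell metacharacters are not allowed"; return 1 ;;
    esac
    set -- $cmd            # word split only; set -f above disables globbing
    [ $# -gt 0 ] || { deny "(empty)" "interactive login is not allowed"; return 1; }
    case $1 in
        "$CREATE_SRPM"|create-srpm)
            # mdvsys submit: pass the arguments through to create-srpm
            shift; printf '%s\n' "$CREATE_SRPM" "$@" ;;
        svnserve)
            # svn+ssh:// clients send exactly "svnserve -t"; pin the root so a
            # client cannot point svnserve at an arbitrary directory
            shift
            [ "$*" = "-t" ] || { deny "svnserve $*" "only 'svnserve -t' is allowed"; return 1; }
            printf '%s\n' svnserve -t -r "$SVN_ROOT" ;;
        git-upload-pack|git-receive-pack|git-upload-archive)
            [ $# -eq 2 ] || { deny "$cmd" "$1 takes exactly one repository argument"; return 1; }
            repo=$(unquote "$2"); repo=${repo#/}
            # confine to GIT_ROOT: relative, no "..", only plain path characters
            case $repo in
                ''|/*|*..*|*/|*[!A-Za-z0-9._/-]*)
                    deny "$cmd" "bad repository path"; return 1 ;;
            esac
            printf '%s\n' "$1" "$GIT_ROOT/$repo" ;;
        *)
            deny "$cmd" "command not allowed: $1"; return 1 ;;
    esac
}

# Entry point when used as a login shell.
main() {
    [ "$1" = "-c" ] && [ $# -eq 2 ] || { deny "argv: $*" "interactive login is not allowed"; exit 1; }
    argv=$(resolve "$2") || exit 1
    IFS=$NL; set -- $argv; unset IFS   # rebuild argv from the newline list
    exec "$@"
}

# Dispatch only when actually installed as the login shell; sourcing or running
# this file under another name just defines the functions (used by the tests).
case ${0##*/} in
    restricted-shell|-restricted-shell) main "$@" ;;
esac
```

Install it with `usermod -s /usr/local/bin/restricted-shell user` for local accounts, or set it as the loginShell attribute of the posixAccount in LDAP. Two deliberate limitations: repository paths containing whitespace and the `git upload-pack` (space-separated) command form are refused rather than parsed, and create-srpm's arguments are passed through unchecked, so whatever create-srpm itself accepts is the effective policy for packagers.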


