[Freeipa-devel] [PATCH] don't allow special groups to be removed
Rob Crittenden
rcritten at redhat.com
Fri Nov 30 19:54:40 UTC 2007
Karl MacMillan wrote:
> On Fri, 2007-11-30 at 12:53 -0500, Rob Crittenden wrote:
>> This patch won't allow the XML-RPC interface to remove the admins or
>> editors groups nor the configured group that is the default group for
>> new users.
>>
>
> Pushed.
>
>> I was originally going to do an ACI for this but thought that returning
>> a useful error message was better.
>>
>
> We need both - because users can always directly access the DS there is
> no security value to checks in the xml-rpc layer. They are useful for
> error reporting, consistency, etc., but not for security.
>
> Karl
>
Removing the admins or editors groups isn't a security issue; they'll
just break their IPA install.
IMHO if they want to use LDAP commands to hork up IPA entries let them.
rob