[Freeipa-devel] [PATCH] self service aci

Rob Crittenden rcritten at redhat.com
Tue Oct 30 18:00:43 UTC 2007


Pete Rowley wrote:
> Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Mon, 2007-10-29 at 15:35 -0700, Pete Rowley wrote:
>>>> Simo Sorce wrote:
>>>>> On Mon, 2007-10-29 at 14:55 -0700, Pete Rowley wrote:
>>>>>  
>>>>>> +aci: (targetattr = "givenName || sn || cn || displayName || initials
>>>>>> || loginShell || homePhone || mobile || pager ||
>>>>>> facsimileTelephoneNumber || telephoneNumber || street || 
>>>>>> roomNumber ||
>>>>>> l || st || postalCode || manager || description || carLicense ||
>>>>>> labeledURI || inetUserHTTPURL || seeAlso || userPassword")(version
>>>>>> 3.0;acl "Self service";allow (write) userdn="ldap:///self";)
>>>>>>     
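Review bot: In the targetattr list, `manager` and `loginShell` get the same self-write grant as plain contact fields, and `userPassword` shares the rule with them, so a deployment cannot tighten one without rewriting the whole ACI. Consider splitting it into separate ACIs (contact attributes, naming attributes `givenName`/`sn`/`cn`, `manager`, `loginShell`, `userPassword`) so each group can be dropped or restricted independently, and add a comment stating why each group is self-writable.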
>>>>> Allow users by default to change name (givenName, cn, sn), manager and
>>>>> loginShell by themselves?
>>>>>
>>>>>   
>>>> loginShell might be a problem, what issue do you have with the others?
>>>
>>> Well I am not sure it makes sense to change your own name, why should
>>> you?
>>> Same for the manager, we might think of ACIs where manager=<something>
>>> may matter
>>>
>>
>> I agree about the name field, it shouldn't be user-modifiable (that is 
>> what HR is for). I think we should limit changes to phone number, 
>> address, license, shell, password, etc.
>>
> The basic philosophy here is "if it isn't an out and out security risk 
> allow it." Inherent in self service is some level of /trust/, or why 
> would we allow any attribute to be changed? If I can trust my employee 
> to change their phone number to something that will allow me to call 
> them, I think I can trust them not to arbitrarily rename themselves 
> Winston Churchill or some such. Still, there may be those that would, 
> and what do you suspect would happen in such cases? I suspect not good 
> things for the WC wannabe.
> 
> This default policy can be changed by the deployment if they disagree, 
> and some will.

True, the trick is how able we'll be to let them change the policy. This 
will likely be a v2 thing with it documented in v1.

> I still need to go research login shell to see whether it matters.

Can't users change their shell today with /usr/bin/chsh? I don't see the 
controversy there. The trick is only letting them put in a legal value 
and that is system-dependent (e.g. mine is set for /bin/zsh and I log 
into an AIX box without that installed).

rob
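
A small audit of the ACI from the quoted patch, as an added example that is not part of the original message or of FreeIPA's code: it parses the rule and groups the self-writable attributes into the concerns debated in the thread. The bucket names and the helpers `parse_aci` and `self_write_review` are assumptions made for this illustration, and the parser handles only the single-target ACI shape shown in the patch.

```python
import re

# The ACI from the quoted patch, re-joined from its wrapped mail lines.
SELF_SERVICE_ACI = (
    '(targetattr = "givenName || sn || cn || displayName || initials || '
    'loginShell || homePhone || mobile || pager || facsimileTelephoneNumber || '
    'telephoneNumber || street || roomNumber || l || st || postalCode || '
    'manager || description || carLicense || labeledURI || inetUserHTTPURL || '
    'seeAlso || userPassword")(version 3.0;acl "Self service";'
    'allow (write) userdn="ldap:///self";)'
)

# Assumption: review buckets named after the concerns raised in this thread.
REVIEW = {
    "identity": {"givenname", "sn", "cn"},
    "access-relevant": {"manager"},
    "login": {"loginshell"},
    "credential": {"userpassword"},
}

# Handles only the single-target, single-permission shape used in the patch.
ACI_RE = re.compile(
    r'\(\s*targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\s*\)\s*'
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;\s*'
    r'(?P<kind>allow|deny)\s*\((?P<rights>[^)]*)\)\s*(?P<bind>[^;]*);\s*\)\s*$'
)

def parse_aci(aci):
    """Split an ACI string into its target attributes, rights and bind rule."""
    m = ACI_RE.match(aci.strip())
    if not m:
        raise ValueError("unsupported ACI shape")
    return {
        "name": m["name"], "op": m["op"], "kind": m["kind"],
        "attrs": [a.strip() for a in m["attrs"].split("||") if a.strip()],
        "rights": [r.strip().lower() for r in m["rights"].split(",")],
        "bind": m["bind"].replace(" ", ""),
    }

def self_write_review(aci):
    """Return {bucket: [attrs]} for attributes an entry may write on itself."""
    p = parse_aci(aci)
    if not (p["kind"] == "allow" and {"write", "all"} & set(p["rights"])
            and p["bind"] == 'userdn="ldap:///self"'):
        return {}  # not a self-write grant ("all" includes write)
    if p["op"] == "!=" or "*" in p["attrs"]:
        return {"unbounded": p["attrs"]}  # wildcard/negated list: review it all
    hits = {b: [a for a in p["attrs"] if a.lower() in n] for b, n in REVIEW.items()}
    return {b: h for b, h in hits.items() if h}
```

Calling `self_write_review(SELF_SERVICE_ACI)` lists the attributes the thread argues over; the remaining attributes in the rule are the contact fields nobody objected to.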