[Freeipa-devel] [PATCH] self service aci

Simo Sorce ssorce at redhat.com
Tue Oct 30 18:49:21 UTC 2007


On Tue, 2007-10-30 at 11:47 -0700, Pete Rowley wrote:
> Simo Sorce wrote:
> > On Tue, 2007-10-30 at 11:21 -0700, Pete Rowley wrote:
> >   
> >> Well, I was thinking along the lines of it allowing arbitrary commands 
> >> to be executed with root privilege. For example, an escalation of privilege:
> >>
> >> loginShell: /home/prowley/addMeToSudoers
> >>
> >> I suspect this is the kind of thing that makes it a problem, still need to
> >> check it out though.
> >>     
> >
> > The shell is run as the user, so this is not to worry.
> >
> >   
> Hmm, yes. So what problem do you envisage with this?

I guess I have been exposed for too long to control freaks, so anything
that is not cosmetic and allows self-change makes me nervous :-)

Maybe we can have an easy way to switch between
permissive/non-permissive mode easily? I.e., not change the list of
permitted attributes, just enable/disable that ACI on demand?

Simo.



