[Freeipa-devel] [PATCH] self service aci

Pete Rowley prowley at redhat.com
Tue Oct 30 18:58:43 UTC 2007


Simo Sorce wrote:
> On Tue, 2007-10-30 at 11:47 -0700, Pete Rowley wrote:
>   
>> Simo Sorce wrote:
>>     
>>> On Tue, 2007-10-30 at 11:21 -0700, Pete Rowley wrote:
>>>
>>>> Well, I was thinking along the lines of it allowing arbitrary commands 
>>>> to be executed with root privilege. For example, an escalation of privilege:
>>>>
>>>> loginShell: /home/prowley/addMeToSudoers
>>>>
>>>> I suspect this is the kind of thing that makes it a problem, still need to 
>>>> check it out though.
>>>>
>>> The shell is run as the user, so this is not to worry.
>>>
>>>
>> Hmm, yes. So what problem do you envisage with this?
>>     
>
> I guess I have been exposed for too long to control freaks, so anything
> that is not cosmetic and allows self-change makes me nervous :-)
>
> Maybe we can have an easy way to switch between
> permissive/non-permissive mode easily? I.e., not change the list of
> permitted attributes, just enable/disable that ACI on demand?
>
>   
We definitely will need to have UI to help modify this... in the future 
:) i.e. after v1


-- 
Pete
