[Freeipa-devel] [PATCH] self service aci
Pete Rowley
prowley at redhat.com
Tue Oct 30 18:58:43 UTC 2007
Simo Sorce wrote:
> On Tue, 2007-10-30 at 11:47 -0700, Pete Rowley wrote:
>
>> Simo Sorce wrote:
>>
>>> On Tue, 2007-10-30 at 11:21 -0700, Pete Rowley wrote:
>>>
>>>
>>>> Well, I was thinking along the lines of it allowing arbitrary commands
>>>> to be executed with root privilege. For example, an escalation of privilege:
>>>>
>>>> loginShell: /home/prowley/addMeToSudoers
>>>>
>>>> I suspect this is the kind of thing that makes it a problem, still need to
>>>> check it out though.
>>>>
>>>>
>>> The shell is run as the user, so this is nothing to worry about.
>>>
>>>
>>>
>> Hmm, yes. So what problem do you envisage with this?
>>
>
> I guess I have been exposed for too long to control freaks, so anything
> that is not cosmetic and allows self-change makes me nervous :-)
>
> Maybe we can have an easy way to switch between
> permissive/non-permissive mode easily? I.e., not change the list of
> permitted attributes, just enable/disable that ACI on demand?
>
>
We definitely will need to have a UI to help modify this... in the future
:) i.e. after v1
--
Pete