[Freeipa-devel] [PATCHES] 0552-0554 Upgrading write permissions

Martin Kosek mkosek at redhat.com
Wed May 28 14:56:17 UTC 2014


On 05/28/2014 04:50 PM, Simo Sorce wrote:
> On Wed, 2014-05-28 at 16:27 +0200, Petr Viktorin wrote:
>> Simo, I hazily remember discussing that we should only allow specific 
>> attributes on add, otherwise users can add entries with any extra 
>> objectclasses and attributes. Did we come to a conclusion?
>> I might have confused targetattr with targetattrfilter in my notes; 
>> since I see targetattr is ineffective.
>>
> Yes we need to restrict at least the allowed objectclasses I think.
> 
> Simo.
> 

We do not have support for targetattrfilter; I do not think this was ever
tested. This part of ACI is also not very well documented; I think Petr found
just one notice in the DS documentation about targetattrfilter.

For 4.0, I would keep the add ACIs as they are (we do not have time for
additional experiments anyway). If we feel the urge later, given the
permissions are managed, it should be easy to change that.

Martin



