[Freeipa-users] ipausers default group

Robert Marcano robert at marcanoonline.com
Tue Nov 18 14:31:59 UTC 2008


On Tue, 2008-11-18 at 08:39 -0500, Simo Sorce wrote:
> On Mon, 2008-11-17 at 20:03 -0430, Robert Marcano wrote:
> > Is it a good idea that "ipausers" group be the default primary group for
> > all users? I see everyday applications that create temporary files that
> > do not follow the 0600 file permissions.
> > 
> > All RedHat/Fedora tools create a user and a group by default, unless you
> > request a different primary group.
> > 

...

> You should be able to change the default umask for users so that groups
> do not get permissions like others.
> The umask can be changed from 0002 to 0022 so that groups do not get
> write permissions by default.
> If you want by default no readability to anyone but the user you can
> also set it to 0077

Yes I know about the umask option, but if you are trying to deploy not
only servers but Linux workstations, that must be done on each one of
them, leaving the possibility of a security hole if you miss one of
them. And things can be worse if you do not have control of all the
servers (in my case I have servers from another company that I will only
request them to be added to the IPA realm)

> 
> The default umask can be changed in /etc/bashrc on Fedora and similar
> files on other distributions, or even just per-user in ~/.bashrc
> 
> > Creating a group by hand for each user is repetitive and there is no way
> > to assign them easily, you need to copy the GID and copy it to the user
> > by hand
> 
> Creating a group for each user creates an unnecessary proliferation of
> groups that clogs the group interface with mostly useless groups.

So, Freeipa creates a (little) insecure environment by default. I
understand that things must be made easy for the users but remember that
making things easier can compromise security too. I think it is possible
to make the GUI create the primary group on another part of the LDAP
tree (like I do with samba machine posix accounts because I was worried
like you are with the machine$ accounts cluttering the Web UI), I only
needed to change the ldap configuration to get users from the common
parent

nss_base_passwd cn=accounts,dc=example,dc=com,dc=ve?sub

this way the UI will not be cluttered with the primary groups

> Managing user/groups makes it more complex to create, delete and rename
> existing users, as the relative groups would need to follow, and
> exceptions would need to be handled.
> 
Well the simple adduser/removeuser scripts are able to do that (no
rename), so I think it is feasible to replicate that on an LDAP
environment

What do people think about this option? This is something that I will
hopefully try to get sometime to help with, and could be the excuse to
learn a little of python web development (I have no knowledge of
TurboGears :-P)

> 
> In case you find that you nonetheless want to create a group for each
> user you can use CLI tools and some scripts to make it simpler for you
> to create users the way you prefer.

That is the temporary solution that I will propose here, but I am sad
because it will not be very welcome, because we lose the integrated GUI
(the primary reason we opted for freeipa)


> 
> Simo.
> 
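The permission problem discussed in this thread, shown as an added example that is not part of the original mail: files created with the 0666 default mode under the umask values mentioned above (0002, 0022, 0077), plus a small audit that lists files whose group bits expose them to every member of a shared primary group such as "ipausers". The file names and the temporary directory are constructed for the demonstration.

```python
import os
import stat
import tempfile


def create_with_umask(path, mask):
    """Create a file the way a typical application does (open with mode 0666
    and let the umask trim it) and return the resulting permission bits."""
    old = os.umask(mask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
        os.close(fd)
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def group_exposed_files(root, shared_gid):
    """Walk root and return the relative paths of regular files owned by
    shared_gid whose group bits grant read or write. With a shared primary
    group like ipausers, every member of that group can reach these files."""
    exposed = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_gid == shared_gid and st.st_mode & (stat.S_IRGRP | stat.S_IWGRP):
                exposed.append(os.path.relpath(path, root))
    return sorted(exposed)


def demo():
    """Constructed scenario: one temp file per umask value from the thread.
    Returns (mode under 0002, mode under 0022, mode under 0077, exposed files)."""
    with tempfile.TemporaryDirectory() as d:
        modes = {}
        for mask in (0o002, 0o022, 0o077):
            name = "umask%04o.tmp" % mask
            modes[mask] = create_with_umask(os.path.join(d, name), mask)
        # Use the gid the files actually got, standing in for the shared group.
        shared_gid = os.stat(os.path.join(d, "umask0002.tmp")).st_gid
        exposed = group_exposed_files(d, shared_gid)
        return modes[0o002], modes[0o022], modes[0o077], exposed


if __name__ == "__main__":
    print(demo())  # -> (0o664, 0o644, 0o600, ['umask0002.tmp', 'umask0022.tmp'])
```

Note that 0022 still leaves files group-readable, so with a shared primary group only 0077 (or a per-user private group) keeps other users out of such files.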