[Freeipa-users] Non-human users

John Dennis jdennis at redhat.com
Fri Feb 15 18:50:59 UTC 2013


On 02/15/2013 01:39 PM, Orion Poplawski wrote:
> On 02/15/2013 11:38 AM, John Dennis wrote:
>> On 02/15/2013 01:35 PM, Rob Crittenden wrote:
>>> John Dennis wrote:
>>>> The example cited was the apache user, a system daemon. For system users
>>>> bound to system daemons I stand by what I said. If you want to talk
>>>> about other system users not bound to a daemon then state that rather
>>>> than confusing the issue.
>>>>
>>>
>>> He cited a backup user. That isn't tied to a daemon.
>>
>> The original message said this:
>>
>>> I think the main issue we've run into is needing the apache user ...
>>
>
> And:
>
> Another example is a backup user account that backup software logs in as.
>
> Also some accounts that own files and some services run as that are needed on
> multiple machines.  I suppose we could use puppet to manage those, but ldap
> seems more convenient.
>

O.K., but I want to make sure you understand the difference. If you give 
login or other permissions to a network-facing system daemon you're 
opening a huge security hole. Adding the apache user to the set of users 
managed by IPA is quite dangerous unless you are extraordinarily careful 
to remove the privileges normally granted by IPA; it could lead to the 
complete compromise of your network.

-- 
John Dennis <jdennis at redhat.com>
