
Re: WLUS development perspective



On Wed, May 11, 2005 at 12:04:32PM +0200, Bjorn Ove Grotan wrote:
> Geert Stappers:
> > On Sun, May 08, 2005 at 08:47:19AM +0200, Andreas Schuldei wrote:
> >  <snip/> 
> > > ideas, suggestions?
> > 
> > There was a posting from Barbarossa
> > with the idea of putting "root privilege required commands" in a queue
> > and execute it as root.

i discussed different approaches with people on #d-d on
irc.debian.org and the result was what i posted. the cron
solution would not really bring additional safety but would only
provide an additional level of redirection, that is why I did not
go for it.

> > My contrib:
> > use 
> >    include /etc/ldap/acces/
> > like
> >    include /etc/ldap/schema/
> > in /etc/ldap/slapd{,-debian-edu}.conf 
> > That will make it easier to update the access permissions.

i think newer slapd.confs (2.2) provide such features already,
don't they?

> True.. like suggested in http://www.grotan.com/ldap/slapd.access.conf
> If I'm not mistaken (I might be though ;), "include" takes a file, not a
> directory. At least, this will make it a bit more tidy until we can make
> use of ACI-objects inside the database rather than access instructions

ACIs are said to be slower than ACIs. Right now we don't have much
change in the DB regarding change of access restrictions. and with
the current "writeableBy:" attribute we are as flexible as that
already, without ACIs.

> in a configfile where the server has to be HUPed to re-read the
> instructions.
> 
> I'm not very fond of adding root privileged-required commands in a
> queue, since this very well can be used to gain root-access or do
> serious damage to a system (`rm -rf` comes to mind). What are the actual
> commands that need root privileges? Making new homedirectories and
> running a set of chmod,chown,chgrp on it?

yes, right.

Note that i did not go through the whole application to check for
required root accesses yet. Does smbpasswd require it? And we
need to delete stuff, when cleaning up after accounts etc and
flush nscd.
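
As an added illustration of the concern raised in this thread (not code from any poster or from WLUS): instead of queueing arbitrary command strings for root, the privileged side can accept only a few fixed operations with validated arguments and build the argv itself. The operation names, `HOME_BASE`, the username pattern and the per-user group are assumptions made for this sketch.

```python
import os
import re

HOME_BASE = "/home"  # assumption: all home directories live directly under here
USER_RE = re.compile(r"[a-z][a-z0-9]{0,30}")  # assumption: conservative name policy
NSCD_TABLES = {"passwd", "group"}  # caches worth flushing after account changes

class Rejected(ValueError): pass  # request is not a fixed, validated operation

def home_of(user):
    if not isinstance(user, str) or not USER_RE.fullmatch(user):
        raise Rejected(f"bad username: {user!r}")
    path = os.path.normpath(os.path.join(HOME_BASE, user))
    if os.path.dirname(path) != HOME_BASE:  # defence in depth against traversal
        raise Rejected(f"path escapes {HOME_BASE}: {path!r}")
    return path

def build_argv(request):
    """Map one queued request (a dict) to a fixed argv list, never a shell string."""
    op = request.get("op")
    if op == "create_home":
        user, home = request.get("user"), home_of(request.get("user"))
        # assumption: each user has a primary group named after the user
        return ["install", "-d", "-m", "0700", "-o", user, "-g", user, home]
    if op == "remove_home":
        return ["rm", "-rf", "--", home_of(request.get("user"))]
    if op == "flush_nscd":
        table = request.get("table")
        if not isinstance(table, str) or table not in NSCD_TABLES:
            raise Rejected(f"bad nscd table: {table!r}")
        return ["nscd", "-i", table]
    raise Rejected(f"unknown operation: {op!r}")

def triage(queue):
    """Split a queue into argv lists the root helper may run and refusals."""
    accepted, refused = [], []
    for request in queue:
        try:
            accepted.append(build_argv(request))
        except Rejected as err:
            refused.append(str(err))
    return accepted, refused

# Constructed sample queue: two valid requests and three that must be refused.
SAMPLE_QUEUE = [
    {"op": "create_home", "user": "alice"}, {"op": "flush_nscd", "table": "passwd"},
    {"op": "remove_home", "user": "../etc"}, {"op": "run", "cmd": "rm -rf /"},
    {"op": "create_home", "user": "bob; rm -rf /"},
]
```

The helper running as root would pass each accepted list to `subprocess.run(argv)` without a shell and log every refusal.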



