[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Report from DSA Team Sprint in Oslo

]] Yves-Alexis Perez 

> You don't speak at all of the virtualization solution. Afair xen is
> currently already used on part of the infrastructure. Is it the
> preferred choice? Did you consider the use of containers / “lightweight
> virtualization”?

We're mostly using KVM nowadays and I think we're likely to continue
down that path.  Containers are interesting, but, from my very cursory
exploration of them, they are where full VMs were a few years back and
probably need a bit more maturing.

> > User and Group Management
> > =========================
> > 
> > Debian has, approximately, 50 000 shell accounts [4].  We believe most
> > of these are unused and would therefore like to disable those that are.
> > The goal is to reduce the our exposure and not to take away anybody's
> > privileges.  We will monitor shell account activity in order to identify
> > and disable shell accounts that have been unused for a significant
> > amount of time (months).  We will extend ud-ldap to allow users to
> > easily and quickly re-enable their shell accounts.
> So that means something like a signed mail based “shell-knocking”? DD
> would need to send a gpg-signed mail to (re)enable a shell on a chosen
> machine before he can use it?

That's one possible way, we might also make it available on the LDAP
update web form.  The exact details have not been worked out.

> > Similarly, there is currently no mechanism which ensures that people
> > only have the group memberships which they are using.  We would like to
> > implement a system which will require users to periodically confirm
> > their group memberships.  Like the shell accounts, the goal is to reduce
> > our exposure, not to take away anybody's privileges.
> Shouldn't the various teams handling the group take care of managing
> them? Do they currently fail at that?

I think we can say that yes, they generally fail at asking for people to
be removed from groups.  I'm still a member of webwml even though I
don't think I've committed anything there since 2007 or so.  I'm also
apparently a qa member, though I can't even remember asking to be put in
the group. :-)

(Not picking on those two groups specifically, I'm just using myself as
an example here.)

> Regards, and again thank you for all the work!


Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Reply to: