URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code
HonzaCholasta commented: """ I would personally go with: * Change session handling: 5959 * Generate tmpfiles config at install time: 5959 * Drop use of kinit_as_http from trust code: 5959 * Use Anonymous user to obtain FAST armor ccache: 5959 * Configure HTTPD to work via Gss-Proxy: 4189, 5959 * Separate RA cert store from the HTTP cert store: 5959 * Simplify NSSDatabase password file handling: 5959 * Always use /etc/ipa/ca.crt as CA cert file: 5959 * Add a new user to run the framework code: 5959 * Rationalize creation of RA and HTTPD NSS databases: 5959 * Fix uninstall stopping ipa.service: 5959 * Allow rpc callers to pass ccache and service names: 6543 * Explicitly pass down ccache names for connections: 6543 * Insure removal of session on identity change: 6543 """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279729055
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code