On 02/15/2013 01:39 PM, Orion Poplawski wrote:
On 02/15/2013 11:38 AM, John Dennis wrote:
On 02/15/2013 01:35 PM, Rob Crittenden wrote:
John Dennis wrote:
The example cited was the apache user, a system daemon. For system users
bound to system daemons I stand by what I said. If you want to talk
about other system users not bound to a daemon, then state that rather
than confusing the issue.


He cited a backup user. That isn't tied to a daemon.

The original message said this:

I think the main issue we've run into is needing the apache user ...

And:

Another example is a backup user account that backup software logs in as.

Also some accounts that own files and some services run as that are needed on
multiple machines.  I suppose we could use puppet to manage those, but ldap
seems more convenient.

O.K., but I want to make sure you understand the difference. If you give login or other permissions to a network-facing system daemon, you're opening a huge security hole. Adding the apache user to the set of users managed by IPA is quite dangerous unless you are extraordinarily careful to remove the privileges normally granted by IPA; it could lead to the complete compromise of your network.

--
John Dennis <jden...@redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
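The risk John describes is something a defender can check for from the client side, because directory-backed accounts appear in the host's NSS view alongside local ones. The following Python script is an added example and is not part of the thread or of FreeIPA: it parses passwd-format entries (a constructed sample standing in for what `getent passwd` would return through SSSD) and flags accounts in the system UID range (assumed here to be below 1000, as on Fedora/RHEL) whose shell permits an interactive login. The entry names, UIDs and the `SYSTEM_UID_MAX` constant are assumptions for the example.

```python
"""Flag daemon/system accounts whose directory entry allows interactive login.

Constructed example, not from the mailing-list thread. The sample entries
below imitate `getent passwd` output on a host that gets users from LDAP/IPA
via SSSD, where a mis-provisioned `apache` entry has been given /bin/bash.
"""
from dataclasses import dataclass

# Shells that deny interactive login on common Linux distributions.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Assumption: system accounts occupy UIDs 1..999 (Fedora/RHEL SYS_UID_MAX).
# UID 0 is excluded from the report because root is expected to have a shell.
SYSTEM_UID_MAX = 999


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int
    home: str
    shell: str

    @property
    def is_system(self) -> bool:
        return 0 < self.uid <= SYSTEM_UID_MAX

    @property
    def can_login(self) -> bool:
        return self.shell not in NOLOGIN_SHELLS


def parse_passwd(text: str) -> list[Account]:
    """Parse passwd(5)-formatted lines into Account records."""
    accounts: list[Account] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd entry: {line!r}")
        name, _password, uid, gid, _gecos, home, shell = fields
        accounts.append(Account(name, int(uid), int(gid), home, shell))
    return accounts


def login_capable_system_accounts(accounts: list[Account]) -> list[Account]:
    """Return system-range accounts that have an interactive shell."""
    return [a for a in accounts if a.is_system and a.can_login]


def audit_passwd(text: str) -> list[str]:
    """Convenience wrapper: names of flagged accounts, in passwd order."""
    return [a.name for a in login_capable_system_accounts(parse_passwd(text))]


# Constructed sample: a local root, a directory-sourced apache entry that was
# given a real shell, a low-UID backup service account, and a normal user.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/bin/bash
backup:x:990:990:Backup service:/var/lib/backup:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/usr/share/empty.sshd:/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
"""

if __name__ == "__main__":
    for acct in login_capable_system_accounts(parse_passwd(SAMPLE_PASSWD)):
        print(f"WARNING: system account {acct.name} (uid {acct.uid}) has shell {acct.shell}")
```

On a real host, feed the script the output of `getent passwd` instead of the constructed sample; an entry such as `apache` showing up with a login shell is exactly the case the message warns about, and the fix is in the directory (a nologin shell and no HBAC or sudo grants for that account), not on the client.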
