[Freeipa-users] Adding other users to a user's created default group

2013-02-15 Thread KodaK
I suspect the answer to this is no, but I'm asking anyway:

Let's say I have an IPA user named bob.  When bob was created, IPA
created a matching GID for him.  Is it possible, through IPA, to add
another user to that GID?

If not, and I add another user to that GID by directly manipulating
LDAP, will that break anything in IPA?

I know the correct way is to make a new group.

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Adding other users to a user's created default group

2013-02-15 Thread Simo Sorce
On Fri, 2013-02-15 at 17:35 -0500, Dmitri Pal wrote:
> On 02/15/2013 05:15 PM, KodaK wrote:
>> I suspect the answer to this is no, but I'm asking anyway:
>>
>> Let's say I have an IPA user named bob.  When bob was created, IPA
>> created a matching GID for him.  Is it possible, through IPA, to add
>> another user to that GID?
>>
>> If not, and I add another user to that GID by directly manipulating
>> LDAP, will that break anything in IPA?
>>
>> I know the correct way is to make a new group.
>
> I think you should be able to.

You may be able to but you -should not-.

> There was/is a way to display UPGs in the
> UI so it should be manageable as yet another group with some special
> warnings. At least this is how it was spec'd. I do not know how it is
> actually implemented.

No, the UPG are not special just because of display reasons.

The UPG are private to the user because on most *nix the default mask
allows access by the primary group. This means having other users be part
of the primary group of a user means all this user's files are readable by
the other users by default.

So the way we generate UPGs is that we do not add the groupOFmembers
objectclass, which prevents you from adding the member attribute,
preventing additional users from being made part of this group.

Now, you can convert a UPG group into a normal group manually via LDAP
operations, or you can also simply delete the UPG and then recreate a
new group with the same gid number.

Just make sure you are comfortable with the security consequences for
the original user when doing so.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

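Simo's point about the default mask is the whole reason a UPG must stay private, so here is an added example (not code from the thread or from FreeIPA) that makes the consequence concrete. It creates a file and a directory under three umasks and reports what the group bits grant. 002 is what RHEL/Fedora's /etc/bashrc selects when a user's primary group name equals the user name, i.e. exactly the UPG case, so on those systems a second member of bob's UPG gets write access to everything bob creates, not just read. The script assumes GNU coreutils stat (-c '%a') and a writable temporary directory; no real user or FreeIPA server is involved.

```shell
#!/bin/sh
# Added example (not code from the thread or from FreeIPA): what a user's
# primary group inherits from the default umask. Assumes GNU coreutils
# stat (-c '%a'); the umask values are the ones under discussion, not read
# from any system.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a fresh file and directory under the given umask and print their
# octal modes as "FILE DIR", e.g. "664 775".
modes_under_umask() {
    d=$(mktemp -d "$WORK/u.XXXXXX")
    (
        umask "$1"
        : > "$d/f"
        mkdir "$d/sub"
        printf '%s %s\n' "$(stat -c '%a' "$d/f")" "$(stat -c '%a' "$d/sub")"
    )
}

# Report the group permission bits of an octal mode as "rw", "r", "w" or "-".
group_access() {
    g=$(( (0$1 >> 3) & 7 ))      # middle octal digit = group bits
    out=''
    [ $((g & 4)) -ne 0 ] && out="${out}r"
    [ $((g & 2)) -ne 0 ] && out="${out}w"
    printf '%s\n' "${out:--}"
}

# 002: RHEL/Fedora /etc/bashrc default when primary group name == user name
#      (the UPG case); 022: common non-UPG default; 077: what to set before
#      letting anyone else into the group.
for m in 002 022 077; do
    set -- $(modes_under_umask "$m")
    printf 'umask %s: file %s (group %s), dir %s (group %s)\n' \
        "$m" "$1" "$(group_access "$1")" "$2" "$(group_access "$2")"
done
```

Read the output as: every member of the primary group gets the "group" column on every new file, with no action by bob. That is why adding alice to bob's UPG is equivalent to granting alice read (umask 022) or read/write (umask 002) on bob's future files by default.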


Re: [Freeipa-users] Adding other users to a user's created default group

2013-02-15 Thread Dmitri Pal
On 02/15/2013 05:50 PM, Simo Sorce wrote:
> On Fri, 2013-02-15 at 17:35 -0500, Dmitri Pal wrote:
>> On 02/15/2013 05:15 PM, KodaK wrote:
>>> I suspect the answer to this is no, but I'm asking anyway:
>>>
>>> Let's say I have an IPA user named bob.  When bob was created, IPA
>>> created a matching GID for him.  Is it possible, through IPA, to add
>>> another user to that GID?
>>>
>>> If not, and I add another user to that GID by directly manipulating
>>> LDAP, will that break anything in IPA?
>>>
>>> I know the correct way is to make a new group.
>>
>> I think you should be able to.
> You may be able to but you -should not-.
>
>> There was/is a way to display UPGs in the
>> UI so it should be manageable as yet another group with some special
>> warnings. At least this is how it was spec'd. I do not know how it is
>> actually implemented.
> No, the UPG are not special just because of display reasons.

This is not what I said or meant.
UPGs are not by default shown in the UI.
They are filtered out.
There is a way (at least how it was spec'd) to show them and perform
operations on them.
There is supposed to be a check box on the list of the groups screen
that controls it (I do not have the IPA instance to confirm).
I also do not remember what operations are allowed against such a group.
It might very well be that the only operation allowed is to decouple the UPG
from the user. Now that I think of it this might be the case. This is an
irreversible operation.
Then you can add another user into that group, but definitely Simo is
correct about the security implications; however, based on the way you
worded the question it seems that you are aware of them.

> The UPG are private to the user because on most *nix the default mask
> allows access by the primary group. This means having other users be part
> of the primary group of a user means all this user's files are readable by
> the other users by default.
>
> So the way we generate UPGs is that we do not add the groupOFmembers
> objectclass, which prevents you from adding the member attribute,
> preventing additional users from being made part of this group.
>
> Now, you can convert a UPG group into a normal group manually via LDAP
> operations, or you can also simply delete the UPG and then recreate a
> new group with the same gid number.

There should be a CLI command for that AFAIR.


> Just make sure you are comfortable with the security consequences for
> the original user when doing so.
>
> Simo.



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


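The CLI command Dmitri is recalling is `ipa group-detach GROUP`, which does the one-way conversion of a user private group into an ordinary group. Before running it, an admin will want to confirm what kind of group they are looking at. The added example below (not code from the thread or from FreeIPA) classifies a group from the text that `ipa group-show GROUP --all --raw` prints, using the mechanism Simo describes: a UPG has no groupofnames objectclass, so the directory server rejects a `member` attribute on it, while a regular or detached group carries groupofnames and accepts members. The two sample outputs are constructed for the example, with made-up DNs and gidNumbers, and the script runs offline against them; the `ipa` commands in the trailing comment are the real FreeIPA CLI as used against a live server.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA's own code): classify a
# group from `ipa group-show GROUP --all --raw` output before changing it.
# A FreeIPA user private group lacks the groupofnames objectclass, so the
# directory rejects a `member` attribute on it (objectClass violation);
# a detached or regular group carries groupofnames and accepts members.
set -eu

# Reads `ipa group-show --all --raw` output on stdin and prints
# "upg" (private, cannot take members) or "regular" (can take members).
classify_group() {
    has_gon=0
    while read -r line; do                      # default IFS strips indentation
        lc=$(printf '%s' "$line" | tr 'A-Z' 'a-z')   # attribute case varies
        case $lc in
            objectclass:\ groupofnames) has_gon=1 ;;
        esac
    done
    if [ "$has_gon" -eq 1 ]; then echo regular; else echo upg; fi
}

# Constructed sample output (not captured from a real server): attribute
# names and objectclasses follow FreeIPA's schema, DNs and gids are made up.
UPG_SAMPLE='  dn: cn=bob,cn=groups,cn=accounts,dc=example,dc=com
  cn: bob
  description: User private group for bob
  gidnumber: 1234500001
  mepmanagedby: uid=bob,cn=users,cn=accounts,dc=example,dc=com
  objectclass: posixgroup
  objectclass: ipaobject
  objectclass: mepManagedEntry'

REGULAR_SAMPLE='  dn: cn=developers,cn=groups,cn=accounts,dc=example,dc=com
  cn: developers
  gidnumber: 1234500010
  member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
  objectclass: top
  objectclass: groupofnames
  objectclass: nestedgroup
  objectclass: ipausergroup
  objectclass: ipaobject
  objectclass: posixgroup'

printf 'bob:        %s\n' "$(printf '%s\n' "$UPG_SAMPLE" | classify_group)"
printf 'developers: %s\n' "$(printf '%s\n' "$REGULAR_SAMPLE" | classify_group)"

# Against a live server an admin would run (real FreeIPA commands):
#   ipa group-show bob --all --raw | classify_group
#   ipa group-detach bob                     # one-way: bob's UPG becomes an ordinary group
#   ipa group-add-member bob --users=alice   # now accepted; alice inherits bob's default-umask access
```

Deleting the UPG and recreating a group with the same gidNumber, the other route Simo mentions, ends in the same place: a groupofnames group whose members share bob's primary GID, with the file-permission consequences above. Prefer `ipa group-detach` over hand-edited LDAP so the managed-entry linkage on bob's user entry is cleaned up by the server rather than left dangling.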