Re: gids assigned non-deterministically

2006-10-10 Thread Tim Dijkstra
On Mon, 9 Oct 2006 14:39:07 -0500 Peter Samuelson [EMAIL PROTECTED] wrote: [Roberto C. Sanchez] That is a problem if I want to serve everything up out of LDAP. There really should be a reserved range, maybe 100-499 of Debian gids, where they are assigned in a predetermined way. I

Re: gids assigned non-deterministically

2006-10-10 Thread Gabor Gombas
On Tue, Oct 10, 2006 at 09:36:56AM +0200, Tim Dijkstra wrote: That is no longer a reality with groups like plugdev, powerdev and netdev, which users need to be a member of to be able to get the wonders of automatically mounted usb-sticks, tweakable power management and whatever comes with the

Re: gids assigned non-deterministically

2006-10-10 Thread Tim Dijkstra
On Tue, 10 Oct 2006 11:20:26 +0200 Gabor Gombas [EMAIL PROTECTED] wrote: On Tue, Oct 10, 2006 at 09:36:56AM +0200, Tim Dijkstra wrote: That is no longer a reality with groups like plugdev, powerdev and netdev, which users need to be a member of to be able to get the wonders of

Re: gids assigned non-deterministically

2006-10-10 Thread Petter Reinholdtsen
[Tim Dijkstra] Hmm, pam_group doesn't sound too secure to me... what if on one machine gid 110 is www-data and on another plugdev. Then if a user logs in on the second machine it will get access to gid 110, make some suid executable, which on another machine ... Well the nfs mount is nosuid,
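The collision Tim describes above (the same numeric gid naming www-data on one host and plugdev on another) is easy to miss by eye once a network has more than a handful of machines, because the kernel and NFS authorise on the number, not the name. The script below is an added example for this thread, not code posted by any participant: it parses /etc/group-format text gathered from several hosts and reports every gid that carries different names on different hosts, and every group name that carries different gids. The host names, group files and gid values are constructed sample data chosen to reproduce the scenario in the message; in practice you would feed it the output of `getent group` (which also includes directory-served groups) or `cat /etc/group` collected over ssh.

```python
"""Audit /etc/group data from several hosts for gid/name mismatches.

Added example for this thread, not code from the original posts. The hosts,
group files and gids below are constructed sample data that reproduce the
scenario discussed: gid 110 is www-data on some hosts and plugdev on another.
"""
from collections import defaultdict

# Constructed sample: contents of /etc/group on three hypothetical hosts.
SAMPLE_GROUP_FILES = {
    "hostA": "root:x:0:\nwww-data:x:110:\nplugdev:x:111:alice\nnetdev:x:112:alice\n",
    "hostB": "root:x:0:\nplugdev:x:110:bob\nwww-data:x:111:\nnetdev:x:112:bob\n",
    "hostC": "root:x:0:\nwww-data:x:110:\nplugdev:x:111:carol\npowerdev:x:113:carol\n",
}


def parse_group_file(text):
    """Parse /etc/group-format text (name:passwd:gid:members) into {name: gid}.

    Blank lines, comments and malformed lines are skipped rather than guessed at.
    """
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        mapping[fields[0]] = int(fields[2])
    return mapping


def find_gid_conflicts(group_files):
    """Return (gid_conflicts, name_conflicts) for a {host: group_file_text} mapping.

    gid_conflicts:  {gid: {name: [hosts]}} for gids that mean different groups on
                    different hosts. This is the dangerous case on an NFS/LDAP
                    network: membership granted for one purpose on host B is
                    honoured as a different group's access on host A.
    name_conflicts: {name: {gid: [hosts]}} for names with different gids on
                    different hosts, which is what breaks a single shared
                    directory entry for that group.
    """
    gid_to_names = defaultdict(lambda: defaultdict(list))
    name_to_gids = defaultdict(lambda: defaultdict(list))
    for host, text in group_files.items():
        for name, gid in parse_group_file(text).items():
            gid_to_names[gid][name].append(host)
            name_to_gids[name][gid].append(host)
    gid_conflicts = {g: dict(n) for g, n in gid_to_names.items() if len(n) > 1}
    name_conflicts = {n: dict(g) for n, g in name_to_gids.items() if len(g) > 1}
    return gid_conflicts, name_conflicts


def report(group_files):
    """Render the conflicts as one human-readable line each."""
    gid_conflicts, name_conflicts = find_gid_conflicts(group_files)
    lines = []
    for gid in sorted(gid_conflicts):
        parts = ", ".join(f"{name} on {'/'.join(hosts)}"
                          for name, hosts in sorted(gid_conflicts[gid].items()))
        lines.append(f"gid {gid} means: {parts}")
    for name in sorted(name_conflicts):
        parts = ", ".join(f"{gid} on {'/'.join(hosts)}"
                          for gid, hosts in sorted(name_conflicts[name].items()))
        lines.append(f"group {name} has gid: {parts}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_GROUP_FILES):
        print(line)
```

Any gid listed under "gid N means:" is one where a group-owned file or directory on shared storage grants different rights depending on which host you read it from; those are the ones to renumber before pointing the clients at a common directory.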

Re: gids assigned non-deterministically

2006-10-10 Thread Wouter Verhelst
On Mon, Oct 09, 2006 at 10:16:45AM -0400, Roberto C. Sanchez wrote: I guess that if the deployment were on a new network, it would be easier to affect how the gids are assigned, since you would be looking for issues like that. However, for an existing network, this can be more of a problem.

Re: gids assigned non-deterministically

2006-10-10 Thread Gabor Gombas
On Tue, Oct 10, 2006 at 11:33:43AM +0200, Tim Dijkstra wrote: Hmm, pam_group doesn't sound too secure to me... what if on one machine gid 110 is www-data and on another plugdev. Then if a user logs in on the second machine it will get access to gid 110, make some suid executable, which on

Re: gids assigned non-deterministically

2006-10-10 Thread Tim Dijkstra
On Tue, 10 Oct 2006 15:08:29 +0200 Gabor Gombas [EMAIL PROTECTED] wrote: On Tue, Oct 10, 2006 at 11:33:43AM +0200, Tim Dijkstra wrote: Hmm, pam_group doesn't sound too secure to me... what if on one machine gid 110 is www-data and on another plugdev. Then if a user logs in on the second

Re: gids assigned non-deterministically

2006-10-10 Thread Roberto C. Sanchez
On Tue, Oct 10, 2006 at 11:20:26AM +0200, Gabor Gombas wrote: On Tue, Oct 10, 2006 at 09:36:56AM +0200, Tim Dijkstra wrote: That is no longer a reality with groups like plugdev, powerdev and netdev, which users need to be a member of to be able to get the wonders of automatically mounted

Re: gids assigned non-deterministically

2006-10-10 Thread Roberto C. Sanchez
On Tue, Oct 10, 2006 at 12:46:58PM +0200, Wouter Verhelst wrote: On Mon, Oct 09, 2006 at 10:16:45AM -0400, Roberto C. Sanchez wrote: I guess that if the deployment were on a new network, it would be easier to affect how the gids are assigned, since you would be looking for issues like that.

Re: gids assigned non-deterministically

2006-10-10 Thread Gabor Gombas
On Tue, Oct 10, 2006 at 11:15:51AM -0400, Roberto C. Sanchez wrote: That is fine for a home network. However, on a network of 1000 workstations, having to specify group memberships on the clients is kind of a pain. It's not different than having to specify what NFS file systems to mount or

Re: gids assigned non-deterministically

2006-10-10 Thread Gabor Gombas
On Tue, Oct 10, 2006 at 03:36:20PM +0200, Tim Dijkstra wrote: That's not an argument, someone can just 'chown :plugdev' something. Crap. I knew I'd overlook something. I think you could still prevent that with SELinux though :-) On the other hand I was thinking about if in your case basically

Re: gids assigned non-deterministically

2006-10-10 Thread Tim Dijkstra
On Tue, 10 Oct 2006 18:10:42 +0200 Gabor Gombas [EMAIL PROTECTED] wrote: On Tue, Oct 10, 2006 at 03:36:20PM +0200, Tim Dijkstra wrote: That's not an argument, someone can just 'chown :plugdev' something. Crap. I knew I'd overlook something. I think you could still prevent that with

gids assigned non-deterministically

2006-10-09 Thread Roberto C. Sanchez
I have started working with transitioning a network to LDAP. I am still experimenting with this at home before implementing it for real. This brings me to my concern. It appears that many groups are added to the system willy-nilly. By that I mean, I have one system where part of the /etc/group

Re: gids assigned non-deterministically

2006-10-09 Thread Andreas Metzler
Roberto C. Sanchez [EMAIL PROTECTED] wrote: I have started working with transitioning a network to LDAP. I am still experimenting with this at home before implementing it for real. This brings me to my concern. It appears that many groups are added to the system willy-nilly. By that I

Re: gids assigned non-deterministically

2006-10-09 Thread Peter Samuelson
[Roberto C. Sanchez] That is a problem if I want to serve everything up out of LDAP. There really should be a reserved range, maybe 100-499 of Debian gids, where they are assigned in a predetermined way. I don't think it's a good idea to put system users and groups into LDAP anyway. They are

Re: gids assigned non-deterministically

2006-10-09 Thread Roberto C. Sanchez
On Mon, Oct 09, 2006 at 07:09:14PM +0200, Andreas Metzler wrote: Roberto C. Sanchez [EMAIL PROTECTED] wrote: I have started working with transitioning a network to LDAP. I am still experimenting with this at home before implementing it for real. This brings me to my concern. It appears

Re: gids assigned non-deterministically

2006-10-09 Thread Roberto C. Sanchez
On Mon, Oct 09, 2006 at 02:39:07PM -0500, Peter Samuelson wrote: [Roberto C. Sanchez] That is a problem if I want to serve everything up out of LDAP. There really should be a reserved range, maybe 100-499 of Debian gids, where they are assigned in a predetermined way. I don't think