URL: https://github.com/SSSD/sssd/pull/21 Title: #21: IFP: expose user and group unique IDs through DBus
pbrezina commented: """ On 09/21/2016 12:29 PM, Jakub Hrozek wrote: > On Tue, Sep 20, 2016 at 05:24:45AM -0700, sumit-bose wrote: >> > With the SIDs we already have a library thay pretty much anyone can > call and retrieve the SID for ID. But not for GUIDs.. CC @sbose-rh for > another opinion.. >> >> In general the GUIDs are even less informative than the SID, e.g. you > cannot derive the domain form it, it is just a random strings created > with some rules to try to avoid collisions. So I cannot see a leak here. > Additionally I think there is only special protection on the LDAP side > on the GUID attribute, e.g. ipaUniqueID can be read anonymously. >> >> Only if the GUID is misused, e.g. as initial password, there would be > an issue but imo not on our side. > > Thank you. > > Then I don't see a reason to not accept this PR. I tested it and it > seems to work: > > $ dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe > /org/freedesktop/sssd/infopipe/Users > org.freedesktop.sssd.infopipe.Users.FindByName string:ad...@ipa.test > method return time=1474453460.862332 sender=:1.305 -> destination=:1.308 > serial=9 reply_serial=2 > object path "/org/freedesktop/sssd/infopipe/Users/ipa_2etest/935600000" > > $ dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe > /org/freedesktop/sssd/infopipe/Users/ipa_2etest/935600000 > org.freedesktop.DBus.Properties.Get > string:org.freedesktop.sssd.infopipe.Users.User string:uniqueID > method return time=1474453484.184180 sender=:1.305 -> destination=:1.309 > serial=11 reply_serial=2 > variant string "4e80c946-436e-11e6-8fbd-525400f71478" > > If anyone thinks having group_attributes should block this PR, I'm OK > with implementing it.. > > So I'll just wait a bit to see if there is any opposition and if not, > I'll push the patch.. Feel free to push it. We can create a ticket to trac more detailed access control in IFP. I remember that we talked about usign polkit for this, since IFP is slowly growing we should look into this. """ See the full comment at https://github.com/SSSD/sssd/pull/21#issuecomment-248578041
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org