On Tue, Oct 31, 2017 at 12:48:42PM +0100, Jakub Hrozek wrote:
> OK, this is another possibility. I guess this would amount to creating
> a new DP method to fetch the rules and calling it from IFP? Anything else?
> 
> I also wonder about IFP access control in this respect. By default we only
> allow root to call our D-Bus API. If the IFP access list is extended, anyone
> will be able to fetch the rules -- but since anyone is able to call
> pam_acct_mgmt() from a simple program (..or just write raw data to the
> PAM socket) I don't see this as an issue.

I realized we never pushed this design page upstream; I created
https://pagure.io/SSSD/docs/pull-request/58 for that (this version
includes Pavel's changes).
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org