On Tue, 10 Oct 2006 18:10:42 +0200
Gabor Gombas <[EMAIL PROTECTED]> wrote:
> On Tue, Oct 10, 2006 at 03:36:20PM +0200, Tim Dijkstra wrote:
>
> > That's not an argument someone can just 'chown :plugdev' something.
>
> Crap. I knew I'd overlook something. I think you could still prevent
> that wit
On Tue, Oct 10, 2006 at 03:36:20PM +0200, Tim Dijkstra wrote:
> That's not an argument someone can just 'chown :plugdev' something.
Crap. I knew I'd overlook something. I think you could still prevent
that with SELinux though :-)
On the other hand I was thinking about if in your case basically a
On Tue, Oct 10, 2006 at 11:15:51AM -0400, Roberto C. Sanchez wrote:
> That is fine for a home network. However, on a network of 1000
> workstations, having to specify group memberships on the clients is kind
> of a pain.
It's not different than having to specify what NFS file systems to mount
or
On Tue, Oct 10, 2006 at 12:46:58PM +0200, Wouter Verhelst wrote:
> On Mon, Oct 09, 2006 at 10:16:45AM -0400, Roberto C. Sanchez wrote:
> > I guess that if the deployment were on a new network, it would be easier
> > to affect how the gids are assigned, since you would be looking for
> > issues like
On Tue, Oct 10, 2006 at 11:20:26AM +0200, Gabor Gombas wrote:
> On Tue, Oct 10, 2006 at 09:36:56AM +0200, Tim Dijkstra wrote:
>
> > That is no longer a reality with groups like plugdev, powerdev and
> > netdev, which users need to be a member of to be able to get the wonders
> > of automatically m
On Tue, 10 Oct 2006 15:08:29 +0200
Gabor Gombas <[EMAIL PROTECTED]> wrote:
> On Tue, Oct 10, 2006 at 11:33:43AM +0200, Tim Dijkstra wrote:
>
> > Hmm, pam_group doesn't sound too secure to me... what if on one machine
> > gid 110 is www-data and on another plugdev. Then if a user logs in on the
>
On Tue, Oct 10, 2006 at 11:33:43AM +0200, Tim Dijkstra wrote:
> Hmm, pam_group doesn't sound too secure to me... what if on one machine
> gid 110 is www-data and on another plugdev. Then if a user logs in on the
> second machine it will get access to gid 110, make some suid executable, which on
On Mon, Oct 09, 2006 at 10:16:45AM -0400, Roberto C. Sanchez wrote:
> I guess that if the deployment were on a new network, it would be easier
> to affect how the gids are assigned, since you would be looking for
> issues like that. However, for an existing network, this can be more of
> a problem
[Tim Dijkstra]
> Hmm, pam_group doesn't sound too secure to me... what if on one
> machine gid 110 is www-data and on another plugdev. Then if a user
> logs in on the second machine it will get access to gid 110, make
> some suid executable, which on another machine ... Well the nfs
> mount is nosui
On Tue, 10 Oct 2006 11:20:26 +0200
Gabor Gombas <[EMAIL PROTECTED]> wrote:
> On Tue, Oct 10, 2006 at 09:36:56AM +0200, Tim Dijkstra wrote:
>
> > That is no longer a reality with groups like plugdev, powerdev and
> > netdev, which users need to be a member of to be able to get the wonders
> > of a
On Tue, Oct 10, 2006 at 09:36:56AM +0200, Tim Dijkstra wrote:
> That is no longer a reality with groups like plugdev, powerdev and
> netdev, which users need to be a member of to be able to get the wonders
> of automatically mounted usb-sticks, tweakable power management and
> whatever comes with
On Mon, 9 Oct 2006 14:39:07 -0500
Peter Samuelson <[EMAIL PROTECTED]> wrote:
>
> [Roberto C. Sanchez]
> > That is a problem if I want to serve everything up out of LDAP.
> > There really should be a "reserved" range, maybe 100-499 of Debian
> > gids, where they are assigned in a predetermined way
On Mon, Oct 09, 2006 at 02:39:07PM -0500, Peter Samuelson wrote:
>
> [Roberto C. Sanchez]
> > That is a problem if I want to serve everything up out of LDAP.
> > There really should be a "reserved" range, maybe 100-499 of Debian
> > gids, where they are assigned in a predetermined way.
>
> I don'
On Mon, Oct 09, 2006 at 07:09:14PM +0200, Andreas Metzler wrote:
> Roberto C. Sanchez <[EMAIL PROTECTED]> wrote:
> > I have started working with transitioning a network to LDAP. I am still
> > experimenting with this at home before implementing it "for real." This
> > brings me to my concern. It
[Roberto C. Sanchez]
> That is a problem if I want to serve everything up out of LDAP.
> There really should be a "reserved" range, maybe 100-499 of Debian
> gids, where they are assigned in a predetermined way.
I don't think it's a good idea to put system users and groups into LDAP
anyway. They
Roberto C. Sanchez <[EMAIL PROTECTED]> wrote:
> I have started working with transitioning a network to LDAP. I am still
> experimenting with this at home before implementing it "for real." This
> brings me to my concern. It appears that many groups are added to the
> system "willy-nilly." By th
I have started working with transitioning a network to LDAP. I am still
experimenting with this at home before implementing it "for real." This
brings me to my concern. It appears that many groups are added to the
system "willy-nilly." By that I mean, I have one system where part of
the /etc/gr