Hi Maarten,
> The idea was to finally fix the security issues with the static accounts,
> so we did not want to give an easy option to just ignore these changes.
You suggest that the sgm and prd accounts are in a different primary
group than the normal users (although having the normal group as
secondary group).
This will cause trouble when software or data is written group-readable
and normal users want to access it.
In addition, there will be problems when one sgm or prd user
changes/deletes files written by another sgm or prd user.
For sure, there are ways of dealing with these issues on the system
side, but I doubt every sgm or prd user or sysadmin will do this.
I fear that files might end up world readable and writable, which
implies other security concerns (not to mention the administrative
overhead: "Why can't I read the VO software at your site?"...)
What are the experiences of other sites with these changes?
Have there been any security incidents in the past that forced the
implementation of the new mapping accounts?
Is there any possibility to use the old mapping scheme?
Best
Yves
--------------------------------------------
Yves Kemp
Desy IT 2b/312
Fon: +49-(0)40-8998-2318 Notkestr. 85
Fax: +49-(0)40-8994-2318 D-22607 Hamburg
--------------------------------------------