... in any case this is a major change which screws the site's
configuration if no precautions are taken.
For my feeling, such a change in the authorization concept should not be
carried out in a *simple* regular update.

Regards
Andreas

On Wed, 2 May 2007, Yves Kemp wrote:
> Hi Maarten,
>
> > The idea was to finally fix the security issues with the static accounts,
> > so we did not want to give an easy option to just ignore these changes.
>
> You suggest that the sgm and prd accounts are in a different primary
> group than the normal users. (although having the normal group as
> secondary group)
> This will cause trouble when software or data is written group-readable,
> and normal users want to access them.
> In addition, there will be problems when one sgm or prd user
> changes/deletes files written by another sgm or prd user.
>
> For sure, there are ways of dealing with these issues on the system
> side, but I doubt every sgm or prd user or sysadmin will do this.
>
> I fear that files might end up world readable and writable, which
> implies other security concerns (not to mention the administrative
> overhead: "Why can't I read the VO software at your site?"...)
>
> What are the experiences of other sites with these changes?
>
> Have there been any security incidents in the past that forced the
> implementation of the new mapping accounts?
>
> Is there any possibility to use the old mapping scheme?
>
> Best
>
> Yves
>
> --------------------------------------------
> Yves Kemp
> Desy IT 2b/312
> Fon: +49-(0)40-8998-2318 Notkestr. 85
> Fax: +49-(0)40-8994-2318 D-22607 Hamburg
> --------------------------------------------
>
++++++++++++++++++++++++++++++++++++++++++++++++
Andreas Gellrich http://www.desy.de/~gellrich
DESY IT
++++++++++++++++++++++++++++++++++++++++++++++++