[Mageia-sysadm] Usernames, uids, and groups
Buchan Milne
bgmilne at multilinks.com
Wed Nov 10 10:10:18 CET 2010
On Wednesday, 10 November 2010 01:01:21 nicolas vigier wrote:
> On Tue, 09 Nov 2010, Buchan Milne wrote:
> > On Monday, 8 November 2010 17:29:24 nicolas vigier wrote:
> > > On some machines like the svn server, we need to use pam_ldap to allow
> > > users access with their ldap accounts. But on other servers like
> > > alamut (web services), or the build nodes, normal users have no reason
> > > to login.
> >
> > But, sysadm members have a reason, and I see no reason to increase their
> > overhead with local accounts.
>
> Maybe not on alamut, but on build nodes, I don't think user accounts for
> sysadmins will be very useful. The only reason to login to those nodes
> will be to check/fix iurt problems, which requires root permissions.
Root privileges, and how a user logs in, are different things.
IMHO, the only time a sysadmin should log in directly as root is to fix a
problem that is preventing authentication from working (e.g. problem booting,
bringing network up, fixing name resolution etc. etc.).
> > > On those servers, do you think we should restrict access with
> > > ssh configuration and a group, or disable pam_ldap completely on those
> > > servers and only use local accounts ?
> >
> > I was planning for pam_ldap's pam_groupdn option. E.g. a 'sysadm' group.
> >
> > > We also need to decide what UID ranges we use for local accounts, and
> > > for ldap accounts.
> > >
> > > And groups. I think we could use the following groups :
> > > * posix : promotes the user as posixAccount+sshPublicKey (in ldap), and
> > > allows access to the svn and git using svn+ssh:// and git+ssh://
> >
> > I think it would be better to try and provide VCS commit access without
> > shell access. This is easy enough for subversion with mod_dav_svn.
>
> Is there the same for git ?
Not really. AFAIU, the model for git is that there should be no such thing as
authorization ...
> But we already need (restricted) shell access for mdvsys submit.
Why? In the original repsys model, a request to "build pkg foo rXXXX for
release Y" was all that was required. While I agree it may be quicker to go
with mdvsys/iurt etc. now, why should submission require shell access? AFAIK,
other similar tools (koji, OBS) don't.
> > > * packager : allows commits in packages repository, package submit using
> > > mdvsys,
> >
> > How are we submitting to mdvsys? Command-line? API?
>
> With mdvsys, and a restricted shell on valstar allowing access to only
> /usr/share/repsys/create-srpm, svn and git commands.
>
> > > additional permissions on bugzilla,
> >
> > What permissions do packagers need that non-packager committer don't?
>
> Maybe none, I'm not sure.
>
> > > access to the packages
> > > maintainers database, etc ...
> > >
> > > * web : for members of web team, allows commits in web repository
> > > * documentation, translator, qa, marketing, etc ... :
> > > * packagerapprentice, webapprentice, etc ... : for apprentices, with
> > > more restricted access
> >
> > This is svn commit but no mdvsys access?
>
> Yes.
>
> > > * sysadm : gives admin permissions on all applications
> >
> > There is 'Account Admin' "system" group in LDAP, which allows any
> > modification to any users. But, should system administration necessarily
> > mean all access in all applications?
>
> I think yes, at least for applications managed by sysadmin team.
From a security/governance perspective, this would normally not be a good
idea, as powers should be separated ...
Regards,
Buchan
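The restricted shell on valstar that the thread mentions (access limited to /usr/share/repsys/create-srpm plus the svn and git commands) is the kind of thing that is easy to get subtly wrong, so here is an added worked example of one. It is not Mageia's code and not the shell actually deployed; it assumes an install path of /usr/local/bin/rshell set as the packagers' login shell, a repository root of /srv/git, and that "svn and git commands" means the server-side helpers those protocols invoke (svnserve -t for svn+ssh://, git-upload-pack / git-receive-pack for git+ssh://) rather than the full svn and git binaries. The sample command strings in the comments are constructed for the illustration.

```bash
#!/bin/bash
# rshell: allow-list login shell for a VCS/submit host.
# Added example, not Mageia's code.  Assumptions: installed as
# /usr/local/bin/rshell and set as the packager accounts' login shell, so
# sshd runs it as `rshell -c "<command>"` for a remote command and with no
# arguments for an interactive session; repository root and helper paths
# are made up for the illustration.
set -u

RSHELL_GIT_ROOT=/srv/git                          # assumed repository root
RSHELL_CREATE_SRPM=/usr/share/repsys/create-srpm  # path named in the thread
RSHELL_CMD=                                        # set by rshell_plan

# Allow-list the alphabet instead of enumerating shell metacharacters: letters,
# digits, . _ / @ : = + , - space, and the bare single quotes git itself puts
# around the repository path.  $ ` ; | & < > \ " and newlines never get through.
rshell_is_clean() {
    [ -z "$(printf '%s' "$1" | LC_ALL=C tr -d "A-Za-z0-9._/@:=+,' -")" ]
}

# Keep a repository path inside RSHELL_GIT_ROOT: absolute, no empty, "." or
# ".." components.  Prints the accepted path.  (Symlinks inside the root are
# not checked here; keep the root free of them or resolve with realpath.)
rshell_repo_path() {
    case "$1" in "$RSHELL_GIT_ROOT"/*) ;; *) return 1 ;; esac
    case "$1/" in */../*|*/./*|*//*) return 1 ;; esac
    printf '%s\n' "$1"
}

# Validate one command string from the client, e.g. "git-upload-pack '/srv/git/foo.git'".
# On success RSHELL_CMD holds the exact argument vector to run, joined by
# single spaces (arguments can never contain a space, because space is the only
# separator we split on).  The client string is never evaluated by a shell,
# only word-split and compared.
rshell_plan() {
    RSHELL_CMD=
    rshell_is_clean "$1" || { echo "rshell: refused: illegal character" >&2; return 1; }
    set -f; set -- $1; set +f      # word-split without globbing
    [ $# -gt 0 ] || { echo "rshell: refused: empty command" >&2; return 1; }
    case "$1" in
        create-srpm|"$RSHELL_CREATE_SRPM")
            # Submission helper: arguments are passed through verbatim.
            shift
            if [ $# -gt 0 ]; then RSHELL_CMD="$RSHELL_CREATE_SRPM $*"
            else RSHELL_CMD=$RSHELL_CREATE_SRPM; fi ;;
        svnserve)
            # svn+ssh:// only ever needs tunnel mode; -r, -d, -X etc. are refused.
            [ $# -eq 2 ] && [ "$2" = -t ] ||
                { echo "rshell: refused: only 'svnserve -t' is allowed" >&2; return 1; }
            RSHELL_CMD="/usr/bin/svnserve -t" ;;
        git-upload-pack|git-receive-pack)
            # What git+ssh:// clients invoke.  A bare "git" is deliberately not
            # accepted: "git -c alias.x=..." and friends would run anything.
            [ $# -eq 2 ] || { echo "rshell: refused: $1 takes one repository" >&2; return 1; }
            repo=$2; repo=${repo#\'}; repo=${repo%\'}
            repo=$(rshell_repo_path "$repo") ||
                { echo "rshell: refused: repository outside $RSHELL_GIT_ROOT" >&2; return 1; }
            RSHELL_CMD="/usr/bin/$1 $repo" ;;
        *)
            echo "rshell: refused: '$1' is not an allowed command" >&2
            return 1 ;;
    esac
}

# Entry point used when we are the login shell.
rshell_main() {
    if [ $# -eq 2 ] && [ "$1" = -c ]; then
        rshell_plan "$2" || exit 1
        logger -t rshell "${USER:-?} runs: $RSHELL_CMD"   # audit trail in syslog
        set -f; set -- $RSHELL_CMD; set +f
        exec "$@"                                        # no shell in between
    fi
    echo "rshell: interactive logins are not permitted on this host" >&2
    exit 1
}

# Dispatch only when invoked as the login shell (argv[0] "rshell" or
# "-rshell"); sourcing the file just defines the functions.
case "${0##*/}" in rshell|-rshell) rshell_main "$@" ;; esac
```

Two caveats a reviewer would raise. First, allow-listing argv[0] of a full svn or git binary is porous (git -c, git aliases, svn --editor-cmd and similar all run arbitrary programs), which is why only the protocol helpers are accepted and only with the argument shapes the clients actually send; git-shell and a command="..." forced command in authorized_keys are the stock alternatives. Second, this only constrains what an account may run once it has logged in; who may log in at all is still the job of pam_groupdn or an sshd AllowGroups setting, as discussed above.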
More information about the Mageia-sysadm mailing list