Task #2458

Review shell access list

Added by Guilhem Moulin almost 4 years ago. Updated 9 months ago.

Status: In Progress
Priority: Normal
Category: -
Target version: Team - Recurring
Due date: 2021-11-01 (27 days late)
% Done: 0%

Description

Some shell accounts were created manually, and others using Salt. The same for the accounts' supplementary groups, including sudo and ssh-login.

As we don't have a central database for account information, it's not trivial to determine who has access to what, and with which privileges. Moreover, contributors come and go — naturally — so the access list needs to be reviewed regularly to reflect the current reality. The same goes for the tdf-admin mailing list (aka hostmaster@tdf).
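A per-host inventory of the kind this review needs, as an added example that is not part of the ticket or of the project's tooling. It reads passwd(5) and group(5) text, lists accounts with a login shell, their membership in the sudo and ssh-login groups named above, and whether each account is missing from a set of centrally managed names; that `managed` set (for instance exported from Salt), the sample accounts and all function names are assumptions.

```python
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", ""}
PRIVILEGED_GROUPS = ("sudo", "ssh-login")  # group names taken from the ticket


def records(text):
    """Split passwd(5)/group(5) style text into lists of colon-separated fields."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def review_access(passwd_text, group_text, managed):
    """Return one row per account that has a login shell.

    `managed` is an assumed input: the account names the configuration
    management system is supposed to have created on this host.
    """
    # group name -> (gid, supplementary members)
    groups = {f[0]: (int(f[2]), {m for m in f[3].split(",") if m})
              for f in records(group_text)}
    report = []
    for name, _pw, uid, gid, _gecos, _home, shell in sorted(records(passwd_text)):
        if shell in NOLOGIN_SHELLS:
            continue  # service account without an interactive shell
        # A user belongs to a group either as a listed supplementary member
        # or because the group is the account's primary group.
        privs = [g for g in PRIVILEGED_GROUPS if g in groups
                 and (name in groups[g][1] or groups[g][0] == int(gid))]
        report.append({"user": name, "uid": int(uid), "groups": privs,
                       "unmanaged": name not in managed})
    return report


# Constructed sample data, not real accounts.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
carol:x:1002:27:Carol:/home/carol:/bin/bash
"""
SAMPLE_GROUP = """sudo:x:27:alice
ssh-login:x:1100:alice,bob
"""

if __name__ == "__main__":
    for row in review_access(SAMPLE_PASSWD, SAMPLE_GROUP, {"root", "alice"}):
        print(row)
```

The primary-group check matters for review: `carol` is not listed as a member of `sudo` in the group file but still belongs to it through her primary GID.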

#1

Updated by Guilhem Moulin almost 4 years ago

For per-machine access we could use LDAP with pam_nss (excluding global admins in case LDAP access would break or something), as Norbert suggested. Having UNIX accounts and ACLs in a central database would simplify this task a lot.

#2

Updated by Florian Effenberger over 3 years ago

Priority-wise, I see this after we have some more services in LDAP, as admin access is managed via Salt.
Do you agree, or would you prioritize that higher?

#3

Updated by Guilhem Moulin over 3 years ago

I agree it's not high priority, just a neat way to solve the problem :-)

#4

Updated by Florian Effenberger over 3 years ago

Can we do a first round of "removal proposals" (from tdf-admin as well as SSH logins/root access) within the next two weeks? Send the name to me privately please ;-)

#5

Updated by Florian Effenberger over 3 years ago

  • Due date changed from 2018-04-11 to 2018-07-27

Done late May, so let's review late July

#6

Updated by Florian Effenberger over 3 years ago

Done late May, so let's review late July

Can you send me the current list of shell access (do not attach to this ticket, as it's public) - and we'll review together if there's any need for action?

#7

Updated by Florian Effenberger about 3 years ago

Florian Effenberger wrote:

> Done late May, so let's review late July
>
> Can you send me the current list of shell access (do not attach to this ticket, as it's public) - and we'll review together if there's any need for action?

Ping?

#8

Updated by Guilhem Moulin about 3 years ago

  • Due date changed from 2018-07-27 to 2019-01-01

#9

Updated by Florian Effenberger over 2 years ago

Can you share the current list with me privately, so we can have a look?

#10

Updated by Florian Effenberger over 2 years ago

  • Due date changed from 2019-01-01 to 2019-10-01
  • Status changed from New to In Progress

#11

Updated by Guilhem Moulin about 2 years ago

  • Due date changed from 2019-10-01 to 2020-05-01

#12

Updated by Guilhem Moulin over 1 year ago

  • Due date changed from 2020-05-01 to 2020-11-01

#13

Updated by Guilhem Moulin 9 months ago

  • Due date changed from 2020-11-01 to 2021-11-01
