Project

General

Profile

Actions

Task #2458

open

Review shell access list

Added by Guilhem Moulin over 6 years ago. Updated 14 days ago.

Status:
In Progress
Priority:
Normal
Category:
-
Target version:
Team - Recurring
Start date:
Due date:
2025-02-17 (Due in about 4 months)
% Done:

0%

Tags:

Description

Some shell accounts were created manually, and other using salt. The same for the accounts' supplementary groups, including sudo and ssh-login.

As we don't have a central database for account information, it's not trivial to determine who has access to what, and with which privileges. Moreover contributors come and go ­— naturally — so the access list needs to be reviewed regularly to reflect the current reality. The same goes for the tdf-admin mailing list (aka hostmaster@tdf).

Actions #1

Updated by Guilhem Moulin over 6 years ago

For per-machine access we could use LDAP with pam_nss (excluding global admins in case LDAP access would break or something), as Norbert suggested. Having UNIX accounts and ACLs in a central database would simplify this task a lot.

Actions #2

Updated by Florian Effenberger over 6 years ago

Priority-wise, I see this after we have some more services in LDAP, as admin access is managed via Salt
Do you agree, or would you prioritize that higher?

Actions #3

Updated by Guilhem Moulin over 6 years ago

I agree it's not high priority, just a neat way to solve the problem :-)

Actions #4

Updated by Florian Effenberger over 6 years ago

Can we do a first round of "removal proposals" (from tdf-admin as well as SSH logins/root access) within the next two weeks? Send the name to me privately please ;-)

Actions #5

Updated by Florian Effenberger over 6 years ago

  • Due date changed from 2018-04-11 to 2018-07-27

Done late May, so let's review late July

Actions #6

Updated by Florian Effenberger about 6 years ago

Done late May, so let's review late July

Can you send me the current list of shell access (do not attach to this ticket, as it's public) - and we'll review together if there's any need for action?

Actions #7

Updated by Florian Effenberger about 6 years ago

Florian Effenberger wrote:

Done late May, so let's review late July

Can you send me the current list of shell access (do not attach to this ticket, as it's public) - and we'll review together if there's any need for action?

Ping?

Actions #8

Updated by Guilhem Moulin about 6 years ago

  • Due date changed from 2018-07-27 to 2019-01-01
Actions #9

Updated by Florian Effenberger over 5 years ago

Can you share the current list with me privately, so we can have a look?

Actions #10

Updated by Florian Effenberger over 5 years ago

  • Due date changed from 2019-01-01 to 2019-10-01
  • Status changed from New to In Progress
Actions #11

Updated by Guilhem Moulin almost 5 years ago

  • Due date changed from 2019-10-01 to 2020-05-01
Actions #12

Updated by Guilhem Moulin over 4 years ago

  • Due date changed from 2020-05-01 to 2020-11-01
Actions #13

Updated by Guilhem Moulin over 3 years ago

  • Due date changed from 2020-11-01 to 2021-11-01
Actions #14

Updated by Guilhem Moulin almost 3 years ago

  • Due date changed from 2021-11-01 to 2022-02-18
Actions #15

Updated by Guilhem Moulin over 2 years ago

  • Due date changed from 2022-02-18 to 2022-07-01
Actions #16

Updated by Guilhem Moulin 14 days ago

  • Due date changed from 2022-07-01 to 2024-02-15
Actions #17

Updated by Guilhem Moulin 14 days ago

  • Due date changed from 2024-02-15 to 2025-02-17
Actions

Also available in: Atom PDF