Task #2458

Review shell access list

Added by Guilhem Moulin over 1 year ago. Updated about 1 month ago.

Status: In Progress
Priority: Normal
Category: -
Target version: Team - Recurring
Start date:
Due date: 2019-10-01
% Done: 0%
Estimated time:
Tags:
URL:

Description

Some shell accounts were created manually, and others using salt. The same for the accounts' supplementary groups, including sudo and ssh-login.

As we don't have a central database for account information, it's not trivial to determine who has access to what, and with which privileges. Moreover, contributors come and go — naturally — so the access list needs to be reviewed regularly to reflect the current reality. The same goes for the tdf-admin mailing list (aka hostmaster@tdf).
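An added example, not part of the ticket or of the project's tooling: one way to build the per-host access list the description asks for, from passwd(5) and group(5) data. The group names `sudo` and `ssh-login` come from the ticket; the function names and the sample data are hypothetical and constructed.

```python
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
# Group names taken from the ticket; adjust to the host's sshd/sudoers policy.
PRIVILEGED_GROUPS = ("sudo", "ssh-login")


def parse_groups(group_text):
    """Return {group name: (gid, set of supplementary members)}."""
    groups = {}
    for line in group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.strip().split(",") if m})
    return groups


def review_access(passwd_text, group_text, privileged=PRIVILEGED_GROUPS):
    """Return {user: {"shell", "login_shell", "groups"}} for accounts to review."""
    groups = parse_groups(group_text)
    report = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _pw, _uid, gid, _gecos, _home, shell = line.split(":", 6)
        # A primary GID grants membership without the user appearing in the
        # member list of the group file, so check both.
        held = sorted(
            g for g in privileged
            if g in groups and (user in groups[g][1] or int(gid) == groups[g][0])
        )
        login_shell = shell.strip() not in NOLOGIN_SHELLS
        if held or login_shell:  # anything else cannot log in and holds no grant
            report[user] = {"shell": shell.strip(), "login_shell": login_shell, "groups": held}
    return report


# Constructed sample data, not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:27:Bob:/home/bob:/bin/zsh
carol:x:1002:1002:Carol:/home/carol:/usr/sbin/nologin
"""
SAMPLE_GROUP = """\
sudo:x:27:alice
ssh-login:x:200:alice,bob,carol
"""
```

On a real host the two inputs can be the output of `getent passwd` and `getent group`, which also covers accounts served through NSS. In the sample, `bob` holds `sudo` only through his primary GID and `carol` keeps an `ssh-login` grant despite a nologin shell, the kind of entries a manual review tends to miss.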

History

#1 Updated by Guilhem Moulin over 1 year ago

For per-machine access we could use LDAP with pam_nss (excluding global admins in case LDAP access would break or something), as Norbert suggested. Having UNIX accounts and ACLs in a central database would simplify this task a lot.

#2 Updated by Florian Effenberger over 1 year ago

Priority-wise, I see this after we have some more services in LDAP, as admin access is managed via Salt.
Do you agree, or would you prioritize that higher?

#3 Updated by Guilhem Moulin over 1 year ago

I agree it's not high priority, just a neat way to solve the problem :-)

#4 Updated by Florian Effenberger about 1 year ago

Can we do a first round of "removal proposals" (from tdf-admin as well as SSH logins/root access) within the next two weeks? Send the name to me privately please ;-)

#5 Updated by Florian Effenberger about 1 year ago

  • Due date changed from 2018-04-11 to 2018-07-27

Done late May, so let's review late July

#6 Updated by Florian Effenberger 10 months ago

> Done late May, so let's review late July

Can you send me the current list of shell access (do not attach to this ticket, as it's public) - and we'll review together if there's any need for action?

#7 Updated by Florian Effenberger 9 months ago

Florian Effenberger wrote:

> > Done late May, so let's review late July
>
> Can you send me the current list of shell access (do not attach to this ticket, as it's public) - and we'll review together if there's any need for action?

Ping?

#8 Updated by Guilhem Moulin 9 months ago

  • Due date changed from 2018-07-27 to 2019-01-01

#9 Updated by Florian Effenberger about 2 months ago

Can you share the current list with me privately, so we can have a look?

#10 Updated by Florian Effenberger about 1 month ago

  • Due date changed from 2019-01-01 to 2019-10-01
  • Status changed from New to In Progress
