Task #2458

Review shell access list

Added by Guilhem Moulin about 1 year ago. Updated 4 months ago.

Status: New
Priority: Normal
Category: -
Target version: Team - Recurring
Start date:
Due date: 2019-01-01
% Done: 0%
Estimated time:
Tags:
URL:

Description

Some shell accounts were created manually, and others using Salt. The same goes for the accounts' supplementary groups, including sudo and ssh-login.

As we don't have a central database for account information, it's not trivial to determine who has access to what, and with which privileges. Moreover, contributors come and go — naturally — so the access list needs to be reviewed regularly to reflect the current reality. The same goes for the tdf-admin mailing list (aka hostmaster@tdf).
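
The per-host inventory problem described above, as an added example that is not part of the ticket or of the project's own tooling: it reads passwd(5) and group(5) formatted text and reports which login-capable accounts hold the `sudo` and `ssh-login` groups named in the description, plus group members that no longer have an account. The list of non-login shells, the function names and the sample data are assumptions constructed for illustration.

```python
# Added example: per-host shell access inventory from passwd(5)/group(5) text.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}  # assumption
PRIVILEGED_GROUPS = ("sudo", "ssh-login")  # group names from the ticket

# Constructed sample data, not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
carol:x:1002:27:Carol:/home/carol:/bin/bash
"""
SAMPLE_GROUP = """\
sudo:x:27:alice,dave
ssh-login:x:1100:alice,bob
"""

def _records(text, nfields):
    """Yield colon-split records with exactly nfields fields, skipping comments."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if not line.startswith("#") and len(fields) == nfields:
            yield fields

def parse_passwd(text):
    """Return {user: (primary_gid, shell)}."""
    return {f[0]: (f[3], f[6]) for f in _records(text, 7)}

def parse_group(text):
    """Return {group: (gid, set_of_listed_members)}."""
    return {f[0]: (f[2], {m for m in f[3].split(",") if m}) for f in _records(text, 4)}

def access_report(passwd_text, group_text):
    """Map each login-capable account to the privileged groups it holds."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    report = {}
    for user, (gid, shell) in users.items():
        if shell in NOLOGIN_SHELLS:
            continue
        # Membership is either an explicit listing or a matching primary GID.
        report[user] = [g for g in PRIVILEGED_GROUPS if g in groups
                        and (user in groups[g][1] or gid == groups[g][0])]
    return report

def orphaned_members(passwd_text, group_text):
    """Names still listed in a privileged group but with no passwd entry."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    return {g: sorted(groups[g][1] - set(users))
            for g in PRIVILEGED_GROUPS if g in groups and groups[g][1] - set(users)}
```

Feeding it the output of `getent passwd` and `getent group` on each host, rather than the flat files, also covers accounts served through NSS sources such as LDAP.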

History

#1 Updated by Guilhem Moulin about 1 year ago

For per-machine access we could use LDAP with pam_nss (excluding global admins in case LDAP access would break or something), as Norbert suggested. Having UNIX accounts and ACLs in a central database would simplify this task a lot.

#2 Updated by Florian Effenberger 11 months ago

Priority-wise, I see this after we have some more services in LDAP, as admin access is managed via Salt.
Do you agree, or would you prioritize that higher?

#3 Updated by Guilhem Moulin 10 months ago

I agree it's not high priority, just a neat way to solve the problem :-)

#4 Updated by Florian Effenberger 9 months ago

Can we do a first round of "removal proposals" (from tdf-admin as well as SSH logins/root access) within the next two weeks? Send the name to me privately please ;-)

#5 Updated by Florian Effenberger 8 months ago

  • Due date changed from 2018-04-11 to 2018-07-27

Done late May, so let's review late July

#6 Updated by Florian Effenberger 5 months ago

Done late May, so let's review late July

Can you send me the current list of shell access (do not attach to this ticket, as it's public) - and we'll review together if there's any need for action?

#7 Updated by Florian Effenberger 4 months ago

Florian Effenberger wrote:

Done late May, so let's review late July

Can you send me the current list of shell access (do not attach to this ticket, as it's public) - and we'll review together if there's any need for action?

Ping?

#8 Updated by Guilhem Moulin 4 months ago

  • Due date changed from 2018-07-27 to 2019-01-01
