Hi,
First: is it possible to ignore the authselect configuration during FreeIPA server installation? Reason I'm asking is because we're hardening the OS before we run FreeIPA installation, meaning there have been issues with UMASK and authselect overwrite.
FreeIPA installation does not support UMASK stricter than 022. The FreeIPA installation also changes our authselect configuration, as we configure this as part of our OS hardening and set the immutable flag on some of these config files.
We don't want FreeIPA installation to configure the authselect. Unfortunately we haven't found anything in /usr/lib/python3.9/site-packages/ipaplatform/redhat/authconfig.py that lets us do this. Is it possible to ignore this?
Finn Fysj via FreeIPA-users wrote:
> Hi,
> First: is it possible to ignore the authselect configuration during FreeIPA server installation? Reason I'm asking is because we're hardening the OS before we run FreeIPA installation, meaning there have been issues with UMASK and authselect overwrite.
> FreeIPA installation does not support UMASK stricter than 022. The FreeIPA installation also changes our authselect configuration, as we configure this as part of our OS hardening and set the immutable flag on some of these config files.
> We don't want FreeIPA installation to configure the authselect. Unfortunately we haven't found anything in /usr/lib/python3.9/site-packages/ipaplatform/redhat/authconfig.py that lets us do this. Is it possible to ignore this?
There is not currently.
I guess I would suggest hardening after installing IPA. You're moving into an untested/unsupported configuration so keep that in mind. There be dragons.
rob
Finn Fysj via FreeIPA-users wrote:
> There is not currently.
> I guess I would suggest hardening after installing IPA. You're moving into an untested/unsupported configuration so keep that in mind. There be dragons.
> rob
Thanks Rob.
However, does that mean we can get surprises if we're so bold and configure e.g. UMASK after IPA installation etc.?
freeipa-users@lists.fedorahosted.org
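
A pre-flight check for the two conditions raised in this thread (a umask stricter than 022, and the immutable flag on authselect-managed files), to run on a hardened host before the installer. This is an added example, not part of any post and not FreeIPA code; the file list and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not FreeIPA code: pre-flight checks for a hardened host.

# Assumption: files commonly managed by authselect on RHEL-family systems.
AUTH_FILES="/etc/nsswitch.conf /etc/pam.d/system-auth /etc/pam.d/password-auth /etc/authselect/authselect.conf"

# True (exit 0) when octal umask $1 masks any permission bit that 022 leaves set.
umask_stricter_than_022() {
    [ $(( 0$1 & ~022 )) -ne 0 ]
}

# Read `lsattr` output on stdin; print paths whose flag field has the immutable 'i'.
immutable_paths() {
    awk '$1 ~ /^[-A-Za-z]+$/ && $1 ~ /i/ { sub(/^[^ ]+ +/, ""); print }'
}

# Report both conditions for this host; the return status is the number of findings.
preflight() {
    findings=0
    if umask_stricter_than_022 "$(umask)"; then
        echo "umask $(umask) is stricter than 022"
        findings=$((findings + 1))
    fi
    for f in $AUTH_FILES; do
        [ -e "$f" ] || continue
        # authselect installs symlinks; check the flag on the real file.
        target=$(readlink -f "$f")
        for p in $(lsattr -d "$target" 2>/dev/null | immutable_paths); do
            echo "immutable flag set: $p"
            findings=$((findings + 1))
        done
    done
    return "$findings"
}

# Run the checks only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    preflight
fi
```

Run it with `--check` as the account that will start the installer, since the umask is per-session.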