URL:
https://github.com/SSSD/sssd/pull/21
Title: #21: IFP: expose user and group unique IDs through DBus
jhrozek commented:
"""
On Wed, Sep 21, 2016 at 03:57:19AM -0700, Pavel Březina wrote:
On 09/21/2016 12:29 PM, Jakub Hrozek wrote:
> On Tue, Sep 20, 2016 at 05:24:45AM -0700, sumit-bose wrote:
>> > With the SIDs we already have a library thay pretty much anyone can
> call and retrieve the SID for ID. But not for GUIDs.. CC @sbose-rh for
> another opinion..
>>
>> In general the GUIDs are even less informative than the SID, e.g. you
> cannot derive the domain form it, it is just a random strings created
> with some rules to try to avoid collisions. So I cannot see a leak here.
> Additionally I think there is only special protection on the LDAP side
> on the GUID attribute, e.g. ipaUniqueID can be read anonymously.
>>
>> Only if the GUID is misused, e.g. as initial password, there would be
> an issue but imo not on our side.
>
> Thank you.
>
> Then I don't see a reason to not accept this PR. I tested it and it
> seems to work:
>
> $ dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe
> /org/freedesktop/sssd/infopipe/Users
> org.freedesktop.sssd.infopipe.Users.FindByName string:admin@ipa.test
> method return time=1474453460.862332 sender=:1.305 -> destination=:1.308
> serial=9 reply_serial=2
> object path "/org/freedesktop/sssd/infopipe/Users/ipa_2etest/935600000"
>
> $ dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe
> /org/freedesktop/sssd/infopipe/Users/ipa_2etest/935600000
> org.freedesktop.DBus.Properties.Get
> string:org.freedesktop.sssd.infopipe.Users.User string:uniqueID
> method return time=1474453484.184180 sender=:1.305 -> destination=:1.309
> serial=11 reply_serial=2
> variant string "4e80c946-436e-11e6-8fbd-525400f71478"
>
> If anyone thinks having group_attributes should block this PR, I'm OK
> with implementing it..
>
> So I'll just wait a bit to see if there is any opposition and if not,
> I'll push the patch..
Feel free to push it.
We can create a ticket to trac more detailed access control in IFP. I
remember that we talked about usign polkit for this, since IFP is slowly
growing we should look into this.
We have
https://fedorahosted.org/sssd/ticket/2328 for polkit so I
increased its priority. I also filed
https://fedorahosted.org/sssd/ticket/3195 for group_attributes (which
may or may not be relevant after #2328, but I didn't want to forget..)
"""
See the full comment at
https://github.com/SSSD/sssd/pull/21#issuecomment-248857307