[Bug 771698] Re: /usr/bin/id does not show ldap groups

Thomas Schweikle 771698 at bugs.launchpad.net
Thu Apr 28 08:46:49 UTC 2011


> The fact that id shows fewer groups is not a security issue
> -- the user should have fewer privileges than with the
> intended ldap groups.

This is only correct as long as belonging to a group grants additional
rights. It is not correct any more if belonging to a group revokes
rights. The user this way has, since he isn't seen in this particular
group any more, additional rights he wouldn't have if he were part of
the group in question. We're using such a scheme for trainees. They are
part of the group, but being part of the group "trainee" revokes some
rights they would have if they were not part of the group "trainee".

In our special case this doesn't matter: both groups are derived from
ldap. Since pam doesn't question ldap any more for groups the user is
in, rights are not granted and not revoked --- most people do not have
any rights to do anything ... :-(

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/771698
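An added illustration of the point made above, not code from the bug report or from libnss-ldap: a small model of a group scheme in which one group grants rights and the "trainee" group revokes them. The group "staff", the right names and the NSS resolution helper are constructed for the example. It shows that when the LDAP source stops answering, a deny-style group silently disappears and the user ends up with more rights, unless an incomplete lookup is treated as "no rights" (fail closed).

```python
# Constructed model of grant/revoke groups; "trainee" is from the bug
# report, everything else is an assumption made for this illustration.
GRANT = {"staff": {"read_reports", "write_reports"}}
REVOKE = {"trainee": {"write_reports"}}   # membership *removes* a right


def resolve_groups(local_groups, ldap_groups, ldap_answering):
    """Mimic what id(1) sees through NSS: local groups are always present,
    LDAP groups only while the ldap source answers.
    Returns (groups, complete) so callers can tell a partial answer apart."""
    if ldap_answering:
        return set(local_groups) | set(ldap_groups), True
    return set(local_groups), False


def effective_rights(groups, complete=True, fail_closed=False):
    """Rights granted by the user's groups minus rights revoked by them.
    With fail_closed=True an incomplete group lookup yields no rights,
    which is the safe behaviour when revoke-groups are in use."""
    if fail_closed and not complete:
        return set()
    rights = set()
    for g in groups:
        rights |= GRANT.get(g, set())
    for g in groups:
        rights -= REVOKE.get(g, set())
    return rights


def trainee_rights(ldap_answering, fail_closed=False):
    """A trainee whose 'staff' group is local and whose 'trainee' group
    comes from LDAP. When LDAP is not consulted, the revoke-group is lost."""
    groups, complete = resolve_groups(
        local_groups={"staff"}, ldap_groups={"trainee"},
        ldap_answering=ldap_answering)
    return effective_rights(groups, complete, fail_closed)


if __name__ == "__main__":
    print("ldap answering  :", sorted(trainee_rights(True)))
    print("ldap missing    :", sorted(trainee_rights(False)))
    print("missing, closed :", sorted(trainee_rights(False, fail_closed=True)))
```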
