#1048 sssd should have a mode to only return Usernames for My UID and My Groups.

Created 5 years ago by dpal
Modified 7 months ago

https://bugzilla.redhat.com/show_bug.cgi?id=726408

Description of problem:

As we move to multi-tenant environments we might want to start preventing full
read access to the /etc/passwd machine, or the ability to dump all users in the
passwd database.

I would like to be able to use SELinux to lock down access to the /etc/passwd
file, so users could not cat the file.  And even prevent most apps on the
machine from reading the file.  Then have sssd become the arbiter of who gets
translations.

I would suggest that we add a flag the the sssd configuration that would say,
translate only the names that the requesting UID is a member of.

Meaning that dwalsh could translate the UID of dwalsh, and all users in the
Engineering group.  But other UID, would not resolve.

If I am user "Coke" and I execute getpwnam("Pepsi"), I would want this to
return no such user.  If I saw a process on the machine that was running as uid
1234 and I was not 1234 and 1234 was not in any of mygroups I would want sssd
to not translate the UID.

The biggest use case for this I would see is multitenant environments where an
admin does not want users on the system to know anything about the other users
on the system.  (OpenShift Express) for example.  But also large terminal
servers would like to run in this mode.
7 months ago

Metadata Update from @dpal:
- Issue set to the milestone: SSSD Patches welcome

Login to comment on this ticket.

defect

SSSD

https://bugzilla.redhat.com/show_bug.cgi?id=726408

cancel