The IPA framework should stop running as the Apache user and instead be run as a separate user via mod_wsgi configuration.
This is needed to implement privilege separation so that the framework will not be able to impersonate random users; only the Apache authentication modules should be able to.
This is related to both efforts to introduce External Authentication[1] and efforts to add GSSAPI authentication proxying to dogtag[2].
[1] http://www.freeipa.org/page/V4/External_Authentication
[2] https://fedorahosted.org/freeipa/ticket/5011
master:
Metadata Update from @simo: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5
Metadata Update from @mbasti: - Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)
Was implemented in 4.5. Regressions are filed separately.
Metadata Update from @pvoborni: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)