#1048 sssd should have a mode to only return Usernames for My UID and My Groups.
Closed: wontfix 4 years ago by pbrezina. Opened 12 years ago by dpal.

https://bugzilla.redhat.com/show_bug.cgi?id=726408

Description of problem:

As we move to multi-tenant environments we might want to start preventing full
read access to the /etc/passwd machine, or the ability to dump all users in the
passwd database.

I would like to be able to use SELinux to lock down access to the /etc/passwd
file, so users could not cat the file.  And even prevent most apps on the
machine from reading the file.  Then have sssd become the arbiter of who gets
translations.

I would suggest that we add a flag to the sssd configuration that would say,
translate only the names that the requesting UID is a member of.

Meaning that dwalsh could translate the UID of dwalsh, and all users in the
Engineering group.  But other UIDs would not resolve.

If I am user "Coke" and I execute getpwnam("Pepsi"), I would want this to
return no such user.  If I saw a process on the machine that was running as uid
1234 and I was not 1234 and 1234 was not in any of my groups I would want sssd
to not translate the UID.

The biggest use case for this I would see is multitenant environments where an
admin does not want users on the system to know anything about the other users
on the system (OpenShift Express, for example).  But also large terminal
servers would like to run in this mode.
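The following is an added illustration of the lookup policy the report asks for; it is not SSSD code, and SSSD never implemented such an option (the ticket below is closed wontfix). A passwd lookup is made on behalf of a requesting UID and succeeds only if the target is the requester's own entry or the two share at least one group, where "share a group" follows getgrouplist() semantics (primary GID from passwd plus explicit membership). The passwd/group tables and the scoped_getpwuid/scoped_getpwnam names are constructed for this example.

```c
/*
 * Added illustration, not SSSD code: a model of the lookup policy this
 * ticket asks for. A passwd lookup made on behalf of `requester` only
 * succeeds if the target is the requester itself or shares a group with
 * the requester. The passwd/group tables below are constructed sample
 * data, and every name and function here is hypothetical.
 */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

struct pw_ent { const char *name; uid_t uid; gid_t gid; };
struct gr_ent { const char *name; gid_t gid; const char *members[4]; };

/* Constructed sample database: one private group per user plus a shared
 * "engineering" group that dwalsh and alice belong to. */
static const struct pw_ent passwd_db[] = {
    { "dwalsh", 1000, 1000 },
    { "coke",   1001, 1001 },
    { "pepsi",  1002, 1002 },
    { "alice",  1003, 1003 },
};
static const struct gr_ent group_db[] = {
    { "dwalsh",      1000, { NULL } },
    { "coke",        1001, { NULL } },
    { "pepsi",       1002, { NULL } },
    { "alice",       1003, { NULL } },
    { "engineering", 2000, { "dwalsh", "alice", NULL } },
};
#define N_PW (sizeof passwd_db / sizeof passwd_db[0])
#define N_GR (sizeof group_db / sizeof group_db[0])

static const struct pw_ent *pw_by_uid(uid_t uid)
{
    for (size_t i = 0; i < N_PW; i++)
        if (passwd_db[i].uid == uid)
            return &passwd_db[i];
    return NULL;
}

static const struct pw_ent *pw_by_name(const char *name)
{
    for (size_t i = 0; i < N_PW; i++)
        if (strcmp(passwd_db[i].name, name) == 0)
            return &passwd_db[i];
    return NULL;
}

/* Group membership as getgrouplist() would see it: the primary GID from
 * passwd counts, as does an explicit entry in the group's member list. */
static int is_member(const struct gr_ent *g, const struct pw_ent *p)
{
    if (g->gid == p->gid)
        return 1;
    for (const char *const *m = g->members; *m != NULL; m++)
        if (strcmp(*m, p->name) == 0)
            return 1;
    return 0;
}

/* The policy from the ticket: a target entry is visible to the requester
 * only if it is the requester's own entry or the two share a group. An
 * unknown requester or an unknown target is never visible. */
static int visible(uid_t requester, const struct pw_ent *target)
{
    const struct pw_ent *req = pw_by_uid(requester);
    if (req == NULL || target == NULL)
        return 0;
    if (req->uid == target->uid)
        return 1;
    for (size_t i = 0; i < N_GR; i++)
        if (is_member(&group_db[i], req) && is_member(&group_db[i], target))
            return 1;
    return 0;
}

/* Scoped equivalents of getpwuid()/getpwnam(): a hidden entry is reported
 * exactly like a nonexistent one, so the caller cannot tell them apart. */
const char *scoped_getpwuid(uid_t requester, uid_t uid)
{
    const struct pw_ent *t = pw_by_uid(uid);
    return visible(requester, t) ? t->name : NULL;
}

int scoped_getpwnam(uid_t requester, const char *name, uid_t *uid_out)
{
    const struct pw_ent *t = pw_by_name(name);
    if (!visible(requester, t))
        return 0;
    *uid_out = t->uid;
    return 1;
}

int main(void)
{
    const char *n;
    uid_t u;

    n = scoped_getpwuid(1000, 1003);              /* dwalsh -> alice, shared group */
    printf("dwalsh sees uid 1003 as: %s\n", n ? n : "(no such user)");
    n = scoped_getpwuid(1001, 1002);              /* coke -> pepsi, no shared group */
    printf("coke sees uid 1002 as: %s\n", n ? n : "(no such user)");
    printf("coke resolves \"pepsi\": %s\n",
           scoped_getpwnam(1001, "pepsi", &u) ? "found" : "no such user");
    return 0;
}
```

Two practical points follow from the model. First, the filter only has teeth if every other path to the same data is closed as well: a locally readable /etc/passwd, or any NSS module ahead of sss in nsswitch.conf that answers the lookup, hands the name out regardless of what the daemon refuses, which is why the report pairs the flag with an SELinux lockdown of the file. Second, hidden entries must be indistinguishable from nonexistent ones (the same "no such user" result, with no timing or error-code difference), otherwise a tenant can still enumerate which UIDs exist; the scoped functions above return the same NULL/0 for both cases.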

Metadata Update from @dpal:
- Issue set to the milestone: SSSD Patches welcome

7 years ago

Thank you for taking time to submit this request for SSSD. Unfortunately this issue was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfill this request I am closing the issue as wontfix.

If the issue still persists on recent SSSD you can request re-consideration of this decision by reopening this issue. Please provide additional technical details about its importance to you.

Thank you for understanding.

Metadata Update from @pbrezina:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2090

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
