[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: special principals handling

To: heimdal-discuss@sics.se, Guillaume Rousse <Guillaume.Rousse@inria.fr>
Subject: Re: special principals handling
From: "Brandon S. Allbery KF8NH" <allbery@ece.cmu.edu>
Date: Fri, 1 Feb 2008 10:18:07 -0500
In-Reply-To: <47A32961.2080204@inria.fr>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
References: <47A32961.2080204@inria.fr>
Reply-To: heimdal-discuss@sics.se, "Brandon S. Allbery KF8NH" <allbery@ece.cmu.edu>

On Feb 1, 2008, at 9:14 , Guillaume Rousse wrote:

> Second, our usual policy is to grant admins all authorisations with
> their standard accounts (through sudo, or ldap group ACLs, for
> instance), so as to avoid keeping trace of shared passwords. It seems
> the usual kerberos practice is to create additional principal with a
> 'admin' instance for admins, but this constitute two different  
> accounts.
> Is there any way to automatically sync 'foo@REALM' with
> 'foo/admin@REALM' for this purpose ? Or is it really a bad practice to
> grant all powers to 'foo@REALM' ?

Minimal privilege is a very good idea in general, to help avoid  
mistakes and to make it easier to test things (if your normal account  
has full privileges, you have to use someone else's account to test  
and debug privilege/permission-related issues).  This is also why  
it's a bad idea to do everything on Unix as root or on Windows as  
Administrator, etc.

-- 
brandon s. allbery [solaris,freebsd,perl,pugs,haskell] allbery@kf8nh.com
system administrator [openafs,heimdal,too many hats] allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon university    KF8NH

Follow-Ups:
- Re: special principals handling
  - From: Guillaume Rousse <Guillaume.Rousse@inria.fr>

References:
- special principals handling
  - From: Guillaume Rousse <Guillaume.Rousse@inria.fr>

Prev by Date: Re: special principals handling
Next by Date: Re: How to cross-compile
Prev by thread: Re: special principals handling
Next by thread: Re: special principals handling
Index(es):
- Date
- Thread