[Kolab-devel] Suse kolabd patch

Bernhard Reiter bernhard.reiter at intevation.de
Wed Jan 4 11:47:56 CET 2006


On Wednesday, 4 January 2006 00:05, Richard Bos wrote:
> On Tuesday, 3 January 2006 17:25, Bernhard Reiter wrote:
> > >   Changed most of the users and groups to root, this is a known user
> > >   and it takes care that kolab_bootstrap at least finishes.
> >
> > I am not sure if using "root" for all kolab* users is a good idea,
> > it will have security implications and it will make Kolab Servers
> > harder to maintain on different platforms.
> >
> > Why not find a compatible way for suse to add the necessary users
> > for "kolab" "kolab-r" and "kolab-n"?
>
> as stated it is done to let kolab_bootstrap reach the end..., so at least
> ldapsearch is doing something. 

I did not look into the surroundings, but briefly browsed it and this fell
into my eye. If you are saying this is only for running kolab_bootstrap
it might be okay, but I cannot say. This is why I better asked, to make
sure we do not miss something.

> I just discovered that perl-kolab does 
> checks on the existence of kolab(-r/-n) users...  The thing is that I don't
> know whether these are needed at all.  Perhaps they can all be replaced by users
> that already exist on the target platform (suse in my case), like www,
> ldap, etc?

In my conception it would be cool to keep the same users
on all Kolab Server installations, best would be with the same uids and gids.
This way somebody that understands the Kolab security mechanism
can deal with all installations. Otherwise support will be even more 
distribution specific, which we all want to avoid.

The kolab(-r/-n) are used to give certain rights to various processes
so that we only give out the needed privileges. In my conception they
probably are a good idea to keep even with other users for services around,
like www,ldap. Now thinking about it:
There probably is a way to integrate them somehow.

> It is very interesting to know, which files/apps should be owned by
> kolab(-r/-n).  Can you say something about that??

This is an implementation part that I (personally) did not look into very 
much, but Martin and Steffen (should) know.
My attempt to find out would be to look at a running Kolab Server (based
on OpenPKG) and see about processes and their permissions.

Bernhard



