On 11/21/2011 02:55 PM, Stephen Gallagher wrote:
Granted, that's a bit of a contrived example, but as a rule I tend to
feel that data like this should be configured centrally, rather than
updated by clients. First rule of security: always assume your clients
are malicious.

      
I see. I needed this purely for auditing computers on the LAN - so no big danger of malicious clients.
Even in your (indeed contrived) example, the malicious application could cause the machine to be disjoined from the AD/IPA domain or perform DoS attacks against the servers. Eventually:
1. Even if we agree that we will set it up once upon machine join, the malicious client can change it any time later. So no big difference here.
2. Even Microsoft AD clients (AD member computers) do it this way I believe.

I think in all cases you have to (to some extent) either trust your clients or make damn sure that no user application can gain root privileges. Even such a well-perceived protocol as Kerberos cannot protect you against a malicious root application running on your desktop.

So, with all respect, I do not take your arguments.

Ondrej