On Wed, 20 Oct 2010 17:14:56 -0400
Rob Crittenden <rcrit...@redhat.com> wrote:

> Rob Crittenden wrote:
> > Dmitri Pal wrote:
> >> Simo Sorce wrote:
> >>> On Fri, 15 Oct 2010 17:27:07 -0400
> >>> Rob Crittenden<rcrit...@redhat.com> wrote:
> >>>
> >>>
> >>>> Remove the enrolledBy when a host is unenrolled (which is the
> >>>> same as disabling the host).
> >>>>
> >>>> ticket 301
> >>>>
> >>>> rob
> >>>>
> >>>
> >>> nack, if host can write enrolledBy it can fake info
> >>>
> >>> Simo.
> >>>
> >>>
> >> I agree. I think it should be "delete" rather than "write".
> >>
> >
> > The delete permission is for entries, not for attributes.
> >
> > I'll need to ask the 389-ds guys about how to do this, though I
> > think it may be via an attr value aci which will require some work
> > in our aci plugin because it doesn't currently support them.
> >
> > rob
> 
> Updated patch to clear out enrolledBy when a host is unenrolled.
> 
> This uses a targattrfilters aci that says that enrolledBy can be
> deleted if it is not empty. We also require that krblastpwddchange be
> empty, so you can't simply delete enrolledby on an enrolled host.
> 
> host-disable first deletes the principalkey and lastpwdchange and then
> removes the enrollment.
> 
> ticket 301

This patch looks good but I was a bit surprised to see that you use
krblastpwdchange as a trigger. Why not the principal key ?

Also if I read it right
(targattrfilters="del=enrolledby:(enrolledBy=*)") allows you to
delete enrolledBy but not to change it to another value.
This prevents misrepresenting who enrolled the host, but still allows
the host to remove the information (the host can remove
krblastpwdchange first and then re-add it right ?)

So I am wondering if we really solve all relevant abuses with
this patch (some of it is solved) or if we are still leaving the door
open to something.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to