Simo Sorce wrote:
On Wed, 20 Oct 2010 17:14:56 -0400
Rob Crittenden<rcrit...@redhat.com>  wrote:

Rob Crittenden wrote:
Dmitri Pal wrote:
Simo Sorce wrote:
On Fri, 15 Oct 2010 17:27:07 -0400
Rob Crittenden<rcrit...@redhat.com>  wrote:


Remove the enrolledBy when a host is unenrolled (which is the
same as disabling the host).

ticket 301

rob


nack, if host can write enrolledBy it can fake info

Simo.


I agree. I think it should be "delete" rather than "write".


The delete permission is for entries, not for attributes.

I'll need to ask the 389-ds guys about how to do this, though I
think it may be via an attr value aci which will require some work
in our aci plugin because it doesn't currently support them.

rob

Updated patch to clear out enrolledBy when a host is unenrolled.

This uses a targattrfilters aci that says that enrolledBy can be
deleted if it is not empty. We also require that krblastpwddchange be
empty, so you can't simply delete enrolledby on an enrolled host.

host-disable first deletes the principalkey and lastpwdchange and then
removes the enrollment.

ticket 301

This patch looks good but I was a bit surprised to see that you use
krblastpwdchange as a trigger. Why not the principal key ?

Because we can't read the principal key (by design).


Also if I read it right
(targattrfilters="del=enrolledby:(enrolledBy=*)") allows you to
delete enrolledBy but not to change it to another value.
This prevents misrepresenting who enrolled the host, but still allows
the host to remove the information (the host can remove
krblastpwdchange first and then re-add it right ?)

Yes, I suppose that's possible.


So I am wondering if we really solve all relevant abuses with
this patch (some of it is solved) or if we are still leaving the door
open to something.

Simo.


Ok, I'll reconsider this some more.

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to