The list of attributes that a host bound as itself could write was overly broad.
A host can now only update its description, information about itself such as OS release, etc, its certificate, password and keytab. https://fedorahosted.org/freeipa/ticket/416 rob
>From 9bb5fbc682bf290b81e5b86efcaf28d5970550b6 Mon Sep 17 00:00:00 2001 From: Rob Crittenden <rcrit...@redhat.com> Date: Wed, 10 Nov 2010 16:21:19 -0500 Subject: [PATCH] Reduce the number of attributes a host is allowed to write. The list of attributes that a host bound as itself could write was overly broad. A host can now only update its description, information about itself such as OS release, etc, its certificate, password and keytab. ticket 416 --- install/share/default-aci.ldif | 8 ++++++-- install/updates/40-delegation.update | 4 ++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index c48a68c..ce97085 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif @@ -4,7 +4,7 @@ dn: $SUFFIX changetype: modify add: aci aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";) -aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) +aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/chang...@$realm,cn=$REALM,cn=kerberos,$SUFFIX";) @@ -12,6 +12,10 @@ aci: (targetattr = "userPassword || krbPrincipalKey || krbPasswordExpiration || aci: (targetattr = "krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account can update some fields"; allow (write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) aci: (targetattr = "krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Only the KDC System Account has access to kerberos material"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) aci: (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) + +dn: cn=users,cn=accounts,$SUFFIX +changetype: modify +add: aci aci: (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";) dn: cn=ipaConfig,cn=etc,$SUFFIX @@ -49,7 +53,7 @@ aci: (targetattr="userCertificate || krbPrincipalKey")(version 3.0; acl "Hosts c dn: cn=computers,cn=accounts,$SUFFIX changetype: modify add: aci -aci: (targetattr="userCertificate || krbLastPwdChange")(version 3.0; acl "Hosts can modify their own certs and keytabs"; allow(write) userdn = "ldap:///self";) +aci: (targetattr="userCertificate || krbLastPwdChange || description || l || nshostlocation || nshardwareplatform || nsosversion")(version 3.0; acl "Hosts can modify their own certs and keytabs"; allow(write) userdn = "ldap:///self";) # enrolledBy lets it remove its enrollment info dn: cn=computers,cn=accounts,$SUFFIX diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index 4eaad66..0493db0 100644 --- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update @@ -242,7 +242,7 @@ add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn= taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(targetattr = "cn || description || l || nshostlocation || +add:aci: '(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion") (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts, @@ -512,7 +512,7 @@ add:member:'cn=enrollhost,cn=rolegroups,cn=accounts,$SUFFIX' # set the krbPrincipalName, add krbPrincipalAux to objectClass and # set enrolledBy to whoever ran join. dn: $SUFFIX -add:aci: '(targetattr = "krbPrincipalName || enrolledBy || objectClass") +add:aci: '(targetattr = "enrolledBy || objectClass") (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX") (version 3.0;acl "Enroll a host"; allow (write) groupdn = "ldap:///cn=enroll_host,cn=taskgroups, -- 1.7.2.1
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel