Rob Crittenden wrote:
Jakub Hrozek wrote:
On Wed, Nov 10, 2010 at 04:25:18PM -0500, Rob Crittenden wrote:
The list of attributes that a host bound as itself could write was
overly broad.

A host can now only update its description, information about itself
such as OS release, etc, its certificate, password and keytab.

https://fedorahosted.org/freeipa/ticket/416

rob

Some of the changes in install/share/default-aci.ldif seem to not apply
cleanly on top of the current master. Does this patch depend on another
one?

Maybe unreviewed patch 593 fix group objectclasses on detach

rob

Ok, yes, this relies on patch 593. I also rebased it to apply cleanly against master.

rob
>From be1e360438742bd3c7965ad206272c9630d74628 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Wed, 17 Nov 2010 15:04:33 -0500
Subject: [PATCH] Reduce the number of attributes a host is allowed to write.

The list of attributes that a host bound as itself could write was
overly broad.

A host can now only update its description, information about itself
such as OS release, etc., its certificate, password and keytab.

ticket 416
---
 install/share/default-aci.ldif       |    8 ++++++--
 install/updates/40-delegation.update |    4 ++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index e0caf1f..ad54f5f 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -4,7 +4,7 @@ dn: $SUFFIX
 changetype: modify
 add: aci
 aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";;)
-aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)
+aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";;)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/chang...@$realm,cn=$REALM,cn=kerberos,$SUFFIX";;)
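Review bot: The exclusion list added to the "Admin can manage any entry" ACI on the new line lists krbMKey twice (once in its original position and again inside the inserted Kerberos block), and the commit message only describes reducing what a host can write, while this hunk also withdraws admin write access to krbPrincipalExpiration, krbPasswordExpiration, krbPwdPolicyReference, krbTicketFlags, ipaUniqueId and the rest of the inserted names. The same gap applies to the "Modify Hosts" and "Enroll a host" ACIs in 40-delegation.update, which drop cn and krbPrincipalName for the modifyhosts and enroll_host groups respectively. Because this is a `targetattr != ...` rule with allow (all), the exclusion list is the entire control over what admins may touch, so it is worth stating the admin narrowing explicitly in the commit message and removing the duplicate `|| krbMKey`. If admins are still expected to set principal or password expiration, that now needs its own write ACI, since the "Only the KDC System Account has access to kerberos material" rule in the next hunk grants read, search and compare only — this is inferred from the visible rules and should be confirmed.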
@@ -12,6 +12,10 @@ aci: (targetattr = "userPassword || krbPrincipalKey || krbPasswordExpiration ||
 aci: (targetattr = "krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account can update some fields"; allow (write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";;)
 aci: (targetattr = "krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Only the KDC System Account has access to kerberos material"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";;)
 aci: (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)
+
+dn: cn=users,cn=accounts,$SUFFIX
+changetype: modify
+add: aci
 aci: (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType  || businessCategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";;)
 
 dn: cn=ipaConfig,cn=etc,$SUFFIX
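Review bot: Moving the "Self service" ACI from the suffix entry to cn=users,cn=accounts is presumably what stops a host (or any other non-user entry) bound as itself from writing cn, description, l and the other listed attributes on its own entry, but nothing in the file records that intent, and an ACI's placement is easy to lose in a later merge or update script. A short comment above the new dn would pin it, e.g. `# Self-service writes are scoped to user entries only; hosts and services must not gain self-write through this ACI.` The new entry block is complete within the hunk.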
@@ -49,5 +53,5 @@ aci: (targetattr="userCertificate || krbPrincipalKey")(version 3.0; acl "Hosts c
 dn: cn=computers,cn=accounts,$SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr="userCertificate || krbLastPwdChange")(version 3.0; acl "Hosts can modify service userCertificate"; allow(write) userdn = "ldap:///self";;)
+aci: (targetattr="userCertificate || krbLastPwdChange || description || l || nshostlocation || nshardwareplatform || nsosversion")(version 3.0; acl "Hosts can modify their own certs and keytabs"; allow(write) userdn = "ldap:///self";;)
 
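Review bot: The renamed ACL on the new line, "Hosts can modify their own certs and keytabs", no longer matches its targetattr, which now also covers description, l, nshostlocation, nshardwareplatform and nsosversion, while krbPrincipalKey (the keytab) is not in this rule at all — the hunk header's context suggests it is granted by a separate host ACI. ACL names are what appear in access-log diagnostics and in later audits of who may write what, so `acl "Hosts can modify their own certs and host information"` would describe the rule accurately. The attribute list here also mirrors the "Modify Hosts" list in 40-delegation.update minus cn, which looks deliberate; a `#` comment noting that the two lists are meant to stay in sync would help the next editor.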
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 085cd1f..7dc12d8 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -241,7 +241,7 @@ add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version
 add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version
   3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn=
  taskgroups,cn=accounts,$SUFFIX";)'
-add:aci: '(targetattr = "cn || description || l || nshostlocation ||
+add:aci: '(targetattr = "description || l || nshostlocation ||
  nshardwareplatform || nsosversion")
  (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;
  acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts,
@@ -501,7 +501,7 @@ add:member:'cn=enrollhost,cn=rolegroups,cn=accounts,$SUFFIX'
 # set the krbPrincipalName, add krbPrincipalAux to objectClass and
 # set enrolledBy to whoever ran join.
 dn: $SUFFIX
-add:aci: '(targetattr = "krbPrincipalName || enrolledBy || objectClass")
+add:aci: '(targetattr = "enrolledBy || objectClass")
   (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)
   (version 3.0;acl "Enroll a host";
   allow (write) groupdn = "ldap:///cn=enroll_host,cn=taskgroups,
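Review bot: The comment in the context lines above the ACI still says the enroll_host group is allowed to "set the krbPrincipalName", but the new targetattr on the changed line drops krbPrincipalName and keeps only enrolledBy and objectClass, so the comment is now stale; it should read something like `# set enrolledBy to whoever ran join and add krbPrincipalAux to objectClass`. If the join code path still writes krbPrincipalName on the host entry, it will now need another ACI to grant that, which cannot be verified from this hunk. The comment block may begin before the hunk, and the ACI value itself continues past its last line.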
-- 
1.7.2.1
