On Wed, 2012-02-08 at 13:28 +0100, Martin Kosek wrote:
> On Tue, 2012-02-07 at 18:19 -0500, Rob Crittenden wrote:
> > Don't allow the 'change user password' permission to be able to reset 
> > the password of the admins group.
> > 
> > rob
> 
> NACK
> 
> The admin filter works OK, user fbar (in helpdesk role) is now not able
> to change admin's password:
> 
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: f...@idm.lab.bos.redhat.com
> 
> # ipa passwd admin
> New Password: 
> Enter New Password again to verify: 
> ipa: ERROR: Insufficient access: Insufficient access rights
> 
> But what about this little exercise:
> 
> # ipa group-remove-member admins --user=admin
>   Group name: admins
>   Description: Account administrators group
>   GID: 480800000
> ---------------------------
> Number of members removed 1
> ---------------------------
> # ipa passwd admin
> New Password: 
> Enter New Password again to verify: 
> ---------------------------------------------------
> Changed password for "ad...@idm.lab.bos.redhat.com"
> ---------------------------------------------------
> # ipa group-add-member admins --user=admin
>   Group name: admins
>   Description: Account administrators group
>   GID: 480800000
>   Member users: admin
> -------------------------
> Number of members added 1
> -------------------------
> 
> I was able to achieve the very same goal. Maybe we should forbid the
> "modify group membership" role from manipulating the admins group as well.
> 
> Martin

I would say this is another issue, so I'd ACK Rob's patch and require
opening a ticket to prevent changing admins memberships from non-admins.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
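
Added example, not code from this thread or from FreeIPA: a correlation check a defender could run over audit events to flag the sequence Martin demonstrates (remove a user from admins, reset that user's password, re-add). The event schema, field names and sample records below are constructed for the example and do not reflect FreeIPA's real audit format.

```python
"""Correlate a removal from the admins group with a password reset of the
removed user by the same actor, the bypass shown in the thread above.
Event schema and sample records are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    actor: str          # principal performing the operation
    op: str             # 'group-remove-member', 'passwd', 'group-add-member'
    target: str         # group name, or user whose password was changed
    member: str = ""    # user added/removed, for membership operations

PROTECTED_GROUP = "admins"
WINDOW = timedelta(minutes=15)

def find_membership_bypass(events, window=WINDOW):
    """Return (actor, user, remove_ts, passwd_ts) tuples where `actor`
    removed `user` from the protected group and then reset that user's
    password within `window`. A later re-add does not clear the finding."""
    findings = []
    removals = {}   # (actor, user) -> time of removal from the protected group
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op == "group-remove-member" and ev.target == PROTECTED_GROUP:
            removals[(ev.actor, ev.member)] = ev.ts
        elif ev.op == "passwd":
            key = (ev.actor, ev.target)
            t0 = removals.get(key)
            if t0 is not None and ev.ts - t0 <= window:
                findings.append((ev.actor, ev.target, t0, ev.ts))
                del removals[key]
    return findings

# Constructed sample: helpdesk user fbar removes admin, resets, re-adds.
T = datetime(2012, 2, 8, 13, 0)
SAMPLE = [
    Event(T, "fbar", "group-remove-member", "admins", "admin"),
    Event(T + timedelta(seconds=20), "fbar", "passwd", "admin"),
    Event(T + timedelta(seconds=40), "fbar", "group-add-member", "admins", "admin"),
    Event(T + timedelta(minutes=5), "fbar", "passwd", "jdoe"),    # ordinary helpdesk reset
    Event(T + timedelta(hours=2), "admin", "passwd", "admin"),     # admin changes own password
]

if __name__ == "__main__":
    for actor, user, t0, t1 in find_membership_bypass(SAMPLE):
        print(f"{actor} removed {user} from {PROTECTED_GROUP} at "
              f"{t0:%H:%M:%S} and reset its password at {t1:%H:%M:%S}")
```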

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
