On Wed, 2012-02-08 at 15:12 +0100, Martin Kosek wrote:
> On Wed, 2012-02-08 at 08:57 -0500, Simo Sorce wrote:
> > On Wed, 2012-02-08 at 13:28 +0100, Martin Kosek wrote:
> > > On Tue, 2012-02-07 at 18:19 -0500, Rob Crittenden wrote:
> > > > Don't allow the 'change user password' permission to be able to reset 
> > > > the password of the admins group.
> > > > 
> > > > rob
> > > 
> > > NACK
> > > 
> > > The admin filter works OK, user fbar (in helpdesk role) is now not able
> > > to change admin's password:
> > > 
> > > # klist
> > > Ticket cache: FILE:/tmp/krb5cc_0
> > > Default principal: f...@idm.lab.bos.redhat.com
> > > 
> > > # ipa passwd admin
> > > New Password: 
> > > Enter New Password again to verify: 
> > > ipa: ERROR: Insufficient access: Insufficient access rights
> > > 
> > > But what about this little exercise:
> > > 
> > > # ipa group-remove-member admins --user=admin
> > >   Group name: admins
> > >   Description: Account administrators group
> > >   GID: 480800000
> > > ---------------------------
> > > Number of members removed 1
> > > ---------------------------
> > > # ipa passwd admin
> > > New Password: 
> > > Enter New Password again to verify: 
> > > ---------------------------------------------------
> > > Changed password for "ad...@idm.lab.bos.redhat.com"
> > > ---------------------------------------------------
> > > # ipa group-add-member admins --user=admin
> > >   Group name: admins
> > >   Description: Account administrators group
> > >   GID: 480800000
> > >   Member users: admin
> > > -------------------------
> > > Number of members added 1
> > > -------------------------
> > > 
> > > I was able to achieve the very same goal. Maybe we should forbid "modify
> > > group membership" role to manipulate with admins group as well.
> > > 
> > > Martin
> > 
> > I would say this is another issue, so I'd ACK Rob's patch and require
> > opening a ticket to prevent changing admins memberships from non-admins.
> > 
> > Simo.
> > 
> 
> Yeah, we can do that. I decided to rather nack the patch as ticket/BZ
> description mentioned that it want to prevent helpdesk users from
> changing the admin password - which they can do using the approach I
> described.
> 
> But if you want to do it in a separate ticket I am ok with pushing patch
> 942.
> 
> Martin

After an IRC discussion with Rob I ACKed this patch and pushed it to
master, ipa-2-2.

A new ticket to prevent the workaround have been created and linked to
the appropriate BZ:

https://fedorahosted.org/freeipa/ticket/2416

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to