Hi,

The name of any protected group now cannot be changed by modifying
the cn attribute using --setattr. Unit tests have been added to
make sure there is no regression.

https://fedorahosted.org/freeipa/ticket/3354

Tomas
From 68f54e33c70ee0eef11c26cc7772af96725f21bf Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Mon, 11 Feb 2013 10:19:53 +0100
Subject: [PATCH] Prevent changing protected group's name using --setattr

The name of any protected group now cannot be changed by modifying
the cn attribute using --setattr. Unit tests have been added to
make sure there is no regression.

https://fedorahosted.org/freeipa/ticket/3354
---
 ipalib/plugins/group.py                |  2 +-
 tests/test_xmlrpc/test_group_plugin.py | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index f86b134e61fc8c7518a64d25329babee3398c6ef..4fa985739a9576f99948c226a088aa5f842f730b 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -265,7 +265,7 @@ class group_mod(LDAPUpdate):
 
         is_protected_group = keys[-1] in PROTECTED_GROUPS
 
-        if 'rename' in options:
+        if 'rename' in options or 'cn' in entry_attrs:
             if is_protected_group:
                 raise errors.ProtectedEntryError(label=u'group', key=keys[-1],
                     reason=u'Cannot be renamed')
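Review bot: the new `'cn' in entry_attrs` clause in the `if` condition is true whenever cn is present in the update, so on a protected group it appears to reject a request that sets cn to its current value as well, still reporting 'Cannot be renamed'. If that is not intended, compare the supplied cn against keys[-1] before raising. A one-line comment that cn reaches entry_attrs through --setattr would explain why the second clause exists, and the nested test could fold into a single condition: `if is_protected_group and ('rename' in options or 'cn' in entry_attrs):`.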
diff --git a/tests/test_xmlrpc/test_group_plugin.py b/tests/test_xmlrpc/test_group_plugin.py
index a74a5e4c3b20692e07167bdfee9bafa09c36a39d..2d6d2014ae968e8fbe09a8862443b1de02ea804f 100644
--- a/tests/test_xmlrpc/test_group_plugin.py
+++ b/tests/test_xmlrpc/test_group_plugin.py
@@ -879,6 +879,13 @@ class test_group(Declarative):
         ),
 
         dict(
+            desc='Try to rename the admins group via setattr',
+            command=('group_mod', [u'admins'], {'setattr': u'cn=loosers'}),
+            expected=errors.ProtectedEntryError(label=u'group',
+                key='admins', reason='Cannot be renamed'),
+        ),
+
+        dict(
             desc='Try to modify the admins group to support external membership',
             command=('group_mod', [u'admins'], dict(external=True)),
             expected=errors.ProtectedEntryError(label=u'group',
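Review bot: the added admins case exercises only `{'setattr': u'cn=loosers'}`, so nothing in this hunk checks whether --addattr on cn hits the same guard; a second case using 'addattr' would pin that down. Two smaller points on the same lines: `key='admins', reason='Cannot be renamed'` are plain strings while the plugin raises with u'...' literals and the rest of the call uses `label=u'group'`, so use unicode literals throughout, and a neutral target name such as u'cn=renamed' would read better than 'loosers'.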
@@ -900,6 +907,14 @@ class test_group(Declarative):
         ),
 
         dict(
+            desc='Try to rename the trust admins group via setattr',
+            command=('group_mod', [u'trust admins'], {'setattr': u'cn=loosers'}),
+            expected=errors.ProtectedEntryError(label=u'group',
+                key='trust admins', reason='Cannot be renamed'),
+        ),
+
+
+        dict(
             desc='Try to modify the trust admins group to support external membership',
             command=('group_mod', [u'trust admins'], dict(external=True)),
             expected=errors.ProtectedEntryError(label=u'group',
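Review bot: the two consecutive blank `+` lines after the closing `),` of the new trust admins case leave a double empty line before the next `dict(`, where the surrounding entries are separated by one; drop one of them. As in the admins case, `key='trust admins', reason='Cannot be renamed'` should be unicode literals to match `label=u'group'`.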
-- 
1.8.1
