Petr Spacek wrote:
Hello list,

thread "[Freeipa-devel] Read access to container entries" reminds me an
idea I have in mind for a while:

We could check effective ACIs [1] for interesting objects (Kerberos
master key, trust objects etc.) and make sure that there is nothing like
'read by anonymous' etc.

Method [1] has one important limitation: It checks ACI in given sub-tree
against one specified DN.

Realization of my idea would be better with a "reverse" approach:
Specify DN of a single object as "target" and get list of all users with
non-null access rights for the object in question. (This could be
refined with filter for specific rights so we can get "list of DNs
allowed to write to this object" etc.)


Does it make sense?



[1]
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Viewing_the_ACIs_for_an_Entry-Get_Effective_Rights_Control.html

Maybe. We've had a long-term need to run the unit tests as various other users to avoid delegation regressions. We really should have some subset of tests to do positive and negative testing of each role. We'd probably want to do these tests directly with the framework.

Ideally this could be extended to disabling anonymous access, setting minimum SSF, etc. This could probably be mostly done using GER.

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to