On 03/31/2014 03:23 PM, Rob Crittenden wrote:
> Petr Spacek wrote:
>> Hello list,
>> thread "[Freeipa-devel] Read access to container entries" reminds me of an
>> idea I have had in mind for a while:
>> We could check effective ACIs [1] for interesting objects (Kerberos
>> master key, trust objects etc.) and make sure that there is nothing like
>> 'read by anonymous' etc.
>> Method [1] has one important limitation: it checks ACIs in a given sub-tree
>> against one specified DN.
>> Realization of my idea would be better with a "reverse" approach:
>> Specify DN of a single object as "target" and get list of all users with
>> non-null access rights for the object in question. (This could be
>> refined with a filter for specific rights so we can get "list of DNs
>> allowed to write to this object" etc.)
>> Does it make sense?
>> [1]
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Viewing_the_ACIs_for_an_Entry-Get_Effective_Rights_Control.html
> Maybe. We've had a long-term need to run the unit tests as various other users
> to avoid delegation regressions. We really should have some subset of tests to
> do positive and negative testing of each role. We'd probably want to do these
> tests directly with the framework.
> Ideally this could be extended to disabling anonymous access, setting minimum
> SSF, etc. This could probably be mostly done using GER.
> rob

FYI - we have a ticket already open to do something like what Petr says:


IMO it is a good thing to do.
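The "reverse" check Petr describes, worked through as an added example (this is not code from the thread or from FreeIPA): for one target entry, run a Get Effective Rights query as each candidate authzId and keep the subjects whose rights are non-empty, optionally narrowed to specific rights such as write. The `query_ger` callable is an assumed caller-supplied hook (in real use it would issue the LDAP search with the GER control), and the GER answers below are constructed sample data.

```python
"""Reverse effective-rights check: which subjects hold any (or specific)
rights on one target entry, judged from 389-DS style GER output."""

ENTRY_RIGHTS = set("vadn")     # entryLevelRights: view/add/delete/rename
ATTR_RIGHTS = set("rscwoWO")   # attributeLevelRights: read/search/compare/write/...


def parse_ger(attrs):
    """Turn a GER result entry into {'entry': set, 'attrs': {name: set}}."""
    entry = set()
    for v in attrs.get("entryLevelRights", []):
        entry |= set(v.decode()) & ENTRY_RIGHTS
    per_attr = {}
    for v in attrs.get("attributeLevelRights", []):
        for item in v.decode().split(","):           # "cn:rscwo, sn:rsc"
            name, _, letters = item.strip().partition(":")
            if name:
                per_attr[name] = set(letters) & ATTR_RIGHTS
    return {"entry": entry, "attrs": per_attr}


def subjects_with_rights(target_dn, subjects, query_ger, wanted=None):
    """Run GER on target_dn as each authzId; keep subjects with non-empty
    rights, or with at least one right in `wanted` (e.g. "wo") if given."""
    found = {}
    for subject in subjects:
        rights = parse_ger(query_ger(target_dn, subject))
        held = set(rights["entry"])
        for letters in rights["attrs"].values():
            held |= letters
        if wanted is not None:
            held &= set(wanted)
        if held:
            found[subject] = rights
    return found


# Constructed sample answers; a live query would attach
# ldap.controls.simple.GetEffectiveRightsControl(True, authz_id) to the search.
ADMIN = "dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test"
BOB = "dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test"
SAMPLE = {
    "dn:": {"entryLevelRights": [b"v"],           # anonymous: can read the key!
            "attributeLevelRights": [b"objectClass:rsc, krbMKey:rsc"]},
    ADMIN: {"entryLevelRights": [b"vadn"],
            "attributeLevelRights": [b"objectClass:rscwo, krbMKey:rscwo"]},
    BOB: {"entryLevelRights": [b""], "attributeLevelRights": [b"objectClass:, krbMKey:"]},
}


def fake_query_ger(target_dn, authz_id):
    """Stand-in for the real GER search; ignores target_dn, serves SAMPLE."""
    return SAMPLE.get(authz_id, {})
```

Running `subjects_with_rights("<target DN>", list(SAMPLE), fake_query_ger)` on the sample lists the anonymous subject and admin, and passing `wanted="w"` leaves only admin.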