On 04/18/2014 04:17 PM, Simo Sorce wrote:
On Fri, 2014-04-18 at 16:11 +0200, Martin Kosek wrote:
On 04/18/2014 04:07 PM, Simo Sorce wrote:
On Fri, 2014-04-18 at 15:49 +0200, Martin Kosek wrote:
On 04/18/2014 03:43 PM, Simo Sorce wrote:
On Fri, 2014-04-18 at 13:50 +0200, Petr Viktorin wrote:
This extends the "Anonymous read access to containers" ACI to cover
cn=etc, as discussed in [0].

A new objectClass is added so we can exclude virtual ops with
targetfilter: ipaVirtualOperation (2.16.840.1.113730.3.8.12.23).


[0] http://www.redhat.com/archives/freeipa-devel/2014-April/msg00319.html


LGTM


It works perfectly except for one subtree we missed during the initial review and which
we should discuss:

cn=replicas,cn=ipa,cn=etc,SUFFIX

It contains the list of replicas (not FreeIPA masters) connected to FreeIPA.
Currently, this only affects Winsync replicas.

I just verified that an anonymous user can retrieve the list of ADs connected via
winsync. The question is how to prevent it, given that this is also created dynamically
by older FreeIPA servers and that it has no special objectclass to
base a filter on.

Maybe we would need to add a deny ACI in this case after all?

Or we can add an objectclass here too, the update script will then need
to look at existing objects dynamically and update them.

This would not work well as older FreeIPA servers would not use this
objectclass when "ipa-replica-manage connect --winsync" is run on them.

I know, although you are probably not supposed to keep creating these
kinds of agreements until you finish upgrading all the servers, we always
advise people to upgrade the infra in a matter of weeks.

However we could also add a deny ACI only in this subtree for now and
change it later, if we think that's too much work.

We have plans to revisit shared replica information storage anyway, so
perhaps it is not worth spending too much time on this now.

Simo.

A deny ACI preventing access to nsContainer for anonymous users in
cn=replica... is probably our best shot ATM unless we find a better
solution.

Agree.

simo.


Updated patch attached.

--
Petr³
From 7a6ede6ac363666bee370bb9758c85969abea894 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <[email protected]>
Date: Thu, 17 Apr 2014 12:36:33 +0200
Subject: [PATCH] Add a new ipaVirtualOperation objectClass to virtual
 operations

The entries are moved from the ldif file to an update file.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 install/share/60basev3.ldif          |  1 +
 install/share/delegation.ldif        | 36 ---------------------------------
 install/updates/40-delegation.update | 39 ++++++++++++++++++++++++++++++++++++
 3 files changed, 40 insertions(+), 36 deletions(-)

diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index 8b92af247c742516c867a1f0666f4770cd4273d2..552045b63d9485ccd3685942b10c3f0e5b6105b6 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -64,3 +64,4 @@ dn: cn=schema
 objectClasses: (2.16.840.1.113730.3.8.12.19 NAME 'ipaUserAuthTypeClass' SUP top AUXILIARY DESC 'Class for authentication methods definition' MAY ipaUserAuthType X-ORIGIN 'IPA v3')
 objectClasses: (2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY MUST ( uid ) MAY ( userClass ) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.21 NAME 'ipaPermissionV2' DESC 'IPA Permission objectclass, version 2' SUP ipaPermission AUXILIARY MUST ( ipaPermBindRuleType $ ipaPermLocation ) MAY ( ipaPermDefaultAttr $ ipaPermIncludedAttr $ ipaPermExcludedAttr $ ipaPermRight $ ipaPermTargetFilter $ ipaPermTarget ) X-ORIGIN 'IPA v3' )
+objectClasses: (2.16.840.1.113730.3.8.12.23 NAME 'ipaVirtualOperation' DESC 'IPA Virtual operation objectclass' SUP top AUXILIARY MUST ( cn ) X-ORIGIN 'IPA v3' )
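Review bot: the OID jumps from .21 on the line above to .23 for ipaVirtualOperation; confirm .22 is already taken elsewhere, otherwise allocate sequentially so the gap in 60basev3.ldif does not read as a lost number. Every entry that will carry the class already has cn as its RDN (see the update-file stanzas in the third file of this patch), so MUST ( cn ) adds no real constraint; a DESC that says the class exists purely as an ACI targetfilter marker, e.g. 'Marker class for virtual operation entries, used by ACI target filters', would tell future readers why it defines nothing beyond cn.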
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 7fe3030828c09e21a3098227350b4b04256f031f..7bd4e1e2d93b1dde4122ad1bfbe889625d983544 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -647,12 +647,6 @@ dn: cn=virtual operations,cn=etc,$SUFFIX
 cn: virtual operations
 
 # Retrieve Certificate virtual op
-dn: cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: nsContainer
-cn: retrieve certificate
-
 dn: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
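Review bot: removing the cn=retrieve certificate entry here while keeping the ACI that targets ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX (the context line of the next hunk) in this same file means delegation.ldif now installs an ACI for an entry that only 40-delegation.update creates; confirm the updater runs as part of a fresh install and not only on upgrade, and add a one-line note under the remaining `# Retrieve Certificate virtual op` heading saying the entry itself now lives in the update file, since the heading otherwise sits above only the permission entry. The same applies to the five identical removals that follow.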
@@ -667,12 +661,6 @@ dn: $SUFFIX
 aci: (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,$SUFFIX";)
 
 # Request Certificate virtual op
-dn: cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: nsContainer
-cn: request certificate
-
 dn: cn=Request Certificate,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
@@ -687,12 +675,6 @@ dn: $SUFFIX
 aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Request Certificate" ; allow (write) groupdn = "ldap:///cn=Request Certificate,cn=permissions,cn=pbac,$SUFFIX";)
 
 # Request Certificate from different host virtual op
-dn: cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: nsContainer
-cn: request certificate different host
-
 dn: cn=Request Certificates from a different host,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
@@ -707,12 +689,6 @@ dn: $SUFFIX
 aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=Request Certificates from a different host,cn=permissions,cn=pbac,$SUFFIX";)
 
 # Certificate Status virtual op
-dn: cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: nsContainer
-cn: certificate status
-
 dn: cn=Get Certificates status from the CA,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
@@ -727,12 +703,6 @@ dn: $SUFFIX
 aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=Get Certificates status from the CA,cn=permissions,cn=pbac,$SUFFIX";)
 
 # Revoke Certificate virtual op
-dn: cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: nsContainer
-cn: revoke certificate
-
 dn: cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
@@ -747,12 +717,6 @@ dn: $SUFFIX
 aci: (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0 ; acl "permission:Revoke Certificate"; allow (write) groupdn = "ldap:///cn=Revoke Certificate,cn=permissions,cn=pbac,$SUFFIX";)
 
 # Certificate Remove Hold virtual op
-dn: cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: nsContainer
-cn: certificate remove hold
-
 dn: cn=Certificate Remove Hold,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 69061ca3df0cde8f66816e2f2f09aa15405a369e..33383038c8e40e132a4e75dee202619e6d7c1398 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -394,6 +394,45 @@ dn: cn=config
 add:aci: '(target = "ldap:///cn=automember rebuild membership,cn=tasks,cn=config")(targetattr=*)(version 3.0;acl "permission:Add Automember Rebuild Membership Task";allow (add) groupdn = "ldap:///cn=Add Automember Rebuild Membership Task,cn=permissions,cn=pbac,$SUFFIX";)'
 
 
+# Virtual operations
+
+dn: cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX
+add:objectClass: ipaVirtualOperation
+default:objectClass: top
+default:objectClass: nsContainer
+default:cn: retrieve certificate
+
+dn: cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX
+add:objectClass: ipaVirtualOperation
+default:objectClass: top
+default:objectClass: nsContainer
+default:cn: request certificate
+
+dn: cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX
+add:objectClass: ipaVirtualOperation
+default:objectClass: top
+default:objectClass: nsContainer
+default:cn: request certificate different host
+
+dn: cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX
+add:objectClass: ipaVirtualOperation
+default:objectClass: top
+default:objectClass: nsContainer
+default:cn: certificate status
+
+dn: cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX
+add:objectClass: ipaVirtualOperation
+default:objectClass: top
+default:objectClass: nsContainer
+default:cn: revoke certificate
+
+dn: cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX
+add:objectClass: ipaVirtualOperation
+default:objectClass: top
+default:objectClass: nsContainer
+default:cn: certificate remove hold
+
+
 # Read privileges
 dn: cn=RBAC Readers,cn=privileges,cn=pbac,$SUFFIX
 default:objectClass: nestedgroup
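Review bot: these six stanzas assume the parent cn=virtual operations,cn=etc,$SUFFIX already exists; it is still created only by delegation.ldif (its `dn:` and `cn: virtual operations` lines are the context at the top of the delegation.ldif hunks), so add a `default:` stanza for the parent ahead of them, otherwise creating a missing child entry has nothing to hang from. Only `add:objectClass: ipaVirtualOperation` does new work on an existing entry; a comment at the `# Virtual operations` heading noting that these were moved from delegation.ldif so that existing entries pick up the class on upgrade would make the intent of the block obvious.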
-- 
1.9.0

From 612472a29b1c6b3bfe895bfcc165968714ec7dcb Mon Sep 17 00:00:00 2001
From: Petr Viktorin <[email protected]>
Date: Wed, 16 Apr 2014 10:27:09 +0200
Subject: [PATCH] Extend anonymous read ACI for containers

- Allow cn=etc,$SUFFIX with these exceptions:
  - cn=masters,cn=ipa,cn=etc,$SUFFIX
  - virtual operations
  - cn=replicas,cn=ipa,cn=etc,$SUFFIX
- Disallow anonymous read access to Kerberos password policy

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 install/updates/20-aci.update | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 9d8a6392f2ffbfb52dd6725ed4008b29bc164b03..d3a9db2ae1e81ee9a0e8fb73102457bc2ec1826f 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -23,7 +23,10 @@ dn: $SUFFIX
 
 # Read access to containers
 dn: $SUFFIX
-add:aci:'(targetfilter="(objectclass=nsContainer)")(target!="ldap:///cn=etc,$SUFFIX";)(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";;)'
+add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy))(!(objectclass=ipaVirtualOperation)))")(target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX";)(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";;)'
+
+dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX
+add:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";;)'
 
 # Read access to Kerberos container (cn=kerberos) and realm containers (cn=$REALM,cn=kerberos)
 dn: cn=kerberos,$SUFFIX
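Review bot: `userdn = "ldap:///anyone"` in the new deny ACI matches authenticated binds as well as anonymous ones (389-ds uses `ldap:///all` for authenticated users only), so this hides the nsContainer entries under cn=replicas from every bind except Directory Manager, not just from anonymous, and a deny cannot be overridden by any later allow; the commit message lists cn=replicas only as an exception to the anonymous allow, so either state the broader effect there or, if only anonymous reads should be blocked, narrow the bind rule and confirm the tooling that lists winsync agreements still binds with enough rights. Two smaller points on the allow ACI: cn=masters is excluded through `target!=` while cn=replicas gets a separate deny (an ACI carries a single target clause, which is presumably why), and a comment saying so would save the next reader the question; and if update files are applied in numeric order, the `(!(objectclass=ipaVirtualOperation))` term takes effect before 40-delegation.update has added that class to the virtual operation entries, so they are anonymously readable for the part of an upgrade between the two files.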
-- 
1.9.0
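The access decision the two ACIs in the 20-aci.update hunk produce for the entries this thread discusses, as an added model written for this page rather than FreeIPA or 389-ds code. It assumes a suffix of dc=example,dc=com and a constructed set of sample entries (the winsync agreement DN under cn=replicas and the krbPwdPolicy entry are assumed shapes), and it implements only the 389-ds ACI rules the patch relies on: subtree scope, `target!=`, `targetfilter`, deny over allow, and `anyone` versus `all`. A real server evaluates many more keywords.

```python
# Added model (not FreeIPA or 389-ds code) of how the two ACIs from the
# 20-aci.update hunk combine for one bind: an ACI covers the entry it sits on
# and everything below it, narrowed by target/target!= (subtree) and
# targetfilter (LDAP filter on the entry's attributes); deny beats allow and the
# default is no access; "ldap:///anyone" matches anonymous and authenticated
# binds, "ldap:///all" only authenticated ones.
import re

SUFFIX = "dc=example,dc=com"   # assumed; the updater substitutes $SUFFIX


def dn_under(dn, base):
    """True if dn is base or lies below it (case-insensitive suffix test)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def parse_filter(text):
    """Tiny LDAP filter parser for (attr=value), (&...) and (!...)."""
    node, rest = _parse(text.strip())
    if rest: raise ValueError("trailing data in filter: %r" % rest)
    return node


def _parse(s):
    if not s.startswith("("): raise ValueError("expected '(' at %r" % s[:20])
    if s[1] in "&!":
        op, rest, kids = s[1], s[2:], []
        while rest.startswith("("):
            kid, rest = _parse(rest)
            kids.append(kid)
        if not rest.startswith(")"): raise ValueError("unterminated %s filter" % op)
        return (op, kids), rest[1:]
    end = s.index(")")
    attr, value = s[1:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), s[end + 1:]


def match(node, entry):
    """Evaluate a parsed filter against an entry given as {attr: [values]}."""
    op = node[0]
    if op == "=":
        return node[2] in [v.lower() for v in entry.get(node[1], [])]
    if op == "&":
        return all(match(k, entry) for k in node[1])
    return not match(node[1][0], entry)            # op == "!"


def parse_aci(text):
    """Extract the pieces this model needs from a 389-ds ACI string."""
    f = re.search(r'\(targetfilter="([^"]+)"\)', text)
    t = re.search(r'\(target(!?)="ldap:///([^"]+)"', text)
    e = re.search(r';\s*(allow|deny)\s*\(([^)]*)\)', text)
    u = re.search(r'userdn\s*=\s*"ldap:///(anyone|all)"', text)
    return {"filter": parse_filter(f.group(1)) if f else None,
            "target": (t.group(1) == "!", t.group(2).replace("$SUFFIX", SUFFIX)) if t else None,
            "effect": e.group(1),
            "rights": {r.strip() for r in e.group(2).split(",")},
            "who": u.group(1)}


def evaluate(acis, entry_dn, entry, right, authenticated=False):
    """Decision for one right on one entry: a matching deny wins, else any allow."""
    allowed = False
    for placed_at, aci in acis:
        if right not in aci["rights"] or not dn_under(entry_dn, placed_at):
            continue
        if aci["who"] == "all" and not authenticated:
            continue
        if aci["target"] is not None:
            negated, target_dn = aci["target"]
            if dn_under(entry_dn, target_dn) == negated:   # inside target!= / outside target=
                continue
        if aci["filter"] is not None and not match(aci["filter"], entry):
            continue
        if aci["effect"] == "deny":
            return False
        allowed = True
    return allowed


# The two ACIs as the hunk adds them, keyed by the entry they are placed on.
RAW_ACIS = [
    ("$SUFFIX",
     '(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy))'
     '(!(objectclass=ipaVirtualOperation)))")'
     '(target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX";)'
     '(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to '
     'containers"; allow(read, search, compare) userdn = "ldap:///anyone";;)'),
    ("cn=replicas,cn=ipa,cn=etc,$SUFFIX",
     '(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access '
     'to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";;)'),
]
ACIS = [(dn.replace("$SUFFIX", SUFFIX), parse_aci(text)) for dn, text in RAW_ACIS]


def container(*extra):
    return {"objectclass": ["top", "nsContainer"] + list(extra)}


# Constructed sample entries standing in for the ones the thread discusses;
# the winsync agreement DN under cn=replicas is an assumed shape.
ENTRIES = {
    "cn=etc," + SUFFIX: container(),
    "cn=virtual operations,cn=etc," + SUFFIX: container(),
    "cn=retrieve certificate,cn=virtual operations,cn=etc," + SUFFIX: container("ipaVirtualOperation"),
    "cn=masters,cn=ipa,cn=etc," + SUFFIX: container(),
    "cn=replicas,cn=ipa,cn=etc," + SUFFIX: container(),
    "cn=ad.example.test,cn=replicas,cn=ipa,cn=etc," + SUFFIX: container(),
    "cn=global_policy,cn=EXAMPLE.COM,cn=kerberos," + SUFFIX: container("krbPwdPolicy"),
}


def readable(authenticated=False):
    """Map each sample DN to whether a bind of that kind may read it."""
    return {dn: evaluate(ACIS, dn, e, "read", authenticated) for dn, e in ENTRIES.items()}
```

With the patch's two ACIs, `readable()` reports cn=etc and the cn=virtual operations container as readable anonymously, while cn=masters, each virtual operation entry, everything under cn=replicas and the password policy entry are not. `readable(authenticated=True)` still reports cn=replicas as denied, because `ldap:///anyone` covers authenticated binds as well, which is the point to keep in mind when reading the deny ACI.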

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
