On ma, 18 maalis 2019, Mateusz O via FreeIPA-users wrote:
> I read the information from the link and resign from the idea of blocking users from viewing
> information about other users.
>
> About the password issue.
>
> I'm creating a new user which is in the default 'ipausers' group and is not
> assigned to any role.
> When I log in using the newly created account I can reset others' passwords.
Uhm. I think you need to show more details.
For example, I have IPA.TEST deployment where I use admin user to create
two other users: 'someuser' and 'anotheruser'. I set them passwords and
then try to reset a password for 'someuser' as 'anotheruser'. I get
denial for that because 'anotheruser' cannot change a password for
'someuser'. The same happens in web UI. The denial is reflected in the
LDAP server access log. It doesn't matter that someone can enter
something in a web UI form -- as long as you are not actually able to
change the account details where you shouldn't, it makes no difference
how you came to the change point.

bash-4.4# kdestroy
bash-4.4# kinit admin
Password for [email protected]:
bash-4.4# ipa user-add someuser
First name: Some
Last name: User
---------------------
Added user "someuser"
---------------------
 User login: someuser
 First name: Some
 Last name: User
 Full name: Some User
 Display name: Some User
 Initials: SU
 Home directory: /home/someuser
 GECOS: Some User
 Login shell: /bin/sh
 Principal name: [email protected]
 Principal alias: [email protected]
 Email address: [email protected]
 UID: 1811400001
 GID: 1811400001
 Password: False
 Member of groups: ipausers
 Kerberos keys available: False
bash-4.4# ipa passwd someuser
New Password:
Enter New Password again to verify:
----------------------------------------
Changed password for "[email protected]"
----------------------------------------
bash-4.4# ipa user-add anotheruser
First name: Another
Last name: User
------------------------
Added user "anotheruser"
------------------------
 User login: anotheruser
 First name: Another
 Last name: User
 Full name: Another User
 Display name: Another User
 Initials: AU
 Home directory: /home/anotheruser
 GECOS: Another User
 Login shell: /bin/sh
 Principal name: [email protected]
 Principal alias: [email protected]
 Email address: [email protected]
 UID: 1811400003
 GID: 1811400003
 Password: False
 Member of groups: ipausers
 Kerberos keys available: False
bash-4.4# ipa passwd anotheruser
New Password:
Enter New Password again to verify:
-------------------------------------------
Changed password for "[email protected]"
-------------------------------------------
bash-4.4# kdestroy
bash-4.4# kinit anotheruser
Password for [email protected]:
Password expired. You must change it now.
Enter new password:
Enter it again:
bash-4.4# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
03/18/19 10:46:40  03/19/19 10:46:40  krbtgt/[email protected]
bash-4.4# ipa passwd someuser
New Password:
Enter New Password again to verify:
ipa: ERROR: Insufficient access: Insufficient access rights


In the access logs (/var/log/dirsrv/slapd-<INSTANCE>/access) for LDAP
server I see the whole sequence for the last 'ipa passwd someuser'
operation:

[18/Mar/2019:10:46:58.591696828 +0000] conn=380 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO
[18/Mar/2019:10:46:58.604926385 +0000] conn=380 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0013438281 dn="uid=anotheruser,cn=users,cn=accounts,dc=ipa,dc=test"
[18/Mar/2019:10:46:58.609801432 +0000] conn=380 op=1 SRCH base="cn=ipaconfig,cn=etc,dc=ipa,dc=test" scope=0 filter="(objectClass=*)" attrs=ALL
[18/Mar/2019:10:46:58.611001189 +0000] conn=380 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0001376879
[18/Mar/2019:10:46:58.613015017 +0000] conn=380 op=2 SRCH base="cn=users,cn=accounts,dc=ipa,dc=test" scope=2 filter="(&([email protected])(objectClass=posixaccount))" attrs=""
[18/Mar/2019:10:46:58.613522708 +0000] conn=380 op=2 RESULT err=0 tag=101 nentries=1 etime=0.0000660001
[18/Mar/2019:10:46:58.614403297 +0000] conn=380 op=3 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="IPA Password Manager"
[18/Mar/2019:10:46:58.615899244 +0000] conn=380 op=3 RESULT err=50 tag=120 nentries=0 etime=0.0001635916
[18/Mar/2019:10:46:58.620618391 +0000] conn=380 op=4 UNBIND
[18/Mar/2019:10:46:58.620681680 +0000] conn=380 op=4 fd=110 closed - U1

Operation 3 (lines with op=3) is an attempt to change the password and
it fails (err=50, Insufficient access rights).

What do you see?


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
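As an added illustration (my own script, not part of Alexander's reply or of FreeIPA), here is how the reasoning above can be turned into a check over 389-ds access log lines: correlate the SASL BIND RESULT (which carries the authenticated dn=) with the Password Modify extended operation (OID 1.3.6.1.4.1.4203.1.11.1, RFC 3062, logged by IPA as "IPA Password Manager") on the same conn/op, and report attempts the server refused with err=50. The sample lines are copied from the session quoted above.

```python
import re

# Sample 389-ds access log lines, taken from the session in this thread:
# 'anotheruser' binds via GSSAPI and is refused a password change (err=50).
SAMPLE_LOG = """\
[18/Mar/2019:10:46:58.591696828 +0000] conn=380 op=0 BIND dn="" method=sasl version=3 mech=GSS-SPNEGO
[18/Mar/2019:10:46:58.604926385 +0000] conn=380 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0013438281 dn="uid=anotheruser,cn=users,cn=accounts,dc=ipa,dc=test"
[18/Mar/2019:10:46:58.614403297 +0000] conn=380 op=3 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="IPA Password Manager"
[18/Mar/2019:10:46:58.615899244 +0000] conn=380 op=3 RESULT err=50 tag=120 nentries=0 etime=0.0001635916
[18/Mar/2019:10:46:58.620618391 +0000] conn=380 op=4 UNBIND
"""

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"   # RFC 3062 Password Modify
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
DN_RE = re.compile(r'\bdn="([^"]*)"')
ERR_RE = re.compile(r'\berr=(\d+)')

def denied_password_changes(log_text):
    """Return (timestamp, conn, bind_dn) for each Password Modify EXT op
    answered with err=50 (LDAP insufficientAccessRights)."""
    bind_op = {}    # conn -> op number of the BIND awaiting its RESULT
    bind_dn = {}    # conn -> DN the connection is authenticated as
    pending = {}    # (conn, op) -> timestamp of a Password Modify EXT
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # e.g. "fd=... closed" lines
        conn, op, rest = m['conn'], m['op'], m['rest']
        if rest.startswith('BIND'):
            bind_op[conn] = op
        elif rest.startswith('RESULT') and bind_op.get(conn) == op:
            # For SASL binds the effective identity appears only here, as dn=.
            dn = DN_RE.search(rest)
            if dn:
                bind_dn[conn] = dn.group(1)
        elif rest.startswith('EXT') and f'oid="{PASSWD_MODIFY_OID}"' in rest:
            pending[(conn, op)] = m['ts']
        elif rest.startswith('RESULT') and (conn, op) in pending:
            err = ERR_RE.search(rest)
            if err and err.group(1) == '50':
                findings.append((pending[(conn, op)], conn, bind_dn.get(conn, '<unknown>')))
            del pending[(conn, op)]
    return findings

if __name__ == '__main__':
    for ts, conn, dn in denied_password_changes(SAMPLE_LOG):
        print(f"{ts} conn={conn}: password change refused for bind identity {dn}")
```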
