> I might be missing something here, but if an account can manage all
> posixGroup objects then he's, from a attacker point of view, as privileged
> as a member of the admin group, isn't he?
> 

Which is precisely why I created a new role limited to POSIX Groups only.
After reading Christian's post, I went in and investigated the existing roles
and privileges.

Start with "ipa role-find" and "ipa privilege-find" to get the following.
I have 9 here, rather than 8, because it shows the new role I created.

$ ipa role-find
---------------
9 roles matched
---------------
  Role name: CIFS server

  Role name: Enrollment Administrator
  Description: Enrollment Administrator responsible for client(host) enrollment

  Role name: Group_Administrator
  Description: Responsible for creating Groups only

  Role name: helpdesk
  Description: Helpdesk

  Role name: IT Security Specialist
  Description: IT Security Specialist

  Role name: IT Specialist
  Description: IT Specialist

  Role name: Security Architect
  Description: Security Architect

  Role name: Subordinate ID Selfservice User
  Description: User that can self-request subordiante ids

  Role name: User Administrator
  Description: Responsible for creating Users and Groups
----------------------------
Number of entries returned 9
----------------------------
$ ipa privilege-find
---------------------
37 privileges matched
---------------------
  Privilege name: ADTrust Agents
  Description: System accounts able to access trust information

  Privilege name: Automember Readers
  Description: Read Automember definitions

  Privilege name: Automember Task Administrator
  Description: Automember Task Administrator

  Privilege name: Automount Administrators
  Description: Automount Administrators

  Privilege name: CA Administrator
  Description: CA Administrator

  Privilege name: Certificate Administrators
  Description: Certificate Administrators

  Privilege name: Certificate Identity Mapping Administrators
  Description: Certificate Identity Mapping Administrators

  Privilege name: CIFS server privilege

  Privilege name: Delegation Administrator
  Description: Role administration

  Privilege name: DNS Administrators
  Description: DNS Administrators

  Privilege name: DNS Servers
  Description: DNS Servers

  Privilege name: External IdP server Administrators
  Description: External IdP server Administrators

  Privilege name: Group Administrators
  Description: Group Administrators

  Privilege name: HBAC Administrator
  Description: HBAC Administrator

  Privilege name: Host Administrators
  Description: Host Administrators

  Privilege name: Host Enrollment
  Description: Host Enrollment

  Privilege name: Host Group Administrators
  Description: Host Group Administrators

  Privilege name: IPA Masters Readers
  Description: Read list of IPA masters

  Privilege name: Kerberos Ticket Policy Readers
  Description: Read global and per-user Kerberos ticket policy

  Privilege name: Modify Group membership
  Description: Modify Group membership

  Privilege name: Modify Users and Reset passwords
  Description: Modify Users and Reset passwords

  Privilege name: Netgroups Administrators
  Description: Netgroups Administrators

  Privilege name: PassSync Service
  Description: PassSync Service

  Privilege name: Password Policy Administrator
  Description: Password Policy Administrator

  Privilege name: Password Policy Readers
  Description: Read password policies

  Privilege name: RBAC Readers
  Description: Read roles, privileges, permissions and ACIs

  Privilege name: Replication Administrators
  Description: Replication Administrators

  Privilege name: SELinux User Map Administrators
  Description: SELinux User Map Administrators

  Privilege name: Service Administrators
  Description: Service Administrators

  Privilege name: Stage User Administrators
  Description: Stage User Administrators

  Privilege name: Stage User Provisioning
  Description: Stage User Provisioning

  Privilege name: Subordinate ID Administrators
  Description: Subordinate ID Administrators

  Privilege name: Subordinate ID Selfservice Users
  Description: Subordinate ID Selfservice User

  Privilege name: Sudo Administrator
  Description: Sudo Administrator

  Privilege name: User Administrators
  Description: User Administrators

  Privilege name: Vault Administrators
  Description: Vault Administrators

  Privilege name: Write IPA Configuration
  Description: Write IPA Configuration
-----------------------------
Number of entries returned 37
-----------------------------

$ ipa role-show "User Administrator"
  Role name: User Administrator
  Description: Responsible for creating Users and Groups
  Privileges: User Administrators, Group Administrators, Stage User 
Administrators, Subordinate ID Administrators

$ ipa privilege-show "Group Administrators"
  Privilege name: Group Administrators
  Description: Group Administrators
  Permissions: System: Add Groups, System: Modify External Group Membership, 
System: Modify Group Membership, System: Modify Groups,
               System: Remove Groups
  Granting privilege to roles: User Administrator, Group_Administrator

$ ipa role-show Group_Administrator
  Role name: Group_Administrator
  Description: Responsible for creating Groups only
  Member users: group_admin
  Privileges: Group Administrators
------------------------------------------------------------------------------------------------------------------------------------


All I needed to do was create a new role "Group_Administrator" with only the
Group_Administrator privilege. I then assigned the service id to the role.

It works exactly like I had hoped. It is only able to manipulate group
objects. Otherwise, I see something like this:

$ ipa user-add test_user
First name: test
Last name: user
ipa: ERROR: Insufficient access: Could not read UPG Definition originfilter. 
Check your permissions.
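An added audit script, not the poster's code or FreeIPA's: it parses the `ipa role-show` / `ipa privilege-show` text quoted above (the samples, the allowlist regex and the "not captured" wording are constructed here) and reports whether a role reaches any permission outside a groups-only allowlist, treating a privilege whose output was not captured as a finding rather than silently passing it.

```python
# Added example (not from the thread or the FreeIPA project): expand a role's
# privileges into permissions from `ipa *-show` text and flag any overreach.
import re
# Constructed samples of the output quoted above, with its mail-client wrapping.
GROUP_ADMIN_ROLE = """\
  Role name: Group_Administrator
  Privileges: Group Administrators
"""
USER_ADMIN_ROLE = """\
  Role name: User Administrator
  Privileges: User Administrators, Group Administrators, Stage User
Administrators, Subordinate ID Administrators
"""
GROUP_ADMINS_PRIV = """\
  Privilege name: Group Administrators
  Permissions: System: Add Groups, System: Modify External Group Membership,
System: Modify Group Membership, System: Modify Groups,
               System: Remove Groups
"""
# Regex of permissions a groups-only role may hold; anything else is a finding.
GROUPS_ONLY = r"System: (Add|Modify|Remove) (External )?Groups?( Membership)?"

def parse_ipa_show(text):
    """`ipa *-show` text -> {field: value}; wrapped values are re-joined."""
    fields, key = {}, None
    for line in text.splitlines():
        m = re.match(r"^ {2}([A-Za-z][A-Za-z ]*?): (.*)$", line)
        if m:
            key = m.group(1)
            fields[key] = m.group(2).strip()
        elif key and line.strip():  # continuation of the previous value
            fields[key] += " " + line.strip()
    return fields

def split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def audit_role(role_text, priv_texts, allowed):
    """Return (role name, findings); an unexpanded privilege is a finding too."""
    role = parse_ipa_show(role_text)
    privs = {p["Privilege name"]: p for p in map(parse_ipa_show, priv_texts)}
    findings = []
    for name in split_list(role.get("Privileges", "")):
        if name not in privs:
            findings.append(f"{name}: privilege-show output not captured")
            continue
        for perm in split_list(privs[name].get("Permissions", "")):
            if not re.fullmatch(allowed, perm):
                findings.append(f"{name} -> {perm}")
    return role["Role name"], findings
```

Run against the two roles above, Group_Administrator comes back clean while User Administrator reports its three non-group privileges, which is the difference the thread is about.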
_______________________________________________
FreeIPA-users mailing list -- [email protected]