On 19/08/2023 19.18, DFIRob via FreeIPA-users wrote:
> I might be missing something here, but if an account can manage all
> posixGroup objects then he's, from a attacker point of view, as
> privileged as a member of the admin group, isn't he?
No, they can only add/remove groups and modify group members for all
POSIX groups except "admins". The permissions "System: Modify Group
Membership" and "System: Remove group" prevent any tampering with the
admins group. A user with elevated group management permission cannot
add or remove members from the admins group, nor can they delete and
re-create the admins group.
There are still scenarios where a custom group combined with custom HBAC
and custom SUDO rules may allow a group membership admin to gain
additional permissions. You can prevent it by restricting logins and
SUDO access to IPA servers.
Christian
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael
O'Neill
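The escalation scenario Christian describes (a group-membership admin joining a non-admins group that has both HBAC login and sudo on an IPA server) can be audited with a small script. This is an added example, not code from the thread or from FreeIPA; it works on a simplified, constructed rule model (direct group and host members plus the "all" categories, no host groups or HBAC services) rather than on live FreeIPA data.

```python
"""Audit rules for the path: a group-membership admin can join any POSIX
group except 'admins'; if such a group gets login (HBAC) plus sudo on an
IPA server, group management is effectively admin. All data below is a
constructed sample in simplified dict form, not FreeIPA's own schema."""

IPA_SERVERS = {"ipa1.example.test", "ipa2.example.test"}  # constructed
GROUPS = {"admins", "ops", "webteam", "devs"}              # constructed

# usercat/hostcat "all" means the rule matches every user/host.
HBAC_RULES = [
    {"cn": "ops_to_ipa", "enabled": True, "usercat": "", "hostcat": "",
     "groups": {"ops"}, "hosts": {"ipa1.example.test"}},
    {"cn": "admins_all", "enabled": True, "usercat": "", "hostcat": "all",
     "groups": {"admins"}, "hosts": set()},
    {"cn": "old_allow_all", "enabled": False, "usercat": "all",
     "hostcat": "all", "groups": set(), "hosts": set()},
]
SUDO_RULES = [
    {"cn": "ops_root", "enabled": True, "usercat": "", "hostcat": "all",
     "groups": {"ops"}, "hosts": set()},
    {"cn": "web_restart", "enabled": True, "usercat": "", "hostcat": "",
     "groups": {"webteam"}, "hosts": {"web1.example.test"}},
]


def _rule_hits(rule, group, host):
    """True if an enabled rule applies to this group on this host."""
    if not rule["enabled"]:
        return False
    user_ok = rule["usercat"] == "all" or group in rule["groups"]
    host_ok = rule["hostcat"] == "all" or host in rule["hosts"]
    return user_ok and host_ok


def escalation_paths(groups, ipa_servers, hbac_rules, sudo_rules):
    """Map (group, ipa_server) -> (hbac_rule, sudo_rule) for every group a
    group-membership admin could join that has both login and sudo there."""
    paths = {}
    for group in sorted(groups - {"admins"}):  # admins is protected
        for host in sorted(ipa_servers):
            login = next((r["cn"] for r in hbac_rules
                          if _rule_hits(r, group, host)), None)
            sudo = next((r["cn"] for r in sudo_rules
                         if _rule_hits(r, group, host)), None)
            if login and sudo:
                paths[(group, host)] = (login, sudo)
    return paths


if __name__ == "__main__":
    for (g, h), (hb, su) in escalation_paths(
            GROUPS, IPA_SERVERS, HBAC_RULES, SUDO_RULES).items():
        print(f"{g} on {h}: login via HBAC '{hb}', sudo via '{su}'")
```

Any group reported here is one that "System: Modify Group Membership" lets a group admin join, so its HBAC or sudo rule on the IPA servers is the setting to tighten.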
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]