Re: [Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.
Simo Sorce wrote:
> I guess so.

Ok, removed the duplicate krbMKey and pushed to master

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.
On Tue, 30 Nov 2010 10:28:41 -0500
Rob Crittenden wrote:

> Simo Sorce wrote:
> > On Wed, 17 Nov 2010 15:07:03 -0500
> > Rob Crittenden wrote:
> >
> >> +aci: (targetattr != "userPassword || krbPrincipalKey ||
> >> sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey ||
> >> krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey ||
> >> krbTicketPolicyReference || krbPrincipalExpiration ||
> >> krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType
> >> || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases ||
> >> krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth ||
> >> krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf ||
> >> serverHostName || enrolledBy")(version 3.0; acl "Admin can manage
> >> any entry"; allow (all) groupdn =
> >> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)
> >
> > Ah also forgot to say that I am not sure we want admin to be able to
> > change krbPwdHistory and krbLastPwdChange.
> > Also not sure about krbLastSuccessfulAuth and krbLastFailedAuth,
> > while we might let admin write krbLoginFailedCount in order to
> > unlock an automatically locked account that failed preauth too many
> > times.
> >
> > We also probably do not want admin to be able to change ipaUniqueId.
> >
> > Simo.
> >
>
> These are already attributes that the admin cannot write. Can I just
> remove the duplicate krbMKey?

I guess so.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.
Simo Sorce wrote:
> On Wed, 17 Nov 2010 15:07:03 -0500
> Rob Crittenden wrote:
>
>> +aci: (targetattr != "userPassword || krbPrincipalKey ||
>> sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey ||
>> krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey ||
>> krbTicketPolicyReference || krbPrincipalExpiration ||
>> krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType ||
>> krbPwdHistory || krbLastPwdChange || krbPrincipalAliases ||
>> krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth ||
>> krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf ||
>> serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any
>> entry"; allow (all) groupdn =
>> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)
>
> Ah also forgot to say that I am not sure we want admin to be able to
> change krbPwdHistory and krbLastPwdChange.
> Also not sure about krbLastSuccessfulAuth and krbLastFailedAuth,
> while we might let admin write krbLoginFailedCount in order to
> unlock an automatically locked account that failed preauth too many
> times.
>
> We also probably do not want admin to be able to change ipaUniqueId.
>
> Simo.

These are already attributes that the admin cannot write. Can I just
remove the duplicate krbMKey?

rob
Re: [Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.
Simo Sorce wrote:
> On Wed, 17 Nov 2010 15:07:03 -0500
> Rob Crittenden wrote:
>
>> +aci: (targetattr != "userPassword || krbPrincipalKey ||
>> sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey ||
>> krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey ||
>> krbTicketPolicyReference || krbPrincipalExpiration ||
>> krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType ||
>> krbPwdHistory || krbLastPwdChange || krbPrincipalAliases ||
>> krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth ||
>> krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf ||
>> serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any
>> entry"; allow (all) groupdn =
>> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)
>
> Ah also forgot to say that I am not sure we want admin to be able to
> change krbPwdHistory and krbLastPwdChange.
> Also not sure about krbLastSuccessfulAuth and krbLastFailedAuth,
> while we might let admin write krbLoginFailedCount in order to
> unlock an automatically locked account that failed preauth too many
> times.
>
> We also probably do not want admin to be able to change ipaUniqueId.
>
> Simo.

I was going to tackle krbLoginFailedCount when we finally got a way to
unlock users across replicas.

You're right on the other two, we want admins to reset passwords :-)

ipaUniqueId needs to be writable so a UPG group can be detached. The
write is "autogenerate", the plugin handles the rest of the access
control.

rob
Re: [Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.
On Wed, 17 Nov 2010 15:07:03 -0500
Rob Crittenden wrote:

> +aci: (targetattr != "userPassword || krbPrincipalKey ||
> sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey ||
> krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey ||
> krbTicketPolicyReference || krbPrincipalExpiration ||
> krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType ||
> krbPwdHistory || krbLastPwdChange || krbPrincipalAliases ||
> krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth ||
> krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf ||
> serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any
> entry"; allow (all) groupdn =
> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)

Ah also forgot to say that I am not sure we want admin to be able to
change krbPwdHistory and krbLastPwdChange.
Also not sure about krbLastSuccessfulAuth and krbLastFailedAuth,
while we might let admin write krbLoginFailedCount in order to
unlock an automatically locked account that failed preauth too many
times.

We also probably do not want admin to be able to change ipaUniqueId.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.
Simo Sorce wrote:
> On Wed, 17 Nov 2010 15:07:03 -0500
> Rob Crittenden wrote:
>
>> aci: (targetattr != "userPassword || krbPrincipalKey ||
>> sambaLMPassword || sambaNTPassword || passwordHistory ||
>> krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read,
>> search, compare) userdn = "ldap:///anyone";;) -aci: (targetattr !=
>> "userPassword || krbPrincipalKey || sambaLMPassword ||
>> sambaNTPassword || passwordHistory || krbMKey || memberOf ||
>> serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any
>> entry"; allow (all) groupdn =
>> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;) +aci:
>> (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword ||
>> sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName ||
>> krbCanonicalName || krbUPEnabled || krbMKey ||
>> krbTicketPolicyReference || krbPrincipalExpiration ||
>> krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType ||
>> krbPwdHistory || krbLastPwdChange || krbPrincipalAliases ||
>> krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth ||
>> krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf ||
>> serverHostName || enrolledBy")(versi
>
> Nack.
> Some attributes are repeated multiple times in this chunk. (krbMKey
> for example).
>
> Simo.

Gah, ok. What I did here was run GER on the various objects and wonder
"Gee, should those be writable?" I guess I did a poor job de-duping.

I'll take another look.

rob
Re: [Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.
On Wed, 17 Nov 2010 15:07:03 -0500
Rob Crittenden wrote:

> aci: (targetattr != "userPassword || krbPrincipalKey ||
> sambaLMPassword || sambaNTPassword || passwordHistory ||
> krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read,
> search, compare) userdn = "ldap:///anyone";;) -aci: (targetattr !=
> "userPassword || krbPrincipalKey || sambaLMPassword ||
> sambaNTPassword || passwordHistory || krbMKey || memberOf ||
> serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any
> entry"; allow (all) groupdn =
> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;) +aci:
> (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword ||
> sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName ||
> krbCanonicalName || krbUPEnabled || krbMKey ||
> krbTicketPolicyReference || krbPrincipalExpiration ||
> krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType ||
> krbPwdHistory || krbLastPwdChange || krbPrincipalAliases ||
> krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth ||
> krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf ||
> serverHostName || enrolledBy")(versi

Nack.
Some attributes are repeated multiple times in this chunk. (krbMKey
for example).

Simo.

--
Simo Sorce * Red Hat, Inc * New York
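The nack above is about a repeated attribute in a `targetattr` list, and the patch further down in this thread re-scopes the "Self service" ACI so that hosts binding as themselves no longer match it. The following Python is an added example, not code from the thread, from FreeIPA or from 389 Directory Server: it models just enough of the ACI syntax used in the patch to lint a `targetattr` list for duplicates and to answer "can this bind DN write this attribute on this entry?" for allow rules with `userdn` self/anyone and `groupdn` bind rules. The suffix `dc=example,dc=test`, the user and host DNs, the `admins` membership and the abridged attribute lists are constructed for the example; the real server evaluates deny rules, targetfilter and many other bind rules that this model ignores.

```python
"""Toy model of the 389-ds ACIs in this patch (added example; not FreeIPA or
389-ds code): allow rules only, targetattr '=' / '!=', userdn self/anyone, groupdn."""
import re
from dataclasses import dataclass

SUFFIX = "dc=example,dc=test"  # constructed stand-in for $SUFFIX

# One aci value; a leading (targetfilter ...) is accepted and ignored.
ACI_RE = re.compile(
    r'(?:\(targetfilter\s*=\s*"[^"]*"\))?\(targetattr\s*(!?=)\s*"([^"]*)"\)'
    r'\(version 3\.0;\s*acl\s*"([^"]*)";\s*allow\s*\(([^)]*)\)\s*'
    r'(userdn|groupdn)\s*=\s*"ldap:///([^"]*)"\s*;+\)', re.IGNORECASE)


@dataclass
class Aci:
    name: str
    negate: bool     # True for targetattr != "..." (a deny-list of attributes)
    attrs: list      # as written: order and duplicates preserved
    perms: set
    bind_kind: str   # "userdn" or "groupdn"
    bind_value: str  # "self", "anyone" or a group DN


def parse_aci(text):
    m = ACI_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unsupported ACI syntax: %r" % text)
    op, attrlist, name, perms, kind, value = m.groups()
    return Aci(name, op == "!=", [a.strip() for a in attrlist.split("||")],
               {p.strip().lower() for p in perms.split(",")}, kind.lower(), value)


def duplicate_attrs(aci):
    """Attribute names listed more than once (LDAP names are case-insensitive)."""
    seen, dups = set(), []
    for a in aci.attrs:
        if a.lower() in seen and a not in dups:
            dups.append(a)
        seen.add(a.lower())
    return dups


def can_write(acis, bind_dn, entry_dn, attr, groups=None):
    """True if an ACI on entry_dn or an ancestor lets bind_dn write attr.
    acis: (scope_dn, Aci) pairs, scope_dn being the entry carrying the aci;
    groups: {group_dn: {member_dn, ...}} consulted for groupdn rules."""
    groups, e = groups or {}, entry_dn.lower()
    for scope_dn, aci in acis:
        if not (e == scope_dn.lower() or e.endswith("," + scope_dn.lower())):
            continue                           # entry outside the ACI's subtree
        if not aci.perms & {"write", "all"}:
            continue
        if aci.bind_kind == "userdn":
            bound = aci.bind_value == "anyone" or (
                aci.bind_value == "self" and bind_dn.lower() == e)
        else:
            bound = bind_dn.lower() in {m.lower() for m in groups.get(aci.bind_value, ())}
        listed = attr.lower() in {a.lower() for a in aci.attrs}
        if bound and listed != aci.negate:     # '=' needs listed, '!=' needs unlisted
            return True
    return False


# Abridged from the patch's new "Admin can manage any entry" ACI; the repeated
# krbMKey is kept exactly as the patch has it.
ADMIN_ACI = parse_aci(
    '(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || '
    'sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || '
    'krbCanonicalName || krbUPEnabled || krbMKey || krbPrincipalExpiration || '
    'krbLoginFailedCount || ipaUniqueId || memberOf || serverHostName || '
    'enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) '
    'groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,%s";)' % SUFFIX)
# Abridged from the "Self service" ACI in the same file.
SELF_ACI = parse_aci(
    '(targetattr = "givenName || sn || cn || displayName || loginShell || gecos '
    '|| description")(version 3.0;acl "Self service";allow (write) '
    'userdn = "ldap:///self";)')

USERS = "cn=users,cn=accounts," + SUFFIX
ADMINS = "cn=admins,cn=groups,cn=accounts," + SUFFIX
ADMIN, ALICE = "uid=admin," + USERS, "uid=alice," + USERS          # constructed
HOST = "fqdn=web1.example.test,cn=computers,cn=accounts," + SUFFIX  # constructed
GROUPS = {ADMINS: {ADMIN}}
# Before the patch the self-service ACI sat on $SUFFIX and so covered hosts;
# the patch moves it onto cn=users,cn=accounts,$SUFFIX.
BEFORE = [(SUFFIX, ADMIN_ACI), (SUFFIX, SELF_ACI)]
AFTER = [(SUFFIX, ADMIN_ACI), (USERS, SELF_ACI)]


def host_self_writes(acis, attr="loginShell"):
    return can_write(acis, HOST, HOST, attr)


def admin_writes(attr, acis=AFTER):
    return can_write(acis, ADMIN, ALICE, attr, GROUPS)


if __name__ == "__main__":
    print("repeated in admin ACI:", duplicate_attrs(ADMIN_ACI))
    print("host writes its own loginShell before/after:",
          host_self_writes(BEFORE), host_self_writes(AFTER))
    print("admin writes description, krbMKey:",
          admin_writes("description"), admin_writes("krbMKey"))
```

Running the linter over every `aci:` value in default-aci.ldif before posting a patch is cheap and would have caught the repeated krbMKey; the `can_write` check shows why moving the self-service ACI from `$SUFFIX` to the users container matters: a host entry under `cn=computers` binding as itself matches `userdn = "ldap:///self"` just as a user does, so scope, not the bind rule, is what keeps it out.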
Re: [Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.
Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> On Wed, Nov 10, 2010 at 04:25:18PM -0500, Rob Crittenden wrote:
>>> The list of attributes that a host bound as itself could write was
>>> overly broad.
>>>
>>> A host can now only update its description, information about itself
>>> such as OS release, etc, its certificate, password and keytab.
>>>
>>> https://fedorahosted.org/freeipa/ticket/416
>>>
>>> rob
>>
>> Some of the changes in install/share/default-aci.ldif seem to not apply
>> cleanly on top of the current master. Does this patch depend on another
>> one?
>
> Maybe unreviewed patch 593 fix group objectclasses on detach
>
> rob

Ok, yes, this relies on patch 593. I also re-based it to patch cleanly
against the master.

rob

>From be1e360438742bd3c7965ad206272c9630d74628 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Wed, 17 Nov 2010 15:04:33 -0500
Subject: [PATCH] Reduce the number of attributes a host is allowed to write.

The list of attributes that a host bound as itself could write was
overly broad.

A host can now only update its description, information about itself
such as OS release, etc, its certificate, password and keytab.

ticket 416
---
 install/share/default-aci.ldif       |    8 ++--
 install/updates/40-delegation.update |    4 ++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index e0caf1f..ad54f5f 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -4,7 +4,7 @@ dn: $SUFFIX changetype: modify add: aci aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";;) -aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;) +aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";;) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/chang...@$realm,cn=$REALM,cn=kerberos,$SUFFIX";;) 
@@ -12,6 +12,10 @@ aci: (targetattr = "userPassword || krbPrincipalKey || krbPasswordExpiration || aci: (targetattr = "krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account can update some fields"; allow (write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";;) aci: (targetattr = "krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Only the KDC System Account has access to kerberos material"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";;) aci: (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;) + +dn: cn=users,cn=accounts,$SUFFIX +changetype: modify +add: aci aci: (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || busi
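Review bot: the rebased @@ -4,7 +4,7 @@ hunk still carries the defect that drew the nack on the first version: krbMKey appears twice in the new "Admin can manage any entry" targetattr, once among the original six excluded attributes and again after krbUPEnabled. The cause is visible in the next hunk: the added names are the attribute list of the "Only the KDC System Account has access to kerberos material" ACI appended verbatim, plus krbTicketFlags and ipaUniqueId, and that list already contains krbMKey. Drop the second occurrence, and consider keeping the two lists in one place (or generating one from the other) so they cannot drift apart the next time a Kerberos attribute is added.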
Re: [Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.
Jakub Hrozek wrote:
> On Wed, Nov 10, 2010 at 04:25:18PM -0500, Rob Crittenden wrote:
>> The list of attributes that a host bound as itself could write was
>> overly broad.
>>
>> A host can now only update its description, information about itself
>> such as OS release, etc, its certificate, password and keytab.
>>
>> https://fedorahosted.org/freeipa/ticket/416
>>
>> rob
>
> Some of the changes in install/share/default-aci.ldif seem to not apply
> cleanly on top of the current master. Does this patch depend on another
> one?

Maybe unreviewed patch 593 fix group objectclasses on detach

rob
Re: [Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.
On Wed, Nov 10, 2010 at 04:25:18PM -0500, Rob Crittenden wrote:
> The list of attributes that a host bound as itself could write was
> overly broad.
>
> A host can now only update its description, information about itself
> such as OS release, etc, its certificate, password and keytab.
>
> https://fedorahosted.org/freeipa/ticket/416
>
> rob

Some of the changes in install/share/default-aci.ldif seem to not apply
cleanly on top of the current master. Does this patch depend on another
one?

Jakub
[Freeipa-devel] [PATCH] 609 Reduce the number of attributes a host is allowed to write.
The list of attributes that a host bound as itself could write was
overly broad.

A host can now only update its description, information about itself
such as OS release, etc, its certificate, password and keytab.

https://fedorahosted.org/freeipa/ticket/416

rob

>From 9bb5fbc682bf290b81e5b86efcaf28d5970550b6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Wed, 10 Nov 2010 16:21:19 -0500
Subject: [PATCH] Reduce the number of attributes a host is allowed to write.

The list of attributes that a host bound as itself could write was
overly broad.

A host can now only update its description, information about itself
such as OS release, etc, its certificate, password and keytab.

ticket 416
---
 install/share/default-aci.ldif       |    8 ++--
 install/updates/40-delegation.update |    4 ++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index c48a68c..ce97085 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -4,7 +4,7 @@ dn: $SUFFIX changetype: modify add: aci aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";;) -aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;) +aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";;) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/chang...@$realm,cn=$REALM,cn=kerberos,$SUFFIX";;) 
@@ -12,6 +12,10 @@ aci: (targetattr = "userPassword || krbPrincipalKey || krbPasswordExpiration || aci: (targetattr = "krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account can update some fields"; allow (write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";;) aci: (targetattr = "krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Only the KDC System Account has access to kerberos material"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";;) aci: (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;) + +dn: cn=users,cn=accounts,$SUFFIX +changetype: modify +add: aci aci: (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";;) dn: cn=ipaConfig,cn=etc,$SUFFIX @@ -49,7 +53,7 @@ aci: (targetattr="userCertificate || krbPrincipalKey")(version 3.0; acl "Hosts c dn: cn=computers,cn=accounts,$SUFFIX changetype: modify add: aci -aci: (targetattr="userCertificate || krbLastPwdChange")(version 3.0; acl "Hosts can modify their own certs and keytabs"; allow(write
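Review bot: the + "Admin can manage any entry" line in the @@ -4,7 +4,7 @@ hunk lists krbMKey twice (after passwordHistory and again after krbUPEnabled); de-duplicate before this goes in. Two consequences of the enlarged exclusion list are worth a sentence in the commit message. First, since this ACI is written as targetattr != (a deny-list), every attribute not named stays admin-writable, so the list has to be maintained as the Kerberos schema grows; the context lines show the pattern already used for passwords, exclude from the blanket ACI and grant narrowly via "Admins can write passwords", and the Kerberos attributes admins still need should be handled the same way. Second, krbLoginFailedCount, krbPrincipalExpiration and krbTicketFlags are removed from admin write here and the only write grant visible for them in the diff is the KDC system account's "KDC System Account can update some fields" ACI in the next hunk (and only for the first of the three), so an admin unlocking an account that exceeded the failed-preauth limit, or setting an expiration, would need a separate targeted ACI.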
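Review bot: in the @@ -12,6 +12,10 @@ hunk the four added lines (blank, dn: cn=users,cn=accounts,$SUFFIX, changetype: modify, add: aci) insert a new entry header in front of the existing "Self service" ACI, which is itself unchanged context; the effect is to move that ACI from the $SUFFIX entry down to the users container, so that only entries under cn=users,cn=accounts binding as themselves can write givenName, loginShell, gecos, manager and the rest, and hosts or services binding as themselves no longer match it. That is the actual fix for the host over-permission this patch is titled for, but the commit message describes only the host side and never says the self-service ACI is being re-scoped rather than added; state it explicitly, otherwise a reader of default-aci.ldif will assume a new grant was introduced. The same re-scoping has to reach already-installed servers, so please confirm that install/updates/40-delegation.update (in the diffstat, hunks not included above) applies the identical dn and also removes the suffix-wide copy, since the ldif alone only affects fresh installs.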
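Review bot: the @@ -49,7 +53,7 @@ hunk removes, under dn: cn=computers,cn=accounts,$SUFFIX, an ACI that let a host binding as itself write krbLastPwdChange alongside userCertificate ("Hosts can modify their own certs and keytabs"). krbLastPwdChange is a KDC-maintained timestamp that also appears in the "Only the KDC System Account has access to kerberos material" list in the previous hunk, so taking it out of the host-writable set is correct and matches the commit message (certificate, password and keytab only). The replacement + line is cut off in this copy of the patch, so the new targetattr set cannot be checked here; the reviewer needs the full line to confirm that nothing beyond the certificate and key material is left writable to the host.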