URL: https://github.com/freeipa/freeipa/pull/341 Author: mbasti-rh Title: #341: certprofile-mod: correctly authorise config update Action: opened
PR body: """ Certificate profiles consist of an FreeIPA object, and a corresponding Dogtag configuration object. When updating profile configuration, changes to the Dogtag configuration are not properly authorised, allowing unprivileged operators to modify (but not create or delete) profiles. This could result in issuance of certificates with fraudulent subject naming information, improper key usage, or other badness. Update certprofile-mod to ensure that the operator has permission to modify FreeIPA certprofile objects before modifying the Dogtag configuration. https://fedorahosted.org/freeipa/ticket/6560 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/341/head:pr341 git checkout pr341
From 3b64673de8309bdd98171c4e23d1b177e855e033 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Tue, 15 Nov 2016 14:02:54 +1000 Subject: [PATCH] certprofile-mod: correctly authorise config update Certificate profiles consist of an FreeIPA object, and a corresponding Dogtag configuration object. When updating profile configuration, changes to the Dogtag configuration are not properly authorised, allowing unprivileged operators to modify (but not create or delete) profiles. This could result in issuance of certificates with fraudulent subject naming information, improper key usage, or other badness. Update certprofile-mod to ensure that the operator has permission to modify FreeIPA certprofile objects before modifying the Dogtag configuration. https://fedorahosted.org/freeipa/ticket/6560 --- ipaserver/plugins/certprofile.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ipaserver/plugins/certprofile.py b/ipaserver/plugins/certprofile.py index f446607..2bd3311 100644 --- a/ipaserver/plugins/certprofile.py +++ b/ipaserver/plugins/certprofile.py @@ -310,6 +310,11 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): raise errors.ProtectedEntryError(label='certprofile', key=keys[0], reason=_('Certificate profiles cannot be renamed')) if 'file' in options: + # ensure operator has permission to update a certprofile + if not ldap.can_write(dn, 'ipacertprofilestoreissued'): + raise errors.ACIError(info=_( + "Insufficient privilege to modify a certificate profile.")) + with self.api.Backend.ra_certprofile as profile_api: profile_api.disable_profile(keys[0]) try:
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code