[Freeipa-devel] Visibility of the sensitive LDAP data

2011-06-08 Thread Dmitri Pal
Hi,

We have been through this some time before and the decision made then
still left me uneasy.
We said that LDAP is by nature something that is readable by an
authenticated user. Other than special password- and key-related
attributes, everything else should be readable.

Now we have a bug https://bugzilla.redhat.com/show_bug.cgi?id=711693
It seems reasonable to hide the SUDO information from the normal user
and not make it widely available. I would argue that the HBAC should
fall into the same category.
I suspect there is a way to hide this information and if we implemented
everything correctly the UI and CLI should not fail and respecting the
effective rights will not present the UI or fail the CLI command.
So what should we do:
1) Leave as is and not bother at all (i.e. it is what it is)
2) Leave as is and defer the solution till later (do not fix it in 2.1
defer to 2.2)
3) Leave as is but document how to do it using permissions and ACIs
4) Provide default ACIs that would hide the records for the broad user
population

Looking for an opinion here.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] Visibility of the sensitive LDAP data

2011-06-08 Thread Simo Sorce
On Wed, 2011-06-08 at 14:15 -0400, Dmitri Pal wrote:
> Hi,
>
> We have been through this some time before and the decision made then
> still left me uneasy.
> We said that LDAP is by nature something that is readable by an
> authenticated user. Other than special password- and key-related
> attributes, everything else should be readable.
>
> Now we have a bug https://bugzilla.redhat.com/show_bug.cgi?id=711693
> It seems reasonable to hide the SUDO information from the normal user
> and not make it widely available. I would argue that the HBAC should
> fall into the same category.
> I suspect there is a way to hide this information and if we implemented
> everything correctly the UI and CLI should not fail and respecting the
> effective rights will not present the UI or fail the CLI command.
> So what should we do:
> 1) Leave as is and not bother at all (i.e. it is what it is)
> 2) Leave as is and defer the solution till later (do not fix it in 2.1
> defer to 2.2)
> 3) Leave as is but document how to do it using permissions and ACIs
> 4) Provide default ACIs that would hide the records for the broad user
> population
>
> Looking for an opinion here.

I am for (2)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] Visibility of the sensitive LDAP data

2011-06-08 Thread JR Aquino
On Jun 8, 2011, at 11:30 AM, Simo Sorce wrote:

> On Wed, 2011-06-08 at 14:15 -0400, Dmitri Pal wrote:
>> Hi,
>>
>> We have been through this some time before and the decision made then
>> still left me uneasy.
>> We said that LDAP is by nature something that is readable by an
>> authenticated user. Other than special password- and key-related
>> attributes, everything else should be readable.
>>
>> Now we have a bug https://bugzilla.redhat.com/show_bug.cgi?id=711693
>> It seems reasonable to hide the SUDO information from the normal user
>> and not make it widely available. I would argue that the HBAC should
>> fall into the same category.
>> I suspect there is a way to hide this information and if we implemented
>> everything correctly the UI and CLI should not fail and respecting the
>> effective rights will not present the UI or fail the CLI command.
>> So what should we do:
>> 1) Leave as is and not bother at all (i.e. it is what it is)
>> 2) Leave as is and defer the solution till later (do not fix it in 2.1
>> defer to 2.2)
>> 3) Leave as is but document how to do it using permissions and ACIs
>> 4) Provide default ACIs that would hide the records for the broad user
>> population
>>
>> Looking for an opinion here.
>
> I am for (2)
>
> Simo.
>


I am also for (2)

This logic becomes quite tricky however, because controlling this via ACIs
would have to be cognizant of the authenticated user to be able to make the
decision to show them only their /OWN/ authorization/access rights...



Re: [Freeipa-devel] Visibility of the sensitive LDAP data

2011-06-08 Thread JR Aquino
On Jun 8, 2011, at 12:29 PM, Dmitri Pal wrote:

> On 06/08/2011 03:15 PM, JR Aquino wrote:
>>>> 1) Leave as is and not bother at all (i.e. it is what it is)
>>>> 2) Leave as is and defer the solution till later (do not fix it in 2.1
>>>> defer to 2.2)
>>>> 3) Leave as is but document how to do it using permissions and ACIs
>>>> 4) Provide default ACIs that would hide the records for the broad user
>>>> population
>>>>
>>>> Looking for an opinion here.
>>>
>>> I am for (2)
>>>
>>> Simo.
>>
>> I am also for (2)
>>
>> This logic becomes quite tricky however, because controlling this via ACIs
>> would have to be cognizant of the authenticated user to be able to make the
>> decision to show them only their /OWN/ authorization/access rights...
>
> I am not sure if the user really needs to see these things at all. The SUDO
> and HBAC rules should be seen by SSSD or the LDAP client on the host (until
> SUDO is SSSD integrated); the user does not need to see or fetch the rules for
> himself. I do not think that any system exposes its access control rules in a
> way that a user can inspect and see in advance what he can do and what he
> can't.

Correct, specifically...

SSSD doesn't currently have support for SUDO, so a 'BindUser' is used to
perform LDAP lookups for sudo information. My point was, the client/server
system is what is performing the LDAP lookup, not the user itself. The system
must have the ability to review all entries in order to perform the
decision-making process. Whether the FreeIPA CLI allows a user to run
'ipa hbacrule-find' or 'ipa sudorule-find' is somewhat moot, as they can just
do an LDAP search to find that information out anyway (in the case of sudo, all
of the needed information is present in the clear in /etc/nss_ldap.conf anyway,
owned by root).

So Yes, I think that it is important for the CLI to limit an authenticated 
user's commands based on their authorization.

BUT

I think in addition to that, it is important to understand that the backend 
would be a way to short-circuit any prohibitions we implement via the cli.  I 
suppose ideally, you want to introduce a change that satisfies both 
requirements.

-JR
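Option (4) from the first message in concrete terms, as an added example that is not from this thread or from the FreeIPA project: a 389-DS ACI on the sudo rule container that denies read, search and compare to every bound user who is not in a readers group, so the host bind account (JR's 'BindUser') and the admins keep full visibility while an ordinary user's search of the container simply returns no entries instead of an error. The suffix dc=example,dc=com, the container DN, the uid=alice test user and the cn=sudo-readers group are all assumed; the same ACI applied to the HBAC container covers the second case Dmitri raises.

```ldif
# Added example (not from the thread). Assumed DNs: suffix dc=example,dc=com,
# sudo container cn=sudorules,cn=sudo,<suffix>, and a constructed group
# cn=sudo-readers,cn=groups,cn=accounts,<suffix> whose members are the host
# bind account used for sudo lookups and the admins.
#
# Apply as Directory Manager (which bypasses ACIs, so it cannot lock itself out):
#   ldapmodify -x -D "cn=Directory Manager" -W -f hide-sudo.ldif
dn: cn=sudorules,cn=sudo,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(target = "ldap:///cn=sudorules,cn=sudo,dc=example,dc=com")(version 3.0; acl "Hide sudo rules from users outside sudo-readers"; deny (read,search,compare) groupdn != "ldap:///cn=sudo-readers,cn=groups,cn=accounts,dc=example,dc=com";)

# Check as an ordinary user (uid=alice is a constructed account, not a member of
# sudo-readers). A deny ACI hides the entries from the result set rather than
# producing an error, so this search returns zero entries while the same search
# bound as the host bind account still lists every rule:
#   ldapsearch -x -D uid=alice,cn=users,cn=accounts,dc=example,dc=com -W \
#       -b cn=sudorules,cn=sudo,dc=example,dc=com '(objectclass=*)' dn
```

Because deny ACIs in 389-DS take precedence over any allow ACI covering the same entries, the broad "authenticated users can read" rule stays in place and only this subtree is carved out; the framework-side CLI and UI then see the same empty result as a direct LDAP client, which is the short-circuit JR describes.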

