Re: [Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users
On 06/19/2014 05:11 PM, Petr Viktorin wrote:
> On 06/19/2014 04:50 PM, Martin Kosek wrote:
>> On 06/19/2014 03:59 PM, Petr Viktorin wrote:
>>> On 06/19/2014 02:19 PM, Martin Kosek wrote:
>>>> On 06/19/2014 01:39 PM, Petr Viktorin wrote:
>>>>> See commit message.
>>>>>
>>>>> This was found in the review of host write permissions (my patches
>>>>> 0578-0579).
>>>>
>>>> Wouldn't it be better to filter based on objectclass? I.e.:
>>>>
>>>> (targetfilter="(!(objectclass=ipaConfigObject))"
>>>>
>>>> instead of DN based target filter? It seems to me that it is more resilient to
>>>> changes in LDAP structure, in case we change RDN or make one more level like
>>>> (just example):
>>>>
>>>> cn=DNSSEC,cn=DNS,cn=ipa.master.test,...
>>>
>>> Sure, fixed patch attached.
>>
>> /me sighs. I took the information for granted and I did not read the ACI
>> carefully and did not notice you sent the wrong patch which I pushed... Could we
>> please fix the filter and remove the target part now?
>>
>> Thanks,
>> Martin
>
> Sorry for that :(
> Here is a fix patch.

Thanks. ACK, pushed (both) to master.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users
On 06/19/2014 04:50 PM, Martin Kosek wrote:
> On 06/19/2014 03:59 PM, Petr Viktorin wrote:
>> On 06/19/2014 02:19 PM, Martin Kosek wrote:
>>> On 06/19/2014 01:39 PM, Petr Viktorin wrote:
>>>> See commit message.
>>>>
>>>> This was found in the review of host write permissions (my patches
>>>> 0578-0579).
>>>
>>> Wouldn't it be better to filter based on objectclass? I.e.:
>>>
>>> (targetfilter="(!(objectclass=ipaConfigObject))"
>>>
>>> instead of DN based target filter? It seems to me that it is more resilient to
>>> changes in LDAP structure, in case we change RDN or make one more level like
>>> (just example):
>>>
>>> cn=DNSSEC,cn=DNS,cn=ipa.master.test,...
>>
>> Sure, fixed patch attached.
>
> /me sighs. I took the information for granted and I did not read the ACI
> carefully and did not notice you sent the wrong patch which I pushed... Could we
> please fix the filter and remove the target part now?
>
> Thanks,
> Martin

Sorry for that :(
Here is a fix patch.

--
Petr³

From 0c4410eb6b4baa3bd3288e86c48987eb1b24f7cd Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Thu, 19 Jun 2014 13:01:06 +0200
Subject: [PATCH] Fix: Allow read access to masters, but not their services, to auth'd users

Fixes commit b243da415ecb2c28b5aa9bc563595efe35a40987

A bad version of the patch was sent and pushed.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 install/updates/20-aci.update | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index a10eb407700d352634d04c1e33dc996af6aaf87d..42fca71f33cfa2e4f145ed2bfc6faf35d82ecc05 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -30,7 +30,7 @@ dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX # Read access to masters (but not their services) dn: cn=masters,cn=ipa,cn=etc,$SUFFIX -add:aci:'(targetfilter="(objectclass=nsContainer)")(target!="ldap:///cn=*,cn=*,cn=masters,cn=ipa,cn=etc,$SUFFIX";)(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";;)' +add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=ipaConfigObject)))")(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";;)' # Read access to Kerberos container (cn=kerberos) and realm containers (cn=$REALM,cn=kerberos) dn: cn=kerberos,$SUFFIX -- 1.9.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
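Review bot: the replacement targetfilter `(&(objectclass=nsContainer)(!(objectclass=ipaConfigObject)))` hides an entry under cn=masters only when that entry carries ipaConfigObject, so any future service or sub-entry created without that objectclass would become readable (objectclass and cn) by every authenticated user through `userdn = "ldap:///all"`; that dependency should be stated in the comment above the ACI. It would also be worth adding a test next to this change that binds as a plain user, searches under cn=masters,cn=ipa,cn=etc,$SUFFIX and asserts that only the master entries come back and none of their service children; such a test would have caught the wrong attachment earlier in this thread.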
Re: [Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users
On 06/19/2014 03:59 PM, Petr Viktorin wrote:
> On 06/19/2014 02:19 PM, Martin Kosek wrote:
>> On 06/19/2014 01:39 PM, Petr Viktorin wrote:
>>> See commit message.
>>>
>>> This was found in the review of host write permissions (my patches
>>> 0578-0579).
>>
>> Wouldn't it be better to filter based on objectclass? I.e.:
>>
>> (targetfilter="(!(objectclass=ipaConfigObject))"
>>
>> instead of DN based target filter? It seems to me that it is more resilient
>> to
>> changes in LDAP structure, in case we change RDN or make one more level like
>> (just example):
>>
>> cn=DNSSEC,cn=DNS,cn=ipa.master.test,...
>
> Sure, fixed patch attached.

/me sighs. I took the information for granted and I did not read the ACI
carefully and did not notice you sent the wrong patch which I pushed... Could we
please fix the filter and remove the target part now?

Thanks,
Martin
Re: [Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users
On 06/19/2014 04:03 PM, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> On 06/19/2014 02:19 PM, Martin Kosek wrote:
>>> On 06/19/2014 01:39 PM, Petr Viktorin wrote:
>>>> See commit message.
>>>>
>>>> This was found in the review of host write permissions (my patches
>>>> 0578-0579).
>>>
>>> Wouldn't it be better to filter based on objectclass? I.e.:
>>>
>>> (targetfilter="(!(objectclass=ipaConfigObject))"
>>>
>>> instead of DN based target filter? It seems to me that it is more
>>> resilient to
>>> changes in LDAP structure, in case we change RDN or make one more
>>> level like
>>> (just example):
>>>
>>> cn=DNSSEC,cn=DNS,cn=ipa.master.test,...
>>
>> Sure, fixed patch attached.
>
> Are you sure you need read access and not just search/compare? The
> purpose is to see "is that thing there" and not "what is in that thing"
> right? Sure someone could fish for masters if they really wanted to.
>
> rob

I had the same idea and I did a couple of tests with just search&compare
yesterday. However, neither form worked for me so I gave up.

Martin
Re: [Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users
Petr Viktorin wrote:
> On 06/19/2014 02:19 PM, Martin Kosek wrote:
>> On 06/19/2014 01:39 PM, Petr Viktorin wrote:
>>> See commit message.
>>>
>>> This was found in the review of host write permissions (my patches
>>> 0578-0579).
>>
>> Wouldn't it be better to filter based on objectclass? I.e.:
>>
>> (targetfilter="(!(objectclass=ipaConfigObject))"
>>
>> instead of DN based target filter? It seems to me that it is more
>> resilient to
>> changes in LDAP structure, in case we change RDN or make one more
>> level like
>> (just example):
>>
>> cn=DNSSEC,cn=DNS,cn=ipa.master.test,...
>
> Sure, fixed patch attached.

Are you sure you need read access and not just search/compare? The
purpose is to see "is that thing there" and not "what is in that thing"
right? Sure someone could fish for masters if they really wanted to.

rob
Re: [Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users
On 06/19/2014 02:19 PM, Martin Kosek wrote:
> On 06/19/2014 01:39 PM, Petr Viktorin wrote:
>> See commit message.
>>
>> This was found in the review of host write permissions (my patches
>> 0578-0579).
>
> Wouldn't it be better to filter based on objectclass? I.e.:
>
> (targetfilter="(!(objectclass=ipaConfigObject))"
>
> instead of DN based target filter? It seems to me that it is more resilient to
> changes in LDAP structure, in case we change RDN or make one more level like
> (just example):
>
> cn=DNSSEC,cn=DNS,cn=ipa.master.test,...

Sure, fixed patch attached.

--
Petr³

From 3b30eb633431f83817cd3513b44c69d5de40be3c Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Thu, 19 Jun 2014 13:01:06 +0200
Subject: [PATCH] Allow read access to masters, but not their services, to auth'd users

The ipa host-del command checks if the host to be deleted is an IPA master
by looking up the entry in cn=masters. If the entry is not accessible,
host-del would proceed to delete the host. Thus we need to allow reading
the master entries to at least those that can delete hosts.

Since the host information is also available via DNS, it makes no sense
to be extremely secretive about it.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 install/updates/20-aci.update | 4
 1 file changed, 4 insertions(+)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 6af800111f30d26d37ceb0849f8730a3e15dad0b..a10eb407700d352634d04c1e33dc996af6aaf87d 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -28,6 +28,10 @@ dn: $SUFFIX dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX add:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";;)' +# Read access to masters (but not their services) +dn: cn=masters,cn=ipa,cn=etc,$SUFFIX +add:aci:'(targetfilter="(objectclass=nsContainer)")(target!="ldap:///cn=*,cn=*,cn=masters,cn=ipa,cn=etc,$SUFFIX";)(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";;)' + # Read access to Kerberos container (cn=kerberos) and realm containers (cn=$REALM,cn=kerberos) dn: cn=kerberos,$SUFFIX add:aci:'(targetattr = "cn || objectclass")(targetfilter = "(|(objectclass=krbrealmcontainer)(objectclass=krbcontainer))")(version 3.0;acl "Anonymous read access to Kerberos containers";allow (read,compare,search) userdn = "ldap:///anyone";;)' -- 1.9.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
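Review bot: this hunk is byte-for-byte the hunk from the original 0590 patch (same commit id 3b30eb633431f83817cd3513b44c69d5de40be3c, same `(target!="ldap:///cn=*,cn=*,cn=masters,cn=ipa,cn=etc,$SUFFIX";)` clause), so the objectclass-based exclusion agreed on in this thread has not been applied and the attachment looks like the wrong file. Please re-send with the targetfilter changed to `(&(objectclass=nsContainer)(!(objectclass=ipaConfigObject)))` and the target clause removed, and double-check the attached patch's diff before sending, since the reviewer is likely to push what is attached.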
Re: [Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users
On 06/19/2014 01:39 PM, Petr Viktorin wrote:
> See commit message.
>
> This was found in the review of host write permissions (my patches 0578-0579).

Wouldn't it be better to filter based on objectclass? I.e.:

(targetfilter="(!(objectclass=ipaConfigObject))"

instead of DN based target filter? It seems to me that it is more resilient to
changes in LDAP structure, in case we change RDN or make one more level like
(just example):

cn=DNSSEC,cn=DNS,cn=ipa.master.test,...

Martin
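The objectclass-based exclusion proposed in this message is the one that ended up in the pushed fix, as `(&(objectclass=nsContainer)(!(objectclass=ipaConfigObject)))`. To make concrete what that targetfilter exposes and what it hides, here is an added example that is not FreeIPA's code and not the 389-ds ACI engine: a minimal LDAP filter evaluator (equality, AND, OR, NOT, enough for the filters quoted in this thread) run over constructed sample entries shaped like the cn=masters subtree. Only the targetfilter and `targetattr="objectclass || cn"` parts of the ACI are modelled; the DN-based `target!=` clause of the first patch version is deliberately left out. The suffix `dc=example,dc=test`, the hostname `ipa.example.test` and the deeper `cn=DNSSEC,cn=DNS,...` entry are assumptions made up for illustration.

```python
"""Evaluate the targetfilter of the "Read access to masters" ACI against
sample entries.  Added example, not FreeIPA code and not the 389-ds ACI
engine: only the targetfilter and targetattr parts of the ACI are modelled,
with a tiny RFC 4515 subset (equality, AND, OR, NOT) that covers the filters
quoted in this thread."""
import re

# targetfilter from the pushed fix (install/updates/20-aci.update)
FIXED_FILTER = "(&(objectclass=nsContainer)(!(objectclass=ipaConfigObject)))"
# targetfilter from the first version of the patch; that version relied on a
# separate DN-based target!= clause, which is not modelled here
ORIGINAL_FILTER = "(objectclass=nsContainer)"
# targetattr="objectclass || cn": the only attributes the ACI grants
TARGET_ATTRS = {"objectclass", "cn"}

SUFFIX = "dc=example,dc=test"  # assumed suffix, not from the thread

# Constructed sample entries (attribute names lower-cased, values as lists,
# the way python-ldap returns them).  The hostname and the deeper DNSSEC
# entry are made up for illustration.
SAMPLE_ENTRIES = [
    {"dn": "cn=masters,cn=ipa,cn=etc," + SUFFIX,
     "objectclass": ["top", "nsContainer"], "cn": ["masters"]},
    {"dn": "cn=ipa.example.test,cn=masters,cn=ipa,cn=etc," + SUFFIX,
     "objectclass": ["top", "nsContainer"], "cn": ["ipa.example.test"]},
    {"dn": "cn=CA,cn=ipa.example.test,cn=masters,cn=ipa,cn=etc," + SUFFIX,
     "objectclass": ["top", "nsContainer", "ipaConfigObject"], "cn": ["CA"],
     "ipaconfigstring": ["enabledService"]},
    # a sub-entry one level deeper that does NOT carry ipaConfigObject
    {"dn": "cn=DNSSEC,cn=DNS,cn=ipa.example.test,cn=masters,cn=ipa,cn=etc," + SUFFIX,
     "objectclass": ["top", "nsContainer"], "cn": ["DNSSEC"]},
]


def parse_filter(text):
    """Parse (attr=value), (!(f)), (&(f)(g)...) or (|(f)(g)...) into a tree."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % text)
    body = text[1:-1]
    if body[:1] in ("&", "|"):
        return (body[0], _split_components(body[1:]))
    if body[:1] == "!":
        parts = _split_components(body[1:])
        if len(parts) != 1:
            raise ValueError("NOT takes exactly one component: %r" % text)
        return ("!", parts)
    match = re.fullmatch(r"([A-Za-z][\w;-]*)=([^()]*)", body)
    if not match:
        raise ValueError("unsupported filter component: %r" % text)
    return ("=", (match.group(1).lower(), match.group(2)))


def _split_components(text):
    """Split '(a)(b)(c)' into parsed sub-filters by tracking paren depth."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(text):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(parse_filter(text[start:i + 1]))
    if depth != 0 or not parts:
        raise ValueError("unbalanced filter: %r" % text)
    return parts


def matches(node, entry):
    """Evaluate a parsed filter; attribute values compare case-insensitively."""
    op, arg = node
    if op == "=":
        attr, wanted = arg
        return wanted.lower() in {v.lower() for v in entry.get(attr, [])}
    if op == "&":
        return all(matches(sub, entry) for sub in arg)
    if op == "|":
        return any(matches(sub, entry) for sub in arg)
    return not matches(arg[0], entry)  # op == "!"


def visible_attrs(entry, filter_text):
    """Attributes an authenticated user could read from entry under the ACI,
    or None when the targetfilter does not select the entry at all."""
    if not matches(parse_filter(filter_text), entry):
        return None
    return {a: v for a, v in entry.items() if a in TARGET_ATTRS}


def audit(entries, filter_text):
    """Map each DN to what the ACI exposes, so the two filters can be compared."""
    return {e["dn"]: visible_attrs(e, filter_text) for e in entries}


if __name__ == "__main__":
    for name, flt in (("original", ORIGINAL_FILTER), ("fixed", FIXED_FILTER)):
        print("== targetfilter:", name)
        for dn, exposed in audit(SAMPLE_ENTRIES, flt).items():
            print("  %-72s %s" % (dn, "hidden" if exposed is None else exposed))
```

Running it shows the master entry exposing only objectclass and cn under both filters, the `cn=CA` service entry hidden by the fixed filter (and selected by the original one, which relied on the DN target clause to exclude it), and the made-up `cn=DNSSEC` entry readable under the fixed filter because it lacks ipaConfigObject: the fixed filter excludes by entry type, not by position in the tree, so whoever adds a new kind of entry under cn=masters has to give it that objectclass to keep it hidden. On a real server the same check is an `ldapsearch` under `cn=masters,cn=ipa,cn=etc,$SUFFIX` bound as a non-admin user, expecting only the master entries back.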
[Freeipa-devel] [PATCH] 0590 Allow read access to masters, but not their services, to auth'd users
See commit message.

This was found in the review of host write permissions (my patches 0578-0579).

--
Petr³

From 3b30eb633431f83817cd3513b44c69d5de40be3c Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Thu, 19 Jun 2014 13:01:06 +0200
Subject: [PATCH] Allow read access to masters, but not their services, to auth'd users

The ipa host-del command checks if the host to be deleted is an IPA master
by looking up the entry in cn=masters. If the entry is not accessible,
host-del would proceed to delete the host. Thus we need to allow reading
the master entries to at least those that can delete hosts.

Since the host information is also available via DNS, it makes no sense
to be extremely secretive about it.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 install/updates/20-aci.update | 4
 1 file changed, 4 insertions(+)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 6af800111f30d26d37ceb0849f8730a3e15dad0b..a10eb407700d352634d04c1e33dc996af6aaf87d 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -28,6 +28,10 @@ dn: $SUFFIX dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX add:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";;)' +# Read access to masters (but not their services) +dn: cn=masters,cn=ipa,cn=etc,$SUFFIX +add:aci:'(targetfilter="(objectclass=nsContainer)")(target!="ldap:///cn=*,cn=*,cn=masters,cn=ipa,cn=etc,$SUFFIX";)(targetattr="objectclass || cn")(version 3.0; acl "Read access to masters"; allow(read, search, compare) userdn = "ldap:///all";;)' + # Read access to Kerberos container (cn=kerberos) and realm containers (cn=$REALM,cn=kerberos) dn: cn=kerberos,$SUFFIX add:aci:'(targetattr = "cn || objectclass")(targetfilter = "(|(objectclass=krbrealmcontainer)(objectclass=krbcontainer))")(version 3.0;acl "Anonymous read access to Kerberos containers";allow (read,compare,search) userdn = "ldap:///anyone";;)' -- 1.9.0 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
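Review bot: the exclusion in the added ACI is expressed by DN shape rather than by entry type: `(target!="ldap:///cn=*,cn=*,cn=masters,cn=ipa,cn=etc,$SUFFIX";)` names the service entries by their position under cn=masters, so the rule is tied to the current layout and RDN attribute even though the property actually being protected is "this is a service configuration entry". Since the ACI only exposes `objectclass || cn` anyway, consider moving the exclusion into the targetfilter, e.g. `(targetfilter="(&(objectclass=nsContainer)(!(objectclass=ipaConfigObject)))")`, and dropping the target clause; the commit message should also say which callers need this (host-del's cn=masters lookup) so a later reader knows why authenticated users can enumerate masters at all.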