Re: [Freeipa-devel] [PATCH] 683 block anonymous access to hbac info

2011-01-24 Thread Rob Crittenden

JR Aquino wrote:

On 1/20/11 10:05 AM, Rob Crittenden rcrit...@redhat.com wrote:

Simo Sorce wrote:

On Wed, 19 Jan 2011 17:51:56 -0500
Rob Crittenden rcrit...@redhat.com wrote:


+aci: (targetattr = member || memberOf || memberHost ||
memberUser)(version 3.0; acl No anonymous access to member
information; deny (read,search,compare) userdn != ldap:///all;;)


Nack, without 'member', nss_ldap will have no way to determine
posixAccount group memberships using anonymous access (the default).

Simo.



Ok, dropped member and added an aci for cn=roles.

rob
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


ACK



pushed to master



Re: [Freeipa-devel] [PATCH] 683 block anonymous access to hbac info

2011-01-20 Thread JR Aquino
I think it is safe to give up member.  It is necessary for nss_ldap and
nis.

If we remove member and add the role container I think that should cover
the low hanging fruit that discloses authorization data.

On 1/19/11 3:28 PM, Simo Sorce sso...@redhat.com wrote:

On Wed, 19 Jan 2011 17:51:56 -0500
Rob Crittenden rcrit...@redhat.com wrote:

 +aci: (targetattr = member || memberOf || memberHost ||
 memberUser)(version 3.0; acl No anonymous access to member
 information; deny (read,search,compare) userdn != ldap:///all;;)

Nack, without 'member', nss_ldap will have no way to determine
posixAccount group memberships using anonymous access (the default).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York





[Freeipa-devel] [PATCH] 683 block anonymous access to hbac info

2011-01-19 Thread Rob Crittenden
Add a couple of acis to block anonymous access to cn=hbac and to member 
attributes. This is so you can't hunt for what roles, groups, etc. a 
user might be in (so you can target an attack).


ticket 811

rob
From b1d9409042946406b0354af17c9345c1bdf9ec0f Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Wed, 19 Jan 2011 17:47:50 -0500
Subject: [PATCH] Block anonymous access to HBAC and member information.

Prevents an unauthenticated user from accessing HBAC information as well
as member information which could disclose roles, memberships in HBAC, etc.

ticket 811
---
 install/share/default-aci.ldif |6 ++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index ff0e5ae..6264135 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -4,6 +4,7 @@ dn: $SUFFIX
 changetype: modify
 add: aci
 aci: (targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey)(version 3.0; acl Enable Anonymous access; allow (read, search, compare) userdn = ldap:///anyone;;)
+aci: (targetattr = member || memberOf || memberHost || memberUser)(version 3.0; acl No anonymous access to member information; deny (read,search,compare) userdn != ldap:///all;;)
 aci: (targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy)(version 3.0; acl Admin can manage any entry; allow (all) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)
 aci: (targetattr = userpassword || krbprincipalkey || sambalmpassword || sambantpassword)(version 3.0; acl Self can write own password; allow (write) userdn=ldap:///self;;)
 aci: (targetattr = userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory)(version 3.0; acl Admins can write passwords; allow (add,delete,write) groupdn=ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)
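Review bot: Listing `member` in the targetattr of the new deny ACI breaks anonymous clients that the `Enable Anonymous access` ACI just above is meant to serve: a deny ACI takes precedence over an allow, and `userdn != ldap:///all` matches exactly the unauthenticated binds, so anonymous reads of `member` stop working, which, as the review reply points out, is what nss_ldap uses to resolve posixAccount group memberships. Suggest narrowing the list to `(targetattr = memberOf || memberHost || memberUser)` and handling the roles container with its own ACI, as the follow-up message describes. A one-line comment in the LDIF saying this deny intentionally overrides the blanket anonymous allow would also help, so a later edit does not drop or weaken it without noticing.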
@@ -67,3 +68,8 @@ dn: cn=computers,cn=accounts,$SUFFIX
 changetype: modify
 add: aci
 aci: (targetattr = krbPrincipalKey || krbLastPwdChange)(target = ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX;)(version 3.0;acl Admins can manage host keytab;allow (write) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;)
+
+dn: cn=hbac,$SUFFIX
+changetype: modify
+add: aci
+aci: (targetattr = *)(version 3.0; acl No anonymous access to hbac; deny (read,search,compare) userdn != ldap:///all;;)
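Review bot: The new `cn=hbac` entry hides HBAC rules from unauthenticated binds, but the commit message also promises to hide role information and nothing in the patch touches the roles container; the thread suggests adding the same deny there (cn=roles). Suggest a matching `changetype: modify` / `add: aci` stanza for the roles container, and a post-install check that an anonymous `ldapsearch -x -b cn=hbac,$SUFFIX` returns no entries while the same search with an authenticated bind still returns the rules, which confirms the `userdn != ldap:///all` subject is scoped as intended.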
-- 
1.7.3.4

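
To make the interaction between the blanket anonymous allow ACI and the two new deny ACIs concrete, here is an added illustration that is not FreeIPA or 389-ds code: a simplified model that evaluates the three ACIs from this patch, assuming (as in 389-ds) that an applicable deny takes precedence over any allow, that an anonymous bind is represented by `bind_dn` `None`, and that an ACI covers every entry at or below its anchor DN. `SUFFIX`, the entry DNs and the `block_member` switch are constructed; `block_member=False` models the follow-up that dropped `member` after the nss_ldap objection.

```python
# Added illustration (not FreeIPA or 389-ds code): a simplified model of how the
# three ACIs in this patch combine.  Assumptions: deny ACIs take precedence over
# allow ACIs (as in 389-ds), an unauthenticated bind is represented by bind_dn
# None, and an ACI applies to every entry at or below its anchor DN.

SUFFIX = "dc=example,dc=com"  # constructed stand-in for $SUFFIX

# Attributes excluded from the "Enable Anonymous access" ACI (targetattr != ...)
PASSWORD_ATTRS = {"userpassword", "krbprincipalkey", "sambalmpassword",
                  "sambantpassword", "passwordhistory", "krbmkey"}

def build_acis(block_member):
    """Return the ACIs as (anchor_dn, effect, attrs, negate_attrs, subject).

    attrs=None means targetattr = *; negate_attrs=True means targetattr != ...;
    subject "anyone" is ldap:///anyone, "unauthenticated" is userdn != ldap:///all.
    block_member=True is the patch as posted; False is the follow-up that
    dropped 'member' after the nss_ldap objection.
    """
    member_attrs = {"memberof", "memberhost", "memberuser"}
    if block_member:
        member_attrs = member_attrs | {"member"}
    return [
        (SUFFIX, "allow", PASSWORD_ATTRS, True, "anyone"),         # Enable Anonymous access
        (SUFFIX, "deny", member_attrs, False, "unauthenticated"),  # No anonymous access to member information
        ("cn=hbac," + SUFFIX, "deny", None, False, "unauthenticated"),  # No anonymous access to hbac
    ]

def can_read(acis, bind_dn, entry_dn, attr):
    """True if bind_dn may read `attr` on `entry_dn` under `acis`; deny wins."""
    attr = attr.lower()
    allowed = False
    for anchor, effect, attrs, negate, subject in acis:
        if not entry_dn.lower().endswith(anchor.lower()):
            continue                      # ACI is anchored elsewhere in the tree
        if attrs is not None and (attr in attrs) == negate:
            continue                      # targetattr does not cover this attribute
        if subject == "unauthenticated" and bind_dn is not None:
            continue                      # userdn != ldap:///all only matches anonymous
        if effect == "deny":
            return False                  # an applicable deny overrides any allow
        allowed = True
    return allowed

def anonymous_group_member_visible(block_member):
    """The nss_ldap objection: can an anonymous lookup still read 'member'?"""
    group = "cn=editors,cn=groups,cn=accounts," + SUFFIX  # constructed DN
    return can_read(build_acis(block_member), None, group, "member")
```

With `block_member=True` the model reproduces the objection (anonymous `member` reads are denied), while memberOf, memberHost, memberUser and everything under cn=hbac stay hidden from anonymous binds in both variants.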

Re: [Freeipa-devel] [PATCH] 683 block anonymous access to hbac info

2011-01-19 Thread Simo Sorce
On Wed, 19 Jan 2011 17:51:56 -0500
Rob Crittenden rcrit...@redhat.com wrote:

 +aci: (targetattr = member || memberOf || memberHost ||
 memberUser)(version 3.0; acl No anonymous access to member
 information; deny (read,search,compare) userdn != ldap:///all;;)

Nack, without 'member', nss_ldap will have no way to determine
posixAccount group memberships using anonymous access (the default).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
