[Freeipa-devel] [PATCH] better access control and other minor things

Simo Sorce ssorce at redhat.com
Wed Dec 12 15:28:17 UTC 2007


On Wed, 2007-12-12 at 09:48 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > please check, although I have tested this with CLI and saw no side
> > effects, I have slightly restricted access that was previously
> > erroneously granted.
> 
> Just a couple of things:
> 
> +aci: (targetfilter = 
> "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup)(objectClass=radiusprofile))")(targetattr 
> != "aci || userPassword || krbPrincipalKey || sambaLMPassword || 
> sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins 
> can manage Users and Groups"; allow (add, delete, read, write) groupdn = 
> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
> 
> Should this have an & before the attributes? Is this saying admins can 
> manage these objectclasses OR anything without these attributes?

No, it means that admins can manage any attribute in any entry with these
objectclasses, but access to those attributes is still forbidden.
I had to do this because admins were seeing
userPassword, krbPrincipalKey etc.

I tried with a deny acl at the start, but it seems it is not possible to
use something like userdn != "" && groupdn != "", and I need both. This
made it impossible for me to use the deny to make double-sure nobody except
those authorized can see these attrs.

I am still thinking I can add at some point a group of "not denied
access to secrets" so I can use the deny (not denied would be members of
the admins group, uid=kdc and kerberosprincipalname=kadmin/changepw@REALM).

> For the CalledProcessError we have ipautil in there explicitly so 
> someone doesn't think it is coming from subprocess. I wonder if we 
> should simply rename the function to avoid confusion instead.

I just fixed a stack trace I was getting; feel free to disambiguate it
if it is important.

Simo.

-- 
| Simo S Sorce |
| Sr.Soft.Eng. |
| Red Hat, Inc |
| New York, NY |
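As an added illustration of the ACI semantics discussed in this message (not code from the thread, the patch or FreeIPA), the following Python models how a 389-ds style ACI with a targetfilter plus a negated `targetattr != "..."` is evaluated, and how a deny ACI of the kind Simo describes would take precedence. The suffix, DNs, group names and entries are constructed sample data; the "over-broad" ACI only stands in for the earlier erroneous grant and is not the actual pre-patch ACI; the deny ACI and the secret-readers group are hypothetical.

```python
# Added illustration, not code from the freeipa-devel thread or FreeIPA.
# Toy evaluator for the ACI shape under discussion: a targetfilter on
# objectClass combined with 'targetattr != "..."'.  Real 389-ds evaluation
# is much richer; this models only entry targeting, attribute scoping,
# group bind rules (optionally negated, as in groupdn != "..."), and
# deny-over-allow precedence.  All DNs, groups and entries are constructed.

SUFFIX = "dc=example,dc=com"                      # assumed stand-in for $SUFFIX
ADMINS = "cn=admins,cn=groups,cn=accounts," + SUFFIX
# Hypothetical "not denied access to secrets" group from Simo's idea.
SECRET_READERS = "cn=secret-readers,cn=groups,cn=accounts," + SUFFIX

SECRET_ATTRS = {"aci", "userPassword", "krbPrincipalKey",
                "sambaLMPassword", "sambaNTPassword", "passwordHistory"}
TARGET_CLASSES = {"person", "krbPrincipalAux", "posixAccount",
                  "groupOfNames", "posixGroup", "radiusprofile"}


def make_aci(name, effect, rights, groupdn, negate=False,
             target_classes=None, only_attrs=None, excluded_attrs=()):
    """target_classes=None: any entry; only_attrs=None: any attribute."""
    return {"name": name, "effect": effect, "rights": set(rights),
            "groupdn": groupdn, "negate": negate,
            "target_classes": target_classes, "only_attrs": only_attrs,
            "excluded_attrs": set(excluded_attrs)}


# The ACI from the patch: entries with the listed objectClasses, every
# attribute EXCEPT the secrets (targetfilter AND targetattr != ...).
PATCHED_ACI = make_aci("Account Admins can manage Users and Groups",
                       "allow", ["add", "delete", "read", "write"], ADMINS,
                       target_classes=TARGET_CLASSES,
                       excluded_attrs=SECRET_ATTRS)

# Constructed over-broad variant with no attribute exclusion, standing in
# for the "erroneously granted" state (not the real pre-patch ACI).
OVERBROAD_ACI = make_aci("Account Admins (no attr exclusion)",
                         "allow", ["add", "delete", "read", "write"], ADMINS,
                         target_classes=TARGET_CLASSES)

# Hypothetical "double-sure" deny: secret attributes are denied to anyone
# who is NOT a member of the not-denied group (negated groupdn bind rule).
DENY_SECRETS_ACI = make_aci("Deny secrets to non-members", "deny",
                            ["read", "write", "search", "compare"],
                            SECRET_READERS, negate=True,
                            only_attrs=SECRET_ATTRS)


def targets(aci, entry, attr):
    """Both halves of the target must hold: the entry matches the
    objectClass filter AND the attribute is in scope.  With
    'targetattr != X' in scope means 'not listed in X'."""
    classes = set(entry.get("objectClass", ()))
    if aci["target_classes"] is not None and not (classes & aci["target_classes"]):
        return False
    if aci["only_attrs"] is not None and attr not in aci["only_attrs"]:
        return False
    return attr not in aci["excluded_attrs"]


def bind_rule_matches(aci, groups, bind_dn):
    member = bind_dn in groups.get(aci["groupdn"], set())
    return (not member) if aci["negate"] else member


def evaluate(acis, groups, bind_dn, entry, attr, right):
    """389-ds style precedence: any matching deny wins; otherwise access
    needs a matching allow; with neither, the default is deny."""
    allowed = False
    for aci in acis:
        if right not in aci["rights"]:
            continue
        if not targets(aci, entry, attr) or not bind_rule_matches(aci, groups, bind_dn):
            continue
        if aci["effect"] == "deny":
            return False
        allowed = True
    return allowed


# Constructed directory state.
ADMIN_DN = "uid=admin,cn=users,cn=accounts," + SUFFIX
SECADMIN_DN = "uid=secadmin,cn=users,cn=accounts," + SUFFIX   # in both groups
BOB_DN = "uid=bob,cn=users,cn=accounts," + SUFFIX
GROUPS = {ADMINS: {ADMIN_DN, SECADMIN_DN}, SECRET_READERS: {SECADMIN_DN}}

USER_ENTRY = {"objectClass": ["person", "posixAccount", "krbPrincipalAux"],
              "uid": ["bob"], "cn": ["Bob"],
              "userPassword": ["{SSHA}constructed"], "krbPrincipalKey": ["constructed"]}
OU_ENTRY = {"objectClass": ["organizationalUnit"], "ou": ["etc"]}


if __name__ == "__main__":
    cases = [
        ("patched: admin writes cn on a user", [PATCHED_ACI], ADMIN_DN, USER_ENTRY, "cn", "write"),
        ("patched: admin reads userPassword", [PATCHED_ACI], ADMIN_DN, USER_ENTRY, "userPassword", "read"),
        ("patched: admin writes an OU (not targeted)", [PATCHED_ACI], ADMIN_DN, OU_ENTRY, "ou", "write"),
        ("patched: non-admin reads cn", [PATCHED_ACI], BOB_DN, USER_ENTRY, "cn", "read"),
        ("over-broad: admin reads userPassword", [OVERBROAD_ACI], ADMIN_DN, USER_ENTRY, "userPassword", "read"),
        ("over-broad + deny: admin reads userPassword", [DENY_SECRETS_ACI, OVERBROAD_ACI], ADMIN_DN, USER_ENTRY, "userPassword", "read"),
        ("over-broad + deny: secret-reader admin", [DENY_SECRETS_ACI, OVERBROAD_ACI], SECADMIN_DN, USER_ENTRY, "userPassword", "read"),
    ]
    for label, acis, who, entry, attr, right in cases:
        print(f"{label:48s} -> {evaluate(acis, GROUPS, who, entry, attr, right)}")
```

The third case is the answer to the question in the quoted reply: the filter and the attribute clause are both part of the target, so an entry outside the listed objectClasses is not covered at all, and a covered entry still has the listed attributes carved out. The last two cases show why a deny is attractive as belt-and-braces: the deny blocks the secret attributes even under an over-broad allow, and only members of the hypothetical not-denied group get through.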
