[Freeipa-devel] [PATCH] better access control and other minor things
Rob Crittenden
rcritten at redhat.com
Wed Dec 12 15:52:03 UTC 2007
Simo Sorce wrote:
> On Wed, 2007-12-12 at 09:48 -0500, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> please check, although I have tested this with CLI and saw no side
>>> effects, I have slightly restricted access that was previously
>>> erroneously granted.
>> Just a couple of things:
>>
>> +aci: (targetfilter =
>> "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup)(objectClass=radiusprofile))")(targetattr
>> != "aci || userPassword || krbPrincipalKey || sambaLMPassword ||
>> sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins
>> can manage Users and Groups"; allow (add, delete, read, write) groupdn =
>> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
>>
>> Should this have an & before the attributes? Is this saying admins can
>> manage these objectclasses OR anything without these attributes?
>
> No it means that admins can manage any attribute in any entry with these
> objectclasses but access to those attributes is still forbidden.
> I had to do this because admins were seeing
> userPassword, krbPrincipalKey etc...
>
> I tried with a deny acl at the start but it seems it is not possible to
> use something like userdn != "" && groupdn != "" and I need both. This
> made it impossible for me to use the deny to make double-sure nobody
> except those authorized can see these attrs.
>
> I am still thinking I can add at some point a group of "not denied
> access to secrets" so I can use the deny (not denied would be members of
> admins group, uid=kdc and kerberosprincipalname=kadmin/changepw at REALM )
>
>> For the CalledProcessError we have ipautil in there explicitly so
>> someone doesn't think it is coming from subprocess. I wonder if we
>> should simply rename the function to avoid confusion instead.
>
> I just fixed a stack trace I was getting, feel free to disambiguate it
> if important.
>
> Simo.
>
This is a better fix:
diff -r f40c9b9bc891 ipa-server/ipaserver/krbinstance.py
--- a/ipa-server/ipaserver/krbinstance.py Wed Dec 12 10:34:48 2007
-0500
+++ b/ipa-server/ipaserver/krbinstance.py Wed Dec 12 10:51:49 2007
-0500
@@ -30,7 +30,7 @@ import pwd
import pwd
import socket
import time
-import shutil
+from ipa import ipautil
import service
from ipa import ipaerror
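Review bot: removing `import shutil` and adding `from ipa import ipautil` in the same hunk bundles two unrelated changes, and nothing in the hunk shows what happens to the code that used shutil; before the removal goes in, confirm krbinstance.py has no remaining `shutil.` reference, since a leftover call would only fail with NameError when that code path runs, not at import time. The hunk also omits the handler that references `ipautil.CalledProcessError` (the stack trace the thread says this fixes); including those context lines in the diff would let a reviewer check that the new import is the one that handler resolves against.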
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071212/7f0e4984/attachment.bin>
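Rob's question above (is the ACI "these objectClasses OR anything without these attributes?") and Simo's answer (targetfilter and targetattr are ANDed, with `!=` carving the listed attributes out of the grant) can be checked with a small model. The following Python is an added example, not FreeIPA or 389-DS code: it copies the ACI from the thread (with `$SUFFIX` substituted by an assumed suffix), parses the four pieces that matter here, and evaluates a single allow rule the way 389-DS combines its parts. Sample entries and group DNs are constructed; the model deliberately ignores deny rules and other ACIs, so a `False` means "not granted by this rule", not "denied".

```python
import re

# Constructed copy of the ACI quoted in the thread. $SUFFIX is replaced with an
# assumed suffix so the group DN is complete; nothing else is changed.
SUFFIX = "dc=example,dc=com"
ADMINS_GROUP = f"cn=admins,cn=groups,cn=accounts,{SUFFIX}"
ACI = (
    '(targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)'
    '(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup)'
    '(objectClass=radiusprofile))")'
    '(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || '
    'sambaNTPassword || passwordHistory")'
    '(version 3.0; acl "Account Admins can manage Users and Groups"; '
    f'allow (add, delete, read, write) groupdn = "ldap:///{ADMINS_GROUP}";)'
)

# Constructed sample entries (attribute names lower-cased, values as lists).
USER_ENTRY = {
    "objectclass": ["person", "posixAccount", "krbPrincipalAux"],
    "uid": ["alice"],
    "cn": ["Alice Example"],
    "userpassword": ["<hash>"],
    "krbprincipalkey": ["<key blob>"],
}
OU_ENTRY = {  # carries none of the objectClasses named in the targetfilter
    "objectclass": ["top", "organizationalUnit"],
    "ou": ["etc"],
}


def parse_aci(aci):
    """Extract the parts of the ACI this model evaluates."""
    tf = re.search(r'targetfilter\s*=\s*"([^"]*)"', aci)
    ta = re.search(r'targetattr\s*!=\s*"([^"]*)"', aci)
    rights = re.search(r'allow\s*\(([^)]*)\)', aci)
    group = re.search(r'groupdn\s*=\s*"ldap:///([^"]*)"', aci)
    if not (tf and ta and rights and group):
        raise ValueError("ACI does not have the shape this model handles")
    return {
        # The filter is an OR of objectClass tests: an entry matches the
        # filter if it carries any one of them.
        "objectclasses": {oc.lower() for oc in
                          re.findall(r"\(objectClass=([^)]+)\)", tf.group(1), re.I)},
        # 'targetattr !=' means every attribute except the listed ones.
        "excluded_attrs": {a.strip().lower() for a in ta.group(1).split("||")},
        "rights": {r.strip().lower() for r in rights.group(1).split(",")},
        "groupdn": group.group(1).lower(),
    }


def aci_grants(aci, entry, attr, right, bind_groups):
    """True if this one allow ACI grants `right` on `attr` of `entry` to a
    bind DN that is a member of one of `bind_groups`.

    Model (a simplification of 389-DS): targetfilter, targetattr and the bind
    rule are ANDed, so the rule grants nothing outside their intersection.
    Only this rule is evaluated; deny rules and other ACIs are out of scope.
    """
    p = parse_aci(aci)
    entry_ocs = {oc.lower() for oc in entry.get("objectclass", [])}
    if not entry_ocs & p["objectclasses"]:       # targetfilter does not match
        return False
    if attr.lower() in p["excluded_attrs"]:      # attribute carved out by '!='
        return False
    if right.lower() not in p["rights"]:         # right not in the allow list
        return False
    return p["groupdn"] in {g.lower() for g in bind_groups}   # bind rule


def readable_attrs(aci, entry, bind_groups):
    """Attributes of `entry` that this ACI lets the bind DN read."""
    return {a for a in entry if aci_grants(aci, entry, a, "read", bind_groups)}


if __name__ == "__main__":
    admin = [ADMINS_GROUP]
    print("admin can write cn:", aci_grants(ACI, USER_ENTRY, "cn", "write", admin))
    print("admin can read userPassword:",
          aci_grants(ACI, USER_ENTRY, "userPassword", "read", admin))
    print("admin can write ou on an OU entry:",
          aci_grants(ACI, OU_ENTRY, "ou", "write", admin))
    print("attributes an admin can read on the user:",
          sorted(readable_attrs(ACI, USER_ENTRY, admin)))
```

Running it shows the two halves of Simo's answer: an admin gets `cn` and `uid` on a user entry but never `userPassword` or `krbPrincipalKey`, and gets nothing at all on an entry outside the targetfilter, so the `!=` is a carve-out inside the filter match, not a second OR branch. The caveat the model makes explicit is the one Simo raises himself: an allow rule with `targetattr !=` only declines to grant the listed attributes; whether anyone else can read them depends on every other ACI in the tree, which is why he wanted a deny rule as a second line of defence.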