[Freeipa-devel] [PATCH] better access control and other minor things

Rob Crittenden rcritten at redhat.com
Wed Dec 12 15:52:03 UTC 2007


Simo Sorce wrote:
> On Wed, 2007-12-12 at 09:48 -0500, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> please check, although I have tested this with CLI and saw no side
>>> effects, I have slightly restricted access that was previously
>>> erroneously granted.
>> Just a couple of things:
>>
>> +aci: (targetfilter = 
>> "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup)(objectClass=radiusprofile))")(targetattr 
>> != "aci || userPassword || krbPrincipalKey || sambaLMPassword || 
>> sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins 
>> can manage Users and Groups"; allow (add, delete, read, write) groupdn = 
>> "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
>>
>> Should this have an & before the attributes? Is this saying admins can 
>> manage these objectclasses OR anything without these attributes?
> 
> No it means that admins can manage any attribute in any entry with these
> objectclasses but access to those attributes is still forbidden.
> I had to do this because admins were seeing
> userPassword,krbPrincipalKey etc...
> 
> I tried with a deny acl at the start but it seems it is not possible to
> use something like userdn != "" && groupdn != "" and I need both. This
> made it impossible for me to use the deny to make double-sure nobody except
> those authorized can see these attrs.
> 
> I am still thinking I can add at some point a group of "not denied
> access to secrets" so I can use the deny (not denied would be members of
> admins group, uid=kdc and kerberosprincipalname=kadmin/changepw@REALM )
> 
>> For the CalledProcessError we have ipautil in there explicitly so 
>> someone doesn't think it is coming from subprocess. I wonder if we 
>> should simply rename the function to avoid confusion instead.
> 
> I just fixed a stack trace I was getting, feel free to disambiguate it
> if important.
> 
> Simo.
> 

This is a better fix:

diff -r f40c9b9bc891 ipa-server/ipaserver/krbinstance.py
--- a/ipa-server/ipaserver/krbinstance.py       Wed Dec 12 10:34:48 2007 
-0500
+++ b/ipa-server/ipaserver/krbinstance.py       Wed Dec 12 10:51:49 2007 
-0500
@@ -30,7 +30,7 @@ import pwd
  import pwd
  import socket
  import time
-import shutil
+from ipa import ipautil

  import service
  from ipa import ipaerror
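Review bot: the `-import shutil` line in this hunk drops an import that has nothing to do with the CalledProcessError fix; the hunk only shows the import block, so if krbinstance.py still calls shutil anywhere below, that call now fails with NameError at runtime. Either confirm there are no remaining shutil uses in the file (and say so in the commit message, since the removal is otherwise unexplained), or keep `import shutil` and make this a pure `from ipa import ipautil` addition. The added line itself is right for the stated purpose: with `from ipa import ipautil` in place, the exception is spelled `ipautil.CalledProcessError`, which keeps it visibly distinct from subprocess.CalledProcessError as the discussion above wanted.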
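The semantics Simo describes in the quoted exchange (the target clauses of a 389 Directory Server ACI are ANDed, and `targetattr !=` targets every attribute except the ones listed, so admins get everything on matching entries except the secret attributes and nothing at all on other entries) can be checked against a small model. The following Python is an added example written for this page, not FreeIPA or 389 Directory Server code. It parses the ACI from the patch above (with `$SUFFIX` replaced by the assumed `dc=example,dc=com`) into its target and bind parts and evaluates a handful of constructed access requests. `parse_aci`, `aci_grants`, `demo`, the sample entries and the bound user's group list are all hypothetical.

```python
import re

# Constructed copy of the ACI from the patch; "$SUFFIX" is assumed to be
# dc=example,dc=com for this example.
ACI = (
    '(targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)'
    '(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup)'
    '(objectClass=radiusprofile))")(targetattr != "aci || userPassword || '
    'krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")'
    '(version 3.0; acl "Account Admins can manage Users and Groups"; '
    'allow (add, delete, read, write) groupdn = '
    '"ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";)'
)

ADMINS_DN = "cn=admins,cn=groups,cn=accounts,dc=example,dc=com"


def parse_aci(aci):
    """Hypothetical helper: pull the target and bind parts out of an ACI of
    the shape used in the patch (one targetfilter that is an OR of objectClass
    terms, one targetattr list, one allow clause with a single groupdn)."""
    filt = re.search(r'\(targetfilter\s*=\s*"([^"]*)"\)', aci).group(1)
    classes = {c.lower() for c in re.findall(r"\(objectClass=([^)]+)\)", filt, re.I)}
    m = re.search(r'\(targetattr\s*(!=|=)\s*"([^"]*)"\)', aci)
    negated = m.group(1) == "!="
    attrs = {a.strip().lower() for a in m.group(2).split("||")}
    rights = set(re.search(r"allow\s*\(([^)]*)\)", aci).group(1).replace(" ", "").split(","))
    group = re.search(r'groupdn\s*=\s*"ldap:///([^"]*)"', aci).group(1).lower()
    return {"classes": classes, "attrs": attrs, "negated": negated,
            "rights": rights, "group": group}


def aci_grants(aci, entry, attr, right, bind_groups):
    """Simplified model of a single 'allow' ACI: every target clause must
    match (they are ANDed) and the bind rule must hold.  Returning False means
    this ACI grants nothing; it is not a deny, another ACI may still allow."""
    p = parse_aci(aci)
    # targetfilter: the entry must carry at least one of the listed objectClasses
    if not {c.lower() for c in entry.get("objectclass", [])} & p["classes"]:
        return False
    # targetattr != "a || b": the attribute is targeted only when it is NOT listed;
    # targetattr = "a || b": the attribute is targeted only when it IS listed.
    listed = attr.lower() in p["attrs"]
    if listed == p["negated"]:
        return False
    if right not in p["rights"]:
        return False
    # bind rule: the bound user must be a member of the named group
    return p["group"] in {g.lower() for g in bind_groups}


# Constructed sample entries.
USER = {"objectclass": ["person", "posixAccount", "krbPrincipalAux"],
        "uid": ["alice"], "userPassword": ["{SSHA}constructed"],
        "krbPrincipalKey": ["constructed-key-blob"]}
CONTAINER = {"objectclass": ["nsContainer"], "cn": ["etc"]}


def demo():
    """Evaluate the requests the thread is arguing about."""
    return {
        # admin reads an ordinary attribute on a user: matching class, attr not excluded
        "admin_read_uid": aci_grants(ACI, USER, "uid", "read", [ADMINS_DN]),
        # admin reads a secret attribute on a user: attr is in the != list, no grant
        "admin_read_userPassword": aci_grants(ACI, USER, "userPassword", "read", [ADMINS_DN]),
        "admin_write_krbPrincipalKey": aci_grants(ACI, USER, "krbPrincipalKey", "write", [ADMINS_DN]),
        # admin reads cn on an entry with none of the objectClasses: filter fails
        "admin_read_cn_on_container": aci_grants(ACI, CONTAINER, "cn", "read", [ADMINS_DN]),
        # ordinary user, not in cn=admins: bind rule fails
        "user_read_uid": aci_grants(ACI, USER, "uid", "read", []),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'no grant'}")
```

The evaluator returns False for an admin reading userPassword only because no allow clause covers that attribute, not because anything denies it; any other ACI in the tree that targets the same attribute (a broad self or anonymous read, for instance) would still grant access. That is the gap Simo's planned deny rule is meant to close.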

