[Freeipa-devel] [PATCH] don't allow special groups to be removed
Rob Crittenden
rcritten at redhat.com
Fri Nov 30 20:35:59 UTC 2007
Karl MacMillan wrote:
> On Fri, 2007-11-30 at 14:54 -0500, Rob Crittenden wrote:
>> Karl MacMillan wrote:
>>> On Fri, 2007-11-30 at 12:53 -0500, Rob Crittenden wrote:
>>>> This patch won't allow the XML-RPC interface to remove the admins or
>>>> editors groups nor the configured group that is the default group for
>>>> new users.
>>>>
>>> Pushed.
>>>
>>>> I was originally going to do an ACI for this but thought that returning
>>>> a useful error message was better.
>>>>
>>> We need both - because users can always directly access the DS there is
>>> no security value to checks in the xml-rpc layer. They are useful for
>>> error reporting, consistency, etc., but not for security.
>>>
>>> Karl
>>>
>> Removing the admins or editors groups isn't a security issue, they'll
>> just break their IPA install.
>>
>> IMHO if they want to use LDAP commands to hork up IPA entries let them.
>>
>
> It's definitely a security issue - stripping admins of all admin rights
> as a regular user is definitely a problem. Perhaps the acis already
> cover that case though?
>
> Karl
>
A regular user doesn't have the access rights to delete the admins or
editors groups even over LDAP:
% ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: lowlife@FREEIPA.ORG
SASL SSF: 56
SASL installing layers
dn: cn=admins,cn=groups,cn=accounts,dc=freeipa,dc=org
changetype: delete
deleting entry "cn=admins,cn=groups,cn=accounts,dc=freeipa,dc=org"
ldap_delete: Insufficient access (50)
additional info: Insufficient 'delete' privilege to delete the
entry 'cn=admins,cn=groups,cn=accounts,dc=freeipa,dc=org'.
And using our tool:
% ipa-delgroup editors
The admins and editors groups are required.
rob
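The two layers the thread contrasts, as an added example that is not code from this thread or from FreeIPA: layer one mirrors the ipa-delgroup refusal above as an API-side check that returns a useful message, layer two audits the 389-DS ACIs on the groups container for allow rules that would let a bind other than the admins group delete a protected group entry (which is the check that actually has security value, since the directory denies by default and any user can talk to it directly). The base DN, the sample ACIs, the trusted bind rule, the wording of the default-group refusal and the simplified ACI grammar the parser accepts (explicit or absent target, allow/deny clauses, wildcard targets) are assumptions made for this example; the page does not show the config attribute that names the default group, so it is passed in as a parameter.

```python
"""Added example: an API-layer guard for protected groups plus an audit of
the directory ACIs that really enforce it. Not FreeIPA project code."""
import fnmatch
import re
from dataclasses import dataclass

BASE_DN = "dc=freeipa,dc=org"                      # assumed realm base
GROUPS_DN = f"cn=groups,cn=accounts,{BASE_DN}"
REQUIRED_GROUPS = ("admins", "editors")


def normalize_dn(dn: str) -> str:
    """Lower-case and strip whitespace around RDN separators so DNs compare."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def normalize_rule(rule: str) -> str:
    """Collapse whitespace and case so bind rules can be compared as text."""
    return re.sub(r"\s+", "", rule).lower()


class ProtectedGroupError(Exception):
    """Raised by the API layer instead of handing the delete to the DS."""


def group_delete_dn(cn: str, default_group: str) -> str:
    """Layer 1, the usability check: return the DN to delete or refuse.

    `default_group` is the configured default group for new users; the
    refusal text for it is this example's wording, not the tool's."""
    if cn.lower() in REQUIRED_GROUPS:
        raise ProtectedGroupError("The admins and editors groups are required.")
    if cn.lower() == default_group.lower():
        raise ProtectedGroupError(
            f"{cn} is the default group for new users and cannot be removed.")
    return f"cn={cn},{GROUPS_DN}"


def refusal_message(cn: str, default_group: str):
    """Helper for callers that only want the message (None means allowed)."""
    try:
        group_delete_dn(cn, default_group)
        return None
    except ProtectedGroupError as err:
        return str(err)


@dataclass
class AciGrant:
    name: str
    target: str          # normalized DN, may contain '*' wildcards
    kind: str            # "allow" or "deny"
    perms: frozenset
    bind_rule: str


_TARGET = re.compile(r'\(\s*target\s*=\s*"ldap:///([^"]+)"\s*\)', re.I)
_NAME = re.compile(r'acl\s+"([^"]*)"', re.I)
_RIGHTS = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*([^;]*);', re.I)


def parse_aci(aci: str, placed_on: str) -> list:
    """Extract the parts of a 389-DS ACI that matter for a delete audit.

    An ACI with no explicit target applies to the entry it is placed on
    and its subtree, so `placed_on` becomes the target in that case."""
    m = _TARGET.search(aci)
    target = normalize_dn(m.group(1)) if m else normalize_dn(placed_on)
    n = _NAME.search(aci)
    name = n.group(1) if n else "<unnamed>"
    grants = []
    for kind, perms, bind in _RIGHTS.findall(aci):
        perm_set = frozenset(p.strip().lower() for p in perms.split(","))
        grants.append(AciGrant(name, target, kind.lower(), perm_set, bind.strip()))
    return grants


def target_covers(target: str, dn: str) -> bool:
    """Exact match, wildcard match, or dn inside the target's subtree."""
    dn = normalize_dn(dn)
    if "*" in target:
        return fnmatch.fnmatchcase(dn, target)
    return dn == target or dn.endswith("," + target)


def delete_grants(protected_dns, acis, placed_on, trusted_bind_rules):
    """Layer 2, the security check: list allow rules that let a bind outside
    `trusted_bind_rules` delete a protected entry. The DS denies by default,
    so an empty result means no non-admin bind can delete these entries."""
    trusted = {normalize_rule(b) for b in trusted_bind_rules}
    findings = []
    for aci in acis:
        for g in parse_aci(aci, placed_on):
            if g.kind != "allow" or not ({"delete", "all"} & g.perms):
                continue
            if normalize_rule(g.bind_rule) in trusted:
                continue
            for dn in protected_dns:
                if target_covers(g.target, dn):
                    findings.append((normalize_dn(dn), g.name, g.bind_rule))
    return findings


# Constructed sample ACIs (not FreeIPA's real defaults): admins get everything,
# editors get add/delete on any group, and a self-service rule on one entry.
SAMPLE_ACIS = [
    '(targetattr = "*")(version 3.0; acl "Admins manage groups"; '
    f'allow (all) groupdn = "ldap:///cn=admins,{GROUPS_DN}";)',
    f'(target = "ldap:///cn=*,{GROUPS_DN}")(version 3.0; '
    'acl "Editors can add and remove groups"; '
    f'allow (add,delete) groupdn = "ldap:///cn=editors,{GROUPS_DN}";)',
    f'(target = "ldap:///cn=lowlife,{GROUPS_DN}")(version 3.0; '
    'acl "Self-service cleanup"; allow (delete) userdn = "ldap:///anyone";)',
]
ADMINS_BIND = f'groupdn = "ldap:///cn=admins,{GROUPS_DN}"'


def audit_sample():
    """Audit admins, editors and the assumed default group 'ipausers'."""
    protected = [f"cn={g},{GROUPS_DN}" for g in REQUIRED_GROUPS + ("ipausers",)]
    return delete_grants(protected, SAMPLE_ACIS, GROUPS_DN, [ADMINS_BIND])


if __name__ == "__main__":
    print(refusal_message("editors", "ipausers"))
    for dn, name, bind in audit_sample():
        print(f"{dn}: deletable via ACI '{name}' by {bind}")
```

Run against the constructed sample, the audit flags the editors rule for all three protected entries: a member of editors, not just a "lowlife" user, could remove cn=admins by talking to the DS directly, which is exactly the case the API-side message never sees. The self-service rule is not reported because its target does not reach a protected entry.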