[Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts

Simo Sorce ssorce at redhat.com
Wed Apr 16 13:01:15 UTC 2014


On Wed, 2014-04-16 at 14:55 +0200, Petr Viktorin wrote:
> Similarly to automount, a single permission is added for reading all
> the trust objects.
> Read access is given to all authenticated users.


NACK!!

See inline

> From a499784cbea2f1282a07629a94e67e14c14a35d0 Mon Sep 17 00:00:00 2001
> From: Petr Viktorin <pviktori at redhat.com>
> Date: Wed, 26 Mar 2014 17:11:23 +0100
> Subject: [PATCH] Add managed read permissions to trust
> 
> A single permission is added to cover trust, trustconfig, and
> trustdomain.
> 
> Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
> ---
>  ipalib/plugins/trust.py | 23 +++++++++++++++++++++++
>  1 file changed, 23 insertions(+)
> 
> diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
> index f57cf7d891928903fdbee67697b96db4ad2679b7..df69bb82d9c545839f2962d6a1a961f89e6691d3 100644
> --- a/ipalib/plugins/trust.py
> +++ b/ipalib/plugins/trust.py
> @@ -312,6 +312,29 @@ class trust(LDAPObject):
>      search_display_attributes = ['cn', 'ipantflatname',
>                                   'ipanttrusteddomainsid',
> 'ipanttrusttype',
>                                   'ipantsidblacklistincoming',
> 'ipantsidblacklistoutgoing' ]
> +    managed_permissions = {
> +        'System: Read Trusts': {
> +            # Single read permission for all trust-related entries
> +            'non_object': True,
> +            'ipapermlocation': DN(container_dn, api.env.basedn),
> +            'replaces_global_anonymous_aci': True,
> +            'ipapermbindruletype': 'all',
> +            'ipapermright': {'read', 'search', 'compare'},
> +            'ipapermdefaultattr': {
> +                'cn', 'objectclass',
> +                # ipaNTTrustedDomain:
> +                'ipanttrusttype', 'ipanttrustattributes',
> +                'ipanttrustdirection', 'ipanttrustpartner',
> 'ipantflatname',
> +                'ipanttrustauthoutgoing', 'ipanttrustauthincoming',

These 2 attributes here ^^^^

They contain trust credentials, certainly must not be readable by any
authenticated user except the trust agents.


> +                'ipanttrusteddomainsid', 'ipanttrustforesttrustinfo',
> +                'ipanttrustposixoffset',
> 'ipantsupportedencryptiontypes',
> +                'ipantsidblacklistincoming',
> 'ipantsidblacklistoutgoing',
> +                # ipaNTDomainAttrs:
> +                'ipantsecurityidentifier', 'ipantflatname',
> 'ipantdomainguid',
> +                'ipantfallbackprimarygroup',
> +            },
> +        },
> +    }
>  
>      label = _('Trusts')
>      label_singular = _('Trust')
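Review bot: 'ipanttrustauthoutgoing' and 'ipanttrustauthincoming' are listed in 'ipapermdefaultattr' of a permission whose 'ipapermbindruletype' is 'all', so the trust credential material those attributes hold becomes readable by every authenticated user; remove both from this set so 'System: Read Trusts' only exposes non-secret trust metadata, and if a principal other than the trust agents genuinely needs them, grant that in a separate permission with a bind rule restricted to that group rather than 'all'. A smaller point in the same set literal: 'ipantflatname' appears twice (once under the ipaNTTrustedDomain comment and again under ipaNTDomainAttrs); a Python set silently drops the duplicate, but listing it once keeps the attribute inventory readable.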

In general I am not sure all authenticated users need access to all this
info. Alexander?

Simo.
