diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2010-11-17 15:04:33 -0500 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2010-11-30 14:30:52 -0500 |
| commit | d644d17adf117321747db1e4e22a771fbea3b09e (patch) | |
| tree | 8a7a5fa1b1ae82fee66ae01f5fa281125141ef70 | |
| parent | 88133ab43cecc68248bb95014d1716aa5b74bc75 (diff) | |
| download | freeipa-d644d17adf117321747db1e4e22a771fbea3b09e.tar.gz freeipa-d644d17adf117321747db1e4e22a771fbea3b09e.tar.xz freeipa-d644d17adf117321747db1e4e22a771fbea3b09e.zip | |
Reduce the number of attributes a host is allowed to write.
The list of attributes that a host bound as itself could write was
overly broad.
A host can now only update its description, information about itself
such as OS release, etc, its certificate, password and keytab.
ticket 416
| -rw-r--r-- | install/share/default-aci.ldif | 8 | ||||
| -rw-r--r-- | install/updates/40-delegation.update | 4 |
2 files changed, 8 insertions, 4 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index 2805e2f6f..11c2f51df 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif @@ -4,7 +4,7 @@ dn: $SUFFIX changetype: modify add: aci aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";) -aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) +aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";) @@ -12,6 +12,10 @@ aci: (targetattr = "userPassword || krbPrincipalKey || krbPasswordExpiration || aci: (targetattr = "krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "KDC System Account can update some fields"; allow (write) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) aci: (targetattr = "krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Only the KDC System Account has access to kerberos material"; allow (read, search, compare) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) aci: (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) + +dn: cn=users,cn=accounts,$SUFFIX +changetype: modify +add: aci aci: (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";) dn: cn=ipaConfig,cn=etc,$SUFFIX @@ -49,7 +53,7 @@ aci: (targetattr="userCertificate || krbPrincipalKey")(version 3.0; acl "Hosts c dn: cn=computers,cn=accounts,$SUFFIX changetype: modify add: aci -aci: (targetattr="userCertificate || krbLastPwdChange")(version 3.0; acl "Hosts can modify service userCertificate"; allow(write) userdn = "ldap:///self";) +aci: (targetattr="userCertificate || krbLastPwdChange || description || l || nshostlocation || nshardwareplatform || nsosversion")(version 3.0; acl "Hosts can modify their own certs and keytabs"; allow(write) userdn = "ldap:///self";) # Define which hosts can edit other hosts # The managedby attribute stores the DN of hosts that are allowed to manage diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index 085cd1f81..7dc12d8c9 100644 --- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update @@ -241,7 +241,7 @@ add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version add:aci: '(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Hosts";allow (delete) groupdn = "ldap:///cn=removehosts,cn= taskgroups,cn=accounts,$SUFFIX";)' -add:aci: '(targetattr = "cn || description || l || nshostlocation || +add:aci: '(targetattr = "description || l || nshostlocation || nshardwareplatform || nsosversion") (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0; acl "Modify Hosts";allow (write) groupdn = "ldap:///cn=modifyhosts, @@ -501,7 +501,7 @@ add:member:'cn=enrollhost,cn=rolegroups,cn=accounts,$SUFFIX' # set the krbPrincipalName, add krbPrincipalAux to objectClass and # set enrolledBy to whoever ran join. dn: $SUFFIX -add:aci: '(targetattr = "krbPrincipalName || enrolledBy || objectClass") +add:aci: '(targetattr = "enrolledBy || objectClass") (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX") (version 3.0;acl "Enroll a host"; allow (write) groupdn = "ldap:///cn=enroll_host,cn=taskgroups, |