summaryrefslogtreecommitdiffstats
path: root/ipaserver/install/plugins
diff options
context:
space:
mode:
authorMartin Kosek <mkosek@redhat.com>2012-04-02 14:57:33 +0200
committerRob Crittenden <rcritten@redhat.com>2012-04-01 21:17:04 -0400
commitdf13cdcb974e9f8b161be35fcef9651c2ffe0b5e (patch)
tree6c3e7ee8be605e4c37998ecdedca40f7da184c5e /ipaserver/install/plugins
parent874a298b073997ec6b1e5a119210c7f0975aed18 (diff)
downloadfreeipa-df13cdcb974e9f8b161be35fcef9651c2ffe0b5e.tar.gz
freeipa-df13cdcb974e9f8b161be35fcef9651c2ffe0b5e.tar.xz
freeipa-df13cdcb974e9f8b161be35fcef9651c2ffe0b5e.zip
Forbid public access to DNS tree
With a publicly accessible DNS tree in LDAP, anyone with an access to the LDAP server can get all DNS data as with a zone transfer which is already restricted with ACL. Making DNS tree not readable to public is a common security practice and should be applied in FreeIPA as well. This patch adds a new deny rule to forbid access to DNS tree to users or hosts without an appropriate permission or users which are not members of admins group. The new permission/aci is applied both for new installs and upgraded servers. bind-dyndb-ldap plugin is allowed to read DNS tree without any change because its principal is already a member of "DNS Servers" privilege. https://fedorahosted.org/freeipa/ticket/2569
Diffstat (limited to 'ipaserver/install/plugins')
-rw-r--r--ipaserver/install/plugins/dns.py59
1 files changed, 44 insertions, 15 deletions
diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py
index 84b7b23a5..a9846fa84 100644
--- a/ipaserver/install/plugins/dns.py
+++ b/ipaserver/install/plugins/dns.py
@@ -87,6 +87,39 @@ class update_dns_permissions(PostUpdate):
enabled DNS. LDIF loaded by DNS installer would fail because of duplicate
entries otherwise.
"""
+
+ _write_dns_perm_dn = DN('cn=Write DNS Configuration',
+ api.env.container_permission,
+ api.env.basedn)
+ _write_dns_perm_entry = ['objectClass:groupofnames',
+ 'objectClass:top',
+ 'cn:Write DNS Configuration',
+ 'description:Write DNS Configuration',
+ 'member:cn=DNS Administrators,cn=privileges,cn=pbac,%s' \
+ % api.env.basedn,
+ 'member:cn=DNS Servers,cn=privileges,cn=pbac,%s' \
+ % api.env.basedn]
+
+ _read_dns_perm_dn = DN('cn=read dns entries',
+ api.env.container_permission,
+ api.env.basedn)
+ _read_dns_perm_entry = ['objectClass:top',
+ 'objectClass:groupofnames',
+ 'objectClass:ipapermission',
+ 'cn:read dns entries',
+ 'description:Read DNS entries',
+ 'ipapermissiontype:SYSTEM',
+ 'member:cn=DNS Administrators,cn=privileges,cn=pbac,%s' \
+ % api.env.basedn,
+ 'member:cn=DNS Servers,cn=privileges,cn=pbac,%s' \
+ % api.env.basedn,]
+
+ _write_dns_aci_dn = DN(api.env.basedn)
+ _write_dns_aci_entry = ['add:aci:\'(targetattr = "idnsforwardpolicy || idnsforwarders || idnsallowsyncptr || idnszonerefresh || idnspersistentsearch")(target = "ldap:///cn=dns,%(realm)s")(version 3.0;acl "permission:Write DNS Configuration";allow (write) groupdn = "ldap:///cn=Write DNS Configuration,cn=permissions,cn=pbac,%(realm)s";)\'' % dict(realm=api.env.basedn)]
+
+ _read_dns_aci_dn = DN(api.env.container_dns, api.env.basedn)
+ _read_dns_aci_entry = ['add:aci:\'(targetattr = "*")(version 3.0; acl "No access to DNS tree without a permission"; deny (read,search,compare) (groupdn != "ldap:///cn=admins,cn=groups,cn=accounts,%(realm)s") and (groupdn != "ldap:///cn=read dns entries,cn=permissions,cn=pbac,%(realm)s");)\'' % dict(realm=api.env.basedn) ]
+
def execute(self, **options):
ldap = self.obj.backend
@@ -94,21 +127,17 @@ class update_dns_permissions(PostUpdate):
return (False, False, [])
dnsupdates = {}
- dn = str(DN('cn=Write DNS Configuration', api.env.container_permission, api.env.basedn))
- entry = ['objectClass:groupofnames',
- 'objectClass:top',
- 'cn:Write DNS Configuration',
- 'description:Write DNS Configuration',
- 'member:cn=DNS Administrators,cn=privileges,cn=pbac,%s' % api.env.basedn,
- 'member:cn=DNS Servers,cn=privileges,cn=pbac,%s' % api.env.basedn]
- # make sure everything is str or otherwise python-ldap will complain
- entry = map(str, entry)
- dnsupdates[dn] = {'dn' : str(dn), 'default' : entry}
-
- dn = str(DN(api.env.basedn))
- entry = ['add:aci:\'(targetattr = "idnsforwardpolicy || idnsforwarders || idnsallowsyncptr || idnszonerefresh || idnspersistentsearch")(target = "ldap:///cn=dns,%(realm)s")(version 3.0;acl "permission:Write DNS Configuration";allow (write) groupdn = "ldap:///cn=Write DNS Configuration,cn=permissions,cn=pbac,%(realm)s";)\'' % dict(realm=api.env.basedn)]
- entry = map(str, entry)
- dnsupdates[dn] = {'dn' : dn, 'updates' : entry}
+
+ # add default and updated entries
+ for dn, container, entry in ((self._write_dns_perm_dn, 'default', self._write_dns_perm_entry),
+ (self._read_dns_perm_dn, 'default', self._read_dns_perm_entry),
+ (self._write_dns_aci_dn, 'updates', self._write_dns_aci_entry),
+ (self._read_dns_aci_dn, 'updates', self._read_dns_aci_entry)):
+
+ dn = str(dn)
+ # make sure everything is str or otherwise python-ldap would complain
+ entry = map(str, entry)
+ dnsupdates[dn] = {'dn' : dn, container : entry}
return (False, True, [dnsupdates])