summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSimo Sorce <ssorce@redhat.com>2008-08-15 17:17:03 -0400
committerSimo Sorce <ssorce@redhat.com>2008-09-10 15:07:33 -0400
commit8e7c98eb7ffc58be01e323af74c8df6d49208405 (patch)
tree6eb2806db54fb676b1ae5d845347ad8d6f0da63c
parent89ed5a02770c54369bb6b84a33c440f1165fec32 (diff)
downloadfreeipa-8e7c98eb7ffc58be01e323af74c8df6d49208405.tar.gz
freeipa-8e7c98eb7ffc58be01e323af74c8df6d49208405.tar.xz
freeipa-8e7c98eb7ffc58be01e323af74c8df6d49208405.zip
CVE 2008 3274 related fixes
-rw-r--r--ipa-server/ipa-install/share/default-aci.ldif4
-rw-r--r--ipa-server/ipaserver/krbinstance.py8
2 files changed, 9 insertions, 3 deletions
diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif
index d2946fa8..25bd3b22 100644
--- a/ipa-server/ipa-install/share/default-aci.ldif
+++ b/ipa-server/ipa-install/share/default-aci.ldif
@@ -3,8 +3,8 @@
dn: $SUFFIX
changetype: modify
add: aci
-aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
-aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
+aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
+aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py
index 4cdb801e..598c2b20 100644
--- a/ipa-server/ipaserver/krbinstance.py
+++ b/ipa-server/ipaserver/krbinstance.py
@@ -339,6 +339,10 @@ class KrbInstance(service.Service):
def __add_pwd_extop_module(self):
self.__ldap_mod("pwd-extop-conf.ldif")
+KRBMKEY_DENY_ACI = """
+(targetattr = "krbMKey")(version 3.0; acl "No external access"; deny (all) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
+"""
+
def __add_master_key(self):
#get the Master Key from the stash file
try:
@@ -358,7 +362,9 @@ class KrbInstance(service.Service):
asn1key = pyasn1.codec.ber.encoder.encode(krbMKey)
dn = "cn="+self.realm+",cn=kerberos,"+self.suffix
- mod = [(ldap.MOD_ADD, 'krbMKey', str(asn1key))]
+ #protect the master key by adding an appropriate deny rule along with the key
+ mod = [(ldap.MOD_ADD, 'aci', ipautil.template_str(KRBMKEY_DENY_ACI, self.sub_dict)),
+ (ldap.MOD_ADD, 'krbMKey', str(asn1key))]
try:
self.conn.modify_s(dn, mod)
except ldap.TYPE_OR_VALUE_EXISTS, e: