author | Rob Crittenden <rcritten@redhat.com> | 2012-02-21 10:21:03 -0500 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2012-02-23 11:05:52 +0100 |
commit | 960baaebf4a1305a38f7cec099f51607e2427d24 (patch) | |
tree | 95b044a9e6e33641431cbade9632afafe9b75d5c | |
parent | ce7b66ebfbe52e5efb3a7cf28e61954baf78982e (diff) | |
Don't allow "Modify Group membership" permission to manage admins
The permission "Modify Group membership" is used to delegate group
management responsibilities. We don't want that to include managing
the admins group.
https://fedorahosted.org/freeipa/ticket/2416
-rw-r--r-- | install/share/delegation.ldif | 2 | ||||
-rw-r--r-- | install/updates/40-delegation.update | 4 |
2 files changed, 5 insertions, 1 deletions
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index f46589eb..c6124084 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -578,7 +578,7 @@ dn: $SUFFIX
 changetype: modify
 add: aci
 aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Groups";allow (add) groupdn = "ldap:///cn=Add Groups,cn=permissions,cn=pbac,$SUFFIX";)
-aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)
 aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Groups";allow (delete) groupdn = "ldap:///cn=Remove Groups,cn=permissions,cn=pbac,$SUFFIX";)
 # We need objectclass and gidnumber in modify so a non-posix group can be
 # promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached.
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 74d882bd..09b80568 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
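Review bot: The new `(targetfilter = "(!(cn=admins))")` term on the "Modify Group membership" ACI excludes only the one entry whose cn is literally `admins`; a group that is itself a member of admins still matches the `cn=*,cn=groups` target, so if nested groups are in use a delegate holding this permission can still add a user to such a subgroup and make them an indirect admin. The commit message says the permission should not "include managing the admins group", so either that limitation should be written down or the filter needs to cover groups nested beneath admins as well. At minimum, a comment above the ACI such as `# Excludes only the admins entry itself; groups nested under admins remain writable via this ACI` would stop the next reader from assuming admin membership is fully fenced off. The `memberOf`-style exclusion used by the password ACI elsewhere in this series does not transfer directly here, since it describes a user's own membership rather than the groups an entry contains.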
@@ -331,3 +331,7 @@ add:aci:'(targetattr = "ipasshpubkey")(target = "ldap:///fqdn=*,cn=computers,cn=
 # of administrators
 dn: $SUFFIX
 replace:aci:'(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(!(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX))")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "permission:Change a user password";allow (write) groupdn = "ldap:///cn=Change a user password,cn=permissions,cn=pbac,$SUFFIX";)'
+
+# Don't allow the default 'manage group membership' to be able to manage the
+# admins group
+replace:aci:'(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)::(targetfilter = "(!(cn=admins))")(targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Group membership";allow (write) groupdn = "ldap:///cn=Modify Group membership,cn=permissions,cn=pbac,$SUFFIX";)'
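Review bot: The added comment calls the permission 'manage group membership', but the ACI it rewrites is named "Modify Group membership"; suggest `# Don't allow the default 'Modify Group membership' permission to manage the admins group` so the comment matches the acl name that can be grepped for in the directory. Separately, a `replace:aci:'old::new'` directive presumably takes effect only when the deployed aci value matches the old string exactly, so a server whose ACI was hand-edited or carries different whitespace would keep the unrestricted rule without any error; after running the updater, read the `aci` attribute on `$SUFFIX` and confirm the `(targetfilter = "(!(cn=admins))")` term is present before treating the fix as applied. As in delegation.ldif, the filter excludes only the `cn=admins` entry itself and not groups nested beneath it.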