diff options
author | Simo Sorce <ssorce@redhat.com> | 2008-08-15 17:17:03 -0400 |
---|---|---|
committer | Simo Sorce <ssorce@redhat.com> | 2008-09-10 15:43:41 -0400 |
commit | 9932887f2af38b9701efec27707648c026ec445c (patch) | |
tree | 0298a730617c5f82079a518b42d1f7ec2386882f | |
parent | af06a9fe128038aad03c5bee1b9f91404374da61 (diff) | |
download | freeipa-9932887f2af38b9701efec27707648c026ec445c.tar.gz freeipa-9932887f2af38b9701efec27707648c026ec445c.tar.xz freeipa-9932887f2af38b9701efec27707648c026ec445c.zip |
CVE 2008 3274 related fixes
-rw-r--r-- | ipa-server/ipa-install/share/default-aci.ldif | 4 | ||||
-rw-r--r-- | ipa-server/ipaserver/krbinstance.py | 8 |
2 files changed, 9 insertions, 3 deletions
diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif index 9cb5d831b..55c1d0143 100644 --- a/ipa-server/ipa-install/share/default-aci.ldif +++ b/ipa-server/ipa-install/share/default-aci.ldif @@ -3,8 +3,8 @@ dn: $SUFFIX changetype: modify add: aci -aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";) -aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";) +aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";) +aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";) aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";) diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py index deea4a6e5..9c8c5d4b8 100644 --- a/ipa-server/ipaserver/krbinstance.py +++ b/ipa-server/ipaserver/krbinstance.py @@ -48,6 +48,10 @@ import pyasn1.codec.ber.decoder import struct import base64 +KRBMKEY_DENY_ACI = """ +(targetattr = "krbMKey")(version 3.0; acl "No external access"; deny (all) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";) +""" + def update_key_val_in_file(filename, key, val): if os.path.exists(filename): pattern = "^[\s#]*%s\s*=\s*%s\s*" % (re.escape(key), re.escape(val)) @@ -358,7 +362,9 @@ class KrbInstance(service.Service): entry = ipaldap.Entry("cn="+self.realm+",cn=kerberos,"+self.suffix) dn = "cn="+self.realm+",cn=kerberos,"+self.suffix - mod = [(ldap.MOD_ADD, 'krbMKey', str(asn1key))] + #protect the master key by adding an appropriate deny rule along with the key + mod = [(ldap.MOD_ADD, 'aci', ipautil.template_str(KRBMKEY_DENY_ACI, self.sub_dict)), + (ldap.MOD_ADD, 'krbMKey', str(asn1key))] try: self.conn.modify_s(dn, mod) except ldap.TYPE_OR_VALUE_EXISTS, e: |