diff options
| author | Martin Kosek <mkosek@redhat.com> | 2012-04-02 14:57:33 +0200 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2012-04-01 21:17:28 -0400 |
| commit | cf8f2f86ec52a1de90df6ea434463aa6417ef8ea (patch) | |
| tree | f4523ef33ed76f4daab82c678a139394a91b1f35 /ipaserver | |
| parent | 57950b959e1d981ecd5a2d3689ea99d8265789e0 (diff) | |
| download | freeipa.git-cf8f2f86ec52a1de90df6ea434463aa6417ef8ea.tar.gz freeipa.git-cf8f2f86ec52a1de90df6ea434463aa6417ef8ea.tar.xz freeipa.git-cf8f2f86ec52a1de90df6ea434463aa6417ef8ea.zip | |
Forbid public access to DNS tree
With a publicly accessible DNS tree in LDAP, anyone with an access
to the LDAP server can get all DNS data as with a zone transfer
which is already restricted with ACL. Making DNS tree not readable
to public is a common security practice and should be applied
in FreeIPA as well.
This patch adds a new deny rule to forbid access to DNS tree to
users or hosts without an appropriate permission or users which
are not members of admins group. The new permission/aci is
applied both for new installs and upgraded servers.
bind-dyndb-ldap plugin is allowed to read DNS tree without any
change because its principal is already a member of "DNS
Servers" privilege.
https://fedorahosted.org/freeipa/ticket/2569
Diffstat (limited to 'ipaserver')
| -rw-r--r-- | ipaserver/install/plugins/dns.py | 59 |
1 files changed, 44 insertions, 15 deletions
diff --git a/ipaserver/install/plugins/dns.py b/ipaserver/install/plugins/dns.py index 84b7b23a..a9846fa8 100644 --- a/ipaserver/install/plugins/dns.py +++ b/ipaserver/install/plugins/dns.py @@ -87,6 +87,39 @@ class update_dns_permissions(PostUpdate): enabled DNS. LDIF loaded by DNS installer would fail because of duplicate entries otherwise. """ + + _write_dns_perm_dn = DN('cn=Write DNS Configuration', + api.env.container_permission, + api.env.basedn) + _write_dns_perm_entry = ['objectClass:groupofnames', + 'objectClass:top', + 'cn:Write DNS Configuration', + 'description:Write DNS Configuration', + 'member:cn=DNS Administrators,cn=privileges,cn=pbac,%s' \ + % api.env.basedn, + 'member:cn=DNS Servers,cn=privileges,cn=pbac,%s' \ + % api.env.basedn] + + _read_dns_perm_dn = DN('cn=read dns entries', + api.env.container_permission, + api.env.basedn) + _read_dns_perm_entry = ['objectClass:top', + 'objectClass:groupofnames', + 'objectClass:ipapermission', + 'cn:read dns entries', + 'description:Read DNS entries', + 'ipapermissiontype:SYSTEM', + 'member:cn=DNS Administrators,cn=privileges,cn=pbac,%s' \ + % api.env.basedn, + 'member:cn=DNS Servers,cn=privileges,cn=pbac,%s' \ + % api.env.basedn,] + + _write_dns_aci_dn = DN(api.env.basedn) + _write_dns_aci_entry = ['add:aci:\'(targetattr = "idnsforwardpolicy || idnsforwarders || idnsallowsyncptr || idnszonerefresh || idnspersistentsearch")(target = "ldap:///cn=dns,%(realm)s")(version 3.0;acl "permission:Write DNS Configuration";allow (write) groupdn = "ldap:///cn=Write DNS Configuration,cn=permissions,cn=pbac,%(realm)s";)\'' % dict(realm=api.env.basedn)] + + _read_dns_aci_dn = DN(api.env.container_dns, api.env.basedn) + _read_dns_aci_entry = ['add:aci:\'(targetattr = "*")(version 3.0; acl "No access to DNS tree without a permission"; deny (read,search,compare) (groupdn != "ldap:///cn=admins,cn=groups,cn=accounts,%(realm)s") and (groupdn != "ldap:///cn=read dns entries,cn=permissions,cn=pbac,%(realm)s");)\'' % dict(realm=api.env.basedn) ] + def execute(self, **options): ldap = self.obj.backend @@ -94,21 +127,17 @@ class update_dns_permissions(PostUpdate): return (False, False, []) dnsupdates = {} - dn = str(DN('cn=Write DNS Configuration', api.env.container_permission, api.env.basedn)) - entry = ['objectClass:groupofnames', - 'objectClass:top', - 'cn:Write DNS Configuration', - 'description:Write DNS Configuration', - 'member:cn=DNS Administrators,cn=privileges,cn=pbac,%s' % api.env.basedn, - 'member:cn=DNS Servers,cn=privileges,cn=pbac,%s' % api.env.basedn] - # make sure everything is str or otherwise python-ldap will complain - entry = map(str, entry) - dnsupdates[dn] = {'dn' : str(dn), 'default' : entry} - - dn = str(DN(api.env.basedn)) - entry = ['add:aci:\'(targetattr = "idnsforwardpolicy || idnsforwarders || idnsallowsyncptr || idnszonerefresh || idnspersistentsearch")(target = "ldap:///cn=dns,%(realm)s")(version 3.0;acl "permission:Write DNS Configuration";allow (write) groupdn = "ldap:///cn=Write DNS Configuration,cn=permissions,cn=pbac,%(realm)s";)\'' % dict(realm=api.env.basedn)] - entry = map(str, entry) - dnsupdates[dn] = {'dn' : dn, 'updates' : entry} + + # add default and updated entries + for dn, container, entry in ((self._write_dns_perm_dn, 'default', self._write_dns_perm_entry), + (self._read_dns_perm_dn, 'default', self._read_dns_perm_entry), + (self._write_dns_aci_dn, 'updates', self._write_dns_aci_entry), + (self._read_dns_aci_dn, 'updates', self._read_dns_aci_entry)): + + dn = str(dn) + # make sure everything is str or otherwise python-ldap would complain + entry = map(str, entry) + dnsupdates[dn] = {'dn' : dn, container : entry} return (False, True, [dnsupdates]) |