From cf8f2f86ec52a1de90df6ea434463aa6417ef8ea Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Mon, 2 Apr 2012 14:57:33 +0200
Subject: Forbid public access to DNS tree

With a publicly accessible DNS tree in LDAP, anyone with an access to the LDAP server can get all DNS data as with a zone transfer which is already restricted with ACL. Making DNS tree not readable to public is a common security practice and should be applied in FreeIPA as well. This patch adds a new deny rule to forbid access to DNS tree to users or hosts without an appropriate permission or users which are not members of admins group. The new permission/aci is applied both for new installs and upgraded servers. bind-dyndb-ldap plugin is allowed to read DNS tree without any change because its principal is already a member of "DNS Servers" privilege. https://fedorahosted.org/freeipa/ticket/2569
---
 install/share/dns.ldif | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'install')

diff --git a/install/share/dns.ldif b/install/share/dns.ldif
index 3fd8cfb8..a8d27788 100644
--- a/install/share/dns.ldif
+++ b/install/share/dns.ldif
@@ -4,6 +4,7 @@ objectClass: idnsConfigObject
 objectClass: nsContainer
 objectClass: top
 cn: dns
+aci: (targetattr = "*")(version 3.0; acl "No access to DNS tree without a permission"; deny (read,search,compare) (groupdn != "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX") and (groupdn != "ldap:///cn=read dns entries,cn=permissions,cn=pbac,$SUFFIX");)
 
 dn: $SUFFIX
 changetype: modify
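Review bot: The deny ACI added under `cn: dns` depends on 389-DS evaluating a matching deny ahead of every allow, and nothing in the file says so; from now on any allow ACI that grants read on DNS data to a group other than `cn=admins` or `cn=read dns entries` will be silently ineffective, so new readers have to be added as members of the `read dns entries` permission instead of getting their own ACI. An LDIF comment above the `aci:` line would capture that, e.g. `# deny takes precedence over any allow ACI: grant DNS read access only via membership in cn=read dns entries (or cn=admins), never with a separate allow ACI`, and the same reason explains why `cn=admins` must be exempted explicitly here even though it already has a generic allow ACI elsewhere. Because the rule has no `target` and uses `targetattr = "*"`, it also covers the `cn=dns` container entry itself, so an unprivileged bind can no longer see that the subtree exists at all — presumably intended, but any installer or upgrade step that reads this container now needs to bind with a privileged identity. The commit message says the ACI is applied on upgrade as well, but that part of the change is outside this listing (limited to `install`) and cannot be checked here.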
@@ -56,6 +57,17 @@ description: Update DNS entries
 member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
 member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
 
+dn: cn=read dns entries,cn=permissions,cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: ipapermission
+cn: read dns entries
+description: Read DNS entries
+ipapermissiontype: SYSTEM
+member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
+member: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
+
 dn: cn=Write DNS Configuration,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: groupofnames
-- cgit
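Review bot: `cn: read dns entries` departs from the naming of the neighbouring permissions in this file, which are capitalised (`Update DNS entries` in the hunk header, `Write DNS Configuration` in the context lines); cn matching is normally case-insensitive in LDAP so this is not a functional problem, but the same lower-case DN is hard-coded inside the deny ACI added to the `cn=dns` entry in the first hunk, so a later rename has to touch both places or the ACI will deny everyone except admins. If the name stays as is, a one-line comment above the entry such as `# DN is referenced verbatim by the deny ACI on cn=dns,$SUFFIX; keep both in sync` would stop a maintainer from renaming only one side. The `member` lines here (the DNS Administrators and DNS Servers privileges) are what re-enable read access after the deny, so the comment should also say that any new privilege needing DNS read must be added as a member of this entry rather than through its own ACI.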