From 8e7c98eb7ffc58be01e323af74c8df6d49208405 Mon Sep 17 00:00:00 2001
From: Simo Sorce <ssorce@redhat.com>
Date: Fri, 15 Aug 2008 17:17:03 -0400
Subject: CVE 2008 3274 related fixes

---
 ipa-server/ipaserver/krbinstance.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'ipa-server/ipaserver/krbinstance.py')

diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py
index 4cdb801e..598c2b20 100644
--- a/ipa-server/ipaserver/krbinstance.py
+++ b/ipa-server/ipaserver/krbinstance.py
@@ -339,6 +339,10 @@ class KrbInstance(service.Service):
     def __add_pwd_extop_module(self):
         self.__ldap_mod("pwd-extop-conf.ldif")
 
+KRBMKEY_DENY_ACI = """
+(targetattr = "krbMKey")(version 3.0; acl "No external access"; deny (all) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
+"""
+
     def __add_master_key(self):
         #get the Master Key from the stash file
         try:
@@ -358,7 +362,9 @@ class KrbInstance(service.Service):
         asn1key = pyasn1.codec.ber.encoder.encode(krbMKey)
 
         dn = "cn="+self.realm+",cn=kerberos,"+self.suffix
-        mod = [(ldap.MOD_ADD, 'krbMKey', str(asn1key))]
+        #protect the master key by adding an appropriate deny rule along with the key
+        mod = [(ldap.MOD_ADD, 'aci', ipautil.template_str(KRBMKEY_DENY_ACI, self.sub_dict)),
+               (ldap.MOD_ADD, 'krbMKey', str(asn1key))]
         try:
             self.conn.modify_s(dn, mod)
         except ldap.TYPE_OR_VALUE_EXISTS, e:
-- 
cgit