author | Petr Viktorin <pviktori@redhat.com> | 2014-04-29 21:46:26 +0200 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-05-26 12:14:55 +0200 |
commit | 193ced0bd7a9a26e7b25f08b023ee21302acaac7 (patch) | |
tree | 994ad23b37d49ab451f65c52a54e71901cc3aedc | |
parent | 63becae88c6c270b98f0432dc474b661b82f3119 (diff) | |
Remove the global anonymous read ACI
Also remove
- the deny ACIs that implemented exceptions to it:
- no anonymous access to roles
- no anonymous access to member information
- no anonymous access to hbac
- no anonymous access to sudo (2×)
- its updater plugin
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
-rw-r--r-- | install/share/default-aci.ldif | 13 | ||||
-rw-r--r-- | install/share/delegation.ldif | 5 | ||||
-rw-r--r-- | install/updates/20-aci.update | 11 | ||||
-rw-r--r-- | install/updates/60-trusts.update | 1 | ||||
-rw-r--r-- | ipaserver/install/plugins/update_anonymous_aci.py | 96 | ||||
-rw-r--r-- | ipaserver/install/plugins/update_managed_permissions.py | 19 |
6 files changed, 30 insertions, 115 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index 480facf32..04fc185f7 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -3,10 +3,7 @@
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenHOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
-aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)
 aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)
-aci: (targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,$SUFFIX")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)
 
 dn: $SUFFIX
 changetype: modify
@@ -65,16 +62,6 @@ changetype: modify
 add: aci
 aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Admins can manage host keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 
-dn: cn=hbac,$SUFFIX
-changetype: modify
-add: aci
-aci: (targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny (read,search,compare) userdn != "ldap:///all";)
-
-dn: cn=sudo,$SUFFIX
-changetype: modify
-add: aci
-aci: (targetattr = "*")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)
-
 # This is used for the host/service one-time passwordn and keytab indirectors.
 # We can do a query on a DN to see if an attribute exists.
 dn: cn=accounts,$SUFFIX
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 7bd4e1e2d..43d13974f 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -580,11 +580,6 @@ aci: (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=se
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)
-
-dn: $SUFFIX
-changetype: modify
-add: aci
 aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX";)
 aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX";)
 aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,$SUFFIX";)
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index f31c20177..34cba4cc8 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -51,3 +51,14 @@ add:aci:'(targetattr="ipaUniqueId || memberOf || enrolledBy || krbExtraData || k
 dn: cn=config
 # Replaced by 'System: Read Replication Agreements'
 remove:aci: '(targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)'
+
+dn: $SUFFIX
+remove:aci: '(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)'
+remove:aci: '(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)'
+remove:aci: '(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,$SUFFIX")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)'
+
+dn: cn=hbac,$SUFFIX
+remove:aci: '(targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny (read,search,compare) userdn != "ldap:///all";)'
+
+dn: cn=sudo,$SUFFIX
+remove:aci: '(targetattr = "*")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)'
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index 77c2104ff..371bf656f 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
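Review bot: The five `remove:aci:` lines in the 20-aci.update hunk drop the deny ACIs that were the only exceptions to the global "Enable Anonymous access" allow for roles, member attributes, HBAC and sudo, while the allow itself is removed separately by `update_managed_permissions.remove_anonymous_read_aci` in the last hunk of this commit. If this update file is applied before the PostUpdate plugins run, as the base-class name suggests, an upgraded server serves those entries to anonymous binds in the window between the two steps, and keeps doing so if the plugin step fails or is skipped. A safer ordering is to have the plugin remove these deny ACIs itself after the anonymous allow is gone, or at minimum to record the dependency here, e.g. `# Safe only once update_managed_permissions has removed the global "Enable Anonymous access" ACI.` The matching deletions in default-aci.ldif and delegation.ldif affect fresh installs only, where the allow and the denies disappear together, so they do not need the same care.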
@@ -34,7 +34,6 @@ add:aci: '(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType ||
 dn: $SUFFIX
 add:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
 remove:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
-replace:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)::(target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)'
 
 # Add the default PAC type to configuration
 dn: cn=ipaConfig,cn=etc,$SUFFIX
diff --git a/ipaserver/install/plugins/update_anonymous_aci.py b/ipaserver/install/plugins/update_anonymous_aci.py
deleted file mode 100644
index 943b24577..000000000
--- a/ipaserver/install/plugins/update_anonymous_aci.py
+++ /dev/null
@@ -1,96 +0,0 @@ -# Authors: -# Rob Crittenden <rcritten@redhat.com> -# -# Copyright (C) 2013 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. - -from copy import deepcopy -from ipaserver.install.plugins import FIRST, LAST -from ipaserver.install.plugins.baseupdate import PostUpdate -from ipalib import api, errors -from ipalib.aci import ACI -from ipalib.plugins import aci -from ipapython.ipa_log_manager import * - -class update_anonymous_aci(PostUpdate): - """ - Update the Anonymous ACI to ensure that all secrets are protected. 
- """ - order = FIRST - - def execute(self, **options): - aciname = u'Enable Anonymous access' - aciprefix = u'none' - ldap = self.obj.backend - targetfilter = '(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenHOTP))(!(objectClass=ipatokenRadiusConfiguration)))' - filter = None - - entry_attrs = ldap.get_entry(api.env.basedn, ['aci']) - - acistrs = entry_attrs.get('aci', []) - acilist = aci._convert_strings_to_acis(entry_attrs.get('aci', [])) - try: - rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname) - except errors.NotFound: - root_logger.error('Anonymous ACI not found, cannot update it') - return False, False, [] - - attrs = rawaci.target['targetattr']['expression'] - rawfilter = rawaci.target.get('targetfilter', None) - if rawfilter is not None: - filter = rawfilter['expression'] - - update_attrs = deepcopy(attrs) - - needed_attrs = [] - for attr in ('ipaNTTrustAuthOutgoing', 'ipaNTTrustAuthIncoming'): - if attr not in attrs: - needed_attrs.append(attr) - - update_attrs.extend(needed_attrs) - if (len(attrs) == len(update_attrs) and - filter == targetfilter): - root_logger.debug("Anonymous ACI already update-to-date") - return (False, False, []) - - for tmpaci in acistrs: - candidate = ACI(tmpaci) - if rawaci.isequal(candidate): - acistrs.remove(tmpaci) - break - - if len(attrs) != len(update_attrs): - root_logger.debug("New Anonymous ACI attributes needed: %s", - needed_attrs) - - rawaci.target['targetattr']['expression'] = update_attrs - - if filter != targetfilter: - root_logger.debug("New Anonymous ACI targetfilter needed.") - - rawaci.set_target_filter(targetfilter) - - acistrs.append(unicode(rawaci)) - entry_attrs['aci'] = acistrs - - try: - ldap.update_entry(entry_attrs) - except Exception, e: - root_logger.error("Failed to update Anonymous ACI: %s" % e) - - return (False, False, []) - -api.register(update_anonymous_aci) 
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py index 72c1b131f..c9994c77d 100644 --- a/ipaserver/install/plugins/update_managed_permissions.py +++ b/ipaserver/install/plugins/update_managed_permissions.py @@ -81,6 +81,7 @@ from ipapython.dn import DN from ipalib.plugable import Registry from ipalib.plugins import aci from ipalib.plugins.permission import permission +from ipalib.aci import ACI from ipaserver.plugins.ldap2 import ldap2 from ipaserver.install.plugins import LAST from ipaserver.install.plugins.baseupdate import PostUpdate @@ -250,6 +251,21 @@ class update_managed_permissions(PostUpdate): except errors.NotFound: return None + def remove_anonymous_read_aci(self, ldap, anonymous_read_aci): + base_entry = ldap.get_entry(self.api.env.basedn, ['aci']) + + acistrs = base_entry.get('aci', []) + + for acistr in acistrs: + if ACI(acistr).isequal(anonymous_read_aci): + self.log.info('Removing anonymous ACI: %s', acistr) + acistrs.remove(acistr) + break + else: + return + + ldap.update_entry(base_entry) + def execute(self, **options): ldap = self.api.Backend[ldap2] @@ -276,6 +292,9 @@ class update_managed_permissions(PostUpdate): self.update_permission(ldap, None, unicode(name), template, anonymous_read_aci) + if anonymous_read_aci: + self.remove_anonymous_read_aci(ldap, anonymous_read_aci) + return False, False, () def update_permission(self, ldap, obj, name, template, anonymous_read_aci): |
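Review bot: `remove_anonymous_read_aci` edits the list returned by `base_entry.get('aci', [])` in place and then calls `ldap.update_entry(base_entry)` without `base_entry['aci'] = acistrs`, which the deleted update_anonymous_aci plugin did explicitly before its own update_entry call; if get() ever hands back a copy rather than the live attribute, the anonymous ACI silently survives with an info log saying it was removed. Adding `base_entry['aci'] = acistrs` before `ldap.update_entry(base_entry)` makes the write independent of that detail. The method also has no docstring; it should say that it removes the global "Enable Anonymous access" ACI from the base entry and must run only after the managed permissions that replace it have been written, which is exactly what the call order in `execute` (last hunk) relies on. Unlike the removed plugin, failures from `update_entry` now propagate instead of being logged and swallowed; that is arguably the better behaviour, but a one-line comment stating it is intentional would keep it from being "fixed" later. The enclosing class `update_managed_permissions` continues outside the hunk.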