authorSimo Sorce <simo@redhat.com>2016-07-25 06:46:24 -0400
committerSimo Sorce <simo@redhat.com>2016-07-25 08:37:17 -0400
commit26afe94cea65ba50041592cf31f97b9e0502aeb0 (patch)
tree43c80e4268681b29c97c408bf4dc28599cca0f86
parentab4fcb0fe25e313c93caae3b90f68b4010a9f2eb (diff)
Restrict the old setkeytab operationsetkeytab
Allow it only to set computer keys by default. This exists only to allow older hosts to join a newer IPA Server. All other principals are denied access to the setkeytab operation by default. Ticket: https://fedorahosted.org/freeipa/ticket/232 Signed-off-by: Simo Sorce <simo@redhat.com>
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c13
-rw-r--r--install/updates/20-aci.update5
2 files changed, 17 insertions, 1 deletions
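--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -1171,6 +1171,8 @@ done:
 return rc;
 }
+#define SETKEYS_OP_CHECK "ipaProtectedOperation;set_keys"
+
 /* Password Modify Extended operation plugin function */
 static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
 {
@@ -1238,15 +1240,24 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
 goto free_and_return;
 }
- /* Accesseck strategy:
+ /* Access check strategy:
 * If the user has WRITE access, a new keytab can be set on the entry.
 * If not, then we fail immediately with insufficient access. This
 * means that we don't leak any useful information to the client such
 * as current password wrong, etc.
+ *
+ * In addition to the historic check, we now also check if the setkeytab
+ * operation is allowed at all.
 */
 allowed_access = is_allowed_to_access_attr(pb, bindDN, targetEntry,
 "krbPrincipalKey", NULL,
 SLAPI_ACL_WRITE);
+ if (allowed_access) {
+ /* check if we are allowed to *set* keys */
+ allowed_access = is_allowed_to_access_attr(pb, bindDN, targetEntry,
+ SETKEYS_OP_CHECK, NULL,
+ SLAPI_ACL_WRITE);
+ }
 if (!allowed_access) {
 LOG_FATAL("Access not allowed to set keytab on [%s]!\n",
 serviceName);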
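Review bot: When the second is_allowed_to_access_attr() call on SETKEYS_OP_CHECK denies, the failure falls through to the same `LOG_FATAL("Access not allowed to set keytab on [%s]!")` as a failed krbPrincipalKey write check, so an operator reading the server log cannot tell whether an older host was rejected by the historic ACL or by the new set_keys restriction this commit introduces. Keeping the client-visible error identical is right (the comment block's no-leak rationale), but a server-side distinction helps triage once this lands; inside the new `if (allowed_access)` block, after the second check, add `if (!allowed_access) LOG_FATAL("setkeytab operation not permitted on [%s]\n", serviceName);`. The updated comment should also state that an entry not covered by any ACI granting write on ipaProtectedOperation;set_keys is presumably denied, i.e. the check fails closed on a server where the 20-aci.update change has not been applied. The SETKEYS_OP_CHECK define would read better with a one-line comment that it names a virtual attribute subtype matched only by ACI targetattr, like the write_keys subtype already used in 20-aci.update, rather than a real entry attribute. ipapwd_setkeytab's body starts in the first hunk and continues outside both hunks.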
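--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -114,6 +114,11 @@ add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entit
 add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Admins are allowed to rekey any entity"; allow(write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
 add:aci: (targetfilter="(|(objectclass=ipaHost)(objectclass=ipaService))")(targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey managed entries"; allow(write) userattr="managedby#USERDN";)
+# Set Keytab operation Access Control - legacy interface for host joins
+dn: cn=computers,cn=accounts,$SUFFIX
+add:aci: (targetattr="ipaProtectedOperation;set_keys")(version 3.0; acl "Installers are allowed to set host keytabs"; allow(write) userattr="managedby#USERDN";)
+add:aci: (targetattr="ipaProtectedOperation;set_keys")(version 3.0; acl "Admins are allowed to set host keytabs"; allow(write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
+
 # User certificates
 dn: $SUFFIX
 add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";)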
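Review bot: The new "Installers are allowed to set host keytabs" ACI grants `managedby#USERDN` write on ipaProtectedOperation;set_keys without the `(targetfilter=...)` clause that the sibling write_keys ACI immediately above it uses to pin the grant to ipaHost/ipaService entries. Placing it under cn=computers,cn=accounts,$SUFFIX does confine it to the hosts container, but a targetfilter makes the intent explicit in the ACI itself and keeps the grant from covering any non-host entry that ends up in that subtree; suggested: `add:aci: (targetfilter="(objectclass=ipaHost)")(targetattr="ipaProtectedOperation;set_keys")(version 3.0; acl "Installers are allowed to set host keytabs"; allow(write) userattr="managedby#USERDN";)`. The comment line could also record that, if this is indeed the only place set_keys is granted, services and users remain denied by default, which is the behaviour the commit message describes.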