diff options
| author | Simo Sorce <simo@redhat.com> | 2016-07-25 06:46:24 -0400 |
|---|---|---|
| committer | Simo Sorce <simo@redhat.com> | 2016-07-25 08:37:17 -0400 |
| commit | 26afe94cea65ba50041592cf31f97b9e0502aeb0 (patch) | |
| tree | 43c80e4268681b29c97c408bf4dc28599cca0f86 /daemons/ipa-slapi-plugins | |
| parent | ab4fcb0fe25e313c93caae3b90f68b4010a9f2eb (diff) | |
| download | freeipa-setkeytab.tar.gz freeipa-setkeytab.tar.xz freeipa-setkeytab.zip | |
Restrict the old setkeytab operationsetkeytab
Allow it only to set computers keys by default. This is to allow older hosts
to join a newer IPA Server only. All other principals are denied access to
the setkeytab operation by default.
Ticket: https://fedorahosted.org/freeipa/ticket/232
Signed-off-by: Simo Sorce <simo@redhat.com>
Diffstat (limited to 'daemons/ipa-slapi-plugins')
| -rw-r--r-- | daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index 3c2c44f61..48880cdb7 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -1171,6 +1171,8 @@ done: return rc; } +#define SETKEYS_OP_CHECK "ipaProtectedOperation;set_keys" + /* Password Modify Extended operation plugin function */ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) { @@ -1238,15 +1240,24 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) goto free_and_return; } - /* Accesseck strategy: + /* Access check strategy: * If the user has WRITE access, a new keytab can be set on the entry. * If not, then we fail immediately with insufficient access. This * means that we don't leak any useful information to the client such * as current password wrong, etc. + * + * In addition to the historic check, we now also check if the setkeytab + * operation is allowed at all. */ allowed_access = is_allowed_to_access_attr(pb, bindDN, targetEntry, "krbPrincipalKey", NULL, SLAPI_ACL_WRITE); + if (allowed_access) { + /* check if we are allowed to *set* keys */ + allowed_access = is_allowed_to_access_attr(pb, bindDN, targetEntry, + SETKEYS_OP_CHECK, NULL, + SLAPI_ACL_WRITE); + } if (!allowed_access) { LOG_FATAL("Access not allowed to set keytab on [%s]!\n", serviceName); |