summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPetr Viktorin <pviktori@redhat.com>2014-04-29 21:46:26 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-05-26 12:14:55 +0200
commit193ced0bd7a9a26e7b25f08b023ee21302acaac7 (patch)
tree994ad23b37d49ab451f65c52a54e71901cc3aedc
parent63becae88c6c270b98f0432dc474b661b82f3119 (diff)
downloadfreeipa-193ced0bd7a9a26e7b25f08b023ee21302acaac7.zip
freeipa-193ced0bd7a9a26e7b25f08b023ee21302acaac7.tar.gz
freeipa-193ced0bd7a9a26e7b25f08b023ee21302acaac7.tar.xz
Remove the global anonymous read ACI
Also remove - the deny ACIs that implemented exceptions to it: - no anonymous access to roles - no anonymous access to member information - no anonymous access to hbac - no anonymous access to sudo (2×) - its updater plugin Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
-rw-r--r--install/share/default-aci.ldif13
-rw-r--r--install/share/delegation.ldif5
-rw-r--r--install/updates/20-aci.update11
-rw-r--r--install/updates/60-trusts.update1
-rw-r--r--ipaserver/install/plugins/update_anonymous_aci.py96
-rw-r--r--ipaserver/install/plugins/update_managed_permissions.py19
6 files changed, 30 insertions, 115 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index 480facf..04fc185 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -3,10 +3,7 @@
dn: $SUFFIX
changetype: modify
add: aci
-aci: (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenHOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
-aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)
aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)
-aci: (targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,$SUFFIX")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)
dn: $SUFFIX
changetype: modify
@@ -65,16 +62,6 @@ changetype: modify
add: aci
aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Admins can manage host keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
-dn: cn=hbac,$SUFFIX
-changetype: modify
-add: aci
-aci: (targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny (read,search,compare) userdn != "ldap:///all";)
-
-dn: cn=sudo,$SUFFIX
-changetype: modify
-add: aci
-aci: (targetattr = "*")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)
-
# This is used for the host/service one-time passwordn and keytab indirectors.
# We can do a query on a DN to see if an attribute exists.
dn: cn=accounts,$SUFFIX
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 7bd4e1e..43d1397 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -580,11 +580,6 @@ aci: (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=se
dn: $SUFFIX
changetype: modify
add: aci
-aci: (targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)
-
-dn: $SUFFIX
-changetype: modify
-add: aci
aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX";)
aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX";)
aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,$SUFFIX";)
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index f31c201..34cba4c 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -51,3 +51,14 @@ add:aci:'(targetattr="ipaUniqueId || memberOf || enrolledBy || krbExtraData || k
dn: cn=config
# Replaced by 'System: Read Replication Agreements'
remove:aci: '(targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)'
+
+dn: $SUFFIX
+remove:aci: '(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)'
+remove:aci: '(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)'
+remove:aci: '(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,$SUFFIX")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)'
+
+dn: cn=hbac,$SUFFIX
+remove:aci: '(targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny (read,search,compare) userdn != "ldap:///all";)'
+
+dn: cn=sudo,$SUFFIX
+remove:aci: '(targetattr = "*")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)'
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index 77c2104..371bf65 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
@@ -34,7 +34,6 @@ add:aci: '(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType ||
dn: $SUFFIX
add:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
remove:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
-replace:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)::(target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)'
# Add the default PAC type to configuration
dn: cn=ipaConfig,cn=etc,$SUFFIX
diff --git a/ipaserver/install/plugins/update_anonymous_aci.py b/ipaserver/install/plugins/update_anonymous_aci.py
deleted file mode 100644
index 943b245..0000000
--- a/ipaserver/install/plugins/update_anonymous_aci.py
+++ /dev/null
@@ -1,96 +0,0 @@
-# Authors:
-# Rob Crittenden <rcritten@redhat.com>
-#
-# Copyright (C) 2013 Red Hat
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-from copy import deepcopy
-from ipaserver.install.plugins import FIRST, LAST
-from ipaserver.install.plugins.baseupdate import PostUpdate
-from ipalib import api, errors
-from ipalib.aci import ACI
-from ipalib.plugins import aci
-from ipapython.ipa_log_manager import *
-
-class update_anonymous_aci(PostUpdate):
- """
- Update the Anonymous ACI to ensure that all secrets are protected.
- """
- order = FIRST
-
- def execute(self, **options):
- aciname = u'Enable Anonymous access'
- aciprefix = u'none'
- ldap = self.obj.backend
- targetfilter = '(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenHOTP))(!(objectClass=ipatokenRadiusConfiguration)))'
- filter = None
-
- entry_attrs = ldap.get_entry(api.env.basedn, ['aci'])
-
- acistrs = entry_attrs.get('aci', [])
- acilist = aci._convert_strings_to_acis(entry_attrs.get('aci', []))
- try:
- rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname)
- except errors.NotFound:
- root_logger.error('Anonymous ACI not found, cannot update it')
- return False, False, []
-
- attrs = rawaci.target['targetattr']['expression']
- rawfilter = rawaci.target.get('targetfilter', None)
- if rawfilter is not None:
- filter = rawfilter['expression']
-
- update_attrs = deepcopy(attrs)
-
- needed_attrs = []
- for attr in ('ipaNTTrustAuthOutgoing', 'ipaNTTrustAuthIncoming'):
- if attr not in attrs:
- needed_attrs.append(attr)
-
- update_attrs.extend(needed_attrs)
- if (len(attrs) == len(update_attrs) and
- filter == targetfilter):
- root_logger.debug("Anonymous ACI already update-to-date")
- return (False, False, [])
-
- for tmpaci in acistrs:
- candidate = ACI(tmpaci)
- if rawaci.isequal(candidate):
- acistrs.remove(tmpaci)
- break
-
- if len(attrs) != len(update_attrs):
- root_logger.debug("New Anonymous ACI attributes needed: %s",
- needed_attrs)
-
- rawaci.target['targetattr']['expression'] = update_attrs
-
- if filter != targetfilter:
- root_logger.debug("New Anonymous ACI targetfilter needed.")
-
- rawaci.set_target_filter(targetfilter)
-
- acistrs.append(unicode(rawaci))
- entry_attrs['aci'] = acistrs
-
- try:
- ldap.update_entry(entry_attrs)
- except Exception, e:
- root_logger.error("Failed to update Anonymous ACI: %s" % e)
-
- return (False, False, [])
-
-api.register(update_anonymous_aci)
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 72c1b13..c9994c7 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -81,6 +81,7 @@ from ipapython.dn import DN
from ipalib.plugable import Registry
from ipalib.plugins import aci
from ipalib.plugins.permission import permission
+from ipalib.aci import ACI
from ipaserver.plugins.ldap2 import ldap2
from ipaserver.install.plugins import LAST
from ipaserver.install.plugins.baseupdate import PostUpdate
@@ -250,6 +251,21 @@ class update_managed_permissions(PostUpdate):
except errors.NotFound:
return None
+ def remove_anonymous_read_aci(self, ldap, anonymous_read_aci):
+ base_entry = ldap.get_entry(self.api.env.basedn, ['aci'])
+
+ acistrs = base_entry.get('aci', [])
+
+ for acistr in acistrs:
+ if ACI(acistr).isequal(anonymous_read_aci):
+ self.log.info('Removing anonymous ACI: %s', acistr)
+ acistrs.remove(acistr)
+ break
+ else:
+ return
+
+ ldap.update_entry(base_entry)
+
def execute(self, **options):
ldap = self.api.Backend[ldap2]
@@ -276,6 +292,9 @@ class update_managed_permissions(PostUpdate):
self.update_permission(ldap, None, unicode(name), template,
anonymous_read_aci)
+ if anonymous_read_aci:
+ self.remove_anonymous_read_aci(ldap, anonymous_read_aci)
+
return False, False, ()
def update_permission(self, ldap, obj, name, template, anonymous_read_aci):