Remove the global anonymous read ACI

Also remove
- the deny ACIs that implemented exceptions to it:
  - no anonymous access to roles
  - no anonymous access to member information
  - no anonymous access to hbac
  - no anonymous access to sudo (2×)
- its updater plugin

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Petr Viktorin 2014-04-29 21:46:26 +02:00
parent 63becae88c
commit 193ced0bd7
6 changed files with 30 additions and 115 deletions


@ -3,10 +3,7 @@
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenHOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)
aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)
aci: (targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,$SUFFIX")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)
dn: $SUFFIX
changetype: modify
@ -65,16 +62,6 @@ changetype: modify
add: aci
aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Admins can manage host keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
dn: cn=hbac,$SUFFIX
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny (read,search,compare) userdn != "ldap:///all";)
dn: cn=sudo,$SUFFIX
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)
# This is used for the host/service one-time passwordn and keytab indirectors.
# We can do a query on a DN to see if an attribute exists.
dn: cn=accounts,$SUFFIX


@ -577,11 +577,6 @@ aci: (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=se
# Delegation administration
dn: $SUFFIX
changetype: modify
add: aci
aci: (targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)
dn: $SUFFIX
changetype: modify
add: aci


@ -51,3 +51,14 @@ add:aci:'(targetattr="ipaUniqueId || memberOf || enrolledBy || krbExtraData || k
dn: cn=config
# Replaced by 'System: Read Replication Agreements'
remove:aci: '(targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)'
dn: $SUFFIX
remove:aci: '(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)'
remove:aci: '(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)'
remove:aci: '(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,$SUFFIX")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)'
dn: cn=hbac,$SUFFIX
remove:aci: '(targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny (read,search,compare) userdn != "ldap:///all";)'
dn: cn=sudo,$SUFFIX
remove:aci: '(targetattr = "*")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";)'
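Review bot: The five `remove:aci:` lines here drop the deny exceptions (roles, member information, sudo, hbac) by themselves, while the allow ACI they were exceptions to, "Enable Anonymous access", is removed separately by the update_managed_permissions plugin in the Python updater. If this .update file is applied before that PostUpdate plugin runs, as the base class name suggests, there is a window in which the broad anonymous allow is still present but its deny exceptions are already gone, and if the plugin then fails or finds no matching ACI, that widened anonymous read access persists rather than being rolled back. It would be safer to remove these deny ACIs from the same code path that removes the allow ACI, after `remove_anonymous_read_aci` has succeeded, or at least to record the dependency in a comment above `dn: $SUFFIX`, e.g. `# These deny ACIs only matter while 'Enable Anonymous access' exists; that ACI is removed by update_managed_permissions`. The enclosing update block starts outside the hunk.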


@ -34,7 +34,6 @@ add:aci: '(target = "ldap:///cn=trusts,$SUFFIX")(targetattr = "ipaNTTrustType ||
dn: $SUFFIX
add:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
remove:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
replace:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)::(target != "ldap:///idnsname=*,cn=dns,$SUFFIX")(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)'
# Add the default PAC type to configuration
dn: cn=ipaConfig,cn=etc,$SUFFIX


@ -1,96 +0,0 @@
# Authors:
# Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2013 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from copy import deepcopy
from ipaserver.install.plugins import FIRST, LAST
from ipaserver.install.plugins.baseupdate import PostUpdate
from ipalib import api, errors
from ipalib.aci import ACI
from ipalib.plugins import aci
from ipapython.ipa_log_manager import *
class update_anonymous_aci(PostUpdate):
"""
Update the Anonymous ACI to ensure that all secrets are protected.
"""
order = FIRST
def execute(self, **options):
aciname = u'Enable Anonymous access'
aciprefix = u'none'
ldap = self.obj.backend
targetfilter = '(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenHOTP))(!(objectClass=ipatokenRadiusConfiguration)))'
filter = None
entry_attrs = ldap.get_entry(api.env.basedn, ['aci'])
acistrs = entry_attrs.get('aci', [])
acilist = aci._convert_strings_to_acis(entry_attrs.get('aci', []))
try:
rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname)
except errors.NotFound:
root_logger.error('Anonymous ACI not found, cannot update it')
return False, False, []
attrs = rawaci.target['targetattr']['expression']
rawfilter = rawaci.target.get('targetfilter', None)
if rawfilter is not None:
filter = rawfilter['expression']
update_attrs = deepcopy(attrs)
needed_attrs = []
for attr in ('ipaNTTrustAuthOutgoing', 'ipaNTTrustAuthIncoming'):
if attr not in attrs:
needed_attrs.append(attr)
update_attrs.extend(needed_attrs)
if (len(attrs) == len(update_attrs) and
filter == targetfilter):
root_logger.debug("Anonymous ACI already update-to-date")
return (False, False, [])
for tmpaci in acistrs:
candidate = ACI(tmpaci)
if rawaci.isequal(candidate):
acistrs.remove(tmpaci)
break
if len(attrs) != len(update_attrs):
root_logger.debug("New Anonymous ACI attributes needed: %s",
needed_attrs)
rawaci.target['targetattr']['expression'] = update_attrs
if filter != targetfilter:
root_logger.debug("New Anonymous ACI targetfilter needed.")
rawaci.set_target_filter(targetfilter)
acistrs.append(unicode(rawaci))
entry_attrs['aci'] = acistrs
try:
ldap.update_entry(entry_attrs)
except Exception, e:
root_logger.error("Failed to update Anonymous ACI: %s" % e)
return (False, False, [])
api.register(update_anonymous_aci)


@ -81,6 +81,7 @@ from ipapython.dn import DN
from ipalib.plugable import Registry
from ipalib.plugins import aci
from ipalib.plugins.permission import permission
from ipalib.aci import ACI
from ipaserver.plugins.ldap2 import ldap2
from ipaserver.install.plugins import LAST
from ipaserver.install.plugins.baseupdate import PostUpdate
@ -250,6 +251,21 @@ class update_managed_permissions(PostUpdate):
except errors.NotFound:
return None
def remove_anonymous_read_aci(self, ldap, anonymous_read_aci):
base_entry = ldap.get_entry(self.api.env.basedn, ['aci'])
acistrs = base_entry.get('aci', [])
for acistr in acistrs:
if ACI(acistr).isequal(anonymous_read_aci):
self.log.info('Removing anonymous ACI: %s', acistr)
acistrs.remove(acistr)
break
else:
return
ldap.update_entry(base_entry)
def execute(self, **options):
ldap = self.api.Backend[ldap2]
@ -276,6 +292,9 @@ class update_managed_permissions(PostUpdate):
self.update_permission(ldap, None, unicode(name), template,
anonymous_read_aci)
if anonymous_read_aci:
self.remove_anonymous_read_aci(ldap, anonymous_read_aci)
return False, False, ()
def update_permission(self, ldap, obj, name, template, anonymous_read_aci):
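Review bot: `remove_anonymous_read_aci` has no docstring and its `for … else: return` shape is easy to misread; the method removes at most the first ACI on the base entry for which `ACI(acistr).isequal(anonymous_read_aci)` holds and writes the entry back only when one was found. A docstring such as `"""Remove the legacy anonymous read ACI from the base entry if present; only the first ACI equal to anonymous_read_aci is removed."""` would state that contract. In `execute`, the removal is placed after the loop that installs the managed permissions, so the replacement read permissions exist before the global allow is dropped; a comment above the `if anonymous_read_aci:` line, e.g. `# Drop the global anonymous read ACI only after its managed replacements are in place`, would keep a later refactor from reordering it. The loop also raises if a stored ACI string does not parse in `ACI(acistr)`, aborting before `update_entry` — presumably acceptable, since the deleted update_anonymous_aci plugin parsed every ACI the same way, but worth a comment. Both the class and `execute` continue outside the hunk.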