freeipa/doc/designs
Julien Rische f77c0a573c
kdb: fix vulnerability in GCD rules handling
The initial implementation of MS-SFU by MIT Kerberos was missing a
condition for granting the "forwardable" flag on S4U2Self tickets.
Fixing this mistake required adding a special case for the
check_allowed_to_delegate() function: if the target service argument is
NULL, then it means the KDC is probing for general constrained
delegation rules, not actually checking a specific S4U2Proxy request.

In commit e86807b5, the behavior of ipadb_match_acl() was modified to
match the changes from upstream MIT Kerberos a441fbe3. However, a
mistake resulted in this mechanism applying in cases where the target
service argument is set AND unset. This results in S4U2Proxy requests
being accepted regardless of whether there is a matching service
delegation rule or not.

This vulnerability does not affect services having RBCD (resource-based
constrained delegation) rules.

This fixes CVE-2024-2698

Signed-off-by: Julien Rische <jrische@redhat.com>
2024-06-10 12:46:05 +02:00
| File | Last commit | Date |
|---|---|---|
| adtrust | Design: Integrate SID configuration into base IPA installers | 2021-10-28 16:22:26 -04:00 |
| external-idp | docs: add security section to idp | 2022-11-16 14:44:13 -05:00 |
| audit-ipa-api.md | frontend: add systemd journal audit of executed API commands | 2024-05-22 17:06:23 -04:00 |
| client-install-pkinit.md | Add PKINIT support to ipa-client-install | 2022-11-16 14:32:05 +02:00 |
| disable-stale-users.md | DSU: add Design for Disable Stale Users | 2019-11-23 00:12:24 +01:00 |
| expired_certificate_pruning.md | doc: Update pruning design with implement enable/disable options | 2023-02-20 10:43:17 +01:00 |
| expiring-password-notification.md | IPA-EPN: Add design draft | 2020-04-28 09:32:19 -04:00 |
| extdom-plugin-protocol.md | extdom: add extdom protocol documentation | 2019-09-12 10:48:13 +03:00 |
| hidden-replicas.md | Add explicit syntax language to code blocks | 2020-03-21 07:42:20 +02:00 |
| hsm.md | docs: Add a section on SELinux modules to the HSM design | 2024-05-16 08:46:32 -04:00 |
| id-mapping.md | doc/designs/id-mapping.md: expand on ID range allocation details | 2024-01-30 10:11:47 -05:00 |
| index.rst | frontend: add systemd journal audit of executed API commands | 2024-05-22 17:06:23 -04:00 |
| ipa_to_ipa_migration.md | Issue 9568 - Update IPA to IPA migration design doc | 2024-04-04 17:25:04 -04:00 |
| krb-ticket-policy.md | doc/designs: add External IdP support design documents | 2022-05-10 15:52:41 +03:00 |
| ldap_grace_period.md | doc: Update LDAP grace period design with default values | 2022-08-18 17:51:20 -04:00 |
| ldap_pam_passthrough.md | Design doc to allow LDAP bind using the RADIUS auth type | 2021-06-11 09:23:56 -04:00 |
| ldapi-autobind-services.md | doc/designs: fix formatting in LDAPI autobind design | 2021-11-02 15:38:05 +02:00 |
| libpwquality.md | Requirements and design for libpwquality integration | 2020-10-23 09:32:52 -04:00 |
| membermanager.md | Add explicit syntax language to code blocks | 2020-03-21 07:42:20 +02:00 |
| passkeys.md | Passkey design: add second sssd design page | 2023-06-01 08:20:37 +02:00 |
| prci_checker.md | doc: Use case examples for PR-CI checker tool | 2023-02-18 09:02:27 +01:00 |
| random-serial-numbers.md | doc/designs: add Random Serial Numbers v3 support | 2022-06-09 08:35:15 +02:00 |
| rbcd.md | kdb: fix vulnerability in GCD rules handling | 2024-06-10 12:46:05 +02:00 |
| subordinate-ids.md | Update subordinate design doc | 2022-06-10 14:50:07 +02:00 |
| template.md | Doc: add a design template | 2021-09-14 14:58:33 -04:00 |