On 03/31/2014 02:59 PM, Petr Spacek wrote:
Hello list,
thread "[Freeipa-devel] Read access to container entries" reminds me
an idea I have in mind for a while:
We could check effective ACIs [1] for interesting objects (Kerberos
master key, trust objects etc.) and make sure that there is nothing
like 'read by anonymous' etc.
Method [1] has one important limitation: It checks ACI in given
sub-tree against one specified DN.
Realization of my idea would be better with a "reverse" approach:
Specify DN of a single object as "target" and get list of all users
with non-null access rights for the object in question. (This could be
refined with filter for specific rights so we can get "list of DNs
allowed to write to this object" etc.)
Does it make sense?
yes, I think it would be a "nice to have" feature, but ...
I think it will be quit ecomplex to implement and you could get very
large result sets, eg all users.
In geteffectiverigths you more or less do the normal aci evaluation for
a given bind dn, but in your request you ask for all dns which could
match teh bind rules and this could be complicated in case of bind rules
depneding on attributes of the entry and the bind rule eg in a userattr
rule, so you would have to look at every entyr and check if the userattr
matches. In rules with groupdns we need to find all direct or indirect
group members and for macro acis the expansion to all dns matchng the
macro could also get complicated
[1]
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Viewing_the_ACIs_for_an_Entry-Get_Effective_Rights_Control.html
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel