On 05/16/2014 02:00 PM, Martin Kosek wrote:
On 04/29/2014 11:02 PM, Petr Viktorin wrote:
I didn't test this as much as I'd like to, but it might come in handy when
testing my earlier patches.

The ACI is removed in the managed permissions plugin because I want to make
sure it's done after all the managed permission updates, which query it.

It worked in my case (I tested upgrade from 3.3.5). What do we do about other
permissions we will want to remove? I am talking about the following ACIs:

- no anonymous access to roles
- no anonymous access to sudo
- no anonymous access to hbac
- no anonymous access to member information

I would like to remove them in 544 as well, as otherwise they would bias the
testing.

Right. Here is the updated patch.


--
Petr³
From 316605f6aa5f487b2845bc3abc3d9e029b60bd0a Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Tue, 29 Apr 2014 21:46:26 +0200
Subject: [PATCH] Remove the global anonymous read ACI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Also remove
- the deny ACIs that implemented exceptions to it:
  - no anonymous access to roles
  - no anonymous access to member information
  - no anonymous access to hbac
  - no anonymous access to sudo (2×)
- its updater plugin

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 install/share/default-aci.ldif                     | 13 ---
 install/share/delegation.ldif                      |  5 --
 install/updates/20-aci.update                      | 13 +++
 install/updates/60-trusts.update                   |  1 -
 ipaserver/install/plugins/update_anonymous_aci.py  | 96 ----------------------
 .../install/plugins/update_managed_permissions.py  | 19 +++++
 6 files changed, 32 insertions(+), 115 deletions(-)
 delete mode 100644 ipaserver/install/plugins/update_anonymous_aci.py

diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index 480facf3294c593c6a2bcf326e20c32157d6d3c6..04fc185f785ee71246c6cc4f958c754158f16302 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -3,10 +3,7 @@
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenHOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,$SUFFIX";)(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";;)
-aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";;)
 aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";;)
-aci: (targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,$SUFFIX";)(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";;)
 
 dn: $SUFFIX
 changetype: modify
@@ -65,16 +62,6 @@ dn: cn=computers,cn=accounts,$SUFFIX
 add: aci
 aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "Admins can manage host keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)
 
-dn: cn=hbac,$SUFFIX
-changetype: modify
-add: aci
-aci: (targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny (read,search,compare) userdn != "ldap:///all";;)
-
-dn: cn=sudo,$SUFFIX
-changetype: modify
-add: aci
-aci: (targetattr = "*")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";;)
-
 # This is used for the host/service one-time passwordn and keytab indirectors.
 # We can do a query on a DN to see if an attribute exists.
 dn: cn=accounts,$SUFFIX
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 7bd4e1e2d93b1dde4122ad1bfbe889625d983544..43d13974ffd63ea6ee554c815b911715609149b8 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -580,11 +580,6 @@ dn: $SUFFIX
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX";)(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";;)
-
-dn: $SUFFIX
-changetype: modify
-add: aci
 aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX";)
 aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX";)
 aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX";)(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,$SUFFIX";)
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index d9dcad2e572ab72ff793c41a4300562caead6c77..6874c036fcd2978b5870b955e2af1dff433d0d40 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -46,3 +46,16 @@ dn: $SUFFIX
 add:aci:'(targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength")(version 3.0;acl "Admins can write password policies"; allow (read, search, compare, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)'
 # Read-only
 add:aci:'(targetattr="ipaUniqueId || memberOf || enrolledBy || krbExtraData || krbPrincipalName || krbCanonicalName || krbPasswordExpiration || krbLastPwdChange || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount")(version 3.0; acl "Admin read-only attributes"; allow (read, search, compare) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)'
+
+
+# Removal of obsolete ACIs
+dn: $SUFFIX
+remove:aci: '(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";;)'
+remove:aci: '(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";;)'
+remove:aci: '(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com";)(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";;)'
+
+dn: cn=hbac,$SUFFIX
+remove:aci: '(targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny (read,search,compare) userdn != "ldap:///all";;)'
+
+dn: cn=sudo,$SUFFIX
+remove:aci: '(targetattr = "*")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";;)'
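Review bot: The first and third `remove:aci:` lines under `dn: $SUFFIX` (the "No anonymous access to roles" and "No anonymous access to sudo" entries) hard-code a concrete base DN, `dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com`, where every other ACI in this file and the definitions being deleted from default-aci.ldif and delegation.ldif use `$SUFFIX`. If the updater matches the ACI string as it appears here, those two removals will not match on any deployment with a different suffix, so the obsolete deny ACIs silently remain in the base entry while the update reports nothing. The target clauses should read `(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX";)` and `(target = "ldap:///cn=*,ou=SUDOers,$SUFFIX";)`, matching the strings they are meant to remove.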
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index 77c2104ffa62462634438f7b729cdfd71cd27eb3..371bf656fcdea6b7ec54aeb42c5afd25ef1b90f9 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
@@ -34,7 +34,6 @@ dn: cn=trusts,$SUFFIX
 dn: $SUFFIX
 add:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
 remove:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
-replace:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";;)::(target != "ldap:///idnsname=*,cn=dns,$SUFFIX";)(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";;)'
 
 # Add the default PAC type to configuration
 dn: cn=ipaConfig,cn=etc,$SUFFIX
diff --git a/ipaserver/install/plugins/update_anonymous_aci.py b/ipaserver/install/plugins/update_anonymous_aci.py
deleted file mode 100644
index 943b2457774c964fa66d97496bb66ef1f4e80f1c..0000000000000000000000000000000000000000
--- a/ipaserver/install/plugins/update_anonymous_aci.py
+++ /dev/null
@@ -1,96 +0,0 @@
-# Authors:
-#   Rob Crittenden <rcrit...@redhat.com>
-#
-# Copyright (C) 2013  Red Hat
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-from copy import deepcopy
-from ipaserver.install.plugins import FIRST, LAST
-from ipaserver.install.plugins.baseupdate import PostUpdate
-from ipalib import api, errors
-from ipalib.aci import ACI
-from ipalib.plugins import aci
-from ipapython.ipa_log_manager import *
-
-class update_anonymous_aci(PostUpdate):
-    """
-    Update the Anonymous ACI to ensure that all secrets are protected.
-    """
-    order = FIRST
-
-    def execute(self, **options):
-        aciname = u'Enable Anonymous access'
-        aciprefix = u'none'
-        ldap = self.obj.backend
-        targetfilter = '(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenHOTP))(!(objectClass=ipatokenRadiusConfiguration)))'
-        filter = None
-
-        entry_attrs = ldap.get_entry(api.env.basedn, ['aci'])
-
-        acistrs = entry_attrs.get('aci', [])
-        acilist = aci._convert_strings_to_acis(entry_attrs.get('aci', []))
-        try:
-            rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname)
-        except errors.NotFound:
-            root_logger.error('Anonymous ACI not found, cannot update it')
-            return False, False, []
-
-        attrs = rawaci.target['targetattr']['expression']
-        rawfilter = rawaci.target.get('targetfilter', None)
-        if rawfilter is not None:
-            filter = rawfilter['expression']
-
-        update_attrs = deepcopy(attrs)
-
-        needed_attrs = []
-        for attr in ('ipaNTTrustAuthOutgoing', 'ipaNTTrustAuthIncoming'):
-            if attr not in attrs:
-                needed_attrs.append(attr)
-
-        update_attrs.extend(needed_attrs)
-        if (len(attrs) == len(update_attrs) and
-            filter == targetfilter):
-            root_logger.debug("Anonymous ACI already update-to-date")
-            return (False, False, [])
-
-        for tmpaci in acistrs:
-            candidate = ACI(tmpaci)
-            if rawaci.isequal(candidate):
-                acistrs.remove(tmpaci)
-                break
-
-        if len(attrs) != len(update_attrs):
-            root_logger.debug("New Anonymous ACI attributes needed: %s",
-                needed_attrs)
-
-            rawaci.target['targetattr']['expression'] = update_attrs
-
-        if filter != targetfilter:
-            root_logger.debug("New Anonymous ACI targetfilter needed.")
-
-            rawaci.set_target_filter(targetfilter)
-
-        acistrs.append(unicode(rawaci))
-        entry_attrs['aci'] = acistrs
-
-        try:
-            ldap.update_entry(entry_attrs)
-        except Exception, e:
-            root_logger.error("Failed to update Anonymous ACI: %s" % e)
-
-        return (False, False, [])
-
-api.register(update_anonymous_aci)
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 91686e1108303d19358886934c98926a8d57ed5c..1d48f866cdab9c50e304a474da50e4a3c5d9af41 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -81,6 +81,7 @@
 from ipalib.plugable import Registry
 from ipalib.plugins import aci
 from ipalib.plugins.permission import permission
+from ipalib.aci import ACI
 from ipaserver.plugins.ldap2 import ldap2
 from ipaserver.install.plugins import LAST
 from ipaserver.install.plugins.baseupdate import PostUpdate
@@ -189,6 +190,21 @@ def get_anonymous_read_aci(self, ldap):
         except errors.NotFound:
             return None
 
+    def remove_anonymous_read_aci(self, ldap, anonymous_read_aci):
+        base_entry = ldap.get_entry(self.api.env.basedn, ['aci'])
+
+        acistrs = base_entry.get('aci', [])
+
+        for acistr in acistrs:
+            if ACI(acistr).isequal(anonymous_read_aci):
+                self.log.info('Removing anonymous ACI: %s', acistr)
+                acistrs.remove(acistr)
+                break
+        else:
+            return
+
+        ldap.update_entry(base_entry)
+
     def execute(self, **options):
         ldap = self.api.Backend[ldap2]
 
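Review bot: `remove_anonymous_read_aci` has no docstring, and its for/else with `acistrs.remove(acistr)` inside the loop over the same list is correct only because of the immediate `break`; it also relies on `base_entry.get('aci', [])` returning the entry's own list object, since the modified list is never assigned back. Finding the first matching string with `next(...)`, removing it outside the loop and assigning `base_entry['aci']` explicitly makes the method read straight through and removes both dependencies. Unlike the deleted update_anonymous_aci plugin, an `ldap.update_entry` failure here propagates rather than being logged; since this call is what actually withdraws anonymous read access, failing loudly seems right, and the docstring should state it. The enclosing class starts outside the hunk.
```python
    def remove_anonymous_read_aci(self, ldap, anonymous_read_aci):
        """Remove the global anonymous read ACI from the base entry.

        Runs after the managed permissions that replace it have been
        updated. A no-op when no equal ACI is present; LDAP errors from
        update_entry propagate to the caller.
        """
        base_entry = ldap.get_entry(self.api.env.basedn, ['aci'])
        acistrs = base_entry.get('aci', [])

        match = next((s for s in acistrs
                      if ACI(s).isequal(anonymous_read_aci)), None)
        if match is None:
            return

        self.log.info('Removing anonymous ACI: %s', match)
        acistrs.remove(match)
        base_entry['aci'] = acistrs
        ldap.update_entry(base_entry)
```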
@@ -215,6 +231,9 @@ def execute(self, **options):
             self.update_permission(ldap, None, unicode(name), template,
                                    anonymous_read_aci)
 
+        if anonymous_read_aci:
+            self.remove_anonymous_read_aci(ldap, anonymous_read_aci)
+
         return False, False, ()
 
     def update_permission(self, ldap, obj, name, template, anonymous_read_aci):
-- 
1.9.0
