On 06/19/2014 02:13 PM, Martin Kosek wrote:
On 06/19/2014 12:52 PM, Petr Viktorin wrote:
I'll address the other issues separately.

On 06/18/2014 05:46 PM, Martin Kosek wrote:
3) I hit one issue when I open the Web UI host tab, I get "Insufficient access:
No such virtual command" error triggered by "cert-show" command.

We will need to add the permission "System: Read Virtual Operations" that Honza
is creating also to "Host Administrators" to fix that part.

I'm not familiar with Honza's effort, but that seems right.
I'm curious, why don't we just allow reading virtual operations by anybody? It
seems to me they're the same in every IPA installation, what's there to hide?

They are indeed the same. This is an old (very old) means to check access when
ACI cannot be used. I admit it is a bit clumsy.

I agree that we should indeed allow reading the list of virtual operations as
the list can be retrieved from our git anyway. The virtual operations do not
even show the list of their members as permissions hold it, so it really should
not leak any sensitive information.

Anyway, I poked around in how it works now: for cert-show you need write access
to the objectClass of the "retrieve certificate" virt op entry. So with that
right you can actually remove the "ipaVirtualOperation" objectClass.
And the new "Anonymous read access to containers" ACI has a
(!(objectclass=ipaVirtualOperation)) filter, so any user privileged for a virt
op can allow everyone to see that virt op.
Shouldn't we base the check on some other attribute instead?

And curiously, for cert-find there is no virt op based access check.

I think we should eventually invent something better than current virtual
operations. For now (4.0), we should do something simple and straightforward.
The simplest thing to do is stick to the old behavior, i.e.:

1) Remove the (!(objectclass=ipaVirtualOperation)) part of the filter (should
improve performance, right?)
2) Remove the ipaVirtualOperation objectclass again from the virtual operations
as it would be useless after change 1)

Patch attached.

--
Petr³
From 0aaa4cb3e152b2a3c0b6728207d493075e786e4b Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Fri, 20 Jun 2014 16:21:35 +0200
Subject: [PATCH] Allow anonymous read access to virtual operation entries

These entries are the same in all IPA installations, so there's
no need to hide them.

Also remove the ipaVirtualOperation objectclass, since it is
no longer needed.
---
 install/share/60basev3.ldif          | 1 -
 install/updates/20-aci.update        | 2 +-
 install/updates/40-delegation.update | 6 ------
 3 files changed, 1 insertion(+), 8 deletions(-)

diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index 552045b63d9485ccd3685942b10c3f0e5b6105b6..8b92af247c742516c867a1f0666f4770cd4273d2 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -64,4 +64,3 @@ dn: cn=schema
 objectClasses: (2.16.840.1.113730.3.8.12.19 NAME 'ipaUserAuthTypeClass' SUP top AUXILIARY DESC 'Class for authentication methods definition' MAY ipaUserAuthType X-ORIGIN 'IPA v3')
 objectClasses: (2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY MUST ( uid ) MAY ( userClass ) X-ORIGIN 'IPA v3' )
 objectClasses: (2.16.840.1.113730.3.8.12.21 NAME 'ipaPermissionV2' DESC 'IPA Permission objectclass, version 2' SUP ipaPermission AUXILIARY MUST ( ipaPermBindRuleType $ ipaPermLocation ) MAY ( ipaPermDefaultAttr $ ipaPermIncludedAttr $ ipaPermExcludedAttr $ ipaPermRight $ ipaPermTargetFilter $ ipaPermTarget ) X-ORIGIN 'IPA v3' )
-objectClasses: (2.16.840.1.113730.3.8.12.23 NAME 'ipaVirtualOperation' DESC 'IPA Virtual operation objectclass' SUP top AUXILIARY MUST ( cn ) X-ORIGIN 'IPA v3' )
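Review bot: dropping the 'ipaVirtualOperation' objectClass definition from 60basev3.ldif only changes what a fresh install loads; nothing in the patch handles servers that already have this definition and entries carrying the objectClass, so either state in the commit message that the stale definition is harmless on upgrade or pair this with an explicit removal step. Also, OID 2.16.840.1.113730.3.8.12.23 is now retired and should not be reused for a future objectClass.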
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 42fca71f33cfa2e4f145ed2bfc6faf35d82ecc05..4eb5c737a9c794b01ca551228169fcf816a73eb3 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -23,7 +23,7 @@ dn: $SUFFIX
 
 # Read access to containers
 dn: $SUFFIX
-add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy))(!(objectclass=ipaVirtualOperation)))")(target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX";)(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";;)'
+add:aci:'(targetfilter="(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy)))")(target!="ldap:///cn=masters,cn=ipa,cn=etc,$SUFFIX";)(targetattr="objectclass || cn")(version 3.0; acl "Anonymous read access to containers"; allow(read, search, compare) userdn = "ldap:///anyone";;)'
 
 dn: cn=replicas,cn=ipa,cn=etc,$SUFFIX
 add:aci:'(targetfilter="(objectclass=nsContainer)")(version 3.0; acl "Deny read access to replica configuration"; deny(read, search, compare) userdn = "ldap:///anyone";;)'
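Review bot: the widened targetfilter on the "Anonymous read access to containers" ACI now covers the virtual operation entries, and since targetattr stays "objectclass || cn" only their names become anonymously readable, which matches the commit message. Please confirm that `add:aci:` with a changed value replaces the existing ACI of the same name on upgrade rather than leaving both; otherwise upgraded servers keep the old (!(objectclass=ipaVirtualOperation)) exclusion and the behaviour differs between fresh and upgraded installs.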
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index fdbed5ba5416cc5ada449801e049e050540730a1..7d65e9e19def78f33358eb38d124b6e54afcec77 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -279,37 +279,31 @@ dn: cn=config
 # Virtual operations
 
 dn: cn=retrieve certificate,cn=virtual operations,cn=etc,$SUFFIX
-add:objectClass: ipaVirtualOperation
 default:objectClass: top
 default:objectClass: nsContainer
 default:cn: retrieve certificate
 
 dn: cn=request certificate,cn=virtual operations,cn=etc,$SUFFIX
-add:objectClass: ipaVirtualOperation
 default:objectClass: top
 default:objectClass: nsContainer
 default:cn: request certificate
 
 dn: cn=request certificate different host,cn=virtual operations,cn=etc,$SUFFIX
-add:objectClass: ipaVirtualOperation
 default:objectClass: top
 default:objectClass: nsContainer
 default:cn: request certificate different host
 
 dn: cn=certificate status,cn=virtual operations,cn=etc,$SUFFIX
-add:objectClass: ipaVirtualOperation
 default:objectClass: top
 default:objectClass: nsContainer
 default:cn: certificate status
 
 dn: cn=revoke certificate,cn=virtual operations,cn=etc,$SUFFIX
-add:objectClass: ipaVirtualOperation
 default:objectClass: top
 default:objectClass: nsContainer
 default:cn: revoke certificate
 
 dn: cn=certificate remove hold,cn=virtual operations,cn=etc,$SUFFIX
-add:objectClass: ipaVirtualOperation
 default:objectClass: top
 default:objectClass: nsContainer
 default:cn: certificate remove hold
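Review bot: deleting the `add:objectClass: ipaVirtualOperation` lines only stops the objectClass from being added on new installs; entries on already-upgraded servers keep it. If the intent (per the commit message) is that the objectClass is gone, each of the six dn blocks needs an explicit `remove:objectClass: ipaVirtualOperation` so upgraded and fresh installs end up identical.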
-- 
1.9.3
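To make the effect of the ACI change concrete, here is an added example (not part of the patch or the FreeIPA tree) that evaluates the "Anonymous read access to containers" targetfilter before and after the patch against a few constructed entries; the suffix, the entry set and the simplified subtree handling of `target!=` are assumptions.

```python
# Added example, not from the patch or the FreeIPA tree: a minimal LDAP
# filter evaluator that compares which entries the "Anonymous read access
# to containers" targetfilter selects before and after the patch.
OLD_FILTER = ("(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy))"
              "(!(objectclass=ipaVirtualOperation)))")
NEW_FILTER = "(&(objectclass=nsContainer)(!(objectclass=krbPwdPolicy)))"
SUFFIX = "dc=example,dc=test"                           # constructed suffix
EXCLUDED_TARGET = "cn=masters,cn=ipa,cn=etc," + SUFFIX  # the ACI's target!=

# Constructed entries; attribute names lower-cased, values as sets.
ENTRIES = {
    "cn=retrieve certificate,cn=virtual operations,cn=etc," + SUFFIX:
        {"objectclass": {"top", "nsContainer", "ipaVirtualOperation"}},
    "cn=global_policy,cn=EXAMPLE.TEST,cn=kerberos," + SUFFIX:
        {"objectclass": {"top", "nsContainer", "krbPwdPolicy"}},
    "cn=masters,cn=ipa,cn=etc," + SUFFIX: {"objectclass": {"top", "nsContainer"}},
    "cn=accounts," + SUFFIX: {"objectclass": {"top", "nsContainer"}},
}

def parse(s, i=0):
    """Parse the filter at s[i] (must be '('); return (node, index after it)."""
    if s[i + 1] in "&|!":                  # compound: (&...), (|...), (!...)
        op, items, i = s[i + 1], [], i + 2
        while s[i] == "(":
            node, i = parse(s, i)
            items.append(node)
        return (op, items), i + 1          # skip the closing ')'
    j = s.index(")", i)                    # simple equality: (attr=value)
    attr, value = s[i + 1:j].split("=", 1)
    return ("=", (attr.lower(), value.lower())), j + 1

def matches(node, entry):
    """Evaluate a parsed filter; values compare case-insensitively."""
    op, arg = node
    if op == "=":
        return arg[1] in {v.lower() for v in entry.get(arg[0], ())}
    if op == "&":
        return all(matches(n, entry) for n in arg)
    if op == "|":
        return any(matches(n, entry) for n in arg)
    return not matches(arg[0], entry)      # "!"

def targeted_dns(filter_str, entries=ENTRIES, excluded=EXCLUDED_TARGET):
    """DNs the ACI applies to: filter matches and not at/under target!= DN."""
    node, _ = parse(filter_str)
    return sorted(dn for dn, e in entries.items() if matches(node, e)
                  and dn != excluded and not dn.endswith("," + excluded))

if __name__ == "__main__":
    print("before:", targeted_dns(OLD_FILTER), "after:", targeted_dns(NEW_FILTER))
```

With the old filter only cn=accounts is targeted; with the new one the virtual operation entry is added, while the krbPwdPolicy entry and the cn=masters subtree stay excluded.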

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
