On 09/04/2014 02:40 PM, Alexander Bokovoy wrote:
> On Wed, 03 Sep 2014, Martin Kosek wrote:
>> On 09/03/2014 03:15 PM, Petr Viktorin wrote:
>>> On 09/03/2014 02:27 PM, Petr Viktorin wrote:
>>>> On 09/03/2014 01:27 PM, Petr Viktorin wrote:
>>>>> Hello,
>>>>> This adds managed read permissions to the compat tree.
>>>>>
>>>>> For users it grants anonymous access; authenticated users can read
>>>>> groups, hosts and netgroups.
>>>>>
>>>>> I'm unsure if this is what we want to do for groups, but "Read Group
>>>>> Membership" is only granted to authenticated users by default, and the
>>>>> compat tree exposes memberuid.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/4521
>>>>
>>>> Self-NACK, there's a typo (though I could swear I tested this :/)
>>>>
>>>>
>>>
>>> Fixed patch attached.
>>>
>>
>> I tested and it looks and works OK, ACK from me. We can wait till tomorrow to
>> see if there are no reservations from Alexander or Rob.
> I think we need a bit more fixes. Here is ACL log for an anonymous
> request:
>
> [04/Sep/2014:15:28:49 +0300] schema-compat-plugin - searching from
> "cn=compat,dc=ipacloud,dc=test" for "(uid=admin)" with scope 2 (sub)
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
> entry(cn=computers,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no
> aci matched the subject by aci(27): aciname="permission:System: Read DNS
> Configuration", acidn="dc=ipacloud,dc=test"
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
> entry(cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci
> matched the subject by aci(27): aciname="permission:System: Read DNS
> Configuration", acidn="dc=ipacloud,dc=test"
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
> entry(cn=ab,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous:
> no
> aci matched the subject by aci(27): aciname="permission:System: Read DNS
> Configuration", acidn="dc=ipacloud,dc=test"
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
> entry(cn=editors,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to
> anonymous: no aci matched the subject by aci(27): aciname=
> "permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
> entry(cn=admins,cn=groups,cn=compat,dc=ipacloud,dc=test).attr(uid) to
> anonymous: no aci matched the subject by aci(27): aciname=
> "permission:System: Read DNS Configuration", acidn="dc=ipacloud,dc=test"
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny search on
> entry(cn=ng,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: no aci
> matched the subject by aci(27): aciname="permission:System: Read DNS
> Configuration", acidn="dc=ipacloud,dc=test"
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search
> on
> entry(cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous: allowed
> by aci(38): aciname= "permission:System: Read User
> Compat Tree", acidn="dc=ipacloud,dc=test"
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search
> on
> entry(uid=ab,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to anonymous:
> cached allow by aci(38)
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow search
> on
> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to
> anonymous:
> cached allow by aci(38)
> [04/Sep/2014:15:28:49 +0300] schema-compat-plugin - search matched
> uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - #### conn=18 op=1 binddn=""
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Deny read on
> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(createTimestamp)
> to anonymous: no aci matched the subject by aci(18): aciname= "Admin can
> manage
> any entry", acidn="dc=ipacloud,dc=test"
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(objectClass) to
> anonymous: allowed by aci(38): aciname= "permission:System: Read User Compat
> Tree", acidn="dc=ipacloud,dc=test"
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gecos) to
> anonymous: cached allow by aci(38)
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(cn) to anonymous:
> cached allow by aci(38)
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uidNumber) to
> anonymous: cached allow by aci(38)
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(gidNumber) to
> anonymous: cached allow by aci(38)
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(loginShell) to
> anonymous: cached allow by aci(38)
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(homeDirectory) to
> anonymous: cached allow by aci(38)
> [04/Sep/2014:15:28:49 +0300] NSACLPlugin - conn=18 op=1 (main): Allow read on
> entry(uid=admin,cn=users,cn=compat,dc=ipacloud,dc=test).attr(uid) to
> anonymous:
> cached allow by aci(38)
>
> createTimestamp is an operational attribute and is synthesized by
> slapi-nis; there is no problem allowing access to it. I think we can
> allow the following operational attributes:
>
> createTimestamp, modifyTimestamp, entryUSN, creatorsName, modifiersName,
> entryDN, hasSubordinates, numSubordinates
Ah, ok, probably yes. At least for some of them - CCing Simo. For example,
entryUSN is used by SSSD - CCing jhrozek to confirm. So it should be allowed
for the whole FreeIPA DIT. So this change is not so related to these patches.