Re: [Freeipa-devel] [PATCH] 0544 Remove the global anonymous read ACI
On 05/23/2014 02:26 PM, Martin Kosek wrote: On 05/22/2014 04:03 PM, Petr Viktorin wrote: On 05/21/2014 08:08 AM, Martin Kosek wrote: On 05/19/2014 03:27 PM, Petr Viktorin wrote: On 05/16/2014 02:00 PM, Martin Kosek wrote: On 04/29/2014 11:02 PM, Petr Viktorin wrote: I didn't test this as much as I'd like to, but it might come in handy when testing my earlier patches. The ACI is removed in the managed permissions plugin because I want to make sure it's done after all the managed permission updates, which query it. It worked in my case (I tested upgrade from 3.3.5). What do we do about other permissions we will want to remove? I am talking about following ACIs: - no anonymous access to roles - no anonymous access to sudo - no anonymous access to hbac - no anonymous access to member information I would like to remove them in 544 as well as otherwise they would bias the testing. Right. Here is the updated patch. I tested upgrade from 3.3.5 to 4.0 and in SUFFIX I still had some of the ACIs left: (targetattr = *)(target = ldap:///cn=*,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test;)(version 3.0; acl No anonymous access to roles; deny (read,search,compare) userdn != ldap:///all;;) (targetattr = *)(target = ldap:///cn=*,ou=SUDOers,dc=mkosek-fedora20,dc=test;)(version 3.0; acl No anonymous access to sudo; deny (read,search,compare) userdn != ldap:///all;;) The problem is that you used your testing suffix instead of suffix variable. Shame on me. I've updated rebased the patch. I've also made a git hook yell at me when I commit something containing BRQ, hopefully this won't happen again. Would it make sense to publish your FreeIPA git hooks somewhere on http://www.freeipa.org/page/Contribute/Code or your github and link it? I think it already contains couple gems that may help other people prevent basic errors like this one. Sure, I'll document it a bit and publish. Otherwise, the patch worked fine - ACK! I would like it to be pushed as soon as user ACI patch is pushed so that we have some time to find issues. Thanks! Pushed to master: 193ced0bd7a9a26e7b25f08b023ee21302acaac7 -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0544 Remove the global anonymous read ACI
On 05/22/2014 04:03 PM, Petr Viktorin wrote: On 05/21/2014 08:08 AM, Martin Kosek wrote: On 05/19/2014 03:27 PM, Petr Viktorin wrote: On 05/16/2014 02:00 PM, Martin Kosek wrote: On 04/29/2014 11:02 PM, Petr Viktorin wrote: I didn't test this as much as I'd like to, but it might come in handy when testing my earlier patches. The ACI is removed in the managed permissions plugin because I want to make sure it's done after all the managed permission updates, which query it. It worked in my case (I tested upgrade from 3.3.5). What do we do about other permissions we will want to remove? I am talking about following ACIs: - no anonymous access to roles - no anonymous access to sudo - no anonymous access to hbac - no anonymous access to member information I would like to remove them in 544 as well as otherwise they would bias the testing. Right. Here is the updated patch. I tested upgrade from 3.3.5 to 4.0 and in SUFFIX I still had some of the ACIs left: (targetattr = *)(target = ldap:///cn=*,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test;)(version 3.0; acl No anonymous access to roles; deny (read,search,compare) userdn != ldap:///all;;) (targetattr = *)(target = ldap:///cn=*,ou=SUDOers,dc=mkosek-fedora20,dc=test;)(version 3.0; acl No anonymous access to sudo; deny (read,search,compare) userdn != ldap:///all;;) The problem is that you used your testing suffix instead of suffix variable. Shame on me. I've updated rebased the patch. I've also made a git hook yell at me when I commit something containing BRQ, hopefully this won't happen again. Would it make sense to publish your FreeIPA git hooks somewhere on http://www.freeipa.org/page/Contribute/Code or your github and link it? I think it already contains couple gems that may help other people prevent basic errors like this one. Otherwise, the patch worked fine - ACK! I would like it to be pushed as soon as user ACI patch is pushed so that we have some time to find issues. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0544 Remove the global anonymous read ACI
On 05/21/2014 08:08 AM, Martin Kosek wrote: On 05/19/2014 03:27 PM, Petr Viktorin wrote: On 05/16/2014 02:00 PM, Martin Kosek wrote: On 04/29/2014 11:02 PM, Petr Viktorin wrote: I didn't test this as much as I'd like to, but it might come in handy when testing my earlier patches. The ACI is removed in the managed permissions plugin because I want to make sure it's done after all the managed permission updates, which query it. It worked in my case (I tested upgrade from 3.3.5). What do we do about other permissions we will want to remove? I am talking about following ACIs: - no anonymous access to roles - no anonymous access to sudo - no anonymous access to hbac - no anonymous access to member information I would like to remove them in 544 as well as otherwise they would bias the testing. Right. Here is the updated patch. I tested upgrade from 3.3.5 to 4.0 and in SUFFIX I still had some of the ACIs left: (targetattr = *)(target = ldap:///cn=*,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test;)(version 3.0; acl No anonymous access to roles; deny (read,search,compare) userdn != ldap:///all;;) (targetattr = *)(target = ldap:///cn=*,ou=SUDOers,dc=mkosek-fedora20,dc=test;)(version 3.0; acl No anonymous access to sudo; deny (read,search,compare) userdn != ldap:///all;;) The problem is that you used your testing suffix instead of suffix variable. Shame on me. I've updated rebased the patch. I've also made a git hook yell at me when I commit something containing BRQ, hopefully this won't happen again. -- Petr³ From 0802e5ae783703c6f1d05ac3f961e41233884a10 Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Tue, 29 Apr 2014 21:46:26 +0200 Subject: [PATCH] Remove the global anonymous read ACI MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Also remove - the deny ACIs that implemented exceptions to it: - no anonymous access to roles - no anonymous access to member information - no anonymous access to hbac - no anonymous access to sudo (2Ã) - its updater plugin Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 --- install/share/default-aci.ldif | 13 --- install/share/delegation.ldif | 5 -- install/updates/20-aci.update | 11 +++ install/updates/60-trusts.update | 1 - ipaserver/install/plugins/update_anonymous_aci.py | 96 -- .../install/plugins/update_managed_permissions.py | 19 + 6 files changed, 30 insertions(+), 115 deletions(-) delete mode 100644 ipaserver/install/plugins/update_anonymous_aci.py diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index 480facf3294c593c6a2bcf326e20c32157d6d3c6..04fc185f785ee71246c6cc4f958c754158f16302 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif @@ -3,10 +3,7 @@ dn: $SUFFIX changetype: modify add: aci -aci: (targetfilter = ((!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenHOTP))(!(objectClass=ipatokenRadiusConfiguration(target != ldap:///idnsname=*,cn=dns,$SUFFIX;)(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming)(version 3.0; acl Enable Anonymous access; allow (read, search, compare) userdn = ldap:///anyone;;) -aci: (targetattr = memberOf || memberHost || memberUser)(version 3.0; acl No anonymous access to member information; deny (read,search,compare) userdn != ldap:///all;;) aci: (targetattr = userpassword || krbprincipalkey || sambalmpassword || sambantpassword)(version 3.0; acl selfservice:Self can write own password; allow (write) userdn=ldap:///self;;) -aci: (targetattr = *)(target = ldap:///cn=*,ou=SUDOers,$SUFFIX;)(version 3.0; acl No anonymous access to sudo; deny (read,search,compare) userdn != ldap:///all;;) dn: $SUFFIX changetype: modify @@ -65,16 +62,6 @@ dn: cn=computers,cn=accounts,$SUFFIX add: aci aci: (targetattr = krbPrincipalKey || krbLastPwdChange)(target = ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX;)(version 3.0;acl Admins can manage host keytab;allow (write) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;) -dn: cn=hbac,$SUFFIX -changetype: modify -add: aci -aci: (targetattr = *)(version 3.0; acl No anonymous access to hbac; deny (read,search,compare) userdn != ldap:///all;;) - -dn: cn=sudo,$SUFFIX -changetype: modify -add: aci -aci: (targetattr = *)(version 3.0; acl No anonymous access to sudo; deny (read,search,compare) userdn != ldap:///all;;) - # This is used for the host/service one-time passwordn and keytab indirectors. # We can do a query on a DN to see if an attribute exists. dn: cn=accounts,$SUFFIX diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif index 7bd4e1e2d93b1dde4122ad1bfbe889625d983544..43d13974ffd63ea6ee554c815b911715609149b8
Re: [Freeipa-devel] [PATCH] 0544 Remove the global anonymous read ACI
On 05/19/2014 03:27 PM, Petr Viktorin wrote: On 05/16/2014 02:00 PM, Martin Kosek wrote: On 04/29/2014 11:02 PM, Petr Viktorin wrote: I didn't test this as much as I'd like to, but it might come in handy when testing my earlier patches. The ACI is removed in the managed permissions plugin because I want to make sure it's done after all the managed permission updates, which query it. It worked in my case (I tested upgrade from 3.3.5). What do we do about other permissions we will want to remove? I am talking about following ACIs: - no anonymous access to roles - no anonymous access to sudo - no anonymous access to hbac - no anonymous access to member information I would like to remove them in 544 as well as otherwise they would bias the testing. Right. Here is the updated patch. I tested upgrade from 3.3.5 to 4.0 and in SUFFIX I still had some of the ACIs left: (targetattr = *)(target = ldap:///cn=*,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test;)(version 3.0; acl No anonymous access to roles; deny (read,search,compare) userdn != ldap:///all;;) (targetattr = *)(target = ldap:///cn=*,ou=SUDOers,dc=mkosek-fedora20,dc=test;)(version 3.0; acl No anonymous access to sudo; deny (read,search,compare) userdn != ldap:///all;;) The problem is that you used your testing suffix instead of suffix variable. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0544 Remove the global anonymous read ACI
On 05/16/2014 02:00 PM, Martin Kosek wrote: On 04/29/2014 11:02 PM, Petr Viktorin wrote: I didn't test this as much as I'd like to, but it might come in handy when testing my earlier patches. The ACI is removed in the managed permissions plugin because I want to make sure it's done after all the managed permission updates, which query it. It worked in my case (I tested upgrade from 3.3.5). What do we do about other permissions we will want to remove? I am talking about following ACIs: - no anonymous access to roles - no anonymous access to sudo - no anonymous access to hbac - no anonymous access to member information I would like to remove them in 544 as well as otherwise they would bias the testing. Right. Here is the updated patch. -- Petr³ From 316605f6aa5f487b2845bc3abc3d9e029b60bd0a Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Tue, 29 Apr 2014 21:46:26 +0200 Subject: [PATCH] Remove the global anonymous read ACI MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Also remove - the deny ACIs that implemented exceptions to it: - no anonymous access to roles - no anonymous access to member information - no anonymous access to hbac - no anonymous access to sudo (2Ã) - its updater plugin Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 --- install/share/default-aci.ldif | 13 --- install/share/delegation.ldif | 5 -- install/updates/20-aci.update | 13 +++ install/updates/60-trusts.update | 1 - ipaserver/install/plugins/update_anonymous_aci.py | 96 -- .../install/plugins/update_managed_permissions.py | 19 + 6 files changed, 32 insertions(+), 115 deletions(-) delete mode 100644 ipaserver/install/plugins/update_anonymous_aci.py diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif index 480facf3294c593c6a2bcf326e20c32157d6d3c6..04fc185f785ee71246c6cc4f958c754158f16302 100644 --- a/install/share/default-aci.ldif +++ b/install/share/default-aci.ldif @@ -3,10 +3,7 @@ dn: $SUFFIX changetype: modify add: aci -aci: (targetfilter = ((!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenHOTP))(!(objectClass=ipatokenRadiusConfiguration(target != ldap:///idnsname=*,cn=dns,$SUFFIX;)(targetattr != userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming)(version 3.0; acl Enable Anonymous access; allow (read, search, compare) userdn = ldap:///anyone;;) -aci: (targetattr = memberOf || memberHost || memberUser)(version 3.0; acl No anonymous access to member information; deny (read,search,compare) userdn != ldap:///all;;) aci: (targetattr = userpassword || krbprincipalkey || sambalmpassword || sambantpassword)(version 3.0; acl selfservice:Self can write own password; allow (write) userdn=ldap:///self;;) -aci: (targetattr = *)(target = ldap:///cn=*,ou=SUDOers,$SUFFIX;)(version 3.0; acl No anonymous access to sudo; deny (read,search,compare) userdn != ldap:///all;;) dn: $SUFFIX changetype: modify @@ -65,16 +62,6 @@ dn: cn=computers,cn=accounts,$SUFFIX add: aci aci: (targetattr = krbPrincipalKey || krbLastPwdChange)(target = ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX;)(version 3.0;acl Admins can manage host keytab;allow (write) groupdn = ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX;;) -dn: cn=hbac,$SUFFIX -changetype: modify -add: aci -aci: (targetattr = *)(version 3.0; acl No anonymous access to hbac; deny (read,search,compare) userdn != ldap:///all;;) - -dn: cn=sudo,$SUFFIX -changetype: modify -add: aci -aci: (targetattr = *)(version 3.0; acl No anonymous access to sudo; deny (read,search,compare) userdn != ldap:///all;;) - # This is used for the host/service one-time passwordn and keytab indirectors. # We can do a query on a DN to see if an attribute exists. dn: cn=accounts,$SUFFIX diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif index 7bd4e1e2d93b1dde4122ad1bfbe889625d983544..43d13974ffd63ea6ee554c815b911715609149b8 100644 --- a/install/share/delegation.ldif +++ b/install/share/delegation.ldif @@ -580,11 +580,6 @@ dn: $SUFFIX dn: $SUFFIX changetype: modify add: aci -aci: (targetattr = *)(target = ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX;)(version 3.0; acl No anonymous access to roles; deny (read,search,compare) userdn != ldap:///all;;) - -dn: $SUFFIX -changetype: modify -add: aci aci: (target = ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX;)(version 3.0;acl permission:Add Roles;allow (add) groupdn = ldap:///cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX;) aci: (target = ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX;)(version 3.0;acl permission:Remove Roles;allow (delete) groupdn = ldap:///cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX;) aci: (targetattr = cn || description)(target =
