[Freeipa-devel] [PATCH 0032] Update ACIs to permit users to add/delete their own tokens
Nathaniel McCallum
npmccallum at redhat.com
Fri Jan 10 20:14:16 UTC 2014
On Thu, 2014-01-09 at 17:37 -0500, Simo Sorce wrote:
> On Thu, 2014-01-09 at 16:32 -0500, Nathaniel McCallum wrote:
> > This patch is independent from my patches 0028-0031 and can be merged in
> > any order.
> >
> > This patch has a bug, but I can't figure it out. We need to set
> > nsslapd-access-userattr-strict on cn=config to "off".
>
> Uhmm what is the effect on ACL evaluation of changing this boolean ?
> I can;t figure out from your commit not from 389ds commit what exactly
> changes and how it impacts the security of the directory.
>
> I ask because I was planning on using userattr to protect some
> operations in the password plugin but was waiting due to bug:
> https://fedorahosted.org/389/ticket/47571 which is beeing resolved.
>
> I want to make sure your change won't change what this ACIs would allow.
>
> Is this option simply allowing the use of add/delete ACIs to be
> specified in conjunction with userattr, so that a user can add an attr
> only if it contains its own DN ?
>
> Will it allow the user to add multiple values to the same attr as long
> as one of the is the userDN ? O will it restrict that case ?
>
> (I know that ipaTokenOwner is a single-value attribute, but the
> mechanism you are enabling here is general, and I want to be sure of
> what the semantics are)
After testing, it was determined that the 389DS patch #47653 does in
fact permit addition if any of the multi-valued attributes match the
condition. This is definitely problematic.
After discussion today with nkinder, simo, nhosoi, we agreed to
roll-back patch #47653 and find an alternate approach. This also
invalidates patch freeipa-npmccallum-0032. Simo will follow up this
email with an alternate proposal.
Nathaniel
More information about the Freeipa-devel
mailing list