[Freeipa-devel] [PATCH] 245 Forbid public access to DNS tree
Martin Kosek
mkosek at redhat.com
Mon Apr 2 15:16:13 UTC 2012
Test instructions are attached to the ticket.
--
With a publicly accessible DNS tree in LDAP, anyone with access
to the LDAP server can get all DNS data, just as with a zone transfer,
which is already restricted with an ACL. Making the DNS tree not readable
to the public is a common security practice and should be applied
in FreeIPA as well.
This patch adds a new deny rule to forbid access to the DNS tree to
users or hosts without an appropriate permission or users who
are not members of the admins group. The new permission/ACI is
applied both for new installs and upgraded servers.
The bind-dyndb-ldap plugin is allowed to read the DNS tree without any
change because its principal is already a member of the "DNS
Servers" privilege.
https://fedorahosted.org/freeipa/ticket/2569
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-245-forbid-public-access-to-dns-tree.patch
Type: text/x-patch
Size: 7069 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120402/2aee4c8b/attachment.bin>
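The patch itself is only a scrubbed attachment here, so the following is an added illustration of the approach the message describes, not the FreeIPA patch or project code. It uses 389 Directory Server ACI syntax (the LDAP server FreeIPA runs on) and an evaluator that answers the question a defender asks after such a change: can an anonymous bind still read the DNS subtree? The suffix `dc=example,dc=com`, the weak "allow anyone" ACI, the permission group name "Read DNS Entries" and both ACI strings are constructed for this example and are assumptions; the evaluator only understands conjunctions of `userdn`/`groupdn` clauses.

```python
import re

# Constructed sample environment (assumption, not from the patch).
SUFFIX = "dc=example,dc=com"
DNS_BASE = f"cn=dns,{SUFFIX}"

# A permissive ACI of the kind the message argues against: anyone, including
# anonymous binds, may read the whole DNS subtree (constructed example).
WEAK_ACI = (
    f'(target = "ldap:///{DNS_BASE}")(targetattr = "*")'
    '(version 3.0; acl "Anonymous read of DNS tree"; '
    'allow (read,search,compare) userdn = "ldap:///anyone";)'
)

# A deny ACI in the shape the message describes: everyone who is not in the
# admins group and not in a DNS read permission is denied (constructed example;
# the permission name is an assumption).
DENY_ACI = (
    f'(target = "ldap:///{DNS_BASE}")(targetattr = "*")'
    '(version 3.0; acl "No access to DNS tree without a permission"; '
    'deny (read,search,compare) '
    f'(groupdn != "ldap:///cn=admins,cn=groups,cn=accounts,{SUFFIX}") and '
    f'(groupdn != "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,{SUFFIX}");)'
)

# 389-DS ACI grammar subset: target, optional targetattr, then the acl body.
ACI_RE = re.compile(
    r'\(target\s*=\s*"ldap:///(?P<target>[^"]+)"\)'
    r'(?:\(targetattr\s*=\s*"[^"]*"\))?'
    r'\(version 3\.0;\s*acl\s*"(?P<name>[^"]+)";\s*'
    r'(?P<perm>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'(?P<bind>.+?);\)\s*$',
    re.S,
)
CLAUSE_RE = re.compile(r'(?P<kw>userdn|groupdn)\s*(?P<op>!?=)\s*"(?P<val>[^"]+)"')


def parse_aci(aci):
    """Split one ACI value into target, name, allow/deny, rights and bind rule."""
    m = ACI_RE.match(aci.strip())
    if m is None:
        return None
    return {
        "target": m["target"],
        "name": m["name"],
        "perm": m["perm"],
        "rights": [r.strip() for r in m["rights"].split(",")],
        "bind": m["bind"].strip(),
    }


def covers_dns_tree(target):
    """True if the ACI target is the DNS container or an entry beneath it."""
    t = target.lower().replace(" ", "")
    base = DNS_BASE.lower()
    return t == base or t.endswith("," + base)


def bind_rule_matches_anonymous(bind_rule):
    """Does this bind rule apply to an anonymous bind?

    Handles only 'and'-joined userdn/groupdn clauses (assumption). In 389-DS,
    ldap:///anyone includes anonymous, ldap:///all means authenticated users,
    and an anonymous bind is a member of no group, so 'groupdn != X' matches it.
    """
    for clause in re.split(r"\s+and\s+", bind_rule.strip()):
        m = CLAUSE_RE.search(clause)
        if m is None:
            return False  # unknown clause type: assume it does not match
        if m["kw"] == "userdn":
            matches = m["val"] == "ldap:///anyone"
            if m["op"] == "!=":
                matches = not matches
        else:
            matches = m["op"] == "!="
        if not matches:
            return False
    return True


def anonymous_can_read_dns(acis):
    """True if, under these ACIs, an anonymous bind can read the DNS subtree.

    389-DS evaluates deny rules before allow rules, so one matching deny on
    the DNS target wins over any allow.
    """
    allowed = denied = False
    for aci in acis:
        p = parse_aci(aci)
        if p is None or not covers_dns_tree(p["target"]) or "read" not in p["rights"]:
            continue
        if not bind_rule_matches_anonymous(p["bind"]):
            continue
        if p["perm"] == "allow":
            allowed = True
        else:
            denied = True
    return allowed and not denied


if __name__ == "__main__":
    print("weak only  ->", anonymous_can_read_dns([WEAK_ACI]))
    print("with deny  ->", anonymous_can_read_dns([WEAK_ACI, DENY_ACI]))
```

Run it directly to see the two outcomes; on a live server the same check is `ldapsearch -x -b "cn=dns,<suffix>"` with no bind DN, which should return no entries once the deny rule is in place. The point of the `groupdn !=` form is that it denies everyone by default and carves out the admins group and the permission group, which is how the message describes the rule working for both users and hosts.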