[Freeipa-devel] [PATCH] 942 limit resetting admins passwords
Martin Kosek
mkosek at redhat.com
Wed Feb 8 12:28:17 UTC 2012
On Tue, 2012-02-07 at 18:19 -0500, Rob Crittenden wrote:
> Don't allow the 'change user password' permission to be able to reset
> the password of the admins group.
>
> rob
NACK
The admin filter works OK; user fbar (in the helpdesk role) is now not able
to change admin's password:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: fbar at IDM.LAB.BOS.REDHAT.COM
# ipa passwd admin
New Password:
Enter New Password again to verify:
ipa: ERROR: Insufficient access: Insufficient access rights
But what about this little exercise:
# ipa group-remove-member admins --user=admin
Group name: admins
Description: Account administrators group
GID: 480800000
---------------------------
Number of members removed 1
---------------------------
# ipa passwd admin
New Password:
Enter New Password again to verify:
---------------------------------------------------
Changed password for "admin at IDM.LAB.BOS.REDHAT.COM"
---------------------------------------------------
# ipa group-add-member admins --user=admin
Group name: admins
Description: Account administrators group
GID: 480800000
Member users: admin
-------------------------
Number of members added 1
-------------------------
I was able to achieve the very same goal. Maybe we should forbid the "modify
group membership" role from manipulating the admins group as well.
Martin
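The gap Martin demonstrates above is general: a permission whose target filter excludes members of a group is only as strong as the controls on that group's membership. The following is an added toy model of the two permissions involved, not FreeIPA code and not the patch under review; the `Directory`, `Policy`, `passwd`, `group_remove_member` and `group_add_member` names, the `protect_admins_membership` switch and the sample accounts are all assumptions made for illustration. It replays fbar's three commands against a policy that only has the password filter, and again against one that also protects admins membership as Martin suggests.

```python
"""Toy model (added example, not FreeIPA code) of a filter-based password
permission that excludes the admins group, and of its bypass through an
unrestricted group-membership permission."""
from dataclasses import dataclass, field

ADMINS = "admins"


class Denied(Exception):
    """Stands in for 'ipa: ERROR: Insufficient access: Insufficient access rights'."""


@dataclass
class Directory:
    # Constructed sample data: user -> password, group -> set of member users.
    passwords: dict = field(default_factory=dict)
    groups: dict = field(default_factory=dict)

    def is_member(self, user: str, group: str) -> bool:
        return user in self.groups.get(group, set())


@dataclass
class Policy:
    """Permissions held by a helpdesk principal such as fbar.

    protect_admins_membership=False models the state after Rob's patch alone:
    password changes are filtered, membership changes are not.
    protect_admins_membership=True models Martin's proposed addition.
    """
    protect_admins_membership: bool = False

    def can_change_password(self, d: Directory, target: str) -> bool:
        # Filter from the patch: the target must not currently be in admins.
        # Note the check reads a mutable attribute at the time of the call.
        return not d.is_member(target, ADMINS)

    def can_modify_membership(self, group: str) -> bool:
        if self.protect_admins_membership and group == ADMINS:
            return False
        return True


def passwd(d: Directory, pol: Policy, target: str, new: str) -> None:
    if not pol.can_change_password(d, target):
        raise Denied("Insufficient access rights")
    d.passwords[target] = new


def group_remove_member(d: Directory, pol: Policy, group: str, user: str) -> None:
    if not pol.can_modify_membership(group):
        raise Denied("Insufficient access rights")
    d.groups.setdefault(group, set()).discard(user)


def group_add_member(d: Directory, pol: Policy, group: str, user: str) -> None:
    if not pol.can_modify_membership(group):
        raise Denied("Insufficient access rights")
    d.groups.setdefault(group, set()).add(user)


def fresh_directory() -> Directory:
    # Constructed: one admin account that is a member of admins, plus an
    # ordinary group the helpdesk legitimately manages.
    return Directory(passwords={"admin": "old", "jdoe": "old"},
                     groups={ADMINS: {"admin"}, "editors": {"jdoe"}})


def direct_admin_reset(pol: Policy) -> bool:
    """`ipa passwd admin` as fbar. True if the password changed."""
    d = fresh_directory()
    try:
        passwd(d, pol, "admin", "new")
    except Denied:
        return False
    return d.passwords["admin"] == "new"


def three_step_admin_reset(pol: Policy) -> bool:
    """Martin's exercise: remove admin from admins, reset, re-add.

    Returns True if the admin password changed; membership is restored
    afterwards, so the directory looks untouched apart from the password.
    """
    d = fresh_directory()
    try:
        group_remove_member(d, pol, ADMINS, "admin")
        passwd(d, pol, "admin", "new")
        group_add_member(d, pol, ADMINS, "admin")
    except Denied:
        return False
    return d.passwords["admin"] == "new" and d.is_member("admin", ADMINS)


def helpdesk_still_manages_other_groups(pol: Policy) -> bool:
    """Check that protecting admins does not break ordinary group management."""
    d = fresh_directory()
    try:
        group_add_member(d, pol, "editors", "admin")
    except Denied:
        return False
    return d.is_member("admin", "editors")
```

Under the patch alone, `direct_admin_reset` is refused but `three_step_admin_reset` succeeds and leaves admin back in the admins group; with `protect_admins_membership=True` the first `group-remove-member` is refused and the reset never happens, while membership changes on other groups still work.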