[Freeipa-devel] [PATCH] 942 limit resetting admins passwords
Simo Sorce
simo at redhat.com
Wed Feb 8 13:57:46 UTC 2012
On Wed, 2012-02-08 at 13:28 +0100, Martin Kosek wrote:
> On Tue, 2012-02-07 at 18:19 -0500, Rob Crittenden wrote:
> > Don't allow the 'change user password' permission to be able to reset
> > the password of the admins group.
> >
> > rob
>
> NACK
>
> The admin filter works OK, user fbar (in helpdesk role) is now not able
> to change admin's password:
>
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: fbar at IDM.LAB.BOS.REDHAT.COM
>
> # ipa passwd admin
> New Password:
> Enter New Password again to verify:
> ipa: ERROR: Insufficient access: Insufficient access rights
>
> But what about this little exercise:
>
> # ipa group-remove-member admins --user=admin
> Group name: admins
> Description: Account administrators group
> GID: 480800000
> ---------------------------
> Number of members removed 1
> ---------------------------
> # ipa passwd admin
> New Password:
> Enter New Password again to verify:
> ---------------------------------------------------
> Changed password for "admin at IDM.LAB.BOS.REDHAT.COM"
> ---------------------------------------------------
> # ipa group-add-member admins --user=admin
> Group name: admins
> Description: Account administrators group
> GID: 480800000
> Member users: admin
> -------------------------
> Number of members added 1
> -------------------------
>
> I was able to achieve the very same goal. Maybe we should forbid the "modify
> group membership" role from manipulating the admins group as well.
>
> Martin
I would say this is another issue, so I'd ACK Rob's patch and require
opening a ticket to prevent changing admins memberships from non-admins.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
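Martin's exercise above shows that a password-reset filter keyed on current `admins` membership is only as strong as the rules guarding that membership. The toy model below is an added illustration, not FreeIPA code: it replays the remove/reset/re-add sequence against a constructed directory with the two permission names from the thread, once with only Rob's filter and once with the additional rule Martin suggests (only members of `admins` may edit `admins`).

```python
"""Constructed model of the two permissions discussed in the thread.

Not FreeIPA code. It shows why excluding 'admins' members from the
'change user password' permission is not sufficient on its own when the
same actor also holds 'modify group membership' over the admins group.
"""
from __future__ import annotations
from dataclasses import dataclass, field

PROTECTED_GROUP = "admins"


@dataclass
class Directory:
    groups: dict[str, set[str]] = field(default_factory=dict)
    perms: dict[str, set[str]] = field(default_factory=dict)  # user -> permissions
    # Martin's suggested extra rule: gate membership changes of 'admins' too
    guard_protected_membership: bool = False

    def has_perm(self, actor: str, perm: str) -> bool:
        return perm in self.perms.get(actor, set())

    def is_member(self, user: str, group: str) -> bool:
        return user in self.groups.get(group, set())

    def reset_password(self, actor: str, target: str) -> bool:
        # Rob's patch: the permission does not reach *current* admins members
        if not self.has_perm(actor, "change user password"):
            return False
        if self.is_member(target, PROTECTED_GROUP) and not self.is_member(actor, PROTECTED_GROUP):
            return False
        return True

    def modify_membership(self, actor: str, group: str, user: str, add: bool) -> bool:
        if not self.has_perm(actor, "modify group membership"):
            return False
        if (self.guard_protected_membership and group == PROTECTED_GROUP
                and not self.is_member(actor, PROTECTED_GROUP)):
            return False  # non-admins may not edit the admins group
        members = self.groups.setdefault(group, set())
        (members.add if add else members.discard)(user)
        return True


def helpdesk_bypass_works(guarded: bool) -> bool:
    """Replay Martin's exercise: remove admin from admins, reset, re-add."""
    d = Directory(groups={PROTECTED_GROUP: {"admin"}},
                  perms={"fbar": {"change user password", "modify group membership"}},
                  guard_protected_membership=guarded)
    assert not d.reset_password("fbar", "admin")  # the filter itself holds
    removed = d.modify_membership("fbar", PROTECTED_GROUP, "admin", add=False)
    changed = d.reset_password("fbar", "admin")
    if removed:  # restore membership, as in the original exercise
        d.modify_membership("fbar", PROTECTED_GROUP, "admin", add=True)
    return removed and changed
```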