[Freeipa-devel] [PATCH] 942 limit resetting admins passwords
Martin Kosek
mkosek at redhat.com
Wed Feb 8 14:12:47 UTC 2012
On Wed, 2012-02-08 at 08:57 -0500, Simo Sorce wrote:
> On Wed, 2012-02-08 at 13:28 +0100, Martin Kosek wrote:
> > On Tue, 2012-02-07 at 18:19 -0500, Rob Crittenden wrote:
> > > Don't allow the 'change user password' permission to be able to reset
> > > the password of the admins group.
> > >
> > > rob
> >
> > NACK
> >
> > The admin filter works OK, user fbar (in helpdesk role) is now not able
> > to change admin's password:
> >
> > # klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: fbar at IDM.LAB.BOS.REDHAT.COM
> >
> > # ipa passwd admin
> > New Password:
> > Enter New Password again to verify:
> > ipa: ERROR: Insufficient access: Insufficient access rights
> >
> > But what about this little exercise:
> >
> > # ipa group-remove-member admins --user=admin
> > Group name: admins
> > Description: Account administrators group
> > GID: 480800000
> > ---------------------------
> > Number of members removed 1
> > ---------------------------
> > # ipa passwd admin
> > New Password:
> > Enter New Password again to verify:
> > ---------------------------------------------------
> > Changed password for "admin at IDM.LAB.BOS.REDHAT.COM"
> > ---------------------------------------------------
> > # ipa group-add-member admins --user=admin
> > Group name: admins
> > Description: Account administrators group
> > GID: 480800000
> > Member users: admin
> > -------------------------
> > Number of members added 1
> > -------------------------
> >
> > I was able to achieve the very same goal. Maybe we should forbid the "modify
> > group membership" role from manipulating the admins group as well.
> >
> > Martin
>
> I would say this is another issue, so I'd ACK Rob's patch and require
> opening a ticket to prevent changing admins memberships from non-admins.
>
> Simo.
>
Yeah, we can do that. I decided to rather NACK the patch as the ticket/BZ
description mentioned that it wants to prevent helpdesk users from
changing the admin password - which they can still do using the approach I
described.
But if you want to do it in a separate ticket I am OK with pushing patch
942.
Martin
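The gap Martin describes is a composition problem: the password-reset permission is filtered on *current* admins membership, while the group-membership permission carries no such filter, so the three commands above compose into a reset of the admin password. The toy policy model below is an added example (not FreeIPA code and not part of the thread); user names, group names, passwords and the `Policy` helper are constructed for illustration. It replays the sequence from the thread under the policy as patch 942 leaves it, and again with the admins group excluded from the membership permission, which is the follow-up fix the thread asks for a ticket on.

```python
"""Toy model of the authorization gap in the thread above.

Constructed example, not FreeIPA code. A helpdesk user (fbar) holds two
permissions: 'change user password', filtered so it never applies to
members of the admins group (what patch 942 does), and 'modify group
membership'. Without a matching filter on the second permission the
remove / reset / re-add sequence succeeds; with it, the first step is
denied and the admin password never changes.
"""
from dataclasses import dataclass, field

PROTECTED_GROUP = "admins"  # the group the password-reset filter protects


class InsufficientAccess(Exception):
    """Mirrors the 'Insufficient access rights' error shown in the thread."""


@dataclass
class Directory:
    groups: dict                      # group name -> set of member uids
    passwords: dict                   # uid -> password (plaintext only in this toy)
    audit: list = field(default_factory=list)


def fresh_directory() -> Directory:
    # Constructed sample data: admin in admins, fbar in a helpdesk group.
    return Directory(
        groups={"admins": {"admin"}, "helpdesk": {"fbar"}},
        passwords={"admin": "original", "fbar": "original"},
    )


def groups_of(directory: Directory, uid: str) -> set:
    return {g for g, members in directory.groups.items() if uid in members}


@dataclass(frozen=True)
class Policy:
    """Hypothetical policy object: which groups the membership permission may not touch."""
    membership_protected: frozenset

    def may_reset_password(self, directory: Directory, target: str) -> bool:
        # Patch 942 behaviour: evaluated against the target's *current*
        # membership, which is exactly what the bypass manipulates.
        return PROTECTED_GROUP not in groups_of(directory, target)

    def may_modify_membership(self, group: str) -> bool:
        return group not in self.membership_protected


PATCH_942_ONLY = Policy(membership_protected=frozenset())
PATCH_942_PLUS_GROUP_FILTER = Policy(membership_protected=frozenset({PROTECTED_GROUP}))


def reset_password(directory, policy, actor, target, new_password):
    if not policy.may_reset_password(directory, target):
        directory.audit.append(f"DENY  passwd {target} by {actor}")
        raise InsufficientAccess("Insufficient access rights")
    directory.passwords[target] = new_password
    directory.audit.append(f"ALLOW passwd {target} by {actor}")


def change_membership(directory, policy, actor, group, uid, add):
    verb = "group-add-member" if add else "group-remove-member"
    if not policy.may_modify_membership(group):
        directory.audit.append(f"DENY  {verb} {group} {uid} by {actor}")
        raise InsufficientAccess("Insufficient access rights")
    (directory.groups[group].add if add else directory.groups[group].discard)(uid)
    directory.audit.append(f"ALLOW {verb} {group} {uid} by {actor}")


def run_bypass_sequence(policy) -> Directory:
    """Replays the three commands from the thread as fbar and returns the
    resulting directory so the caller can inspect passwords and audit."""
    directory = fresh_directory()
    try:
        change_membership(directory, policy, "fbar", "admins", "admin", add=False)
        reset_password(directory, policy, "fbar", "admin", "Secret123")
        change_membership(directory, policy, "fbar", "admins", "admin", add=True)
    except InsufficientAccess:
        pass  # stop at the first denied step, as the CLI would
    return directory


def admin_password_changed(policy) -> bool:
    return run_bypass_sequence(policy).passwords["admin"] != "original"


if __name__ == "__main__":
    for name, policy in (("patch 942 only", PATCH_942_ONLY),
                         ("patch 942 + group filter", PATCH_942_PLUS_GROUP_FILTER)):
        d = run_bypass_sequence(policy)
        print(f"{name}: admin password changed = {admin_password_changed(policy)}")
        for line in d.audit:
            print("   ", line)
```

The audit trail is the part a defender wants from this: under the first policy every step is ALLOW, so the only trace of the escalation is a benign-looking group-remove-member followed by a passwd and a group-add-member, which is worth alerting on for the admins group even after the membership filter is in place.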