[Freeipa-devel] [PATCH] 0529 Add managed read permission to trusts

Alexander Bokovoy abokovoy at redhat.com
Wed Apr 16 15:10:19 UTC 2014


On Wed, 16 Apr 2014, Martin Kosek wrote:
>On 04/16/2014 03:59 PM, Alexander Bokovoy wrote:
>> On Wed, 16 Apr 2014, Simo Sorce wrote:
>>> On Wed, 2014-04-16 at 16:15 +0300, Alexander Bokovoy wrote:
>>>> On Wed, 16 Apr 2014, Simo Sorce wrote:
>>>> >> +                'ipanttrusteddomainsid', 'ipanttrustforesttrustinfo',
>>>> >> +                'ipanttrustposixoffset',
>>>> >> 'ipantsupportedencryptiontypes',
>>>> >> +                'ipantsidblacklistincoming',
>>>> >> 'ipantsidblacklistoutgoing',
>>>> >> +                # ipaNTDomainAttrs:
>>>> >> +                'ipantsecurityidentifier', 'ipantflatname',
>>>> >> 'ipantdomainguid',
>>>> >> +                'ipantfallbackprimarygroup',
>>>> >> +            },
>>>> >> +        },
>>>> >> +    }
>>>> >>
>>>> >>      label = _('Trusts')
>>>> >>      label_singular = _('Trust')
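Review bot: the attribute set in this hunk exposes internal ipasam attributes such as 'ipantsupportedencryptiontypes', 'ipantsidblacklistincoming' and 'ipantsidblacklistoutgoing' to every principal matched by the permission, alongside the few attributes SSSD actually needs; as the thread concludes below, split this into two permissions, one for all authenticated users limited to cn, ipaNTFlatName, ipaNTSecurityIdentifier and ipaNTTrustedDomainSID, and one granted to Trust Administrators and Trust Readers that carries the remaining attributes.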
>>>> >
>>>> >In general I am not sure all authenticated users need access to all this
>>>> >info. Alexander ?
>>>> SSSD needs to read some of this information for subdomains support.
>>>> That would be at least host/*@REALM who needs to access it.
>>>
>>> Can you please list exactly which ones are needed ?
>> SSSD subdomains support needs:
>>   - objectclasses ipaNTTrustedDomain/ipaNTDomainAttrs
>>     - ipaNTFlatName
>>     - ipaNTSecurityIdentifier
>>     - ipaNTTrustedDomainSID
>>     - cn
>
>Question is - is there any added value in hiding part of the
>trust information from authenticated users? I.e. attributes like
>ipanttrustdirection, ipaNTTrustAttributes (what is the purpose of this
>attribute anyway?), SID blacklists...
Yes. Some of those attributes are needed as internal detail of ipasam --
part of how Samba stores this information taken from specific DCE RPC
structures.

>If yes, we would need to split this permission in 2 and have one for
>authenticated users and one for "Trust Administrators" and "Trust Readers".
Yes. Authenticated users shouldn't get any access to those details:
   ipantsupportedencryptiontypes
   ipanttrustattributes
   ipanttrustauthincoming
   ipanttrustauthoutgoing


-- 
/ Alexander Bokovoy
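As an added example (not code from the patch, the thread or FreeIPA itself), here is how the split discussed above can be expressed and checked: the 'all' bind rule permission keeps only the attributes SSSD reads, the rest move to a privileged permission, and a small lint confirms no sensitive attribute remains readable by every authenticated user. The dict keys mirror FreeIPA managed_permissions as an assumed shape, and the second permission's name and privilege set are hypothetical.

```python
# Added example, not part of the FreeIPA patch under review.

# Attributes SSSD subdomain support reads (listed in the thread).
SSSD_NEEDED = {'cn', 'ipantflatname', 'ipantsecurityidentifier',
               'ipanttrusteddomainsid'}

# Attributes the thread says authenticated users must not read.
SENSITIVE = {'ipantsupportedencryptiontypes', 'ipanttrustattributes',
             'ipanttrustauthincoming', 'ipanttrustauthoutgoing'}

# Full attribute list of the original single permission: the attributes
# visible in the hunk plus the ones named later in the thread.
ALL_TRUST_ATTRS = SSSD_NEEDED | SENSITIVE | {
    'ipanttrustforesttrustinfo', 'ipanttrustposixoffset',
    'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing',
    'ipantdomainguid', 'ipantfallbackprimarygroup',
}


def split_trust_permissions(all_attrs, public_attrs):
    """Return a managed_permissions-style dict (assumed key names) with a
    public permission (bind rule 'all') limited to public_attrs and a
    privileged permission holding every other attribute."""
    public = set(all_attrs) & set(public_attrs)
    return {
        'System: Read Trust Information': {
            'ipapermbindruletype': 'all',
            'ipapermright': {'read', 'search', 'compare'},
            'ipapermdefaultattr': public,
        },
        'System: Read Trust Details': {  # hypothetical permission name
            'ipapermbindruletype': 'permission',
            'ipapermright': {'read', 'search', 'compare'},
            'ipapermdefaultattr': set(all_attrs) - public,
            # hypothetical privilege names taken from the thread
            'default_privileges': {'Trust Administrators', 'Trust Readers'},
        },
    }


def leaked_attrs(perms, sensitive):
    """Lint: sensitive attributes readable under the 'all' bind rule, i.e. by
    every authenticated user. Empty set means the split is clean."""
    leaked = set()
    for perm in perms.values():
        if perm.get('ipapermbindruletype') == 'all':
            leaked |= set(perm.get('ipapermdefaultattr', ())) & set(sensitive)
    return leaked
```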