[Freeipa-devel] Compat tree permissions

Martin Kosek mkosek at redhat.com
Wed Sep 3 10:34:28 UTC 2014


On 09/03/2014 12:32 PM, Petr Viktorin wrote:
> On 09/03/2014 10:45 AM, Petr Viktorin wrote:
>> On 09/03/2014 10:17 AM, Martin Kosek wrote:
>> [...]
>>>> Exposing the same data anonymously over compat tree when it is available
>>>> only for authenticated users over primary tree isn't secure.
>>>
>>> If you check
>>> cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>>> you would see that we only allow attributes we already expose to
>>> anonymous as
>>> in the basic permission. So it is not that bad.
>>
>> For users, yes. I assume we want the others to be authenticated only?
>>
>>> But maybe we should add a new internal "link" between standard and
>>> compat tree
>>> permissions and issue a warning when visibility of one is changed...
>>>
>>> Regarding missing compat permissions, I would personally add these:
>>>
>>> System: Read User Compat Tree
>>> System: Read Group Compat Tree
>>> System: Read Host Compat Tree
>>> System: Read Netgroup Compat Tree
> 
> Also, what about sudoers?

What about them? I thought we had that part resolved already:

# ipa permission-find sudoers
--------------------
1 permission matched
--------------------
  Permission name: System: Read Sudoers compat tree
  Granted rights: read, compare, search
  Effective attributes: cn, description, objectclass, ou, sudocommand, sudohost, sudonotafter, sudonotbefore, sudooption, sudoorder, sudorunas, sudorunasgroup, sudorunasuser, sudouser
  Default attributes: sudonotafter, description, sudouser, cn, objectclass, sudooption, sudocommand, sudonotbefore, sudorunas, sudorunasuser, sudohost, ou, sudoorder, sudorunasgroup
  Bind rule type: all
  Subtree: dc=mkosek-fedora20,dc=test
  ACI target DN: ou=sudoers,dc=mkosek-fedora20,dc=test
----------------------------
Number of entries returned 1
----------------------------

Martin
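An added example, not part of the thread and not FreeIPA project code: the check Petr is asking for above (does a compat-tree permission expose, to a wider audience, attributes the primary tree only shows to authenticated users?) can be scripted against the plain-text output of `ipa permission-find` as pasted by Martin. The script below parses that output, confirms that the effective attribute set equals the default set (no stray includes or excludes), and, for any compat-tree permission with bind type `anonymous`, reports attributes that are not in a caller-supplied allowlist of attributes the primary tree already exposes anonymously. Note that in FreeIPA's permission plugin the bind type `all` shown for the sudoers permission means any authenticated user (`userdn = ldap:///all`); only `anonymous` (`ldap:///anyone`) means unauthenticated binds. The sudoers sample is the output from the mail re-wrapped onto one line per field; the second sample (a "System: Read Group Compat Tree" permission bound anonymously) and the allowlist used with it are constructed for this example and do not describe any real server.

```python
"""Audit FreeIPA compat-tree permissions from `ipa permission-find` output.

Added example, not FreeIPA project code. Parses the CLI's plain-text output
and flags compat-tree permissions whose anonymous exposure exceeds what the
caller says the primary tree already exposes anonymously.
"""
import re

# Output quoted in the thread, re-wrapped onto one line per field
# (constructed sample input for this example).
SUDOERS_OUTPUT = """\
--------------------
1 permission matched
--------------------
  Permission name: System: Read Sudoers compat tree
  Granted rights: read, compare, search
  Effective attributes: cn, description, objectclass, ou, sudocommand, sudohost, sudonotafter, sudonotbefore, sudooption, sudoorder, sudorunas, sudorunasgroup, sudorunasuser, sudouser
  Default attributes: sudonotafter, description, sudouser, cn, objectclass, sudooption, sudocommand, sudonotbefore, sudorunas, sudorunasuser, sudohost, ou, sudoorder, sudorunasgroup
  Bind rule type: all
  Subtree: dc=mkosek-fedora20,dc=test
  ACI target DN: ou=sudoers,dc=mkosek-fedora20,dc=test
----------------------------
Number of entries returned 1
----------------------------
"""

# Hypothetical anonymously bound compat permission (constructed for this
# example; its attribute list and target DN are not taken from a real server).
GROUP_OUTPUT = """\
  Permission name: System: Read Group Compat Tree
  Granted rights: read, compare, search
  Effective attributes: cn, gidnumber, memberuid, objectclass
  Default attributes: cn, gidnumber, memberuid, objectclass
  Bind rule type: anonymous
  Subtree: dc=mkosek-fedora20,dc=test
  ACI target DN: cn=groups,cn=compat,dc=mkosek-fedora20,dc=test
"""

MULTI_VALUED = {"Granted rights", "Effective attributes", "Default attributes"}
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*): (.*)$")

# Meaning of the bind rule types as generated by FreeIPA's permission plugin.
BIND_TYPE_MEANING = {
    "permission": "only principals granted the permission via a privilege/role",
    "all": "any authenticated user (userdn = ldap:///all)",
    "anonymous": "anyone, including unauthenticated binds (userdn = ldap:///anyone)",
}


def parse_permission_find(text):
    """Return one dict per permission. Multi-valued fields become sets of
    lowercase names; lines without a 'Key: value' shape are continuation
    lines of the previous field (the CLI wraps long attribute lists)."""
    records, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or set(line) == {"-"} or line.startswith("Number of entries")
                or re.match(r"^\d+ permissions? matched$", line)):
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            if key == "Permission name":      # a new record starts here
                current = {}
                records.append(current)
            current[key] = value
            last_key = key
        elif current is not None and last_key is not None:
            current[last_key] += " " + line   # wrapped continuation
    for rec in records:
        for key in MULTI_VALUED & rec.keys():
            rec[key] = {a.strip().lower() for a in rec[key].split(",") if a.strip()}
    return records


def is_compat_permission(rec):
    return "compat tree" in rec["Permission name"].lower()


def audit_compat_permissions(records, anonymous_primary_attrs):
    """Return (permission name, problem) tuples for compat-tree permissions.

    anonymous_primary_attrs: attributes the primary tree already exposes to
    anonymous binds (supplied by the admin). For a compat permission with
    bind type 'anonymous', any effective attribute outside that set is a
    wider exposure than the primary tree grants and gets flagged."""
    allowed = {a.lower() for a in anonymous_primary_attrs}
    findings = []
    for rec in records:
        if not is_compat_permission(rec):
            continue
        name = rec["Permission name"]
        effective = rec.get("Effective attributes", set())
        default = rec.get("Default attributes", set())
        if effective != default:
            findings.append((name, "effective attributes differ from defaults: "
                             + ", ".join(sorted(effective ^ default))))
        if rec.get("Bind rule type", "permission") == "anonymous":
            leaked = effective - allowed
            if leaked:
                findings.append((name, "exposed anonymously but not anonymous "
                                 "in primary tree: " + ", ".join(sorted(leaked))))
    return findings


def bind_summary(records):
    """Map each compat-tree permission to a human-readable bind rule meaning."""
    return {rec["Permission name"]: BIND_TYPE_MEANING.get(rec.get("Bind rule type"), "unknown")
            for rec in records if is_compat_permission(rec)}


if __name__ == "__main__":
    recs = parse_permission_find(SUDOERS_OUTPUT) + parse_permission_find(GROUP_OUTPUT)
    for name, meaning in bind_summary(recs).items():
        print(f"{name}: {meaning}")
    # Placeholder allowlist (constructed); an admin would fill it from the
    # anonymous primary-tree permissions shown by `ipa permission-find`.
    for name, problem in audit_compat_permissions(recs, {"cn", "gidnumber", "objectclass"}):
        print(f"FINDING [{name}]: {problem}")
```

Run against a real server with `ipa permission-find "compat tree" | python3 audit.py`-style piping by replacing the embedded samples with `sys.stdin.read()`; the allowlist must come from the primary-tree permissions (for example the attributes of the anonymous "System: Read Users" style permissions), since the compat plugin renames and flattens attributes and a purely name-based comparison is only a first filter.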