[Freeipa-devel] Compat tree permissions

Alexander Bokovoy abokovoy at redhat.com
Wed Sep 3 10:39:04 UTC 2014


On Wed, 03 Sep 2014, Petr Viktorin wrote:
>On 09/03/2014 10:17 AM, Martin Kosek wrote:
>[...]
>>>Exposing the same data anonymously over compat tree when it is available
>>>only for authenticated users over primary tree isn't secure.
>>
>>If you check
>>cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>>you would see that we only allow attributes we already expose to anonymous as
>>in the basic permission. So it is not that bad.
>
>For users, yes. I assume we want the others to be authenticated only?
My point was that if we are hiding from anonymous access even the fact
that a certain user or group exists, the compat tree is the one where we were
leaking this information. Do we want to continue giving it out to
unauthenticated clients?

It is not about specific attributes but rather just the fact that a
certain user or group exists.

Finally, the sudo compat tree shouldn't be an issue, as SSSD uses
authenticated access and the native sudo.ldap plugin supports using a bind DN.

The only issue is switching from unauthenticated 3.3 to authenticated
4.0.x, where your existing clients using the non-bound version will stop
authorizing sudo commands. And this issue is huge.

-- 
/ Alexander Bokovoy
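The leak Alexander describes (an account whose existence is hidden from anonymous readers in the primary tree but visible under cn=compat) can be checked on one's own server by comparing what an anonymous bind can enumerate from each tree. The script below is an added example, not code from the thread or from FreeIPA; it assumes the OpenLDAP `ldapsearch` client, and `IPA_HOST`/`IPA_BASE` are placeholders for the server and base DN. Without `--live` it runs on constructed sample LDIF embedded in the script.

```shell
#!/bin/bash
# Added example (not from the thread): find names an anonymous bind can read
# from the compat tree but not from the primary tree. Placeholders below.
HOST="${IPA_HOST:-ipa.example.test}"      # placeholder server
BASE="${IPA_BASE:-dc=example,dc=test}"    # placeholder base DN

# Reduce an LDIF stream (ldapsearch -LLL output) to the sorted, unique RDN
# values of uid=... and cn=... entries, one per line.
ldif_names() {
  sed -n -e 's/^dn: uid=\([^,]*\),.*/\1/p' \
         -e 's/^dn: cn=\([^,]*\),.*/\1/p' | sort -u
}

# Names present in the first LDIF text but absent from the second, i.e.
# entries whose existence is exposed only through the compat tree.
leaked_names() {
  local compat_tmp primary_tmp
  compat_tmp=$(mktemp); primary_tmp=$(mktemp)
  printf '%s\n' "$1" | ldif_names > "$compat_tmp"
  printf '%s\n' "$2" | ldif_names > "$primary_tmp"
  comm -23 "$compat_tmp" "$primary_tmp"
  rm -f "$compat_tmp" "$primary_tmp"
}

# Anonymous simple bind (-x with no -D) against the given base, DNs only.
anon_search() {
  ldapsearch -x -LLL -H "ldap://$HOST" -b "$1" \
    '(|(objectClass=posixAccount)(objectClass=posixGroup))' dn
}

check_live() {
  leaked_names "$(anon_search "cn=compat,$BASE")" "$(anon_search "cn=accounts,$BASE")"
}

# Constructed sample output (not captured from a real server): "bob" is
# readable anonymously only via the compat tree.
SAMPLE_COMPAT='dn: uid=alice,cn=users,cn=compat,dc=example,dc=test

dn: uid=bob,cn=users,cn=compat,dc=example,dc=test

dn: cn=admins,cn=groups,cn=compat,dc=example,dc=test
'
SAMPLE_PRIMARY='dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=test
'

if [ "${1:-}" = "--live" ]; then check_live; else leaked_names "$SAMPLE_COMPAT" "$SAMPLE_PRIMARY"; fi
```

An empty result from `--live` means nothing is enumerable via cn=compat that is not already enumerable via cn=accounts; any name printed is exactly the kind of existence leak the thread is discussing.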