[Freeipa-devel] Compat tree permissions
Martin Kosek
mkosek at redhat.com
Wed Sep 3 10:49:01 UTC 2014
On 09/03/2014 12:39 PM, Alexander Bokovoy wrote:
> On Wed, 03 Sep 2014, Petr Viktorin wrote:
>> On 09/03/2014 10:17 AM, Martin Kosek wrote:
>> [...]
>>>> Exposing the same data anonymously over compat tree when it is available
>>>> only for authenticated users over primary tree isn't secure.
>>>
>>> If you check
>>> cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>>> you would see that we only allow attributes we already expose to anonymous as
>>> in the basic permission. So it is not that bad.
>>
>> For users, yes. I assume we want the others to be authenticated only?
> My point was that if we are hiding from anonymous access even the fact
> that certain user or group exists
Are we?
# ipa permission-find standard
--------------------
1 permission matched
--------------------
Permission name: System: Read User Standard Attributes
Granted rights: read, compare, search
Effective attributes: cn, description, displayname, gecos, gidnumber,
givenname, homedirectory,
initials, ipantsecurityidentifier, loginshell, manager,
objectclass, sn, title,
uid, uidnumber
Default attributes: displayname, description, title, objectclass, loginshell,
ipantsecurityidentifier,
uidnumber, gidnumber, initials, manager, gecos, sn,
homedirectory, givenname, cn,
uid
Bind rule type: *anonymous*
Subtree: cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
Type: user
----------------------------
Number of entries returned 1
----------------------------
# ipa permission-show "System: Read Groups"
Permission name: System: Read Groups
Granted rights: read, compare, search
Effective attributes: businesscategory, cn, description, gidnumber,
ipaexternalmember,
ipantsecurityidentifier, ipauniqueid, mepmanagedby, o,
objectclass, ou, owner,
seealso
Default attributes: businesscategory, cn, ipaexternalmember, objectclass,
ipantsecurityidentifier,
description, gidnumber, o, mepmanagedby, ipauniqueid,
owner, ou, seealso
Bind rule type: *anonymous*
Subtree: cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test
Type: group
> compat tree is the one where we were
> leaking this information. Do we want to continue giving it out for
> unauthenticated?
>
> It is not about specific attributes but rather just the fact that
> certain user or group exists.
>
> Finally, sudo compat tree shouldn't be an issue as SSSD does use
> authenticated access and native sudo.ldap plugin supports using bind DN.
>
> The only issue is switching from unauthenticated 3.3 to authenticated
> 4.0.x where your existing clients using non-bound version will stop
> authorizing sudo commands. And this issue is huge.
Right, this affects Legacy clients feature, makes our ipa-advise insufficient.
Martin
More information about the Freeipa-devel
mailing list