[Freeipa-devel] Compat tree permissions

Martin Kosek mkosek at redhat.com
Wed Sep 3 10:49:01 UTC 2014 

On 09/03/2014 12:39 PM, Alexander Bokovoy wrote:
> On Wed, 03 Sep 2014, Petr Viktorin wrote:
>> On 09/03/2014 10:17 AM, Martin Kosek wrote:
>> [...]
>>>> Exposing the same data anonymously over compat tree when it is available
>>>> only for authenticated users over primary tree isn't secure.
>>>
>>> If you check
>>> cn=users,cn=Schema Compatibility,cn=plugins,cn=config
>>> you would see that we only allow attributes we already expose to anonymous as
>>> in the basic permission. So it is not that bad.
>>
>> For users, yes. I assume we want the others to be authenticated only?
> My point was that if we are hiding from anonymous access even the fact
> that certain user or group exists

Are we?

# ipa permission-find standard
--------------------
1 permission matched
--------------------
  Permission name: System: Read User Standard Attributes
  Granted rights: read, compare, search
  Effective attributes: cn, description, displayname, gecos, gidnumber,
givenname, homedirectory,
                        initials, ipantsecurityidentifier, loginshell, manager,
objectclass, sn, title,
                        uid, uidnumber
  Default attributes: displayname, description, title, objectclass, loginshell,
ipantsecurityidentifier,
                      uidnumber, gidnumber, initials, manager, gecos, sn,
homedirectory, givenname, cn,
                      uid
  Bind rule type: *anonymous*
  Subtree: cn=users,cn=accounts,dc=mkosek-fedora20,dc=test
  Type: user
----------------------------
Number of entries returned 1
----------------------------

# ipa permission-show "System: Read Groups"
  Permission name: System: Read Groups
  Granted rights: read, compare, search
  Effective attributes: businesscategory, cn, description, gidnumber,
ipaexternalmember,
                        ipantsecurityidentifier, ipauniqueid, mepmanagedby, o,
objectclass, ou, owner,
                        seealso
  Default attributes: businesscategory, cn, ipaexternalmember, objectclass,
ipantsecurityidentifier,
                      description, gidnumber, o, mepmanagedby, ipauniqueid,
owner, ou, seealso
  Bind rule type: *anonymous*
  Subtree: cn=groups,cn=accounts,dc=mkosek-fedora20,dc=test
  Type: group

> compat tree is the one where we were
> leaking this information. Do we want to continue giving it out for
> unauthenticated?
> 
> It is not about specific attributes but rather just the fact that
> certain user or group exists.
> 
> Finally, sudo compat tree shouldn't be an issue as SSSD does use
> authenticated access and native sudo.ldap plugin supports using bind DN.
> 
> The only issue is switching from unauthenticated 3.3 to authenticated
> 4.0.x where your existing clients using non-bound version will stop
> authorizing sudo commands. And this issue is huge.

Right, this affects Legacy clients feature, makes our ipa-advise insufficient.

Martin

More information about the Freeipa-devel mailing list